Page 1

October 2015 Issue No: 1.1

Security Procedures

Windows Server 2012 R2

IPsec Security Gateway

Security Procedures

Windows 2012 R2 IPsec Security Gateway

Issue No: 1.1 October 2015

This document describes the manner in which this product should be implemented to ensure it complies with the requirements of the CPA security characteristic that it was assessed against. The intended audience for this document is HMG implementers, and as such they should have access to the documents referenced within. If you do not have access to these documents but believe that you have an HMG focused business need, please contact CESG Enquiries.

Document History

Version Date Comment

1.0 August 2014 First issue

1.1 October 2015 First public release

Page 1

Windows 2012 R2 IPsec Security Gateway

About this document These Security Procedures provide guidance in the secure operation of Windows Server 2012 R2 (in relation to operation as an IPsec Security Gateway). This document is intended for System Designers, Risk Managers and Risk Management Advisors. The Security Procedures come from detailed technical assessment carried out on behalf of CESG. They do not replace the need for tailored technical or legal advice on specific systems or issues. CESG and its advisors accept no

liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed on this guidance.

Related documents The documents listed in the References section are also relevant to the secure deployment of this product. For detailed information about device operation, refer to the Microsoft Windows Server 2012 R2 product documentation.

Points of contact For additional hard copies of this document and general queries, please contact CESG using the following details. CESG Enquiries

Hubble Road Cheltenham GL51 0EX United Kingdom

enquiries@cesg.gsi.gov.uk Tel: 01242-709141

CESG welcomes feedback and encourage readers to inform CESG of their experience, good or bad in this document. Please email: enquiries@cesg.gsi.gov.uk

Page 2

Windows 2012 R2 IPsec Security Gateway

Contents:

Chapter 1 - Outline Description ................................................................................ 3

Product Summary ..................................................................................................... 3

Certification ............................................................................................................... 3 Components ............................................................................................................. 3

Chapter 2 - Security Functionality ........................................................................... 5

Chapter 3 - Secure Operation ................................................................................... 6

Pre-installation .......................................................................................................... 6

Installation ................................................................................................................ 8 Configuration ............................................................................................................ 9 VPN Server Configuration ...................................................................................... 10

DirectAccess Server Configuration ......................................................................... 11 Operation ................................................................................................................ 11 Maintenance and Updates ...................................................................................... 11 System Logs ........................................................................................................... 12

System Administration ............................................................................................ 12

Chapter 4 - Security Incidents ................................................................................ 14

Incident Management ............................................................................................. 14

Chapter 5 - Disposal and Destruction .................................................................... 15

Routine Destruction of Equipment .......................................................................... 15

References ............................................................................................................... 16

Page 3

Windows 2012 R2 IPsec Security Gateway

Chapter 1 - Outline Description

Product Summary

1. Microsoft Windows Server 2012 R2 is the 6th release of Windows Server. It is the server version of Windows 8 and succeeds Windows Server 2008 R21.

2. Windows Server 2012 R2 supports the tunnelling protocol: IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2). This makes VPN connections more reliable by automatically re-establishing the connection when a user has temporarily lost Internet connectivity, and particularly when a client computer changes its IP address.

3. In addition, the VPN capability can be configured to support DirectAccess, a Remote Access component of Windows Server 2012 R2 that helps remote users (using Windows 7 or 8.1 clients) to securely access shared resources, websites, and applications on an internal network. DirectAccess establishes bi-directional connectivity with an organisation’s corporate network every time a DirectAccess-enabled computer is connected to the Internet, i.e. the connection is transparent to the user, and does not require to be manually initiated. DirectAccess is based on AuthIP (Authenticated IP), which is a Microsoft proprietary extension of the IKEv1 protocol.

Certification

4. Windows Server 2012 R2 has undergone CPA assessment. It has been certified as meeting Foundation Grade requirements, as described in the IPsec Security Gateway SC v2.3 (reference [a]). Later versions are automatically covered by this certification until the certificate expires or is revoked, as stated on the product’s certificate and on the CPA website 2 . Specific certified modes of operation are as described in Chapter 2, paragraph 8 of this document.

Components

5. Windows Server 2012 R2 comprises a number of roles. The IPsec Security Gateway functionality is provided by the Remote Access Server role, which is a logical grouping of the following related network access technologies:

DirectAccess

Routing and Remote Access (RRAS)

Web Application Proxy

6. These technologies are the role services of the Remote Access server role.

1 Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. 2 CPA website address: http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA.aspx

Page 4

Windows 2012 R2 IPsec Security Gateway

7. A server running Windows Server 2012 R2 should be treated at a security classification commensurate with the highest security classification of data which the device has or will handle.

Page 5

Windows 2012 R2 IPsec Security Gateway

Chapter 2 - Security Functionality

8. Windows Server 2012 R2 IPsec Security Gateway provides the following primary security functionality assessed at Foundation Grade:

Built in IKEv2 VPN providing support for the PSN End-State IPsec profiles

DirectAccess mode of operation (Windows 7 and 8.1)

9. The product also relies on the following native Windows Server 2012 R2 security functionality:

Windows logon controls providing for identification and authentication of the Remote Access server administrators

Windows event logging ensures that relevant IPsec events are logged and timestamped, together with other events that may affect the security of the deployment e.g. crashes. Event logs are protected from unauthorised access

Windows Event Forwarding provides the capability to automatically forward event logs to another server (Windows Event Collector)

Windows Firewall with Advanced Security, configured to control the attack surface on the IPsec Security Gateway Red and Black interfaces

Windows Update, supporting the timely application of security updates to the product and assuring their authenticity and integrity

Page 6

Windows 2012 R2 IPsec Security Gateway

Chapter 3 - Secure Operation

10. The following recommendations outline a configuration for the Windows Server 2012 R2 IPsec Security Gateway that is in line with the Security Characteristic for an IPsec Security Gateway. These requirements must be followed unless there is a strong business requirement not to do so. Such instances should be discussed with your Accreditor. Note that must is used in these Security Procedures to indicate a configuration instruction that is mandatory in order to ensure that Windows Server 2012 R2 is in a secure and approved state.

Pre-installation

11. Before installing the product, a check should be made to verify the authenticity of the installation media or the download contents. Microsoft openly publishes the SHA-1 hash values within the additional details for each product listed on MSDN Subscriber Downloads and the relevant one must be validated against the (ISO image) installation software. A variety of publicly available utilities can be used, including the Microsoft File Checksum Integrity Verifier which can be obtained at reference [b]. The command to be executed for a single file using the File Checksum Integrity Verifier is:

fciv -sha1 <filename>.

12. It is recommended that the guidance at reference [c] be consulted prior to the deployment of the Remote Access capability (built-in VPN or DirectAccess).

13. As stated in the SC (reference [a]), the guidance and patterns described in CESG Architectural Pattern, Walled Gardens for Remote Access (reference [d]) should be followed when deploying the IPsec Security Gateway as part of a remote working VPN deployment. In particular, the Windows Server 2012 R2 Remote Access Server should be deployed within a Demilitarised Zone (DMZ) network between an Edge firewall (connected to the less trusted network, e.g. Internet) and a Perimeter firewall (connected to the more trusted network e.g. Corporate).

14. A simplified deployment is illustrated below.

Page 7

Windows 2012 R2 IPsec Security Gateway

Page 8

Windows 2012 R2 IPsec Security Gateway

15. However, the use of a presentation layer (as advocated within the Walled Garden pattern) may impact the user experience when using DirectAccess and detract from the ethos of transparent access to corporate resources that DirectAccess is intended to provide. In order to permit access to corporate resources without the use of presentation services, an advanced perimeter firewall and/or Intruder Detection Systems (IDS) should be employed to inspect traffic originating from DirectAccess clients that are communicating with corporate resources via the DirectAccess server.

16. Microsoft publishes a number of Test Lab Guides (TLGs) which explain how to set up a test lab configuration for demonstrating the required functionality3, and which are relevant to deployment of the Remote Access capabilities. These TLGs, which are referenced throughout these Security Procedures, build upon the Windows Server 2012 R2 base configuration TLG (reference [e]). Microsoft recommends adoption of the test lab approach as a means of gaining familiarity with the process for setting up a working configuration, prior to deployment.

17. The deployment must be supported by an internal Public Key Infrastructure (PKI). It is recommended that the guidance on creating a 2-tier PKI hierarchy using Windows Server 2012 and Active Directory Certificate Services (AD CS) in reference [f] is consulted. This includes guidance on setting up an offline root CA and installing an online enterprise subordinate CA, configuring a Certificate Revocation List (CRL), Certificate Distribution Point (CDP) and automatically deploying certificates to the domain.

18. The following TechNet guidance should be consulted prior to deployment of a DirectAccess server:

Guidance on the necessary prerequisites for using the configuration wizards to deploy DirectAccess is provided in reference [g]

A list of known issues (recommended hotfixes and updates for Windows Server 2012 DirectAccess and Windows Server 2012 R2 DirectAccess) is detailed at reference [h]

A list of unsupported configurations is provided at reference [i]

Installation

19. The equipment must be deployed in a data centre that has been accredited for the security classification of the data that the device is handling. In particular:

Physical access controls must restrict access to the server hardware to authorised personnel only, such that only the administrator can gain local access to the IPsec Security Gateway

Physical access controls must restrict access to the management network to authorised personnel only (thus preventing an unauthorised person connecting an unauthorised device to it)

3 The TLGs are not claimed to be based on best practices and neither are they intended to be used as the basis of a production configuration. However they do contain guidance on how to perform specific steps that will be needed in setting up such a configuration.

Page 9

Windows 2012 R2 IPsec Security Gateway

Tamper evident seals should be placed over access points on the server, such that unauthorised entry to system internals can be detected through physical inspection. Tamper stickers should be uniquely identifiable to prevent an attacker successfully replacing it with a new, undamaged sticker

20. Installation should only be performed by trained, knowledgeable and authorised personnel. Details regarding installation of Windows Server 2012 R2 are given in reference [j].

21. The Windows Server 2012 R2 operating system should be hardened using the Windows Server 2012 R2 baseline security setting recommendations in the Security Compliance Management Toolkit (reference [k]) when these are published. In the interim, the Windows Server 2012 baselines should be used.

22. Only drivers that have been through the Microsoft driver verification program should be used on the Remote Access Server. These will have the correct signature and logo to demonstrate that they have successfully been evaluated. Drivers that do not have the signature and logo should not be used.

23. The Remote Access server role must be installed on the IPsec Security Gateway. In addition, the Remote Access Setup Wizard must be run using one of the following options:

‘Deploy VPN only’ – where the gateway is to be a VPN server

‘DirectAccess only’ – where the gateway is to be a DirectAccess server

24. Guidance on the deployment of VPN servers is provided in references [l] and [m]. Note: Guidance for using RRAS as a VPN Server in Windows Server 2008 R2 is still generally applicable to Windows Server 2012 R2 VPN Server scenarios.

25. Guidance on installation and configuration of DirectAccess servers may be found in reference [n]. Step-by-step instructions for configuring DirectAccess in a single server deployment with mixed IPv4 and IPv6 resources may be found in reference [o].

26. Note: Guidance provided for DirectAccess simplified setup or using the Getting Started Wizard must not be followed as this does not meet the certificate requirements to meet the CPA security characteristic. Therefore, only advanced setup guidance should be followed.

Configuration

27. Note: IKEv2 VPN component will trust a Client certificate signed by any CA root in the certificate store; minimise this list where possible.

28. Active Directory controls must be used to enforce separate accounts for Remote Access Server administrators and for user account administration. There must be no standard user accounts on the Remote Access Server. (Local administrator access is required in order to use the Remote Access Server administrator tools.)

Page 10

Windows 2012 R2 IPsec Security Gateway

29. Endpoints should be configured in line with good IT practice. Refer to the Microsoft Windows 7 and Windows 8.1 IPsec Client Security Procedures (reference [p]) for further details.

30. ASLR is enabled by default on installation of the product. It must not be disabled.

31. Remote Access Administrators must not enable program exceptions to DEP and must not reduce DEP coverage to only essential Windows Programs and Services.

32. Microsoft have developed PowerShell customisation scripts in order to meet approved IPsec profile requirements. The intention is that these scripts will be hosted on the product’s certification page on the CESG website www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA-certified-products.aspx and made available in text form. These are to be copied from the web page and the scripts executed as described in the CPA customisation guides, as detailed in the following sections.

33. The customisation scripts include the configuration of the Windows Firewall with Advanced Security to restrict inbound services on the Remote Access server. These restrictions must not be relaxed. In particular, management services must not be enabled on the Black interface (i.e. on the connection to the less trusted network).

34. It should be noted that the customisation scripts have been created based upon a single-server deployment topology and may require modification for a load-balanced or multi-site configuration. Advice should therefore be sought from Microsoft regarding the use of such scripts in more complex deployments.

35. The user running the customisation scripts must have appropriate privileges to make the required changes (local administrator, or permissions to modify Group Policies as discussed in section 1.8.1 of reference [q], as indicated in the CPA Customisation Guides referenced in the following sections).

VPN Server Configuration

36. The Remote Access server must be configured as a dedicated VPN server and must not host other services, including DirectAccess services.

37. The default configuration of the VPN server and clients must be modified as described in the CPA Customisation Guide – VPN, Microsoft (reference [r]). These configuration customisations include the following in relation to the VPN Server:

Configuration of the VPN Server component in order to meet the custom cryptography requirements of the End-State profile

Configuration of the Windows Firewall with Advanced Security on the VPN Server to restrict inbound services by removal of the Public profile from several built-in inbound firewall rules

Page 11

Windows 2012 R2 IPsec Security Gateway

DirectAccess Server Configuration

38. The Remote Access server must be configured as a dedicated DirectAccess server and must not host other services (including VPN services).

39. The default configuration of the DirectAccess server and clients must be modified as described in the CPA Customisation Guide – Direct Access, Microsoft (reference [s]). These configuration customisations include the following in relation to the DirectAccess Server:

Configuration of the DirectAccess Server component in order to meet the custom cryptography requirements of the Interim or End-State profiles

Configuration of the Windows Firewall with Advanced Security on the DirectAccess Server to restrict inbound services by removal of the Public profile from several built-in inbound firewall rules

Operation

40. The Remote Access Server must only be used with other VPN Security Gateways and Clients that have been certified to CPA Foundation Grade.

41. Management of the Remote Access Server should be carried out either via RDP over a TLS connection, or via a physical console connection.

42. The default certificate templates that are included in Windows Server based enterprise certification authorities ensure that all client certificates are renewed every year. Certificate lifetimes must not be increased beyond 2 years.

43. Active Directory Certificate Services must be used to issue and (where necessary) revoke all gateway and client certificates. When a replacement certificate is provisioned for the Remote Access Server, the old certificate must be revoked on all IPsec clients.

44. All certificates and, where possible, keys, should be revoked prior to disposal, using functionality provided by Active Directory Certificate Services.

45. Standard users must not be permitted to manage the certificate installation for the Remote Access Server.

Maintenance and Updates

46. The latest version of the product should be used (i.e. updated with the most recent security patches). Therefore product updates should be applied as soon as is possible. General guidance on this matter is in CESG Good Practice Guide No. 7 (GPG 7), Protection from Malicious Code (reference [t]).

47. The product should be configured to use either the Windows Update process or the Windows Software Update Services (WSUS) process. Alternatively, an enterprise tool such as System Centre Configuration Manager (SCCM) may be deployed to ensure that server and client software is kept up to date.

48. Guidance on the Windows Update process may be found in reference [u].

Page 12

Windows 2012 R2 IPsec Security Gateway

System Logs

49. The Remote Access Server must be configured to log all actions that are deemed to be of interest, in sufficient detail to support forensic investigation during security incident management. Details of the IPsec and Windows Firewall with Advanced Security events that may be logged are provided in reference [v].

50. It should be noted that, by default, Windows Firewall with Advanced Security does not generate audit events for either the Windows Firewall service or IPsec. Event logging must therefore be enabled in order to see these events, as described in reference [w].

51. Audit logs must be regularly reviewed for unexpected entries. Events of interest include (but are not limited to):

Failed server administrator logon attempts or account lockout

Account activity occurring at unusual times

Security policy configuration changes

Dropping or blocking of packets

Failed or blocked connections

Failed negotiations

Failed Windows updates

Service or system failures

52. See also the general guidance on this matter that is provided in CESG Good Practice Guide No. 13 (GPG 13), Protective Monitoring for HMG ICT Systems (reference [x]). The impact of log entries related to a suspected compromise or attempt at compromise should be assessed, and organisational procedures followed for incident resolution (see Chapter 4).

53. Review of audit logs may be carried out using any of the following means:

Manually, using Windows Event Log Viewer. See the guidance on using Event Viewer to examine IPsec and Windows Firewall with Advanced Security audit events in reference [y]

Using a third party Security Event and Incident Management (SEIM) product

Using an enterprise monitoring solution such as System Centre Operations Manager (SCOM)

54. Windows Event Forwarding should be configured to automatically export logs to a Windows Server Event Collector, as described in reference [z].

System Administration

55. The only “users” to be defined for Windows Server 2012 R2 should be administrators and these will be set up with full access rights.

Page 13

Windows 2012 R2 IPsec Security Gateway

56. Authorised administrators should have sufficient skills and experience to manage the Remote Access Server. They must also be cleared to access all material on the server and be trusted to follow the guidance and not misuse their privileges.

57. Administrators should inspect the recent authentication history that is displayed immediately following successful logon to identify any unexpected activity for that account (last successful logon and the number of logon failures since then). If an attempted compromise is suspected, this should be immediately reported as a security incident, following the organisational incident reporting procedures.

58. SyOPs for the deployment should provide administrators of the IPsec Security Gateway with advice on the tamper threat. This should ensure that:

Administrators regularly check for possible damage to tamper evident seals

Any evidence of tampering is reported as soon as possible, in line with organisational incident reporting procedures

The product is immediately removed from use in the event of such tampering

Any product that shows evidence of tampering must not be returned to service unless and until approved by the relevant Accreditor(s)

Page 14

Windows 2012 R2 IPsec Security Gateway

Chapter 4 - Security Incidents

Incident Management

59. If a security incident results in the compromise of information protected by the Windows Server 2012 R2 IPsec Security Gateway, the local IT security incident management policy should ensure that the Department Security Officer (DSO) is informed.

60. Any security incidents should be managed in accordance with the local accredited security incident management procedures and policies.

61. Contact CESG if a compromise occurred that is suspected to have resulted from a failure of Windows Server 2012 R2.

Page 15

Windows 2012 R2 IPsec Security Gateway

Chapter 5 - Disposal and Destruction

Routine Destruction of Equipment

62. Disposal and destruction of equipment (e.g. server hardware, network devices, etc.) must be in accordance with HMG policy and guidance (reference [aa]) including preliminary sanitisation before it is sent for disposal or destruction.

Page 16

Windows 2012 R2 IPsec Security Gateway

References

Unless stated otherwise, these documents are available from the CESG website. Users who do not have access should contact CESG Enquiries to enquire about obtaining documents. [a] CPA Security Characteristic - IPsec Security Gateway, Version 2.3, April 2013

(available from www.cesg.gov.uk/servicecatalogue/CPA)

[b] Microsoft File Checksum Integrity Verifier, http://support.microsoft.com/default.aspx?scid=kb;en-us;841290

[c] Remote Access (DirectAccess, Routing and Remote Access) Overview http://technet.microsoft.com/en-us/library/hh831416.aspx

[d] CESG Architectural Pattern, Walled Gardens for Remote Access – latest issue available from the CESG website.

[e] Test Lab Guide: Windows Server 2012 R2 Base Configuration http://www.microsoft.com/en-us/download/details.aspx?id=39638

[f] Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy http://technet.microsoft.com/en-us/library/hh831348.aspx

[g] Remote Access (DirectAccess) Prerequisites: http://technet.microsoft.com/en-us/library/dn464273.aspx

[h] Remote Access (DirectAccess) Known Issues: http://technet.microsoft.com/en-us/library/dn464275.aspx

[i] Remote Access (DirectAccess) Unsupported Configurations: http://technet.microsoft.com/en-gb/library/dn464274.aspx

[j] Installing Windows Server 2012, http://technet.microsoft.com/en-us/library/jj134246.aspx

[k] Microsoft Security Compliance Manager, Windows Server 2012 Security Baseline, http://technet.microsoft.com/en-us/library/jj898542.aspx

[l] TLG: Demonstrate Remote Access VPNs: http://social.technet.microsoft.com/wiki/contents/articles/2473.test-lab-guide-demonstrate-remote-access-vpns.aspx

[m] Deploying Remote Access with VPN Reconnect: http://www.microsoft.com/en-us/download/details.aspx?id=20277

[n] Install and Configure Advanced Remote Access: http://technet.microsoft.com/en-us/library/jj134158.aspx

[o] Test Lab Guide: Demonstrate DirectAccess Single Server Setup with Mixed IPv4 and IPv6 in Windows Server 2012: http://www.microsoft.com/en-us/download/details.aspx?id=29031

Page 17

Windows 2012 R2 IPsec Security Gateway

[p] Microsoft Windows 7 and Windows 8.1 IPsec Client Security Procedures – latest issue available from the CESG website.

[q] Plan the DirectAccess Infrastructure: http://technet.microsoft.com/en-us/library/jj134148.aspx

[r] CPA Customisation Guide – DirectAccess, Microsoft, latest version, www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA-certified-products.aspx

[s] CPA Customisation Guide – VPN, Microsoft, latest version, www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA-certified-products.aspx

[t] CESG Good Practice Guide No. 7, Protection from Malicious Code – latest issue available from the CESG website.

[u] How to Keep Windows up-to-date, http://support.microsoft.com/kb/311047

[v] Auditing: http://msdn.microsoft.com/en-us/library/windows/desktop/bb309058(v=vs.85).aspx.

[w] Enable IPsec and Windows Firewall Audit Events: http://technet.microsoft.com/en-us/library/cc754714(v=ws.10).aspx

[x] CESG Good Practice Guide No. 13, Protective Monitoring for HMG ICT Systems – latest issue available from the CESG website.

[y] Using Event Viewer to examine IPsec and Windows Firewall with Advanced Security audit events: http://technet.microsoft.com/en-us/library/ff428140(v=ws.10).aspx

[z] “Quick and Dirty Large Scale Eventing for Windows” http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx see also: http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

[aa] HMG IA Standard No. 5, Secure Sanitisation – latest issue available from the CESG website.

CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice. CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: enquiries@cesg.gsi.gov.uk © Crown Copyright 2015.