REMOTE ACCESS TECHNOLOGIES Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com |


Page 1: Remote Access Technologies


Page 2: Remote Access Technologies

Network Access Technologies

VPN
  SMB/SQL/LDAP/DCOM sensitive to RTT
Remote Desktop
  no clipboard, no file proliferation
  limited malware surface
802.1x
  WiFi or Ethernet
  no encryption, authorization only
DirectAccess
  GPO managed
  IPSec tunnel over IPv6

Page 3: Remote Access Technologies

VPN Scenario (diagram): VPN Client, VPN Gateway, NAT, DC, FS, SQL, RADIUS, SharePoint, RDP

Page 4: Remote Access Technologies

DA Scenario (diagram): DA Client, DA Server, NAT, DC, FS, SQL, RADIUS, SharePoint, RDP

Page 5: Remote Access Technologies

RDP Scenario (diagram): RDP Client, RDP Gateway, NAT, DC, FS, SQL, RADIUS, SharePoint, Wks (workstations), RDP

Page 6: Remote Access Technologies

802.1x WiFi Scenario (diagram): WiFi Client, WiFi AP, DC, FS, SQL, RADIUS, SharePoint, RDP

Page 7: Remote Access Technologies

802.1x Ethernet Scenario (diagram): Wks, Printer, Switch, DC, FS, SQL, RADIUS, SharePoint, RDP

Page 8: Remote Access Technologies

VPN Compared

Protocol | Transport             | Client               | RRAS Server      | Server Requirements
PPTP     | TCP 1723, IP GRE      | MS-DOS and newer     | NT 4.0 and newer | -
L2TP     | UDP 500, 4500, IP ESP | NT 4.0, 98 and newer | 2000 and newer   | IPSec certificate; public name, public IP; IPSec machine certificate
SSTP     | TCP 443, TLS          | Vista/2008 and newer | 2008 and newer   | TLS certificate; public name; -
IKEv2    | UDP 500, 4500, IP ESP | 7/2008 R2 and newer  | 2008 R2 and newer | IPSec certificate; public name, public IP; IPSec machine certificate

Page 9: Remote Access Technologies

VPN Compared (continued)

Protocol     | Transport                                             | Client                                      | RRAS Server    | Server Requirements
RD Gateway   | TCP 443, TLS                                          | RDP Client 6.0 and newer                    | 2008 and newer | TLS certificate; public name; -
DirectAccess | IPSec inside IPv6 inside TCP 443 TLS or Teredo/6-to-4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO     | 2012 and newer | IPSec certificate, TLS certificate; public name; IPSec machine certificate

Page 10: Remote Access Technologies

Network Access Protection (NAP)

Client health validation before connecting
  Firewall on?
  Windows up-to-date?
  Antimalware up-to-date?
  SCCM compliance items in order?
Client validates itself
  no security, only an added layer of obstruction

Page 11: Remote Access Technologies

Microsoft RADIUS Server

Standard authentication server
  IAS - Internet Authentication Service (2003-)
  NPS - Network Policy Service (2008+)
Authentication options
  login/password
  certificate
  Active Directory authentication only
Clear-text transport with signatures
  message authenticator (MD5)

Page 12: Remote Access Technologies

RADIUS General (diagram)

Access Client (VPN, WiFi, Ethernet, RDP GW) -> Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server) -> RADIUS -> Active Directory (AD passthrough authentication)

Page 13: Remote Access Technologies

RADIUS Terminology (diagram)

Access Client (VPN, WiFi, Ethernet, RDP GW) -> RADIUS Client, i.e. the Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server) -> RADIUS -> Active Directory (AD passthrough authentication)

Page 14: Remote Access Technologies

Authentication Methods

PAP, SPAP
  clear text and hashed, respectively
CHAP
  MD5 challenge response
  requires "Store passwords using reversible encryption"
MS-CHAP
  NTLM equivalent
  DES(MD4)
MS-CHAPv2
  NTLMv2 equivalent plus improvements (time constraints)
  HMAC-MD5 (MD4)
EAP-TLS, PEAP
  client authentication certificate in user profile or on smart card
No authentication
  sometimes the authentication occurs on the Access Server itself (RD Gateway)

Page 15: Remote Access Technologies

PPTP issues

MPPE encryption
  proprietary, RC4
Encryption keys derived from the authentication
  "by" password or "by" certificate
PAP/SPAP/EAP travels in clear

Page 16: Remote Access Technologies

EAP-TLS vs. PEAP

EAP-TLS
  is designed for a protected transport
  does not protect itself
Protected EAP (PEAP)
  EAP wrapped in standard TLS

Page 17: Remote Access Technologies

EAP/PEAP Generic (diagram)

Access Client (EAP/PEAP client certificate, VPN tunnel client certificate) -> Access Server (VPN tunnel server certificate) -> RADIUS (EAP/PEAP server certificate) -> Active Directory

Page 18: Remote Access Technologies

MS-CHAPv2 with SSTP (diagram)

Access Client -> Access Server (VPN tunnel server certificate) -> RADIUS -> Active Directory

Page 19: Remote Access Technologies

EAP with SSTP (diagram)

Access Client (EAP/PEAP client certificate) -> Access Server (VPN tunnel server certificate) -> RADIUS (EAP server certificate) -> Active Directory

Page 20: Remote Access Technologies

PEAP with SSTP (diagram)

Access Client (EAP/PEAP client certificate) -> Access Server (VPN tunnel server certificate) -> RADIUS (PEAP server certificate, EAP server certificate) -> Active Directory

Page 21: Remote Access Technologies

RADIUS Clients configuration

IP address of the device
  can translate from DNS, but must match the IP address of the device (no reverse DNS)
Shared secrets
  MD5(random message authenticator + shared secret)
  NETSH NPS DUMP ExportPSK=YES
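Slides 11 and 21 describe the RADIUS transport as clear text protected only by an MD5 message authenticator, with the user password hidden using the shared secret and a random authenticator. The Python below is an added example, not part of the presentation, that implements the RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator (HMAC-MD5) on a constructed Access-Request and shows the receiver-side check; the shared secret, user name, password and request authenticator are constructed values.

```python
import hashlib, hmac, struct

ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80   # RFC 2865 / 2869

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + block i-1), block 0 with MD5(secret + RA)."""
    blocks = max(1, -(-len(password) // 16))           # pad to whole 16-byte blocks
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same chain: whoever holds the shared secret can undo the hiding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes, request_auth: bytes) -> bytes:
    """Access-Request (Code 1) carrying User-Name, hidden User-Password and a Message-Authenticator."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),      # zeroed while the HMAC is computed
    ))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()   # HMAC-MD5 keyed with the secret

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Receiver check: zero the Message-Authenticator value, recompute HMAC-MD5 over the packet."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False                                     # header length must match the datagram
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False                                 # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False                                         # no Message-Authenticator present: reject
```

Recovering the password needs nothing but the shared secret, which is why the secret itself (and the NETSH export containing it) deserves the same protection as the passwords it hides.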

Page 22: Remote Access Technologies

Implementing NPS Policy

Page 23: Remote Access Technologies

Implementing NPS Policy

Page 24: Remote Access Technologies

Implementing NPS Policy

Page 25: Remote Access Technologies

Implementing NPS Policy

Page 26: Remote Access Technologies

NPS Auditing

Page 27: Remote Access Technologies

PEAP on NPS

Page 28: Remote Access Technologies

PEAP on NPS

Page 29: Remote Access Technologies

VPN Client Notes

Validates CRL

SSTP
  does not use CRL cache
  HKLM\System\CCS\Services\SSTPSvc\Parameters
    NoCertRevocationCheck = DWORD = 1

IPSec
  netsh advfirewall set global ipsec strongcrlcheck 0
  HKLM\System\CCS\Services\PolicyAgent
    StrongCrlCheck = 0 = disabled
    StrongCrlCheck = 1 = fail only if revoked
    StrongCrlCheck = 2 = fail even if CRL not available
  HKLM\System\CCS\Services\IPSec
    AssumeUDPEncapsulationContextOnSendRule = 2

Page 30: Remote Access Technologies

PEAP Client Settings

Page 31: Remote Access Technologies

VPN Client Configuration

Group Policy Preferences
  limited options
Connection Manager Administration Kit (CMAK)
  create VPN installation packages

Page 32: Remote Access Technologies

802.1x Notes

Required services
  WLAN AutoConfig (WlanSvc)
  Wired AutoConfig (dot3svc)
Group Policy Settings
  Windows XP SP3 and newer
  full configuration options

Page 33: Remote Access Technologies

802.1x Authentication

User authentication
  login/password
  client certificate in user profile or on smart card
Computer authentication
  MACHINE$ login/password
  client certificate in the local computer store
Computer authentication with user re-authentication
  since Windows 7 works like a charm

Page 34: Remote Access Technologies

MS-CHAPv2 with 802.1x (diagram)

Access Client -> AP/switch (single Ethernet cable or WiFi) -> RADIUS -> Active Directory

Page 35: Remote Access Technologies

EAP/PEAP with 802.1x (diagram)

Access Client (EAP/PEAP client certificate: user or machine) -> AP/switch (single Ethernet cable or WiFi) -> RADIUS (EAP-TLS server certificate, EAP/PEAP server certificate) -> Active Directory

Page 36: Remote Access Technologies

RD Proxy Troubleshooting

RPCPING
  -t ncacn_http
  -e 3388
  -s localhost (local TSGateway COM service)
  -v 3 (verbose output 1/2/3)
  -a connect (connect/call/pkt/integrity/privacy)
  -u ntlm (nego/ntlm/schannel/kerberos/kernel)
  -I "kamil,gps,*"
  -o RpcProxy=gps-wfe.gopas.virtual:443
  -F ssl
  -B msstd:gps-wfe.gopas.virtual
  -H ntlm (RPC over HTTP proxy authentication ntlm/basic)
  -P "proxykamil,gps,*"
  -U NTLM (HTTP proxy authentication ntlm/basic)

rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"

Page 37: Remote Access Technologies

RPC Proxy Troubleshooting

https://rpcserver/Rpc/RpcProxy.dll
https://rpcserver/RpcWithCert/RpcProxy.dll