remote-access-wug - Ondrej Sevecek's Blog
Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
REMOTE ACCESS TECHNOLOGIES
Network Access Technologies
VPN
full network access from the client; SMB/SQL/LDAP/DCOM are sensitive to RTT, so chatty protocols perform badly over the tunnel
Remote Desktop
only screen, keyboard and mouse cross the link; clipboard and drive redirection can be disabled, so no files proliferate to the client
limited malware surface: the client only needs a trustworthy RDP client, not the whole application stack
802.1x
WiFi or Ethernet
authenticates and authorizes the port only: Ethernet traffic stays unencrypted, and on WiFi the WPA/WPA2 keys are derived from the EAP exchange, not from 802.1x itself
DirectAccess
GPO-managed IPsec tunnel over IPv6 (IPv6 transition technologies carry it over IPv4-only networks)
VPN Scenario (diagram): VPN Client -> VPN Gateway, authenticating against RADIUS -> internal SQL, DC, FS, SharePoint and RDP hosts
DA Scenario (diagram): DA Client -> DA Server, authenticating against RADIUS -> internal SQL, DC, FS, SharePoint and RDP hosts
RDP Scenario (diagram): RDP Client -> RDP Gateway, authenticating against RADIUS -> internal SQL, DC, FS, SharePoint, RDP host and workstations (Wks)
802.1x WiFi Scenario (diagram): WiFi Client -> WiFi AP, authenticating against RADIUS -> internal SQL, DC, FS, SharePoint and RDP hosts
802.1x Ethernet Scenario (diagram): workstations (Wks) and a printer -> Switch, authenticating against RADIUS -> internal SQL, DC, FS, SharePoint and RDP hosts
VPN Compared
Protocol | Transport | Client | Client requirement | Server (RRAS unless noted) | Server requirements
PPTP | TCP 1723 + IP GRE | MS-DOS and newer | - | NT 4.0 and newer | -
L2TP | UDP 500, 4500 + IP ESP | NT 4.0, 98 and newer | IPSec machine certificate | 2000 and newer | IPSec certificate, public name, public IP
SSTP | TCP 443 TLS | Vista/2008 and newer | - | 2008 and newer | TLS certificate, public name
IKEv2 | UDP 500, 4500 + IP ESP | 7/2008 R2 and newer | IPSec machine certificate | 2008 R2 and newer | IPSec certificate, public name, public IP
RD Gateway | TCP 443 TLS | RDP Client 6.0 and newer | - | 2008 and newer | TLS certificate, public name
DirectAccess | IPSec inside IPv6 inside TCP 443 TLS (IP-HTTPS) or Teredo/6to4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | IPSec machine certificate | 2012 and newer | IPSec certificate, TLS certificate, public name
GRE (PPTP) and ESP plus UDP 500/4500 (L2TP, IKEv2) must be allowed through every firewall and NAT on the path; SSTP, RD Gateway and DirectAccess over IP-HTTPS only need outbound TCP 443, which is why they work from hotel and guest networks where the others fail.
Network Access Protection (NAP)
Client health validation before connecting
Firewall on?
Windows up-to-date?
Antimalware up-to-date?
SCCM compliance items in order?
The client validates itself: the statement of health comes from the client's own agent, so a compromised or hostile client simply reports itself healthy
no security boundary, only an added layer of obstruction for honest but misconfigured machines
Microsoft RADIUS Server
Standard authentication server
IAS - Internet Authentication Service (up to Windows Server 2003)
NPS - Network Policy Server (2008 and newer)
Authentication options
login/password
certificate
Active Directory authentication only
Clear-text transport with signatures
RADIUS runs over UDP with its attributes, User-Name included, in clear; only the User-Password attribute is hidden, with an MD5 keystream derived from the shared secret
integrity comes from the MD5 Response Authenticator and the optional HMAC-MD5 Message-Authenticator attribute, both keyed with the shared secret, so the secret is the whole security of the protocol; keep RADIUS traffic on a trusted segment or inside IPsec
RADIUS General and RADIUS Terminology (diagrams): Access Client (VPN, WiFi, Ethernet, RDP GW, DHCP) -> Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server), which in RADIUS terminology is the RADIUS Client -> RADIUS server -> Active Directory (pass-through authentication)
Authentication Methods
PAP, SPAP | password sent in clear (PAP) or Shiva-hashed (SPAP) | AD must "Store passwords using reversible encryption"
CHAP | MD5 challenge response | AD must "Store passwords using reversible encryption"
MS-CHAP | NTLM equivalent: DES keyed from the MD4 (NT) password hash | AD password hash suffices
MS-CHAPv2 | adds mutual authentication and a SHA-1 derived challenge, but the response is still DES keyed from the MD4 (NT) hash, so it is NTLMv1 grade: a captured exchange yields the NT hash after a 2^56 DES search; use it only inside PEAP or an already encrypted tunnel (SSTP, IKEv2) | AD password hash suffices
EAP-TLS, PEAP | client authentication certificate in the user profile or on a smart card (EAP-TLS); PEAP tunnels an inner method (EAP-MSCHAPv2 or EAP-TLS) inside TLS | server certificate
No authentication | sometimes the authentication occurs on the Access Server itself (RD Gateway) | -
PPTP issues
MPPE encryption
proprietary, RC4
keyed by the authentication exchange: "by" password (MS-CHAP/MS-CHAPv2 NT hash) or "by" certificate (EAP-TLS master secret)
with PAP/SPAP/CHAP there is no key material, so there is no encryption at all
PPP authentication runs before MPPE is keyed, so PAP/SPAP passwords and plain EAP exchanges cross the Internet unprotected
MS-CHAPv2 over PPTP is breakable offline (the NT hash falls out of a captured handshake), which leaves PPTP suitable only for legacy clients that cannot do anything else
EAP-TLS vs. PEAP
EAP is designed to run over a protected transport and does not protect itself
the EAP identity travels in clear, and with EAP-TLS under TLS 1.2 the client certificate (user or machine name) is visible on the wire as well
Protected EAP
the inner EAP method (EAP-MSCHAPv2 or EAP-TLS) is wrapped in a standard TLS tunnel authenticated by the server certificate
the client must validate that server certificate (name and issuing CA); otherwise a rogue AP or NAS terminates the tunnel itself and harvests the MS-CHAPv2 exchange inside it
EAP/PEAP Generic (diagram): Access Client holding an EAP/PEAP client certificate -> VPN tunnel (client certificate, server certificate) -> Access Server -> RADIUS holding the EAP/PEAP server certificate -> Active Directory
MS-CHAPv2 with SSTP (diagram): Access Client -> VPN tunnel (server certificate only) -> Access Server -> RADIUS -> Active Directory
EAP with SSTP (diagram): Access Client holding an EAP/PEAP client certificate -> VPN tunnel (server certificate) -> Access Server -> RADIUS holding the EAP server certificate -> Active Directory
PEAP with SSTP (diagram): Access Client holding an EAP/PEAP client certificate -> VPN tunnel (server certificate) -> Access Server -> RADIUS holding the PEAP server certificate and the inner EAP server certificate -> Active Directory
RADIUS Clients configuration
IP address of the device
NPS can resolve a DNS name, but the packet source must match the resolved IP address of the device (no reverse DNS lookup)
Shared secrets
the only key in the protocol: Response Authenticator = MD5(packet + shared secret), Message-Authenticator = HMAC-MD5(shared secret, packet); a weak, guessable or reused secret lets anyone on the path forge an Access-Accept
NETSH NPS DUMP ExportPSK=YES
the export contains every shared secret in clear; treat the resulting file as a credential store
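The two RADIUS points above (clear-text transport with MD5 signatures under Microsoft RADIUS Server, and the shared secret under RADIUS Clients configuration) are easier to see in code. The following is an added example written for this page, not code from the slides or from NPS: it builds an Access-Request the way a NAS (RADIUS client) does, hides the User-Password per RFC 2865, signs the packet with the RFC 2869 Message-Authenticator, and verifies the Response Authenticator of an Access-Accept. The shared secret, user name and password in it are constructed demo values, not anything from the deck.

```python
"""RADIUS Access-Request / Access-Accept integrity between a NAS and NPS.
Added example for this page (not code from the slides): User-Password hiding
(RFC 2865 5.2), Message-Authenticator (RFC 2869 5.14) and Response Authenticator
(RFC 2865 3). SECRET, user and password are constructed demo values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80
HEADER = struct.Struct("!BBH")        # Code, Identifier, Length; 16-octet Authenticator follows
SECRET = b"example-radius-secret"     # constructed, not a real NPS shared secret


def attr(kind: int, value: bytes) -> bytes:
    """Type, Length (covers the two header octets) and Value of one attribute."""
    if len(value) > 253:
        raise ValueError("RADIUS attributes are at most 255 octets")
    return struct.pack("!BB", kind, len(value) + 2) + value


def iter_attrs(packet: bytes):
    """Yield (offset, type, value) for every attribute after the 20-octet header."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:               # malformed attribute; stop instead of looping forever
            return
        yield pos, kind, packet[pos + 2:pos + length]
        pos += length


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16 octets, XOR each block with MD5(secret + previous block), seeded with the
    Request Authenticator. A keystream, not a signature: whoever holds the secret undoes it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server (or an eavesdropper with the secret) does it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: bytes) -> bytes:
    """User-Name in clear, User-Password hidden, then Message-Authenticator =
    HMAC-MD5(secret, whole packet with this attribute's own value zeroed)."""
    body = attr(ATTR_USER_NAME, user)
    body += attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body) + len(placeholder)) + request_auth
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator value zeroed; False if absent or wrong."""
    for pos, kind, value in iter_attrs(packet):
        if kind == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes,
                           secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): all a NAS has to tell a
    genuine Access-Accept from a forged one."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    ra = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(attrs)) + ra + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of a reply against the Request Authenticator it sent and the shared secret."""
    code, ident, length = HEADER.unpack(packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    request_auth = os.urandom(16)  # a NAS picks a fresh random Request Authenticator per request
    req = build_access_request(7, b"kamil", b"Pa$$w0rd", SECRET, request_auth)
    print("User-Name readable on the wire:", b"kamil" in req)
    print("Message-Authenticator valid:", verify_message_authenticator(req, SECRET))
    print("Same packet, wrong secret:", verify_message_authenticator(req, b"guess"))
    hidden = next(v for _, k, v in iter_attrs(req) if k == ATTR_USER_PASSWORD)
    print("Password recovered with the secret:", reveal_password(hidden, SECRET, request_auth))
    accept = build_access_accept(7, request_auth, SECRET)
    print("Access-Accept genuine:", verify_response(accept, request_auth, SECRET))
```

Running it shows the three things the slides assert: User-Name is readable in the datagram, the password hiding is an MD5 keystream that anyone holding the shared secret reverses, and a single changed byte or a different secret fails the HMAC. Nothing else in the exchange authenticates either side, which is why an NPS shared secret (and the netsh export that contains it) deserves the same handling as a password.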
Implementing NPS Policy
NPS Auditing
PEAP on NPS
VPN Client Notes
Validates CRL
SSTP
does not use the CRL cache, so the client must reach the CDP at connect time; disabling the check is a troubleshooting step, not a fix, because it also hides a genuinely revoked server certificate
HKLM\System\CurrentControlSet\Services\SSTPSvc\Parameters
NoCertRevocationCheck = DWORD = 1
IPSec
netsh advfirewall set global ipsec strongcrlcheck 0
HKLM\System\CurrentControlSet\Services\PolicyAgent
StrongCrlCheck = 0 = disabled
StrongCrlCheck = 1 = fail only if the certificate is revoked (an unreachable CRL is tolerated)
StrongCrlCheck = 2 = fail even if the CRL is not available
HKLM\System\CurrentControlSet\Services\IPSec
AssumeUDPEncapsulationContextOnSendRule = DWORD = 2 (required when both the client and the server sit behind NAT; 1 covers only a server behind NAT)
PEAP Client Settings
VPN Client Configuration
Group Policy Preferences
limited options
Connection Manager Administration Kit (CMAK)
create VPN installation packages
802.1x Notes
Required services
WLAN AutoConfig (WlanSvc)
Wired AutoConfig (dot3svc)
Group Policy Settings
Windows XP SP3 and newer
full configuration options
802.1x Authentication
User authentication
login/password
client certificate in the user profile or on a smart card
Computer authentication
MACHINE$ login/password
client certificate in the local computer store
Computer authentication with user re-authentication
has worked reliably since Windows 7
MS-CHAPv2 with 802.1x (diagram): Access Client -> single Ethernet cable or WiFi -> switch/AP -> RADIUS -> Active Directory
EAP/PEAP with 802.1x (diagram): Access Client holding an EAP/PEAP client certificate (user or machine) -> single Ethernet cable or WiFi -> switch/AP -> RADIUS holding the EAP/PEAP and EAP-TLS server certificates -> Active Directory
RD Proxy Troubleshooting
RPCPING
-t ncacn_http (RPC over HTTP)
-e 3388 (RPC endpoint of the RD Gateway service)
-s localhost (local TSGateway COM service)
-v 3 (verbose output 1/2/3)
-a connect (connect/call/pkt/integrity/privacy)
-u ntlm (nego/ntlm/schannel/kerberos/kernel)
-I "kamil,gps,*" (RPC credentials as user,domain,password; * prompts for the password)
-o RpcProxy=gps-wfe.gopas.virtual:443
-F ssl
-B msstd:gps-wfe.gopas.virtual (expected server principal name for the TLS session)
-H ntlm (RPC over HTTP proxy authentication ntlm/basic)
-P "proxykamil,gps,*" (RPC over HTTP proxy credentials)
-U NTLM (HTTP proxy authentication ntlm/basic)
rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"
a password given on the command line as above ends up in shell history and process listings; use the "*" form and type it at the prompt
RPC Proxy Troubleshooting
https://rpcserver/Rpc/RpcProxy.dll
https://rpcserver/RpcWithCert/RpcProxy.dll