Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Network Access Technologies VPN SMB/SQL/LDAP/DCOM sensitive to RTT Remote Desktop no clipboard, no file proliferation limited malware surface 802.1x WiFi or Ethernet no encryption, authorization only DirectAccess GPO managed IPSec tunnel over IPv6
RDP VPN Scenario VPN Client VPN Gateway DC FS SQL RADIUS NAT Share Point
RDP DA Scenario DA Client DA Server DC FS SQL RADIUS NAT Share Point
Wks RDP RDP Scenario RDP Client RDP Gateway DC FS SQL RADIUS NAT Share Point Wks
RDP 802.1x WiFi Scenario WiFi Client DC FS SQL RADIUS WiFi AP Share Point
RDP 802.1x Ethernet Scenario Wks DC FS SQL RADIUS Switch Share Point Wks Printer
VPN Compared ProtocolTransportClientRRAS Server Server Requirements PPTP TCP 1723 IP GRE MS-DOS and newer NT 4.0 and newer- - L2TP UDP 500, 4500 IP ESP NT 4.0, 98 and newer 2000 and newer IPSec certificate public name Public IP IPSec machine certificate SSTP TCP 443 TLS Vista/2008 and newer 2008 and newer TLS certificate public name - IKEv2 UDP 500, 4500 IP ESP 7/2008 R2 and newer 2008 R2 and newer IPSec certificate public name Public IP IPSec machine certificate
VPN Compared ProtocolTransportClientRRAS Server Server Requirements RD Gateway TCP 443 TLS RDP Client 6.0 and newer 2008 and newer TLS certificate public name - DirectAccess IPSec inside IPv6 inside TCP 443 TLS or Teredo/6-to-4 7/2008 R2 Enteprise IPv6 enabled, GPO 2012 and newer IPSec certificate TLS certificate public name IPSec machine certificate
Network Access Protection (NAP) Client health validation before connecting Firewall on? Windows up-to-date? Antimalware up-to-date? SCCM compliance items in order? Client validates itself no security, only an added layer of obstruction
Microsoft RADIUS Server Standard authentication server IAS - Internet Authentication Service (2003-) NPS - Network Policy Service (2008+) Authentication options login/password certificate Active Directory authentication only Clear-text transport with signatures message authenticator (MD5)
RADIUS General Access Client RADIUS Active Directory VPN WiFi Ethernet RDP GW RADIUS Access Server AD Passthrough Authentication RRAS VPN WiFi AP Ethernet Switch RDP GW DHCP DHCP Server
RADIUS Terminology Access Client RADIUS Active Directory VPN WiFi Ethernet RDP GW RADIUS RADIUS Client AD Passthrough Authentication RRAS VPN WiFi AP Ethernet Switch RDP GW DHCP DHCP Server
Authentication Methods PAP, SPAP clear, hash resp. CHAP MD5 challenge response Store passwords using reversible encryption MS-CHAP NTLM equivalent DES(MD4) MS-CHAPv2 NTLMv2 equivalent plus improvements (time constraints) HMAC-MD5 (MD4) EAP-TLS, PEAP client authentication certificate in user profile or in smart/card No authentication sometimes the authentication occurs on the Access Server itself (RD Gateway)
PPTP issues MPPE encryption proprietary, RC4 Encrypted by authentication products "by" password or "by" certificate PAP/SPAP/EAP travels in clear
EAP-TLS vs. PEAP EAP-TLS is designed for protected transport does not protect itself Protected EAP EAP wrapped in standard TLS
EAP/PEAP Generic Access Client RADIUS Active Directory EAP/PEAP Server Certificate Access Server EAP/PEAP Client Certificate VPN Tunnel Server Certificate VPN Tunnel Client Certificate
MS-CHAPv2 with SSTP Access Client RADIUS Active Directory Access Server VPN Tunnel Server Certificate
EAP with SSTP Access Client RADIUS Active Directory EAP Server Certificate Access Server EAP/PEAP Client Certificate VPN Tunnel Server Certificate
PEAP with SSTP Access Client RADIUS Active Directory PEAP Server Certificate Access Server EAP/PEAP Client Certificate VPN Tunnel Server Certificate EAP Server Certificate
RADIUS Clients configuration IP address of the device can translate from DNS, but must match IP address of the device (no reverse DNS) Shared secrets MD5(random message authenticator + shared secret) NETSH NPS DUMP ExportPSK=YES
Implementing NPS Policy
NPS Auditing
PEAP on NPS
VPN Client Notes Validates CRL SSTP does not use CRL cache HKLM\System\CCS\Services\SSTPSvc\Parameters NoCertRevocationCheck = DWORD = 1 IPSec set global ipsec strongcrlcheck 0 HKLM\System\CCS\Services\PolicyAgent StrongCrlCheck = 0 = disabled StrongCrlCheck = 1 = fail only if revoked StrongCrlCheck = 2 = fail even if CRL not available HKLM\System\CCS\Services\IPSec AssumeUDPEncapsulationContextOnSendRule = 2
PEAP Client Settings
VPN Client Configuration Group Policy Preferences limited options Connection Manager Administration Kit (CMAK) create VPN installation packages
802.1x Notes Required services WLAN Autoconfig (WlanSvc) Wired Autoconfig (Doc3Svc) Group Policy Settings Windows XP SP3 and newer full configuration options
802.1x Authentication User authentication login/password client certificate in user profile or in smart card Computer authentication MACHINE$ login/password client certificate in the local computer store Computer authentication with user re- authentication since Windows 7 works like charm
MS-CHAPv2 with 802.1x Access Client RADIUS Active Directory AP switch single Ethernet cable WiFi
EAP/PEAP with 802.1x Access Client RADIUS Active Directory AP switch single Ethernet cable WiFi EAP/PEAP Client Certificate UserMachine EAP-TLS Server Certificate EAP/PEAP Server Certificate
RD Proxy Troubleshooting RPCPING -t ncacn_http -e s localhost (local TSGateway COM service) -v 3 (verbose output 1/2/3) -a connect (conntect/call/pkt/integrity/privacy) -u ntlm (nego/ntlm/schannel/kerberos/kernel) -I "kamil,gps,*" -o RpcProxy=gps-wfe.gopas.virtual:443 -F ssl -B msstd:gps-wfe.gopas.virtual -H ntlm (RPCoverHTTP proxy authentication ntlm/basic) -P "proxykamil,gps,*" -U NTLM (HTTP proxy authentication ntlm/basic) rpcping -t ncacn_http -e s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"
RPC Proxy Troubleshooting