Slide 1: Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com

Slide 2: Network Access Technologies
- VPN
  - SMB/SQL/LDAP/DCOM are sensitive to RTT
- Remote Desktop
  - no clipboard, no file proliferation
  - limited malware surface
- 802.1x
  - WiFi or Ethernet
  - no encryption, authorization only
- DirectAccess
  - GPO-managed IPSec tunnel over IPv6

Slide 3: VPN Scenario (diagram labels: VPN Client, VPN Gateway, NAT, DC, FS, SQL, RADIUS, SharePoint, RDP)

Slide 4: DA Scenario (diagram labels: DA Client, DA Server, NAT, DC, FS, SQL, RADIUS, SharePoint, RDP)

Slide 5: RDP Scenario (diagram labels: RDP Client, RDP Gateway, NAT, Wks, DC, FS, SQL, RADIUS, SharePoint, RDP)

Slide 6: 802.1x WiFi Scenario (diagram labels: WiFi Client, WiFi AP, DC, FS, SQL, RADIUS, SharePoint, RDP)

Slide 7: 802.1x Ethernet Scenario (diagram labels: Wks, Printer, Switch, DC, FS, SQL, RADIUS, SharePoint, RDP)

Slide 8: VPN Compared

| Protocol | Transport | Client | RRAS Server | Server Requirements | Client Requirements |
| PPTP | TCP 1723, IP GRE | MS-DOS and newer | NT 4.0 and newer | - | - |
| L2TP | UDP 500, 4500, IP ESP | NT 4.0, 98 and newer | 2000 and newer | IPSec certificate with public name, public IP | IPSec machine certificate |
| SSTP | TCP 443, TLS | Vista/2008 and newer | 2008 and newer | TLS certificate with public name | - |
| IKEv2 | UDP 500, 4500, IP ESP | 7/2008 R2 and newer | 2008 R2 and newer | IPSec certificate with public name, public IP | IPSec machine certificate |

Slide 9: VPN Compared (continued)

| Protocol | Transport | Client | RRAS Server | Server Requirements | Client Requirements |
| RD Gateway | TCP 443, TLS | RDP Client 6.0 and newer | 2008 and newer | TLS certificate with public name | - |
| DirectAccess | IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6to4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | 2012 and newer | IPSec certificate; TLS certificate with public name | IPSec machine certificate |

Slide 10: Network Access Protection (NAP)
- Client health validation before connecting
  - Firewall on?
  - Windows up-to-date?
  - Antimalware up-to-date?
  - SCCM compliance items in order?
- Client validates itself
  - no security, only an added layer of obstruction

Slide 11: Microsoft RADIUS Server
- Standard authentication server
  - IAS - Internet Authentication Service (2003-)
  - NPS - Network Policy Service (2008+)
- Authentication options
  - login/password
  - certificate
- Active Directory authentication only
- Clear-text transport with signatures
  - message authenticator (MD5)

Slide 12: RADIUS General (diagram labels: Access Client (VPN, WiFi, Ethernet, RDP GW), Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW), RADIUS, Active Directory with AD passthrough authentication, DHCP, DHCP Server)

Slide 13: RADIUS Terminology (diagram labels: Access Client (VPN, WiFi, Ethernet, RDP GW), RADIUS Client (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW), RADIUS, Active Directory with AD passthrough authentication, DHCP, DHCP Server)

Slide 14: Authentication Methods
- PAP, SPAP
  - clear text and hash, respectively
- CHAP
  - MD5 challenge response
  - requires "Store passwords using reversible encryption"
- MS-CHAP
  - NTLM equivalent
  - DES(MD4)
- MS-CHAPv2
  - NTLMv2 equivalent plus improvements (time constraints)
  - HMAC-MD5 (MD4)
- EAP-TLS, PEAP
  - client authentication certificate
  - in the user profile or on a smart card
- No authentication
  - sometimes the authentication occurs on the Access Server itself (RD Gateway)

Slide 15: PPTP issues
- MPPE encryption
  - proprietary, RC4
- Encryption keys are derived from the authentication products
  - "by" password or "by" certificate
- PAP/SPAP/EAP travels in clear

Slide 16: EAP-TLS vs. PEAP
- EAP-TLS is designed for a protected transport
  - does not protect itself
- Protected EAP
  - EAP wrapped in standard TLS

Slide 17: EAP/PEAP Generic (diagram labels: Access Client, Access Server, RADIUS, Active Directory; EAP/PEAP Server Certificate, EAP/PEAP Client Certificate, VPN Tunnel Server Certificate, VPN Tunnel Client Certificate)

Slide 18: MS-CHAPv2 with SSTP (diagram labels: Access Client, Access Server, RADIUS, Active Directory; VPN Tunnel Server Certificate)

Slide 19: EAP with SSTP (diagram labels: Access Client, Access Server, RADIUS, Active Directory; EAP Server Certificate, EAP/PEAP Client Certificate, VPN Tunnel Server Certificate)

Slide 20: PEAP with SSTP (diagram labels: Access Client, Access Server, RADIUS, Active Directory; PEAP Server Certificate, EAP Server Certificate, EAP/PEAP Client Certificate, VPN Tunnel Server Certificate)

Slide 21: RADIUS Clients configuration
- IP address of the device
  - can be resolved from DNS, but must match the IP address of the device (no reverse DNS)
- Shared secrets
  - MD5(random message authenticator + shared secret)
  - NETSH NPS DUMP ExportPSK=YES
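The MD5 message authenticator and shared secret mentioned on slides 11 and 21, worked through as an added example (this is not code from the presentation): a minimal RFC 2865/2869 Access-Request/Access-Accept exchange showing how a RADIUS client (the access server) checks that the reply really came from a server holding the shared secret, and how the Message-Authenticator attribute is verified. The username and secret are constructed sample values.

```python
# Added example (not from the slides): minimal RFC 2865/2869 authenticator handling.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
HDR = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, HDR + len(attrs)) + authenticator + attrs

def access_request(ident, username, secret, request_auth):
    """Access-Request carrying a Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed
    with the shared secret over the whole packet, computed with the attribute zeroed."""
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = packet(ACCESS_REQUEST, ident, request_auth, attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """Walk the attribute list, zero the Message-Authenticator value, recompute, compare."""
    pos = HDR
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:  # a malformed length would otherwise loop forever
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(pkt[pos + 2:pos + 18], expected)
        pos += alen
    return False

def response_authenticator(resp, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(resp[:4] + request_auth + resp[HDR:] + secret).digest()

def access_accept(ident, request_auth, secret, attrs=b""):
    pkt = packet(ACCESS_ACCEPT, ident, bytes(16), attrs)
    return pkt[:4] + response_authenticator(pkt, request_auth, secret) + pkt[HDR:]

def verify_response(resp, request_auth, secret):
    """RADIUS-client side: only a server holding the shared secret can produce this value."""
    expected = response_authenticator(resp, request_auth, secret)
    return hmac.compare_digest(resp[4:HDR], expected)
```

Note that neither value hides the attributes themselves; the slide's point about clear-text transport with signatures is exactly this: integrity and origin checks, not confidentiality.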

Slide 22: Implementing NPS Policy (slides 23-25 carry no transcript text)

Slide 26: NPS Auditing

Slide 27: PEAP on NPS (slide 28 carries no transcript text)

Slide 29: VPN Client Notes
- Validates CRL
- SSTP
  - does not use the CRL cache
  - HKLM\System\CCS\Services\SSTPSvc\Parameters
    - NoCertRevocationCheck = DWORD = 1
- IPSec
  - set global ipsec strongcrlcheck 0 (in the netsh advfirewall context)
  - HKLM\System\CCS\Services\PolicyAgent
    - StrongCrlCheck = 0: disabled
    - StrongCrlCheck = 1: fail only if revoked
    - StrongCrlCheck = 2: fail even if the CRL is not available
  - HKLM\System\CCS\Services\IPSec
    - AssumeUDPEncapsulationContextOnSendRule = 2

Slide 30: PEAP Client Settings

Slide 31: VPN Client Configuration
- Group Policy Preferences
  - limited options
- Connection Manager Administration Kit (CMAK)
  - creates VPN installation packages

Slide 32: 802.1x Notes
- Required services
  - WLAN AutoConfig (WlanSvc)
  - Wired AutoConfig (Dot3Svc)
- Group Policy Settings
  - Windows XP SP3 and newer
  - full configuration options

Slide 33: 802.1x Authentication
- User authentication
  - login/password
  - client certificate in the user profile or on a smart card
- Computer authentication
  - MACHINE$ login/password
  - client certificate in the local computer store
- Computer authentication with user re-authentication
  - works like a charm since Windows 7

Slide 34: MS-CHAPv2 with 802.1x (diagram labels: Access Client, AP/switch over WiFi or a single Ethernet cable, RADIUS, Active Directory)

Slide 35: EAP/PEAP with 802.1x (diagram labels: Access Client, AP/switch over WiFi or a single Ethernet cable, RADIUS, Active Directory; EAP/PEAP Client Certificate (User/Machine), EAP-TLS Server Certificate, EAP/PEAP Server Certificate)

Slide 36: RD Proxy Troubleshooting
- RPCPING parameters
  - -t ncacn_http
  - -e 3388 -s localhost (local TSGateway COM service)
  - -v 3 (verbose output 1/2/3)
  - -a connect (connect/call/pkt/integrity/privacy)
  - -u ntlm (nego/ntlm/schannel/kerberos/kernel)
  - -I "kamil,gps,*" (RPC server credentials)
  - -o RpcProxy=gps-wfe.gopas.virtual:443
  - -F ssl
  - -B msstd:gps-wfe.gopas.virtual
  - -H ntlm (RPC-over-HTTP proxy authentication ntlm/basic)
  - -P "proxykamil,gps,*" (RPC-over-HTTP proxy credentials)
  - -U NTLM (HTTP proxy authentication ntlm/basic)
- Complete example:
  rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"

Slide 37: RPC Proxy Troubleshooting
- https://rpcserver/Rpc/RpcProxy.dll
- https://rpcserver/RpcWithCert/RpcProxy.dll
