remote-access-wug - Ondrej Sevecek`s Blog

Report
Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
REMOTE ACCESS TECHNOLOGIES
Network Access Technologies
 VPN
 SMB/SQL/LDAP/DCOM sensitive to RTT
 Remote Desktop
 no clipboard, no file proliferation
 limited malware surface
 802.1x
 WiFi or Ethernet
 no encryption, authorization only
 DirectAccess
 GPO managed IPSec tunnel over IPv6
VPN Scenario
VPN
Client
SQL
DC
FS
Share
Point
RDP
RADIUS
VPN
Gateway
DA Scenario
DA
Client
SQL
DC
FS
Share
Point
RDP
RADIUS
DA
Server
RDP Scenario
RDP
Client
SQL
DC
FS
Wks
Wks
Wks
Share
Point
RDP
RADIUS
RDP
Gateway
802.1x WiFi Scenario
SQL
DC
FS
Share
Point
WiFi AP
RDP
WiFi
Client
RADIUS
802.1x Ethernet Scenario
SQL
DC
FS
Share
Point
Wks
Switch
RDP
Wks
RADIUS
Printer
VPN Compared
Protocol
Transport
Client
PPTP
TCP 1723
IP GRE
MS-DOS and newer
L2TP
SSTP
IKEv2
UDP 500, 4500
IP ESP
TCP 443
TLS
UDP 500, 4500
IP ESP
RRAS Server
Server
Requirements
NT 4.0 and newer
-
2000 and newer
IPSec certificate
public name
Public IP
2008 and newer
TLS certificate
public name
2008 R2 and
newer
IPSec certificate
public name
Public IP
-
NT 4.0, 98
and newer
IPSec machine
certificate
Vista/2008 and newer
-
7/2008 R2 and newer
IPSec machine
certificate
VPN Compared
Protocol
RD Gateway
Transport
TCP 443
TLS
Client
RDP Client 6.0
and newer
RRAS Server
Server
Requirements
2008 and newer
TLS certificate
public name
2012 and newer
IPSec certificate
TLS certificate
public name
-
DirectAccess
IPSec inside
IPv6 inside
TCP 443 TLS
or Teredo/6-to-4
7/2008 R2 Enteprise
IPv6 enabled, GPO
IPSec machine
certificate
Network Access Protection (NAP)
 Client health validation before connecting
 Firewall on?
 Windows up-to-date?
 Antimalware up-to-date?
 SCCM compliance items in order?
 Client validates itself
 no security, only an added layer of obstruction
Microsoft RADIUS Server
 Standard authentication server
 IAS - Internet Authentication Service (2003-)
 NPS - Network Policy Service (2008+)
 Authentication options
 login/password
 certificate
 Active Directory authentication only
 Clear-text transport with signatures
 message authenticator (MD5)
RADIUS General
RRAS VPN
WiFi AP
Access
Client
Ethernet Switch
RDP GW
VPN
Access
Server
DHCP Server
WiFi
Ethernet
RDP GW
DHCP
RADIUS
RADIUS
AD Passthrough
Authentication
Active
Directory
RADIUS Terminology
RRAS VPN
WiFi AP
Access
Client
Ethernet Switch
RDP GW
VPN
RADIUS
Client
DHCP Server
WiFi
Ethernet
RDP GW
DHCP
RADIUS
RADIUS
AD Passthrough
Authentication
Active
Directory
Authentication Methods

PAP, SPAP


CHAP



NTLMv2 equivalent plus improvements (time constraints)
HMAC-MD5 (MD4)
EAP-TLS, PEAP



NTLM equivalent
DES(MD4)
MS-CHAPv2



MD5 challenge response
Store passwords using reversible encryption
MS-CHAP



clear, hash resp.
client authentication certificate
in user profile or in smart/card
No authentication

sometimes the authentication occurs on the Access Server itself (RD Gateway)
PPTP issues
 MPPE encryption
 proprietary, RC4
 Encrypted by authentication products
 "by" password or "by" certificate
 PAP/SPAP/EAP travels in clear
EAP-TLS vs. PEAP
 EAP-TLS is designed for protected transport
 does not protect itself
 Protected EAP
 EAP wrapped in standard TLS
EAP/PEAP Generic
Access
Client
EAP/PEAP
Client
Certificate
VPN Tunnel
Client
Certificate
VPN Tunnel
Server
Certificate
Access
Server
EAP/PEAP
Server
Certificate
RADIUS
Active
Directory
MS-CHAPv2 with SSTP
Access
Client
VPN Tunnel
Server
Certificate
Access
Server
RADIUS
Active
Directory
EAP with SSTP
Access
Client
EAP/PEAP
Client
Certificate
VPN Tunnel
Server
Certificate
Access
Server
EAP
Server
Certificate
RADIUS
Active
Directory
PEAP with SSTP
Access
Client
EAP/PEAP
Client
Certificate
VPN Tunnel
Server
Certificate
Access
Server
PEAP
Server
Certificate
EAP
Server
Certificate
RADIUS
Active
Directory
RADIUS Clients configuration
 IP address of the device
 can translate from DNS, but must match IP
address of the device (no reverse DNS)
 Shared secrets
 MD5(random message authenticator + shared
secret)
 NETSH NPS DUMP ExportPSK=YES
Implementing NPS Policy
Implementing NPS Policy
Implementing NPS Policy
Implementing NPS Policy
NPS Auditing
PEAP on NPS
PEAP on NPS
VPN Client Notes
 Validates CRL
 SSTP
 does not use CRL cache
 HKLM\System\CCS\Services\SSTPSvc\Parameters
 NoCertRevocationCheck = DWORD = 1
 IPSec







set global ipsec strongcrlcheck 0
HKLM\System\CCS\Services\PolicyAgent
StrongCrlCheck = 0 = disabled
StrongCrlCheck = 1 = fail only if revoked
StrongCrlCheck = 2 = fail even if CRL not available
HKLM\System\CCS\Services\IPSec
AssumeUDPEncapsulationContextOnSendRule = 2
PEAP Client Settings
VPN Client Configuration
 Group Policy Preferences
 limited options
 Connection Manager Administration Kit
(CMAK)
 create VPN installation packages
802.1x Notes
 Required services
 WLAN Autoconfig (WlanSvc)
 Wired Autoconfig (Doc3Svc)
 Group Policy Settings
 Windows XP SP3 and newer
 full configuration options
802.1x Authentication
 User authentication
 login/password
 client certificate in user profile or in smart card
 Computer authentication
 MACHINE$ login/password
 client certificate in the local computer store
 Computer authentication with user re-
authentication
 since Windows 7 works like charm
MS-CHAPv2 with 802.1x
Access
Client
single
Ethernet
cable
AP
switch
WiFi
RADIUS
Active
Directory
EAP/PEAP with 802.1x
Access
Client
EAP/PEAP
Client
Certificate
User
single
Ethernet
cable
Machine
WiFi
AP
switch
EAP/PEAP
EAP-TLS
Server
Server
Certificate
Certificate
RADIUS
Active
Directory
RD Proxy Troubleshooting

RPCPING
-t ncacn_http
-e 3388
-s localhost (local TSGateway COM service)
-v 3 (verbose output 1/2/3)
-a connect (conntect/call/pkt/integrity/privacy)
-u ntlm (nego/ntlm/schannel/kerberos/kernel)
-I "kamil,gps,*"
-o RpcProxy=gps-wfe.gopas.virtual:443
-F ssl
-B msstd:gps-wfe.gopas.virtual
-H ntlm (RPCoverHTTP proxy authentication ntlm/basic)
-P "proxykamil,gps,*"
-U NTLM (HTTP proxy authentication ntlm/basic)

rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o
RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"
RPC Proxy Troubleshooting
 https://rpcserver/Rpc/RpcProxy.dll
 https://rpcserver/RpcWithCert/RpcProxy.dll

similar documents