![Page 1: Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649c7b5503460f9492f668/html5/thumbnails/1.jpg)
REMOTE ACCESS TECHNOLOGIES
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |
Page 2: Network Access Technologies
- VPN: SMB/SQL/LDAP/DCOM are sensitive to RTT
- Remote Desktop: no clipboard, no file proliferation, limited malware surface
- 802.1x (WiFi or Ethernet): no encryption, authorization only
- DirectAccess: GPO-managed IPSec tunnel over IPv6
Page 3: VPN Scenario (diagram: VPN Client, VPN Gateway and NAT on the perimeter; DC, FS, SQL, RADIUS, SharePoint and RDP hosts inside)
Page 4: DA Scenario (diagram: DA Client, DA Server and NAT on the perimeter; DC, FS, SQL, RADIUS, SharePoint and RDP hosts inside)
Page 5: RDP Scenario (diagram: RDP Client, RDP Gateway and NAT on the perimeter; DC, FS, SQL, RADIUS, SharePoint, workstations (Wks) and RDP hosts inside)
Page 6: 802.1x WiFi Scenario (diagram: WiFi Client and WiFi AP; DC, FS, SQL, RADIUS, SharePoint and RDP hosts on the LAN)
Page 7: 802.1x Ethernet Scenario (diagram: workstations (Wks) and a Printer on an 802.1x Switch; DC, FS, SQL, RADIUS, SharePoint and RDP hosts on the LAN)
Pages 8-9: VPN Compared

| Protocol | Transport | Client | RRAS Server | Server Requirements | Client Requirements |
|---|---|---|---|---|---|
| PPTP | TCP 1723, IP GRE | MS-DOS and newer | NT 4.0 and newer | - | - |
| L2TP | UDP 500, 4500, IP ESP | NT 4.0, 98 and newer | 2000 and newer | IPSec certificate, public name, public IP | IPSec machine certificate |
| SSTP | TCP 443, TLS | Vista/2008 and newer | 2008 and newer | TLS certificate, public name | - |
| IKEv2 | UDP 500, 4500, IP ESP | 7/2008 R2 and newer | 2008 R2 and newer | IPSec certificate, public name, public IP | IPSec machine certificate |
| RD Gateway | TCP 443, TLS | RDP Client 6.0 and newer | 2008 and newer | TLS certificate, public name | - |
| DirectAccess | IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6-to-4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | 2012 and newer | IPSec certificate, TLS certificate, public name | IPSec machine certificate |
Page 10: Network Access Protection (NAP)
- Client health validation before connecting: Firewall on? Windows up-to-date? Antimalware up-to-date? SCCM compliance items in order?
- The client validates itself: no security, only an added layer of obstruction
Page 11: Microsoft RADIUS Server
- Standard authentication server: IAS - Internet Authentication Service (2003-), NPS - Network Policy Service (2008+)
- Authentication options: login/password, certificate; Active Directory authentication only
- Clear-text transport with signatures: message authenticator (MD5)
Page 12: RADIUS General (diagram: Access Client (VPN, WiFi, Ethernet, RDP GW) connects to an Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW); the Access Server speaks RADIUS to the RADIUS server, which performs AD passthrough authentication against Active Directory; a DHCP Server is also shown)
Page 13: RADIUS Terminology (diagram: the same topology as page 12, with the Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW) labelled as the RADIUS Client; the RADIUS server performs AD passthrough authentication against Active Directory; DHCP Server also shown)
Page 14: Authentication Methods
- PAP, SPAP: clear text and hashed, respectively
- CHAP: MD5 challenge response; requires "Store passwords using reversible encryption"
- MS-CHAP: NTLM equivalent, DES(MD4)
- MS-CHAPv2: NTLMv2 equivalent plus improvements (time constraints), HMAC-MD5 (MD4)
- EAP-TLS, PEAP: client authentication certificate in the user profile or on a smart card
- No authentication: sometimes the authentication occurs on the Access Server itself (RD Gateway)
Page 15: PPTP issues
- MPPE encryption: proprietary, RC4
- The encryption keys are produced by the authentication: "by" password or "by" certificate
- PAP/SPAP/EAP travel in clear
Page 16: EAP-TLS vs. PEAP
- EAP-TLS is designed for a protected transport: it does not protect itself
- Protected EAP (PEAP): EAP wrapped in standard TLS
Page 17: EAP/PEAP Generic (diagram: the Access Client holds an EAP/PEAP client certificate and a VPN tunnel client certificate; the Access Server holds a VPN tunnel server certificate; the RADIUS server holds the EAP/PEAP server certificate and authenticates against Active Directory)
Page 18: MS-CHAPv2 with SSTP (diagram: Access Client, Access Server with a VPN tunnel server certificate, RADIUS, Active Directory; no certificate on the client)
Page 19: EAP with SSTP (diagram: Access Client with an EAP/PEAP client certificate; Access Server with a VPN tunnel server certificate; RADIUS server with an EAP server certificate; Active Directory)
Page 20: PEAP with SSTP (diagram: as page 19, with the RADIUS server holding both a PEAP server certificate and an EAP server certificate)
Page 21: RADIUS Clients configuration
- IP address of the device: can be translated from DNS, but must match the IP address of the device (no reverse DNS)
- Shared secrets: MD5(random message authenticator + shared secret); NETSH NPS DUMP ExportPSK=YES exports them
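The shared-secret signatures the deck refers to (the Response Authenticator, MD5 over the packet plus the secret, and the HMAC-MD5 Message-Authenticator attribute) worked through as an added example; this is not code from the deck, the secret, user name and packet contents are constructed, and it follows RFC 2865/2869 so a RADIUS client can reject a reply that was not produced with its shared secret:

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # packet codes (RFC 2865)
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # attribute types (RFC 2865 / RFC 2869)

def build_packet(code, ident, authenticator, attrs):
    """Code(1) ID(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def message_authenticator(code, ident, authenticator, attrs, secret):
    """RFC 2869: HMAC-MD5 under the shared secret over the packet with this attribute zeroed."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, authenticator, zeroed), "md5").digest()

def sign_attrs(code, ident, authenticator, attrs, secret):
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]  # placeholder, then fill it in
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, authenticator, attrs, secret))
    return attrs

def make_access_request(ident, username, secret):
    """NAS side: fresh random 16-byte Request Authenticator; every reply is bound to it."""
    request_auth = os.urandom(16)
    attrs = sign_attrs(ACCESS_REQUEST, ident, request_auth, [(USER_NAME, username)], secret)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def make_reply(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = sign_attrs(code, ident, request_auth, attrs, secret)
    unsigned = build_packet(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_reply(reply, request_auth, secret):
    """NAS side: accept only if both signatures were produced with our shared secret."""
    code, ident = reply[0], reply[1]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    attrs = parse_attrs(reply[20:])
    mac = dict(attrs).get(MESSAGE_AUTHENTICATOR, b"")
    return hmac.compare_digest(expected, reply[4:20]) and hmac.compare_digest(
        mac, message_authenticator(code, ident, request_auth, attrs, secret))
```

Because the Request Authenticator is random per request and both digests include the shared secret, a reply replayed from an earlier exchange or forged by a host that does not know the secret fails verify_reply.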
Pages 22-25: Implementing NPS Policy
Page 26: NPS Auditing
Pages 27-28: PEAP on NPS
Page 29: VPN Client Notes
- Validates CRL
- SSTP: does not use the CRL cache; HKLM\System\CCS\Services\SSTPSvc\Parameters, NoCertRevocationCheck = DWORD = 1
- IPSec: set global ipsec strongcrlcheck 0; HKLM\System\CCS\Services\PolicyAgent, StrongCrlCheck: 0 = disabled, 1 = fail only if revoked, 2 = fail even if the CRL is not available; HKLM\System\CCS\Services\IPSec, AssumeUDPEncapsulationContextOnSendRule = 2
Page 30: PEAP Client Settings
Page 31: VPN Client Configuration
- Group Policy Preferences: limited options
- Connection Manager Administration Kit (CMAK): creates VPN installation packages
Page 32: 802.1x Notes
- Required services: WLAN AutoConfig (WlanSvc), Wired AutoConfig (Dot3Svc)
- Group Policy settings: Windows XP SP3 and newer have full configuration options
Page 33: 802.1x Authentication
- User authentication: login/password, or a client certificate in the user profile or on a smart card
- Computer authentication: MACHINE$ login/password, or a client certificate in the local computer store
- Computer authentication with user re-authentication: since Windows 7, works like a charm
Page 34: MS-CHAPv2 with 802.1x (diagram: Access Client attached to an AP/switch over a single Ethernet cable or WiFi; RADIUS server; Active Directory)
Page 35: EAP/PEAP with 802.1x (diagram: Access Client with an EAP/PEAP client certificate (user or machine) and trust in the EAP-TLS server certificate, attached to an AP/switch over a single Ethernet cable or WiFi; RADIUS server with the EAP/PEAP server certificate; Active Directory)
Page 36: RD Proxy Troubleshooting
RPCPING options:
- -t ncacn_http
- -e 3388
- -s localhost (local TSGateway COM service)
- -v 3 (verbose output 1/2/3)
- -a connect (connect/call/pkt/integrity/privacy)
- -u ntlm (nego/ntlm/schannel/kerberos/kernel)
- -I "kamil,gps,*"
- -o RpcProxy=gps-wfe.gopas.virtual:443
- -F ssl
- -B msstd:gps-wfe.gopas.virtual
- -H ntlm (RPC over HTTP proxy authentication ntlm/basic)
- -P "proxykamil,gps,*"
- -U NTLM (HTTP proxy authentication ntlm/basic)

Example: rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"
Page 37: RPC Proxy Troubleshooting
- https://rpcserver/Rpc/RpcProxy.dll
- https://rpcserver/RpcWithCert/RpcProxy.dll