SEC312
Enabling Secure
Remote Access
In your environment
Steve Riley
Sr. Program Manager
Security Business and Technology Unit
[email protected]
blogs.technet.com/steriley
Our time today
Solving the access vs. security dilemma
Understanding the three methods
External access to internal web-based
applications
Providing users with “desktop over HTTPS”
capabilities
Building full IP-based virtual private networks
When to choose which?
The dilemma: access or security
More users require more access from more places
Increase in mobile workers and where they come from
(homes, hotels, airports, hotspots)
Wireless access is everywhere now
No longer just “employee” access: business partners,
customers
But we can’t compromise security
Remote access increases security risks
Problems with implementing many current solutions
…unmanaged…unpatched…unprotected…
High prices
Difficult to deploy client side software
Ugh! How do we do this?
Internal Applications
Via the Web
Examples
What’s in common?
Internal application
Runs on a web server
New business requirement for providing
access while not attached to corpnet
E-mail (Outlook Web Access)
File sharing (SharePoint varieties)
Custom applications
Security issues
HTTPS is the transport
Provides the necessary privacy for protecting
confidential information in transit over the
Internet
But what about checking the content?
Intrusion detection (if you still do this)
Validating conformance to information
dissemination policies—email, documents, …
Typical design
Good: performance
Bad: security
[Diagram: App servers, AD, DB behind the outside and inside firewalls]
Isolates access based on
location
Protects internal network
Tunnel through outside
firewall: no inspection
Many holes in inside firewall
for authentication
Anonymous initial
connections
Improving security
Security goals
Inspect SSL traffic
Maintain wire privacy
Enforce conformance to HTML/HTTP
Allow only known URL construction
Block misuse of the protocol
Block URL-borne attacks
Optionally
Pre-authenticate incoming connections
Protect applications with ISA Server
ISA Server becomes
the “bastion host”
[Diagram: inbound request carrying a malformed <a href… http://… link → ISA Server → App, DB, AD]
Web proxy terminates
all connections
Decrypts HTTPS
Inspects content
Inspects URL (with
URLScan)
Re-encrypts for delivery
to web application
Protect applications with ISA Server
[Diagram: ISA Server answering the malformed request with 404]
Easy authentication to
Active Directory
Pre-authenticate
communications
[Diagram: App, DB, AD behind ISA Server]
ISA Server queries user
for credentials
Verifies against AD
Embeds in HTTP
headers to application
server
Requires FP1
New wizards and better rules
AuthN delegation requirements
Authenticate at the perimeter
Choice of domain membership or RADIUS
Client to ISA Server: basic or forms-based
authentication
ISA Server presents form and generates cookie
Separate timeouts for public and private computers
OWA form included; can copy and reuse code for your
own forms-based applications
ISA Server to web server: basic
Won’t work with client certificates
ISA Server has no access to client’s private key
Delegation process
[Diagram: delegation flow among browser, ISA Server, RADIUS, AD (WinLogon token) and IIS: access-request, 401, OWA form, form variables, cookie, URL + basic creds, access-accept with group attribs, data]
URLScan 2.5
Policy-based URL evaluation
Define what’s allowed; drop everything else
Just like you do in your firewall (right?)
Helps protect from attacks that—
Request unusual actions
Have a large number of characters
Are encoded using an alternate character set
Can be used in conjunction with SSL
inspection to detect attacks over SSL
Yes, the script-kiddie warez do this now, too
URLScan specifics
URL canonicalization: ..\..\cmd.exe, also written as %2e%2e\%2e%2e\cmd.exe, also written as %252e%252e\%252e%252e\cmd.exe
URL length
Content length
Content types
Permitted or blocked headers
Permitted or blocked verbs
Permitted or blocked file extensions
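An added example (not URLScan's own code) of the canonicalize-then-allow-list evaluation the slides describe: the request path is percent-decoded until it stops changing, so ..\..\cmd.exe and its single- and double-encoded forms are judged by the same rule, and the verb, length, character set and extension are checked against assumed policy values, not URLScan's shipped defaults.

```python
# Added example, not URLScan's own code: a URLScan-style evaluator that
# canonicalizes a request path before matching it against an allow-list,
# so that ..\..\cmd.exe, %2e%2e\%2e%2e\cmd.exe and %252e%252e\%252e%252e\cmd.exe
# are all judged by the same rule. Policy values below are assumed for
# illustration, not URLScan's shipped defaults.
import os
from urllib.parse import unquote

ALLOWED_VERBS = {"GET", "POST", "HEAD"}
ALLOWED_EXTENSIONS = {".aspx", ".asp", ".htm", ".html", ".css", ".js", ".gif", ".jpg"}
MAX_URL_LENGTH = 260
MAX_DECODE_ROUNDS = 3


def canonicalize(path: str) -> str:
    """Percent-decode until the string stops changing (catches double
    encoding such as %252e), fold backslashes to slashes, drop empty and
    '.' segments, and refuse any '..' segment that survives decoding."""
    decoded = path
    for _ in range(MAX_DECODE_ROUNDS):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:
        # still changing after the last round: nested far deeper than any
        # legitimate client encodes
        raise ValueError("excessive encoding depth")
    segments = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            raise ValueError("dot-dot segment after decoding")
        segments.append(seg)
    return "/" + "/".join(segments)


def evaluate(verb: str, raw_path: str):
    """Return (allowed, detail): detail is the canonical path when allowed,
    otherwise the reason the request was dropped."""
    if verb not in ALLOWED_VERBS:
        return False, "verb not permitted"
    if len(raw_path) > MAX_URL_LENGTH:
        return False, "URL too long"
    if any(ord(ch) > 127 for ch in raw_path):
        return False, "non-ASCII characters in URL"
    try:
        canon = canonicalize(raw_path)
    except ValueError as exc:
        return False, str(exc)
    if "%" in canon:
        # a '%' no decoding round consumed is not a known URL construction
        return False, "undecodable escape in URL"
    if os.path.splitext(canon)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "file extension not permitted"
    return True, canon


if __name__ == "__main__":
    for req in ("/scripts/..\\..\\cmd.exe",
                "/scripts/%2e%2e\\%2e%2e\\cmd.exe",
                "/scripts/%252e%252e\\%252e%252e\\cmd.exe",
                "/exchange/default.aspx"):
        print(req, "->", evaluate("GET", req))
```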
Recall the typical design (OWA example)
[Diagram: ExFE, SMTP, ExBE and AD in the typical OWA design]
New requirements, new designs
Move critical servers
inside for better
protection
Add ISA Server to your
existing DMZ
Increase security by publishing web-based applications
Use these exact words!
Few interior FW holes
[Diagram: ISA Server with ExFE and SMTP in the DMZ; ExBE and AD inside; flows labeled RADIUS (1812, 1813/udp) and HTTPS (443/tcp)]
Results
Known good content
Known good URL
Known good user
Dare I say it… trusted access?
Remote Desktop
Mechanisms
A useful “middle ground”
If users require more access than is possible through a standard web browser and web server,
but full IP VPNs might be too expensive, too complex, or provide too much access,
then consider technologies that display a desktop remotely, probably over HTTPS
SSL VPNs
Aren't:
VPNs
Appreciably simpler than other remote desktop alternatives
Any more secure than IPsec-based VPNs or HTTPS-protected access to published internal web sites
Are:
Poorly named, glomming on a trend
A "remote desktop in a browser"
Accessed via web-based front ends
Running proprietary protocols that require some ActiveX or Java add-on
Why not call it what it is?
It’s just remote desktop or remote display
Certainly not a new idea
Apparently not as sexy as “SSL VPN”
Two products can do this for you now
Terminal Services—basic remote desktop
display
Citrix Metaframe—more flexible preconfigured
remote desktops and application groupings
Remote Desktop client
Remote desktop MMC
RDP in detail
Based on the T.120 family of protocols
Multipoint Communications Service (MCS) (T.122, T.125): channel assignment, priority levels, data segmentation
Generic Conference Control (GCC): manages channels and session connections, controls resources
Extends core T.Share functionality
Two drivers
wdtshare.sys: UI, compression, encryption, framing
tdtcp.sys: packages RDP onto TCP
Permits up to 64,000 data transmission channels
Current version uses one channel for keyboard/mouse activity and display output
RDP in detail
Operates independent of network and
transport protocols
Bandwidth preservation
Compression
Caching in RAM and to disk (up to 10 MB for
bitmaps)
Supports Network Load Balancing
RDP packet creation
[Diagram: application data from several apps → MCS channels → wrapping/framing → TCP/IP stack]
Server 2003 enhancements
Can connect to real console in admin mode
Group policy control of various options
…profile paths…wallpaper…encryption…
WMI provider for scripted TS configuration
ADSI provider for access to per-user TS
profiles
TS Manager reduces automatic server
enumeration
Can limit users to a single session
Security enhancements
Follows standard Windows paradigms better
Remote Desktop Users (RDU) security group
contains IDs of allowed users
Most people allow “Everyone”
Permits controlling through group policy
Can also use Security Policy Editor to grant
permissions
128-bit RC4 (“high”) now the default
Software Restriction Policies can limit the programs
users are allowed to run
Server certificates (TLS) in Windows Server 2003
Service Pack 1
Encryption options
FIPS compliant: use Federal Information Processing Standards 140-1 and 140-2 algorithms in both directions; if already configured in the system's policy, you can't change it here
High: 128-bit RC4 in both directions
Client compatible: use whatever the client can support
Low: 56-bit encryption from client to server; cleartext from server to client
Securing Terminal Services
Typical layered approach
Physical security of the server computer
Secure configuration of the operating system
Secure configuration of Terminal Services
Proper security of the network path
“Locking down Windows Server 2003
Terminal Server sessions”—registry settings
for fine-grained control
Probably not necessary
Stopping MITM attacks
Yes, RDP is vulnerable to MITM attacks
SecurityFocus (1 Apr 2003): http://www.securityfocus.com/archive/1/317244
RDP, the good, the bad, and the ugly (28 May 2005): http://www.oxid.it/downloads/rdp-gbu.pdf
RDP's flaw: it doesn't authenticate the server to the client
This is a difficult lesson to learn (PPTP v1, WEP, …)
The fix: RDP-TLS in Windows Server 2003 SP1
Server sends digital certificate to client
Standard TLS exchange for authentication and encryption
http://support.microsoft.com/?id=895433
Important RDP settings
TS Configuration | Connections |
RDP-Tcp | Properties
End a disconnected session: 3 hours
Active session limit: 1 day
Idle session limit: 15 minutes
TS over the web is cool
Deployment: rapidly deploy several applications to many users; keep those applications up-to-date
Bandwidth: lowest bandwidth requirements; ideal for dial-up scenarios
Access: works on many devices, even some non-Windows; good for older hardware
Remote desktop web connection
Web browser connects to the web page http://server/tsweb on IIS with RDWC
Downloads the ActiveX control over HTTP (80/tcp) or HTTPS (443/tcp)
Connects to the Terminal Server over RDP (3389/tcp)
Full IP VPNs
Requirements for remote-access VPN
User authentication: restrict network access only to authorized users; provide auditing and accounting records
Address management: assign client computer's address on private network; provide address separation
Data encryption: encrypt user's data over Internet; keep confidential information private
Key management: generate/refresh encryption keys for client and server
Important terms
Authentication: proof that all parties in a transaction are who they say they are
Privacy: only the parties entitled to see the transaction are able to see it
Integrity: guarantees that information hasn't been altered or corrupted en route
Non-repudiation: mutual, binding confirmation that a transaction occurred, the digital analog of a signed contract
Authorization: ability to determine what privileges a user has after authentication
Authentication
What you know: static passwords; one-time passwords (OTP)
What you have: requires possession of a physical object; cryptographic calculators; public key smartcards (supported for IPsec, SSL/TLS, EAP)
What you are: authenticates the person; fingerprint analysis; retinal scan; speech pattern recognition; not based on a device or knowledge which can be transferred
Authorization
Reasons to care about authorization
Untrusted users on internal net (vendors,
contractors)
Need for different treatment of classes of users
Machine certificates are not enough
Makes authorization difficult
Guest has the same privileges as Administrator
Issue addressed in L2TP+IPsec
IPsec machine certificates provide integrity
protection and encryption
L2TP provides user authentication
LDAP/RADIUS provide authorization
Privacy
What good is it to authenticate and then have data
sent in the clear?
Privacy achieved through encryption
Implies need for authentication and key management,
protected ciphersuite negotiation
L2TP+IPsec provides for tunnel authentication, key
management, and protected ciphersuite negotiation
EAP-TLS (PPTP) provides key management, mutual
authentication and protected ciphersuite negotiation
MS-CHAP v2 provides key management, mutual
authentication for PPTP; encryption is MPPE
Physical security does not ensure privacy
Are telco WANs really more secure than IP?
Stateful vs. stateless encryption
Stateful:
Ability to decrypt a packet depends on previous packet(s)
If previous packet(s) were lost, you also lose the current packet
If packets are sent out of order, can result in loss where there was none
Result is poor performance on lossy networks (like the Internet)
Stateless:
Ability to decrypt a packet does not depend on previous packet(s)
Method of choice for use over the Internet
IPsec and MPPE are stateless
Integrity protection
What good is it to authenticate and then have
your connection hijacked?
Want mutual authentication to ensure against
rogue servers
Need per-packet integrity protection
L2TP+IPsec provides for integrity protection on
all data and control packets
PPTP v2 (with MS-CHAP v2) offers per-packet
integrity protection
Your choice of protocols
PPTP:
Authenticates human
Assigns IP address to remote computer
Encrypts session with MPPE (128-bit RC4)
Requires good passwords to be secure: MS-CHAPv2 ciphers based on password
Works over NAT
L2TP+IPsec:
L2TP authenticates human and assigns IP address to remote computer
IPsec ESP transport mode mutually authenticates computer and server with digital certificates or preshared keys and encrypts session with 3DES
Works over NAT finally
L2TP+IPsec packet format
[Diagram: IP | IPsec | UDP | L2TP | PPP | IP | App data, built up from the application's IP packet through PPP, L2TP, UDP and IPsec encapsulation]
L2TP+IPsec client automatically generates IPsec security rule
Windows L2TP always uses UDP source port 1701, dest port 1701
Outbound filter: Source IP = My IP address (Internet); Dest IP = Gateway IP; Protocol = UDP; Source port 1701, dest port any
IPsec IKE negotiation is for dest port = any, so that filter mirror for inbound port = any
Inbound filter: Source IP = Gateway IP; Dest IP = My IP address (Internet); Protocol = UDP; Source port any, dest port 1701
Allows gateway to float response port (per L2TP RFC 2661)
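An added example, not Windows' own filter code, modelling the outbound/inbound filter pair above and checking which filter a UDP packet falls under; the IP addresses are constructed sample values.

```python
# Added example, not Windows' own filter code: models the two mirrored IPsec
# filters the L2TP+IPsec client generates (outbound src 1701 -> any, inbound
# any -> 1701) and checks which one a UDP packet would match. Addresses are
# constructed sample values.
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard port, as in "dest port any"
L2TP_PORT = 1701


@dataclass(frozen=True)
class Filter:
    name: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: Optional[int]  # None means any
    dst_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def build_l2tp_filters(my_ip: str, gateway_ip: str):
    """The rule pair from the slide: outbound fixes the client's source port
    at 1701 and leaves the destination open; inbound is its mirror, so the
    gateway may float its response port (L2TP RFC 2661)."""
    outbound = Filter("outbound", my_ip, gateway_ip, "UDP", L2TP_PORT, ANY)
    inbound = Filter("inbound", gateway_ip, my_ip, "UDP", ANY, L2TP_PORT)
    return outbound, inbound


def matches(flt: Filter, pkt: Packet) -> bool:
    return (flt.src_ip == pkt.src_ip and flt.dst_ip == pkt.dst_ip
            and flt.proto == pkt.proto
            and flt.src_port in (ANY, pkt.src_port)
            and flt.dst_port in (ANY, pkt.dst_port))


def classify(pkt: Packet, filters) -> Optional[str]:
    """Name of the first filter the packet falls under, or None if it would
    travel outside the IPsec SA and so not be L2TP traffic at all."""
    for flt in filters:
        if matches(flt, pkt):
            return flt.name
    return None


def is_mirror(a: Filter, b: Filter) -> bool:
    """True when b is exactly a with source and destination swapped."""
    return ((a.src_ip, a.dst_ip, a.proto, a.src_port, a.dst_port)
            == (b.dst_ip, b.src_ip, b.proto, b.dst_port, b.src_port))
```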
L2TP+IPsec connection is protected
[Diagram: client → gateway with RADIUS and AD DC behind it; IPsec SAs for L2TP port 1701/udp (machine cert authN, IKE negotiation, setup and management); user authN and policy enforcement inside the L2TP tunnel]
No traffic gets in until:
IPsec SAs are established: strong security based on mutual certificate trust
User authenticated in L2TP, all protected by IPsec. PPP could use CHAP, MS-CHAP (userid/password), EAP (smartcard or token card); RADIUS client in gateway permits single sign-on for Active Directory user accounts
Where do you put the RRAS server?
How about on the firewall?
How RRAS+ISA secures connections
Broad protocol support
Authentication
PPTP and L2TP/IPSec
IPSec NAT traversal (NAT-T) for connectivity across any
network
Active Directory uses existing Windows accounts,
supports PKI for two factor authentication
RADIUS uses non-Windows accounts databases with
standards-based integration
SecurID provides strong, two-factor authentication using
tokens and RSA authentication servers
All inbound and outbound traffic is inspected by ISA
Server’s protocol filters
How RRAS+ISA controls access
Multi-network support
Control which portions of your network are
accessible from remote locations
Application layer firewall
Inspects all traffic to and from remote clients
Ensures conformance to protocol specifications
Network quarantine
Perform security checks on client before it’s
allowed access to the internal network
Provide mechanism for out-of-date clients to
update themselves
Network access quarantine
Client script checks whether client meets
corporate security policies
Personal firewall enabled?
Latest virus definitions used?
Required patches installed?
Routing table updates disabled?
Password-protected screen saver enabled?
If checks succeed, client gets full access
If checks fail client gets disconnected after
timeout period
VPN quarantine process (1)
Client computer connects
RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources (quarantine resources)
Script on client computer checks configuration settings
Script sends "success" notification to RRAS+ISA
RRAS+ISA assigns client to VPN clients network, providing access to internal network
VPN quarantine process (2)
Client computer connects
RRAS+ISA assigns client to quarantined VPN clients network, allowing access to limited resources (quarantine resources)
Script on client computer checks configuration settings
Script does not send "success" notification to RRAS+ISA
Client can update from quarantine resources
RRAS+ISA will disconnect client after timeout expires
Quarantine architecture
RAS client (on the Internet), CM profile:
• Runs customizable post connect script
• Script runs RQC notifier with "results string"
RRAS+ISA, Listener:
• RQS receives notifier "results string"
• Compares results to possible results
• Removes time-out if response received but client out of date
• Removes quarantine filter if client up to date
IAS Server, Quarantine VSAs:
• Timer limits time window to receive notify before auto disconnect
• Q-filter sets temporary route filter to quarantine access
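An added example (not RQS/RQC code from the page or from Windows) of the listener decision described in the network access quarantine and quarantine architecture slides: the session starts fenced by the Q-filter with the IAS timer running, and the RQC "results string" decides whether the filter is lifted, the timer is removed so the client can update, or the client is disconnected when the window closes. The results strings and timer value are constructed for illustration.

```python
# Added example, not RQS/RQC code from the page or from Windows: a model of
# the RQS listener's decision on the "results string" the client's RQC
# notifier sends after the post-connect script runs, with the IAS quarantine
# timer. Results strings and the timer value are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Strings the listener compares against; anything else is an unknown client
UP_TO_DATE_RESULTS = {"SRU-2.1-OK"}
OUT_OF_DATE_RESULTS = {"SRU-2.0-OK", "SRU-2.1-PATCHES-MISSING"}


@dataclass
class QuarantinedSession:
    session_id: str
    connected_at: float
    timeout_s: float                 # window from the IAS quarantine VSA
    quarantine_filter: bool = True   # Q-filter: route filter limiting access
    deadline: Optional[float] = field(init=False, default=None)
    state: str = "quarantined"

    def __post_init__(self):
        self.deadline = self.connected_at + self.timeout_s

    def on_results(self, results: str) -> str:
        """RQS received a notifier string; decide what to do with the session."""
        if self.state in ("released", "disconnected"):
            return self.state
        if results in UP_TO_DATE_RESULTS:
            # client passed its checks: lift the route filter, full access
            self.quarantine_filter = False
            self.deadline = None
            self.state = "released"
        elif results in OUT_OF_DATE_RESULTS:
            # client answered but failed: stop the clock so it can update from
            # the quarantine resources, but keep it fenced in
            self.deadline = None
            self.state = "updating"
        # an unrecognised string is ignored: the timer keeps running
        return self.state

    def tick(self, now: float) -> str:
        """Called periodically: disconnect if the window closed without a
        recognised notification."""
        if (self.state == "quarantined" and self.deadline is not None
                and now >= self.deadline):
            self.state = "disconnected"
        return self.state
```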
How Microsoft Does VPN
Current state of RAS at Microsoft
Two-factor authentication for VPN
Client placed in quarantine upon connecting
Security checks performed while in quarantine
Additional usability and security checks run outside
of quarantine as part of the connection
Three types of connection options:
Direct dial
Microsoft-contracted 3rd-party ISP
VPN over the Internet (this is >85% of use)
All connections end with a VPN session
RAS service—quick facts
User base: ~55,000 Microsoft employees and
~25,000 contract employees worldwide
Average of 45,000 unique RAS users per month
worldwide
Remote access devices globally
95 VPN servers, 17 RADIUS servers
18 standalone Cisco dial devices, 51 dial modules on
shared Cisco network device
Typical weekly RAS connections: ~193,233
Total direct dial: 11,268
Total VPN: 173,532
Total RAS over Internet: 10,759
Average connection duration (min.): 134
Special implications of VPN
Most use of VPN comes from unsecured
networks
Verifying the identity of VPN users requires a
higher bar
The higher bandwidth enabled by broadband also increases the effectiveness of brute force attacks
Servicing the security needs of a remotely
located client brings additional challenges
The RAS security threats
Malicious users
Unpatched vulnerabilities and weak configurations
expose valid network credentials
Home users’ machines are frequently attacked
Remote network access secured only by passwords
Unauthorized activity with valid credentials is difficult
to detect and prevent
Malicious software
Unmanaged and infected remote devices put
corporate resources at risk
Viruses, trojans, worms
Always-on broadband Internet access heightens
exposure
Addressing the security threats
Threat: Malicious users. Requirement: Two-factor authentication. Solution: Smartcards for RAS logon
Threat: Malicious software. Requirement: Enforce remote system security configuration. Solution: Connection Manager and RAS Quarantine
Strengthening identity with smartcards
Replaced building access
cards with
proximity+smartcards
Remote access policy
(RAP) deployed on
VPN/RADIUS infrastructure
Uses existing self-hosted
PKI for digital certificate
management
Centralized card
management team formed
to manage card creation,
distribution, and support
Securing the RAS client
Infrastructure components
Windows 2003 RRAS server (~400-600 ports configured
per server)
RQS on RRAS server
Internet Authentication Services (IAS)
Responsible for authentication and policy setting
Can apply different policies based on back end rules (this is how
exceptions are granted)
Connection Manager Administration Kit (CMAK)
ISA Server 2004
Client side components
Custom connection created with CMAK
Security scanning scripts—”Secure Remote User” (SRU)
Why ISA Server 2004?
Packet size limitation with RADIUS that limits the size of the filter list
Microsoft needs more servers in the quarantine network than the limit allows for:
DCs
SRU Servers
DNS
Management of filter lists is easier with ISA Server 2004 than using IAS filters
Connection Manager
Provides mechanism to manage phone book
entries for service
Enables entry points for actions executed
during connection experience
Pre-initialize
Pre-connect
Post-connect
Pre-tunnel
Post-tunnel
SRU runs in various places during the
connection
Connection Manager
Secure Remote User (SRU)
Designed and developed by Microsoft IT
Enterprise Application Services (EAS)
Performs critical security checks
Windows Firewall on
Internet Connection Sharing off
Patch management
Anti-virus using Computer Associates eTrust
Operating system version compliance
Very flexible, self-updating, and gathers metrics from the user's perspective
RAS infrastructure
[Diagram: Microsoft corporate network boundary. A remote client with smart card and modem reaches the corporate network three ways: direct dial over telephone service to a Cisco router (CHAP authentication); analog/ISDN dial through an ISP (MS-CHAP v2 authentication to the ISP) with a VPN tunnel over the dial-up connection using EAP-TLS; and a VPN tunnel over a broadband connection using EAP-TLS. The Routing and Remote Access VPN server and regional IAS/RADIUS servers handle authentication; an IAS proxy server provides RADIUS authorization; Active Directory (user groups, global catalog, domain controller) provides LDAP authorization, secure RPC domain authentication, Microsoft user account authentication and EAP-TLS security authentication (smart card); user session data transfers to a SQL Server central database store for custom automated reporting. Legend: data transfer path, authentication transfer path, physical dial connections.]
The user experience
Average connect experience worldwide is
under two minutes
Failed security check results in opportunity to
remediate
Microsoft IT design decision
Incorrect smartcard PIN results in quick
notification
Since PIN unlocks card, decision is made locally
Five incorrect PIN entries will lock the smartcard; takes a help desk call to unlock
Lessons we learned
Manage change—minimize overlaps
Provide internal and external sites where users can obtain
security tools
Consider analog dial-up users when designing security
scripts
Communicate and set user expectations clearly
The solution is only as good as the components
Deploy smartcards first
Then Connection Manager and security scanning second
Monitor and measure each required element
Don’t wait until using RAS to bring machine into
compliance—encourage proactive security practices
So What to Do Now?
Resources
Everything about VPN and RRAS
http://www.microsoft.com/vpn
ISA Server info and deployment guides
http://www.microsoft.com/isaserver
Terminal Server
http://www.microsoft.com/terminalserver
http://www.awprofessional.com/title/0321336437
promo code: JJSR6437
Steve Riley
[email protected]
blogs.technet.com/steriley
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.