Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Similar presentations


Presentation on theme: "Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |"— Presentation transcript:

1 Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

2 Network Access Technologies  VPN  SMB/SQL/LDAP/DCOM sensitive to RTT  Remote Desktop  no clipboard, no file proliferation  limited malware surface  802.1x  WiFi or Ethernet  no encryption, authorization only  DirectAccess  GPO managed IPSec tunnel over IPv6

3 RDP VPN Scenario VPN Client VPN Gateway DC FS SQL RADIUS NAT Share Point

4 RDP DA Scenario DA Client DA Server DC FS SQL RADIUS NAT Share Point

5 Wks RDP RDP Scenario RDP Client RDP Gateway DC FS SQL RADIUS NAT Share Point Wks

6 RDP 802.1x WiFi Scenario WiFi Client DC FS SQL RADIUS WiFi AP Share Point

7 RDP 802.1x Ethernet Scenario Wks DC FS SQL RADIUS Switch Share Point Wks Printer

8 VPN Compared ProtocolTransportClientRRAS Server Server Requirements PPTP TCP 1723 IP GRE MS-DOS and newer NT 4.0 and newer- - L2TP UDP 500, 4500 IP ESP NT 4.0, 98 and newer 2000 and newer IPSec certificate public name Public IP IPSec machine certificate SSTP TCP 443 TLS Vista/2008 and newer 2008 and newer TLS certificate public name - IKEv2 UDP 500, 4500 IP ESP 7/2008 R2 and newer 2008 R2 and newer IPSec certificate public name Public IP IPSec machine certificate

9 VPN Compared ProtocolTransportClientRRAS Server Server Requirements RD Gateway TCP 443 TLS RDP Client 6.0 and newer 2008 and newer TLS certificate public name - DirectAccess IPSec inside IPv6 inside TCP 443 TLS or Teredo/6-to-4 7/2008 R2 Enteprise IPv6 enabled, GPO 2012 and newer IPSec certificate TLS certificate public name IPSec machine certificate

10 Network Access Protection (NAP)  Client health validation before connecting  Firewall on?  Windows up-to-date?  Antimalware up-to-date?  SCCM compliance items in order?  Client validates itself  no security, only an added layer of obstruction

11 Microsoft RADIUS Server  Standard authentication server  IAS - Internet Authentication Service (2003-)  NPS - Network Policy Service (2008+)  Authentication options  login/password  certificate  Active Directory authentication only  Clear-text transport with signatures  message authenticator (MD5)

12 RADIUS General Access Client RADIUS Active Directory VPN WiFi Ethernet RDP GW RADIUS Access Server AD Passthrough Authentication RRAS VPN WiFi AP Ethernet Switch RDP GW DHCP DHCP Server

13 RADIUS Terminology Access Client RADIUS Active Directory VPN WiFi Ethernet RDP GW RADIUS RADIUS Client AD Passthrough Authentication RRAS VPN WiFi AP Ethernet Switch RDP GW DHCP DHCP Server

14 Authentication Methods  PAP, SPAP  clear, hash resp.  CHAP  MD5 challenge response  Store passwords using reversible encryption  MS-CHAP  NTLM equivalent  DES(MD4)  MS-CHAPv2  NTLMv2 equivalent plus improvements (time constraints)  HMAC-MD5 (MD4)  EAP-TLS, PEAP  client authentication certificate  in user profile or in smart/card  No authentication  sometimes the authentication occurs on the Access Server itself (RD Gateway)

15 PPTP issues  MPPE encryption  proprietary, RC4  Encrypted by authentication products  "by" password or "by" certificate  PAP/SPAP/EAP travels in clear

16 EAP-TLS vs. PEAP  EAP-TLS is designed for protected transport  does not protect itself  Protected EAP  EAP wrapped in standard TLS

17 EAP/PEAP Generic Access Client RADIUS Active Directory EAP/PEAP Server Certificate Access Server EAP/PEAP Client Certificate VPN Tunnel Server Certificate VPN Tunnel Client Certificate

18 MS-CHAPv2 with SSTP Access Client RADIUS Active Directory Access Server VPN Tunnel Server Certificate

19 EAP with SSTP Access Client RADIUS Active Directory EAP Server Certificate Access Server EAP/PEAP Client Certificate VPN Tunnel Server Certificate

20 PEAP with SSTP Access Client RADIUS Active Directory PEAP Server Certificate Access Server EAP/PEAP Client Certificate VPN Tunnel Server Certificate EAP Server Certificate

21 RADIUS Clients configuration  IP address of the device  can translate from DNS, but must match IP address of the device (no reverse DNS)  Shared secrets  MD5(random message authenticator + shared secret)  NETSH NPS DUMP ExportPSK=YES

22 Implementing NPS Policy

23

24

25

26 NPS Auditing

27 PEAP on NPS

28

29 VPN Client Notes  Validates CRL  SSTP  does not use CRL cache  HKLM\System\CCS\Services\SSTPSvc\Parameters  NoCertRevocationCheck = DWORD = 1  IPSec  set global ipsec strongcrlcheck 0  HKLM\System\CCS\Services\PolicyAgent  StrongCrlCheck = 0 = disabled  StrongCrlCheck = 1 = fail only if revoked  StrongCrlCheck = 2 = fail even if CRL not available  HKLM\System\CCS\Services\IPSec  AssumeUDPEncapsulationContextOnSendRule = 2

30 PEAP Client Settings

31 VPN Client Configuration  Group Policy Preferences  limited options  Connection Manager Administration Kit (CMAK)  create VPN installation packages

32 802.1x Notes  Required services  WLAN Autoconfig (WlanSvc)  Wired Autoconfig (Doc3Svc)  Group Policy Settings  Windows XP SP3 and newer  full configuration options

33 802.1x Authentication  User authentication  login/password  client certificate in user profile or in smart card  Computer authentication  MACHINE$ login/password  client certificate in the local computer store  Computer authentication with user re- authentication  since Windows 7 works like charm

34 MS-CHAPv2 with 802.1x Access Client RADIUS Active Directory AP switch single Ethernet cable WiFi

35 EAP/PEAP with 802.1x Access Client RADIUS Active Directory AP switch single Ethernet cable WiFi EAP/PEAP Client Certificate UserMachine EAP-TLS Server Certificate EAP/PEAP Server Certificate

36 RD Proxy Troubleshooting  RPCPING -t ncacn_http -e s localhost (local TSGateway COM service) -v 3 (verbose output 1/2/3) -a connect (conntect/call/pkt/integrity/privacy) -u ntlm (nego/ntlm/schannel/kerberos/kernel) -I "kamil,gps,*" -o RpcProxy=gps-wfe.gopas.virtual:443 -F ssl -B msstd:gps-wfe.gopas.virtual -H ntlm (RPCoverHTTP proxy authentication ntlm/basic) -P "proxykamil,gps,*" -U NTLM (HTTP proxy authentication ntlm/basic)  rpcping -t ncacn_http -e s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"

37 RPC Proxy Troubleshooting  https://rpcserver/Rpc/RpcProxy.dll  https://rpcserver/RpcWithCert/RpcProxy.dll


Download ppt "Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |"

Similar presentations


Ads by Google