- Monthly Newsletter - March 2014

Welcome to the newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to

Editor's Corner

Historically, remote access solutions such as virtual private networks (VPNs) were deployed to allow for the remote administration of networks and systems by administrators. In recent years, however, remote access is increasingly deployed to improve end user productivity. With the proliferation of portable computing devices (laptops, tablets, smartphones, etc.), today's highly mobile workforce requires, even demands, remote corporate network connectivity to applications and data. A remote access solution is no longer an option today, it is a requirement.

In the early days, remote access was often established using plain-old telephone service (POTS) with a dial-up VPN client used to dial directly in to the remote access server using modems. With the ubiquity of broadband home Internet access, VPN clients could be used to connect to the corporate network over the Internet. As time goes on, we've developed better remote access protocols (e.g. L2TP/IPsec, SSTP, and IKEv2), but fundamentally the process is still the same. When a user requires remote access to the corporate network they must manually and proactively establish a VPN session. A number of challenges arise from this, including authentication and credential synchronization, name resolutions issues, and much more. From a security perspective, having a remote access server available on the public Internet invites cybercriminals to attempt to access the corporate network by obtaining or guessing the valid credentials for a user. In addition, a major limitation of traditional client-based VPN solutions is that they offer only remote access from the client to the corporate network, and not vice versa. Remote management of VPN clients is often difficult or even impossible.

With the introduction of Windows Server 2008 R2, Microsoft has included a new remote access feature called DirectAccess. DirectAccess is the natural evolution of traditional VPNs and provides seamless and transparent, bi-directional remote access connectivity. In this month's monthly newsletter I'll provide you with a high-level overview of DirectAccess and talk about the security features and benefits this new, modern remote access solution provides.



DirectAccess is a seamless, transparent remote access solution that was first introduced with Windows Server 2008 R2. Unlike traditional client-based VPN solutions, it does not require any input from the user to establish secure, remote network connectivity (unless strong authentication is enabled, of course!). DirectAccess also provides bi-directional network connectivity, allowing systems administrators to effectively "manage out" to monitor, maintain, and support connected DirectAccess clients. DirectAccess is not a protocol, however. It is a collection of Windows technologies that include IPsec, IPv6, certificates, Active Directory, and more to build this remote access solution. DirectAccess uses IPv6 exclusively for network connectivity, and as such required that IPv6 be deployed on the corporate intranet in order to take advantage of it. For this reason, DirectAccess in Windows Server 2008 R2 was never widely deployed.

With the introduction of the Forefront Unified Access Gateway (UAG) 2010 remote access gateway, adoption increased greatly as UAG included advanced support for DirectAccess. Along with simplified deployment wizards, UAG also included two new translation protocols, DNS64 and NAT64, that eliminated the requirement for IPv6 on the corporate intranet. Today, DirectAccess no longer requires UAG and is now a native part of the Windows Server 2012 R2 operating system and includes many new additional features that greatly reduce infrastructure requirements, simplify deployment, and provide better scalability, high availability, and redundancy.

At its core, DirectAccess makes use of the Windows Firewall with Advanced Security (WFAS) connection security rules to establish IPsec authenticated and encrypted tunnels to the DirectAccess server on the corporate network. As a DirectAccess client uses only IPv6 to communicate with the corporate network, IPv6 transition protocols, such as 6to4, Teredo, and IP-HTTPS, are used to tunnel this IPv6 traffic over the IPv4 public Internet. All of the client and server settings for DirectAccess, including authentication mechanisms, IPsec security association endpoints and parameters, and IPv6 transition protocol settings are deployed using Active Directory Group Policy Objects (GPOs). Once you've configured DirectAccess, it is, essentially, a "set it and forget it" solution.

DirectAccess connectivity is fully authenticated, and much more thoroughly than traditional client-based remote access VPN solutions. To start, a DirectAccess client must be a domain member. There are a few different DirectAccess deployment models, but in the most common (and most secure!) model the DirectAccess client is authenticated initially via a computer certificate issued by an internal Public Key Infrastructure (PKI) and with NTLM using its Active Directory computer account. This "first tunnel", often referred to as the "infrastructure tunnel" provides limited access to the corporate network for the purpose of connecting to internal corporate domain controllers, DNS, and management servers, and is established transparently, without user interaction, any time the DirectAccess client is outside of the corporate network and has an active Internet connection. Once the user decides to log on to their remote machine, another IPsec tunnel is established. This "second tunnel", often referred to as the "intranet tunnel" provides full corporate network connectivity and is authenticated with NTLM using the computer's Active Directory computer account and with Kerberos using the user's Active Directory user account. As you can see, a DirectAccess user is much more effectively authenticated than traditional client-based VPN users. Also, DirectAccess supports common strong authentication mechanisms such as smart cards (physical or virtual) along with One-Time Password (OTP) solutions. DirectAccess also supports integration with Network Access Protection (NAP), which can further improve the overall security posture of the remote access solution.

Once DirectAccess is installed and configured, a remotely connected user on a DirectAccess client will access internal corporate network resources in the same manner regardless if they are inside the corporate network or out. For example, if the internal corporate intranet site is http://intranet, they can access that same URL internally or externally. That's right…no need to use a different URL! The single-label hostname works just like that. Need access to a mapped drive? Just double-click it in explorer and launch from an existing desktop shortcut. With DirectAccess, the user experience is significantly improved and streamlined, allowing the user to just work as they would if they were inside the corporate network. Doesn't get any better than that!

A better user experience and improved productivity is nice, but there are more benefits to deploying DirectAccess, especially from a security perspective. With DirectAccess, not only do you get the substantially improved authentication it provides, you can leverage the always-on, bi-directional nature of DirectAccess to improve security as well. With always-on connectivity that doesn't require user input, a DirectAccess client is always connected to the corporate network, even when it is remote (as long as it has an active Internet connection). This means that the DirectAccess client, with secure connectivity established to domain controllers and systems management servers, can do things like update group policy and obtain security and anti-virus signature updates much more frequently than is possible with traditional VPN solutions. With bi-directional connectivity capabilities, it is now possible to "reach out" proactively from the corporate network to a connected DirectAccess client in order to conduct vulnerability scans and use software push mechanisms, if required.

As you can see, DirectAccess is a significant improvement in remote access technologies. With always-on, seamless and transparent bi-directional corporate network connectivity that is much more strongly authenticated than traditional VPNs, not only will your user community appreciate the improved user experience and productivity gains it provides, security administrators will gain the additional visibility and manageability as well. If you are still using traditional client-based VPN, consider deploying a modern remote access solution using Windows Sever 2012 R2 DirectAccess today. You'll be glad you did!

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, until now there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.


Click here to order your copy today!

Microsoft Security Bulletins for March 2014

For the month of March, Microsoft released 5 security bulletins. 2 bulletins are rated as critical and 3 are rated as important. Affected software includes all supported versions of Windows, DirectShow, and Silverlight. In addition, a cumulative security update for Internet Explorer is also available. For more information about March's security bulletins click here.

Security Articles of Interest

  1. A serious vulnerability in Apple iOS and OS X was discovered recently that affects SSL/TLS. The flaw prevents the OS from properly validating certificates, allowing for the interception and decryption of communication by a man-in-the-middle attack. The vulnerability has been patched for all affected operating systems and users are urged to update immediately.

  2. Multi-factor authentication is now available for Microsoft Office 365 users! This is great news for organizations that leverage this cloud-based service. Strong authentication is essential for protecting access to critical applications and data, and any security-minded company using Office 365 should enable this feature as quickly as possible.

  3. Denial of Service (DoS) attacks have been around for quite some time, and with the explosion of the Internet, Distributed Denial of Service (DDoS) attacks are becoming common. Recently attackers used a clever NTP Amplification DDoS attack to generate more than 400Gbps of traffic for an attack. You can prevent your NTP server from being leveraged in this attack by using up-to-date software in a secure configuration.

  4. Earlier this month Microsoft announced the availability of the technical preview of the Enhanced Mitigation Experience Toolkit (EMET) v5.0. EMET is an important free security tool that can significantly improve the security posture for Windows systems and is designed to prevent systems from being exploited via software vulnerabilities.

  5. In response to concerns that the National Security Agency (NSA) may have corrupted cryptography guidance for generating random bits, the National Institute for Standards and Technology (NIST) has issued a draft report proposing how it develops cryptographic standards. NIST is seeking input from the public to address any potential issues with the current guidance and will make revisions as required based on feedback received.

  6. With the recent revelation of NSA spying, the general consensus in the security community is to "encrypt all the things". In support of this initiative, Microsoft Office 365 and Exchange Server 2013 SP1 now support S/MIME encryption. Customers will now have S/MIME support in the native Outlook client, Outlook Web App (OWA), and Exchange ActiveSync (EAS).

  7. An area of concern that I have been preaching about for many years are the "security questions" associated with many online web sites and services. The idea is that if you forget your password you can answer some additional questions to gain access to the site and reset your password. The problem stems from the fact that these question are often overly simplistic, easily guessed, or trivial to research for answers on the public Internet and across various social media platforms. Ultimately, security questions are essentially passwords, and special care and handling must be made for them!

  8. As a direct result of numerous serious security challenges with its products in the late 90's and early 2000's, Microsoft launched a monumental effort to better secure their code and reduce or prevent many vulnerabilities. This effort lead to the Security Development Lifecycle (SDL), which today is widely considered a model for many organizations. Microsoft recently created a new web site to tell the inside story behind the SDL. It's an interesting read, for sure. Articles of Interest

  1. Windows Compliance vs. Security
  2. Web Browser Security Revisited – Part 3
  3. Acunetix Web Vulnerability Scanner voted Reader's Choice Award Winner – WebApplication Security
  4. Developing an Information Security and Risk Management Strategy – Part 2
  5. Web Browser Security Revisited – Part 4

Windows Security Tip of the Month

As I outlined earlier, DirectAccess is a much more secure remote access solution than traditional client-based VPN. However, late last year Microsoft released security advisory KB2862152 which addressed a vulnerability in IPsec (which is used by DirectAccess) that could allow security feature bypass. The vulnerability leaves open the possibility that an attacker could spoof a DirectAccess server and perform a man-in-the-middle attack and intercept encrypted network communication. The issue has to do with how the DirectAccess client validates the DirectAccess server. A security update was made available that allows security administrators to configure additional and more rigorous validation checks in order to reduce the likelihood of this attack. The update itself does not do anything by default, however. After installation, an administrator must make additional changes in order to leverage this new feature. Many have found the update to be confusing, so my good friend and resident DirectAccess expert Jason Jones authored a post to provide some clarification for installing the update. As I deploy DirectAccess on a regular basis, I also authored a post that provides additional configuration guidance for deploying and configuring security update KB2862152. If you have deployed DirectAccess, it is recommended that you deploy and configure this security update in order to provide the highest level of security for your remote access solution.