S 4.411 Secure use of DirectAccess under Windows
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
Since Windows 7 and Server 2008 R2 and higher, a VPN technology is integrated into the operating system with DirectAccess. It is meant to simplify the remote access to resources in the local network and allow users to use their clients everywhere as if they were directly connected to the LAN.
In order to achieve this, DirectAccess sets up a IPSec tunnel to a receiver based on Windows Server 2008 R2 in the LAN without any intervention of the users and already prior to logging in to the operating system. It should be taken into account that only the two Windows 7 versions Enterprise and Ultimate are able to access resources activated by a DirectAccess server under Windows Server 2008 R2.
By means of this receiver, central infrastructure components such as Active Directory and DNS can be reached ("infrastructure tunnel"). For this first tunnel, only the computer account of the client computer is used for authentication, this means that this tunnel is in principle open to an attacker acquiring unauthorised access to the client system.
After the user has logged in, a second IPSec tunnel by means of which other internal resources are accessed ("Intranet tunnel") is set up.
When setting up the DirectAccess access, there are different configuration options:
- Full Intranet access: In this scenario, systems connected via DirectAccess have unrestricted access to all resources in the Intranet.
- Selected servers: Systems connected via DirectAccess have only access to selected servers in the Intranet.
- End-to-end: If the system connected via DirectAccess is to access a server in the Intranet, for example for a certain internal application, the channel encrypted by means of IPSec can be routed from the client to the target server. In this manner, not only the access from the outside, but also the transportation through the LAN is secured.
In this case, it must be taken into account that the computers in the internal network can only be accessed via IPv6 when using DirectAccess. Systems which can only be reached in the internal network using IPv4 cannot be accessed using DirectAccess. The restriction can be bypassed using NAT64 or proxies, which, however, can cause problems with applications.
For the communication between external DirectAccess client and gateway, there is no such restriction. Here, a number of options are implemented to realise the necessary IPv6 connection also via an existing IPv4 connection so that there are no higher requirements for the connection of the clients. The DirectAccess client checks the existing connection options and automatically selects an appropriate log.
DirectAccess can be configured either via the DirectAccess Management Console provided for this purpose or via the Network Shell command line tool and group policy objects.
In the operational scenario with full Intranet access in particular, DirectAccess is a critical access to the internal network. This access requires special security safeguards. It is possible to request a certain security level during the authentication for the access via DirectAccess, for example based on a chip card with PIN (two-factor authentication). This restriction option should be made use of when using DirectAccess.
In addition to this, it is important that the tunnel in the internal network is only set up when the connected system is in the possession of a rightful user. Therefore, a hard drive encryption should be provided for such systems (for example according to S 4.337 Use of BitLocker drive encryption) and be equipped with automatic locking if the user is inactive (see S 4.2 Screen lock).
When accessing the internal network from mobile systems, there is always a higher risk of malicious software infections, since the mobile systems could be infected under certain circumstances. In order to check at least essential security features of the end device, before a connection by means of DirectAccess is allowed, the access via DirectAccess can be equipped with a network access protection examination (see S 4.410 Use of network access protection under Windows).
The DirectAccess server must be reachable by the clients from the outside; thus, the DirectAccess server is a potential point of attack to the internal IT network. For its integration into the network, S 4.224 Integration of VPN components into a security gateway must be taken into account. Here, it must be considered that the DirectAccess server has to be a member of the Windows domain.
In the default setting, DirectAccess clients separate their data traffic to the Intranet and their data traffic to the Internet. Whereas connections to resources in the Intranet are automatically routed through the DirectAccess tunnel, the client system establishes connections to the Internet directly and outside the tunnel. This is to relieve the internal network and the tunnel from the data traffic load.
In this scenario, however, the DirectAccess client can also be a gateway point which an attacker uses to acquire access to the internal network from the Internet via the client. At the same time, the Internet connections directly established by the client are not protected by any existing central security systems such as proxy servers with content filtering.
For the reasons stated above, deviating from the default setting, all data traffic from the client should be routed through the DirectAccess tunnel ("force tunnelling"). Thus, controlled and secure Internet access via the existing security systems is implemented and "back entrances" into the internal network are avoided.
This may be to say that: If external access via DirectAccess is necessary for business processes with high availability requirements, the involved servers and network components must be designed redundantly.
Review questions:
- Is the two-factor authentication required for establishing connections via DirectAccess?
- Is a hard drive encryption enabled on all DirectAccess clients?
- Is the DirectAccess server integrated into a security gateway in a suitable manner?
- Is the data traffic from the client routed through the DirectAccess tunnel both in the Internet and in the Intranet ("force tunnelling")?