S 4.411 Secure use of DirectAccess under Windows

Initiation responsibility: Head of IT

Implementation responsibility: Administrator

Since Windows 7 and Server 2008 R2 and higher, a VPN technology is integrated into the operating system with DirectAccess. It is meant to simplify the remote access to resources in the local network and allow users to use their clients everywhere as if they were directly connected to the LAN.

In order to achieve this, DirectAccess sets up a IPSec tunnel to a receiver based on Windows Server 2008 R2 in the LAN without any intervention of the users and already prior to logging in to the operating system. It should be taken into account that only the two Windows 7 versions Enterprise and Ultimate are able to access resources activated by a DirectAccess server under Windows Server 2008 R2.

By means of this receiver, central infrastructure components such as Active Directory and DNS can be reached ("infrastructure tunnel"). For this first tunnel, only the computer account of the client computer is used for authentication, this means that this tunnel is in principle open to an attacker acquiring unauthorised access to the client system.

After the user has logged in, a second IPSec tunnel by means of which other internal resources are accessed ("Intranet tunnel") is set up.

When setting up the DirectAccess access, there are different configuration options:

In this case, it must be taken into account that the computers in the internal network can only be accessed via IPv6 when using DirectAccess. Systems which can only be reached in the internal network using IPv4 cannot be accessed using DirectAccess. The restriction can be bypassed using NAT64 or proxies, which, however, can cause problems with applications.

For the communication between external DirectAccess client and gateway, there is no such restriction. Here, a number of options are implemented to realise the necessary IPv6 connection also via an existing IPv4 connection so that there are no higher requirements for the connection of the clients. The DirectAccess client checks the existing connection options and automatically selects an appropriate log.

DirectAccess can be configured either via the DirectAccess Management Console provided for this purpose or via the Network Shell command line tool and group policy objects.

In the operational scenario with full Intranet access in particular, DirectAccess is a critical access to the internal network. This access requires special security safeguards. It is possible to request a certain security level during the authentication for the access via DirectAccess, for example based on a chip card with PIN (two-factor authentication). This restriction option should be made use of when using DirectAccess.

In addition to this, it is important that the tunnel in the internal network is only set up when the connected system is in the possession of a rightful user. Therefore, a hard drive encryption should be provided for such systems (for example according to S 4.337 Use of BitLocker drive encryption) and be equipped with automatic locking if the user is inactive (see S 4.2 Screen lock).

When accessing the internal network from mobile systems, there is always a higher risk of malicious software infections, since the mobile systems could be infected under certain circumstances. In order to check at least essential security features of the end device, before a connection by means of DirectAccess is allowed, the access via DirectAccess can be equipped with a network access protection examination (see S 4.410 Use of network access protection under Windows).

The DirectAccess server must be reachable by the clients from the outside; thus, the DirectAccess server is a potential point of attack to the internal IT network. For its integration into the network, S 4.224 Integration of VPN components into a security gateway must be taken into account. Here, it must be considered that the DirectAccess server has to be a member of the Windows domain.

In the default setting, DirectAccess clients separate their data traffic to the Intranet and their data traffic to the Internet. Whereas connections to resources in the Intranet are automatically routed through the DirectAccess tunnel, the client system establishes connections to the Internet directly and outside the tunnel. This is to relieve the internal network and the tunnel from the data traffic load.

In this scenario, however, the DirectAccess client can also be a gateway point which an attacker uses to acquire access to the internal network from the Internet via the client. At the same time, the Internet connections directly established by the client are not protected by any existing central security systems such as proxy servers with content filtering.

For the reasons stated above, deviating from the default setting, all data traffic from the client should be routed through the DirectAccess tunnel ("force tunnelling"). Thus, controlled and secure Internet access via the existing security systems is implemented and "back entrances" into the internal network are avoided.

This may be to say that: If external access via DirectAccess is necessary for business processes with high availability requirements, the involved servers and network components must be designed redundantly.

Review questions:

© Federal Office for Information Security. All rights reserved.