
Secure access from anywhere in the world using Microsoft DirectAccess and Windows To Go. Part One - Theory

The most common method used for remote access to the internal resources of organizations is to configure a VPN connection. This technology has a number of disadvantages such as:





I propose to consider replacing VPN with a technology developed by Microsoft: DirectAccess. It allows the remote computer to be treated as a component of the organization's own network, which makes it possible to perform the following information-security operations:





I will consider DirectAccess in conjunction with Windows To Go. Windows To Go is a Windows 8 (or later) operating system installed, together with all the necessary software, on an external USB drive. An OS installed in this way can be booted on any hardware that meets the minimum requirements, while the software and data already on the computer being used are left untouched.



Microsoft DirectAccess 2012



The description of the key technologies will start with Microsoft DirectAccess, since it is the main component of the mobile remote access system being built for the corporate environment. It makes sense to consider the most current version, based on Microsoft Windows Server 2012 R2 and the Windows 8.1 client operating system.


DirectAccess technology was first introduced as a component of Microsoft Windows Server 2008 R2 and was designed to give remote computers transparent access to internal company network resources. DirectAccess allows remote users to fully utilize corporate network resources and domain services.



DirectAccess also allows employees of the various technical departments (Help Desk, IT and information security administrators) to manage remote user accounts, anti-virus protection components and local security policies, and to monitor the timely installation of operating system and application updates. This keeps the remote system up to date from an information-security point of view.



At its core, DirectAccess is much like a traditional VPN connection to a corporate network, but there is a difference, and quite a substantial one. DirectAccess on Windows Server 2012 makes the distinction between computers on the internal corporate network and the computers of remote clients far less noticeable.



Below is a comparison of the new DirectAccess with VPN technology.





DirectAccess is built on top of IPv6 and requires all endpoint devices to support IPv6. The Internet is currently dominated by IPv4, so the following IPv6-over-IPv4 tunneling technologies are used for communication between IPv6 devices across IPv4 networks:





The Windows Server 2012, Windows 7 and Windows 8 operating systems support the transition protocols ISATAP, 6to4 and Teredo. The end result is that clients connect to hosts using IPv6.



IPv6 to IPv4 Encapsulation




The DirectAccess client establishes two tunnels, which are the key to the versatility of this remote access method. Both are IPsec ESP (Encapsulating Security Payload) tunnels: the payload is authenticated and encrypted to ensure integrity and confidentiality.



The computer tunnel is established first, when the DirectAccess client starts. This tunnel is authenticated only by a computer certificate and provides access to intranet DNS servers and domain controllers. It is also used to download computer group policy and to carry the user authentication request.



The user tunnel is authenticated by the computer certificate together with user credentials and provides access to intranet resources. It is also used to download user group policy.



Two DirectAccess Tunnels


Both tunnels are established transparently to the user. To set up remote access, the user does not need to enter any credentials beyond those entered when logging in to Windows.



There are three models of DirectAccess operation:



  1. End-to-edge model: the DirectAccess client establishes an IPsec tunnel to the DirectAccess server. The DirectAccess server then forwards the traffic, no longer protected by IPsec, to intranet resources.



    DirectAccess. Full access model.


  2. End-to-end model: the DirectAccess client establishes an IPsec tunnel with each application server it connects to. This guarantees protection of the traffic, including the part transmitted over the intranet.



    DirectAccess. Restricted access model


  3. Remote management model: used to manage devices without providing user access. In this deployment model DirectAccess clients are given access only to dedicated management servers, which in turn have access to the DirectAccess clients.



    DirectAccess. Remote Management Model




One of the advantages of DirectAccess is the ability to separate intranet traffic from Internet traffic, which has a positive effect on the throughput of the corporate network. In some cases, however, administrators can route all traffic through the DirectAccess connection, for example to fully control a remote user's Internet traffic.



In DA 2012, unlike the previous version implemented in Windows Server 2008, a PKI infrastructure is not a requirement. PKI is required when clients run Windows 7 Enterprise or Ultimate, or when advanced options are needed. If you plan to use Windows 8 Enterprise as the client OS, you can do without PKI; in that case client computers are authenticated using the Kerberos protocol. The DA server acts as a Kerberos proxy: authentication requests from clients are sent to the Kerberos proxy service running on the DirectAccess server, and the proxy then sends Kerberos requests to the domain controllers on the client's behalf.



Consider the process of connecting a client to a DirectAccess server.



A computer becomes a DirectAccess client once the group policies that deliver the DA connection settings have been applied to it. These group policies are created while the DirectAccess server is being configured and are targeted at security groups in Active Directory.



After the group policies are applied, the client determines its location relative to the corporate network. To do this, it checks whether the NLS server (Network Location Server) is reachable. The NLS server is an ordinary web server that uses HTTPS; any web server (IIS, Apache, etc.) can fill this role, and in Windows Server 2012 the DirectAccess server itself can perform NLS functions. The client's further actions, depending on NLS availability, are governed by the Name Resolution Policy Table (NRPT). If the name being resolved has a suffix matching the domain suffix of the corporate network, the client uses the corporate DNS servers; otherwise it uses the DNS servers specified in the client's network adapter settings. So that the NLS check works correctly, the NLS DNS name is entered into the NRPT exceptions, which forces its resolution through the DNS servers specified on the network adapter. When the client is located inside the corporate network, the internal DNS servers know the NLS server's address.



DirectAccess client connection within corporate network


If the NLS server is reachable, the client operates on the network as an ordinary workstation, that is, the IPsec policies are not applied.

When the client is outside the corporate network, its attempt to connect to the NLS server by the DNS name that was added to the NRPT exceptions goes to the DNS servers specified in the network adapter settings. These are the ISP's DNS servers, which have no record for the NLS server's DNS name, so name resolution fails. When resolution is refused, the client computer applies the IPsec policies and contacts the DirectAccess server by its DNS name, which must be published in the external zone of the corporate domain.



The DirectAccess client establishes a tunnel to the DirectAccess server over IPv6. If there is an IPv4 network between them, the client uses the Teredo or 6to4 protocol to encapsulate IPv6 in IPv4, or falls back to IP-HTTPS. Once the tunnel is established, the client and the DirectAccess server authenticate each other as part of the IPsec tunnel setup. The DirectAccess client then connects to a domain controller to retrieve group policy.



Next, the user logs in, or the credentials of an already logged-in user are used together with the certificates, to establish the IPsec user tunnel. User group policy is applied to the DirectAccess client, and the DirectAccess server begins forwarding traffic from the client to the intranet resources it is authorized to reach.



DirectAccess client connection outside the corporate network
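As an added diagnostic example (this script is not part of the original article and is not Microsoft's code), the following PowerShell reproduces the inside/outside decision described above on a Windows 8.1 DirectAccess client and shows the tunnels and transition technology in use. The NLS URL `https://nls.corp.example/` and the suffix `.corp.example` are assumed placeholder names; substitute your own. Run it in an elevated PowerShell session on the client.

```powershell
# Added example, not code from the article: inspect a DirectAccess client's
# location decision, NRPT rules, transition technology and IPsec tunnels.
# ASSUMPTIONS (hypothetical names): NLS at https://nls.corp.example/,
# corporate DNS suffix .corp.example. Run elevated on the client.

$NlsUrl     = 'https://nls.corp.example/'   # assumed NLS name
$CorpSuffix = '.corp.example'               # assumed corporate namespace

function Test-NlsReachable {
    param([string]$Url)
    try {
        # Only a successful HTTPS reply from the NLS counts as "inside the LAN".
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
        return ($r.StatusCode -eq 200)
    } catch {
        # DNS failure (ISP resolver has no record) or TLS/HTTP error -> "outside".
        return $false
    }
}

# 1. NRPT rules delivered by Group Policy. The NLS name should appear as an
#    exemption (empty DirectAccessDnsServers), while the corporate suffix should
#    point at the internal DNS servers that are reached through the tunnel.
Write-Host '== NRPT rules =='
Get-DnsClientNrptPolicy |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled |
    Format-Table -AutoSize

$nlsRule = Get-DnsClientNrptPolicy | Where-Object { $NlsUrl -like "*$($_.Namespace.TrimStart('.'))*" }
if (-not $nlsRule) { Write-Warning 'No NRPT exemption found for the NLS name; outside the LAN it could be sent through the tunnel.' }
if (-not (Get-DnsClientNrptPolicy | Where-Object Namespace -eq $CorpSuffix)) {
    Write-Warning "No NRPT rule for $CorpSuffix; corporate names will resolve via the adapter's DNS servers."
}

# 2. Is the NLS reachable? Inside: yes -> no IPsec. Outside: the ISP resolver
#    cannot resolve the name -> IPsec policies apply and the DA server is used.
$inside = Test-NlsReachable -Url $NlsUrl
$where  = if ($inside) { 'INSIDE' } else { 'OUTSIDE' }
Write-Host "NLS reachable: $inside -> client considers itself $where the corporate network"

# 3. What the OS itself concluded (ConnectedLocally / ConnectedRemotely / Error).
Get-DAConnectionStatus | Format-List Status, Substatus

# 4. Which IPv6 transition technology carries the tunnels when outside.
Write-Host '== Teredo =='
Get-NetTeredoState  | Select-Object Type, State | Format-List
Write-Host '== IP-HTTPS =='
Get-NetIPHttpsState | Select-Object InterfaceStatus | Format-List

# 5. The two IPsec tunnels: main-mode SAs toward the DA server show the
#    computer-certificate (first ID) and, once logged on, user (second ID) identities.
Write-Host '== IPsec main-mode SAs =='
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId, LocalSecondId, RemoteSecondId |
    Format-Table -AutoSize
```

When run from inside the LAN, step 2 should report INSIDE and step 5 should list no SAs; from outside, step 2 reports OUTSIDE, step 4 shows Teredo or IP-HTTPS active, and step 5 lists one SA per tunnel with the computer certificate as the first identity.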


Windows To Go



Because DirectAccess requires the client computer to be a member of the corporate domain, it is not suitable for users working from personal computers. There is, however, a technology, Windows To Go, that makes it possible to use DirectAccess on any computer that meets the minimum requirements for running Windows 8 and is connected to the Internet.



Windows To Go is one of the new features of Windows 8. It lets you create a properly configured OS image with the necessary software installed that boots directly from USB media, regardless of which OS is installed on the computer.



Differences between Windows To Go and a typical Windows installation:





To install and boot Windows To Go, the following requirements must be met:



There is a list of USB media certified for use with WTG:





If media not on this list is used to install Windows To Go, this may impose additional requirements on the computer on which WTG will run, for example USB 3.0 support. For the same reason, Microsoft technical support cannot be counted on.



When choosing a computer to use as a Windows To Go workspace host, the following criteria must be considered:





The first time Windows To Go starts on a computer, it detects all of that computer's hardware and installs the necessary drivers. On subsequent starts the Windows To Go workspace boots on that computer more quickly, since the required set of drivers is already installed.



There are three ways to deploy WTG:



  1. using the Windows To Go Creator Wizard;
  2. using a script (PowerShell plus the DISM or ImageX image-servicing utilities);
  3. using the User Self-Provisioning tool in System Center 2012 Configuration Manager SP1.


If the Windows To Go Creator Wizard is selected for the WTG deployment, then on the computer on which you plan to create the WTG, you will need to use the Windows 8 Enterprise

Each of the methods described above presupposes the preparation of a WIM file (Windows Imaging Format, a file-based disk image format). A WIM file can contain not only the bare operating system files but also a pre-configured OS with the standard software already installed.



This file can be obtained in several ways:





The WIM file must contain Windows 8 Enterprise. Other OS editions are not supported by Windows To Go.
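The scripted deployment method (PowerShell plus DISM) described above, written out as an added example; this is not the article's script nor Microsoft's own tooling. It assumes the target USB drive is disk number 3 (verify with `Get-Disk` first, because the disk is erased), that `D:\sources\install.wim` holds an amd64 Windows 8 Enterprise image, and that the drive letters `S:` and `W:` are free. It is meant to run elevated on a Windows 8/8.1 machine with the DISM PowerShell module (Windows ADK) installed.

```powershell
# Added example, not code from the article: provision a Windows To Go drive with
# PowerShell + the DISM module (deployment method 2 above).
# ASSUMPTIONS: USB drive is disk 3, install.wim is amd64 Windows 8 Enterprise,
# S: and W: are free drive letters. EVERYTHING ON DISK 3 IS ERASED.

$DiskNumber = 3                         # ASSUMPTION: the target USB drive
$WimPath    = 'D:\sources\install.wim'  # ASSUMPTION: Windows 8 Enterprise image
$WimIndex   = 1

# Refuse to touch anything that is not on the USB bus (protects the host's disks).
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB') { throw "Disk $DiskNumber is not a USB disk; refusing to wipe it." }

# The image must be Windows 8 Enterprise; other editions are not supported by WTG.
$img = Get-WindowsImage -ImagePath $WimPath -Index $WimIndex
if ($img.EditionId -ne 'Enterprise') { throw "Image edition is '$($img.EditionId)', expected 'Enterprise'." }

# 1. Wipe and partition: a small active system partition for the boot files,
#    and the OS partition taking the rest of the drive.
Clear-Disk -Number $DiskNumber -RemoveData -Confirm:$false
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
$sys = New-Partition -DiskNumber $DiskNumber -Size 350MB -IsActive -DriveLetter S
$os  = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -DriveLetter W
Format-Volume -Partition $sys -FileSystem FAT32 -NewFileSystemLabel 'System'      -Confirm:$false | Out-Null
Format-Volume -Partition $os  -FileSystem NTFS  -NewFileSystemLabel 'WindowsToGo' -Confirm:$false | Out-Null

# 2. Apply the WIM to the OS partition (PowerShell equivalent of DISM /Apply-Image).
Expand-WindowsImage -ImagePath $WimPath -Index $WimIndex -ApplyPath 'W:\'

# 3. Write boot files for both BIOS and UEFI firmware to the system partition.
bcdboot W:\Windows /s S: /f ALL

# 4. SAN policy 4 (OfflineInternal): when the workspace boots, the host's internal
#    disks stay offline, which is what keeps the host's data untouched.
$unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
'@
Set-Content -Path 'W:\san_policy.xml' -Value $unattend -Encoding UTF8
Use-WindowsUnattend -Path 'W:\' -UnattendPath 'W:\san_policy.xml'
Remove-Item 'W:\san_policy.xml'

Write-Host "Windows To Go drive prepared on disk $DiskNumber (system S:, OS W:)."
```

The two guard checks at the top (USB bus, Enterprise edition) are what turn a one-off manual procedure into something safe to hand to the help desk; the SAN policy step is easy to forget and is the difference between a workspace that ignores the host's disks and one that mounts them.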



BitLocker



In the case of Windows To Go, encrypting the removable media with BitLocker Drive Encryption is a mandatory requirement, since the disk may contain confidential information: trade secrets or the personal data of the company's partners, employees or customers. BitLocker (full name BitLocker Drive Encryption) is a full-disk encryption technology that is part of Microsoft Windows Vista Ultimate/Enterprise, Windows 7 Ultimate/Enterprise, Windows Server 2008 R2, Windows 8, Windows 8.1 and Windows 10. With BitLocker you can encrypt a logical drive, an SD card or a USB drive. The AES-128 and AES-256 encryption algorithms are supported.



The key itself can be stored on a USB drive, in a hardware TPM module or on the hard disk.



To release the key from the TPM, an additional method of user authentication, a USB key and/or a password, can be configured.



If the motherboard in use has no Trusted Platform Module, or if a USB drive with Windows To Go is both the boot device and the encryption target, the encryption key must be stored on an external USB drive, or a password can be used instead of a stored key. To allow the encrypted media to be unlocked with a USB drive or a password, changes to the local group policies are required.
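The TPM-less case just described, as an added example (not the article's code and not a Microsoft script): it sets the local policy values that correspond to "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM", then enables BitLocker on the Windows To Go OS volume with a startup password and escrows a recovery password. It assumes it is run elevated from inside the booted Windows To Go workspace, where the USB drive is the OS volume `C:`, and that the share `\\fileserver.corp.example\bitlocker$` is a hypothetical help-desk escrow location; in a domain the same policy would normally come from a GPO and the recovery password would be backed up to Active Directory instead.

```powershell
# Added example, not code from the article: BitLocker on a Windows To Go workspace
# without a TPM, using a startup password as the key protector.
# ASSUMPTIONS: run elevated INSIDE the booted WTG workspace (USB drive = C:);
# \\fileserver.corp.example\bitlocker$ is a hypothetical escrow share.

$OsVolume    = 'C:'
$RecoveryDir = '\\fileserver.corp.example\bitlocker$'   # ASSUMPTION

# 1. The local policy change the article mentions. These are the registry values
#    behind "Require additional authentication at startup" -> "Allow BitLocker
#    without a compatible TPM"; a domain GPO would write the same values.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# 2. Sanity checks before encrypting anything.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "$OsVolume is already $($vol.VolumeStatus)." }
if ($vol.VolumeType -ne 'OperatingSystem')  { throw "$OsVolume is not the OS volume; boot into the workspace first." }

# 3. Ask for the startup password twice; it is the protector typed at boot.
do {
    $pw1 = Read-Host -AsSecureString 'BitLocker startup password'
    $pw2 = Read-Host -AsSecureString 'Repeat password'
    $plain1 = (New-Object System.Net.NetworkCredential('', $pw1)).Password
    $plain2 = (New-Object System.Net.NetworkCredential('', $pw2)).Password
    $match = ($plain1 -ceq $plain2) -and ($plain1.Length -ge 8)
    if (-not $match) { Write-Warning 'Passwords differ or are shorter than 8 characters; try again.' }
} until ($match)

# 4. Encrypt with AES-256 (the article notes AES-128 and AES-256 are supported).
#    UsedSpaceOnly keeps the initial pass on a freshly provisioned drive short;
#    SkipHardwareTest avoids the reboot-based TPM/startup test that has no TPM to test.
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest `
                 -PasswordProtector -Password $pw1

# 5. Add and escrow a recovery password so a forgotten startup password does not
#    lock the user (and the help desk) out of the drive.
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
$file = Join-Path $RecoveryDir ('{0}-{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
"Recovery password for $env:COMPUTERNAME ($OsVolume): $($rp.RecoveryPassword)" | Set-Content -Path $file

Write-Host 'Encryption started; current status:'
Get-BitLockerVolume -MountPoint $OsVolume | Format-List VolumeStatus, EncryptionPercentage, KeyProtector
```

Two points worth checking after it runs: `Get-BitLockerVolume` should list both a `Password` and a `RecoveryPassword` protector and no `Tpm` protector, and the escrow file should be readable only by the help-desk group, since it unlocks the drive just as well as the startup password does.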



Conclusion



The combination of DirectAccess, Windows To Go and BitLocker considered here yields a solution that makes it possible to:





From the above, we can conclude that combining the described technologies allows a remote connection to the corporate environment that is controlled by the organization's own services, is not tied to specific client hardware, and has a high degree of security.



In the next part, I will describe the practical implementation of the remote access system described above.

Source: https://habr.com/ru/post/325458/


