Security Assessment of Microsoft Directaccess
Total Page:16
File Type:pdf, Size:1020Kb
Security Assessment of Microsoft DirectAccess A thesis for the completion of Master of Science in Communication and Media Engineering CME By Ali Hardudi Supervised by Prof. Dr. rer. nat. habil. Dirk Westhoff M. Sc. Enno Rey ERNW GmbH. Agenda ¬ Introduction . Objective . A Quick Look into DirectAccess ¬ DirectAccess Lab ¬ Assessment . Scenarios and Attacker . IPv6 Attacks . TLS and IPSEC Default Configuration ¬ Conclusion 14.03.2016 Security Assessment of Microsoft DirectAccess #2 ERNW GmbH. Introduction 14.03.2016 Security Assessment of Microsoft DirectAccess #3 ERNW GmbH. Thesis Objective ¬ Thesis objective . Study the DirectAccess . Performing a security evaluation 14.03.2016 Security Assessment of Microsoft DirectAccess #4 ERNW GmbH. DirectAccess Features Pure IPv6 No user interaction Remote management and administration Bidirectional access Enhanced security features Working over IPv4 Internet infrastructure 14.03.2016 Security Assessment of Microsoft DirectAccess #5 ERNW GmbH. DirectAccess Limitations Not all Windows OS’s are supported The following options are not always possible: End to End encryption Force tunneling Performance degradation when IP-HTTPS tunneling is used Complex technology 14.03.2016 Security Assessment of Microsoft DirectAccess #6 ERNW GmbH. Technologies and Protocols IKE, HTTPS, DNS64, ISAKMP, Kerberos, ¬ Active Directory Domain Controller (AD DC). PKI, NTLM, DHCPV6 ¬ IPSEC ¬ Public Key Infrastructure (PKI) ¬ HTTPS server as Network Location Service (NLS) TCP, UDP ¬ Name Resolution Policy Table (NRPT) ¬ IPv6 tunneling technologies ¬ NAT64/DNS64 IPv6, IPv6 Tunneling, ICMPv6 ¬ Others (e.g. Forefront Unified Access Gateway IPsec (ESP, AH), NAT64 (UAG), Network Access Protection (NAP)) Figure 1 DirectAccess stack of main protocols 14.03.2016 Security Assessment of Microsoft DirectAccess #7 ERNW GmbH. TLS handshake HTTPS service DirectAccess C lie n t DirectAccess S e rv e r Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #8 ERNW GmbH. HTTPS service DirectAccess C lie n t DirectAccess S e rv e r IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #9 ERNW GmbH. HTTPS service DirectAccess C lie n t Complete ND protocol DirectAccess S e rv e r IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #10 ERNW GmbH. IP-HTTPS in te rfa c e HTTPS service DirectAccess C lie n t DirectAccess S e rv e r IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #11 ERNW GmbH. N T L M v 2 HTTPS service DirectAccess C lie n t Authenticating and Building the DirectAccess IPSEC infrastructure tunnel S e rv e r IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #12 ERNW GmbH. HTTPS service DirectAccess C lie n t DirectAccess S e rv e r IPSEC Infrastructure tunnel IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #13 ERNW GmbH. HTTPS service DirectAccess C lie n t DNS conversation DirectAccess S e rv e r IPSEC Infrastructure tunnel IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #14 ERNW GmbH. AD DC HTTPS service DirectAccess C lie n t DirectAccess S e rv e r IPSEC Infrastructure tunnel IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #15 ERNW GmbH. AD DC HTTPS service DirectAccess C lie n t DirectAccess S e rv e r IPSEC Infrastructure tunnel IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #16 ERNW GmbH. AD DC K e rb e ro s HTTPS service DirectAccess C lie n t DirectAccess Authenticating and Building the S e rv e r IPSEC intranet tunnel IPSEC Infrastructure tunnel IP-HTTPS tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #17 ERNW GmbH. AD DC HTTPS service DirectAccess C lie n t DirectAccess S e rv e r IPSEC Infrastructure tunnel IPSEC Intranet IP-HTTPS tunnel tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #18 ERNW GmbH. AD DC HTTPS service DirectAccess C lie n t DNS conversation DirectAccess S e rv e r IPSEC Infrastructure tunnel IPSEC Intranet IP-HTTPS tunnel tunnel Figure 2 DirectAccess connection steps using IP-HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #19 ERNW GmbH. AD DC HTTPS service DirectAccess C lie n t DirectAccess S e rv e r IPSEC Infrastructure tunnel IPSEC Intranet IP-HTTPS tunnel tunnel Figure 2 DirectAccess connection steps using IP-HTTPS R e s o u rc e s 14.03.2016 Security Assessment of Microsoft DirectAccess #20 ERNW GmbH. Lab Deployment 14.03.2016 Security Assessment of Microsoft DirectAccess #21 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #22 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #23 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #24 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #25 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 IP-HTTPS (Internal resources) Interface Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #26 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #27 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #28 ERNW GmbH. Windows server 2012 R2 (Internet Service Provider (ISP)) Windows server 2012 R2 (Certificate Authority) Windows server 2012 R2 (AD DC) Windows server 2012 R2 (Internal resources) Windows server 2012 R2 Windows 8.1 Enterprise (DirectAccess server) (DirectAccess client) Ubuntu 14.04.3 TLS (Attacking computer) Windows server 2012 R2 (Host VM) Cisco Catalyst 2950 series Figure 3 DirectAccess lab components 14.03.2016 Security Assessment of Microsoft DirectAccess #29 ERNW GmbH. DirectAccess configuration Full access model DirectAccess server is an edge topology The DirectAccess computers are assigned to a security group The IPv6 tunneling is IP-HTTPS All the certificates are issued by the corpnet Certificate Authority (CA) IPSEC Encapsulated Security Payload (ESP) Figure 4 Screenshot for the configuration panel protocol tunnel mode of DirectAccess Windows 8.1 uses Null cipher suites for IP- HTTPS 14.03.2016 Security Assessment of Microsoft DirectAccess #30 ERNW GmbH. Figure 5 DirectAccess lab topology 14.03.2016 Security Assessment of Microsoft DirectAccess #31 ERNW GmbH.