Wednesday, January 30, 2013 2:02 AM
I'm thinking of using Direct Access (Windows Server 2012 and Windows 7 clients) for remote access of our corporate laptops.
Our security people tell me that I can't go there because it is not PCI DSS compliant. End of story.
They say I need a two factor authentication solution, such as RSA tokens, which we use now. Avoiding the need for tokens (or any other user action) is the one compelling feature of Direct Access that I desperately want, so we appear to be at a roadblock.
Is there an authoritative source out there that can answer this question explicitly: Is Windows Server 2012 Direct Access PCI DSS compliant?
Thursday, February 07, 2013 4:32 PM
I have a couple of pieces of information related to this that may help:
1. Based on my experience, "PCI Compliance" is a relative term. It's up to your PCI "rep" to make the decision on whether or not your network fits the standards. Unfortunately it is also my experience that they, like so many folks so far, don't understand what DA is, so a lot of times it's hard to make an informed decision on it, and sometimes that results in them shying away from approving it. That being said, I have customers who are using DirectAccess and are PCI shops. So it certainly passes the tests in some cases. One specific example that sticks out to me: I was working with someone to implement DirectAccess and this same question came up. PCI was going to deny approval of DirectAccess, and their reason was that the Teredo protocol was not encrypted. This tells me that whoever was making the decision was obviously not informed on how DirectAccess worked at all; they just had snippets of information. Technically they were correct: Teredo isn't encrypted, but the IPsec tunnels that run inside the Teredo tunnel certainly are :)
2. For some companies, though not all, DirectAccess is by default two-factor authenticated. So if that is their argument, you might be able to use this info. I'm not talking about adding RSA authentication to DirectAccess (though you can do that as well, but, like you said, it takes away from the user experience to make them enter a PIN). If you use certificate authentication with DirectAccess, which you will have to if you are using Windows 7 clients, then the IPsec tunnels that DirectAccess uses for sending traffic are authenticated by NTLM (the computer account), combined with the certificate that was issued from your CA server, plus the Kerberos ticket acquired for the user credentials. This technically meets the definition of "something you have plus something you know" that is the basis of 2FA. Some companies accept this, and some do not; it depends on your own definition of 2FA.
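The argument in point 2 is easier to make to an assessor with evidence from the client than with a description of the design. The PowerShell below is an added example, not code from the thread or from Microsoft: it parses the output of the built-in `netsh advfirewall monitor show mmsa` command (present on Windows 7 and later) and summarises, per IPsec main mode SA, which authentication methods were actually negotiated. The field layout it expects (one "Main Mode SA" block per SA with "Auth1:" and "Auth2:" lines) and the method names it looks for (ComputerCert, ComputerNTLM, UserKerb) are assumptions about what netsh prints on your systems, and the sample text is constructed; run it against live output and adjust the patterns if your tunnels report differently. It is written for PowerShell 2.0 so it also runs on a Windows 7 client.

```powershell
# Added example (not from the original thread). Summarise which IPsec
# authentication methods a DirectAccess client actually negotiated, so the
# "certificate + computer NTLM + user Kerberos" point can be shown, not argued.
#
# Assumptions: "netsh advfirewall monitor show mmsa" prints one block per SA
# starting with "Main Mode SA", followed by "Key: value" lines including
# "Auth1:" and "Auth2:". The sample at the bottom is constructed, not captured.

function ConvertFrom-MainModeSaText {
    param([Parameter(Mandatory=$true)][string]$Text)

    $sas = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Main Mode SA') {
            if ($current -ne $null) { $sas += $current }
            $current = @{ Local = ''; Remote = ''; Auth1 = ''; Auth2 = ''; Offer = '' }
        }
        elseif ($current -ne $null -and $line -match '^(?<key>[^:]+):\s*(?<val>.*)$') {
            $val = $Matches['val'].Trim()
            switch ($Matches['key'].Trim()) {
                'Local IP Address'  { $current.Local  = $val }
                'Remote IP Address' { $current.Remote = $val }
                'Auth1'             { $current.Auth1  = $val }
                'Auth2'             { $current.Auth2  = $val }
                'MM Offer'          { $current.Offer  = $val }
            }
        }
    }
    if ($current -ne $null) { $sas += $current }
    foreach ($sa in $sas) { New-Object PSObject -Property $sa }
}

function Get-DaTunnelAuthSummary {
    param([string]$Text)
    # Without -Text, read the live monitor output from this client.
    if (-not $Text) { $Text = (netsh advfirewall monitor show mmsa) -join "`n" }

    ConvertFrom-MainModeSaText -Text $Text | ForEach-Object {
        # Look for the three credentials the answer describes in either
        # authentication slot; which slot netsh reports them in is not
        # something the thread establishes, so both are checked.
        $both = "$($_.Auth1) $($_.Auth2)"
        $factors = @()
        if ($both -match 'ComputerCert') { $factors += 'machine certificate (has)' }
        if ($both -match 'ComputerNTLM') { $factors += 'computer account NTLMv2' }
        if ($both -match 'UserKerb')     { $factors += 'user Kerberos ticket (knows)' }
        New-Object PSObject -Property @{
            Remote  = $_.Remote
            Auth1   = $_.Auth1
            Auth2   = $_.Auth2
            Offer   = $_.Offer
            Factors = ($factors -join ' + ')
        }
    } | Select-Object Remote, Auth1, Auth2, Offer, Factors
}

# Constructed sample standing in for live output on a connected client:
# two SAs to the DirectAccess server, one per tunnel.
$sample = @'
Main Mode SA at 02/07/2013 16:32:08
----------------------------------------------------------------------
Local IP Address:                     2001:db8:1::10
Remote IP Address:                    2001:db8:1::1
Auth1:                                ComputerCert
Auth2:                                ComputerNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          0123456789abcdef:fedcba9876543210
Health Cert:                          No

Main Mode SA at 02/07/2013 16:32:09
----------------------------------------------------------------------
Local IP Address:                     2001:db8:1::10
Remote IP Address:                    2001:db8:1::1
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          1122334455667788:8877665544332211
Health Cert:                          No
'@

Get-DaTunnelAuthSummary -Text $sample | Format-Table -AutoSize
```

On a live client, call `Get-DaTunnelAuthSummary` with no arguments while DirectAccess is connected and keep the table alongside `netsh advfirewall consec show rule name=all`, which lists the connection security rules the GPO pushed; the monitor output shows what was negotiated, the rules show what was required. An SA whose Factors column lists only the machine certificate is the case to investigate before claiming two factors to an assessor.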