DirectAccess Security Questions

  • Question

  • We are considering deploying DirectAccess to laptops and have some questions.

    People are concerned that this is less secure than VPN because the laptop will be connected to our LAN at all times it is online and therefore is a bigger risk of data loss (laptop stolen while connected to DA or data stolen while laptop connected to insecure public network). Is it less secure than a traditional VPN client such as AnyConnect where the user must manually launch the connection and use MFA?

    Can you limit DirectAccess to only access certain services such as ConfigMgr management and access to things like domain controllers, KMS etc and still require users to connect to VPN to access other resources such as file shares?

    We do not have UAG. If DirectAccess is behind an edge firewall, what are benefits of the DA server having 2 vs 1 network interface?

    Monday, August 15, 2016 11:11 PM

Answers

  • It's definitely perception, not reality. Fundamentally it uses the same encryption that traditional client-based VPN uses. It's AES-encrypted IPsec. DirectAccess requires more authentication than VPN though. DirectAccess requires that the machine have an account in Active Directory, and optionally (but highly recommended) a certificate issued by your internal PKI. Multifactor authentication is optional, but also supported. There are some additional (but unsupported) methods you can use to further improve the security solution too.

    Send me an email and I'll share that DirectAccess security whitepaper I wrote. I think you'll find it informative.

    • Marked as answer by MyGposts Tuesday, August 23, 2016 2:16 AM
    Tuesday, August 16, 2016 3:13 PM

All replies

  • DirectAccess is quite secure, arguably more so than traditional client-based VPN. There are a number of things you can do to improve upon the security of DirectAccess too, much more than can be covered here. In a nutshell though, yes, you can limit access to individual internal servers, if that is desired. As for the benefits of having two network interfaces on the DirectAccess server, the main benefit is reduced exposure to untrusted networks. The DirectAccess server must be domain-joined, making it unsuitable for deploying in a DMZ with just one adapter. With two adapters, the external network interface can safely reside in the DMZ and have a more restrictive firewall policy applied to it.

    If you send me an email, I'll send you a whitepaper I wrote a while back about security considerations for DirectAccess deployments.

    Hope that helps!

    Monday, August 15, 2016 11:46 PM

  • The wizard has an option to put it behind a NAT device and use either one or two adapters for the DA server. I don't understand why you would use two adapters. Wouldn't it be more secure to not have any adapters touching the DMZ?


    • Edited by MyGposts Tuesday, August 16, 2016 12:16 AM
    Tuesday, August 16, 2016 12:16 AM
  • It's a design choice. You are absolutely right, placing the DirectAccess server on the LAN with a single network interface reduces the exposure to the DMZ. However, there is still unauthenticated network traffic sourcing from an untrusted network (public Internet) that is terminating on the DirectAccess server. Some organizations have a policy against this, and require it to be terminated in a DMZ. In this case, having two network adapters is ideal. Another alternative is to terminate on a third-party device such as a load balancer, but that is not formally supported by Microsoft.

    Tuesday, August 16, 2016 2:57 PM
  • Where can I find information on how security compares between DirectAccess and commercial VPN clients?

    There is concern about implementing DirectAccess because of a perception that it is a larger security risk than regular VPN.

    Tuesday, August 16, 2016 3:05 PM
  • As Richard mentioned, this is just a perception. Once they start using Direct Access vs the old VPN they will realize the difference.

    I would highly recommend using machine certificates as well from your internal PKI. Now for Direct Access to connect it will need to verify both the machine (certificate) and the user credentials (which on laptops can be anything: MFA, Windows Hello, fingerprint, passwords, tokens, etc.).

    Direct Access won't connect automatically unless both machine and user are authenticated then the next step is to limit the resources this machine or this user can access to completely secure the process.

    Wednesday, August 17, 2016 8:51 AM
    Moderator
  • It has to be able to connect without user authentication or else the PC wouldn't be able to communicate with the network while it's booted up at the login screen to reach a domain controller and verify the user's credentials.

    Windows Hello isn't really added security because it's an optional replacement for a password. Windows Hello is a convenience for the user to avoid having to key in their password, not MFA.

    Wednesday, August 17, 2016 1:10 PM