UAG DirectAccess and read only DC

  • Question

  • Hi,

    would it be possible to use a read only DC with UAG and DirectAccess? From my understanding it is essential (for remote management of the DA clients) that the client registers its IPv6 address in DNS. Is this possible with a read only DC (when used also as DNS)? Or might it be better to use the RO DC only for authentication and a different (dedicated) DNS server for dynamic DNS registration?

    Best regards

    Thomas

    Friday, November 19, 2010 3:30 PM


All replies

  • Hi

    In a standard environment without DirectAccess, client computers are able to register in DNS even if it is an RODC. Have a look at: http://technet.microsoft.com/en-us/library/cc754956(WS.10).aspx

    Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a "writable DNS server." When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.

    The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.

    If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.

    In my understanding, the client computer must be able to reach the closest domain controller. This will be the same with DirectAccess.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Friday, November 19, 2010 5:48 PM
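    An added example, not part of BenoitS's post or of the Microsoft documentation it cites: a PowerShell check that confirms two things a DirectAccess deployment with an RODC depends on, namely where the RODC's DNS sends a client's dynamic update and whether the DA client's IPv6 (AAAA) record actually ended up in the zone. It assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 or RSAT of that generation or later) on a domain-joined management host; the zone, client and RODC names are placeholders, and it assumes the referral described above surfaces as the primary server field of the SOA answer, which is what the Windows DNS client uses to find its update target.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and
# DnsClient PowerShell modules; every name below is a placeholder.
param(
    [string]$Zone       = 'corp.example.com',        # placeholder AD DNS zone
    [string]$ClientHost = 'da-client01',             # placeholder DA client
    [string]$RodcDns    = 'rodc01.corp.example.com'  # placeholder RODC running DNS
)

Import-Module ActiveDirectory, DnsClient -ErrorAction Stop

function Get-UpdateServerFromRodc {
    # The client's "find authoritative" step is an SOA query; the RODC's
    # answer carries the primary server name the client sends its update to
    # (assumption: the referral is exposed in the SOA primary server field).
    param([string]$Zone, [string]$RodcDns)
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $RodcDns -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    return $soa.PrimaryServer.TrimEnd('.')
}

function Test-DaClientRegistration {
    # Ask each DNS server for the client's AAAA record. The DA client is
    # managed over IPv6, so a missing AAAA record means remote management
    # will not reach it even if an A record exists.
    param([string]$Fqdn, [string[]]$DnsServers)
    foreach ($srv in $DnsServers) {
        $aaaa = Resolve-DnsName -Name $Fqdn -Type AAAA -Server $srv -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'AAAA' }
        [pscustomobject]@{
            DnsServer  = $srv
            Registered = [bool]$aaaa
            IPv6       = (@($aaaa) | ForEach-Object { $_.IPAddress }) -join ', '
        }
    }
}

# Only writable DCs can accept the update, so the referral target must be one.
$writableDcs = Get-ADDomainController -Filter * |
               Where-Object { -not $_.IsReadOnly } |
               Select-Object -ExpandProperty HostName

$updateServer = Get-UpdateServerFromRodc -Zone $Zone -RodcDns $RodcDns
$referralOk   = $writableDcs -contains $updateServer
"RODC $RodcDns refers updates to $updateServer (writable DC: $referralOk)"

# Check the record on the RODC (its replicated read-only copy) and on every
# writable DC; a record present on the writable DCs but absent on the RODC
# simply has not replicated yet.
$fqdn = "$ClientHost.$Zone"
Test-DaClientRegistration -Fqdn $fqdn -DnsServers (@($RodcDns) + $writableDcs) |
    Format-Table -AutoSize
```

    Run it from a host that can reach both the RODC and the writable DCs over IPv4 or IPv6; if the referral target is not a writable DC, the client's update will be refused, which is the failure mode the question is about.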
  • Hi,

    would it be possible to use a read only DC with UAG and DirectAccess? From my understanding it is essential (for remote management of the DA clients) that the client registers its IPv6 address in DNS. Is this possible with a read only DC (when used also as DNS)? Or might it be better to use the RO DC only for authentication and a different (dedicated) DNS server for dynamic DNS registration?

    Best regards

    Thomas


    Hi Thomas,

    Are you wanting to use a RODC just for the DNS service? What would be the advantage of using a RODC? Given that all IPv4 and IPv6 traffic needs to be allowed from the DA clients and UAG server to the intranet, it's not clear to me what advantages would be conferred.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, November 22, 2010 7:35 PM
  • Hi Tom,

    the reason for asking this is the following scenario:

    When using NAP/infrastructure tunnel, the remediation servers (including DCs) are to some extent vulnerable to malware which could reside on infected and unprotected clients. Therefore the question arose how to secure those servers. One possibility would be using the Windows firewall on those servers or an IPS in between UAG and those servers. The TMG on the UAG might also be an option, but it's not easily possible to create IPv6 access rules AFAIK.

    Best regards

    Thomas

    Tuesday, November 23, 2010 9:46 AM
  • Hi Thomas,

    Isn't that true for internal clients as well - regarding vulnerability? The DA client threat profile is little different than that exhibited by hosts on the intranet.

    So, I guess the question is, what mechanisms do you use for your intranet DCs to protect them from compromised hosts on the intranet? I would apply the same mechanisms.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 6:09 PM
    Wednesday, November 24, 2010 11:11 AM
  • Hi Tom,

    yes indeed, you are right, the DA clients are in a way "internal" clients. Therefore the DCs and other internal infrastructure servers should be protected in the same way from DA clients as from internal ones. However the threat is maybe a bit higher, as those clients are usually also in other networks (customers, hotels, UMTS etc.). I would apply Windows firewall policies to those infrastructure servers and maybe put an IPS in between. Do you have other ideas?

    Best regards

    Thomas

    Monday, November 29, 2010 2:09 PM
  • Hi Tom,

    yes indeed, you are right, the DA clients are in a way "internal" clients. Therefore the DCs and other internal infrastructure servers should be protected in the same way from DA clients as from internal ones. However the threat is maybe a bit higher, as those clients are usually also in other networks (customers, hotels, UMTS etc.). I would apply Windows firewall policies to those infrastructure servers and maybe put an IPS in between. Do you have other ideas?

    Best regards

    Thomas


    Hi Thomas,

    The DirectAccess clients will pass through the same IDS/IPS devices on your intranet (make sure they are IPv6 aware though, if you're not using NAT64/DNS64). Windows firewall policies would also be applied to DirectAccess clients - so that they use only the protocols they need to in order to reach the DCs (same as internal clients). The thing to keep in mind is that anything an external client can do, an internal client can also do - and they can do it a lot faster because the bandwidth on the intranet is a lot higher! :)

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, December 1, 2010 3:17 PM
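    An added example of the host firewall policy Thomas and Tom discuss; it is not code from the thread, from UAG or from Microsoft. It uses the NetSecurity PowerShell module (Windows Server 2012 or later; on the Windows Server 2008 R2 domain controllers of the thread's era the same rules would be written with netsh advfirewall, and in production they belong in a GPO rather than a script run on each DC). It allows the DirectAccess client prefix to reach a domain controller only on the ports domain membership needs and leaves everything else inbound to the default Block action. The prefix is a placeholder from the IPv6 documentation range; passing the intranet client prefix in the same list treats intranet and DA clients identically, which is Tom's point.

```powershell
# Added example (not from the thread). Assumes the NetSecurity module
# (Windows Server 2012+) on the DC; all prefixes and names are placeholders.
param(
    # Placeholder: the IPv6 prefix UAG assigns to DirectAccess clients.
    # Add the intranet client prefix here to apply the same policy to both.
    [string[]]$ClientPrefixes = @('2001:db8:1:1000::/64'),
    [string]$Group = 'Clients to DC (least privilege)'
)

# Ports a domain member needs on a DC: DNS, Kerberos, RPC endpoint mapper,
# LDAP/LDAPS, SMB (SYSVOL and Group Policy), Kerberos password change,
# global catalog, and NTP. Dynamic RPC (Netlogon, DRS) is handled separately.
$tcpPorts = '53', '88', '135', '389', '445', '464', '636', '3268', '3269'
$udpPorts = '53', '88', '123', '389', '464'

function New-DcClientRuleSet {
    param([string[]]$Prefixes, [string]$Group)
    # Every rule is scoped to the client prefixes; nothing here opens a port
    # to "Any" remote address.
    $common = @{ Direction = 'Inbound'; Action = 'Allow'; Profile = 'Domain'
                 Group = $Group; RemoteAddress = $Prefixes; Enabled = 'True' }

    New-NetFirewallRule -DisplayName "$Group TCP" -Protocol TCP -LocalPort $tcpPorts @common
    New-NetFirewallRule -DisplayName "$Group UDP" -Protocol UDP -LocalPort $udpPorts @common
    # The special value RPC restricts the rule to the dynamic ports the RPC
    # runtime has actually registered instead of a whole static range.
    New-NetFirewallRule -DisplayName "$Group RPC" -Protocol TCP -LocalPort RPC @common
    # ICMPv6 is part of IPv6 itself (neighbor discovery, path MTU discovery).
    New-NetFirewallRule -DisplayName "$Group ICMPv6" -Protocol ICMPv6 @common
}

function Remove-DcClientRuleSet {
    param([string]$Group)
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Idempotent: recreate the group from scratch, then make sure the domain
# profile denies inbound traffic by default so that only explicit allow
# rules pass. Other allow rules on the DC stay in force, so review them too
# and make sure none of them is open to any remote address.
Remove-DcClientRuleSet -Group $Group
New-DcClientRuleSet -Prefixes $ClientPrefixes -Group $Group | Out-Null
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# Review what the DC now accepts from the client prefixes.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $pf.Protocol
        LocalPort = (@($pf.LocalPort) -join ',')
    }
} | Format-Table -AutoSize
```

    The allow rules are keyed on the remote prefix rather than on an interface, so the same policy covers a client whether it arrives through the UAG IP-HTTPS/Teredo/6to4 path or plugs into the intranet, and an IPv6-aware IPS between UAG and the DCs can enforce the identical port list a second time.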
  • Hi Thomas,

    This is exactly what I wrote in the following thread:

    http://forums.forefrontsecurity.org/default.aspx?g=posts&m=2145

    Almost all the customers I meet regarding DA have a conceptual problem when thinking about AD security.

    IT and security managers understand that AD is the most critical server in their infrastructure.

    Best regards,

    Idan Plotnik, Security Engineer, ForefrontSecurity.org

    Thursday, January 20, 2011 8:03 PM
  • I think what they don't understand is that the DA client is NO DIFFERENT than any other client on the intranet when it comes to the security profile.

    The DA client on the Internet moves on and off the intranet just like the intranet client.

    The same mechanisms that protect the DC from compromised intranet clients protect them from compromised Internet DA clients.

    Remember - insider attacks are more dangerous than anything that comes from the outside (cf. Wikileaks).

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, January 21, 2011 11:15 AM