DirectAccess laptop gets stolen. How big of a security concern is it?

  • General discussion

  • I am trying to think of any large security concerns from having DirectAccess 2016 on Windows 10 clients. We would use split-tunneling and I know the clients could get malware, but that same threat happens when people bring their laptops back into the office the following day. The biggest security concern I can think of is if the laptop is stolen, the malicious user resets the local admin password with a CD (thinking this is still possible), then is able to log in locally as an admin and has access to the IPsec certificate, which he could use to get the computer connected to the domain. I know this would not enable him to log in to the domain, but if anyone has heard of any DirectAccess vulnerabilities please let me know.


    • Edited by DaveBryan37 Tuesday, January 23, 2018 12:25 AM

All replies

  • Even if someone stole a DirectAccess laptop and was able to change the local admin password (though this is not nearly as easy as it was in the XP days), logging into a DA laptop with a local account means they will not have access to resources over DA. The computer account would still have some form of access for management duties over the infrastructure tunnel, but the intranet tunnel that carries the user's traffic would never establish, because that tunnel is authenticated based on the computer account/cert plus the user's credentials, so any local account would never be able to open the full DA tunnels.

    Another point to consider is that disabling a DA laptop from connecting is very simple. If you disable the computer account in Active Directory, that laptop is cut off from connecting via DA.

    And to the certificate point - if someone were to steal the IPsec (machine) cert off a laptop, it could not be used to duplicate a DA connection from another computer; there are many more things on the laptop than just the cert involved in making a successful DA connection. First and foremost domain membership, which couldn't be spoofed on another nefarious machine.

    Thursday, January 25, 2018 8:39 PM
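    The reply above says the quick containment step is to disable the computer account in Active Directory. The following PowerShell is an added example of doing that with a dry-run option and an audit note; it is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is available, that the operator can modify computer objects, and that the computer name given is the AD account name without the trailing `$`. The `-TicketId` parameter and the sample computer name are hypothetical.

```powershell
# Added example (not from the thread): contain a reported-stolen DirectAccess
# client by disabling its computer account in Active Directory.
# Assumptions: RSAT ActiveDirectory module installed; operator has rights to
# disable computer objects; $ComputerName is the AD name without the trailing '$'.

#Requires -Modules ActiveDirectory

function Disable-StolenDaClient {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName,

        # Hypothetical incident reference, recorded on the object for later review.
        [string]$TicketId = 'unspecified'
    )

    # Resolve the object first so a typo fails loudly instead of doing nothing.
    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties Enabled, Description -ErrorAction Stop

    if (-not $computer.Enabled) {
        Write-Warning "$ComputerName is already disabled."
        return $computer
    }

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName,
            'Disable computer account (stolen DirectAccess client)')) {

        # With the account disabled the machine can no longer obtain Kerberos
        # tickets, so it cannot authenticate the DA infrastructure tunnel.
        Disable-ADAccount -Identity $computer

        # Keep the reason on the object itself so it survives ticket-system churn.
        $note = 'DISABLED {0:yyyy-MM-dd HH:mm} UTC - reported stolen, ticket {1}, by {2}' -f `
            (Get-Date).ToUniversalTime(), $TicketId, $env:USERNAME
        Set-ADComputer -Identity $computer -Description $note
    }

    # Re-read and return the object so the caller can verify Enabled is now False.
    Get-ADComputer -Identity $ComputerName -Properties Enabled, Description
}

# Usage: dry run first (-WhatIf prints what would change), then the real thing.
# Disable-StolenDaClient -ComputerName 'LAPTOP-0427' -TicketId 'SEC-1234' -WhatIf
# Disable-StolenDaClient -ComputerName 'LAPTOP-0427' -TicketId 'SEC-1234'
```

    Disabling the account blocks new authentication; whether a tunnel that is already up drops immediately depends on when its next IPsec re-authentication happens, so confirm on the DA server rather than assuming. Revoking the machine certificate at the issuing CA is a separate step and is not what the reply is describing.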
  • For more security you could implement BitLocker on all laptops
    Tuesday, December 31, 2019 8:29 PM