How to deny a computer access to DirectAccess?

  • Question

  • Hi,

    Let's say a corporate laptop is lost/stolen. How do you prevent that laptop from connecting via DirectAccess going forward?

    I guess you can simply disable the computer object in AD, but is there a "better" way of doing it?

    Monday, July 25, 2011 7:50 PM

Answers

  • Hi

    Disabling is an excellent solution because your infrastructure tunnel authentication is based on a combination of NTLMv2 and computer certificate. Once the account is disabled, the infrastructure tunnel cannot initialize. Have a look at this: http://technet.microsoft.com/en-us/library/ee382307(WS.10).aspx

    "

    Enabling strong CRL checking for IPsec authentication

    By default, the DirectAccess server and DirectAccess clients use weak CRL checking when performing certificate-based IPsec peer authentication. With weak CRL checking, certificate revocation checking fails only if the validating computer confirms that the certificate has been revoked in the CRL. Revoking computer certificates is one way of blocking DirectAccess for specific DirectAccess clients. A simpler and preferred method is to disable the computer account in Active Directory. This method immediately prevents DirectAccess connections, such as when a laptop computer is lost or stolen, and does not have the delay associated with propagating CRL updates to CRL distribution points.

    For an additional level of protection, you can configure strong CRL checking, in which certificate revocation checking fails if the validating computer confirms that the certificate has been revoked or for any error encountered during certificate revocation checking, including the inability to access the CRL distribution point. For more information, see Configure Strong Certificate Revocation Checking for IPsec Authentication in the DirectAccess Deployment Guide."

    You can try this solution but you will lose NAP. So disabling the computer account is the best solution we have today.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    • Marked as answer by MacAddict1 Tuesday, July 26, 2011 1:54 AM
    Monday, July 25, 2011 9:03 PM
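As an added example (not part of the thread and not Microsoft's own script), here is the remediation the accepted answer recommends, disabling the lost client's computer account in Active Directory, scripted with the ActiveDirectory PowerShell module so that the change is verified and leaves an audit trail on the object. The computer name LAPTOP01 and the ticket reference are constructed placeholders; the script assumes RSAT is installed and the caller has rights to modify the computer object.

```powershell
# Added example: disable the computer account of a lost/stolen DirectAccess
# client. Once the account is disabled the infrastructure tunnel can no
# longer authenticate (NTLMv2 + computer certificate), which takes effect
# immediately rather than waiting for CRL propagation.
# Requires the ActiveDirectory module (RSAT). Names below are placeholders.

Import-Module ActiveDirectory

function Disable-LostDirectAccessClient {
    param(
        # sAMAccountName of the computer without the trailing '$'
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Reason = 'Reported lost/stolen'
    )

    # Get-ADComputer throws if the object does not exist; let that propagate.
    $computer = Get-ADComputer -Identity $ComputerName -Properties Enabled, Description

    if (-not $computer.Enabled) {
        Write-Output "$ComputerName is already disabled."
        return $computer
    }

    # Disable the account: the step the accepted answer calls the best option.
    Disable-ADAccount -Identity $computer

    # Record why and when on the object so other admins see the context.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss') + 'Z'
    Set-ADComputer -Identity $computer -Description "$Reason ($stamp)"

    # Re-read the object and confirm before reporting success.
    $after = Get-ADComputer -Identity $ComputerName -Properties Enabled, Description
    if ($after.Enabled) { throw "Failed to disable $ComputerName" }
    Write-Output "$ComputerName disabled: $($after.Description)"
    return $after
}

# Example call with a constructed computer name and placeholder ticket id.
Disable-LostDirectAccessClient -ComputerName 'LAPTOP01' -Reason 'Lost laptop, ticket <TICKET-ID>'
```

The function re-reads the object after the change rather than trusting the cmdlet's silence, because a replication or permission problem would otherwise leave the laptop able to bring up its tunnel. Certificate revocation, which the quoted TechNet text describes as the slower alternative, is not scripted here since the thread's recommendation is the account disable.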

All replies

  • Also keep in mind that some consider it an advantage that DA can automatically connect itself after being stolen. This potentially gives you a way of tracking the laptop, and also if the thief were to get internet access on the device, that only means that the Infrastructure/management tunnel is active. So they still don't have any access into your network (unless they also stole the user's credentials), but it does give you management access back to the laptop. So for instance, if a laptop is stolen and they plug it in somewhere and boot to the login screen, they won't be able to authenticate and gain access to anything, but you will have a management tunnel established that you can use to issue some kind of "remote wipe" command and kill the hard drive on the laptop. I could see this being very useful to some companies.
    Tuesday, July 26, 2011 1:38 PM