29 Sep 2014

Windows Server VPN Protocols

In the previous article we discussed the VPN authentication protocols used with Windows Server editions. We cannot talk about VPN authentication protocols without also talking about the VPN protocols that can be used with Windows Server 2008 and 2012. Depending on your company's needs, you can choose one of the following four VPN protocols:

PPTP (Point-to-Point Tunneling Protocol) - one of the first VPN protocols and still in use today. It uses MPPE (Microsoft Point-to-Point Encryption) to encrypt the data sent by VPN clients. Although this protocol provides data confidentiality, it supports neither data origin authentication nor data integrity, so it is susceptible to attacks. PPTP connections can be authenticated using MS-CHAP, MS-CHAPv2, PEAP or EAP. PPTP can be used with EAP-TLS, but for that you need a local CA (Certification Authority) deployed and a certificate installed on the VPN server. Note that, unlike with the other protocols, PPTP with EAP-TLS does not require the certificate to be installed on the VPN clients. PPTP is mostly used with non-Microsoft products because it is compatible with all operating systems. You should opt for a newer VPN protocol whenever possible, because the others offer better security.

L2TP/IPSec (Layer 2 Tunneling Protocol with Internet Protocol Security) - a tunneling protocol that provides no encryption or confidentiality on its own. With Microsoft VPN Server it is combined with IPSec, which encrypts the data before it is sent through the tunnel. Two levels of authentication take place within an L2TP/IPSec communication:
Computer authentication - performed using digital certificates issued by a Certificate Authority trusted by both the server and the client.
Client authentication - performed using one of the PPP authentication protocols discussed in the previous article.
This protocol offers data origin authentication, data confidentiality, data integrity and replay protection.

SSTP (Secure Socket Tunneling Protocol) - a tunneling protocol which encapsulates PPP or L2TP traffic in an SSL 3.0 channel. The SSL traffic is carried over HTTPS (Hypertext Transfer Protocol Secure), which means it passes through almost all routers and firewalls because port 443 is usually open on the public Internet. The use of SSL provides transport-level security with key negotiation, integrity checking and encryption. To successfully deploy SSTP within your organization, you will need to take several factors into consideration. SSTP is supported only by Windows Server 2008 or newer editions, which is why it cannot be used with Windows Server 2003. You will also need a trusted CA to issue a certificate for your server, and the certificate must be installed on the server before Routing and Remote Access is enabled. Clients then connect using the VPN server hostname, which must match the subject name specified in the SSL certificate. Note that with SSTP you cannot create site-to-site tunnels, and you cannot tunnel SSTP traffic through proxies that require authentication.

IKEv2 (Internet Key Exchange version 2) - a VPN tunneling protocol supported by the Routing and Remote Access Service (RRAS). The protocol is used to set up a Security Association (SA) for the IPSec communication. Read more about Security Associations here. You will need a local CA issuing certificates with the appropriate Enhanced Key Usage (EKU) options. You will then need to generate the authentication certificate and import it into the VPN server's certificate store. IKEv2 supports VPN Reconnect (also known as Agile VPN), a technology that tolerates network interruptions: the VPN connection is re-established without user intervention once the Internet connection is available again. Read more about IKE in this Wikipedia article.

This was a short introduction to the VPN protocols that can be used on Windows Server editions. The article should give you an overview of these protocols so that you better understand VPN technologies. For any questions on this topic, use my comments section. Wish you a wonderful day!
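As an added example (not part of the original article), the following PowerShell applies the comparison above on the client side of a Windows 8.1 / Server 2012 R2 or newer machine: it lists every configured VPN connection with the verdict the article gives for its tunnel type, and it creates an IKEv2 connection pinned to certificate authentication and a fixed IPsec proposal so the tunnel cannot negotiate down to PPTP-class protection. It assumes the built-in VpnClient module (Get-VpnConnection, Add-VpnConnection, Set-VpnConnectionIPsecConfiguration); the connection name and server hostname are placeholders, and the hostname must match the subject name of the server's certificate as described for SSTP and IKEv2.

```powershell
# Added example, not from the original article. Assumes the VpnClient module
# shipped with Windows 8.1 / Server 2012 R2 or newer; names are placeholders.

function Get-VpnTunnelAssessment {
    # One object per configured connection, with the article's verdict per tunnel type.
    $verdicts = @{
        'Pptp'      = 'MPPE confidentiality only, no origin authentication or integrity: replace'
        'L2tp'      = 'IPSec gives origin authentication, integrity, confidentiality, replay protection'
        'Sstp'      = 'SSL over TCP 443; server hostname must match the certificate subject name'
        'Ikev2'     = 'IPSec SA set up with certificates; supports VPN Reconnect'
        'Automatic' = 'Negotiated at connect time; pin the type so PPTP is never selected'
    }
    $connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                   @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($c in $connections) {
        [pscustomobject]@{
            Name           = $c.Name
            Server         = $c.ServerAddress
            TunnelType     = [string]$c.TunnelType
            Authentication = (@($c.AuthenticationMethod) -join ',')
            Encryption     = [string]$c.EncryptionLevel
            Verdict        = $verdicts[[string]$c.TunnelType]
        }
    }
}

function New-Ikev2VpnConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress   # must equal the server certificate's subject name
    )
    # IKEv2 with machine certificates: both sides present certificates from the trusted CA,
    # so no password-based exchange is available to downgrade to.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required -AllUserConnection -Force
    # Pin the IPsec proposal so the Security Association cannot use weak transforms.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
        -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force
    Get-VpnConnection -Name $Name -AllUserConnection
}

# Usage (placeholders):
# Get-VpnTunnelAssessment | Format-Table -AutoSize
# New-Ikev2VpnConnection -Name 'Corp-IKEv2' -ServerAddress 'vpn.example.com'
```

Run Get-VpnTunnelAssessment first: any connection whose TunnelType is Pptp or Automatic is the one to migrate, since Automatic lets the client fall back through the available tunnel types.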
18 Sep 2014

Windows Server VPN Authentication Protocols

VPN or Virtual Private Network is a technology that offers a secure way to establish communication channels between devices over the public Internet. As a concept, VPN offers three main features: encapsulation, authentication and encryption. These features play an important role because they ensure data is not compromised by a potential attacker. A common VPN scenario looks like this: a client connects to a VPN server or a dedicated VPN appliance to establish a secure tunnel to the destination network. Before the client can access network resources, the VPN server must first authenticate the connection. There are several authentication protocols supported by Windows Server 2012 and 2008. The server always tries the strongest authentication method first and falls back to the others if that attempt fails. In this article I will summarize the authentication protocols used with Windows Server editions and we will see how they differ.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - one of the most secure authentication protocols used today, built on TLS (Transport Layer Security). It can be implemented on a Windows Server 2008 or 2012 that is part of an Active Directory infrastructure. EAP-TLS can be used by VPN clients authenticating with either smart cards or certificates. It provides secure authentication because each client must hold a valid X.509 certificate: besides the client's password, an attacker must obtain the private key of the certificate in order to infiltrate the network. If your company decides to store certificates on smart cards, you increase network security even further, because a smart card can be compromised only by physical theft. Within the corporate network you will need to deploy a Certificate Authority to issue digitally signed certificates for VPN clients.

MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) - this authentication protocol is enabled by default on Windows Server editions. MS-CHAP v2 offers a two-way (mutual) authentication mechanism that verifies the identity of both the VPN server and the VPN client. The two parties authenticate each other using two different cryptographic keys. Unlike EAP-TLS, which relies on digital certificates, MS-CHAP v2 derives its encryption keys from a unique session identifier and the user's credentials.

CHAP (Challenge Handshake Authentication Protocol) - an older authentication protocol that uses the MD5 hash algorithm for its authentication exchanges. The VPN server sends a challenge to the VPN client, which responds with an MD5 hash computed from the challenge and the user's password. The VPN server computes the same hash locally and compares it with the hash received from the client. If the two hashes match, the user is granted network access. You should use this authentication mechanism only if EAP-TLS is not supported within your network.

EAP-MD5 CHAP (EAP-Message Digest 5 Challenge Handshake Authentication Protocol) - a version of CHAP that takes advantage of the EAP framework. It protects the authentication data using MD5 hashing. It has many weaknesses and is known to be vulnerable to dictionary attacks. It authenticates the client to the server but not the other way around, which is why EAP-MD5 CHAP is vulnerable to man-in-the-middle attacks. It was used with older Windows Server editions and should no longer be used.

SPAP and PAP - two simple authentication protocols that are not widely used, since they rely on basic authentication mechanisms and are susceptible to attack. PAP sends plain-text passwords to the server for authentication. With SPAP the password is encrypted before it is sent to the server; SPAP uses a two-way (reversible) encryption algorithm, so it is not a secure authentication protocol either. You should not use these two protocols for VPN authentication.

These are the VPN authentication protocols that can be used with Windows Server editions. Whenever possible, choose the strongest one to ensure data confidentiality against outside attacks. I hope you find this article interesting and use it to enhance your Windows Server VPN knowledge. Wish you all the best and stay tuned for the following articles.
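As an added example (not part of the original article), here is the server-side counterpart of the advice above for an RRAS VPN server on Windows Server 2012: it restricts the accepted user-authentication protocols to the certificate-based ones (EAP-TLS and machine certificates), so that PAP, SPAP, CHAP and EAP-MD5 CHAP cannot be negotiated even though the server tries the strongest method first, and it provides a check you can run afterwards. It assumes the RemoteAccess module (Get-VpnAuthProtocol, Set-VpnAuthProtocol) is installed with the role and that the issuing CA's root certificate is already in the machine's Trusted Root store; the CA subject is a placeholder, and the exact set of values Set-VpnAuthProtocol accepts for -UserAuthProtocolAccepted is assumed to include 'Certificate' and 'Eap'.

```powershell
# Added example, not from the original article. Assumes the RemoteAccess module on
# Windows Server 2012; the CA subject name is a placeholder.

function Set-StrongVpnAuthentication {
    param(
        # Subject of the CA that issues the VPN client certificates (placeholder value)
        [string] $RootCaSubject = 'CN=Example Corp Root CA'
    )
    $rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootCaSubject } |
        Select-Object -First 1
    if (-not $rootCert) {
        throw "Root CA certificate '$RootCaSubject' not found in Cert:\LocalMachine\Root"
    }
    # Only certificate-based authentication (EAP-TLS, machine certificates) is accepted.
    # Password-only methods (PAP, SPAP, CHAP, EAP-MD5 CHAP) are simply not in the list,
    # so the server cannot fall back to them. Client certificates must chain to $rootCert.
    Set-VpnAuthProtocol -UserAuthProtocolAccepted @('Certificate', 'Eap') `
        -RootCertificateNameToAccept $rootCert -PassThru
}

function Test-VpnAuthenticationIsStrong {
    # $true only when every accepted user-authentication protocol is certificate/EAP based.
    $accepted = @((Get-VpnAuthProtocol).UserAuthProtocolAccepted)
    $weak = $accepted | Where-Object { $_ -notin @('Certificate', 'Eap') }
    return ($accepted.Count -gt 0 -and -not $weak)
}

# Usage (placeholder CA):
# Set-StrongVpnAuthentication -RootCaSubject 'CN=Example Corp Root CA'
# Test-VpnAuthenticationIsStrong   # expect True after the change
```

Because the RRAS server negotiates from strongest to weakest, removing the weak methods from the accepted list is what actually prevents a client (or someone impersonating one) from steering the negotiation down to PAP or CHAP.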
16 Sep 2014

Active Directory Forest Trust

If you've been working with Active Directory for a while, you probably know most of the features this technology supports. Large companies that span multiple geographical areas implement domains and forests across their entire network for a centralized and manageable infrastructure. If your forests are part of the same network and you want to enable communication between them, you will need to establish forest trusts. This feature was introduced with Windows Server 2003 and offers several trust mechanisms: you can configure one-way incoming, one-way outgoing and two-way trusts. I will try to cover them in this article so that you can choose the right option for your network. But why should you opt for forest trusts instead of incorporating multiple domains and forests under the same AD infrastructure? One reason may be that you want separate Active Directory infrastructures so you can manage your forests individually. Another may be that your forests use different domain and forest functional levels and cannot be combined, or that your company recently acquired a new office that was using a different AD organization and you do not want to mix them.

Note that you can create trusts at the domain or forest level. There are multiple trust types that you can establish, including:
Shortcut trust - when you create a shortcut trust between two forests, any domain from one forest will trust any domain from the second one. You would choose this type of trust if resources from different domains must be accessed frequently. This trust may be implemented to improve logon times between two domains. Also note that response time may decrease if each forest includes several layers of child domains. The direction of the trust can be one-way or two-way.
External trust - you can implement this when you want to create a trust between a domain that is part of your forest and an external domain that is not part of any forest. "External trusts are sometimes necessary when users need access to resources located in a Windows NT 4.0 domain or in a domain located within a separate forest that is not joined by a forest trust". External trust direction can be one-way or two-way.
Forest trust - used to share resources between multiple forests. The direction of a forest trust can be either one-way or two-way, depending on the needs of your network. "Forest trusts are useful for Application Service Providers, companies undergoing mergers or acquisitions, collaborative business extranets, and companies seeking a solution for administrative autonomy."
Realm trust - this type of trust is established between Windows forests and UNIX/Linux based systems. You need to use Kerberos V5 authentication to establish a realm trust between your Linux and Windows infrastructures. Realm trusts can be either one-way or two-way.

Trust direction
Every trust created between domains or forests has a trust direction assigned. The direction indicates the path used to authenticate accounts that are part of the trust relationship. A trust relationship involves two entities: the trusted domain and the trusting domain. When a resource is accessed from the trusted domain in the direction of the trusting domain, the security subsystem on the local domain controllers verifies that a trust relationship exists between the two domains. To be able to access a given resource, there must be a trust direction set from the trusting DCs to the trusted DCs. The following picture displays a trust relationship between two domains:
Trust Relationship

"One-way trust - A one-way trust is a unidirectional authentication path created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A (trusted domain) can access resources in Domain B (trusting domain). However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be a nontransitive trust or a transitive trust depending on the type of trust being created. For more information about trust types, see Trust types.
Two-way trust - All domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, both domains that are involved in a trust relationship trust each other. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. For more information, see Trust types." (from here)

When discussing forest trusts we must also talk about trust transitivity. The term refers to the ability to extend an existing trust between two domains to other domains. A transitive trust extends the trust to further domains, while a nontransitive trust limits the relationship to the two domains directly involved and does not extend it to other domains. Read more about trust transitivity here.
I hope you've enjoyed this article; if you think some things are still unclear on this topic, post a comment and I will try to respond as soon as possible. Wish you all the best and stay tuned for the following articles.
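As an added example (not part of the original article), the following PowerShell reads the trusts of the current domain and restates each one in the trusted/trusting and transitive/nontransitive terms used above, so you can verify which direction a trust actually runs before relying on it; it also shows how a one-way forest trust is created programmatically. It assumes the ActiveDirectory module (Get-ADDomain, Get-ADTrust, available with RSAT on Windows Server 2012) and the .NET System.DirectoryServices.ActiveDirectory classes; the target forest name is a placeholder, and the classification into shortcut/forest/external/realm is derived from the IntraForest, ForestTransitive and TrustType attributes as an assumption about how those attributes map to the trust types described in the article.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module and the .NET ActiveDirectory classes; forest names are placeholders.

function Get-TrustDirectionSummary {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        # Get-ADTrust reports Direction from the point of view of the queried domain:
        #   Outbound      -> $Domain trusts the target (target is the trusted domain),
        #                    so accounts from the target can reach resources in $Domain
        #   Inbound       -> the target trusts $Domain, so $Domain's accounts reach its resources
        #   BiDirectional -> both of the above
        $path = switch ([string]$t.Direction) {
            'Outbound'      { "$Domain (trusting) accepts accounts from $($t.Target) (trusted)" }
            'Inbound'       { "$($t.Target) (trusting) accepts accounts from $Domain (trusted)" }
            'BiDirectional' { "two-way: each side is both trusted and trusting" }
            default         { "direction $($t.Direction)" }
        }
        # Assumed mapping of attributes to the article's trust types.
        if     ($t.IntraForest)            { $kind = 'intra-forest (parent-child or shortcut)' }
        elseif ($t.ForestTransitive)       { $kind = 'forest' }
        elseif ([string]$t.TrustType -eq 'MIT') { $kind = 'realm (Kerberos V5)' }
        else                               { $kind = 'external' }

        [pscustomobject]@{
            Target     = $t.Target
            Direction  = [string]$t.Direction
            Kind       = $kind
            Transitive = [bool]($t.IntraForest -or $t.ForestTransitive)
            AccessPath = $path
        }
    }
}

function New-OneWayForestTrust {
    param(
        [Parameter(Mandatory)] [string] $TargetForest,   # e.g. 'partner.example' (placeholder)
        [ValidateSet('Inbound', 'Outbound', 'Bidirectional')] [string] $Direction = 'Outbound'
    )
    # Creates both sides of the trust; the caller needs Enterprise Admin rights in both forests.
    $local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $dir   = [System.DirectoryServices.ActiveDirectory.TrustDirection]$Direction
    $local.CreateTrustRelationship($TargetForest, $dir)
}

# Usage (placeholders):
# Get-TrustDirectionSummary | Format-Table -AutoSize
# New-OneWayForestTrust -TargetForest 'partner.example' -Direction Outbound
```

The AccessPath column is the check worth keeping: an Outbound trust means your domain is the trusting side, i.e. it is your resources that become reachable from the other forest, which is the opposite of what the word "outgoing" suggests to many administrators.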
11 Sep 2014

How to use Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a tool that system administrators can use to detect possible security vulnerabilities on their workstations. MBSA works together with WSUS or SCOM servers to detect missing updates on Windows desktop computers. You can use this tool to manually create a health report for each of your network's devices. It offers a fast and reliable way to create system reports that can later be used to improve network security.
You can download the Microsoft Baseline Security Analyzer from Microsoft's website. The tool is easy to install and configure: just double-click the installer and follow the wizard's instructions. Once the software has been installed, open it to check out its interface.
MBSA offers two ways to scan your devices: scan a single computer by name or IP address, or scan multiple computers by domain name or by a range of IP addresses. For this demonstration I will use the first method, so simply click Scan a computer on the left side of the panel:
Baseline Security Analyzer

Simply type in the computer's name or IP address and set the security report name. In the Options section you can choose which checks will be performed on the specified machine. Once all the options have been set, press the Start Scan button:
Baseline Security Analyzer tutorial

The report offers an overview of installed updates on your workstations.
Microsoft Baseline Security Analyzer
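As an added example (not part of the original article), the following PowerShell runs the same "scan a computer" check from the command line against a list of machines, using the mbsacli.exe client that ships with MBSA, and collects the resulting reports so they can be reviewed together. It assumes MBSA 2.x is installed at its default path, that the scanning account has administrative rights on the targets, and that mbsacli's /target, /nvc and /o switches behave as documented for that version; computer names are placeholders.

```powershell
# Added example, not from the original article. Assumes MBSA 2.x with mbsacli.exe
# at its default install path; computer names are placeholders.

function Invoke-MbsaScan {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $MbsaCli   = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2\mbsacli.exe",
        [string] $ReportDir = "$env:USERPROFILE\SecurityScans"   # mbsacli's default report folder
    )
    if (-not (Test-Path -Path $MbsaCli)) { throw "mbsacli.exe not found at $MbsaCli" }

    foreach ($pc in $ComputerName) {
        # /target  computer name or IP, the CLI equivalent of "Scan a computer"
        # /nvc     do not check for a newer MBSA version before scanning
        # /o       report file name template (%T% expands to the scan timestamp)
        & $MbsaCli /target $pc /nvc /o "$pc-%T%" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Scan of $pc returned exit code $LASTEXITCODE"
        }
    }
    # Reports are written as .mbsa (XML) files; newest first so the current run is on top.
    Get-ChildItem -Path $ReportDir -Filter '*.mbsa' -ErrorAction SilentlyContinue |
        Sort-Object -Property LastWriteTime -Descending
}

# Usage (placeholder names):
# Invoke-MbsaScan -ComputerName 'WS01', 'WS02', '10.0.0.25' | Select-Object Name, LastWriteTime
```

The returned report files are the same XML documents the GUI shows under "View existing security scan reports", so a run of this function can feed a scheduled task without touching the console.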

There are other tools that can be used to achieve similar results, but Microsoft Baseline Security Analyzer is fast and easy to use. That's about it for this article folks, wish you all the best and stay tuned for the following articles.
29 Aug 2014

How to install and configure Hyper-V on a Windows Server 2012 machine

Hyper-V installation
In today's article I will show you how to install and configure the Hyper-V server role on Windows Server 2012. Note that for this tutorial I will be using a virtual machine hosted on VMware. We had a short introduction to Hyper-V in a past article, and I think it is better if you read it before proceeding with this post.

Because Hyper-V ships as a built-in role of Windows Server 2012, it can easily be installed using the Server Manager console. Once you've opened the console, navigate to the Roles section and select Hyper-V from the list. The Hyper-V Module for PowerShell and Hyper-V GUI Management Tools features will be added during the installation process.
Hyper-V tutorial
The wizard prompts you to create a new virtual switch. This is a virtual device that binds to your physical interface and allows your server to communicate with the rest of the network. From the available menu, choose the interface to be used by this Hyper-V server.

Hyper-V live migration
Server live migration can be enabled in the following section. For now, it is best not to enable this feature, because this is a testing environment and we will not be using it.
Hyper-V installation
We need to specify the location for our virtual hard disks and configuration files. It is best to keep these files in separate folders; this way you isolate any problem that may occur. I will leave the default locations and proceed with the installation. You will need to be patient for a short while until the wizard completes. Note that you will need to reboot the server once the wizard has finished.

Hyper-V training
You can now open the Hyper-V Manager console from Administrative Tools. Open Hyper-V Settings by right-clicking your Hyper-V node. There are many configurable sections in this menu, and you will need to access them when customizing your system. From this section you can configure the following: Virtual Hard Disks and Virtual Machines location, Physical GPU settings, NUMA Spanning (to allow non-uniform memory spanning), Live and Storage Migrations, Enhanced Session Mode Policy, Replica Configuration and User settings. Each option has a short description that explains its basic role within Hyper-V. I like this menu because it is intuitive and lets you configure Hyper-V quite easily:

Hyper-V Settings

Using the Hyper-V Manager console we can also create, edit or inspect virtual disks. I will show you how to deploy a new virtual machine with Hyper-V in a future article, and we will see how to edit a virtual disk. In the Action section of the upper menu you can see all the available actions:
Hyper-V console

In the Virtual Switch Manager we can add virtual network devices to be used within our virtualization infrastructure. If you are familiar with other virtualization products, this section will look familiar. Hyper-V offers three types of virtual network switch, as follows:
  • external - this virtual switch binds to a physical network adapter and allows connectivity between VMs and the physical network.
  • internal - can be used only between the physical server and its virtual machines; no external access is provided through this switch.
  • private - can be used only between virtual machines that run on the same Hyper-V server.
Virtual Switch Manager

You can create one external virtual switch per physical interface, but you can create an unlimited number of internal or private virtual switches. Once the virtual devices have been added to your Hyper-V server, they can be configured just like physical interfaces from Control Panel\Network and Internet\Network Connections.
Hyper-V Virtual Switch

You can configure virtual devices just like physical interfaces; you should already be familiar with this operation:
Hyper-V Virtual devices

On the Virtual SAN Manager page you can create virtual Fibre Channel adapters for your SAN (Storage Area Network). I haven't had the opportunity to work with this feature, since I don't have a test storage device.

The Windows service that manages Hyper-V is Hyper-V Virtual Machine Management; you can view its status in the Services console or in Server Manager under the Hyper-V section. Note that if this service crashes or is stopped, all Hyper-V dependencies and the whole virtualization platform stop working:
Hyper-V Service
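As an added example (not part of the original article), the following PowerShell performs the same steps the wizard and the Hyper-V Settings dialog walked through above: install the role with its management tools, create one switch of each of the three types, move the virtual hard disk and virtual machine folders to dedicated paths, and verify that the Hyper-V Virtual Machine Management service is running. It assumes Windows Server 2012 with the ServerManager and Hyper-V modules (Install-WindowsFeature, New-VMSwitch, Set-VMHost, Get-VMSwitch); the adapter name, switch names and storage paths are placeholders.

```powershell
# Added example, not from the original article. Assumes the ServerManager and
# Hyper-V PowerShell modules on Windows Server 2012; names and paths are placeholders.

function Install-HyperVRole {
    # Installs the role together with the Hyper-V PowerShell module and GUI tools.
    # A reboot is still required afterwards, exactly as with the Server Manager wizard.
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
}

function New-HyperVSwitches {
    param([Parameter(Mandatory)] [string] $PhysicalAdapter)   # e.g. 'Ethernet' (placeholder)
    # external: bound to the physical NIC; only one per physical interface.
    New-VMSwitch -Name 'External-LAN' -NetAdapterName $PhysicalAdapter -AllowManagementOS $true
    # internal: host <-> VMs only; no path to the physical network.
    New-VMSwitch -Name 'Internal-Mgmt' -SwitchType Internal
    # private: VM <-> VM only on this host; the host itself gets no adapter on it.
    New-VMSwitch -Name 'Private-Lab' -SwitchType Private
}

function Set-HyperVStoragePaths {
    param(
        [string] $VhdPath = 'D:\Hyper-V\Virtual Hard Disks',   # placeholder paths
        [string] $VmPath  = 'D:\Hyper-V\Virtual Machines'
    )
    # Separate folders for disks and configuration files, as recommended in the article.
    foreach ($p in @($VhdPath, $VmPath)) {
        New-Item -ItemType Directory -Path $p -Force | Out-Null
    }
    Set-VMHost -VirtualHardDiskPath $VhdPath -VirtualMachinePath $VmPath
}

function Test-HyperVHost {
    # $true only when the management service (vmms) runs and all three switch types exist.
    $svc   = Get-Service -Name vmms -ErrorAction SilentlyContinue
    $types = @(Get-VMSwitch -ErrorAction SilentlyContinue | ForEach-Object { [string]$_.SwitchType })
    $allTypes = @('External', 'Internal', 'Private') | ForEach-Object { $_ -in $types }
    return ([bool]$svc -and $svc.Status -eq 'Running' -and ($allTypes -notcontains $false))
}

# Usage (placeholders):
# Install-HyperVRole            # then reboot
# New-HyperVSwitches -PhysicalAdapter 'Ethernet'
# Set-HyperVStoragePaths
# Test-HyperVHost               # expect True
```

Test-HyperVHost is the check to schedule: because vmms is the single point the whole platform depends on, a stopped service there is worth an alert before any VM-level monitoring fires.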

Hyper-V offers many features that can be used within your virtual environment, and we have not covered every aspect of this technology. This article should at least give you some basic information on how to install and configure Hyper-V. In the next tutorial I will show you how to create a new VM using Hyper-V, and we will later see how to use these machines to deploy new Windows Servers using WDS. Please use my comments section to post questions regarding this topic or if you think there are things that were not covered properly. Wish you all the best and don't forget to enjoy your day!
© 2014 All Rights Reserved.
IT training day & Powered By BloggerHero