You're reading from Mastering Windows Server 2022 - Fourth Edition

Product type: Book
Published in: May 2023
Publisher: Packt
ISBN-13: 9781837634507
Edition: 4th Edition
Author: Jordan Krause

Jordan Krause has been an IT professional for more than 20 years and has received 9 Microsoft MVP awards for his work with Microsoft server and networking technologies. One of the world's first experts on Microsoft DirectAccess, he has a passion for helping companies find the best ways to enable a remote workforce. Committed to continuous learning, Jordan holds certifications as an MCSE, MCSA, and MCITP Enterprise Administrator, and has authored numerous books on Microsoft technologies. Jordan lives in beautiful West Michigan (USA), but works daily with companies around the world.

Always On VPN

Giving a user access to a VPN connection traditionally means providing them with a special network connection that they launch themselves, entering credentials to authenticate, connect to their work environment's network, and then communicate with company resources. This is what we configured inside RRAS. After launching a VPN, users can open their email, find documents, launch their line-of-business applications, or otherwise work in the same ways that they can when physically sitting in their office. Also, when connected via a VPN, management of their laptop is possible, enabling successful communication flow for systems such as Group Policy and SCCM. VPN connections offer great connectivity back to your network, but (remember, we are talking about traditional, regular VPN connections here) they only work when the user manually launches them and tells them to connect. Anytime that a user has not connected to their VPN, they are navigating the internet with no connectivity...

DirectAccess

Throughout our discussion about Always On VPN, I mentioned Microsoft DirectAccess a couple of times. DirectAccess is another form of automatic VPN-like connectivity, but it takes a different approach than that of Always On VPN. Where AOVPN simply uses expected, well-known VPN protocols and does some crafty magic to automatically launch those otherwise traditional VPN tunnels, DirectAccess tunnels are quite proprietary. Tunnels are protected by IPsec, and are essentially impenetrable and unable to be impersonated. I find that security teams love the protections and complexity surrounding DA tunnels because it is a connection platform that attackers have no idea how to tamper with or replicate.

In my experience, at this point in the game, Microsoft DirectAccess is the most common reason that administrators deploy the Remote Access role on a Windows Server instance. As stated, the easiest way to think about DirectAccess is to think of it as an automatic VPN. Similar...

Remote Access Management Console

You are well on your way to giving users remote access capabilities on this new server. As with many networking devices, once you have established all of your configurations on a Remote Access server, it is pretty common for admins to walk away and let it run. There is no need for a lot of ongoing maintenance or changes to that configuration once you have it running well. However, the Remote Access Management Console in Windows Server 2022 is useful not only for the configuration of remote access parts and pieces but for monitoring and reporting as well.

When working with DirectAccess, this is your home for pretty much everything: configuration, management, monitoring, and troubleshooting. On the VPN/AOVPN side of the remote access toolset, you will be making many of the VPN configuration decisions inside RRAS, but RAMC is the place to go when checking over server-side monitoring, client-connection monitoring, and reporting statistics. Whether you use DA,...

DA, VPN, or AOVPN? Which is best?

VPN has been around for a very long time, making it a pretty familiar idea to anyone working in IT. Always On VPN certainly brings its share of new capabilities, but under the hood what AOVPN is doing is launching a traditionally configured VPN connection, so the connection flow is similar to what we have always known. In this chapter, we have also discussed quite a bit about DirectAccess in order to bring you up to speed on this alternative method of automatically connecting your remote clients back to the datacenter. Now that you know there are two great connectivity platforms built into Windows Server 2022 for enabling your mobile workforce, which one is better?

You don't have to choose! You can run both of these technologies side by side, even on the same Remote Access server. Each technology has its pros and cons, and the ways that you use each, or both, will depend upon many variables. Your users, your client computers, and your organization...

Web Application Proxy

DirectAccess and VPN are both great remote access technologies, and combining the two of them together can provide a complete remote access solution for your organization, without having to pay for or work with a third-party solution. Better still, in Windows Server 2022 there is yet another component of the RemoteAccess role available to use. This third piece of the remote access story is Web Application Proxy (WAP). This is essentially a reverse-proxy mechanism, giving you the ability to take some HTTP and HTTPS applications that are hosted inside your corporate network and publish them securely to the internet. Any of you who have been working with Microsoft technologies in the perimeter networking space over the last decade will probably recognize a product called Forefront Unified Access Gateway (UAG), which accomplished similar functionality. UAG was a comprehensive SSLVPN solution, also designed for publishing internal applications to the internet via SSL...

Requirements for WAP

Unfortunately, the ability to make use of Web Application Proxy comes with a pretty awkward requirement: you must have AD FS installed in your environment to be able to use it—even to test it, because the WAP configuration is stored inside AD FS. None of the WAP configuration information is stored on the Remote Access server itself, which makes for a lightweight server that can be easily moved, changed, or added to. The downside to this is that you must have AD FS running in your environment so that WAP can have a place to store that configuration information.

While a tight integration with AD FS does mean that we have better authentication options, and users can take advantage of AD FS single-sign-on to their applications that are published through WAP, so far this has proven to be a roadblock to implementation for smaller businesses. Many folks are not yet running AD FS, and if the only reason they are looking into implementing AD FS is so that they can use...

Latest improvements to WAP

Web Application Proxy was introduced in Server 2012 R2 and received many improvements when Windows Server 2016 was released. There have been few major modifications since that time, but it is still important to point out the latest benefits that have been rolled into this feature, to show that it is still learning to do new things. If you haven't taken a look at WAP since its first iteration, the following are some of the improvements that have been made.

Preauthentication for HTTP Basic

There are two different ways that users can authenticate to applications that are being published by Web Application Proxy: preauthentication or pass-through authentication. When you publish an application with preauthentication, users have to stop by the AD FS interface to authenticate themselves before they are allowed through to the web application itself.

In my eyes, preauthentication is a critical component to any reverse-proxy and I would have to...
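As an added example (not from the book), the two publishing modes just described expressed with the WebApplicationProxy PowerShell cmdlets on a server that already holds the WAP role; application names, URLs and the certificate thumbprint are placeholders, and the AD FS relying party trust is assumed to exist already:

```powershell
# Added example, not from the book. All names, URLs and the thumbprint are placeholders.
Import-Module WebApplicationProxy

$thumb = '<EXTERNAL-CERT-THUMBPRINT>'   # placeholder: cert bound to the external hostname

# Weak setting: pass-through. WAP relays every request straight to the backend,
# so the internal web server sees anonymous internet traffic and must defend itself.
Add-WebApplicationProxyApplication `
    -Name 'Legacy Portal (pass-through)' `
    -ExternalUrl 'https://legacy.example.com/' `
    -BackendServerUrl 'https://legacy.corp.example.local/' `
    -ExternalCertificateThumbprint $thumb `
    -ExternalPreauthentication PassThrough

# Corrected setting: AD FS preauthentication. Users must authenticate at AD FS before
# WAP forwards anything to the backend. The relying party name must match the trust
# already configured in AD FS (placeholder here).
Add-WebApplicationProxyApplication `
    -Name 'Intranet Portal (preauth)' `
    -ExternalUrl 'https://portal.example.com/' `
    -BackendServerUrl 'https://portal.corp.example.local/' `
    -ExternalCertificateThumbprint $thumb `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet Portal'

# Audit check: list every published application that bypasses preauthentication,
# so pass-through publications can be reviewed rather than forgotten.
Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -eq 'PassThrough' } |
    Select-Object Name, ExternalUrl, BackendServerUrl
```

The final query is the one worth running periodically: anything it returns is an internal application reachable from the internet without an AD FS sign-in in front of it.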

Summary

The nature of the world today demands that most companies enable their employees to work from wherever they are. Working from home has become normal over the past few years; with a worldwide pandemic, we have seen staggering increases in the percentage of employees who work outside of an office building. Companies need a secure, stable, and efficient way to provide access to corporate data and applications for these mobile workers. The Remote Access role in Windows Server 2022 is designed to do exactly that. With three different ways of providing remote access to corporate resources, IT departments have never had so much remote access technology available at their fingertips, built right into the Windows operating system that they already own. If you are still supporting a third-party or legacy VPN system, you should explore the new capabilities provided here and discover how much they could save your business.

DirectAccess and Always On VPN are particularly impressive and compelling...

Questions

  1. What does AOVPN stand for? (Answer: Always On VPN)
  2. What are the two primary protocols used for connecting AOVPN clients? (Answer: IKEv2 and SSTP)
  3. In which version of Windows 10 was AOVPN released? (Answer: Windows 10 1607)
  4. In what special instance would an AOVPN client be required to be joined to your domain? (Answer: When you want to utilize the AOVPN Device Tunnel)
  5. Does DirectAccess require your corporate internal network to be running IPv6? (Answer: No, your internal network can be completely IPv4)
  6. What is the name of the internal website that DirectAccess clients check in with to determine when they are inside the corporate network? (Answer: Network Location Server (NLS))
  7. What ports are used by Teredo and IP-HTTPS? (Answer: Teredo uses UDP 3544, while IP-HTTPS uses TCP 443)
  8. How do you provision DirectAccess configuration settings to the client machines? (Answer: Group Policy)
  9. What role does a Web Application Proxy server hold in a federation environment? (Answer: WAP can...

Questions

  1. What is the name of the antimalware product built into Windows Server 2022?
  2. When a domain-joined computer is sitting inside the corporate LAN, which Windows Defender Firewall profile should be active?
  3. Other than the Domain Profile, what are the other two possible firewall profiles inside Windows Defender Firewall?
  4. When creating a firewall rule to allow IPv4 ping replies, what protocol type must you specify inside your inbound rule?
  5. What is the easiest way to push standardized Windows Defender Firewall rules to your entire workforce?
  6. A virtual machine whose virtual hard disk file is encrypted is called a...?
  7. What is the name of the Microsoft technology that parses domain controller information in order to identify pass-the-hash and pass-the-ticket-attacks?
  8. Which inbound RDP port number is considered safe to open on your external firewall?
  9. What third-party tool can you use to disable TLS 1.0 on Windows Server?
...