M$ - AlwaysOn VPN first thoughts
AlwaysOn, initial thoughts and ideas
tl;dr
Microsofts' AlwaysOn VPN, thoughts on how it might work, lazy threat modelling
What
AlwaysOn, from https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy:
Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, nondomain-joined (workgroup), or Azure AD–joined devices, even >personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you >could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.
- I don’t care about the site-to-site features, I’m more interested in the Win10 clients
- Especialy interested in the nondomain-joined hosts and how that works
- This is the replacement to DirectAccess
- It can do split tunneling or forcibly route all traffic
- It can also do this on a per app (App-Based rules) or per CIDR (or DNS suffix) basis (Traffic-based rule)
- Per app basis is interesting, especially if someone relies on it to be a routing control
Prereqs
- Active Directory core services (i.e. Active Directory, DNS)
- End up just enabling AlwaysOn for a given group
- Active Directory Certificate Services
- User Cert template
- VPN cert profile
- NPS cert template
- A box running the Network Policy Server role (NPS)
- RRAS, probably for the actual heavy lifting here
Client
- PEAP-TLS with TPM–protected user certificates
- Windows Hello can be used here too (and/or Azure MFA + Azure conditional access)
- Unsure of other options
- Config relies on a large XML blob
Client config
- Sample ref points to a CSP
/Vendor/MSFT/VPNv2https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#configure-the-vpn-device-tunnel- CSP - Configuration Service Provider - https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers
- TODO - Further looks into CSP (it’s just a big XML blob, and it appears to be the future for M$’s idea of mobile device management)
- VPNv2 CSP is defined at https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
Simple breakdown:
<SyncML xmlns="SYNCML:SYNCML1.2" xmlns:A="syncml:metinf">
<SyncBody>
<Atomic>
<CmdID>10000</CmdID>
<!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
<Add>
<CmdID>10001</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML</LocURI>
</Target>
<Data><VPNProfile>
<ProfileName>VPN_Demo</ProfileName>
<NativeProfile>
<Servers>VPNServer.contoso.com</Servers>
<NativeProtocolType>Automatic</NativeProtocolType>
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> <EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
</NativeProfile>
<DomainNameInformationList>
<DomainName>.contoso.com</DomainName>
<DNSServers>10.5.5.5</DNSServers>
</DomainNameInformationList>
<TrafficFilter>
<App>%ProgramFiles%\Internet Explorer\iexplore.exe</App>
</TrafficFilter>
<TrafficFilter>
<App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App>
</TrafficFilter>
<Route>
<Address>10.0.0.0</Address>
<PrefixSize>8</PrefixSize>
</Route>
<Route>
<Address>25.0.0.0</Address>
<PrefixSize>8</PrefixSize>
</Route>
<RememberCredentials>true</RememberCredentials>
</VPNProfile></Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
- According to CSP, there can be multiple TrafficFilter tags
- They can include Apps, Claims, protocols and general port range stuff for limitations
- Claims are reserved, no further info
- Protocol is an int field, TCP is 6, UDP is 17
- LocalAddressRange is a filter, curiously. Unsure of use
- RemoteAddressRange is also a filter, more self explanatory
- Notice the
TrafficFilterattribute takes an<app>, which can either be an app name or a file pathPackageFamilyNameis the Microsoft store name- Notably theres' the option for
SYSTEM, which will allow kernel drivers to send things through, the published example is for ICMP traffic - File path might be a bad design decision to rely on :)
VPNv2/ProfileName/LockDown- Apparently this will force there to only be one policy, and to not have networking without it enabled
- How does this interact with captive portals?
VPNv2/ProfileName/RegisterDNS- Apparently used to ask the client to update AD/DNS
- Good for device management purposes
- Could this be used to help redirect traffic for other services? (i.e. rename host to
Sharepoint, and now all traffic destined forsharepoint.target.compoints here, responder to win?)- Ignoring obvious permission issues and other things of existing objects
VPNv2/ProfileName/PluginProfile/CustomConfiguration- “Html encoded XML blob for SSL plug-in specific configuration including authentication information”
- Good place for persistence? Will always launch when user (automatically) connects to VPN
VPNv2/ProfileName/EdpModeId- Windows Information Protection policy blob goes here
- See below
Windows Information Protection (WIP)
Probably worth its own post, seems fairly big.
Seems to basically let people pretend they’re still using Citrix without clipboard access. Offers the following:
- Core functionality: File encryption and file access blocking
- Encryption is probably leveraging the older DRM style offering, or is the next iteration https://docs.microsoft.com/en-us/azure/information-protection/develop/ad-rms-server
- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
Sales pitch / no technical data at https://docs.microsoft.com/en-au/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip
Deployment
- SCCM / Intune
- Not really much published here, SCCM probably has a silly prereq of a particular version
Misc
- Apparently you can’t revoke machine certificates yet https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-adv-options#blocking-vpn-clients-that-use-revoked-certificates
- Typical shitty MS stuff, yo
- If your internal network sucked, making it suck over the internet is going to make it suck more when someone steals a laptop
- Per app routing (TrafficFilter/App) - Does this propogate to child PIDS or just the parent process?
- Apparently theres a
HealthAttestationCSP, which can tie in with this