AlwaysOn, initial thoughts and ideas
Microsoft's AlwaysOn VPN, thoughts on how it might work, lazy threat modelling
AlwaysOn, from https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy:
Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, nondomain-joined (workgroup), or Azure AD–joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.
/Vendor/MSFT/VPNv2
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#configure-the-vpn-device-tunnel

Simple breakdown:
<SyncML xmlns="SYNCML:SYNCML1.2" xmlns:A="syncml:metinf">
  <SyncBody>
    <Atomic>
      <CmdID>10000</CmdID>
      <!-- Configure VPN Server Name or Address (PhoneNumber=) [Comma Separated]-->
      <Add>
        <CmdID>10001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML</LocURI>
          </Target>
          <Data><VPNProfile>
            <ProfileName>VPN_Demo</ProfileName>
            <NativeProfile>
              <Servers>VPNServer.contoso.com</Servers>
              <NativeProtocolType>Automatic</NativeProtocolType>
              <Authentication>
                <UserMethod>Eap</UserMethod>
                <!-- PEAP (type 25) wrapping EAP-TLS (type 13). In this sample PerformServerValidation and
                     AcceptServerName are false and ServerNames is empty, so the client does not check the server's identity. -->
                <Eap>
                  <Configuration>
                    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                      <EapMethod>
                        <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
                        <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                        <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                        <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                      </EapMethod>
                      <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                          <Type>25</Type>
                          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                            <ServerValidation>
                              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                              <ServerNames></ServerNames>
                            </ServerValidation>
                            <FastReconnect>true</FastReconnect>
                            <InnerEapOptional>false</InnerEapOptional>
                            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                              <Type>13</Type>
                              <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                                <CredentialsSource>
                                  <CertificateStore>
                                    <SimpleCertSelection>false</SimpleCertSelection>
                                  </CertificateStore>
                                </CredentialsSource>
                                <ServerValidation>
                                  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                                  <ServerNames></ServerNames>
                                </ServerValidation>
                                <DifferentUsername>false</DifferentUsername>
                                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                                <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                                <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                                  <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                                    <EKUMapping>
                                      <EKUMap><EKUName>Unknown Key Usage</EKUName><EKUOID>1.3.6.1.4.1.311.87</EKUOID></EKUMap>
                                    </EKUMapping>
                                    <ClientAuthEKUList Enabled="true">
                                      <EKUMapInList><EKUName>Unknown Key Usage</EKUName></EKUMapInList>
                                    </ClientAuthEKUList>
                                  </FilteringInfo>
                                </TLSExtensions>
                              </EapType>
                            </Eap>
                            <EnableQuarantineChecks>false</EnableQuarantineChecks>
                            <RequireCryptoBinding>false</RequireCryptoBinding>
                            <PeapExtensions>
                              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
                              <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
                            </PeapExtensions>
                          </EapType>
                        </Eap>
                      </Config>
                    </EapHostConfig>
                  </Configuration>
                </Eap>
              </Authentication>
              <!-- Split tunnel: only the <Route> prefixes listed below are sent through the VPN -->
              <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
            </NativeProfile>
            <DomainNameInformationList>
              <DomainName>.contoso.com</DomainName>
              <DNSServers>10.5.5.5</DNSServers>
            </DomainNameInformationList>
            <!-- Per-app traffic filters: the listed apps' traffic is allowed over the VPN interface -->
            <TrafficFilter><App>%ProgramFiles%\Internet Explorer\iexplore.exe</App></TrafficFilter>
            <TrafficFilter><App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App></TrafficFilter>
            <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
            <Route><Address>25.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
            <!-- Caches the user's VPN credentials on the device -->
            <RememberCredentials>true</RememberCredentials>
          </VPNProfile></Data>
        </Item>
      </Add>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>
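As an added example (mine, not from the page or from Microsoft's docs), a small Python audit that walks a ProfileXML like the sample above and flags the settings a defender would question: server validation switched off, empty ServerNames, crypto binding off, cached credentials, split tunnelling and a SYSTEM traffic filter. The check list and severities are my own assumptions, and the embedded sample profile is constructed to mirror the weak settings in the Microsoft sample.

```python
"""Added example: audit a VPNv2 ProfileXML for settings a defender should review."""
import xml.etree.ElementTree as ET

# (element local name, predicate on its lower-cased text, severity, finding); my own check list
CHECKS = [
    ("PerformServerValidation", lambda v: v == "false", "high", "PerformServerValidation=false: server certificate not validated"),
    ("AcceptServerName", lambda v: v == "false", "high", "AcceptServerName=false: server name not checked against ServerNames"),
    ("ServerNames", lambda v: v == "", "medium", "ServerNames is empty: no expected server name pinned"),
    ("RequireCryptoBinding", lambda v: v == "false", "medium", "RequireCryptoBinding=false: PEAP crypto binding not enforced"),
    ("RememberCredentials", lambda v: v == "true", "low", "RememberCredentials=true: VPN credentials cached on device"),
    ("RoutingPolicyType", lambda v: v == "splittunnel", "info", "SplitTunnel: only listed <Route> prefixes traverse the VPN"),
    ("App", lambda v: v == "system", "medium", "TrafficFilter App=SYSTEM: kernel-mode traffic allowed through the tunnel"),
]

def local_name(tag):
    """Strip the {namespace} prefix ElementTree adds, so the nested EapHostConfig namespaces are ignored."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """Return de-duplicated (severity, finding) tuples for a bare <VPNProfile> or a full SyncML document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        value = (el.text or "").strip().lower()
        for name, is_weak, severity, message in CHECKS:
            if local_name(el.tag) == name and is_weak(value) and (severity, message) not in findings:
                findings.append((severity, message))
    return findings

# Constructed sample that keeps the weak settings of the Microsoft sample profile quoted above.
SAMPLE_PROFILE = """<VPNProfile><NativeProfile>
  <Servers>VPNServer.contoso.com</Servers>
  <Authentication><UserMethod>Eap</UserMethod><Eap><Configuration>
   <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation><ServerNames></ServerNames></ServerValidation>
      <RequireCryptoBinding>false</RequireCryptoBinding>
      <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
     </EapType></Eap></Config></EapHostConfig>
  </Configuration></Eap></Authentication>
  <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
</NativeProfile>
<TrafficFilter><App>SYSTEM</App></TrafficFilter>
<RememberCredentials>true</RememberCredentials></VPNProfile>"""

if __name__ == "__main__":
    for severity, message in audit_profile(SAMPLE_PROFILE):
        print(f"[{severity}] {message}")
```

Running it against the full SyncML document above works the same way, since the matching is on local element names rather than paths.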
- TrafficFilter attribute takes an <App>, which can either be an app name or a file path
  - PackageFamilyName is the Microsoft Store name
  - SYSTEM, which will allow kernel drivers to send things through; the published example is for ICMP traffic
- VPNv2/ProfileName/LockDown
- VPNv2/ProfileName/RegisterDNS
  - Sharepoint, and now all traffic destined for sharepoint.target.com points here, responder to win?)
- VPNv2/ProfileName/PluginProfile/CustomConfiguration
- VPNv2/ProfileName/EdpModeId
  - Probably worth its own post, seems fairly big.
  - Seems to basically let people pretend they're still using Citrix without clipboard access. Offers the following:
  - Sales pitch / no technical data at https://docs.microsoft.com/en-au/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip
  - HealthAttestation CSP, which can tie in with this