http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005756

By Martin Heller
December 08, 2006
Computerworld

Microsoft Corp. has long encouraged its employees to "RAS" into the corporate network from home or from the road to access e-mail, shared files and applications. RAS, short for Remote Access Services, is an old Microsoft term for what most people now call a client VPN.

Microsoft, of course, maintains valuable intellectual property on its internal network, including the source code to all its operating systems and applications. These are constant targets for hackers, and Microsoft tries to protect its most valuable assets with defenses in depth: they sit behind firewalls and on networks segmented with IPsec. In addition, the entire network is monitored for suspicious activity, scanned for malware and so on.

What do I mean by a constant target? Last year, Microsoft IT said it was the target of more than 100,000 intrusion attempts per month. Currently, Microsoft filters out about 9 million spam and virus e-mails a day out of 10 million received. Yes, that means that roughly 90% of incoming e-mails are spam.

In that environment, you'd think that VPN connections might expose Microsoft to serious security risks. So how does Microsoft mitigate those risks while continuing to offer VPN access to remote employees and contractors? The answer to that is manifold.

Two-factor authentication

The first layer of protection for the Microsoft VPN is two-factor authentication. After an infamous incident in fall 2000, Microsoft installed a certificate-based public-key infrastructure and rolled out smart cards to all employees and contractors with remote access to the network, and to individuals with elevated access accounts such as domain administrators. Two-factor authentication requires something physical that you possess in addition to something you know; in this case, that means the smart card and a password.
(The intrusion incident to which I refer was reported by the Wall Street Journal and others, including Computerworld. The news reports said that crackers gained access to Microsoft's network using a stolen username and password, and were able to view, but not alter, some source code. Microsoft disagrees with the information reported.)

"Today, we require a smart card with a valid certificate and PIN, as well as network credentials and authorization to use the network remotely," said Mark Estberg, director of Microsoft's internal security. "We are 'dog-fooding' a deployment using Longhorn Server to implement the same two-factor authorization with SSL VPN from ISA/Whale [acquired by Microsoft in 2006], and with Network Access Protection for endpoint scanning. The back-end authentication and authorization is handled by integration with Active Directory and the Network Policy Server Windows Server."

You might expect Microsoft to adopt biometric security. The company has said it's evaluating it. As yet, however, it's sticking with smart cards.

'Sandbox' connections

The second layer of protection for the Microsoft corporate VPN is a connection "sandbox," implemented using Windows Server 2003's Network Access Quarantine Control. Before a connected computer can access any resources on the corporate network, a program scans the computer for security. An approved operating system must be installed, along with all critical security patches; the scanning program coordinates with Microsoft's methods for deploying patches, such as the Microsoft Update site. In addition, Windows Firewall must be enabled. Finally, the remote computer must not be connected to any other VPNs or be using any other type of remote-access software.

If the scan finds a deficiency, it attempts to correct it. For example, it will update antivirus signatures and force the installation of critical security patches. If the user rejects these updates, the scanner ends the connection.
Once the scan has determined that the computer is clean and fully patched, the connection is allowed out of the sandbox and onto the corporate network.

All of this due diligence can be time-consuming, and potentially annoying to users. According to Microsoft IT, scanning at VPN sign-in can sometimes take as long as five minutes, and on rare occasions up to 15 minutes, for a computer that is not compliant with the standards and has not recently connected to the network.

It would be normal human behavior to hold on to a connection that took you 15 minutes to establish for as long as you conceivably could, and VPN connections are a limited resource that shouldn't be squandered. Therefore, the Microsoft VPN system speeds up the log-in process for frequent VPN users. The network servers remember what has been scanned at each log-in, and grant a grace period before requiring a rescan. Frequent users of the VPN can often log into the network in under a minute.

Encryption and strong passwords

Microsoft follows its own recommendations for VPN encryption, authentication, password strength, and password updates. Microsoft says that the most secure VPN authentication is provided by Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) used with smart cards, and that's exactly what it uses itself. Point-to-Point Tunneling Protocol (PPTP) with EAP-TLS provides the primary VPN services of encapsulation and encryption.

Windows Server 2003 comes set to a default password policy that requires moderately long passwords with a mix of character types (uppercase, lowercase, numeric and symbol characters), along with a mandatory password change every so many days. Microsoft uses a slightly stricter version of the standard Windows Server 2003 password policy for its own network, or perhaps I should say that Windows Server 2003 comes standard with a slightly relaxed version of the secure password policy Microsoft first deployed and vetted internally.
E-mail and IM without RAS

At one time, Microsoft would run out of VPN connections every time there was snow in the Puget Sound area, because most employees working from home would connect to the VPN to send and receive e-mail to and from their Exchange server for extended periods. Microsoft employees, in general, send and receive huge amounts of e-mail, and use it as one of their principal ways to collaborate and manage.

Eventually, the Exchange group developed a method for connecting to mail servers with full functionality without requiring the client to be on the network. This method involves setting up an Exchange proxy server to allow Outlook to access Exchange via RPC over HTTP, protected by SSL encryption. Microsoft deployed Exchange proxy servers, as well as scripts to simplify the proxy setup for Outlook clients, several years ago. This is ideal for employees and contractors working remotely from their own computers, and eliminates the need to use the VPN for e-mail. It offers more functionality than standard POP3 or IMAP mail or Web mail. Exchange also has Web mail, and Microsoft has heavy internal usage of Outlook Web Access.

Many Microsoft employees have so much e-mail that they develop a backlog of unread noncritical messages. One way to cut through that backlog is instant messaging, and Microsoft offers an enterprise-class product in that area, Microsoft Office Communicator 2005. That product can work securely over the Internet without a VPN connection, using a proxy. It evolved from earlier internal instant messaging systems that forced users to connect to the VPN to send secure instant messages.

External SharePoint sites

Another common reason for connecting to the VPN is to work with files from the network. That's perfectly reasonable when only a few people need access to the files, or the files are very sensitive.
On the other hand, it doesn't make a lot of sense to tie up the VPN for low-sensitivity files that many people need when they're working remotely, such as the official Microsoft glossary of computer terms. To serve those needs, Microsoft IT has set up several SharePoint sites as secure password-protected extranets.

More accurately, what Microsoft IT did was empower employees to set up their own SharePoint sites as intranets or extranets, depending on the target audience and sensitivity of the material, and post their own content. So, for example, writers working on Microsoft projects can download the Word templates they need from an extranet site run by the group that manages that kind of writing project, and download the current copyright and trademark list from another extranet site maintained by Microsoft's legal department.

"Recently, we had a snowstorm hit at our headquarters, and we estimate that more than three quarters of Microsoft's Seattle-area workers checked e-mail and did other work from home," said Microsoft CIO Stuart Scott. "Our network and exchange environments scaled to meet this need while doing so securely."

Martin Heller develops software and writes from Andover, Mass. Reach Martin at cw (at) mheller.com.