COVID-19 AND CYBERSECURITY 4: THE YEAR IS 2012… MICROSOFT DIRECTACCESS

…the Surface RT has been launched, the Curiosity Rover lands on Mars and Microsoft makes its most recent update to DirectAccess.

In our first article we discussed the three main categories that many organisations have found themselves in for handling remote working; in particular over the last week we’ve seen a lot of organisations that have gone down the first option with a VPN and are deploying Microsoft DirectAccess.

We entirely understand why; it’s effectively ‘free’ at point of use (just keep your Windows Server licences and CALs up to date), only requires a single inbound port on your firewall and with the software required built right into Windows it only requires a few Group Policies (which are also automatically configured for you) plus some security certificates to get going.

However it would be remiss of me to not offer a few words of caution.  Security threats are ever changing and Microsoft hasn’t invested in DirectAccess for nearly 8 years, which is a lifetime in our world, and as a result it hasn’t kept up with the evolution of secure remote access services.

So what are the gaps that you need to be wary of?

Today patching and ensuring that devices are compliant with policy should be at the forefront of any administrators mind, and a notable gap in features against a modern service is the lack of health checks of the devices connecting over DirectAccess. Without the ability to perform health checks, and with so many corporate devices exposed to the (totally untrusted) home environment as a result of our new COVID-19 ways of forced home working, just how sure can we be that unpatched systems don’t have the ability to compromise sensitive data?

Once on the network it’s also important to keep in mind that the DirectAccess server has no features to control the flow of traffic. Without a network firewall in the way of the traffic you may quickly find that remote users can not only get to their network shares but also the management interfaces for key systems. This issue is further compounded by the DirectAccess server acting as a ‘proxy’ into your network where all internal traffic appears to originate from the DirectAccess server and not the connected VPN clients – making fine grained policies based upon groups of users (instead of just IP address ranges) impossible.

Finally the reality is that COVID-19 has brought on a new wave of cyber-attacks with many of these attacks going undetected for upwards of 200 days. A key method of getting ahead of these Threat Actors (or at least being able to tell what they have done) is in log analysis. Here I simply challenge any DirectAccess administrator to produce a daily report on the clients connected, the network locations visited and if any threats (malware or vulnerability exploit attempts) were detected along the way.

Back to 2020

Many administrators may think back to 2012 and remember the foibles of the old AnyConnect client or perhaps the difficulty in diagnosing issues with RADIUS servers – indeed in researching this article I even found a blog post from myself extoling the virtues of DirectAccess.  However, as we stand in 2020 it’s now the age of SAML, MFA and zero trust methodologies, all the while delivering ubiquitous access from any device of your choosing while enforcing a strong security policy.

Today we ask…

• What technologies are you using to ensure that your remote clients are patched and compliant with policy?
• Just how much of your internal network can a client on your DirectAccess/VPN service see? Have you tested this and are you happy with the results?
• What insight into client activity through logs do you have? Is it the same level as you might have from clients within the corporate network?
• Have you run a Vulnerability Scan (or perhaps even a full Penetration Test) of any new or existing DirectAccess servers/VPNs that are exposed to the internet?

As a business we are committed to providing help, guidance and support to our customers, particularly those on the front line and in critical industries.  We want to do our part to help, so if you have questions, want to chat some things through, you know where we are.