Shifting to Adaptive Authentication and Cloud-Based Security

There’s a significant shift in how organizations are viewing information security, according to The Global State of Information Security Survey 2017 (click to download the original publication) from PricewaterhouseCoopers (PwC).

Here’s a short summary of a few of the major trends mentioned in the document:

Opting for Cloud-Based Security

Instead of traditional on-premises systems, 62 percent of organizations are opting for cloud-based managed security services to provide:

  • Authentication
  • Identity and access management
  • Real-time monitoring and analytics
  • Threat intelligence

PwC calls out real-time monitoring and analytics as key to proactive threat intelligence – 51 percent of respondents monitor data to detect security risks and incidents.

To help you gain insight into the users and devices accessing your applications, Route443 can assist you in the area of Identity & Access Management, where that insight is used to make access policy decisions.

Advanced Authentication

“Identity has been at the heart of most every breach in the past two years.” – Richard Kneeley, PwC US Managing Director, Cybersecurity and Privacy.

Phishing has emerged as a significant risk across all companies and every industry. Thirty-eight percent of those surveyed reported phishing scams. Criminals will send phishing emails to employees in order to trick them into sharing their legitimate user credentials, gaining access to company systems and data.

Passwords alone aren’t secure enough to protect against phishing attacks. PwC reports that businesses are adopting advanced authentication, or multi-factor authentication technology such as software tokens, biometrics and smartphone tokens.

As security perimeters dissolve and identity expands from people to connected devices, identity and access management (IAM) tools are more essential than ever to protect access and prevent incursions.

As PwC stated in their survey, “authentication must be frictionless and intuitive for end users.”

Route443 can assist you by implementing conditional, context-based access, where having the password alone is not enough. Bringing the device into the context of authentication and authorization enables frictionless and intuitive authentication for your end users.

Adaptive Authentication

Another trend listed by PwC is the use of additional data points, such as a user’s login time and location, type of device and network, to identify suspicious behaviors and patterns and to make risk-based access decisions.

“Identity has been at the heart of most every breach in the past two years,” said Richard Kneeley, PwC US Managing Director, Cybersecurity and Privacy. “Many of these breaches have involved someone gaining access by using compromised identity, then changing their identity once inside the network to ratchet up access to data and systems by taking over a privileged account and in the process gaining unlimited access to the network, to systems and to data.”

Protecting the identity is the fundamental ground rule of our Identity Driven Security approach; Route443 is able to assess, guide and implement all required measures.
By blocking authentication attempts based on user location, network type or device, you can reduce the risks associated with anonymous networks, countries you don’t do business in, or exposure to out-of-date and risky devices.
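The risk-based decisions described above, as an added example that is not Route443’s code or any product’s logic: a small PowerShell function scores a sign-in on the signals the post names (login time, location, device, network) and returns Allow, RequireMFA or Block. The policy thresholds, the allowed-country list, the baseline OS build and the three sample sign-ins are all constructed for illustration.

```powershell
# Added example, not Route443's code: a toy risk-based access decision built
# from the signals the post lists (login time, location, device, network).
# Policy thresholds and the sample sign-ins below are constructed for illustration.

$Policy = @{
    AllowedCountries = @('NL', 'BE', 'DE')  # countries the business operates in (assumed)
    BusinessHours    = 7..20                # local hours treated as normal
    MinimumOsBuild   = 14393                # assumed baseline OS build
    StaleDeviceDays  = 30                   # no management check-in for this long = risky device
}

function Get-SignInRiskDecision {
    param([Parameter(Mandatory)][hashtable]$SignIn)

    $reasons = New-Object System.Collections.Generic.List[string]
    $score   = 0

    # Hard blocks: anonymous networks and countries the business does not operate in.
    if ($SignIn.NetworkType -eq 'Anonymous') {
        $reasons.Add('anonymous network (Tor / anonymising VPN)'); $score += 100
    }
    if ($Policy.AllowedCountries -notcontains $SignIn.Country) {
        $reasons.Add("country $($SignIn.Country) is not on the allowed list"); $score += 100
    }

    # Softer signals add up and push the decision to step-up authentication.
    if ($Policy.BusinessHours -notcontains $SignIn.LocalHour) {
        $reasons.Add("sign-in at $($SignIn.LocalHour):00 is outside business hours"); $score += 20
    }
    if (-not $SignIn.DeviceManaged) {
        $reasons.Add('device is not enrolled in management'); $score += 30
    }
    if ($SignIn.OsBuild -lt $Policy.MinimumOsBuild) {
        $reasons.Add("OS build $($SignIn.OsBuild) is below baseline $($Policy.MinimumOsBuild)"); $score += 30
    }
    if ($SignIn.DaysSinceDeviceCheckIn -gt $Policy.StaleDeviceDays) {
        $reasons.Add("device last checked in $($SignIn.DaysSinceDeviceCheckIn) days ago"); $score += 20
    }

    # Password alone is accepted only when nothing looks off; anything
    # suspicious requires a second factor, hard signals block outright.
    $decision = 'Allow'
    if ($score -ge 30)  { $decision = 'RequireMFA' }
    if ($score -ge 100) { $decision = 'Block' }

    [pscustomobject]@{
        User     = $SignIn.User
        Decision = $decision
        Score    = $score
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample sign-ins (not real data).
$SampleSignIns = @(
    @{ User = 'alice'; Country = 'NL'; NetworkType = 'Corporate'; LocalHour = 10; DeviceManaged = $true;  OsBuild = 15063; DaysSinceDeviceCheckIn = 1 }
    @{ User = 'bob';   Country = 'BE'; NetworkType = 'Home';      LocalHour = 23; DeviceManaged = $false; OsBuild = 15063; DaysSinceDeviceCheckIn = 2 }
    @{ User = 'carol'; Country = 'XX'; NetworkType = 'Anonymous'; LocalHour = 3;  DeviceManaged = $true;  OsBuild = 10240; DaysSinceDeviceCheckIn = 45 }
)

$SampleSignIns | ForEach-Object { Get-SignInRiskDecision -SignIn $_ } | Format-Table -AutoSize
```

The point of the scoring split is that the two hard signals (anonymous network, country outside the business footprint) are blocks on their own, while the softer device and time signals only raise the bar to a second factor, so a legitimate user on an unmanaged laptop late at night is challenged rather than locked out.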

Please stay tuned, and follow our website (www.route443.eu) and our blog (blog.route443.eu) to receive the latest information from us.


Transformation of the Desktop

For more than twenty years the Desktop PC has been the staple of enterprise computing, as the main productivity tool for knowledge workers. This dominance is being increasingly challenged as the modern workforce shifts to a more mobile experience, with modern operating systems reflecting this commoditized (read: BYOD) trend. Within this new generation of computing the traditional way of managing (thereby controlling) those devices will no longer apply or suffice. The reality is that as we see the desktop shifting toward a more mobile form, our traditional view of how we perceive infrastructure and security is fundamentally challenged. Not convinced? Stay tuned and we’ll delve into how we see this next generation computing mapping out.

Within the mobile world there’s a powerful and agile model of security and management called Enterprise Mobility Management (EMM). It contains three major management components: Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile Content Management (MCM).

…With Windows 10, Microsoft has re-architected the Windows operating system to adopt EMM…

Here’s why: With the rise of mobile computing, employees no longer use only a locked-down PC on the corporate network to do their jobs. Instead they use many different devices, some company-owned and some personally owned. These devices run a vast array of (mobile) apps and connect across networks that are outside of IT’s control. Legacy Windows client management tools (like Microsoft’s System Center Configuration Manager (SCCM)) are too inflexible for modern computing environments. They imply management of a client through installation of a complex system image on the PC, constrained by the boundaries of the organization. Solutions such as DirectAccess are last gasp entreaties to modernize the managed client in the conventional sense.

…The era of the domain-joined PC is coming to a close…

EMM moves the legacy PC paradigm from complex and hard-coded system image to context-based policy. With Windows 10, Microsoft is addressing the need for greater security and management flexibility in the enterprise. Yet, the Apple MacOS platform has been in this position for many years. From the start of the “mobile century”, the MacOS platform has been considered a mobile device next to the smartphones and tablets using the Android and iOS platform. So why is this development now taking momentum? Could it have something to do with the impressive number of 400 million Windows 10 devices already in the field? Clearly an operating system that is imposing itself on the market in such volume, while supporting much of the desired functionality organizations and their users are looking for, is going to have impact on the conversation.

Gartner retired the Magic Quadrant for Client Management Tools in March 2016…

The traditional Windows architecture offered a broad attack surface because both the file system and the operating system itself presented vectors. To counter the risk, IT had to install, as part of the image, additional security agents to monitor threats and remediate accordingly. Maintaining the integrity and security of data on the PC was a constant struggle. Likewise, this model required devices to join a Windows domain governed by policy (GPOs), or third-party management software, controlling what employees could or could not do on this PC. It assumed devices were corporate-owned, Windows-based, and connected to a persistent local area network (LAN).

For the most part, the modern enterprise, and the IT department in particular, no longer has the latitude to work this way. The demands of today’s employees, working on any device in a variety of environments (home, airports, coffee shops, hotels, etc.), mean the traditional approach can no longer support this work style. Mobile devices are not LAN-bound and are frequently owned by the employee, rather than the company. The blurring of business vs. personal use, and the way in which the focus shifts freely from device to application to data, means overlap is inevitable. Flexible use of devices becomes deeply embedded in many aspects of an employee’s personal and work life.

To address this new vista (no pun intended), Microsoft has re-architected Windows 10 to move beyond the legacy management systems and fully support EMM.

EMM solutions like Microsoft Intune are providing an efficient and flexible way to provision services to employees and secure business data on modern operating systems. The move to EMM represents a major change in how the desktop will be secured and managed moving forward.

…Our vision on this…

We believe that organizations need to start planning now for the moment where PCs are managed and secured like mobile devices, and desktop apps are developed and deployed like mobile apps. That’s a major upcoming shift within the technology landscape, enabling the transformation of the desktop.

In an upcoming blog post we’ll explain the technology behind EMM solutions, specifically the Microsoft Intune EMM solution, and will also provide you a sneak preview in the near future to help you make the right decisions.




DirectAccess with PointSharp ID

Microsoft DirectAccess continues to be a strong remote access solution in the on-premises space. On 27th July 2016, Richard Hicks, MVP in Cloud and Data Center Management and well-known DirectAccess expert, will be hosting a webinar with PointSharp to describe the combination of strong authentication using DirectAccess with PointSharp ID. You can enroll for this webinar here.

Meanwhile, if you can’t make the webinar, Route443 will demonstrate in this blog post how the two technologies can work together. PointSharp ID, for those not familiar, is a robust two-factor authentication (2FA) service that combines One-Time Passwords (OTP) and other alternate authentication mechanisms, for use in a wide variety of logon scenarios. Developed by PointSharp AB, a Swedish-based security company, it’s a flexible, low-cost, easy-to-use product that provides a comprehensive set of authentication and security features. In this post, we look at how DirectAccess and PointSharp ID can be used to strengthen the DA authentication process.


DA Client / Authentication   Kerberos Proxy   Machine Certificate   User OTP
Windows 7 Enterprise         -                X                     X (1)
Windows 8.x Enterprise       X                X                     X
Windows 10 Enterprise        X                X                     X

(1) Requires the DirectAccess Connectivity Assistant

Windows 8.x and later support a simplified access model using a Kerberos proxy. For OTP configurations, a Public Key Infrastructure (PKI) is mandatory: through an appropriately configured Active Directory Certificate Services (AD CS) certificate authority, DirectAccess acts as a certificate enrollment agent, providing successfully authenticated clients with “OTP” certificates as proof of their authentication.

While Windows 7 is supported for two-factor authentication, it requires the installation of a separate application, the DirectAccess Connectivity Assistant, to provide the necessary OTP capability. For expediency, we’ve limited this test setup to Windows 8.x and Windows 10 Enterprise, both with built-in support for 2FA in DirectAccess.

A reference document outlining what is required for this configuration can be found on Microsoft Technet here. Richard Hicks has also written an excellent post about DirectAccess with OTP.

Let’s take a peek at our basic test logon workflow.

[Diagram: DirectAccess with PointSharp ID logon workflow, steps (1) to (3)]

In this configuration Windows 8.1 / 10 Enterprise Client(s) are configured with machine certificates issued by an AD Enterprise Certificate Authority. DirectAccess relies on IPsec policies for authenticating and securing traffic from Internet-connected clients. In order to authenticate to domain resources, the client must first establish connectivity to DNS servers and Domain Controllers (DCs) through what we refer to as the Infrastructure Tunnel (1). Once authenticated successfully, the machine is available to reach management servers identified during the DA installation, for example SCCM server(s) to process software updates.

At this point, the user has not authenticated and from the Windows side bar (2), they need to press <CTRL><ALT><DEL>. The user has been issued with a soft token on their Smartphone by PointSharp ID. They reference this token (2a), input the time-based OTP (TOTP) on the logon screen and their credentials are sent to DA. As a RADIUS client, DirectAccess forwards (2a) the request to the PointSharp ID RADIUS server, where a user lookup in AD is performed (2b) and the OTP validated by PointSharp ID. Upon successful authentication, the DirectAccess server enrols a short-lived OTP certificate on behalf of the user (2c) and this certificate is then used by the DA client together with the machine certificate for authentication of the Intranet/User tunnel (3).

With the DirectAccess role installed, let’s have a look at some of the specifics of this configuration. Rather than cover the entire DA configuration, we’ll jump to the pertinent parts of a DA/PointSharp configuration. We begin midway through Step 1 of our DirectAccess server setup.


On the Select Groups option, we can determine which managed clients will receive the DirectAccess group policy (GPO). By default, the built-in Domain Computers group is enabled.

[Screenshot: Select Groups page, showing the warning for the “Enable DirectAccess for mobile computers only” checkbox]

As the above graphic and its warning illustrate, it’s not a good idea to uncheck the “Enable DirectAccess for mobile computers only” checkbox: the combination of Domain Computers and the cleared checkbox means all domain computers will receive this configuration.

It’s common for organizations to replace the default Domain Computers group with an AD security group to filter application of the DirectAccess group policy. Although this requires manual intervention (computers have to be added to the created group), it does add an additional level of control in determining which (computer) clients are allowed remote access.

Moving onto the Network Connectivity Assistant (NCA) screen, add an HTTP endpoint from your corporate network that the NCA can use to validate the connection.


In Step 2, we enable the two-factor authentication elements.


Before we leap ahead, let’s have a look at what’s being done to prepare the PointSharp ID server and AD Certificate Services.

PointSharp ID acts as a RADIUS Server for DirectAccess. This requires adding the DA server as a RADIUS client to the PointSharp configuration. A shared secret is used between the two to pair the RADIUS “trust”.


Once the RADIUS client is added, an authentication method can be created in PointSharp ID to support OTP logon through DirectAccess. In the example below, a specific listener is set up for DA. Since DirectAccess does not support challenge/response, the Password Type Stateless:OTP is used.

[Screenshot: PointSharp ID authentication method for DirectAccess, Password Type Stateless:OTP]

Our Certificate Authority (CA), a subordinate enterprise CA, is configured as per the documented requirements. Two templates have been created (Windows 8/2012 R2 compatibility level).


The first template is for the DirectAccess server acting as a registration authority, or in PKI parlance an Enrollment Agent. This template uses an Object Identifier (OID) specific to this task, 1.3.6.1.4.1.311.81.1.1: in the Application Policy, the original OIDs are removed and replaced with the DirectAccess OTP identifier.

NB: This template is a duplicate of a Computer template.


The DirectAccess computer account then needs to be given permission to auto-enroll on this template.


Also in this setup, the Default Domain Policy Group Policy Object (GPO) in Active Directory is providing the requisite auto-enrollment policy, so the DA server may request and receive certificates and updates.


Back in AD Certificate Services, the validity period is set to 2 days and the renewal period to 1 day. Certificate naming is based on the DNS name of the server, with the subject alternative name (SAN) also set to the DNS name.


The second template, DirectAccess PointSharp OTP Logon, is a duplicate of the Smart Card Logon template, with the Client Authentication OID removed from the Application Policy. This template has an issuance requirement specifying that the application policy of the RA template (1.3.6.1.4.1.311.81.1.1) must be present in the signature, in other words, signed by the DirectAccess server.


The validity period we set for this certificate is extremely short (1 hour). By default, certificate processing for each client would store a record of each certificate request and issued certificate in the CA database. With a relatively high volume of OTP certificate requests from a number of DA clients, this could significantly increase the CA database size over time. Given how short-lived the certificate is, it doesn’t make much sense to store it in the Certificate Services database. Accordingly, we enable non-persistent certificate processing on the CA by running:

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

Certificate Services then needs to be restarted. Similarly, the DA OTP template also needs to be configured not to persist certificates/requests to the database. This is done by checking the “Do not store certificates…” checkbox.
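The CA-side change end to end, as an added example rather than a procedure from the post: run in an elevated PowerShell session on the issuing CA, it records the current DBFlags value, adds the volatile-requests flag with the certutil command above, restarts Certificate Services and checks that the flag is now reported. The check assumes that certutil -getreg decodes the DBFlags bits into their symbolic names, as it does for other flag-type registry values; if it prints only a number, compare it with the value recorded before the change.

```powershell
# Added example, not from the post: enable non-persistent (volatile) request
# processing on the issuing CA and confirm it took effect. Run in an elevated
# PowerShell session on the CA that hosts the OTP templates.

# 1. Record the current DBFlags value before changing anything.
'DBFlags before:'
certutil -getreg DBFlags

# 2. Add the flag; OTP certificate requests and the issued certificates are
#    then no longer written to the CA database.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

# 3. The value is read when the service starts, so restart Certificate
#    Services and wait until it is back.
Restart-Service -Name CertSvc
(Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# 4. Confirm the flag is reported. Assumption: certutil -getreg decodes
#    DBFlags into symbolic names; if it prints only a number, compare with step 1.
$after = certutil -getreg DBFlags
if ($after | Select-String -Quiet -Pattern 'DBFLAGS_ENABLEVOLATILEREQUESTS') {
    'DBFLAGS_ENABLEVOLATILEREQUESTS is set'
} else {
    Write-Warning 'Flag name not found in output; inspect the value manually:'
    $after
}
```

The template-side checkbox (“Do not store certificates…”) is a separate setting on the OTP template and is not touched by this script; without it, the CA flag alone does not stop the OTP requests from being recorded.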


Back on the DirectAccess server, the PointSharp ID server information (OTP RADIUS Server) needs to be filled in, together with the shared secret and the authentication port to be used.


The Certificate Authority hosting the OTP template(s) then needs to be identified to the DirectAccess Server configuration.


The templates created earlier are then viewable.


If there are any accounts that are exempt from two-factor authentication, these should be added here.


In Step 3 of the configuration wizard, make sure to add the FQDN of the enterprise CA as a management server.


Once the DirectAccess server configuration is complete, GPOs created etc., the relevant clients (members of the specified security group) will receive their DA configuration on reboot.

Testing from the Internet, the Infrastructure (computer) tunnel is negotiated during client startup. This aspect of the configuration remains unchanged from a base DA setup. It’s the User (Intranet) tunnel that requires further interaction once the user has logged in to Windows.

From a Windows 8.1 client, click on the Networking icon in the system tray.


We are informed that the connection requires additional attention.


Clicking on Continue, the user is prompted to press <CTRL><ALT><DEL> to enter additional credentials.


This can be either a smart card, a virtual smart card or (in this case) a One-Time Password (OTP).


Clicking on One-time password (OTP) shifts the login focus to entering the OTP credential.


Referencing the smartphone, we enter the PointSharp One-Time Password (OTP). Since PointSharp ID supports OATH tokens, we’re pretty much free to choose which type of authenticator client we wish to use on our smartphone. In this instance we are using the Microsoft Authenticator app on Windows Phone.


In another setup using Google Authenticator, we’ve enrolled an iPhone 6 for OTP integration.


Once credentials have been entered at logon, they are sent to the DA server, which as a RADIUS client forwards them to the PointSharp RADIUS server for authentication. If the OTP is valid, an authentication successful event is generated.


An OTP Certificate is issued to the client, via the DA Enrollment Agent and Enterprise CA, and the second User (Intranet) tunnel is established.


For Windows 10 clients, the behavior is similar, albeit with some slightly nuanced user interface changes. Again, clicking on the Network icon will take us to the network summary screen.


Click on the Action needed icon.


The user is taken to the Network & Internet settings section.


Click again in the Action needed area.


Click on the Continue button and the user is prompted to press <CTRL><ALT><DEL> to enter their credentials.


Under Windows 10, we’re directly asked to enter our One-Time Password (OTP) credentials. We enter the OTP from the smartphone.


And the connection is established.


From our Windows 10 client, we can then use PowerShell to check our connection using the Get-DAConnectionStatus cmdlet.
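Client-side verification of the result, as an added example that is not part of the post: run in an elevated PowerShell session on the Windows 8.1/10 client after the user tunnel has come up, it reports the DirectAccess status, looks for the short-lived OTP logon certificate, lists the machine certificate and shows the IPsec main mode security associations. The assumption that the OTP certificate is the only certificate in the user’s Personal store with a lifetime of about an hour is ours; the status and substatus values are whatever the Network Connectivity Assistant reports.

```powershell
# Added example, not part of the original post: verify a DirectAccess OTP
# logon from the Windows 8.1/10 client side. Run in an elevated PowerShell
# session on the DA client after the user tunnel has been established.

# 1. DirectAccess state as the Network Connectivity Assistant reports it.
$da = Get-DAConnectionStatus
"DirectAccess status: $($da.Status) / $($da.Substatus)"
if ($da.Status -eq 'ActionRequired') {
    Write-Warning 'The user tunnel still needs credentials; complete the OTP logon first.'
}

# 2. The short-lived OTP logon certificate enrolled through the DA server.
#    Assumption: it sits in the user's Personal store and is the only
#    certificate there with a lifetime of about one hour (the template
#    validity used in the post).
$otpCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { ($_.NotAfter - $_.NotBefore).TotalHours -le 2 } |
    Sort-Object -Property NotBefore -Descending |
    Select-Object -First 1

if ($otpCert) {
    "OTP certificate : $($otpCert.Subject)"
    "Issued by       : $($otpCert.Issuer)"
    "Valid           : $($otpCert.NotBefore) -> $($otpCert.NotAfter)"
    # The Enhanced Key Usage shows which application policies the template left in.
    $eku = $otpCert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Enhanced Key Usage' }
    if ($eku) { "EKU             : $($eku.Format($false))" }
} else {
    Write-Warning 'No short-lived certificate in Cert:\CurrentUser\My; OTP enrollment may not have happened yet.'
}

# 3. The machine certificate the infrastructure tunnel authenticates with.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object -Property Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 4. IPsec main mode SAs: expect one per tunnel once both are up. The first
#    identity is the machine, the second identity (user tunnel only) the user.
Get-NetIPsecMainModeSA |
    Select-Object -Property LocalEndpoint, RemoteEndpoint, LocalFirstId, LocalSecondId |
    Format-Table -AutoSize
```

If step 1 shows the tunnel as connected but step 2 finds no short-lived certificate, the user tunnel authenticated with something other than OTP (for example an account on the exemption list from Step 2 of the wizard), which is worth checking before treating the rollout as complete.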

Notes

If you’re building this environment from scratch, ensure that basic DirectAccess connectivity is working before proceeding with building in two-factor authentication: check that the DA server is fully operational, that clients are auto-enrolled with a computer certificate, that both tunnels are starting, etc. Similarly, we recommend building out your PointSharp ID configuration before beginning integration with DA.

If you’d like to know more on implementing DirectAccess or similar technologies, please contact us. We’ll be happy to assist.