Windows 7 Security – Microsoft DirectAccess

Following my earlier examination of Windows 7 security, I have decided to create a series of blog entries detailing the security features of Windows 7 (and Windows Server 2008 R2) and what implications they have for the enterprise.

Today I am going to highlight the features of Microsoft DirectAccess, a VPN-like tunneling feature that is new in Windows 7 and Windows Server 2008 R2.

Essentially, DirectAccess is an always-on enterprise VPN technology that requires no user intervention, is more compatible with firewalls and NAT, and allows remote management of PCs and laptops that have no user logged on but do have an Internet connection available.

In order to implement DirectAccess, Microsoft requires the use of IPv6 both on your intranet, and on the workstation. This will turn off many administrators and organizations, as few administrators today have knowledge of IPv6 and almost none have it deployed within their infrastructure.

Microsoft’s technical overview recommends using 6to4 or Teredo for clients that are using IPv4 addresses (all of them?), adding overhead and complexity for administrators to support.

Once you are able to establish a connection from your computer to the enterprise network, the computer is able to communicate with IPv6-enabled corporate resources. Oh wait, you don’t have any? This requires you to deploy yet another server (referred to as NAT-PT) on your network to translate between your IPv6 endpoints and IPv4-only intranet assets. This is a very complex arrangement, and, as I am fond of saying, complexity is the enemy of security.


One benefit of this technology is that it will seamlessly connect users without requiring them to click on anything to open a VPN connection. To a large degree this will increase both the ease and the security of accessing corporate resources. It will also allow administrators to ensure group policies are applied to company computers while they are on the Internet, and to deploy anti-virus updates, etc., without the user having to log in and open their VPN. Microsoft uses strong computer and domain-based certificates to ensure the integrity of this automatic process.

One drawback might be users leaving WiFi enabled and laptops powered on when not in use. A laptop that stays on and connected is a laptop whose disks are already unlocked, which defeats much of the protection offered by technologies like Sophos Security and Data Protection and Microsoft’s own BitLocker.

Looking back to the days of Microsoft’s original VPN effort, PPTP, we see they still don’t always take security seriously.

PPTP was a split-tunnel style VPN, meaning that users only accessed company resources through the protected tunnel and could surf the Internet directly through their unsecured WiFi or other Internet connection.

Microsoft has chosen this to be the default method of using DirectAccess as well, continuing a tradition of insecure default settings. They proclaim it to be for performance reasons, which has a degree of truth to it, but the risk of allowing endpoints to communicate directly with their home LANs, the Internet, and unsecured public WiFi access points negates any minor performance gain.

The majority of attacks against computers arrive over the web, so leaving a workstation open to the web while it is accessing sensitive corporate data is counter-intuitive.

In conclusion, I am quite excited by the possibilities this technology offers for the ease of access and the security of enterprise data and applications. Deployment, though, requires careful thought about how it should be configured, what enabling it means for security, and most of all how you will migrate to Windows 7, Windows Server 2008 R2 and IPv6.

* Image source: Bfishadow’s Flickr photostream (Creative Commons)