DirectAccess means 'always on' in Windows Server 2008 R2

Microsoft's new DirectAccess feature has the potential to change the way admins manage remote computers. But is it really secure?

Put simply, DirectAccess in Windows Server 2008 R2 is a consultant's dream.

Integrating the stratospherically-challenging technologies of IPsec with IPv6 and its Teredo, 6to4, and new IP-HTTPS protocols, DirectAccess looks like one technology that all but the most determined administrators will scratch their heads over and potentially take a pass. Add in a dose of optional-but-highly-suggested Network Access Protection (NAP) with some entirely new DNS server features, and you'll find yourself wading through enough acronyms to make your head spin.

More on Windows Server 2008 R2

File classification the automated way with Windows Server 2008 R2

Hyper-V gains new resiliency features with Windows Server 2008 R2

Terminal Services grows up with Windows Server 2008 R2

It's not that DirectAccess isn't a fantastically useful technology. In fact, it's quite the opposite. DirectAccess effectively enables you to stretch the boundary of your internal Windows domain to everywhere on the Internet. The functional result is that your company's laptops will be able to seamlessly interact with your internal domain services, such as applications, email and file and update services. Using DirectAccess, your laptops in coffee shops, airports and hotels will be able to simultaneously surf the Internet through their local provider while working with applications at the home office, all through the same network connection.

Does that idea give you the heebie-jeebies? From a network security perspective, it probably does. But that's exactly why Microsoft's DirectAccess requires so many security acronyms in place for it to work. It's also why most IT organizations who want this seamless access may consider outsourcing its implementation to the experts in order to get it right on the first go.

The use case for DirectAccess

With all the scary talk behind us, let me back down a bit and talk about how DirectAccess can dramatically change your business. Consider for a minute how the world of work has changed over just a few short years. More people are working outside the traditional brick-and-mortar office, as remote users often work from home or directly in the offices of partner companies. Others must travel frequently to interface with business partners and clients.

The traditional remote access approach for these types of workers involves some kind of VPN service at the edge of your internal network. This can be an IPsec-based VPN that requires a VPN client to be installed to the laptop. Or it might be an SSL-based VPN that commonly uses a Web-based front end a la Microsoft's Remote Desktop Services or Citrix's XenApp.

Businesses everywhere have chosen one of these solutions as their path of choice, yet both require a significant amount of end user hassle. With IPsec-based VPNs (such as the Cisco VPN Client), connecting to your home office means you've created little more than a network route. Now, as a node on the LAN, your next job is to find and connect to the resources you need, such as file shares or email servers. This usually involves some element of education for your users to help them recreate drive mappings or locate their needed resources. Using the VPN client software is also challenging for users that aren't all that technically savvy.

This forces the question, 'What if I want to access my company applications on my laptop in the airport, but in the exact same way I would if I were sitting at my desk?'
,

SSL-based VPNs, such as those that integrate with Remote Desktop Services or XenApp, make things easier by directing users to a publicly-accessible Web page or some other construct for application access. Rather than just getting a network connection, authenticated users are presented with a list of applications or desktops, that they can click to launch remotely. The added burden here is in managing the hosted desktops and applications that are required by remote users.

Both of these solutions, however, suffer from a problem: They require users to undergo a series of additional steps to get to corporate applications. Neither is fully "seamless" in how they present application access to users.

This forces the question, "What if I want to access my company applications on my laptop in the airport, but in the exact same way I would if I were sitting at my desk?"

This solution is DirectAccess.

What you need and what you get

What makes DirectAccess particularly unique is its ubiquity. Most organizations that leverage IPsec-based VPNs configure the solution to disable what is generically called split tunneling. This causes all other external connections to be severed at the very moment a client is connected to the VPN server and means that a user in a hotel has the choice of connecting to either the office or "everything else on the Internet."

Split tunneling is usually disabled because of the obvious security concerns associated with having a laptop in a known-insecure network (the hotel) connecting directly to a known-secure network (the office). In this case, any attack that compromises the laptop immediately enjoys a shortcut path around your network's hardened perimeter security and into its soft and squishy insides.

Microsoft's approach with DirectAccess flies directly in the face of the anti-split-tunneling crowd because by nature it's an always-on solution. Once your DirectAccess infrastructure is in place, your laptops are always connected to your local LAN and the Internet. In other words, find a publicly-accessible access point and BAM -- everything's available.

That means your corporate applications are always available in the same way, whether you're directly connected to the internal LAN or if you head out for a cup of coffee or home for the night. Connect the laptop, and it's the same experience everywhere. For DirectAccess, this architecture is its great power as well as the source of its fundamental scariness for those who are paid to think about security.

Obviously Microsoft wouldn't even consider a solution like this if it weren't secured to the hilt. If you're to implement its technologies, you'll also be implementing a host of supporting security structures that validate every laptop's identity (authentication), the security of its data transfer (encryption) and the assurance that its configuration is uncompromised (enforcement, via Network Access Protection).

IPv6 is a further requirement because it provides the necessary end-to-end addressing no matter where the laptop resides. Microsoft knows that virtually every environment hasn't yet moved to IPv6, and the Internet itself is far from ever fully supporting it. Therefore, IPv6-to-IPv4 translation protocols, such as Teredo, 6to4 and ISATAP, are supported.

Finally, since most LAN-based applications are usually resolved via short names – server1 versus server1.contoso.com, for example – specially-secured and externally-accessible DNS servers must be available and addressable to provide short-name resolution for clients on the Internet.

An optional but highly-suggested add-on technology for this architecture is Network Access Protection. Using NAP, the administrator sets policies to assure that the only clients who get network access are those who are fully patched with current anti-malware and antivirus signature, and the right firewall settings. While technically considered optional, the always-on approach makes NAP's additional infrastructure a veritable requirement for DirectAccess, as you don't want your external clients contracting Internet-based diseases and propagating them into your internal LAN.

Always on -- at a price

Technically speaking, implementing a technology like DirectAccess involves zero added cost, as all the necessary pieces are built right into your existing Windows operating systems. At the time of this writing, clients must be running Windows 7 to use DirectAccess, and the server running the DirectAccess role has to be Windows Server 2008 R2. Microsoft has provided no information suggesting that it will back-port the client pieces to earlier versions of the operating system.

Your price will go toward the manpower expenses involved with getting this architecture up and operational, which is why I described it earlier as "a consultant's dream." Yet the power of DirectAccess and what it can do for your mobile workforce is downright earth-shattering. It's patently cool that the same instance of Outlook, Microsoft Dynamics or even your home-grown client/server applications will work no matter where your laptops connect.

It also fundamentally changes the game in terms of the agility in which your business can operate, completely removing the walls from the traditional brick-and-mortar office.

Unfortunately, Microsoft's most difficult job here is convincing the corporate security types that this fundamental shift in access is a solution that's wholly securable.

Next: BranchCache makes branch offices feel like home

ABOUT THE AUTHOR
Greg Shields, Microsoft MVP, is a partner at Concentrated Technology. Get more of Greg's Jack-of-all-Trades tips and tricks at www.ConcentratedTech.com.

This was first published in July 2009

Dig deeper on Windows Server and Network Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close