DirectAccess -- a new Windows Server 2008 R2 and Windows 7 technology -- seamlessly connects users to their corporate
networks from any location.
Users can access applications, files, etc. in the same way they would if they were at the actual corporate campus. The feature eliminates the substandard resources and kludgy workarounds remote users have been dealing with for years.
Still, while DirectAccess may be a consultant's dream, there are definitely some security concerns surrounding it. Here are four common questions regarding security and DirectAccess for Windows Server 2008 R2.
1. How secure is the core of DirectAccess?
DirectAccess uses well-understood and highly-secure technologies and protocols like IPsec and the newer IPv6. IPsec is used to authenticate the computer and user, which reduces the possibility of man-in-the-middle attacks -- or other holes that take advantage of compromised identity -- to nearly zero.
This protocol also allows centralized IT departments to set computer policies before users log on, while providing encryption for Internet transmissions through Advanced Encryption Standard (AES) and other encryption mechanisms. Furthermore, with IPsec, certificate-based authentication can be enabled with smart cards and other in-hand devices.
2. What is the biggest liability with DirectAccess?
Setting up DirectAccess can be very difficult as the deployment uses many features layered together with dependencies. Solutions like Forefront Unified Access Gateway (UAG) help ease the pain of deployment and user access, though many companies would still benefit from outsourcing most of the job to third-party firms or their Internet service providers. Remember that any technology is only as secure as the installation, so this is not the area to scrimp and save.
3. What types of policies should I consider implementing -- or modifying -- after deploying DirectAccess?
You will likely take one of the following two angles with your DirectAccess deployment:
- Upgrade and update computers for mobile workers, specifically those who travel to and from the corporate office, but are primarily stationed on the premises.
- Allow access to workers who permanently work away from the office.
There are many pitfalls and potential obstacles involved with adding previously unmanaged computers to a clean network, so it's important to be careful with this step. Before your DirectAccess deployment is complete, you will need to look at several policies such as hardware and software refreshes, endpoint security, password/authentication and expected support.
4. Overall, is DirectAccess a convenience tool or a way to manage a more secure enterprise?
DirectAccess is a security tool masked as a user convenience tool -- a sort of duality that rarely exists since the concepts are usually mutually exclusive.
Making it seamless for workers to be on your corporate network gives you a much greater chance to manage any system, whether it be patching, maintaining security policies or pushing out updates and upgrades. Disconnected machines are a ticking time bomb, so the ability to touch users and computers, regardless of their location, is a huge benefit to overall network security.
ABOUT THE AUTHOR
Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS, Learning Windows Server 2003, Hardening Windows and most recently Windows Vista: Beyond the Manual.