Is DirectAccess a threat to Windows security?

DirectAccess -- a new Windows Server 2008 R2 and Windows 7 technology -- seamlessly connects users to their corporate networks from any location.

Users can access applications, files, etc. in the same way they would if they were at the actual corporate campus. The feature eliminates the substandard resources and kludgy workarounds remote users have been dealing with for years.

Still, while DirectAccess may be a consultant's dream, there are definitely some security concerns surrounding it. Here are four common questions regarding security and DirectAccess for Windows Server 2008 R2.

1. How secure is the core of DirectAccess?

DirectAccess uses well-understood and highly secure technologies and protocols like IPsec and the newer IPv6. IPsec is used to authenticate both the computer and the user, which reduces the possibility of man-in-the-middle attacks -- or other holes that take advantage of a compromised identity -- to nearly zero.

This protocol also allows centralized IT departments to set computer policies before users log on, while providing encryption for Internet transmissions through Advanced Encryption Standard (AES) and other encryption mechanisms. Furthermore, with IPsec, certificate-based authentication can be enabled with smart cards and other in-hand devices.

2. What is the biggest liability with DirectAccess?

Setting up DirectAccess can be very difficult as the deployment uses many features layered together with dependencies. Solutions like Forefront Unified Access Gateway (UAG) help ease the pain of deployment and user access, though many companies would still benefit from outsourcing most of the job to third-party firms or their Internet service providers. Remember that any technology is only as secure as the installation, so this is not the area to scrimp and save.

3. What types of policies should I consider implementing -- or modifying -- after deploying DirectAccess?

You will likely take one of the following two angles with your DirectAccess deployment:

  • Upgrade and update computers for mobile workers, specifically those who travel to and from the corporate office, but are primarily stationed on the premises.
  • Allow access to workers who permanently work away from the office.

There are many pitfalls and potential obstacles involved with adding previously unmanaged computers to a clean network, so it's important to be careful with this step. Before your DirectAccess deployment is complete, you will need to look at several policies such as hardware and software refreshes, endpoint security, password/authentication and expected support.

4. Overall, is DirectAccess a convenience tool or a way to manage a more secure enterprise?

DirectAccess is a security tool masked as a user convenience tool -- a sort of duality that rarely exists since the concepts are usually mutually exclusive.

Making it seamless for workers to be on your corporate network gives you a much greater chance to manage any system, whether it be patching, maintaining security policies or pushing out updates and upgrades. Disconnected machines are a ticking time bomb, so the ability to touch users and computers, regardless of their location, is a huge benefit to overall network security.

Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS, Learning Windows Server 2003, Hardening Windows and most recently Windows Vista: Beyond the Manual.

This was first published in March 2010
