VPN Client Security

David

I'm interested in client security from the VPN.

For example if a VPN is established on a client (say either via a DLL or
Microsoft VPN), how does the client configure their machine to keep the
server side from using the VPN to browse or copy files from the client
machine?

Thanks
David
 
Dan

VPN is very tricky and the computers on your end must be properly configured
and tightened down all with custom settings. I would suggest a special brand
of varying computers to be given to clients that have automatic updates
locked. The clients must know these are the company's computers and if taken
off campus then the client is fully responsible for the computer. The
computer must not have any special and/or confidential information and should
be used only as needed. VPN is too easy to hack if a system admin. leaves
settings too weak and not properly configured. I hope never to have to use
VPN again because it sucks when the business does not have the proper
settings and they are hacked and you are hacked and you lose your identity as
well as your clients who happen to be 1st grade students. Just my 2 cents
and please forgive the rant but it felt good. <smile>

"David" wrote:

> I'm interested in client security from the VPN.
>
> For example if a VPN is established on a client (say either via a DLL or
> Microsoft VPN), how does the client configure their machine to keep the
> server side from using the VPN to browse or copy files from the client
> machine?
>
> Thanks
> David
>
>
>
 
Paul Adare - MVP

On Fri, 29 Aug 2008 10:52:01 -0700, Dan wrote:

> VPN is very tricky and the computers on your end must be properly configured
> and tightened down all with custom settings.


What does this mean exactly?

> I would suggest a special brand
> of varying computers to be given to clients


What exactly is a "special brand of varying computers"? That makes
absolutely no sense at all.

> that have automatic updates
> locked.


Again, what does that mean?

> The clients must know these are the company's computers and if taken
> off campus then the client is fully responsible for the computer. The
> computer must not have any special and/or confidential information and should
> be used only as needed.


You don't live in the real world Dan. I have customers with 10's of
thousands of road warriors who use secure VPNs every day, both with
corporate computers and home computers.

> VPN is too easy to hack if a system admin. leaves
> settings too weak and not properly configured.


Anything is easy to hack if it is not properly configured. This statement
does nothing at all to help anyone.

> I hope never to have to use
> VPN again because it sucks when the business does not have the proper
> settings and they are hacked and you are hacked and you lose your identity as
> well as your clients who happen to be 1st grade students. Just my 2 cents
> and please forgive the rant but it felt good. <smile>


More weird nonsensical ramblings.
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Computer programmers do it byte by byte.
 
David

Glad you got that off your chest -- but doesn't answer my question.

My interest lies on the client side Not the server side.
I've been trying for some time to get an answer to "How" or "If" the client
can protect themselves from the server side.

For example if as a client you are provided a DLL or VPN to link to a
specific server, what keeps someone from the server side from using the DLL
or VPN to view or manipulate the client system????





"Dan" <Dan@discussions.microsoft.com> wrote in message
news:6B2A184A-2DF2-4215-87F9-421D30EABA2B@microsoft.com...
> VPN is very tricky and the computers on your end must be properly
> configured
> and tightened down all with custom settings. I would suggest a special
> brand
> of varying computers to be given to clients that have automatic updates
> locked. The clients must know these are the company's computers and if
> taken
> off campus then the client is fully responsible for the computer. The
> computer must not have any special and/or confidential information and
> should
> be used only as needed. VPN is too easy to hack if a system admin. leaves
> settings too weak and not properly configured. I hope never to have to
> use
> VPN again because it sucks when the business does not have the proper
> settings and they are hacked and you are hacked and you lose your identity
> as
> well as your clients who happen to be 1st grade students. Just my 2 cents
> and please forgive the rant but it felt good. <smile>
>
> "David" wrote:
>
>> I'm interested in client security from the VPN.
>>
>> For example if a VPN is established on a client (say either via a DLL or
>> Microsoft VPN), how does the client configure their machine to keep the
>> server side from using the VPN to browse or copy files from the client
>> machine?
>>
>> Thanks
>> David
>>
>>
>>
 
Paul Adare - MVP

On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:

> For example if as a client you are provided a DLL or VPN to link to a
> specific server, what keeps someone from the server side from using the DLL
> or VPN to view or manipulate the client system????


That isn't a client side setting, it is a server side setting. How it gets
set depends entirely on the VPN device in question.
Configuring security on the client side can mitigate this "issue". How you
go about that depends on the OS being used on the client. Whether or not it
is really an issue depends to a large degree on who owns the client
computer and whose VPN you're connecting to. If you're using a corporate
owned computer to access the corporation's VPN server then you really don't
have any expectation of privacy.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
This screen intentionally left blank.
 
Steve Riley [MSFT]

Think of the VPN'ed client as being a full member of the remote network it
connected to. Clients locally-attached to that network can be accessed by
anything on that network. That's why I'm a big fan of using the Windows
firewall even on LANs. VPN clients are no different, really. Anything on the
remote network can connect to the VPN'ed client -- so proper client-side
security remains essential.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Paul Adare - MVP" <pkadare@gmail.com> wrote in message
news:1uwrwvyzt2w$.kgppzhqfsozo.dlg@40tude.net...
> On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:
>
>> For example if as a client you are provided a DLL or VPN to link to a
>> specific server, what keeps someone from the server side from using the
>> DLL
>> or VPN to view or manipulate the client system????
>
> That isn't a client side setting, it is a server side setting. How it gets
> set depends entirely on the VPN device in question.
> Configuring security on the client side can mitigate this "issue". How you
> go about that depends on the OS being used on the client. Whether or not
> it
> is really an issue depends to a large degree on who owns the client
> computer and whose VPN you're connecting to. If you're using a corporate
> owned computer to access the corporation's VPN server then you really
> don't
> have any expectation of privacy.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> This screen intentionally left blank.
 
David

From responses it appears I'm either misunderstanding the response OR not
properly phrasing my question.

If I am an independent client (not affiliated with or an employee of the company
that owns the server), and provided a DLL or VPN setup by a company to
access their server, how do I (as the client) protect myself under Windows
XP Pro from someone on the server side gaining access to my computer
(client) directories -- in other words, can I keep them within their own
directory or user account -- details please on how to set up?





"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:7C09F566-6BC0-4C2C-AB3E-9A82E97F0654@microsoft.com...
> Think of the VPN'ed client as being a full member of the remote network it
> connected to. Clients locally-attached to that network can be accessed by
> anything on that network. That's why I'm a big fan of using the Windows
> firewall even on LANs. VPN clients are no different, really. Anything on
> the remote network can connect to the VPN'ed client -- so proper
> client-side security remains essential.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Paul Adare - MVP" <pkadare@gmail.com> wrote in message
> news:1uwrwvyzt2w$.kgppzhqfsozo.dlg@40tude.net...
>> On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:
>>
>>> For example if as a client you are provided a DLL or VPN to link to a
>>> specific server, what keeps someone from the server side from using the
>>> DLL
>>> or VPN to view or manipulate the client system????
>>
>> That isn't a client side setting, it is a server side setting. How it
>> gets
>> set depends entirely on the VPN device in question.
>> Configuring security on the client side can mitigate this "issue". How
>> you
>> go about that depends on the OS being used on the client. Whether or not
>> it
>> is really an issue depends to a large degree on who owns the client
>> computer and whose VPN you're connecting to. If you're using a corporate
>> owned computer to access the corporation's VPN server then you really
>> don't
>> have any expectation of privacy.
>>
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> This screen intentionally left blank.
>
 
Shenan Stanley

David wrote:
> From responses it appears I'm either misunderstanding the response
> OR not properly phrasing my question.
>
> If I am an independent client (not affiliated with or an employee of the
> company that owns the server), and provided a DLL or VPN setup by
> a company to access their server, how do I (as the client) protect
> myself under Windows XP Pro from someone on the server side gaining
> access to my computer (client) directories -- In other words can
> I keep them within their own directory or user account -- details
> please on how to set up?


If they setup your computer - and did it so you do not have administrative
rights and it is technically theirs - you are probably between a rock and a
hard place.

If it is your computer (or a computer provided by another company) and you
are an administrator - put anything you don't want them accessing in some
encrypted format (using Windows EFS or TrueCrypt or something else.)

Basically - what you seem to be asking has nothing to do with VPN in
particular - as you would have the same issue if using their wireless, their
wired networking, etc... You should secure your computer with file/folder
permissions and a Software Firewall if you will be using it on other
people's networks. Just connecting to another network (VPN or otherwise)
does not change your security settings or how they work. Your software
firewall should keep them from accessing your computer. Your file and
folder permissions are still in effect. Any other protection you have
(antivirus, antispyware, intrusion detection, etc) all still work the same.

If you are setup to stay protected - connecting to a VPN should just add to
that and encrypt the data you send/receive over said VPN connection. It
does not (or should not) eliminate or bypass your other protections.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
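The advice in Steve Riley's and Shenan Stanley's replies (the VPN client is just another host on the remote network, so keep the host firewall on and rely on file/folder permissions, with EFS for anything sensitive) as a worked script. This is an added example, not code from anyone in the thread. It assumes a Windows Vista-or-later client run from an elevated PowerShell session (the XP Pro machine David names drives its firewall with the older `netsh firewall` syntax instead); the folder path, the account name and the function names (`Show-Exposure`, `Set-HostFirewall`, `Protect-Folder`, `Test-FolderLockedDown`) are all placeholders chosen for this example.

```powershell
# Added example, not code from the thread. Client-side lockdown for a Windows
# machine that will join someone else's network over VPN: host firewall on with
# inbound blocked, file and printer sharing off, and one private folder whose
# NTFS ACL admits only the local owner (plus SYSTEM), optionally EFS-encrypted.
# Assumptions: Windows Vista or later (netsh advfirewall, Get-Acl/Set-Acl) and an
# elevated PowerShell session. $PrivateFolder and $Owner are placeholders.
param(
    [string]$PrivateFolder = 'C:\Private',                      # placeholder path
    [string]$Owner         = "$env:COMPUTERNAME\$env:USERNAME", # the only user allowed in
    [switch]$Encrypt                                            # also run cipher /e (EFS)
)

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
}

# What would a peer on the remote network see once the tunnel is up? Every
# share listed here is reachable from that network unless the firewall blocks it.
function Show-Exposure {
    Write-Host '== Shares on this machine =='
    Get-WmiObject -Class Win32_Share | Select-Object Name, Path, Description | Format-Table -AutoSize
    Write-Host '== Firewall state per profile =='
    netsh advfirewall show allprofiles state
}

# Host firewall: on for every profile, default inbound = block, and the
# File and Printer Sharing rule group disabled so SMB/NetBIOS connections are
# not accepted from the VPN peer or from anyone else on that network.
function Set-HostFirewall {
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null
}

# NTFS permissions on the private folder: drop inheritance, purge every explicit
# entry, then grant FullControl to the owner and SYSTEM only. Inheritable entries
# propagate to whatever is already inside the folder.
function Protect-Folder {
    param([string]$Path, [string]$Account)
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protected DACL; inherited ACEs discarded
    foreach ($ace in @($acl.Access)) { $acl.PurgeAccessRules($ace.IdentityReference) }
    $inherit = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($who in @($Account, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Verification: true only when the DACL is protected and nothing but the owner
# and SYSTEM has an entry on the folder.
function Test-FolderLockedDown {
    param([string]$Path, [string]$Account)
    $allowed = @($Account, 'NT AUTHORITY\SYSTEM') | ForEach-Object { $_.ToLowerInvariant() }
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) { return $false }
    foreach ($ace in $acl.Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value.ToLowerInvariant()) { return $false }
    }
    return $true
}

Assert-Elevated
Show-Exposure                      # the "before" picture, shares and firewall state
Set-HostFirewall
Protect-Folder -Path $PrivateFolder -Account $Owner
if ($Encrypt) { cipher /e "/s:$PrivateFolder" | Out-Null }   # EFS; key lives in the owner's profile
if (Test-FolderLockedDown -Path $PrivateFolder -Account $Owner) {
    Write-Host "$PrivateFolder now grants access only to $Owner and SYSTEM."
} else {
    Write-Warning "$PrivateFolder still has entries for other principals; inspect with: icacls $PrivateFolder"
}
```

The firewall change is machine-wide, so run `Show-Exposure` first and keep its output; the ACL change touches only the placeholder folder. `Test-FolderLockedDown` is the check to rerun after any later change, since connecting to a network, VPN or otherwise, does not alter these settings but a later software install might.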
 
Anteaus

I don't see how this situation differs from the client being directly
connected to the server. If the client has unsecured shares, or unsecured
remote-registry access, this is the problem, not VPN.

The key security issue (as I see it) with MS VPN is the very heavy reliance
it places on user-passwords to keep intruders out. I would be inclined to
supplement that with a requirement for fixed IP addresses on all clients, and
a suitable set of firewall rules on the server or gateway which will
lock-down access from unauthorised locations.

If you need true roaming access, then I would think in terms of secure
tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
key instead of, or as well as, a user password.

"David" wrote:

> I'm interested in client security from the VPN.
>
> For example if a VPN is established on a client (say either via a DLL or
> Microsoft VPN), how does the client configure their machine to keep the
> server side from using the VPN to browse or copy files from the client
> machine?
 
Dan

So using a multi-layered security and safety approach is good. BTW, why do
we still only use 128 bit cipher strength so frequently and why not upgrade
the entire industry to start using 168 bit cipher strength as a new bare
minimum. One thing I do like about Windows Live One Care is the ability to
customize what you let in and out of your computer with the firewall by
allowing or blocking it. In addition, shouldn't all company networks have
the sort of firewall that Zone Alarm Professional reporting has so at least
the company can try to figure out where the port scan is coming from even if
the port scan is being hidden through numerous points throughout the world

"Anteaus" wrote:

> I don't see how this situation differs from the client being directly
> connected to the server. If the client has unsecured shares, or unsecured
> remote-registry access, this is the problem, not VPN.
>
> The key security issue (as I see it) with MS VPN is the very heavy reliance
> it places on user-passwords to keep intruders out. I would be inclined to
> supplement that with a requirement for fixed IP addresses on all clients, and
> a suitable set of firewall rules on the server or gateway which will
> lock-down access from unauthorised locations.
>
> If you need true roaming access, then I would think in terms of secure
> tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> key instead of, or as well as, a user password.
>
> "David" wrote:
>
> > I'm interested in client security from the VPN.
> >
> > For example if a VPN is established on a client (say either via a DLL or
> > Microsoft VPN), how does the client configure their machine to keep the
> > server side from using the VPN to browse or copy files from the client
> > machine?
>
 
Paul Adare - MVP

On Sat, 30 Aug 2008 01:34:01 -0700, Dan wrote:

> So using a multi-layered security and safety approach is good. BTW, why do
> we still only use 128 bit cipher strength so frequently and why not upgrade
> the entire industry to start using 168 bit cipher strength as a new bare
> minimum.


What do you mean "upgrade the entire industry"? No one uses 168-bit
encryption and for good reason. Vista supports AES128, AES256, and 3DES.

> One thing I do like about Windows Live One Care is the ability to
> customize what you let in and out of your computer with the firewall by
> allowing or blocking it.


And your point is? The Vista firewall by itself provides this ability, no
need for OneCare on top of it.

> In addition, shouldn't all company networks have
> the sort of firewall that Zone Alarm Professional reporting has so at least
> the company can try to figure out where the port scan is coming from even if
> the port scan is being hidden through numerous points throughout the world


And in your vast experience company networks don't have this already? BTW -
what you're talking about is an Intrusion Detection System (IDS) and not a
firewall, however, any enterprise level firewall will have good reporting
features.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Transistor: A sibling, opposite of transbrother.
 
Paul Adare - MVP

On Sat, 30 Aug 2008 01:04:01 -0700, Anteaus wrote:

> The key security issue (as I see it) with MS VPN is the very heavy reliance
> it places on user-passwords to keep intruders out.


There is no suck reliance. Microsoft's VPN solutions have supported
authentication methods other than user names and passwords, including but
not limited to certificate based authentication for years now.

> I would be inclined to
> supplement that with a requirement for fixed IP addresses on all clients,


That simply isn't possible in the real world. I travel all over the world
and need to connect to my corporate network. You're going to tell me that I
can't connect from my hotel? Well, guess what, the bad guys just won as I
can't do my work.

> and
> a suitable set of firewall rules on the server or gateway which will
> lock-down access from unauthorised locations.


This is possible now but as above is completely impractical in the real
world.

>
> If you need true roaming access, then I would think in terms of secure
> tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> key instead of, or as well as, a user password.


Again, in the real world, pre-shared keys are not secure and even if they
were, they are simply unmanageable on a large scale.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Nice computers don't go down.
 
Paul Adare - MVP

On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:

> suck


such
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)
 
Dan

3 DES --- 168 bit encryption according to Mozilla Firefox

Vista still has some issues and why do you think the FAA for the pilots
taking the flight exam would not allow Vista to be used if it has indeed been
perfectly perfected? I still hear from so many users that they hate Vista
because it is so complicated and they do not understand it and these users
just want the simplicity of an os like Windows 98 Second Edition.

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 01:34:01 -0700, Dan wrote:
>
> > So using a multi-layered security and safety approach is good. BTW, why do
> > we still only use 128 bit cipher strength so frequently and why not upgrade
> > the entire industry to start using 168 bit cipher strength as a new bare
> > minimum.
>
> What do you mean "upgrade the entire industry"? No one uses 168-bit
> encryption and for good reason. Vista supports AES128, AES256, and 3DES.
>
> > One thing I do like about Windows Live One Care is the ability to
> > customize what you let in and out of your computer with the firewall by
> > allowing or blocking it.
>
> And your point is? The Vista firewall by itself provides this ability, no
> need for OneCare on top of it.
>
> > In addition, shouldn't all company networks have
> > the sort of firewall that Zone Alarm Professional reporting has so at least
> > the company can try to figure out where the port scan is coming from even if
> > the port scan is being hidden through numerous points throughout the world
>
> And in your vast experience company networks don't have this already? BTW -
> what you're talking about is an Intrusion Detection System (IDS) and not a
> firewall, however, any enterprise level firewall will have good reporting
> features.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Transistor: A sibling, opposite of transbrother.
>
 
Dan

Why not require all keys to be updated more frequently and if the
corresponding key is lost then the user has no access === period? I ran into
an expired key recently at boards.live.microsoft.com and wondered to myself
why Microsoft had not updated the key. I emailed Microsoft and got the
response --- oh, that is a msn problem so you need to contact them -- contact
them -- nope it is not our problem and you need to contact Microsoft --- this
shifting of responsibility is stupid because no one wants to own up and be a
man or woman and say this is a problem that needs to be remedied and I if
they do indeed have the skills then let them say that I have the skills so I
can take action with the proper approval and fix the problem and then it is
no longer a problem

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 01:04:01 -0700, Anteaus wrote:
>
> > The key security issue (as I see it) with MS VPN is the very heavy reliance
> > it places on user-passwords to keep intruders out.
>
> There is no suck reliance. Microsoft's VPN solutions have supported
> authentication methods other than user names and passwords, including but
> not limited to certificate based authentication for years now.
>
> > I would be inclined to
> > supplement that with a requirement for fixed IP addresses on all clients,
>
> That simply isn't possible in the real world. I travel all over the world
> and need to connect to my corporate network. You're going to tell me that I
> can't connect from my hotel? Well, guess what, the bad guys just won as I
> can't do my work.
>
> > and
> > a suitable set of firewall rules on the server or gateway which will
> > lock-down access from unauthorised locations.
>
> This is possible now but as above is completely impractical in the real
> world.
>
> >
> > If you need true roaming access, then I would think in terms of secure
> > tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> > key instead of, or as well as, a user password.
>
> Again, in the real world, pre-shared keys are not secure and even if they
> were, they are simply unmanageable on a large scale.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Nice computers don't go down.
>
 
Dan

What are you trying to say Paul?

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:
>
> > suck
>
> such
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)
>
 
David

Thanks for response Mr. Stanley:
My computer, one user Administrator, me.
Have several computer programs I wrote which include DLL's
(API's) furnished by the hosting server companies.

> You should secure your computer with file/folder
> permissions


Makes sense. Newbie to User Accounts, File/Folder Permissions.

Any way to do this easily? For example, if I create a user account and set
permissions on the file/folders under that account, will that limit the VPN
or DLL to the file/folders within that account?

OR

Do I need the reverse, where all file/folders NOT in that account have
permissions set?

> put anything you don't want them accessing in some
> encrypted format (using Windows EFS or TrueCrypt or something else.)


I assume you mean within the same file/folder

===========================

With all the password breaking programs around, and basically a continuous
open line to the server, are file/folder permissions really secure?

Thanks
David


"Shenan Stanley" <newshelper@gmail.com> wrote in message
news:%23oOWEhiCJHA.5196@TK2MSFTNGP04.phx.gbl...
> David wrote:
>> From responses it appears I'm either misunderstanding the response
>> OR not properly phrasing my question.
>>
>> If I am an independent client (not affiliated with or an employee of the
>> company that owns the server), and provided a DLL or VPN setup by
>> a company to access their server, how do I (as the client) protect
>> myself under Windows XP Pro from someone on the server side gaining
>> access to my computer (client) directories -- In other words can
>> I keep them within their own directory or user account -- details
>> please on how to set up?
>
> If they setup your computer - and did it so you do not have administrative
> rights and it is technically theirs - you are probably between a rock and
> a hard place.
>
> If it is your computer (or a computer provided by another company) and you
> are an administrator - put anything you don't want them accessing in some
> encrypted format (using Windows EFS or TrueCrypt or something else.)
>
> Basically - what you seem to be asking has nothing to do with VPN in
> particular - as you would have the same issue if using their wireless,
> their wired networking, etc... You should secure your computer with
> file/folder permissions and a Software Firewall if you will be using it on
> other people's networks. Just connecting to another network (VPN or
> otherwise) does not change your security settings or how they work. Your
> software firewall should keep them from accessing your computer. Your
> file and folder permissions are still in effect. Any other protection you
> have (antivirus, antispyware, intrusion detection, etc) all still work the
> same.
>
> If you are setup to stay protected - connecting to a VPN should just add
> to that and encrypt the data you send/receive over said VPN connection.
> It does not (or should not) eliminate or bypass your other protections.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
 
Paul Adare - MVP

On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:

> Why not require all keys to be updated more frequently and if the
> corresponding key is lost then the user has no access === period?


What in the world are you talking about? This makes no sense.

> I ran into
> an expired key recently at boards.live.microsoft.com and wondered to myself
> why Microsoft had not updated the key. I emailed Microsoft and got the
> response --- oh, that is a msn problem so you need to contact them -- contact
> them -- nope it is not our problem and you need to contact Microsoft --- this
> shifting of responsibility is stupid because no one wants to own up and be a
> man or woman and say this is a problem that needs to be remedied and I if
> they do indeed have the skills then let them say that I have the skills so I
> can take action with the proper approval and fix the problem and then it is
> no longer a problem


You can't even distinguish between a pre-shared key and certificate and you
expect anyone to take you seriously when it comes to your whacked out views
on what constitutes computer security? Man, I feel sorry for whomever is
employing you if your job involves anything at all to do with computer
security.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
A computer program does what you tell it to do, not what you want it to do.
 
FromTheRafters

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...
> So using a multi-layered security and safety approach is good. BTW, why
> do
> we still only use 128 bit cipher strength so frequently and why not
> upgrade
> the entire industry to start using 168 bit cipher strength as a new bare
> minimum.


I want to use 129 bits - gee...nearly twice strength of the
128 bit version and I only buy one more bit. :o)
 
Dan

LOL

"FromTheRafters" wrote:

>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...
> > So using a multi-layered security and safety approach is good. BTW, why
> > do
> > we still only use 128 bit cipher strength so frequently and why not
> > upgrade
> > the entire industry to start using 168 bit cipher strength as a new bare
> > minimum.
>
> I want to use 129 bits - gee...nearly twice strength of the
> 128 bit version and I only buy one more bit. :o)
>
>
>
 