
    Installing VPN access on Windows Server 2016

    70 Posts 7 Posters 16.2k Views
      scottalanmiller @Carnival Boy

      @Carnival-Boy said in Installing VPN access on Windows Server 2016:

      And risks change over time. Scott saying because something was risky in 2004 ergo it will be equally risky forever is just nonsense.

      I didn't say that. My point, and one I'm flabbergasted to have questioned, is that network attacks have always existed, always will and by definition cannot be documented until after they are found. So the ones that exist today you can't ask for proof of because if they could be documented, they could be fixed.

      You are literally saying that hacking is no longer a threat. That's the statement this implies.

        scottalanmiller @Carnival Boy

        @Carnival-Boy said in Installing VPN access on Windows Server 2016:

        I'm not saying you don't understand the risks, btw, I'm just trying to understand what they are. As an SMB we have limited funds so need to prioritise our security investments, and how we prioritised in 2004 won't be the same as in 2017.

        This is true, but you can't actually think that network attacks have gone from a significant threat in 2004 to a non-existent one today? It's true that systems are getting better at being hardened, but the rate of attacks has gone through the roof, and the complexity of them. In 2004 you could pretty easily go weeks without patching, today you can't go hours.

        If you have heard of the term zero day, this is what it refers to.

        It's your zero day threats that you are exposed to without systems like this. I think you'll find that yes, threats change over time, and this one is far worse in 2017 than in 2004.

          Dashrender

          Exactly.

          Speaking of money, there are many inexpensive/free options to provide these extra layers of security as well. nginx is an example. It's a free reverse proxy. Sadly, as noted elsewhere, it doesn't seem to work for Exchange in the free version.

          As for the Windows VPN, unless you can find a proxy that can handle that, I don't think you can typically put anything in front of a VPN server.

            scottalanmiller @Dashrender

            @Dashrender said in Installing VPN access on Windows Server 2016:

            Speaking of money, there are many inexpensive/free options to provide these extra layers of security as well. nginx is an example. It's a free reverse proxy. Sadly, as noted elsewhere, it doesn't seem to work for Exchange in the free version.

            Yeah, that sucks. At least not the free version without resorting to Debian. Looks like it works on Debian.

            And Postfix for the SMTP portion. These are all solutions that you can run, for free, in any on premises environment as the VM loads for proxies are trivially small.

              scottalanmiller @Dashrender

              @Dashrender said in Installing VPN access on Windows Server 2016:

              As for the Windows VPN, unless you can find a proxy that can handle that, I don't think you can typically put anything in front of a VPN server.

              Except another VPN server 🙂

                Dashrender @scottalanmiller

                @scottalanmiller said in Installing VPN access on Windows Server 2016:

                @Dashrender said in Installing VPN access on Windows Server 2016:

                As for the Windows VPN, unless you can find a proxy that can handle that, I don't think you can typically put anything in front of a VPN server.

                Except another VPN server 🙂

                Lol, ok that's just crazy talk 😉

                  Carnival Boy @Dashrender

                  @Dashrender said in Installing VPN access on Windows Server 2016:

                  Exactly.

                  My question, which I thought was a simple one, was that have Microsoft products been hardened sufficiently in recent years to a point where best practice in 2004 isn't the same as best practice in 2017. It seems on ML (tough crowd), merely asking the question implies I'm stupid ("do you believe that the entire concept of hacking has been solved and doesn't exist today?").

                  I found this blog post by Microsoft interesting and it's kind of where I was coming from
                  https://blogs.technet.microsoft.com/exchange/2013/07/17/life-in-a-post-tmg-world-is-it-as-scary-as-you-think/
                  eg "We made a lot of progress over those ten years since then. We delivered on the goal that the security of the application can be better managed inside the OS and the application rather than at the network layer."

                  I was just asking the question because I thought it might have some merit. Sorry I asked and I'll leave it now....

                    JaredBusch @Carnival Boy

                    @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                    @Dashrender said in Installing VPN access on Windows Server 2016:

                    Exactly.

                    My question, which I thought was a simple one, was that have Microsoft products been hardened sufficiently in recent years to a point where best practice in 2004 isn't the same as best practice in 2017. It seems on ML (tough crowd), merely asking the question implies I'm stupid ("do you believe that the entire concept of hacking has been solved and doesn't exist today?").

                    I found this blog post by Microsoft interesting and it's kind of where I was coming from
                    https://blogs.technet.microsoft.com/exchange/2013/07/17/life-in-a-post-tmg-world-is-it-as-scary-as-you-think/
                    eg "We made a lot of progress over those ten years since then. We delivered on the goal that the security of the application can be better managed inside the OS and the application rather than at the network layer."

                    I was just asking the question because I thought it might have some merit. Sorry I asked and I'll leave it now....

                    But the behaviour you are protecting against has not gone away. You have to always continue protecting against it. As soon as you stop protecting against it, it will be attacked.

                    In regards to your linked article, Microsoft might have made managing the security of an application better inside the OS, but that does nothing for actually securing the application.

                      scottalanmiller @Carnival Boy

                      @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                      I was just asking the question because I thought it might have some merit. Sorry I asked and I'll leave it now....

                      I think it is a dangerous question to be asked. Systems are never going to be so secure that security basics can be abandoned. There has not been and there is never expected to be some magic bullet. But suggesting that there might be is incredibly dangerous because it implies that we don't realize how serious the threats are, how they work and think that the time might come where we can ignore them. Security does not change that way.

                      Example: This is much like saying we no longer need door locks. That other security has improved so much that we should no longer bother locking doors. Given physical security goes back thousands of years, one thing we have no expectation of is that door locks will ever be something to be abandoned.

                        scottalanmiller @Carnival Boy

                        @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                        My question, which I thought was a simple one, was that have Microsoft products been hardened sufficiently in recent years to a point where best practice in 2004 isn't the same as best practice in 2017.

                        That's not quite what you said, though, and it's not really a reasonable thing. Hardening is not the issue, so conceptually this isn't a thing that can happen.

                        But more importantly, you felt that because threats were "old" (2004 is recent in security terms) that they didn't warrant immediate concern today because you perceived them as old. But that's not how systems, software and security work. Threats on our systems have been, for all intents and purposes, identical over all time. The basics of how systems work and how they get compromised have not changed, so our security needs have not changed.

                        That's why I mentioned that it seemed that you felt that "hackers" had gone away and can no longer access systems (that the news about the US, Russia and China doing this constantly is all faked, for example.) The threat that you perceived as old in 2004 is the one that everyone is scared of today (plus ransomware.)

                          Carnival Boy @scottalanmiller

                          @scottalanmiller said in Installing VPN access on Windows Server 2016:

                          you felt that because threats were "old" (2004 is recent in security terms) that they didn't warrant immediate concern today because you perceived them as old.

                          No I didn't.

                            Carnival Boy

                            So what do Microsoft mean when they say:

                            1. We do not require traffic to be authenticated prior to hitting services in front of Exchange Online.
                            2. We do not do any form of pre-authentication of services in front of our corporate, on-premises messaging deployments either.
                            We don't use TMG to protect ourselves any more.

                            I'm not sure what I'm missing here. Do they run reverse proxies? What does a reverse proxy protect against, if it isn't doing pre-authentication?

                              scottalanmiller @Carnival Boy

                              @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                              @scottalanmiller said in Installing VPN access on Windows Server 2016:

                              you felt that because threats were "old" (2004 is recent in security terms) that they didn't warrant immediate concern today because you perceived them as old.

                              No I didn't.

                              Then what did you mean when you dismissed my examples of buffer overflows as being meaningless to you because they were not current enough? What else was I (am I) supposed to think, since age-based dismissal was the only response?

                                scottalanmiller @Carnival Boy

                                @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                                I need an example that's not from 2004!

                                This. What did you mean by this? Why did you need recent examples of a timeless security concept?

                                  scottalanmiller @Carnival Boy

                                  @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                                  So what do Microsoft mean when they say:

                                  1. We do not require traffic to be authenticated prior to hitting services in front of Exchange Online.
                                  2. We do not do any form of pre-authentication of services in front of our corporate, on-premises messaging deployments either.
                                  We don't use TMG to protect ourselves any more.

                                  I'm not sure what I'm missing here. Do they run reverse proxies? What does a reverse proxy protect against, if it isn't doing pre-authentication?

                                  They don't require authentication before that point. And does TMG even exist anymore? I'd be pretty concerned if they were using that.

                                  Reverse proxies protect against all the things that we discussed, like buffer overflow attacks, without authentication.

                                    scottalanmiller @Carnival Boy

                                    @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                                    That's the way it's always been done?

                                    Years ago, it was generally accepted that Microsoft products weren't very secure and that you wouldn't want to expose them. But it's 2017 now, and I'm not sure that assumption still applies.

                                    People used to explain it to me by saying "cuz it's Microsoft, duh..". Now I need to know specifics on how an attack on an exposed MS product could play out and why.

                                    Going back to the original question, maybe I could have answered it more clearly. Let me try it again...

                                    • It was never because of Microsoft or MS Products
                                    • All products, even open source ones, still have risks and always will. Software will never be perfect.
                                    • MS is closed source so will always be an additional risk that cannot be audited on top of other things.
                                    • I'm not sure who told you "it's MS duh" but they were wrong and I think that myth became the foundation of your thinking and you are applying it to us.
                                    • This is basic network security and we apply it to nearly everything, including 100% non-MS web stacks like the one we are using now which passes through two reverse proxies before getting to you.

                                      Obsolesce

                                      I don't remember experiencing or hearing about an MS RRAS server that was compromised or hacked due to the fault of the MS Software directly. It's always been because of dirt poor implementation and security oversights... connecting a Windows server directly to the internet, not updating OS, firmware, drivers, etc.

                                      VPN on Windows Server 2016 works quite well and opens up a lot of nice options not available on other platforms and devices.

                                      I guess the trick is just doing it correctly...

                                        scottalanmiller @Obsolesce

                                        @Tim_G said in Installing VPN access on Windows Server 2016:

                                        I don't remember experiencing or hearing about an MS RRAS server that was compromised or hacked due to the fault of the MS Software directly. It's always been because of dirt poor implementation and security oversights... connecting a Windows server directly to the internet, .....

                                        If you consider exposing the server as a mistake leading to compromise, that's really the point that we were making 🙂
