All posts in category Security

Always On VPN May 2023 Security Updates

Hey, Always On VPN administrators! It’s the second Tuesday of the month, which means security updates for Windows have been released. This month’s batch includes an update to address a critical vulnerability likely to affect many Always On VPN implementations using Windows Server.

SSTP Vulnerability

CVE-2023-24903 documents a vulnerability on Windows Servers with the Routing and Remote Access Service (RRAS) configured to support Secure Socket Tunneling Protocol (SSTP) for VPN connections. This is a remote code execution (RCE) vulnerability that can be exploited when an attacker sends a specifically crafted malicious packet to the server. Administrators are encouraged to update as soon as possible.

Mitigation

SSTP is commonly used for Always On VPN user tunnels. However, if administrators have configured user tunnels using IKEv2, or are using the device tunnel only, consider blocking inbound TCP 443 at the edge firewall to prevent attacks from the Internet. In addition, if SSTP is not in use, consider disabling support for SSTP by opening an elevated PowerShell command window and running the following commands.

netsh.exe RAS set wanports device = “WAN Miniport (SSTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

Restart-Service RemoteAccess -PassThru

Alternatively, SSTP can be disabled in the RRAS management console by following the steps below.

  1. Open the RRAS management console (rrasmgmt.msc).
  2. Expand the server.
  3. Right-click Ports.
  4. Choose Properties.
  5. Highlight WAN Miniport (SSTP).
  6. Click Configure.
  7. Uncheck Remote access connections (inbound only).
  8. Uncheck Demand-dial routing connections (inbound and outbound).
  9. Enter 0 in the Maximum ports field.
  10. Click Ok.

Additional Information

Windows SSTP Remote Code Execution Vulnerability (CVE-2023-24903)

May 2023 Security Updates for Windows Server 2016 (KB5026363)

May 2023 Security Updates for Windows Server 2019 (KB5026362)

May 2023 Security Updates for Windows Server 2022 (KB5026370)

1 Comment
by Richard M. Hicks on May 9, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, device tunnel, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSTP, TLS, Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 9, 2023

https://directaccess.richardhicks.com/2023/05/09/always-on-vpn-may-2023-security-updates/

Always On VPN at TechMentor 2023

I’m excited to announce that I’ll be presenting at this year’s TechMentor IT training conference! The event takes place July 17-21, 2023, at the Microsoft headquarters in Redmond, Washington.

My Sessions

I will be delivering two talks at this year’s event.

TT04 – Deploying On-premises Certificates using Intune

In this talk, I’ll describe in detail how to deliver on-premises enterprise PKI certificates using Intune. We’ll cover all aspects of certificate delivery, including the Intune Certificate Connector configuration, device configuration profile options, advantages of PKCS over SCEP, and certificate template security best practices.

TT07 – Windows Always On VPN: Notes from the Field

During this session, I’ll share many tips, tricks, and best practices for deploying and managing Always On VPN client configuration settings using Intune. I’ll explain the limitations of the Intune VPN profile template and how to work around them using custom XML. I will also describe how to use Intune Proactive Remediation to optimize Always On VPN client configuration settings post deployment.

Discount Code

Use the discount code Hicks and receive $400.00 off the standard pricing for the event. Don’t miss out on this opportunity to learn from some of the best IT pros in the business. Register today!

Let’s Connect!

If you’re attending TechMentor 2023 this year, let’s connect! I’ll be at the conference all week. Attend one of my sessions, join me on Thursday for a Table Topic lunch, or let’s grab a beer somewhere. Reach out to me and arrange some time!

Leave a comment
by Richard M. Hicks on May 8, 2023  •  Permalink
Posted in Always On VPN, AOVPN, certificates, education, Enterprise, enterprise mobility, Intune, Intune Certificate Connector, Intune PFX Connector, learning, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, PFX Connector, PKCS, PKI, public key infrastructure, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 8, 2023

https://directaccess.richardhicks.com/2023/05/08/always-on-vpn-at-techmentor-2023/

Always On VPN at MMSMOA 2023

I’m excited to share that I’ve been invited to present at the popular Midwest Management Summit at Mall of America (MMSMOA) this year! The event takes place Monday, May 2, through Thursday, May 4, 2023.

Sessions

I will be delivering two talks at the event this year. One on Microsoft Always On VPN and Intune, the other on deploying certificate using Intune.

Always On VPN and Intune: Notes from the FieldTuesday, May 2 at 10:00 AM CDT

This session will cover all aspects of deploying and managing Always On VPN client configuration settings using Microsoft Intune.

Intune Certificate ManagementWednesday, May 3 at 10:00 AM CDT

This session will provide detailed configuration guidance and best practice recommendations for issuing on-premises enterprise PKI certificate using Microsoft Intune.

Attending MMS?

Will you be attending MMSMOA? Let’s connect! Drop in on my sessions, of course, but let’s plan to hang out! I will have copies of my book to give away too, so don’t miss out. Send me a note here or on Twitter, or just find me at the conference. Looking forward to seeing all of you soon!

Leave a comment
by Richard M. Hicks on April 11, 2023  •  Permalink
Posted in Always On VPN, AOVPN, certificates, Endpoint Manager, Enterprise, enterprise mobility, Intune Certificate Connector, Intune PFX Connector, learning, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, NDES, Network Device Enrollment Service, Network Device Enrollment Services, PFX Connector, PKI, PowerShell, public key infrastructure, Remote Access, SCCM, SCEP, Security, Simple Certificate Enrollment Protocol, System Center Configuration Manager, systems management, TPM, Trusted Platform Module, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Workshop
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 11, 2023

https://directaccess.richardhicks.com/2023/04/11/always-on-vpn-at-mmsmoa-2023/

« Older Posts
Newer Posts »