All posts in category SSL

Always On VPN April 2023 Security Updates

Heads up, Always On VPN administrators! This month’s patch Tuesday includes fixes for critical security vulnerabilities affecting Windows Server Routing and Remote Access Service (RRAS). Crucially there are remote code execution (RCE) vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP) (CVE-2023-28232), the Layer Two Tunneling Protocol (L2TP) (CVE-2023-28219, CVE-2023-28220), the Point-to-Point over Ethernet (PPPoE) protocol (CVE-2023-28224), and the Internet Key Exchange (IKE) protocol (CVE-2023-28238). The vulnerabilities in PPTP and L2TP are especially urgent as they allow an unauthenticated attacker to exploit them. There is also a denial-of-service (DoS) vulnerability (CVE-2023-28234) in the Secure Socket Tunneling Protocol (SSTP) protocol.

Exposure and Risk

The RCEs in PPTP, L2TP, and PPPoE should present limited risk as these protocols aren’t commonly used for Always On VPN (PPPoE and PPTP aren’t supported for Always On VPN, in fact). However, organizations may be using these protocols for other purposes. In addition, improperly configured edge firewalls could allow these connections even though administrators may not be actively using them. An attacker could also exploit these vulnerabilities with access to the RRAS server from the internal network.

Attack Surface Reduction

Always On VPN administrators are advised to ensure that only protocols and ports for VPN protocols in use are allowed through the edge firewall. Also, administrators should disable any unused protocols and services in RRAS to reduce the attack surface on their RRAS servers. To do this, open an elevated PowerShell command window on the RRAS server and run the following commands to disable support for the PPTP, L2TP, and PPPoE protocols.

netsh.exe ras set wanports device = “WAN Miniport (L2TP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

netsh.exe ras set wanports device = “WAN Miniport (PPTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 1

netsh.exe ras set wanports device = “WAN Miniport (PPPOE)” ddoutonly = disabled

Restart-Service RemoteAccess -PassThru

Additional Vulnerabilities

This month’s update also includes fixes for other vulnerabilities that may impact Always On VPN deployments. Specifically, there are RCEs in Windows Network Address Translation (NAT) (CVE-2023-28217) and Windows Network Load Balancing (NLB) (CVE-2023-28240), and a DoS vulnerability in Windows Transport Layer Security (TLS) (CVE-2023-28234).

Update Now

Administrators should patch their RRAS servers as soon as possible to avoid potential compromise of the RRAS server in their environments.

Additional Information

Always On VPN SSTP Security Configuration

Leave a comment
by Richard M. Hicks on April 12, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, Hotfix, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, SSL, SSL and TLS, SSTP, TLS, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 12, 2023

https://directaccess.richardhicks.com/2023/04/12/always-on-vpn-april-2023-security-updates/

Always On VPN SSTP and HSTS

HTTP Strict Transport Security (HSTS) is a feature commonly used by websites to protect against protocol downgrade attacks, where an attacker forces the use of insecure HTTP instead of HTTPS. If successful, the attacker can intercept unencrypted communication between the client and the web server. This is undesirable for obvious reasons. As such, web server administrators implement an HTTP response header named Strict-Transport-Security with some additional settings that instruct the user agent, in this case, a web browser, to only use secure HTTPS when communicating with the web server. Attempts to use HTTP will not work.

VPN and SSTP

As security is always a top concern when building an Always On VPN infrastructure, careful attention must be paid to VPN protocol configuration to ensure optimal security. Secure Socket Tunneling Protocol (SSTP) is a popular VPN protocol for Always On VPN user tunnel connections. SSTP uses Transport Layer Security (TLS) for encryption, so administrators are encouraged to implement recommended security configurations, such as disabling insecure protocols like TLS 1.0 and TLS 1.1 and optimizing TLS cipher suites as described here.

SSTP with HSTS

It would seem that enabling HSTS on a Windows RRAS VPN server would be ideal for improving SSTP security. However, that’s not the case. HSTS prevents protocol downgrade attacks from HTTPS to HTTP, but SSTP already uses HTTPS exclusively, making the use of HSTS irrelevant. If an attacker attempted a protocol downgrade attack on an SSTP VPN connection, it would fail because the service does not support HTTP between the client and the VPN gateway. Additionally, even if it were possible to configure RRAS to send an HSTS response header, it would be ignored by the client because the user agent is not a web browser.

Additional Information

Always On VPN SSTP Security Configuration

Always On VPN SSTP and TLS 1.3

Always On VPN SSTP Certificate Renewal

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN SSTP Certificate Binding Error

SSL and TLS Training for Always On VPN Administrators

5 Comments
by Richard M. Hicks on September 29, 2022  •  Permalink
Posted in Always On VPN, AOVPN, certificates, Cryptography, ECC, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, Mobility, Operational Support, PKI, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSL, SSL and TLS, TLS, TLS 1.3, TPM, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 29, 2022

https://directaccess.richardhicks.com/2022/09/29/always-on-vpn-sstp-and-hsts/

Always On VPN Error -2146762495

DirectAccess Troubleshooting and the Windows 10 Network Connectivity Assistant

Always On VPN Administrators may encounter a scenario where Always On VPN connections suddenly stop working for all clients using the Secure Socket Tunneling Protocol (SSTP) VPN protocol. IKEv2 VPN connections continue to work, however.

Event Log

Reviewing the event log on a client machine reveals an error event ID 20227 from the RasClient source. The error message states the following.

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is -2146762495.”

Error -2146762495?

Always On VPN administrators will be familiar with error codes such as 809, 691 and 812, 853, 858, and even 13801, 13806, and 13868. However, this error code seems to be formatted much differently. As it turns out, this message is in decimal format. Thankfully it’s pretty easy to convert it to something more meaningful, like hexadecimal. To do this, open the Windows calculator (calc.exe) and switch to programmer mode. Highlight DEC and enter -2146762495. The hexadecimal value will be displayed in the HEX field, as shown here.

Error 0x800B0101

After converting the error message from decimal to hex, use the Microsoft Error Lookup tool (err.exe) to translate the hex value of this error. As shown here, 0x800B0101 translates to CERT_E_EXPIRED.

Expired TLS Certificate

Once again, an expired certificate is to blame! In this case, the TLS certificate installed on the VPN server has expired and is no longer valid.

Resolution

The problem is simple enough to resolve, of course. Obtain a new TLS certificate from your certification authority (CA) of choice and update your VPN server configuration. You can find detailed guidance for updating the RRAS VPN server’s TLS certificate here. You will also find a video demonstration of the RRAS SSL/TLS certificate renewal process here.

Additional Information

Installing or Renewing an SSL/TLS Certificate on Windows Server RRAS for Always On VPN and SSTP

VIDEO: Installing or Renewing an SSL/TLS certificate on Windows Server RRAS for Always On VPN and SSTP

Microsoft Windows Always On VPN SSTP Security Configuration

Microsoft Windows Always On VPN SSL/TLS Certificate Requirements for SSTP

Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates

Leave a comment
by Richard M. Hicks on February 15, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, certificates, Encryption, Enterprise, enterprise mobility, Mobility, Operational Support, PKI, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, SSL, SSL and TLS, SSTP, TLS, TLS 1.3, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 15, 2022

https://directaccess.richardhicks.com/2022/02/15/always-on-vpn-error-2146762495/

« Older Posts
%d bloggers like this: