All posts in category SSTP

Always On VPN May 2023 Security Updates

Hey, Always On VPN administrators! It’s the second Tuesday of the month, which means security updates for Windows have been released. This month’s batch includes an update to address a critical vulnerability likely to affect many Always On VPN implementations using Windows Server.

SSTP Vulnerability

CVE-2023-24903 documents a vulnerability on Windows Servers with the Routing and Remote Access Service (RRAS) configured to support Secure Socket Tunneling Protocol (SSTP) for VPN connections. This is a remote code execution (RCE) vulnerability that can be exploited when an attacker sends a specifically crafted malicious packet to the server. Administrators are encouraged to update as soon as possible.

Mitigation

SSTP is commonly used for Always On VPN user tunnels. However, if administrators have configured user tunnels using IKEv2, or are using the device tunnel only, consider blocking inbound TCP 443 at the edge firewall to prevent attacks from the Internet. In addition, if SSTP is not in use, consider disabling support for SSTP by opening an elevated PowerShell command window and running the following commands.

netsh.exe RAS set wanports device = “WAN Miniport (SSTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

Restart-Service RemoteAccess -PassThru

Alternatively, SSTP can be disabled in the RRAS management console by following the steps below.

  1. Open the RRAS management console (rrasmgmt.msc).
  2. Expand the server.
  3. Right-click Ports.
  4. Choose Properties.
  5. Highlight WAN Miniport (SSTP).
  6. Click Configure.
  7. Uncheck Remote access connections (inbound only).
  8. Uncheck Demand-dial routing connections (inbound and outbound).
  9. Enter 0 in the Maximum ports field.
  10. Click Ok.

Additional Information

Windows SSTP Remote Code Execution Vulnerability (CVE-2023-24903)

May 2023 Security Updates for Windows Server 2016 (KB5026363)

May 2023 Security Updates for Windows Server 2019 (KB5026362)

May 2023 Security Updates for Windows Server 2022 (KB5026370)

1 Comment
by Richard M. Hicks on May 9, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, device tunnel, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSTP, TLS, Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 9, 2023

https://directaccess.richardhicks.com/2023/05/09/always-on-vpn-may-2023-security-updates/

Always On VPN April 2023 Security Updates

Heads up, Always On VPN administrators! This month’s patch Tuesday includes fixes for critical security vulnerabilities affecting Windows Server Routing and Remote Access Service (RRAS). Crucially there are remote code execution (RCE) vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP) (CVE-2023-28232), the Layer Two Tunneling Protocol (L2TP) (CVE-2023-28219, CVE-2023-28220), the Point-to-Point over Ethernet (PPPoE) protocol (CVE-2023-28224), and the Internet Key Exchange (IKE) protocol (CVE-2023-28238). The vulnerabilities in PPTP and L2TP are especially urgent as they allow an unauthenticated attacker to exploit them. There is also a denial-of-service (DoS) vulnerability (CVE-2023-28234) in the Secure Socket Tunneling Protocol (SSTP) protocol.

Exposure and Risk

The RCEs in PPTP, L2TP, and PPPoE should present limited risk as these protocols aren’t commonly used for Always On VPN (PPPoE and PPTP aren’t supported for Always On VPN, in fact). However, organizations may be using these protocols for other purposes. In addition, improperly configured edge firewalls could allow these connections even though administrators may not be actively using them. An attacker could also exploit these vulnerabilities with access to the RRAS server from the internal network.

Attack Surface Reduction

Always On VPN administrators are advised to ensure that only protocols and ports for VPN protocols in use are allowed through the edge firewall. Also, administrators should disable any unused protocols and services in RRAS to reduce the attack surface on their RRAS servers. To do this, open an elevated PowerShell command window on the RRAS server and run the following commands to disable support for the PPTP, L2TP, and PPPoE protocols.

netsh.exe ras set wanports device = “WAN Miniport (L2TP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

netsh.exe ras set wanports device = “WAN Miniport (PPTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 1

netsh.exe ras set wanports device = “WAN Miniport (PPPOE)” ddoutonly = disabled

Restart-Service RemoteAccess -PassThru

Additional Vulnerabilities

This month’s update also includes fixes for other vulnerabilities that may impact Always On VPN deployments. Specifically, there are RCEs in Windows Network Address Translation (NAT) (CVE-2023-28217) and Windows Network Load Balancing (NLB) (CVE-2023-28240), and a DoS vulnerability in Windows Transport Layer Security (TLS) (CVE-2023-28234).

Update Now

Administrators should patch their RRAS servers as soon as possible to avoid potential compromise of the RRAS server in their environments.

Additional Information

Always On VPN SSTP Security Configuration

Leave a comment
by Richard M. Hicks on April 12, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, Hotfix, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, SSL, SSL and TLS, SSTP, TLS, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 12, 2023

https://directaccess.richardhicks.com/2023/04/12/always-on-vpn-april-2023-security-updates/

SSL and TLS Training for Always On VPN Administrators

Understanding Transport Layer Security (TLS) is essential for Always On VPN administrators. TLS (formerly Security Sockets Layer, or SSL) is used not only for Secure Socket Tunneling Protocol (SSTP), the protocol of choice for the Always On VPN user tunnel in most deployments, but many other technologies such as secure websites and email, Remote Desktop Protocol (RDP), secure LDAP (LDAPS), and many more. High-quality, affordable TLS training is challenging to find, however.

UPDATE! This course has been further discounted for a limited time. Details below!

Practical TLS

Thankfully, Ed Harmoush from Practical Networking has a fantastic training course called Practical TLS that meets these requirements. It is the most comprehensive TLS training course I’ve seen and is surprisingly affordable too!

Course Content

The Practical TLS training course includes the following modules.

  • Module 1 – SSL/TLS Overview (free preview!)
  • Module 2 – Cryptography
  • Module 3 – x509 Certificates and Keys
  • Module 4 – Security through Certificates
  • Module 5 – Cipher Suites
  • Module 6 – SSL/TLS Handshake
  • Module 7 – TLS Defenses

TLS 1.3

The Practical TLS training course does not yet include a module on the newest TLS protocol, TLS 1.3. However, it is due out imminently! Ed is working on the content as we speak, and a preview module is included in the course today. Look for the final TLS 1.3 module soon.

Bonus Content

In addition to excellent TLS training, the course includes free OpenSSL training! Administrators working with certificates in non-Microsoft environments are sure to find this helpful. Understanding OpenSSL will benefit administrators working with network and security appliances such as firewalls and load balancers.

Enroll Now

The cost of the Practical TLS training course is regularly $297.00. It is a perpetual license, so you can view the content whenever you like and as often as you wish. You will also have access to future updates, such as the upcoming TLS 1.3 module. In addition, you can save $100.00 on the course by using promotional code RICHARDHICKS when you sign up. Don’t hesitate. Register for Practical TLS training now!

Special Discount

For a limited time, you can use the code PracticalTLS13 to get this entire course for just $49.00! This won’t last long, so register soon!

Additional Information

Practical Networking Blog

Practical TLS Training Course – $100 Off!

OpenSSL Training Course

Microsoft Always On VPN and TLS 1.3

Microsoft Always On VPN SSTP Security Configuration

Microsoft Always On VPN SSTP Certificate Renewal

Microsoft Always On VPN SSTP with Let’s Encrypt Certificates

Leave a comment
by Richard M. Hicks on September 6, 2022  •  Permalink
Posted in ADC, administration, Always On VPN, AOVPN, certificates, Cryptography, ECC, education, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, IP-HTTPS, learning, Mobility, OpenSSL, PKI, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSL and TLS, SSTP, TLS, TLS 1.3, Training, Transport Layer Security, user tunnel, video, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 6, 2022

https://directaccess.richardhicks.com/2022/09/06/ssl-and-tls-training-for-always-on-vpn-administrators/

« Older Posts
Newer Posts »