All posts tagged Windows 11

Always On VPN and RRAS on Windows Server Core

Windows Server Core is a refactored version of the full Windows Server operating system. Server Core does not include a Graphical User Interface (GUI) and must be managed via the command line or with PowerShell. The Routing and Remote Access Service (RRAS) is a supported workload on all supported versions of Windows Server including Windows Server 2022. Always On VPN administrators should consider installing and configuring RRAS on Windows Server Core to ensure their VPN infrastructure’s best security and performance.

Server Core Benefits

Windows Server Core is a minimal installation option of the Windows Server operating system that provides numerous benefits, particularly for environments where security, resource efficiency, and reduced maintenance overhead are essential. Here are some of the key benefits of using Windows Server Core.

Minimized Attack Surface – Windows Server Core has a smaller footprint compared to the full GUI version, which means fewer components and services are installed by default. This reduces the potential attack surface and minimizes security vulnerabilities.

Enhanced Security – With fewer components and a reduced attack surface, there are fewer potential vectors for malware or unauthorized access. This makes Windows Server Core a more secure choice for critical server roles like RRAS.

Reduced Maintenance – Since there are fewer components to update, patching and maintaining a Windows Server Core system is quicker and requires less effort. This is especially beneficial in large-scale server deployments.

Improved Stability – By removing the graphical user interface (GUI), Windows Server Core has fewer processes running in the background, leading to a more stable and predictable server environment.

Simplified Management – Windows Server Core is designed for remote administration. It allows the administrator to manage it using command-line tools, PowerShell, or remote management tools like the Remote Server Administration Tools (RSAT) and Windows Admin Center. This makes it easier to manage multiple servers from a single location.

Faster Reboots – Windows Servers require periodic reboots. With Windows Server Core, reboot times are considerably faster, resulting in less downtime during maintenance periods.

RSAT

The Remote Server Administration Tools (RSAT) can be installed on Windows clients and servers to enable remote administration using the familiar Routing and Remote Access Management console (rrasmgmt.msc) and Remote Access Management console (ramgmtui.exe) GUI tools.

Windows Client

To install the Remote Access Management tools on Windows client operating systems, navigate to Settings > Apps > Optional Features. Click Add a feature, select RSAT: Remote Access Management Tools, then click Install.

Optionally the Remote Access Management tools can be installed by running the following PowerShell command.

Add-WindowsCapability -Online -Name Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0

Windows Server

To install the Remote Access Management tools on Windows Server run the following PowerShell command.

Install-WindowsFeature -Name RSAT-RemoteAccess

Windows Admin Center

The Windows Admin Center is a free remote management tool from Microsoft for managing Windows Server (core and GUI) remotely. It is especially helpful for Server Core management as it provides a GUI for many common administrative tasks.

You can download Windows Admin Center here.

Additional Information

Windows Server Core Installation Option

Windows Server Core vs. Desktop

PowerShell Remote Server Administration

Windows Admin Center

1 Comment
by Richard M. Hicks on October 2, 2023  •  Permalink
Posted in Admin Center, administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, Remote Administration, routing, routing and remote access service, RRAS, RSAT, Security, Server Core, VPN, Windows 10, Windows 11, Windows Admin Center, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 2, 2023

https://directaccess.richardhicks.com/2023/10/02/always-on-vpn-and-rras-on-windows-server-core/

Always On VPN Windows 11 Status Indicator

Viewing the status of an Always On VPN connection has been challenging since the introduction of this technology. To see if an Always On VPN connection is active, users must proactively click on the network status icon in the system tray to view the current connection status. Optionally, users can use the Settings application in Windows and select the Network & Internet tab to view the Always On VPN connection status. Further, there were no options to see VPN status in the system tray natively if the user is using a consumer VPN such as Proton VPN.

New Status Indicator

Always On VPN administrators will be happy to hear that Microsoft recently introduced a new VPN status indicator for Windows 11. Beginning with the July 2023 cumulative update (KB5028185), users will begin to see a new network status icon (a small shield) on the network connectivity indicator on the system tray in Windows. Microsoft calls this new feature “glanceable VPN“.

Source: https://blogs.windows.com/windowsexperience/2023/05/23/announcing-new-windows-11-innovation-with-features-for-secure-efficient-it-management-and-intuitive-user-experience/

Consumer VPN

While this new VPN status indicator is helpful for Always On VPN deployments, it is not limited to Always On VPN. The VPN status indicator will also display the lock icon in the system tray when the device is connected to any recognized VPN. The new VPN status indicator will include third-party enterprise VPN clients as well as some consumer VPNs.

Additional Information

Windows 11 July 2023 Update KB5028185

Always On VPN Device Tunnel Status Indicator

2 Comments
by Richard M. Hicks on July 20, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Microsoft, Mobility, NCSI, network connectivity status indicator, Operational Support, Remote Access, Security, Security Update, Update, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 20, 2023

https://directaccess.richardhicks.com/2023/07/20/always-on-vpn-windows-11-status-indicator/

Always On VPN July 2023 Security Updates

Hello, Always On VPN administrators! It’s the second Tuesday of the month, so you know what that means. Yes, it’s Patch Tuesday! This month’s security updates include several fixes for vulnerabilities potentially affecting Microsoft Always On VPN deployments.

RRAS Vulnerabilities

Microsoft’s July 2023 security updates include fixes affecting Windows Servers with the Routing and Remote Access Service (RRAS) role installed. Security vulnerabilities CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367 are all Remote Code Execution (RCE) vulnerabilities with a Critical security rating and a CVSS score of 9.8. These security vulnerabilities in Windows Server RRAS are particularly troublesome due to the nature of the workload. RRAS servers are, by design, exposed to the public Internet. Although there are no known exploits in the wild at this time, this attack requires no special privileges other than network access. Administrators running Windows Server with RRAS installed are encouraged to update as soon as possible.

AD CS Vulnerabilities

Most Always On VPN implementations leverage enterprise PKI certificates for user and device authentication. Administrators commonly deploy Microsoft Active Directory Certificate Services (AD CS) to support this. This month there are two security vulnerabilities in AD CS marked as Important. CVE-2023-35350 and CVE-2023-35351 address RCE vulnerabilities that exploit a race condition on the server. However, AD CS servers are not exposed to untrusted networks. In addition, attackers would require administrative rights on the server to exploit these vulnerabilities.

Network Load Balancing

Finally, of importance to Always On VPN administrators using Windows Network Load Balancing (NLB) to provide load balancing for their RRAS servers, there is a vulnerability in the NLB service. CVE-2023-33163 addresses an RCE vulnerability in NLB identified as Important.

Additional Information

Microsoft July 2023 Security Updates

Windows Server 2022 KB5028171 (Build 20348.1850)

Windows Server 2019 KB5028168 (Build 17763.4645)

Windows Server 2016 KB 5028169 (Build 14393.6085)

Windows 11 22H2 KB8028185 (Build 22621.1992)

Windows 11 21H2 KB5028182 (Build 22000.2176)

Leave a comment
by Richard M. Hicks on July 11, 2023  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, Certificate Services, certificates, CVE, Deployment, Device Management, Enterprise, enterprise mobility, Hotfix, Infrastructure, Load Balancing, Microsoft, Mobility, Operational Support, PKI, public key infrastructure, Remote Access, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 11, 2023

https://directaccess.richardhicks.com/2023/07/11/always-on-vpn-july-2023-security-updates/

« Older Posts
Newer Posts »