
[Closed] Calling sysadmins - Windows Server 2016 VPN

Posts: 51
Free Member
Topic starter
 

I've been tasked with setting up a VPN into our work network for the purposes of accessing internal file shares remotely. We are running Windows Server 2016, so it's out of the box functionality with plenty of online guides to help. The answer I am struggling to find however, is which server to put it on.

I have a choice of 3. PDC, BDC or file server. Given the usage it's likely to get I wouldn't imagine load will be an issue, so that aside, where is the most sensible place to put it?


 
Posted : 14/11/2019 10:16 am
Posts: 77691
Free Member
 

What's this PDC and BDC you speak of? Have you accidentally installed NT4?

In the grand scheme of things I don't suppose it matters hugely, it's an endpoint into your network and they won't be RDPing to any of those machines directly or anything. Though I'm generally of the opinion that it's a good idea to install as little shit as possible onto a DC unless it's software which explicitly needs to run on one.

Depending on what else you're running (Office 365?) I might be tempted to sack off the idea and shift the lot into OneDrive / Sharepoint.


 
Posted : 14/11/2019 10:57 am
Posts: 0
Free Member
 

A 3rd party VPN, or are you trying to implement Windows Always On VPN (the replacement for DirectAccess)? Ideally though, whichever it is, Cougar is right: if you must VPN, don't put the endpoint on the DC, and even better stop using shares and go to OneDrive/SharePoint Online/Teams.


 
Posted : 14/11/2019 11:04 am
Posts: 8672
Full Member
 

1) Never install another role onto a DC.

2) Can you really not get another server to dedicate to this role? Or better yet a decent appliance VPN (e.g. a Cisco ASA). In theory setting up a Windows Server 2016-based VPN can be done securely, it's just easy to screw up the config and the entry point is then straight onto where your data is, which isn't a good idea.

Doing it properly is more expensive but then so is getting all your data stolen/corrupted with malware. OK, slightly alarmist but it does happen, especially if there's not rock-solid controls on your end points (e.g. can your users download anything they want from the Internet as long as it passes an AV check before they connect into your file share via the VPN)?


 
Posted : 14/11/2019 11:05 am
Posts: 1254
Free Member
 

If you have a network firewall, it's likely that it would offer VPN connectivity.


 
Posted : 14/11/2019 11:07 am
Posts: 51
Free Member
Topic starter
 

NT4 was probably about the last time I did any Windows sysadmin type work, so forgive my outdated terminology. Moving the whole lot to OneDrive isn't really an option right now.

The general consensus seems to be the file server is the best place to put it, so there it shall go.

Many thanks all for your input.


 
Posted : 14/11/2019 11:11 am
Posts: 4660
Full Member
 

Jeesus, the RAS role really should go somewhere separate. You could put Hyper-V on your file server and then install it on a virtual server there. With some network skullduggery have that (the virtual server) sat in a DMZ. It really is wing-and-a-prayer IT infrastructure though and you're basically asking to be hacked.

If you want to do this "properly" on the cheap, buy a Raspberry Pi, install OpenVPN and use that as your endpoint, or get a decent ADSL router to do the job. A little SonicWall device would be ideal here.

That, and move to OneDrive.


 
Posted : 14/11/2019 11:18 am
Posts: 77691
Free Member
 

NT4 was probably about the last time I did any Windows sysadmin type work, so forgive my outdated terminology.

Then with all due respect, I'd suggest hiring a contractor for an afternoon. There are a lot of ways this could go sideways, badly, if you're not sure what you're doing.

You could put hyperv on your file server and then install it on a virtual server there.

Ooh, that's a good idea.

I didn't suggest a separate box as I assumed there was no budget for that, but with Hyper-V you get a couple of 'free' server licences don't you.


 
Posted : 14/11/2019 11:22 am
Posts: 13239
Full Member
 

I would also second getting a contractor in. If it all goes wrong the third party takes the blame, you just get grief for poor contractor choice. (From another bod who does networks and servers as a part-time job as well as my 'proper' one).


 
Posted : 14/11/2019 2:34 pm
Posts: 4660
Full Member
 

Just had a thought: cover your ass. Send an email to the effect of “I will implement this, but I need it to be known that I’ve looked into it and other IT professionals don’t think it’s a great idea as it presents a security risk.”

I’ve been in IT since 1998. The two best tools are: a kettle so you can go make a cuppa and see if it fixes itself and a Teflon suit.


 
Posted : 14/11/2019 11:41 pm
Posts: 6898
Full Member
 

Regardless of your choice of VPN server what about access control? How are users going to authenticate (user/pass, OTP) and will they be able to VPN from any machine or will you look at restricting access from only devices that need it? A well configured top of the range VPN is still a big hole when it’s easy to guess/steal credentials.


 
Posted : 15/11/2019 12:23 am
Posts: 51
Free Member
Topic starter
 

Just had a thought: cover your ass. Send an email to the effect of “I will implement this, but I need it to be known that I’ve looked into it and other IT professionals don’t think it’s a great idea as it presents a security risk.”

I’ve been in IT since 1998. The two best tools are: a kettle so you can go make a cuppa and see if it fixes itself and a Teflon suit.

This is a great suggestion. I think that given the response on here I might first try the "Have you considered sharepoint" approach, with a few pro's thrown in. We have a 1Gbps dedicated line for < 30 of us, so whilst it will get a workout I reckon it should cope.

As for the best IT tools, you forgot about the special turn-it-off-and-on-again finger that no end user seems to possess.


 
Posted : 15/11/2019 9:20 am
Posts: 8934
Full Member
 

I am going to echo pretty much everything that has been said before... A DC should just do its job and really nothing else. If that gets hit or pwned, you have lost your domain. It needs to be treated with a lot of respect.

I genuinely have to recommend looking at using an appliance for the role. There are some decent ones available now, but I would go for a reputable brand and one that offers security updates and good control over how users can travel through it. I am biased towards Palo Alto (because their kit is very good), but that might be a little too expensive for you. They do offer a good client and you can configure kit to use an always on VPN so that there should be no issues about work laptops using work resources over dirty internet.

Something like this can't really be bodged, not if you want it done well. Look around for a good contractor and make sure the requirements are fully documented. Get them to document how they did it and what you need to do to maintain it. For the love of [deity] use some sort of MFA to authenticate to the portal.


 
Posted : 15/11/2019 9:28 am
Posts: 3735
Free Member
 

What's your firewall in the office?

If it doesn't support client/P2S VPN connections I'd probably just spin up a network in Azure with a virtual network gateway, set a Site to Site VPN up with your on-prem appliance and then configure a P2S connection from there.

You should be good to install RADIUS on the file server if you want your users to connect with their AD creds and 2fa with NPS extensions if you've got O365 licenses.

I would seriously look at using OneDrive and office365 though, that's by far the best solution for a small shop looking for collaborative file sharing.

Rough calculations suggest that the Azure Basic VPN SKU is $315 a year with up to 128 P2S connections.


 
Posted : 15/11/2019 9:50 am
Posts: 0
Free Member
 

SharePoint and OneDrive are still fairly weak security-wise unless MFA and conditional access are implemented... which opens another can of worms.

What firewall are you using? Most will act as a VPN end point, some don't need additional licensing either, like little DrayTek routers.

We've used RRAS on servers for clients and configured it securely (as secure as any remote access tool). It works well, has negligible impact on the host server, the VPN client is native to Windows and you can lock down which users can connect to the VPN. I'd also recommend you review the password policy and ensure it locks out accounts after 10 failed attempts. Repeated lockouts show that someone's knocking at your door! If you go down the server route, make sure the servers are patched every month, without fail.

As you've gathered, there's no perfect way to get remote access to your network. Pick one that suits your requirements and secure it as well as possible. Goes without saying that you need to ensure you have good backups. Lots of ransomware doing the rounds right now, some very sophisticated.


 
Posted : 15/11/2019 2:22 pm
Posts: 0
Free Member
 

SharePoint and OneDrive are still fairly weak security-wise

/Offtopic, how are you quantifying this? Do you actually mean they're weak as in as weak as any other service which uses a username and password or are you willing to share some other secret issues around Office 365?
Conditional access is a superb tool to secure cloud services via Azure AD (and with the new report only mode launched at Ignite last week its implementation can be planned better than ever before), but given the OP is in NT4 land, the whole cloud and federated identity thing is probably running before he can walk 😉


 
Posted : 15/11/2019 2:34 pm
Posts: 6898
Full Member
 

I’d also recommend you review the password policy and ensure it locks out accounts after 10 failed attempts.

Get your DoS on.


 
Posted : 15/11/2019 3:01 pm
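The lockout-policy advice above ("repeated lockouts show that someone's knocking at your door") and the DoS objection to it both come down to reading the same events per source address. Here is an added example, written for this thread rather than taken from any of the posts, that triages a constructed sample of Windows Security events (real event IDs 4625 = failed logon and 4740 = account locked out, in a simplified flat line format rather than real EVTX/XML) and tells a single brute-forced account apart from one address locking out many users:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10  # the "lock out after 10 failed attempts" policy from the post

def make_sample():
    """Constructed sample events (not real log data) as 'timestamp|event_id|account|source'.
    4625 (failed logon) and 4740 (account locked out) are the real Windows Security
    event IDs; the flat line format is a simplification of the EVTX/XML records."""
    base, t, lines = datetime(2019, 11, 15, 14, 0, 0), 0, []
    def add(eid, acct, src):
        nonlocal t
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()}|{eid}|{acct}|{src}")
        t += 3
    for i in range(12):                      # one account hammered until the policy trips
        add(4625, "jsmith", "203.0.113.7")
        if i == LOCKOUT_THRESHOLD - 1:
            add(4740, "jsmith", "203.0.113.7")
    for acct in ("alice", "bob", "carol"):   # many accounts driven to lockout from one address
        for _ in range(LOCKOUT_THRESHOLD):
            add(4625, acct, "198.51.100.23")
        add(4740, acct, "198.51.100.23")
    add(4625, "dave", "192.0.2.5")           # a user mistyping a password twice
    add(4625, "dave", "192.0.2.5")
    return "\n".join(lines)

def parse_events(text):
    """Turn the flat lines into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, acct, src = line.split("|")
            events.append((datetime.fromisoformat(ts), int(eid), acct, src))
    return events

def triage(events):
    """Per source address: (failed logons, accounts locked out, verdict)."""
    failed, locked = Counter(), defaultdict(set)
    for _, eid, acct, src in events:
        if eid == 4625:
            failed[src] += 1
        elif eid == 4740:
            locked[src].add(acct)
    report = {}
    for src, n in failed.items():
        n_locked = len(locked[src])
        # more than one account locked from one address is the lockout-policy DoS pattern
        verdict = ("mass lockout (DoS pattern)" if n_locked > 1 else
                   "single account brute force" if n_locked == 1 else "likely user typo")
        report[src] = (n, n_locked, verdict)
    return report
```

Running `triage(parse_events(make_sample()))` flags 198.51.100.23 as the address locking out three users at once, which is the case a lockout threshold alone cannot distinguish from a legitimate forgotten password without this per-source view.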
Posts: 0
Free Member
 

@mickyfinn SharePoint and OneDrive, when first set up, have lots of features enabled by default which are not good from a data security point of view. They are designed and enabled by default to allow staff to access the files from anywhere, by anyone, and data can be shared with other external parties with a few mouse clicks and without any authoritative checks.

Reminds me of the pre-2003 Exchange servers that had every service under the sun enabled by default and were an open relay out-of-the-box. It was then up to the admin to secure it. Microsoft reversed this posture for later versions of Exchange. I think they need to take this approach with 365 too. It's too open in my opinion.

MFA/conditional access should be used for all accounts and IMO should be mandatory for 365 users, not optional. I've personally gained global admin rights for a tenant and all I started with was a standard user account in that tenant. I won't say how for obvious reasons. All it would take is a phisher to get working creds and they could get global admin rights to the entire tenant, if & when that knowledge becomes available, unless Microsoft close that loophole of course.

If the OP's experience is of the NT4 era (that's when I got into IT) then managing a VPN (server or router based) will be more familiar from a skillset point of view than setting up sharepoint in a secure way.

I agree that getting in someone who knows what they're doing is the best way to go about this.


 
Posted : 15/11/2019 3:35 pm
Posts: 77691
Free Member
 

/Offtopic, how are you quantifying this?

Because passwords are shit and not fit for purpose in 2019, 2FA all the way. I was playing with Duo recently, it seemed really good and a piece of piss to set up.

Reminds me of the pre-2003 Exchange servers that had every service under the sun enabled by default and was an open relay out of-the-box. It was then up to the admin to secure it. Microsoft reversed this posture for later versions of exchange.

Heh, I was literally just talking about this in work about two hours ago.


 
Posted : 15/11/2019 4:41 pm
Posts: 167
Full Member
 

I'd suggest spending the cash, getting a small Fortigate firewall (even off eBay) and some Fortitokens for 2FA. The Fortigate allows for full featured VPN with a client, or client-less SSL based access to file shares/web servers via a web browser. Also, has an HTML5 RDP client if you have a terminal server on the inside (or maybe build a terminal server from one of your extra Hyper-V Server licenses and use the 120 day trial RDS license as a 'bait and switch' tactic for those that make use of it 😉 ).

Either way, I'd strongly suggest a dedicated piece of hardware built for the task. Someone suggested a Raspberry Pi with OpenVPN - these work well, just make sure you use a decent SD card! (Many 'cheapie' cards corrupt with Pis.) Or, build a virtual Linux box and install OpenVPN on that.

(more years than I care to remember working in IT - 32 at last count!)


 
Posted : 15/11/2019 7:20 pm