Remote Access Windows Server 2016 Protection - Part I
Authors: Mr. Benigno Rodriguez, jrodsoto@knights.ucf.edu; Dr. Cliff Zou, czou@cs.ucf.edu
Prerequisite:
- Knowledge of basic usage of a Linux machine and a virtual machine environment.
- Basic knowledge of networking and TCP/IP.
- Basic knowledge of Windows Server Services (DHCP, DNS, RAS)
Goals of this tutorial:
- Learning about possible vulnerabilities and protection of a Windows 2016 Server used as a Gateway (a server published on the public Internet)
- DMZ server TCP services connections to Internal Domain Server and services
- Firewall Configuration to protect DMZ and Internal Windows Services
- Client Remote Access Configuration and Protection
Software Needed:
- VirtualBox (if you do not have VirtualBox installed please see lab setup).
- Kali Linux VM for VirtualBox (can be downloaded here).
- Windows Server 2016 ISO file (download ISO file here).
- Windows 10 Enterprise ISO file (download ISO file here).
- Endian Community Firewall (download EFW-3.3 Version here).
Basic Introduction:
Windows Server 2016 as Gateway
External resources about this infrastructure can be found here.
Key Points for protecting Windows Server Gateway:
- The Remote Access Service (RAS) server is configured as a public server, and communication with internal services is required for remote user authentication.
- Access to internal services such as Active Directory, File Services, and Intranet Web applications must be properly configured for remote users (Network Access Policy Server)
- Protection of external Internet traffic from Remote Clients
- Firewall Configuration
Windows Server Gateway Infrastructure
RAS (Remote Access Services)
The RAS server consists of Windows Server 2016 installed as Standard Core. Two VirtualBox adapters will be required for this server; we will configure them with PowerShell from the command-line interface.
The server will also be joined to a single-forest domain. Therefore, an additional Windows 2016 server will be required to complete this lab.
The RAS server will also be configured to accept remote access connections from a Windows remote client virtual machine. The following diagram illustrates the lab topology. The Windows 10 client will be used on two separate networks.
Figure 1: Windows Server 2016 RAS Topology
System Overview
PDC Domain Services Windows 2016 Server
The PDC server is a virtual machine with a VirtualBox adapter configured as a host network. Two host networks and one NAT (network address translation) network are going to be created during the pre-configuration for the lab.
The server will also be configured as the primary domain server; therefore a single forest is required.
The PDC will authenticate the Windows remote client through the RAS server. Access connections between the RAS and PDC Windows virtual machines will be configured on the Endian FW/Router.
Figure 2: Windows Server RAS Login Page - Virtual Box VM
Endian Community Firewall/Router
Figure 3: Endian virtual software Firewall/Router
Endian Firewall/Router is community-version software that runs a Linux kernel and acts as a firewall and router for virtual machines.
This VM will be configured with four adapters, which will be created in VirtualBox. See PRE-Installation Configuration: here
The software, interfaces, and network rules will be configured through the console and the web GUI management interfaces provided by Endian.
LAB Instructions Breakdown - Below are an HTML document link and a portable downloadable file with instructions. The lab is broken down into the following main steps.
A) Pre-Installation and Configuration
- 1. Ensure VirtualBox is installed (instructions here)
- 2. Host Networks and NAT network creation
  - a. Create a host network for the DMZ network to inside traffic (ORANGE ADAPTER on Endian FW/Router)
  - b. Create a host network for the internal network (GREEN ADAPTER on Endian FW/Router)
  - c. Create a host network DMZ network for the outside private network traffic (BLUE ADAPTER on Endian FW/Router)
  - d. Create a NAT network for the outside network (RED ADAPTER on Endian FW/Router)

B) Download software requirement (click here to download ISO files)
- 1. Endian Firewall/Router Installation (instructions)
- 2. Windows 2016 Server Installation (instructions)
- 3. Windows 10 Client Installation (instructions)

C) Installation, Configuration, and testing of the following.
- 1. Endian FW/Router
- 2. Windows Server 2016 PDC
- 3. Windows Server 2016 RAS
- 4. Windows 10 Client
- 5. Securing