By Martin Heller
December 08, 2006
Microsoft Corp. has long encouraged its employees to "RAS" into the
corporate network from home or from the road to access e-mail, shared
files and applications.
RAS, short for Remote Access Services, is an old Microsoft term for what
most people now call a client VPN.
Microsoft, of course, maintains valuable intellectual property on its
internal network, including the source code to all its operating systems
and applications. These are constant targets for hackers, and Microsoft
tries to protect its most valuable assets with defenses in depth; they
are behind firewalls and on networks segmented with IPsec. In addition,
the entire network is monitored for suspicious activity, scanned for
malware and so on.
What do I mean by a constant target? Last year, Microsoft IT said it was
the target of more than 100,000 intrusion attempts per month. Currently,
Microsoft filters out about 9 million spam and virus e-mails a day out
of 10 million received. Yes, that means that roughly 90% of incoming
e-mails are spam.
In that environment, you'd think that VPN connections might expose
Microsoft to serious security risks. So how does Microsoft mitigate
those risks while continuing to offer VPN access to remote employees and
contractors? The answer to that is manifold.
The first layer of protection for the Microsoft VPN is two-factor
authentication. After an infamous incident in fall 2000, Microsoft
installed a certificate-based public-key infrastructure and rolled out
smart cards to all employees and contractors with remote access to the
network and individuals with elevated access accounts such as domain
Two-factor authentication requires something you have as well as
something you know. In this case, the physical factor is the smart card,
which holds the user's certificate and private key; the knowledge factor
is the PIN or password that unlocks it.
(The intrusion incident to which I refer was reported by the Wall Street
Journal and others, including Computerworld. The news reports said that
crackers gained access to Microsoft's network using a stolen username
and password, and were able to view, but not alter, some source code.
Microsoft disagrees with the information reported.)
"Today, we require a smart card with a valid certificate and PIN, as
well as network credentials and authorization to use the network
remotely," said Mark Estberg, director of Microsoft's internal security.
"We are 'dog-fooding' a deployment using Longhorn Server to implement
the same two-factor authorization with SSL VPN from ISA/Whale [acquired
by Microsoft in 2006], and with Network Access Protection for endpoint
scanning. The back-end authentication and authorization is handled by
integration with Active Directory and the Network Policy Server Windows
You might expect Microsoft to adopt biometric security. The company has
said it's evaluating it. As yet, however, it's sticking with smart
The second layer of protection for the Microsoft corporate VPN is a
connection "sandbox," implemented using Windows Server 2003's Network
Access Quarantine Control. Before a connected computer can access any
resources on the corporate network, a program scans the computer for
An approved operating system must be installed, along with all critical
security patches; the scanning program coordinates with Microsoft's
methods for deploying patches, such as the Microsoft Update site. In
addition, Windows Firewall must be enabled. Finally, the remote computer
must not be connected to any other VPNs or be using any other type of
If the scan finds a deficiency, it attempts to correct it. For example,
it will update antivirus signatures and force the installation of
critical security patches. If the user rejects these updates, the
scanner ends the connection. Once the scan has determined that the
computer is clean and fully patched, the connection is allowed out of
the sandbox and onto the corporate network.
All of this due diligence can be time-consuming, and potentially
annoying to users. According to Microsoft IT, scanning at VPN sign-in
can sometimes take as long as five minutes, and on rare occasions up to
15 minutes, for a computer that is not compliant with the standards and
has not recently connected to the network.
It would be normal human behavior to hold on to a connection that took
you 15 minutes to establish for as long as you conceivably could, and
VPN connections are a limited resource that shouldn't be squandered.
Therefore, the Microsoft VPN system speeds up the log-in process for
frequent VPN users.
The network servers remember what has been scanned at each log-in, and
grant a grace period before requiring a rescan. Frequent users of the
VPN can often log into the network in under a minute.
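The sandbox decision and the grace-period shortcut, as an added example that is not part of the original article and not Microsoft's quarantine scripts: fatal findings (unapproved OS, a second VPN) end the session, fixable ones (patches, firewall, signatures) are remediated unless the user refuses, and a host whose last clean scan is recent skips the scan. The report format, thresholds, patch labels and host name are constructed for illustration.

```python
"""Endpoint compliance gate modelled on the quarantine described above.
Added example, not Microsoft's Network Access Quarantine Control scripts.
The report format, policy thresholds and remediation hooks are assumptions;
the patch labels and host name are constructed, not real identifiers.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

ALLOW, DISCONNECT = "allow", "disconnect"

@dataclass(frozen=True)
class Policy:
    approved_os: frozenset          # operating systems allowed on the VPN
    critical_patches: frozenset     # patches every client must carry
    max_signature_age: timedelta    # how old antivirus signatures may be
    rescan_grace: timedelta         # how long a clean scan is remembered

@dataclass(frozen=True)
class EndpointReport:
    host: str
    os_name: str
    installed_patches: frozenset
    firewall_enabled: bool
    other_vpn_active: bool
    signature_date: datetime

def find_deficiencies(rep, pol, now):
    """Split failed checks into ones the scanner can fix and ones it cannot."""
    fixable, fatal = [], []
    if rep.os_name not in pol.approved_os:
        fatal.append(f"unapproved operating system {rep.os_name!r}")
    if rep.other_vpn_active:
        fatal.append("another VPN tunnel is active")
    missing = sorted(pol.critical_patches - rep.installed_patches)
    if missing:
        fixable.append("missing critical patches: " + ", ".join(missing))
    if not rep.firewall_enabled:
        fixable.append("Windows Firewall disabled")
    if now - rep.signature_date > pol.max_signature_age:
        fixable.append("antivirus signatures out of date")
    return fixable, fatal

def remediate(rep, pol, now):
    """Simulated remediation: install patches, enable firewall, refresh signatures."""
    return replace(rep, installed_patches=rep.installed_patches | pol.critical_patches,
                   firewall_enabled=True, signature_date=now)

class QuarantineGate:
    """Decides whether a freshly connected client may leave the sandbox."""

    def __init__(self, policy):
        self.policy = policy
        self.last_clean = {}  # host -> time of its last clean scan

    def admit(self, rep, now, user_accepts_updates=True):
        """Return (decision, reasons). Recently clean hosts skip the full scan."""
        last = self.last_clean.get(rep.host)
        if last is not None and now - last <= self.policy.rescan_grace:
            return ALLOW, ["clean scan within grace period"]
        fixable, fatal = find_deficiencies(rep, self.policy, now)
        if fatal:
            return DISCONNECT, fatal  # nothing the scanner can do about these
        if fixable and not user_accepts_updates:
            return DISCONNECT, ["user rejected required updates"] + fixable
        if fixable:
            rep = remediate(rep, self.policy, now)
            still_broken, _ = find_deficiencies(rep, self.policy, now)
            if still_broken:
                return DISCONNECT, still_broken
        self.last_clean[rep.host] = now
        return ALLOW, ["remediated: " + r for r in fixable] or ["compliant"]

# Constructed sample data for the walk-through below.
SCAN_TIME = datetime(2006, 12, 8, 9, 0)
SAMPLE_POLICY = Policy(
    approved_os=frozenset({"Windows XP SP2"}),
    critical_patches=frozenset({"PATCH-1", "PATCH-2"}),
    max_signature_age=timedelta(days=3),
    rescan_grace=timedelta(hours=8),
)
SAMPLE_REPORT = EndpointReport(
    host="laptop-1", os_name="Windows XP SP2",
    installed_patches=frozenset({"PATCH-1"}), firewall_enabled=False,
    other_vpn_active=False, signature_date=SCAN_TIME - timedelta(days=10),
)

def demo():
    """First sign-in is remediated; a second inside the grace period is
    fast-tracked; a third after it, with updates refused, is cut off."""
    gate = QuarantineGate(SAMPLE_POLICY)
    first = gate.admit(SAMPLE_REPORT, SCAN_TIME)
    second = gate.admit(SAMPLE_REPORT, SCAN_TIME + timedelta(hours=1))
    third = gate.admit(SAMPLE_REPORT, SCAN_TIME + timedelta(hours=9),
                       user_accepts_updates=False)
    return [first[0], second[0], third[0]]  # ['allow', 'allow', 'disconnect']
```

The split between fixable and fatal findings is the design point: a scanner should only ever auto-remediate things it can verify afterwards, and it re-runs the checks after remediation rather than trusting that the fix worked. The grace-period lookup is keyed on the host, which is what makes the "frequent users log in under a minute" shortcut possible without weakening the first-connection scan.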
Encryption and strong passwords
Microsoft follows its own recommendations for VPN encryption,
authentication, password strength, and password updates. Microsoft says
that the most secure VPN authentication is provided by Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) used with
smart cards, and that's exactly what it uses itself: the client signs
with the private key held on the card and the server presents its own
certificate, so no password ever crosses the link. Point-to-Point
Tunneling Protocol (PPTP) provides the encapsulation and MPPE
encryption, with the MPPE session keys derived from the EAP-TLS exchange
rather than from a password hash.
Windows Server 2003's default domain password policy requires moderately
long passwords drawn from at least three of the character classes
(uppercase, lowercase, numeric and symbol characters), along with a
mandatory password change every so many days. Microsoft runs a slightly
stricter version of that policy on its own network; put the other way
round, the shipped default is a slightly relaxed version of the secure
password policy Microsoft first deployed and vetted internally.
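As an added illustration (my code, not Microsoft's password filter or the article's own material), a check that implements the complexity rule Windows documents for "Password must meet complexity requirements", parameterized so the shipped Windows Server 2003 defaults and a stricter profile can be compared. The STRICTER numbers are an assumption, since the article gives none for Microsoft's internal policy; the sample names in the usage are constructed.

```python
"""Windows-style password policy check.
Added example, not Microsoft's own password filter. Implements the rule
Windows documents as "Password must meet complexity requirements": at
least six characters, three of five character classes, and no occurrence
of the account name or of any three-plus-character part of the full name,
plus the length and maximum-age settings from the domain policy.
STRICTER is a hypothetical profile for comparison (assumption).
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int      # "Minimum password length"
    max_age_days: int    # "Maximum password age"
    complexity: bool     # "Password must meet complexity requirements"

# Windows Server 2003 default domain policy values.
DEFAULT_2003 = PasswordPolicy(min_length=7, max_age_days=42, complexity=True)
# Hypothetical stricter profile (assumption, for comparison only).
STRICTER = PasswordPolicy(min_length=14, max_age_days=30, complexity=True)

def character_classes(pw):
    """The five classes Windows counts: upper, lower, digit, symbol, caseless letter."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("caseless_alpha")  # e.g. CJK characters
        else:
            classes.add("symbol")
    return classes

def name_tokens(full_name):
    """Parts of the display name, split on the delimiters Windows uses;
    only tokens of three or more characters are checked."""
    return [t for t in re.split(r"[,.\-_ #\t]+", full_name) if len(t) >= 3]

def complexity_violations(pw, account_name, full_name):
    """Reasons the password fails the Windows complexity rule (case-insensitive)."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if len(character_classes(pw)) < 3:
        problems.append("fewer than 3 character classes")
    lowered = pw.lower()
    if account_name and account_name.lower() in lowered:
        problems.append("contains account name")
    for tok in name_tokens(full_name):
        if tok.lower() in lowered:
            problems.append(f"contains part of full name {tok!r}")
    return problems

def check_password(pw, account_name, full_name, policy):
    """All reasons a proposed password fails the policy; empty list means accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than policy minimum {policy.min_length}")
    if policy.complexity:
        problems.extend(complexity_violations(pw, account_name, full_name))
    return problems

def password_expired(last_set, today, policy):
    """True once the password is older than the policy's maximum age."""
    return today - last_set > timedelta(days=policy.max_age_days)

# Constructed usage: the same candidate under the default and stricter profiles.
DEFAULT_RESULT = check_password("Summer2006!", "jsmith", "John Smith", DEFAULT_2003)
STRICT_RESULT = check_password("Summer2006!", "jsmith", "John Smith", STRICTER)
```

Two points worth noting for anyone reproducing this: the name check is case-insensitive and looks at every token of the display name, so "Smith2006!" fails even though it satisfies the class rule; and the policy minimum length is checked separately from the six-character floor built into the complexity rule, which is why a very short candidate can collect both complaints.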
E-mail and IM without RAS
At one time, Microsoft would run out of VPN connections every time there
was snow in the Puget Sound area, because most employees working from
home would connect to the VPN to send and receive e-mail to and from
their Exchange server for extended periods.
Microsoft employees, in general, send and receive huge amounts of
e-mail, and use it as one of their principal ways to collaborate and
manage. Eventually, the Exchange group developed a method for connecting
to mail servers with full functionality without requiring the client to
be on the network.
This method tunnels Outlook's native RPC traffic to Exchange inside
HTTPS (RPC over HTTP, the feature Exchange 2007 calls Outlook Anywhere),
so the only listener exposed to the Internet is an SSL-protected proxy
rather than the Exchange server's RPC ports. Microsoft deployed Exchange
proxy servers, as well as
scripts to simplify the proxy setup for Outlook clients, several years
This is ideal for employees and contractors working remotely from their
own computers, and eliminates the need to use the VPN for e-mail. It
offers more functionality than standard POP3 or IMAP mail or Web mail.
Exchange also has Web mail, and Microsoft has heavy internal usage of
Outlook Web Access.
Many Microsoft employees have so much e-mail that they develop a backlog
of unread noncritical messages. One way to cut through that backlog is
instant messaging, and Microsoft offers an enterprise-class product in
that area, Microsoft Office Communicator 2005. That product can work
securely over the Internet without a VPN connection, using a proxy. It
evolved from earlier internal instant messaging systems that forced
users to connect to the VPN to send secure instant messages.
External SharePoint sites
Another common reason for connecting to the VPN is to work with files
from the network. That's perfectly reasonable when only a few people
need access to the files, or the files are very sensitive. On the other
hand, it doesn't make a lot of sense to tie up the VPN for
low-sensitivity files that many people need when they're working
remotely, such as the official Microsoft glossary of computer terms.
To serve those needs, Microsoft IT has set up several SharePoint sites
as secure password-protected extranets. More accurately, what Microsoft
IT did was empower employees to set up their own SharePoint sites as
intranets or extranets, depending on the target audience and sensitivity
of the material, and post their own content.
So, for example, writers working on Microsoft projects can download the
Word templates they need from an extranet site run by the group that
manages that kind of writing project, and download the current copyright
and trademark list from another extranet site maintained by Microsoft's
"Recently, we had a snowstorm hit at our headquarters, and we estimate
that more than three quarters of Microsoft's Seattle-area workers
checked e-mail and did other work from home," said Microsoft CIO Stuart
Scott. "Our network and Exchange environments scaled to meet this need
while doing so securely."
Martin Heller develops software and writes from Andover, Mass. Reach
Martin at cw (at) mheller.com.