Earlier this year, Microsoft Office 365 and Microsoft Azure were granted OFFICIAL accreditation by CESG. Ever since then, customers have been asking when Microsoft's private cloud solutions would get the same treatment. Good news! Microsoft's VPN stack, including DirectAccess, is now certified for use by UK Government offices for all OFFICIAL business.
What certifications were completed?
Windows 7 and 8.1, as well as Windows Server 2012 R2, have undergone CPA certification, using evidence from our Common Criteria evaluation. Windows 8.1 has been certified as meeting the Foundation Grade requirements, as described in the IPsec Client SC, while Windows Server 2012 R2 has met the equivalent requirements. Windows 7 and 8.1 have both been certified as meeting the equivalent of Foundation Grade requirements, as described in the IPsec Client SC, when using DirectAccess to connect to Windows Server 2012 R2.
What does the certification mean for me and my office?
It means that DirectAccess can finally be used by government offices for OFFICIAL and OFFICIAL – SENSITIVE business. It also enables offices to meet their PSN security compliance responsibilities. These changes save the customer money and make things much simpler for the end user.
Is DirectAccess compatible with PSN Compliance?
DirectAccess needs to be run in the correct configuration in order to be compatible with the PSN security profile. That configuration is covered in the security procedures and the end user device guidance.
What about managed tunnel services?
To reconcile security concerns with performance requirements, Microsoft uses a specialised form of split tunnel called a "managed tunnel" approach. When certain traffic, such as Lync traffic, goes from a managed end point to a managed server over a secure and encrypted channel, it does not need to go down the DirectAccess channel as well. There are similar examples for other services, where the traffic is well understood and/or is going to and from a secure end point over a secure channel. Microsoft controls this managed tunnel with firewall policies that are outside of the end user's direct control. By default, all traffic goes to the government enterprise before going to the internet, with some very well defined exceptions, which can be extended to cover similarly scoped and well understood information exchanges.
Is 2-factor authentication necessary?
There will be multiple factors of authentication present, most of which will be handled under the hood, away from the end user. Most users will power up a device, enter their BitLocker password, and authenticate using their user name and password. While this is happening, there are two more factors of authentication in play behind the scenes: a PKI certificate for the computer and Kerberos authentication. Of course, if an office requires additional security factors, then a virtual smart card can be added to the mix.
My office is interested in deploying DirectAccess but we'll need some help. Where can we turn?
Deploying DirectAccess isn't a trivial matter. Fortunately, Microsoft Services and Premier Support, as well as partner-based services, are there to help.
Will the end user device guidance be updated to reflect this?
The end user device guidance for Windows 8.1 and Windows 7 has now been updated to reflect the new evaluation.
Where is the notification/configuration guidance available?
The notification is available on the CESG website and the security procedures are available to government customers via firstname.lastname@example.org.
Presumably, Captive Portals do not fall under the managed tunnel service since traffic would be unencrypted and the same issues re. end user device compromise could exist if allowed to do so?
In addition, it would require some proxy/content management exceptions too?
By the way, I am typing this in Starbucks using an Android phone to do Wi-Fi to Wi-Fi sharing and captive portal remediation whilst using my VPN.