Quick VPN question (Server 2012 R2)

thecomputerguy

I have a Server 2012 R2 DC set up with VPN connectivity, and I'm just looking for best practice for a user who connects locally onsite with a laptop and then takes that laptop offsite to connect through the VPN.

1.) Should I use the same user account they log on locally with for the VPN connection as well, and just give that account dial-in access and up the password complexity?

They will complain about having to type in a very complex password just to log on at work, because I want high complexity for the VPN. Or should I make a separate user account, call it "jdoevpn", "jsmithvpn", etc., and use that account with a complex password for the VPN for each user?

2.) Is it safe to allow the user to use their mapped drives through the VPN connection, or should I remove mapped drives for remote users and just use UNC paths, so that if they are hit with ransomware offsite they don't infect the mapped drive via the VPN?
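The "same account, dial-in access, stricter password" option from question 1, as an added example that is not from any post in this thread. It uses a fine-grained password policy (PSO) so the tougher requirements are scoped to a group of VPN users rather than a second "jdoevpn" account. The group name ("VPN Users"), the PSO name, the user "jdoe" and the policy values are assumptions; the cmdlets are the standard ActiveDirectory module ones available on a 2012 R2 DC.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module is loaded on the 2012 R2 DC and that "VPN Users" and "jdoe" are
# placeholders for your own group and user.
Import-Module ActiveDirectory

$VpnGroup = "VPN Users"   # assumed group name; created below if missing
$VpnUser  = "jdoe"        # assumed sAMAccountName of an existing user

# 1. A global security group that identifies the VPN population.
#    (PSOs can only be applied to users and global security groups.)
if (-not (Get-ADGroup -Filter "Name -eq '$VpnGroup'")) {
    New-ADGroup -Name $VpnGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $VpnGroup -Members $VpnUser

# 2. A fine-grained password policy applied only to that group, so the
#    stricter rules follow the account whether it logs on at a desk or over
#    the VPN, without a second account to manage. Values are assumptions.
$PsoName = "PSO-VPN-Users"
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" `
        -MaxPasswordAge "180.00:00:00" `
        -LockoutThreshold 5 `
        -LockoutObservationWindow "00:30:00" `
        -LockoutDuration "00:30:00" `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $VpnGroup
}

# 3. Grant dial-in ("Network Access Permission: Allow") on the same account.
Set-ADUser -Identity $VpnUser -Replace @{ msNPAllowDialin = $true }

# 4. Verify: the user's resultant policy should be the PSO (not the domain
#    default), and the dial-in attribute should read True.
Get-ADUserResultantPasswordPolicy -Identity $VpnUser |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
Get-ADUser -Identity $VpnUser -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin
```

Two caveats: the per-account dial-in flag only matters if the NPS network policy used by RRAS is not set to ignore user account dial-in properties (if you prefer policy-based control, the same "VPN Users" group works as a Windows Groups condition there), and a PSO raises the password bar for the desk logon too, since it is one account; that trade-off is exactly what question 1 is about.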
 
I'll be honest. I hate/dread the thought of a Windows Server hanging that level of authentication outside on the wild side. I have grown to greatly appreciate having a separate hardware appliance do the VPN duties, such as a UTM like Untangle, or a basic business-level router like a Ubiquiti.
Just having Windows Server exposed like that gives me the heebie-jeebies... I'd want to format that server on a weekly basis!

Untangle has OpenVPN in the free version, and that can authenticate against Active Directory with the paid-for version. Another option is L2TP VPN via the IPsec module; the native Windows 10 VPN adapter client supports that easy peasy!

Not long ago, I helped out the IT guy at an aircraft engine repair place... they do work with gov't contracts, so security is important. They had end users PPTP VPN'ing in... one of their DCs had port 1723 sticking outside the firewall! YIKES!!! Got them on Untangle.

Mapped vs. UNC... doesn't matter. Malware can scan/find/whack both.

But if all they need is access to files... how about a different approach, one that is simpler and more secure: a cloud file sync service, like OwnCloud, DattoDrive, SharePoint, etc.
 
It's not so much having a different username/password for their VPN; to me, the security of the sessions doesn't bother me. It's the fact that a Windows Server authentication service is exposed to the wild side like that... grinding attacks... grinding... exploits... vulnerabilities...
 
Guess the first question is: what is handling the VPN? The M$ server or a dedicated appliance? As @YeOldeStonecat mentioned, it's not conducive to a good night's sleep to have any M$ Server exposing itself to the public. There are just way too many possible ways to break it, and just having a long, complex password will not do anything to stop many of them.

I used to use OS X Server as a VPN server, it being a *nix OS. Even then, I've stopped that and only use an edge device that can handle VPN. So far only Ubiquiti, since all of my customers are small.
 
From what I gather, it sounds like you're asking how we normally authenticate a VPN user onto the network when the network contains a domain, is that correct?

I would say about 75% of the time I will configure the Windows Server to use LDAP, and configure the VPN appliance to authenticate against the domain using LDAP. This way the users will use the same logins for the domain as for their VPN, and if they change their password, the change will be reflected in the VPN authentication as well, since it's looking in the same place.

The other 25% of the time I use a local database (local to the VPN appliance), and that's only because they are either very small (< 5 users) or they are cloud-driven and rarely ever use it.
 
Why do they need VPN? If it is just to access files, then why not use Dropbox or OneDrive? And if you claim security, I am going to sit and roll around on the floor laughing my guts out at the idea that exposing your undermanaged (unless you are full-time 24/7 in-house IT, then you're undermanaged), likely not encrypted server over the internet is better than ISO-certified data centers.

If they need to run apps over this connection, you are going to find that most do not perform well with the overhead of a VPN connection. You are better off setting up a remote desktop for that kind of work.
 