Wednesday, December 14, 2011

Enforcing PC identity with Endpoint Connect client

One of the common challenges with Remote Access VPN is the need to enforce the identity of the endpoint client. In other words, it is sometimes necessary to deny VPN access from non-corporate PCs.

It comes naturally if Microsoft Remote Access is in use, because there you can check the machine certificate. With Check Point clients, such as SecureClient or Endpoint Connect, this is not so straightforward. Although you can run thorough compliance checks with SCV scripts, you cannot use machine certificates directly.

Of course, there is a way to create a script or a binary that would check the certificate and report the result to SCV, but this is a complex task.

There is a simpler way to work machine identity into the SCV process. RegMonitor is part of the SCV functionality. It allows you to check various registry parameters for existence and for their values. So if we can find a unique key entry or a string value in the registry, SCV will be able to decide whether an endpoint machine is part of the corporate domain or not.

If you look at the "Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership" entries in the Windows Registry, you will see a number of groups defined for users. Each one of them has a unique SID. At least one group is common to all domain users, which means at least one of the group SID entries will be the same throughout the domain. Spoofing this entry is possible, but not easy either, as changing the default group SID can make a non-domain PC unusable.

Group SID entries are also version independent: they will be the same for all domain users from XP to Windows 7.

A simple SCV RegMonitor script would give you a fair indication of an endpoint being a managed PC. It will work with both the SecureClient and the Endpoint Connect client.
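Before writing the RegMonitor rule you need to pick the right SID: one that every domain user carries but that a non-domain PC will not have. The script below is an added example, not part of the original post or of Check Point's SCV; it intersects the GroupMembership entries of several profiles and keeps only domain-issued SIDs, filtering out well-known ones (Everyone, BUILTIN\Users, ...) that exist on every Windows machine and would let a home PC pass. The registry layout assumed (one GroupMembership subkey per user SID with values Count and Group0..GroupN) and all SIDs are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Domain-issued SIDs look like S-1-5-21-<domain>-<RID>; anything else
# (S-1-1-0 Everyone, S-1-5-11 Authenticated Users, S-1-5-32-545 Users, ...)
# exists on every Windows box and proves nothing about domain membership.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
GROUP_VALUE_RE = re.compile(r"^Group\d+$")

def group_sids(membership: Dict[str, str]) -> Set[str]:
    """Collect Group0..GroupN values; 'Count' is bookkeeping and is skipped."""
    return {v for k, v in membership.items() if GROUP_VALUE_RE.match(k)}

def common_domain_sids(per_user: Dict[str, Dict[str, str]]) -> List[str]:
    """SIDs carried by every profile that are domain-issued: RegMonitor candidates."""
    sets = [group_sids(m) for m in per_user.values()]
    if not sets:
        return []
    return sorted(s for s in set.intersection(*sets) if DOMAIN_SID_RE.match(s))

def is_domain_member(membership: Dict[str, str], required_sid: str) -> bool:
    """What the RegMonitor rule decides: is the chosen SID present for this profile?"""
    return required_sid in group_sids(membership)

# Constructed sample data (assumed layout: one GroupMembership subkey per user SID
# under HKLM\...\Group Policy\State, values Count and Group0..GroupN). All SIDs
# below are made up for this example.
CORP_PC_PROFILES = {
    "S-1-5-21-1111-2222-3333-1105": {"Count": "4", "Group0": "S-1-1-0",
        "Group1": "S-1-5-32-545", "Group2": "S-1-5-21-1111-2222-3333-513",
        "Group3": "S-1-5-21-1111-2222-3333-1201"},
    "S-1-5-21-1111-2222-3333-1106": {"Count": "4", "Group0": "S-1-1-0",
        "Group1": "S-1-5-32-545", "Group2": "S-1-5-21-1111-2222-3333-513",
        "Group3": "S-1-5-21-1111-2222-3333-1305"},
}
# A local account on a non-domain PC: shares the well-known SIDs only.
HOME_PC_PROFILE = {"Count": "3", "Group0": "S-1-1-0", "Group1": "S-1-5-32-545",
                   "Group2": "S-1-5-32-544"}

if __name__ == "__main__":
    candidates = common_domain_sids(CORP_PC_PROFILES)
    print("RegMonitor candidates:", candidates)  # ['S-1-5-21-1111-2222-3333-513']
    for name, prof in (("corp user", CORP_PC_PROFILES["S-1-5-21-1111-2222-3333-1105"]),
                       ("home user", HOME_PC_PROFILE)):
        print(name, "->", "allow" if is_domain_member(prof, candidates[0]) else "deny")
```

Note that a plain intersection without the domain filter would also return S-1-1-0 and S-1-5-32-545, which the home profile carries as well; that is why the rule must point at the S-1-5-21 SID.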

This approach is not ideal, but quite a good one, in my humble opinion.
