Wednesday, February 17, 2010

Should Microsoft have a different policy on the default behavior of their Teredo client?

With Windows 7 deployments increasing, there is a legitimate question whether Microsoft has the best policy for non-domain-joined client machines, where the Teredo client is enabled but dormant by default. Many forum and security posts report that even minor changes in the OS are enough to wake the Teredo client and bring it fully online. While the new Windows Firewall with Advanced Security is certainly IPv6-ready and has a good default posture, it concerns many people that the Teredo client goes out to teredo.ipv6.microsoft.com automatically and obtains a legitimate, globally routable IPv6 address.

I personally have not seen this behavior on the Windows 7 clients I have used, but I tend to use clients that are joined to a domain rather than stand-alone clients. The behavior of non-domain-joined machines seems to be different than that of domain-joined ones, and this is likely to address the home/SMB market and the different experience Microsoft wanted those people to have compared to an Enterprise deployment.

For enterprises and SMBs that are concerned about client machines reaching Microsoft's Teredo server, it is easy enough to write a GPO that disables the Teredo client; I covered many of the commands to do this in a previous post. What is more interesting from a security standpoint is an attacker who exploits a client and then turns on the Teredo service to register the machine over IPv6 with a third-party Teredo server. They could easily pass all command-and-control traffic over IPv6, have unfiltered access to the machine, and have unrestricted reach into many networks behind commercial firewalls providing NAT/PAT services. One caveat: the Windows firewall does apply to the Teredo interface, and by default it drops unsolicited inbound connections arriving over Teredo unless a rule explicitly allows edge traversal. That does nothing against outbound command-and-control, and an attacker with administrative rights can add such a rule, so it is a speed bump rather than a control.
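As an added example (not code from the original post, nor from the earlier post it refers to), here is the disable-and-verify sequence for a Windows 7 host in PowerShell, run from an elevated prompt. The netsh syntax is Windows' own. The registry path and the Teredo_State value name are where the "Teredo State" Group Policy setting is stored as I understand it, not something this page states, so check them against your domain's administrative templates; the firewall rule assumes the client talks to its Teredo server on the standard UDP port 3544.

```powershell
# Added example: turn the Teredo client off on a Windows 7 host and verify. Elevated prompt required.

# Starting point. On a stand-alone Windows 7 box "Type" is typically "client" and "State" is
# "dormant" (enabled, not yet talking to the server) or "qualified" (active and reachable over IPv6).
netsh interface teredo show state

# The per-machine switch. The same command with "client" and a servername argument turns it back on,
# which is what the attacker scenario in the post amounts to, so on its own this only lasts until
# someone with admin rights flips it.
netsh interface teredo set state disabled

# The policy form of the same setting, i.e. what the GPO "Teredo State = Disabled"
# (Computer Configuration > Administrative Templates > Network > TCP/IP Settings >
# IPv6 Transition Technologies) writes on each client. Path and value name are assumptions, see lead-in.
# A domain GPO re-applies this value on every policy refresh, which is the reason to prefer the GPO over netsh alone.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name 'Teredo_State' -Value 'Disabled'

# Defence in depth at the host firewall: the client-to-server exchange uses UDP 3544 (assumed
# standard port), so dropping it outbound keeps the client from qualifying even if it is re-enabled.
# Relay and peer traffic uses other ports, so this is a second layer, not a replacement for the policy.
netsh advfirewall firewall add rule name="Block outbound Teredo server traffic" dir=out action=block protocol=UDP remoteport=3544

# Verify: "Type" should now read "disabled".
netsh interface teredo show state
```

On a domain-joined machine the netsh change alone is enough to test with, but ship the registry value through a GPO rather than a script so the setting survives anyone with local admin rights changing it back.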

I hope the days of people thinking that NAT/PAT devices provide any security are quickly coming to an end (finally), because transition technologies like Teredo make bypassing a NAT/PAT device just too easy. All the major torrent clients use similar NAT traversal methods, so anyone who thinks content can't be shared this way is ignoring the facts. Application-aware firewalls and host-based firewalls are the only way to control traffic now. Microsoft has taken the first step to address this with the Advanced Firewall and AD GPO policy pushes. They are introducing the second phase next with their Forefront client software suite, to allow even more management and policy options through System Center. I think this will be critical for enterprises, especially those adopting virtualization and remote desktop configurations.

So, what are the benefits of running Teredo services? Why would Microsoft have enabled the service and let applications decide when they need unfettered access to the IPv6 network? I believe it is to address the needs of home users trying to connect multiple devices behind NAT/PAT consumer-grade network devices (Linksys, Netgear and the like) and then wanting to share content and reach their network from the public Internet. While this may be a while off as a common deployment, many companies already provide similar services. Slingbox, GoToMyPC, torrents, and other file-sync services could all leverage Teredo and IPv6 to make the process work more easily than it does today. Instead of a central proxy/control server, hosts could connect directly to the home or work host they need content from, a novel idea. In addition, a Teredo address is built from the Teredo server's address plus the client's external IPv4 address and port, so a machine keeps the same IPv6 address for as long as that NAT mapping holds, regardless of how its private IPv4 addressing changes behind the NAT. That is a useful property for reaching a specific host and knowing you have the right one, though the address does change when the host moves to a different public IPv4 address or the NAT hands out a new port.

What I am not happy with is the lack of any intuitive interface within the GUI to tell you whether Teredo is actually on or not. There is no way outside of the command line that I am aware of to know if Teredo is enabled. It would seem simple enough to add a small control applet to let people know whether Teredo is enabled or disabled and whether it is currently being used. This would go a long way toward letting folks control this basic transition service.
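Until such an applet exists, the command line is what there is. The following is an added example, not code from the original post, serving both the question above (is Teredo merely enabled, or actually in use?) and the earlier paragraph on what a Teredo address is made of. It assumes that `netsh interface teredo show state` prints "Key : value" lines with keys named "Type", "Server Name" and "State" (with State one of offline, dormant, probe or qualified), and that Teredo addresses follow the RFC 4380 layout 2001:0:<server IPv4>:<flags>:<inverted port>:<inverted external IPv4>. The sample address decoded at the end is the RFC-style documentation example, not a real host.

```powershell
# Added example: is Teredo actually on, and what does the address it holds give away?
# Windows 7 / PowerShell 2.0 compatible; no -shl/-shr, only multiply and -bxor.

function Get-TeredoParameters {
    # Turn netsh's "Key : value" listing into a hashtable so fields can be read by name.
    $info = @{}
    netsh interface teredo show state | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.*)$') { $info[$matches[1]] = $matches[2].Trim() }
    }
    return $info
}

function ConvertFrom-TeredoAddress {
    # Unpack the RFC 4380 fields from a 2001::/32 address; returns $null for anything else.
    param([Parameter(Mandatory=$true)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 16 -or $b[0] -ne 0x20 -or $b[1] -ne 0x01 -or $b[2] -ne 0 -or $b[3] -ne 0) {
        return $null
    }
    # The external port and IPv4 address are stored bitwise-inverted to survive dumb NAT rewriting.
    $port     = ($b[10] * 256 + $b[11]) -bxor 0xFFFF
    $external = ($b[12..15] | ForEach-Object { $_ -bxor 0xFF }) -join '.'
    New-Object PSObject -Property @{
        Address      = $Address
        TeredoServer = ($b[4..7] -join '.')        # the server the client qualified against
        ConeNat      = [bool]($b[8] -band 0x80)    # RFC 4380 "cone" flag, top bit of the flags word
        ExternalIPv4 = $external                   # the NAT's public side, as seen by the server
        ExternalPort = $port                       # the NAT mapping's public UDP port
    }
}

function Get-TeredoAddresses {
    # Every unicast IPv6 address bound on the host, kept only if it decodes as Teredo.
    $all = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetworkV6' } |
        ForEach-Object { $_.Address.ToString() }
    $all | Where-Object { ConvertFrom-TeredoAddress $_ }
}

function Get-TeredoStatus {
    # "Enabled" is the Type line; "in use" is State = qualified plus an actual Teredo address bound.
    $p = Get-TeredoParameters
    $addresses = @(Get-TeredoAddresses)
    New-Object PSObject -Property @{
        ClientType = $p['Type']            # client, enterpriseclient, disabled, ...
        State      = $p['State']           # offline / dormant / probe / qualified
        Server     = $p['Server Name']
        Active     = ($p['State'] -eq 'qualified') -and ($addresses.Count -gt 0)
        Addresses  = $addresses | ForEach-Object { ConvertFrom-TeredoAddress $_ }
    }
}

Get-TeredoStatus | Format-List

# Worked decode of the documentation-style sample address (constructed, not a real host).
ConvertFrom-TeredoAddress '2001:0:4136:e378:8000:63bf:3fff:fdd2' | Format-List
```

Decoding the sample address gives TeredoServer 65.54.227.120, ExternalIPv4 192.0.2.45, ExternalPort 40000 and ConeNat True, which is the point of the earlier paragraph: the address is a function of the server and the NAT mapping, so it is stable only while that mapping is. For the "is it on?" question, a dormant State with Type client is the default "enabled but not active" condition the post describes; qualified means the machine is reachable from the IPv6 Internet right now. The Type line also tells you if someone has set enterpriseclient, which keeps Teredo on even on a domain network, and the same 2001::/32 check is worth applying to any IPv6 addresses that turn up in your firewall or proxy logs.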

I guess I will ask what Microsoft was thinking regarding this while I have their ear over the next few days and report back.
- Ed
