I currently have a Windows Server RRAS VPN set up for production that authenticates users through LDAP (Active Directory), but it operates without multi-factor authentication (MFA)—just username and password. I'm really concerned about how secure this is as we move into 2025, especially after reading about a recent VPN breach. I'm contemplating a switch to a FortiGate VPN that includes MFA (specifically integrated with Azure MFA), but my boss has a few questions before we commit to any changes. So, I'm reaching out for your insights: Are any of you still using this setup? I'm also worried that this configuration could allow the VPN client access to the entire network on all ports. Is using RRAS with just LDAP authentication still seen as secure or acceptable today without MFA? What are the main security risks or attack vectors associated with this setup? Also, is Microsoft still maintaining and updating RRAS regarding VPN security? Are there any significant breach incidents related to RRAS VPNs? Additionally, what other points should I consider mentioning when discussing this topic with my leadership? Thanks for your thoughts!
2 Answers
I’d recommend integrating with Azure NPS for MFA since it's essential. Just relying on LDAP without MFA isn't best practice. Anyone should have the ability to connect to a VPN from untrustworthy devices, which makes it risky. Better to have MFA to increase security.
Exactly! LDAP alone without MFA? Not a good idea, better safe than sorry!
We handle security by requiring MFA at the device level before users log into the machines, which covers the need for MFA, so we don’t require it on AOVPN. Our device VPNs can only communicate with AD and specific automated servers for authentication and updates, and we enforce strict firewall rules for each department based on their roles.
Yeah, we also use internal certificates for added security.
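Added example, not from anyone in this thread: a small Python check over constructed RRAS RemoteAccess log lines that flags the two credential-attack patterns a password-only VPN is exposed to, which is the risk the question and the first answer are about. The flattened line format and the use of event 20271 as the failed-authentication event are assumptions, as is the sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs. Assumed flattened line format:
# "<ISO timestamp> <event id> <user> <client ip>"; event 20271 is assumed
# here to be RemoteAccess's "failed an authentication attempt" event.
SAMPLE_LOG = """\
2025-01-14T08:00:01 20271 CORP\\alice 203.0.113.7
2025-01-14T08:00:04 20271 CORP\\bob 203.0.113.7
2025-01-14T08:00:07 20271 CORP\\carol 203.0.113.7
2025-01-14T08:00:11 20271 CORP\\dave 203.0.113.7
2025-01-14T08:01:02 20271 CORP\\admin 203.0.113.9
2025-01-14T08:01:09 20271 CORP\\admin 203.0.113.9
2025-01-14T08:01:17 20271 CORP\\admin 198.51.100.33
2025-01-14T08:01:25 20271 CORP\\admin 203.0.113.9
2025-01-14T08:45:00 20271 CORP\\frank 198.51.100.20
"""
FAIL_EVENT = "20271"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Return [(timestamp, event_id, user, ip)] for well-formed lines."""
    rows = [LINE_RE.match(l.strip()) for l in text.splitlines()]
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4]) for m in rows if m]

def _flag(groups, window, threshold, distinct):
    """Flag groups whose failures in a sliding window reach the threshold."""
    flagged = {}
    for name, items in groups.items():
        items.sort(key=lambda it: it[0])
        for i, (start, _) in enumerate(items):
            hits = [it[1] for it in items[i:] if it[0] - start <= window]
            n = len(set(hits)) if distinct else len(hits)
            if n >= threshold:
                flagged[name] = n
                break
    return flagged

def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """One client IP failing for many distinct accounts (password spraying)."""
    by_ip = defaultdict(list)
    for ts, eid, user, ip in events:
        if eid == FAIL_EVENT:
            by_ip[ip].append((ts, user))
    return _flag(by_ip, window, min_users, distinct=True)

def detect_brute_force(events, window=timedelta(minutes=10), min_fails=4):
    """One account failing repeatedly from any IP (brute force or stuffing)."""
    by_user = defaultdict(list)
    for ts, eid, user, ip in events:
        if eid == FAIL_EVENT:
            by_user[user].append((ts, ip))
    return _flag(by_user, window, min_fails, distinct=False)
```

Either detector firing is a signal that lockout policy, geo or rate limiting, and ideally MFA on the VPN are needed; the thresholds are starting points to tune against your own baseline.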