Are you using or considering BranchCache to improve remote site performance, but you have concerns about the security of the data that is cached on the remote servers? James McIllece, a Senior Technical Writer on the Networking IT Pro writing team, provides the following information about how the data is protected, and what you can do to help improve the security of the cached data.
BranchCache optimizes traffic flow between Windows Server 2008 R2 servers and BranchCache-enabled clients; Windows Server 2008 R2 servers and computers running Windows 7 can be configured as BranchCache clients. BranchCache is transparent to existing authentication or authorization solutions. Existing protocols encapsulate the BranchCache protocol, preserving the security of existing authentication and authorization mechanisms, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS), Server Message Block (SMB) signing, and Internet Protocol Security (IPSec). BranchCache reduces network bandwidth utilization and improves application performance even with encrypted content.
BranchCache operates in one of two modes: Distributed Cache mode and Hosted Cache mode.
The greatest threat to data stored in the BranchCache is tampering. If an attacker can tamper with data stored in the cache on client computers, then it might be possible to use this to try to launch an attack against the computers that are using BranchCache. Attackers can achieve this by inserting malicious software in place of other data. BranchCache mitigates this threat by validating all content using block hashes found in the content metadata. If an attacker tampers with cached data, the tampered data fails validation, is discarded, and is replaced with valid data from the original source.
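The validation step described above can be modelled in a few lines. This is an added example, not BranchCache's own code or wire format: the block size, the use of SHA-256, the function names, and the assumption that the metadata reaches the client over a trusted channel are all choices made for this sketch, and the sample data is constructed.

```python
import hashlib

BLOCK_SIZE = 4  # assumption: tiny blocks keep the constructed sample readable


def sha256_hex(block):
    return hashlib.sha256(block).hexdigest()


def split_blocks(data, size=BLOCK_SIZE):
    """Split content into fixed-size blocks; the last one may be shorter."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_metadata(content):
    """Source side: one hash per block, published as the content metadata."""
    return [sha256_hex(b) for b in split_blocks(content)]


def assemble(metadata, cache, fetch_from_source):
    """Client side: use a cached block only if it matches its metadata hash.

    Returns (content, discarded); discarded lists the indexes of cached
    blocks that failed validation and were replaced from the source.
    """
    blocks, discarded = [], []
    for index, expected in enumerate(metadata):
        block = cache.get(index)
        if block is not None and sha256_hex(block) != expected:
            discarded.append(index)   # tampered or corrupted cache entry
            block = None
        if block is None:             # cache miss, or entry just discarded
            block = fetch_from_source(index)
            if sha256_hex(block) != expected:
                raise ValueError("block %d from source fails validation" % index)
            cache[index] = block      # repair the cache with the valid block
        blocks.append(block)
    return b"".join(blocks), discarded


def demo():
    original = b"quarterly-report-v1"    # constructed sample content
    source = split_blocks(original)
    metadata = build_metadata(original)  # assumed to arrive over a trusted channel
    cache = dict(enumerate(source))
    cache[2] = b"EVIL"                   # constructed tampering of one block
    del cache[4]                         # constructed cache miss
    content, discarded = assemble(metadata, cache, lambda i: source[i])
    return original, content, discarded, cache
```

The tampered block never reaches the assembled content: it fails the hash comparison, is dropped, and the cache entry is overwritten with the block fetched from the source.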
A secondary threat to data stored in the BranchCache is information disclosure. In Distributed Cache mode, the client caches only the content that it has requested itself; however, that data is stored in clear text, and may be at risk. To help restrict access to the BranchCache Service only, the local cache is protected by file system permissions specified in an ACL. Although the ACL is effective in preventing unauthorized users from accessing the cache, it is possible for a user with administrative permissions to gain access to the cache simply by manually changing the permissions specified in the ACL. BranchCache does not protect against the malicious use of an administrative account. Of course, as a best practice, standard users should not have administrator permissions on their local computers.
Data stored in the content cache is not encrypted, so if data leakage is a concern, encryption technologies such as BitLocker or the Encrypting File System (EFS) can be implemented. The local cache added by BranchCache does not increase the information disclosure threat borne by a computer in the branch office; the cache contains only copies of files that reside unencrypted elsewhere on the disk. Encrypting the entire disk is particularly important in environments in which the physical security of the clients is difficult to ensure. For example, encrypting the entire disk helps to secure sensitive data on mobile computers that may be removed from the Branch Office environment periodically.
In Hosted Cache mode, the greatest threat to the security of the Hosted Cache is information disclosure. BranchCache in a Hosted Cache environment behaves in a similar manner to Distributed Cache mode, with file system permissions protecting the cached data. The difference is that the Hosted Cache server stores all of the content that any BranchCache-enabled computer in the branch office requests, rather than just the data that a single client requests. The consequences of unauthorized intrusion into this cache could be much more serious, because much more data is at risk.
In a Hosted Cache environment, the use of encryption technologies such as BitLocker or EFS is advisable if any of the clients in the branch office can access sensitive data across the WAN link. It is also necessary to prevent physical access to the Hosted Cache, because disk encryption works only so long as the computer is turned off when the attacker has physical access to it. If the computer is on or in sleep mode, then disk encryption offers little protection.
Even if a client is configured in Hosted Cache mode, it will still cache data locally, and you may choose to take steps to protect the local cache in addition to the Hosted Cache.
For more information, see the BranchCache Security Guide, which is available in Word format in the Microsoft Download Center, at http://go.microsoft.com/fwlink/?LinkId=164447.