Are you using or considering BranchCache to improve remote site performance, but you have concerns about the security of the data that is cached on the remote servers? James McIllece, a Senior Technical Writer on the Networking IT Pro writing team provides the following information about how the data is protected, and what you can do to help improve the security of the cached data.
Microsoft BranchCache is designed to reduce traffic on wide area network (WAN) links and provide users in branch offices with a better experience when accessing remote resources. In BranchCache-enabled environments, a copy of data retrieved from a content server over a WAN link is cached in the branch. Subsequent client requests for the same data are fulfilled from the branch cache, reducing traffic on slower and more expensive WAN links and increasing application responsiveness on the client.
BranchCache optimizes traffic flow between Windows Server 2008 R2 servers and BranchCache-enabled clients; Windows Server 2008 R2 servers and computers running Windows 7 can be configured as BranchCache clients. BranchCache is transparent to existing authentication or authorization solutions. Existing protocols encapsulate the BranchCache protocol, preserving the security of existing authentication and authorization mechanisms, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS), Server Message Block (SMB) signing, and Internet Protocol Security (IPSec). BranchCache reduces network bandwidth utilization and improves application performance even with encrypted content.
BranchCache operates in one of two modes:
- Distributed Cache: In Distributed Cache mode, BranchCache-enabled clients cache copies of files downloaded from content servers across the WAN and send them directly to other clients when requested. Distributed Cache mode is especially beneficial for branch offices that do not have a local server.
- Hosted Cache: In Hosted Cache mode, a Windows Server 2008 R2 server, known as the Hosted Cache, acts as the host for the cached content. BranchCache-enabled clients cache data that they have requested and downloaded from content servers locally and use the Hosted Cache to retrieve data that is not available from their own local cache. Clients know the identity of the Hosted Cache and retrieve data from the Hosted Cache. For data not available from the Hosted Cache, the client downloads the data from the content server and offers it for caching to the Hosted Cache. Hosted Cache mode is beneficial in organizations that want to audit access to content in the local cache, or larger branch offices that have local servers.
The greatest threat to data stored in the BranchCache is tampering. If an attacker can tamper with data stored in the cache on client computers, it might be possible to use the cache to launch an attack against the computers that are using BranchCache. Attackers can achieve this by inserting malicious software in place of other data. BranchCache mitigates this threat by validating all content using block hashes found in the content metadata. If an attacker attempts to tamper with this data, it will be discarded and replaced with valid data from the original source.
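A simplified model of the block-hash validation described above, added here as an illustration and not BranchCache's own code or wire format: the content server publishes one SHA-256 digest per block as content metadata, and the client keeps a block obtained from the branch cache only when its digest matches; otherwise the block is discarded and refetched from the origin. The 32 KiB block size, the in-memory dict standing in for the peer cache, and the helper names are assumptions.

```python
import hashlib

# Assumption: fixed-size blocks, each hashed independently with SHA-256.
BLOCK_SIZE = 32 * 1024


def build_content_info(data: bytes) -> list:
    """Content-server side (hypothetical helper): one SHA-256 digest per block.
    Real BranchCache metadata also groups blocks into segments and binds them with
    a server-keyed hash; this model keeps only the per-block hashes the text describes."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(data), BLOCK_SIZE)]


def assemble_content(content_info: list, peer_cache: dict, origin: bytes):
    """Client side: try the branch cache first for every block, accept a cached block
    only if its hash matches the metadata fetched from the content server, and
    otherwise drop it and fall back to the origin. Returns (data, rejected_indexes)."""
    out = bytearray()
    rejected = []
    for idx, expected in enumerate(content_info):
        block = peer_cache.get(idx)
        if block is None or hashlib.sha256(block).digest() != expected:
            if block is not None:
                rejected.append(idx)
                peer_cache.pop(idx)  # discard the tampered copy from the cache
            block = origin[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE]
            peer_cache[idx] = block  # re-seed the cache with validated data
        out += block
    return bytes(out), rejected


# Constructed sample: exactly three blocks of content.
ORIGINAL = bytes(range(256)) * (3 * BLOCK_SIZE // 256)
CONTENT_INFO = build_content_info(ORIGINAL)


def demo():
    """A peer serves block 1 with one byte altered; the client must reject it,
    rebuild the original content, and leave the cache holding a valid block 1."""
    cache = {i: ORIGINAL[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] for i in range(3)}
    cache[1] = b"X" + cache[1][1:]
    data, rejected = assemble_content(CONTENT_INFO, cache, ORIGINAL)
    cache_repaired = cache[1] == ORIGINAL[BLOCK_SIZE:2 * BLOCK_SIZE]
    return data == ORIGINAL, rejected, cache_repaired


if __name__ == "__main__":
    print(demo())
```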
A secondary threat to data stored in the BranchCache is information disclosure. In Distributed Cache mode, the client caches only the content that it has requested itself; however, that data is stored in clear text and may be at risk. To help restrict access to the BranchCache service alone, the local cache is protected by file system permissions specified in an ACL. Although the ACL is effective in preventing unauthorized users from accessing the cache, it is possible for a user with administrative permissions to gain access to the cache simply by manually changing the permissions specified in the ACL. BranchCache does not protect against the malicious use of an administrative account. Of course, as a best practice, standard users should not have administrator permissions on their local computers.
Data stored in the content cache is not encrypted, so if data leakage is a concern, encryption technologies such as BitLocker or the Encrypting File System (EFS) can be implemented. The local cache added by BranchCache does not increase the information disclosure threat borne by a computer in the branch office; the cache contains only copies of files that reside unencrypted elsewhere on the disk. Encrypting the entire disk is particularly important in environments in which the physical security of the clients is difficult to ensure. For example, encrypting the entire disk helps to secure sensitive data on mobile computers that may be removed from the branch office environment periodically.
Hosted Cache Servers
In Hosted Cache mode, the greatest threat to the security of the Hosted Cache is information disclosure. BranchCache in a Hosted Cache environment behaves in a similar manner to Distributed Cache mode, with file system permissions protecting the cached data. The difference is that the Hosted Cache server stores all of the content that any BranchCache-enabled computer in the branch office requests, rather than just the data that a single client requests. The consequences of unauthorized intrusion into this cache could be much more serious, because much more data is at risk.
In a Hosted Cache environment, the use of encryption technologies such as BitLocker or EFS is advisable if any of the clients in the branch office can access sensitive data across the WAN link. It is also necessary to prevent physical access to the Hosted Cache, because disk encryption works only so long as the computer is turned off when the attacker has physical access to it. If the computer is on or in sleep mode, then disk encryption offers little protection.
Even if a client is configured in Hosted Cache mode, it will still cache data locally, and you may choose to take steps to protect the local cache in addition to the Hosted Cache.