VPN server installed by every network user?

tc1010
Posts: 10
Joined: Thu Feb 12, 2015 8:15 pm

VPN server installed by every network user?

Post by tc1010 » Tue Feb 17, 2015 6:46 pm

How can a network administrator prevent SoftEther VPN server from being installed by every single user in the network?

tc1010
Posts: 10
Joined: Thu Feb 12, 2015 8:15 pm

Re: VPN server installed by every network user?

Post by tc1010 » Tue Feb 17, 2015 8:51 pm

I mean, the network administrator can beef up the security for SoftEther VPN server all he wants, creating all kinds of Users, Groups, Access Lists, Authentications, Certificates, Revocation lists, Security Policies, IP Access Control Lists..., everything, to tighten up the VPN security. And at the same time, any user in the network can easily install his (her) own version of SoftEther VPN server and completely bypass every security measure the administrator has adopted.
What kind of VPN security and management is this?
Do I totally misunderstand SoftEther VPN?

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: VPN server installed by every network user?

Post by dajhorn » Thu Feb 19, 2015 4:33 pm

Security policies implemented by the operating system determine whether software can be installed or executed.

If you do not completely control the computers that are connecting to your network, then all of the sessions coming from those computers are untrusted and must be restricted and logged accordingly.

If you trust software (like perhaps SoftEther) to lock-down remote systems that you do not completely control, then you are indeed misunderstanding security.

tc1010
Posts: 10
Joined: Thu Feb 12, 2015 8:15 pm

Re: VPN server installed by every network user?

Post by tc1010 » Fri Feb 20, 2015 2:14 pm

dajhorn wrote:
> Security policies implemented by the operating system determine whether software
> can be installed or executed.

The problem is, every user in a company network can easily install SoftEther VPN server without administrator's right, according to this page http://vpnazure.net/en/ ("VPN Azure Service makes it possible for any employees in the company to have their own and specific VPN Server in each work PC. From now on, let's build your own VPN to your office and make yourself enable to access file servers and groupware in your company from anywhere." "You need NO administrator's privileges to install.")

Sorry but you apparently didn't get my point.

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: VPN server installed by every network user?

Post by dajhorn » Fri Feb 20, 2015 4:11 pm

tc1010 wrote:
> The problem is, every user in a company network can easily install SoftEther VPN
> server without administrator's right, according to this page http://vpnazure.net/en/

That is not a problem; you are quoting an important SoftEther feature from its product brochure.

Any security model that requires Administrator privileges at the client to keep the VPN host safe is thoroughly broken. Using domain GPOs to restrict application installation or execution would be one way to improve security on the client side. Using ACLs would be one way to improve security on the server side.

tc1010
Posts: 10
Joined: Thu Feb 12, 2015 8:15 pm

Re: VPN server installed by every network user?

Post by tc1010 » Fri Feb 20, 2015 5:44 pm

Being a newbie in VPN and an even newer one in SoftEther VPN, I really appreciate you shedding light on my questions. You are making a lot of sense. Thanks again.

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: VPN server installed by every network user?

Post by maltyx » Wed Feb 25, 2015 7:55 pm

I think you can forbid by a firewall any traffic (except the machine with VPN that you have installed) to the Azure-based VPN SoftEther proxy... that is the simple way.

tc1010
Posts: 10
Joined: Thu Feb 12, 2015 8:15 pm

Re: VPN server installed by every network user?

Post by tc1010 » Fri Feb 27, 2015 12:39 am

Thanks for the reply. I did try to block the URLs of vpnazure.net and abc.vpnazure.net through my dd-wrt router, for all IPs in my subnet. But when I tested it by enabling the VPN Azure for my VPN server, the status still showed it got connected. So how can I find the proxy?
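Added example, not part of the original posts or of SoftEther: one way to see, from the router's DNS log, which LAN machines look up names under the domain mentioned in this thread and which addresses those names resolved to. It assumes dnsmasq on the router has query logging (`log-queries`) enabled; the log lines and addresses below are constructed.

```python
import ipaddress
import re
from collections import defaultdict

WATCHED_SUFFIX = "vpnazure.net"  # domain named in the thread
# Line shapes written by dnsmasq when "log-queries" is enabled.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (?:reply|cached) (?P<name>\S+) is (?P<value>\S+)")

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Feb 27 00:31:02 dnsmasq[812]: query[A] abc.vpnazure.net from 192.168.1.23
Feb 27 00:31:02 dnsmasq[812]: reply abc.vpnazure.net is 203.0.113.10
Feb 27 00:32:11 dnsmasq[812]: query[A] notvpnazure.net from 192.168.1.40
Feb 27 00:33:40 dnsmasq[812]: query[AAAA] abc.vpnazure.net from 192.168.1.23
Feb 27 00:33:40 dnsmasq[812]: reply abc.vpnazure.net is NODATA-IPv6
Feb 27 00:34:00 dnsmasq[812]: query[A] ABC.VPNAZURE.NET from 192.168.1.57
Feb 27 00:34:00 dnsmasq[812]: cached abc.vpnazure.net is 203.0.113.10
""".splitlines()

def watched(name, suffix=WATCHED_SUFFIX):
    """Return the normalized name if it is the suffix or a subdomain of it, else None."""
    name = name.rstrip(".").lower()
    return name if name == suffix or name.endswith("." + suffix) else None

def is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def analyze(lines):
    """Return (clients, addresses): who asked for watched names, and what they resolved to."""
    clients, addresses = defaultdict(set), defaultdict(set)
    for line in lines:
        q = QUERY_RE.search(line)
        if q and watched(q["name"]):
            clients[q["client"]].add(watched(q["name"]))
            continue
        a = ANSWER_RE.search(line)
        # Non-address answers (NODATA, <CNAME>) are skipped rather than guessed at.
        if a and watched(a["name"]) and is_address(a["value"]):
            addresses[watched(a["name"])].add(a["value"])
    return dict(clients), dict(addresses)

if __name__ == "__main__":
    for label, table in zip(("clients", "addresses"), analyze(SAMPLE_LOG)):
        print(label, {k: sorted(v) for k, v in table.items()})
```

The client list shows which machines to inspect, and the address list is what an IP-based firewall rule would have to cover; machines that use a resolver other than the router will not appear in this log.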
