With the November 2013 security bulletin release, Microsoft advises that DirectAccess includes a vulnerability that could allow security feature bypass. This update affects all supported versions of Microsoft Windows and addresses an issue with how the DirectAccess server authenticates connections with DirectAccess clients. The vulnerability could be leveraged by an attacker to pose as a man-in-the-middle and intercept their communication. For more details, please review Microsoft Security Advisory 2862152.
Awards
Pluralsight
Consulting
Newsletter
All posts tagged Server 2012
Vulnerability in DirectAccess Could Allow Security Feature Bypass
Posted by Richard M. Hicks on November 12, 2013
https://directaccess.richardhicks.com/2013/11/12/vulnerability-in-directaccess-could-allow-security-feature-bypass/
Microsoft Security Update MS13-064 and DirectAccess
With the August security update release cycle, Microsoft issued security bulletin MS13-064 to address a vulnerability in the Windows NAT driver that could result in a denial of service. The vulnerability could be exploited by an attacker who sends a specially crafted ICMP packet to the server running the Windows NAT Driver service. The vulnerability exists only on Windows Server 2012 and the affected driver, winnat.sys, is present when the DirectAccess role is installed. This vulnerability only affects only full installations of Windows Server 2012. Windows Server 2012 Core is not affected. If you are running DirectAccess on a full installation of Windows Server 2012, make sure you install this update as soon as possible to be protected from potential denial of service attacks. For more information about this update, click here. For a comprehensive list of updates that apply to DirectAccess on Windows Server 2012 as well as previous versions, please refer to Jason Jones’ DirectAccess hotfix summary page.
Posted by Richard M. Hicks on August 20, 2013
https://directaccess.richardhicks.com/2013/08/20/microsoft-security-update-ms13-064-and-directaccess/
Windows Server 2012 DirectAccess Network Location Server Not Working Properly
After configuring a Windows Server 2012 DirectAccess server to use an intranet-based Network Location Server (NLS), you may notice that the operations status in the remote access management console indicates a critical problem with NLS, when in fact you can browse the NLS server from the DirectAccess server.
The issue here is that the DirectAccess server, in addition to being able to successfully connect to the NLS using an HTTP GET, must also be able to ping the NLS server. However, inbound ICMP is often blocked on web servers which results in the DirectAccess server marking the service as failed. The issue can be quickly resolved by modifying the host firewall policy to allow inbound ICMPv4 echo requests. For example, in my test lab I’m using a Microsoft Windows Server 2012 server with Internet Information Services (IIS) installed. A new access rule can be added to the Windows Firewall with Advanced Security (WFAS) by executing the following PowerShell command:
New-NetFirewallRule -Name “Allow Inbound ICMPv4 Echo Request” -DisplayName “Allow Inbound ICMPv4 Echo Request” -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 172.16.1.241, 172.16.1.242 -Profile Domain -Action Allow -Enabled True
Note that my lab server is domain joined, so I’ve specified the WFAS profile to be the Domain profile. In addition I’ve included the IPv4 addresses assigned to the internal network interfaces of my two DirectAccess servers. You’ll need change the command as required to work in your environment.
Posted by Richard M. Hicks on July 22, 2013
https://directaccess.richardhicks.com/2013/07/22/windows-server-2012-directaccess-network-location-server-not-working-properly/
Always On VPN Book
DirectAccess Book
Always On VPN DPC
