How to Install and Configure KB2862152 for DirectAccess

Microsoft recently released security advisory 2862152 to address a vulnerability in IPsec that could allow DirectAccess security feature bypass. The associated update addresses an issue with how the DirectAccess client authenticates with a DirectAccess server. Without the update, it is possible for an attacker to launch a man-in-the-middle attack to intercept DirectAccess communication.

The update itself does not resolve the issue directly, however. The update simply allows administrators to configure DirectAccess clients using specific registry settings to enforce more stringent checks during IPsec negotiation after the update is installed. The challenge with this update is that the documentation contained within the knowledge base article is extremely detailed and includes information that pertains to many different remote access scenarios, not just DirectAccess. This has led to much confusion, and many administrators are unclear for which clients and deployment scenarios the registry changes are required.

For DirectAccess deployments, the update needs to be applied to all of your DirectAccess clients. The update does NOT need to be applied to the DirectAccess server. The registry settings required on the client will be dictated based on the configured authentication method for your DirectAccess deployment. If you have configured DirectAccess to use certificate-based authentication by checking selecting the Use computer certificates option as shown below, you’ll only need to make registry settings changes on your Windows 7 clients. Windows 8/8.1 clients DO NOT require any changes be made to the registry when DirectAccess is configured to use certificate-based authentication.

Microsoft Security Update KB2862152 for DirectAccess

If you are NOT using computer certificates for authentication, then you must make registry changes to all of your Windows 8/8.1 clients. For detailed, prescriptive guidance on implementing the client-side registry changes required to support this update and mitigate this vulnerability, Jason Jones has done a wonderful job documenting those steps specifically, so I’ll refer you to his post here.

You can find the update for KB2862152 for all supported clients here.

3 Comments
by Richard M. Hicks on December 2, 2013  •  Permalink
Posted in DirectAccess, VPN, Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on December 2, 2013

https://directaccess.richardhicks.com/2013/12/02/how-to-install-and-configure-kb2862152-for-directaccess/

Previous Post
Next Post
Leave a comment

3 Comments

  1. miles267n

     /  December 3, 2013

    I’ve followed this basic guide to enable DirectAccess on my Windows Server 2012 Essentials (R1) home server:
    http://technet.microsoft.com/en-us/library/jj200189.aspx
    My client family members are remote running Windows 8.0 Enterprise. Once you have DTE1 and DTE2 from the server, what client registry changes are required? Since clients are remote, I want to be cautious not break connectivity that’s currently working.

    Reply

  2. vgbest

     /  December 5, 2013

    Great.. thanks for the article 🙂

    Reply

Leave a Reply to miles267nCancel reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading