Critical Update MS15-034 and DirectAccess

Microsoft Security Bulletin MS15-034: Vulnerability in HTTP.sys affects DirectAccess

The April 2015 monthly security update release from Microsoft includes a fix for a serious vulnerability in HTTP.sys. On an unpatched server, an attacker who sends a specially crafted HTTP request can execute code remotely in the context of the local system account. DirectAccess leverages HTTP.sys for the IP-HTTPS IPv6 transition protocol and is therefore critically exposed. Organizations that have deployed DirectAccess are urged to update their systems immediately.

More information on MS15-034 can be found here.

Monitoring DirectAccess Machine and User Activity with Windows Component Event Logging

The monitoring of DirectAccess machine and user activity presents some unique challenges for security administrators. All DirectAccess client communication destined for the internal corporate network is translated by the DirectAccess server and appears to originate from the DirectAccess server’s internal IPv4 address. Also, the public IPv4 address of DirectAccess clients using the IP-HTTPS IPv6 transition protocol is not visible using the native reporting tools. In addition, vital information such as the source ports used by the DirectAccess server for internal connections and the source ports used by DirectAccess clients is not available. This lack of granular connection logging creates a serious blind spot for administrators conducting forensic investigations.

As veteran Microsoft Premier Field Engineer (PFE) Martin Solis described in detail in a recent blog post, all of these details are in fact logged. However, gathering this information is not exactly intuitive. To collect this essential information it will be necessary to leverage Windows component event logging. By searching the IPHLPSVC, Base Filtering Engine Connections, Base Filtering Resource Flows, and WinNAT operational logs, it is possible to gather all of the information necessary for uniquely identifying DirectAccess corporate network communication.

Be sure to read Martin’s excellent article about using Windows component event logging to monitor DirectAccess machine and user activity, which can be found here.

ISP Address Field is Blank in DirectAccess Status and Reports

When viewing DirectAccess client status in the Remote Access Management console, you will notice that the ISP address field is blank for clients using the IP-HTTPS IPv6 transition protocol. However, the ISP Address information is displayed for clients using the 6to4 or Teredo IPv6 transition protocols.


This is expected behavior and occurs as a result of the way in which the DirectAccess reports obtain the client’s public ISP address information. The ISP address is derived from the IPv6 address used to establish the DirectAccess client’s IPsec Security Associations (SAs) on the DirectAccess server. For clients using the 6to4 or Teredo IPv6 transition protocols, the client’s public IPv4 address is embedded in its IPv6 address. This information is displayed in the ISP Address field. However, the IP-HTTPS IPv6 transition protocol uses completely random IPv6 addresses. Without an embedded IPv4 address, the Remote Access Management console lacks the information to display in the ISP Address field.
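As an added illustration (not from the original post and not Microsoft's own reporting code) of why the ISP Address field is populated for 6to4 and Teredo clients but blank for IP-HTTPS, the following Python decodes the public IPv4 address that each transition technology embeds in the client's IPv6 address. The sample addresses and the IP-HTTPS prefix are constructed; the function assumes the administrator supplies the IP-HTTPS prefix actually configured on the DirectAccess server.

```python
import ipaddress
from typing import Optional, Tuple

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056: client IPv4 in bits 16-47
TEREDO = ipaddress.IPv6Network("2001::/32")     # RFC 4380: client IPv4 in bits 96-127, XOR 0xFFFFFFFF


def isp_address(addr: str, iphttps_prefix: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (transition technology, public IPv4, public UDP port) for a client IPv6 address.

    iphttps_prefix is the prefix the DirectAccess server assigns to IP-HTTPS clients
    (assumed known to the admin). It is tested first because a 6to4-derived IP-HTTPS
    prefix also falls inside 2002::/16, and the random interface identifier of an
    IP-HTTPS address embeds no client IPv4 address at all.
    """
    ip = ipaddress.IPv6Address(addr)
    raw = int(ip)
    if ip in ipaddress.IPv6Network(iphttps_prefix):
        return ("IP-HTTPS", None, None)  # nothing to derive, so ISP Address stays blank
    if ip in SIXTOFOUR:
        v4 = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return ("6to4", str(v4), None)
    if ip in TEREDO:
        v4 = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF  # bits 80-95, obscured the same way
        return ("Teredo", str(v4), port)
    return ("unknown", None, None)


# Constructed sample data; the IP-HTTPS prefix is made up for this demonstration.
IPHTTPS_PREFIX = "2002:c000:202:1::/64"
SAMPLES = {
    "6to4 client 203.0.113.10": "2002:cb00:710a::1",
    "Teredo client 198.51.100.7, NAT port 40000": "2001:0:c000:201:0:63bf:39cc:9bf8",
    "IP-HTTPS client (random interface ID)": "2002:c000:202:1:3d2f:9a1c:77e0:b4f1",
}

if __name__ == "__main__":
    for label, a in SAMPLES.items():
        print(f"{label:45} {a:40} -> {isp_address(a, IPHTTPS_PREFIX)}")
```

Because an IP-HTTPS address carries nothing recoverable, the client's public IPv4 address has to come from the component event logs described above rather than from the address itself.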

Updated 3/22/2015: With a little extra work it is possible to find the IPv4 ISP address for DirectAccess clients using the IP-HTTPS IPv6 transition protocol. For more information, please refer to Microsoft PFE Martin Solis’ excellent blog post on the subject here.