Direct Access Server 2012 R2 Hardening

  • Question

  • Hello,

    I am building a POC for Direct Access and need to expose the service to the internet. Of course, with that comes the fear of hardening the system from external attacks, since either method (One NIC or Two NICs) exposes the server. I used an SCM template to apply a Microsoft Baseline to the server, but wonder if I should be doing more.

    Currently my configuration is a one NIC server behind a firewall. Is there a more secure way of doing this? I have been consulting the internet and have found many "guides" but they don't seem to state which is more secure and how to secure the domain joined server.

    Thanks!

    Wednesday, August 17, 2016 2:02 PM

Answers

  • As long as your DirectAccess server isn't inside a DMZ network, the single NIC approach is acceptable. However, if the DirectAccess server needs to be in a DMZ, it is best to have two NICs, one on the LAN and the other in the DMZ. This allows the DirectAccess server to access all LAN resources, while at the same time reducing exposure to the DMZ network. This is accomplished by using a more restrictive Windows firewall policy on the external interface. It will require some tuning of the default Windows firewall rules though. Also, some adjustments will be required to the default SSL/TLS configuration too.

    To provide the best security and lowest attack surface, consider also deploying DirectAccess on Server Core. :)

    • Marked as answer by RCCMG Friday, August 19, 2016 4:07 PM
    Thursday, August 18, 2016 11:29 PM

All replies

  • Richard,

    Thanks for the reply. Just so you know, your website and blogs have been helpful in my venture into Direct Access, and not to get this far off topic, can you suggest a path of troubleshooting for this issue?

    • Server behind a NetScaler, all status checks are green in the Remote Access Management and I can see the link up from the NetScaler to the DA server.
    • I can do all the other fun things to check connectivity to the server from outside as well (ping, telnet)
    • Client is on the Internet and netsh interface httpstunnel show interfaces shows error code 0x0 and that the interface is active

    Problem is the server doesn't show that the client is connected, and the client itself is unable to access anything in the world (force tunneling is enabled), or on the corp network.

    Thanks for your time!

    Friday, August 19, 2016 2:54 PM
  • Does it work if you disable force tunneling?
    Friday, August 19, 2016 8:07 PM
  • If I disable force tunneling I can still browse the internet, but the tunnel still doesn't work. It still shows 0x0 in the agent though.
    Friday, August 19, 2016 8:16 PM
  • Ok, it could be any number of things at this point. You should be able to ping the DNS64 IPv6 address (ends in 3333::1) from the DirectAccess client. If not, ensure that ICMPv6 is allowed inbound on all interfaces and all WFAS profiles on the DirectAccess server and try again. If that doesn't work, make sure you have the correct DirectAccess policy. If you've uninstalled/reinstalled there's a chance the client has the wrong configuration. After that, could be a certificate issue. Ping me directly if you can't get it sorted and I'll offer some additional guidance.
    Monday, August 22, 2016 4:14 PM
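  • The accepted answer above calls for a more restrictive Windows firewall policy on the external interface plus SSL/TLS adjustments, and the troubleshooting reply above depends on ICMPv6 being allowed inbound on every WFAS profile. The following PowerShell audit is an added example, not code from this thread or from the DirectAccess product; it assumes it is run elevated on the DirectAccess server, that the DMZ-facing adapter alias passed as -ExternalAlias (constructed default "External") sits in the Public profile, and that the Schannel registry keys it checks are the ones Windows uses for server-side protocol control.

```powershell
# Added audit for a two-NIC DirectAccess server (example, not from the thread).
# Reports findings; pass -Remediate to apply the fixes. Run elevated on the DA server.
param(
    [string]$ExternalAlias = 'External',   # assumed alias of the DMZ-facing NIC
    [switch]$Remediate                     # apply fixes instead of only reporting
)
$findings = @()

# 1. The external NIC should land in the Public profile so the restrictive policy applies to it.
$category = (Get-NetConnectionProfile -InterfaceAlias $ExternalAlias -ErrorAction Stop).NetworkCategory
if ($category -ne 'Public') { $findings += "External NIC is in '$category', expected Public" }

# 2. Public profile: default-deny unsolicited inbound traffic and log what is dropped.
$public = Get-NetFirewallProfile -Name Public
if ($public.DefaultInboundAction -ne 'Block' -or $public.LogBlocked -ne 'True') {
    $findings += 'Public profile does not block-and-log unsolicited inbound traffic'
    if ($Remediate) { Set-NetFirewallProfile -Name Public -DefaultInboundAction Block -LogBlocked True }
}

# 3. ICMPv6 Echo Request (type 128) must be allowed inbound on all profiles, otherwise
#    DA clients cannot ping the DNS64 address and the IPv6 transition tunnels misbehave.
$echoRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $f = $_ | Get-NetFirewallPortFilter; $f.Protocol -eq 'ICMPv6' -and $f.IcmpType -contains '128' }
$coversAll = $echoRules | Where-Object { $_.Profile -eq 'Any' }   # 'Any' = every profile
if (-not $coversAll) {
    $findings += 'No enabled inbound ICMPv6 Echo Request rule covers all profiles'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName 'DirectAccess ICMPv6 Echo Request (In, all profiles)' `
            -Direction Inbound -Protocol ICMPv6 -IcmpType 128 -Action Allow -Profile Any | Out-Null
    }
}

# 4. Schannel: legacy protocols should be explicitly disabled server-side, since the
#    IP-HTTPS listener on the external NIC is the SSL/TLS surface exposed to the internet.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    $key = Join-Path $base "$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -ne 0) {
        $findings += "$proto is not explicitly disabled for the server side"
        if ($Remediate) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

    A Schannel change only takes effect after a reboot, and the DNS64 reachability check itself (ping the address ending in 3333::1) is still done from the client, as the reply above describes.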
  • I have good news, another Windows 10 device works so it turns out my Windows 10 Surface just doesn't want to play. Thanks for the advice (and your blog) Richard.
    Tuesday, August 23, 2016 4:43 PM
  • My pleasure. Thanks! :)
    Saturday, August 27, 2016 2:37 PM