Direct Access 2012 Advanced Logging!

Some time back I had a debate with one of the information security teams on Direct Access 2012, the next-generation remote access solution. They pointed out some of the security risks in Direct Access. The major ones were as follows:

1. The IP-HTTPS connection doesn't display the ISP IP information when Direct Access clients connect to the corporate network via the internet.

2. How to get information on how long the DA client was connected via the internet.

3. How to track which resources were accessed in the corporate network via the Direct Access client.

The answers to the above concerns, raised by most security teams, are available in Direct Access 2012, and trust me, the security teams will be well convinced by Direct Access advanced logging.

The ISP public IP information is not displayed in the Direct Access console for IP-HTTPS traffic because of the SSL/TLS encryption; hence it cannot be displayed in the Direct Access Management console.

But this information can be fetched from component event logging on the Direct Access server. Below are the logs you need to check in Event Viewer to fetch this information for audit purposes; these can also be integrated with SIEMs.

The following event logs are used:

  • IPHLPSVC Operational event log
  • Base-Filtering-Engine (BFE) Connections Operational log
  • Base-Filtering-Engine (BFE) Resource Flows Operational log
  • WinNAT Operational log
  • Security event log
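As an added example (not code from the original post), this PowerShell snippet enables the component logs listed above and exports a day of their events for the SIEM. The wildcard channel patterns and the output path are assumptions; confirm the channel names on your server with `Get-WinEvent -ListLog *`.

```powershell
# Added example, not code from the original post: enable the component logs
# listed above and export 24 hours of their events for the SIEM.
# Channel names are matched by wildcard; the patterns are assumptions, confirm
# them with: Get-WinEvent -ListLog *
$patterns = '*Iphlpsvc*', '*Base-Filtering-Engine-Connections*',
            '*Base-Filtering-Engine-Resource-Flows*', '*WinNat*'
$logs = Get-WinEvent -ListLog $patterns -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -like '*/Operational' }

foreach ($log in $logs) {
    # operational channels are often disabled by default; enable and persist
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
        Write-Host "Enabled $($log.LogName)"
    }
}

$start  = (Get-Date).AddHours(-24)
$events = @(foreach ($name in @($logs.LogName)) {
    Get-WinEvent -FilterHashtable @{ LogName = $name; StartTime = $start } -ErrorAction SilentlyContinue
})
# Security log: logon (4624) and logoff (4634) pairs give the session duration per user
$events += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $start } -ErrorAction SilentlyContinue)

$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message |
    Export-Csv -Path "$env:TEMP\da-component-events.csv" -NoTypeInformation
```

Run it elevated on the Direct Access server; the CSV is a convenient hand-off format when the SIEM agent is not yet reading these channels directly.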

I would suggest having a look at a very informative article shared by Martin J Solis on the TechNet blog on advanced logging in Direct Access 2012.

http://blogs.technet.com/b/martin_j_solis/archive/2015/03/20/additional-way-to-monitor-directaccess-machine-user-activity-on-windows-2012-and-2012r2-directaccess-with-component-even-logging.aspx

Cheers !

Sohail

Microsoft Direct Access 2012 – It's not that Complicated!

Microsoft came up with this remote access solution named "Direct Access" on the Windows 2008 R2 platform. It was very hard for IT administrators to adopt this technology, as an IPv6 network infrastructure was a mandatory requirement.

But with Windows 2012 Microsoft has eliminated the IPv6 network infrastructure requirement. Now Direct Access can be deployed with a few clicks! Sounds simple, but a few administrators still face issues while configuring Direct Access 2012.

Here are some suggestions:

First of all you would require a Windows 2012 server with recent patches. The network placement plays the key role here; the most secure way is to keep your server in the DMZ zone behind NAT, meaning your private DMZ IP will be bound to a public IP behind the edge firewall. Microsoft Direct Access 2012 allows you to configure it using a single NIC behind NAT or dual NICs behind NAT.

Single NIC is pretty straightforward, but the drawback is that you need to open lots of ports for your Direct Access clients to access internal resources from the internet. This is a little painful if you have a huge number of applications, and some applications like Outlook which run on random ports can force you to open a wide range of ports, which you may have to justify to the information security folks.

Best practice would be to go with the dual-NIC-behind-NAT topology: one NIC connected to the internal network and a second one connected to the DMZ network as the external NIC.

Internal NIC: will have an IP and subnet, BUT NO GATEWAY; you will also have to assign the internal DNS servers to this NIC. External NIC: will have an IP, subnet and the DMZ gateway; NO DNS HERE.

You may ask: without a gateway, how will the internal NIC communicate with the internal network? You are right, it can't. But you may be aware that only one default gateway can be assigned when you have dual NICs enabled, so for the internal NIC you would need to add routes using the route add command. The syntax would be somewhat like what I have mentioned below.

route add 10.0.0.0 mask 255.0.0.0 YOURGATEWAYIP -p

This will allow your internal NIC to communicate with the internal network; now you can go ahead and join your Direct Access server to the domain.

Once this is done, initiate the configuration of the Direct Access server. You may receive an error stating that both NICs are in the Domain profile. That's a problem! The reason for this is that most network administrators keep Active Directory ports open for all VLANs including the DMZ; since the DMZ NIC here is acting as the external network, it should have the Public profile instead of Domain. The profile is Domain because your DMZ NIC IP has connectivity to the Active Directory ports, so all you need to do is break this connectivity by blocking LDAP port 389 from your DMZ IP to the AD IP addresses on your internal-leg firewall. After this, your external NIC will be classified as Public.

Make sure the Direct Access public IP is registered in external DNS before you configure Direct Access.

After this, just a few clicks and you are done!
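As an added example (not code from the original post), the following PowerShell check verifies the dual-NIC layout described above before you run the Direct Access wizard: no gateway and internal DNS on the internal NIC, gateway and no DNS on the external NIC, the persistent route, and the Public profile on the DMZ leg. The interface aliases, internal prefix and gateway address are assumptions.

```powershell
# Added example, not code from the original post: check the dual-NIC-behind-NAT
# layout above before running the Direct Access wizard. Interface aliases,
# the internal prefix and the gateway are assumptions; rename them for your server.
$internal   = 'Internal'
$external   = 'External'
$intPrefix  = '10.0.0.0/8'
$intGateway = '10.0.0.1'      # YOURGATEWAYIP from the route add line
$issues     = @()

$int = Get-NetIPConfiguration -InterfaceAlias $internal
$ext = Get-NetIPConfiguration -InterfaceAlias $external
$intDns = (Get-DnsClientServerAddress -InterfaceAlias $internal -AddressFamily IPv4).ServerAddresses
$extDns = (Get-DnsClientServerAddress -InterfaceAlias $external -AddressFamily IPv4).ServerAddresses

# Internal NIC: IP and internal DNS, but no default gateway
if ($int.IPv4DefaultGateway)      { $issues += "$internal has a default gateway" }
if (-not $intDns)                 { $issues += "$internal has no DNS servers" }

# External (DMZ) NIC: IP and DMZ gateway, but no DNS
if (-not $ext.IPv4DefaultGateway) { $issues += "$external has no default gateway" }
if ($extDns)                      { $issues += "$external must not have DNS servers" }

# The 'route add ... -p' line must exist as a persistent route on the internal NIC
$route = Get-NetRoute -DestinationPrefix $intPrefix -PolicyStore PersistentStore -ErrorAction SilentlyContinue |
         Where-Object { $_.InterfaceAlias -eq $internal -and $_.NextHop -eq $intGateway }
if (-not $route) { $issues += "No persistent route for $intPrefix via $intGateway on $internal" }

# The DMZ NIC must be classified Public; DomainAuthenticated means it still reaches AD (port 389)
$category = (Get-NetConnectionProfile -InterfaceAlias $external).NetworkCategory
if ($category -ne 'Public') { $issues += "$external profile is $category, expected Public" }

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'Dual-NIC layout checks passed' }
```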

Cheers to MS for bringing such an amazing remote access solution!

Soon to come: How to install Direct Access with least privileges. Stay connected!

Please feel free to comment if you have any queries on the above topic.

How to Restore a Deleted AD User using LDP!

Many AD administrators choose the authoritative restore method or restore tools to restore a deleted user object in Active Directory. I would like to share how useful ldp.exe can be to browse the Directory Services database and restore a deleted AD user object. You need Domain Administrator rights to restore a deleted object from AD.

1. We have a user named abc in the av.com AD; let's delete it so that I can demonstrate restoring it using ldp.

Now let's log in to the domain controller, open the Run window and type the ldp command; this will launch the ldp console. After that, follow the steps I have performed in the snapshots below.

Wow! We restored the deleted user named abc, but you will see a red X mark on the restored user. Don't worry about it; you just need to right-click the restored account and click Enable, and you are done!
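For readers who want the same tombstone reanimation that the ldp.exe dialogs perform but scripted, here is an added example (not code from the original post) using System.DirectoryServices.Protocols. The domain av.com and user abc come from the post; the DC name and the target container are assumptions, and the final step needs the ActiveDirectory module.

```powershell
# Added example, not code from the original post: reanimate the tombstone of
# user abc in av.com the way the ldp.exe modify dialog does. The DC name and
# the container the object is restored into are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc        = 'dc01.av.com'                 # assumption
$baseDn    = 'DC=av,DC=com'
$newParent = 'CN=Users,DC=av,DC=com'       # assumption: live container to restore into
$sam       = 'abc'

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.Sealing = $true       # encrypt the session with the current Kerberos identity
$conn.Bind()

# LDAP_SERVER_SHOW_DELETED_OID (the "Extended" checkbox in ldp) makes tombstones
# visible to both the search and the modify below
$showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl(
    '1.2.840.113556.1.4.417', $null, $true, $true)

$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $baseDn, "(&(isDeleted=TRUE)(sAMAccountName=$sam)(objectClass=user))", 'Subtree', 'distinguishedName')
$search.Controls.Add($showDeleted) | Out-Null
$entry = $conn.SendRequest($search).Entries | Select-Object -First 1
if (-not $entry) { throw "No tombstone for $sam found; it may have passed the tombstone lifetime" }

# Reanimation is one modify with two changes: delete isDeleted and replace
# distinguishedName with a DN under a live container
$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = 'Delete'
$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'
$setDn.Operation = 'Replace'
$setDn.Add("CN=$sam,$newParent") | Out-Null

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest(
    $entry.DistinguishedName, @($delIsDeleted, $setDn))
$modify.Controls.Add($showDeleted) | Out-Null
$conn.SendRequest($modify) | Out-Null

# The reanimated account comes back disabled (the red X in the post), so enable it
Enable-ADAccount -Identity "CN=$sam,$newParent"
```

Only attributes preserved on the tombstone (sAMAccountName, SID, objectClass and a few others) come back; group memberships and most other attributes have to be repopulated afterwards.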

NOTE: This was done in a lab environment. Plan appropriately if you are going to use this on a production DC.

Cheers !

Sohail

Identify and Fix Memory Leak Issues!

First of all – what are Pool Resources?  When a machine boots up, the Memory Manager creates two dynamically sized memory pools that kernel-mode components use to allocate system memory. These two pools are known as the Paged Pool and NonPaged Pool.  Each of these pools start at an initial size that is based upon the amount of physical memory present in the system.  Pool memory is a subset of available memory and is not necessarily contiguous.  If necessary, these pools can grow up to a maximum size that is determined by the system at boot time.

So – what distinguishes Paged Pool and NonPaged Pool memory?  The first difference is that Paged Pool is exactly what its name implies – it can be paged out.  The NonPaged Pool cannot be paged out.  Drivers use the NonPaged Pool for many of their requirements because they can be accessed at any Interrupt Request Level (IRQL).  The IRQL defines the hardware priority at which a processor operates at any given time.

Here’s where things get really interesting – what happens to a system when these Pool Resources get depleted?  Some of the most common symptoms exhibited are:

  • the machine becomes sluggish
  • users can no longer log on to the machine
  • console access is sluggish
  • users cannot connect to file shares or other shared resources
  • system hangs including the console itself being unresponsive

Symptoms such as these are usually the first indication that something is causing an issue with the machine.

If the NonPaged Pool on a server has become depleted, the machine will log an Event in the System Log as shown below:

Event ID 2019
Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2019
Description: The server was unable to allocate from the system NonPaged pool because the pool was empty.

Paged Pool Depletion is logged as an Event 2020:

Event ID 2020
Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2020
Description: The server was unable to allocate from the system paged pool because the pool was empty.

What are these error messages telling us beyond the fact that there is an issue with Pool Depletion?  A common misunderstanding of this message is that the problem is being caused by the Server Service (srv.sys).  Usually the Server Service is the first component to experience the issue because it is trying to satisfy a request and cannot allocate the appropriate Pool Memory.

What these mean is that other components that have already been assigned NonPaged pool memory by the system are not releasing it. When a component keeps it engaged for a long time, the system is unable to satisfy NonPaged pool requests from other applications. This eventually leads to the system halting, freezing, or being unable to execute any new application.

Restarting the server resolves the issue because after a restart the NonPaged pool becomes free. But if you are getting these alerts too often, that means a driver is leaking memory, or maybe the NonPaged pool settings are not optimal. This needs to be checked and fixed.
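As an added example (not code from the original post), this PowerShell snippet detects the Event 2019/2020 entries described above and reports current pool usage plus the processes holding the most NonPaged memory, so the trend can be watched across reboots rather than waiting for the server to freeze. The 7-day window is an assumption.

```powershell
# Added example, not code from the original post: find Srv 2019/2020 pool
# depletion events and report current Paged/NonPaged pool usage. The 7-day
# lookback is an assumption.
function Get-PoolDepletionEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Srv'
        Id           = 2019, 2020
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Pool'; e = { if ($_.Id -eq 2019) { 'NonPaged' } else { 'Paged' } } }
}

function Get-PoolUsage {
    # Kernel pool counters; a NonPaged figure that only ever grows between reboots
    # points at a leaking driver rather than transient load
    $samples = (Get-Counter '\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes').CounterSamples
    [pscustomobject]@{
        NonPagedMB = [math]::Round(($samples | Where-Object Path -like '*Nonpaged*').CookedValue / 1MB, 1)
        PagedMB    = [math]::Round(($samples | Where-Object Path -like '*Pool Paged*').CookedValue / 1MB, 1)
        # Processes whose kernel-side objects hold the most NonPaged memory (the NPM column of Get-Process)
        TopNonPaged = Get-Process | Sort-Object NonpagedSystemMemorySize64 -Descending |
            Select-Object -First 5 Name, Id,
                @{ n = 'NonPagedKB'; e = { [int]($_.NonpagedSystemMemorySize64 / 1KB) } }
    }
}

$events = @(Get-PoolDepletionEvents)
if ($events.Count -gt 0) {
    Write-Warning "$($events.Count) pool depletion event(s) in the last 7 days; a driver leak is likely if this repeats across reboots"
    $events | Format-Table -AutoSize
}
Get-PoolUsage | Format-List
```

To attribute a confirmed leak to a specific driver, the next step is pool tagging with poolmon from the Windows Driver Kit, which this snippet does not replace.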