Direct Access 2012 Advanced Logging!

Some time back I had a debate with one of the information security teams about Direct Access 2012, the next-generation remote access solution. They pointed out some security risks in Direct Access. The major ones were as follows:

1. The IP-HTTPS connection doesn't display the ISP (public) IP information when Direct Access clients connect to the corporate network over the Internet.

2. How to get information on how long a DA client was connected via the Internet.

3. How to track which resources in the corporate network were accessed via a Direct Access client.

The answers to the above concerns, raised by most security teams, are available in Direct Access 2012, and trust me, the security teams will be well convinced by the Direct Access advanced logging.

The ISP public IP information is not displayed in the Direct Access console for IP-HTTPS traffic because of the SSL/TLS encryption, hence it cannot be shown in the Direct Access Management console.

But this information can be fetched from the component event logging on the Direct Access server. Below are the logs you need to check in Event Viewer to fetch this information for audit purposes; these can also be forwarded to a SIEM.

The following event logs are used:

  • IPHLPSVC Operational event log
  • Base-Filtering-Engine (BFE) Connections Operational log
  • Base-Filtering-Engine (BFE) Resource Flows Operational log
  • WinNAT Operational log
  • Security event log
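As an added example (not from the original post), here is a PowerShell script that enables the component logs listed above on a DA server, pulls the last N hours of events from them, and exports them to CSV for a SIEM or an auditor. The full channel names and the output path are assumptions; confirm them with `Get-WinEvent -ListLog *` on your own server.

```powershell
# Added example, not part of the original post. Run on the DirectAccess server.
param(
    [int]$Hours = 24,
    [string]$OutDir = 'C:\DALogs'   # assumed output folder
)

# Assumed full channel names for the logs named in the post.
$channels = @(
    'Microsoft-Windows-Iphlpsvc/Operational',
    'Microsoft-Windows-Base-Filtering-Engine-Connections/Operational',
    'Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational',
    'Microsoft-Windows-WinNat/Operational'
)

# These operational channels are typically disabled by default;
# enable them and give them room (100 MB) so data is not lost overnight.
foreach ($c in $channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if ($null -eq $log) { Write-Warning "Channel not found: $c"; continue }
    if (-not $log.IsEnabled) {
        wevtutil sl $c /e:true /ms:104857600
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddHours(-$Hours)

# Export each component log for the time window, one CSV per channel.
foreach ($c in $channels) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $c; StartTime = $since } `
        -ErrorAction SilentlyContinue
    if (-not $events) { continue }
    $file = Join-Path $OutDir (($c -replace '[/\\]', '_') + '.csv')
    $events |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Message'; e = { $_.Message -replace '\r?\n', ' ' } } |
        Export-Csv -NoTypeInformation -Path $file
}

# Security log: WFP "permitted a connection" events (ID 5156) record the
# per-flow source/destination, but only when the "Filtering Platform
# Connection" audit subcategory is enabled (check: auditpol /get /category:*).
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } `
    -ErrorAction SilentlyContinue
if ($sec) {
    $sec | Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message -replace '\r?\n', ' ' } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'Security_5156.csv')
}
```

The CSVs give you the public client address, connection timestamps for duration, and the internal resources reached, which are the three points the security team raised.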

I would suggest having a look at the very informative post shared by Martin J Solis on the TechNet blog about advanced logging in Direct Access 2012:

http://blogs.technet.com/b/martin_j_solis/archive/2015/03/20/additional-way-to-monitor-directaccess-machine-user-activity-on-windows-2012-and-2012r2-directaccess-with-component-even-logging.aspx

Cheers !

Sohail
