DirectAccess: Forcing Encryption for ICMPv6 Traffic

By default, the DirectAccess Setup Wizard creates Group Policy objects for DirectAccess clients and servers for settings that allow the following behaviors:

  • Internet Control Message Protocol (ICMP) traffic, for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), is exempted from Internet Protocol security (IPsec) protection
  • Teredo discovery traffic does not travel within the IPsec tunnels between DirectAccess clients and servers on the intranet

These default settings allow Teredo-based DirectAccess clients to perform Teredo discovery of intranet resources. However, these settings also allow the following:

  • Any computer with a Teredo or 6to4 client can send Internet Control Message Protocol for IPv6 (ICMPv6) traffic to intranet locations through the DirectAccess server to probe for valid intranet destination IPv6 addresses. The amount of this traffic is limited by the Denial of Service Protection (DoSP) component of the DirectAccess server.
  • A malicious user on the same subnet as a Teredo-based DirectAccess client can determine the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and Echo Reply message exchanges using a network analysis tool, sometimes referred to as a "network sniffer"

To prevent these possible security issues, you can modify the default configuration for the following:

  • Configure the global IPsec settings for the Group Policy object for DirectAccess clients to not exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).
  • Configure the global IPsec settings for the Group Policy object for the DirectAccess server to not exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the properties of the Windows Firewall with Advanced Security snap-in).
  • For the Group Policy object for the DirectAccess server, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled from the DirectAccess server.
  • For the Group Policy object for DirectAccess clients, create a new connection security rule that exempts ICMPv6 traffic when it is tunneled to the DirectAccess server.

With these modifications:

  • All ICMPv6 traffic sent through the DirectAccess server must be sent through an IPsec tunnel mode tunnel. As a result, only DirectAccess clients can send ICMPv6 traffic to intranet locations.
  • Malicious users on the same subnet as the DirectAccess client will only be able to determine the IPv6 addresses of the DirectAccess client and the DirectAccess server. Intranet IPv6 addresses will be tunneled and encrypted with IPsec.

Although these modifications address the security issues of the default configuration, Teredo discovery messages can no longer pass through the DirectAccess server and DirectAccess clients cannot use Teredo as a connectivity method. Therefore, if you make these changes, you must also do the following:

  • Disable Teredo client functionality on your DirectAccess clients
    From the Group Policy object for DirectAccess clients, set Computer Configuration\Administrative Templates\Networking\TCPIP Settings\IPv6 Transition Technologies\Teredo State to Disabled.
  • Disable Teredo server and relay functionality on your DirectAccess server
    Type the netsh interface teredo set state disabled command from an administrator-level command prompt on your DirectAccess server.
    If you previously added a packet filter on your Internet firewall to allow Teredo traffic to and from the DirectAccess server, remove it.

Without Teredo connectivity, DirectAccess clients that are located behind network address translators (NATs) will use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) for IPv6 connectivity to the DirectAccess server. However, IP-HTTPS-based connections have lower performance and higher encryption and protocol overhead than Teredo-based connections.

Forcing Encryption of IPv6 ICMP Traffic

As described above, the default settings created by the DirectAccess Setup Wizard allow the following:

  • Any computer with a Teredo or 6to4 client can send Internet Control Message Protocol for IPv6 (ICMPv6) traffic to intranet locations through the DirectAccess server to probe for valid intranet destination IPv6 addresses. The amount of this traffic is limited by the Denial of Service Protection (DoSP) feature of the DirectAccess server.
  • A malicious user on the same subnet as a Teredo-based DirectAccess client can determine the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and Echo Reply message exchanges.

This procedure allows you to prevent these possible security issues.

To complete the following procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify Group Policy settings. Review details about using the appropriate accounts and group memberships at Active Directory Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

WARNING:
The following custom settings must be applied each time you run the DirectAccess wizard. This applies to both the Windows DirectAccess Wizard and the UAG DirectAccess Wizard. If you make policy changes using the DirectAccess Wizard and deploy the new policies to the DirectAccess server(s) and clients, you must perform the following procedure after making the policy changes. If you do not perform the following procedure each time after making a policy change through the Windows or UAG DirectAccess wizard, your settings will be overwritten and IPv6 ICMP traffic will again be allowed to travel in the clear and outside of an IPsec tunnel mode tunnel.

To confine ICMPv6 traffic to the intranet

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the following commands:

    set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"

    consec show rule name="DirectAccess Policy-ClientToDnsDc"

    consec show rule name="DirectAccess Policy-ClientToCorp"

  4. From the display of the last two commands, copy or write down the IPv6 addresses for the RemoteTunnelEndpoint.

  5. From the netsh advfirewall prompt, run the following commands:

    set global ipsec defaultexemptions neighbordiscovery,dhcp

    consec add rule name="Exempt ICMPv6 to Tunnel endpoint" profile=private,public action=noauthentication mode=tunnel endpoint1=any endpoint2=IPv6AddressesOfTheRemoteTunnelEndpoints protocol=icmpv6

    set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"

    set global ipsec defaultexemptions neighbordiscovery,dhcp

    consec add rule name="Exempt ICMPv6 from Tunnel endpoint" profile=private,public action=noauthentication mode=tunnel endpoint1=IPv6AddressesOfTheRemoteTunnelEndpoints endpoint2=any protocol=icmpv6

  6. Click Start, type gpmc.msc, and then press ENTER.

  7. In the console tree, open Forest/Domains/YourDomain, right-click the DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12} GPO, and then click Edit.

  8. In the console tree of the Group Policy Management Editor, open Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security.

  9. Right-click Windows Firewall with Advanced Security, and then click Properties.

  10. Click the IPsec Settings tab. In IPsec exemptions, in Exempt ICMP from IPsec, click No, and then click OK.

  11. Close the Group Policy Management Editor.

  12. In the console tree of the Group Policy Management console, open Forest/Domains/YourDomain, right-click the DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} GPO, and then click Edit.

  13. In the console tree of the Group Policy Management Editor, open Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security.

  14. Right-click Windows Firewall with Advanced Security, and then click Properties.

  15. Click the IPsec Settings tab. In IPsec exemptions, in Exempt ICMP from IPsec, click No, and then click OK.
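The following PowerShell script is an added example and is not code from the original page or from Microsoft. It automates steps 2 through 5 of the procedure above (and the four configuration changes listed in the first section, since the set global ipsec defaultexemptions line that omits icmp is the netsh equivalent of the Exempt ICMP from IPsec = No setting made in steps 6 through 15). It assumes a placeholder domain name (corp.example.com), the default GPO names and GUIDs that the DirectAccess Setup Wizard creates as shown on this page, and that consec show rule prints a RemoteTunnelEndpoint: line on an English-language system; all three are assumptions and are marked as such in the comments. Because set store gpo= only lasts for one netsh session, the commands are written to a script file and run with netsh -f instead of one netsh call per command.

```powershell
# Added example, not part of the original page. Run from an elevated PowerShell
# prompt as a Domain Admin on a domain controller, after every run of the
# Windows or UAG DirectAccess wizard (the wizard overwrites these settings).
#
# Assumptions (not from the page): $Domain is a placeholder you must replace;
# the GPO names/GUIDs are the wizard defaults listed on the page; the parser
# keys on the "RemoteTunnelEndpoint:" label printed by an English netsh build.

$Domain    = 'corp.example.com'   # assumption: replace with your domain's DNS name
$ClientGpo = "$Domain\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
$ServerGpo = "$Domain\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"

function Invoke-NetshScript {
    # Runs several netsh commands in ONE netsh session via 'netsh -f', so the
    # 'set store gpo=' selection persists for the commands that follow it
    # (separate netsh.exe invocations would each fall back to the local store).
    param([Parameter(Mandatory)][string[]]$Lines)
    $file = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $file -Value $Lines -Encoding ASCII
        $output = & netsh.exe -f $file 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "netsh -f failed (exit $LASTEXITCODE):`n$($output -join "`n")"
        }
        return @($output | ForEach-Object { "$_" })
    } finally {
        Remove-Item $file -ErrorAction SilentlyContinue
    }
}

function Get-RemoteTunnelEndpoints {
    # Steps 3-4: extract the RemoteTunnelEndpoint addresses from the output of
    # 'consec show rule' for the two wizard-created tunnel rules. These are the
    # DirectAccess server's IPv6 tunnel endpoints that the exemption rules need.
    param([Parameter(Mandatory)][string[]]$ShowOutput)
    $found = foreach ($line in $ShowOutput) {
        if ($line -match '^\s*RemoteTunnelEndpoint:\s*(\S+)\s*$') { $Matches[1] }
    }
    $addrs = @($found | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique)
    if ($addrs.Count -eq 0) {
        throw 'No RemoteTunnelEndpoint found. Check the domain name, GPO name and store.'
    }
    foreach ($a in $addrs) {
        # Fail closed: exempting "any" or an IPv4 value would open far more
        # ICMPv6 than the two narrow rules on the page are meant to allow.
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($a, [ref]$ip) -or
            $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
            throw "Unexpected tunnel endpoint value '$a' (expected an IPv6 address)."
        }
    }
    return $addrs
}

# Steps 2-4: read the tunnel endpoints from the client GPO.
$show = Invoke-NetshScript -Lines @(
    'advfirewall',
    "set store gpo=`"$ClientGpo`"",
    'consec show rule name="DirectAccess Policy-ClientToDnsDc"',
    'consec show rule name="DirectAccess Policy-ClientToCorp"'
)
$endpoints = (Get-RemoteTunnelEndpoints -ShowOutput $show) -join ','
Write-Host "Remote tunnel endpoint(s): $endpoints"

# Step 5: remove the ICMP exemption in both GPOs (icmp is left out of the
# exemption list) and add the two rules that exempt only ICMPv6 to/from the
# tunnel endpoints, so everything else must ride inside the IPsec tunnel.
$result = Invoke-NetshScript -Lines @(
    'advfirewall',
    "set store gpo=`"$ClientGpo`"",
    'set global ipsec defaultexemptions neighbordiscovery,dhcp',
    "consec add rule name=`"Exempt ICMPv6 to Tunnel endpoint`" profile=private,public action=noauthentication mode=tunnel endpoint1=any endpoint2=$endpoints protocol=icmpv6",
    "set store gpo=`"$ServerGpo`"",
    'set global ipsec defaultexemptions neighbordiscovery,dhcp',
    "consec add rule name=`"Exempt ICMPv6 from Tunnel endpoint`" profile=private,public action=noauthentication mode=tunnel endpoint1=$endpoints endpoint2=any protocol=icmpv6",
    # Verification: show the server-side rule so the run leaves evidence that the
    # exemption is in the GPO, not just in the local policy store.
    'consec show rule name="Exempt ICMPv6 from Tunnel endpoint"'
)
$result | Write-Host
if (-not ($result -match 'Exempt ICMPv6 from Tunnel endpoint')) {
    throw 'Verification failed: the exemption rule is not present in the server GPO.'
}
```

Note that the script only writes the GPOs; the settings still reach the DirectAccess server and clients at the next Group Policy refresh (or gpupdate /force). As the warning above says, every run of the Windows or UAG DirectAccess wizard rewrites these GPOs, so keep the script with your deployment and rerun it after each wizard run, then confirm from a client that ping to an intranet host still works through the tunnel while an untunneled ICMPv6 probe from a non-DirectAccess Teredo or 6to4 host is dropped.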