70-299 : Module 12 : Securing Remote Access

Lesson 2: Configuring Remote Access Servers

On remote access clients, you specify the minimum authentication and encryption levels that the client will accept. On the server, you specify the authentication and encryption levels that it will offer to the client. The client and server will then negotiate and choose the authentication and encryption levels with the highest level of security that both are compatible with. If the server doesn’t allow authentication or encryption levels that meet the client’s requirements, or if the client doesn’t support the server’s minimum authentication and encryption levels, the remote access will fail.
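The negotiation described above can be modelled as a small function: the client contributes a minimum level and the set of levels it can use, the server contributes the set of levels it offers, and the result is the strongest level in both sets that meets the client's minimum. This is an added example, not code from the training kit; the ordering of authentication methods and encryption strengths below is an assumption made for illustration (PPP drives the real negotiation), but it reproduces the two failure cases the text names.

```python
from enum import IntEnum
from typing import Iterable, Optional, Tuple

# Assumed rankings, weakest to strongest, for illustration only.
class Auth(IntEnum):
    PAP = 1
    CHAP = 2
    MS_CHAP = 3
    MS_CHAP_V2 = 4
    EAP_TLS = 5


class Encryption(IntEnum):
    NONE = 0
    BASIC = 1
    STRONG = 2
    STRONGEST = 3


def negotiate(client_min: int, client_supported: Iterable[int],
              server_offered: Iterable[int]) -> Optional[int]:
    """Pick the strongest level both sides accept.

    client_min:       the minimum the client will accept (client-side setting).
    client_supported: every level the client is able to use.
    server_offered:   every level the server is configured to offer.
    Returns None when no level satisfies both sides, i.e. the connection fails.
    """
    mutual = set(client_supported) & set(server_offered)
    acceptable = {level for level in mutual if level >= client_min}
    return max(acceptable) if acceptable else None


def connect(client: dict, server: dict) -> Optional[Tuple[Auth, Encryption]]:
    """Negotiate authentication and encryption; both must succeed."""
    auth = negotiate(client["min_auth"], client["auth"], server["auth"])
    enc = negotiate(client["min_enc"], client["enc"], server["enc"])
    if auth is None or enc is None:
        return None
    return Auth(auth), Encryption(enc)


# Constructed sample settings.
CLIENT = {
    "min_auth": Auth.MS_CHAP_V2, "auth": {Auth.MS_CHAP, Auth.MS_CHAP_V2},
    "min_enc": Encryption.STRONG, "enc": {Encryption.STRONG, Encryption.STRONGEST},
}
SERVER_OK = {          # offers more than the client needs: strongest common wins
    "auth": {Auth.MS_CHAP, Auth.MS_CHAP_V2},
    "enc": {Encryption.BASIC, Encryption.STRONG, Encryption.STRONGEST},
}
SERVER_TOO_WEAK = {    # offers nothing that meets the client's minimum
    "auth": {Auth.PAP, Auth.CHAP},
    "enc": {Encryption.BASIC, Encryption.STRONG, Encryption.STRONGEST},
}
SERVER_TOO_STRICT = {  # its minimum (EAP-TLS only) is something the client cannot do
    "auth": {Auth.EAP_TLS},
    "enc": {Encryption.STRONGEST},
}

if __name__ == "__main__":
    for name, srv in (("ok", SERVER_OK), ("too weak", SERVER_TOO_WEAK),
                      ("too strict", SERVER_TOO_STRICT)):
        print(f"server {name:10} -> {connect(CLIENT, srv)}")
```

Both failures look the same to the user (the connection simply does not come up), so when troubleshooting compare the server's offered levels against the client's minimum in each direction rather than guessing which side is at fault.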

Configuring Authentication:
You create a remote access server by using the Routing And Remote Access Server Setup Wizard, as described in Exercise 1 of this lesson. This wizard does not provide the opportunity to configure authentication and encryption settings, however. To view or modify remote access server security settings after the initial configuration, open the properties dialog box for the server from the Routing And Remote Access console, and then click the Security tab.

As shown in Figure 12.4, the default settings for a dial-up or VPN server use Windows Authentication and Windows Accounting. These settings are compatible with the client’s default settings, which allows administrators who are not concerned with fine-tuning remote access security to bring the service online quickly. If you have decided to use a preshared key to authenticate L2TP/IPSec VPN connections, select the Allow Custom IPSec Policy For L2TP Connection check box, and then type a preshared key.

If you plan to use a RADIUS server, such as an IAS server, to authenticate users, click the Authentication Provider list and then click RADIUS Authentication. Then click the Configure button to create a list of RADIUS servers. Along with the IP address, shared secret, port number, and timeout configuration of each server, you will specify an Initial Score. The remote access server will attempt to contact RADIUS servers with a higher initial score first. As time goes on, the remote access server will keep track of the responsiveness of each RADIUS server and adjust that server’s score. Ultimately, this leads to efficient load balancing between multiple RADIUS servers, even if the servers have different processing capabilities.

Configuring Authorization:
After the credentials submitted with the remote access connection are authenticated, the connection must be authorized. Remote access authorization consists of two steps: first, verification of the dial-in properties of the user account submitted by the dial-up connection, and second, application of the first matching remote access policy (RAP).

User account properties
Dial-in properties, which apply to both direct dial-up and VPN connections, are configured on the Dial-In tab of the domain or local user account properties dialog box. If a user is authenticating with a domain account, a user account corresponding to the name sent through the dial-up connection must already exist in the domain. Dial-in properties for this account can thus be configured in the Active Directory Users And Computers console. If the user is dialing in to a standalone server, however, the account must already exist as a user account in the answering server’s local user database. Dial-in properties for this account can thus be configured in the Local Users And Groups snap-in within the Computer Management console.

The most important security setting on this tab is Remote Access Permission. Setting this to Allow Access or Deny Access controls whether the user will be allowed to connect remotely when no RAPs are specified. Selecting Control Access Through Remote Access Policy, the default for standalone computers and computers in a Windows Server 2003 domain, allows the Routing And Remote Access service or the RADIUS server to determine whether the user is allowed to connect. By default, RAPs block all remote access connections. The Control Access Through Remote Access Policy radio button is not available on domain user accounts unless the domain is at a Windows Server 2003 domain functional level.

Remote access policies
RAPs control how or whether a connection is authorized to the network. A RAP contains a set of policy conditions that determine whether that policy applies to a given connection request. If you are using IAS as a RADIUS server, you should create the RAPs by using the Internet Authentication Service console on the IAS server. Otherwise, create the RAPs by using the Routing And Remote Access console on the remote access server.

A typical use of a dial-up or VPN RAP is to create policy conditions that specify the Active Directory security group that a client must be a member of, the time of day, or the connection type of the requesting client. A RAP is also configured to allow or deny the connection request. If there are multiple RAPs on a server, each connection request is evaluated against them in priority order until a matching RAP either allows or denies the request.
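The two-step authorization described in this lesson (account dial-in permission first, then the first matching RAP in priority order, with RAPs blocking everything by default) is modelled below. This is an added example, not code from the training kit or from the Routing And Remote Access service. It assumes that a lower priority number is evaluated first, that an account set to Allow Access or Deny Access decides the request outright, and that the policy conditions (security group, time of day, connection type) and the sample accounts and policies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Sequence, Tuple

# Values of the account's Remote Access Permission on the Dial-In tab.
ALLOW_ACCESS = "Allow Access"
DENY_ACCESS = "Deny Access"
CONTROL_THROUGH_POLICY = "Control Access Through Remote Access Policy"


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    groups: FrozenSet[str]   # security groups the account belongs to
    hour: int                # hour of day (0-23) when the request arrives
    conn_type: str           # "vpn" or "dial-up"


@dataclass
class RemoteAccessPolicy:
    name: str
    priority: int            # assumption: lower number is evaluated first
    conditions: Tuple[Callable[[ConnectionRequest], bool], ...]
    grant: bool              # True: the RAP allows the request; False: it denies it

    def matches(self, req: ConnectionRequest) -> bool:
        # A RAP applies only when every one of its conditions holds.
        return all(cond(req) for cond in self.conditions)


def authorize(req: ConnectionRequest, account_permission: str,
              policies: Sequence[RemoteAccessPolicy]) -> Tuple[bool, str]:
    """Authorize an already-authenticated request.

    Returns (allowed, reason) so the decision can be logged with its cause.
    """
    # Step 1: the account's dial-in permission.
    if account_permission == ALLOW_ACCESS:
        return True, "account dial-in permission: Allow Access"
    if account_permission == DENY_ACCESS:
        return False, "account dial-in permission: Deny Access"
    # Step 2: Control Access Through Remote Access Policy -> first matching RAP wins.
    for rap in sorted(policies, key=lambda p: p.priority):
        if rap.matches(req):
            verb = "granted" if rap.grant else "denied"
            return rap.grant, f"{verb} by RAP '{rap.name}'"
    # No RAP matched: by default RAPs block the connection.
    return False, "no matching remote access policy (default deny)"


# Constructed policy conditions.
def business_hours(req: ConnectionRequest) -> bool:
    return 8 <= req.hour < 18

def is_vpn(req: ConnectionRequest) -> bool:
    return req.conn_type == "vpn"

def in_remote_workers(req: ConnectionRequest) -> bool:
    return "Remote Workers" in req.groups


# Constructed sample policies: the deny rule is deliberately ordered first.
SAMPLE_POLICIES = (
    RemoteAccessPolicy("Block VPN outside business hours", 1,
                       (is_vpn, lambda r: not business_hours(r)), grant=False),
    RemoteAccessPolicy("Allow Remote Workers", 2,
                       (in_remote_workers,), grant=True),
)

# Constructed sample requests.
ALICE_DAY = ConnectionRequest("alice", frozenset({"Remote Workers"}), 10, "vpn")
ALICE_NIGHT = ConnectionRequest("alice", frozenset({"Remote Workers"}), 22, "vpn")
BOB_DIALUP = ConnectionRequest("bob", frozenset({"Domain Users"}), 10, "dial-up")

if __name__ == "__main__":
    for req in (ALICE_DAY, ALICE_NIGHT, BOB_DIALUP):
        allowed, why = authorize(req, CONTROL_THROUGH_POLICY, SAMPLE_POLICIES)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{req.user:6} {req.conn_type:8} {req.hour:02d}:00 -> {verdict:5} ({why})")
```

Running it shows why policy order matters: alice's daytime VPN request is granted by the second RAP, her late-night request is stopped by the first RAP even though the second would have allowed it, and bob matches nothing and falls through to the default deny. Swapping the two priorities silently turns the night-time denial into a grant, which is the kind of change worth reviewing whenever a RAP is reordered.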
