Configuring Routing and Remote Access User Authentication

With remote access, you are basically opening the door for remote access clients to access the internal network. With remote access arises the topic of security. You must be able to allow certain "trusted" clients to have remote access while denying access to everyone else. You also want to ensure that the data that is being sent between a remote access client and a remote access server is secure. To meet these requirements, Windows Server 2003 supports a number of authentication and encryption protocols.

Configuring Remote Access Authentication Protocols

Windows Server 2003 supports a number of authentication protocols that can be used to authenticate dial-up clients. The supported protocols are as follows:
Using the Properties dialog box for the remote access server that is shown in Figure 5.5, you can configure which authentication protocol the remote access server can use to authenticate remote clients. Clicking the Authentication Methods button from the Security tab opens the Authentication Methods dialog box, from which you can select the authentication protocols that are available on the server.

Figure 5.5. You configure authentication methods by clicking the Authentication Methods button on the Security tab.
When you have enabled the authentication protocols at the server level, you can use the Authentication tab in the policy's Properties dialog box (see Figure 5.6) to specify which of the authentication protocols are available for each remote access policy. To do so, click the Remote Access Policies container, right-click the appropriate policy within the Details pane, and click Properties. You can access the Authentication tab by clicking the Edit Profile button.

Figure 5.6. Configuring authentication methods in a remote access policy via the Authentication tab.
Configuring Encryption Protocols

If you're sending sensitive data across the network, you might want to add another level of security by implementing some form of data encryption. The two types of encryption available are as follows:
Encryption for a dial-up connection is configured at the policy level. Right-click the remote access policy within the Details pane for the Remote Access Policies container. Open the Properties dialog box for the remote access policy, click the Edit Profile button, and select the Encryption tab (see Figure 5.7). Select one or more of the following encryption levels:
Figure 5.7. Configuring the encryption level for a profile.
Configuring Internet Authentication Services (IAS) to Provide Authentication for Routing and Remote Access Clients

As your networks increase in size, you might need to implement multiple remote access servers. To ease the administrative overhead of managing multiple RAS servers, you can implement a RADIUS server to centralize the authentication of remote access clients and the storage of accounting information. Windows Server 2003 can be configured for RADIUS by installing the Internet Authentication Service (IAS) through the Add/Remove Programs applet in the Control Panel. With IAS, a server can be configured as a RADIUS server and a RADIUS proxy.

When configured as a RADIUS server, RAS servers can forward authentication requests from RAS clients to the IAS server. IAS provides the benefit of centralizing user authentication and centralizing the storage of auditing and accounting information collected from the RAS servers. When RADIUS is implemented, the remote access server is configured as a RADIUS client. You can configure a RADIUS client when enabling routing and remote access. Any authentication requests to the remote access server are sent to the server running IAS. The server running IAS provides authentication, auditing, and accounting services for RADIUS clients.

When configured as a RADIUS proxy, an IAS server can forward authentication and accounting information to other RADIUS servers. The IAS server functions as a message router and forwards messages to another specified RADIUS server or client. Connection request-processing rules are configured to tell the IAS server where to forward the authentication request messages. Keep in mind that an IAS server can function as both a RADIUS server and a RADIUS proxy. Depending on the connection request-processing rules configured, some connection requests can be authenticated locally and others can be forwarded.
Installing IAS

IAS can be installed using the Add or Remove Programs applet within the Control Panel by performing the following steps:
When IAS has been installed, you can use the Internet Authentication Service MMC snap-in, which is located within the Administrative Tools menu, to configure IAS.

Configuring Routing and Remote Access Policies to Permit or Deny Access

A remote access policy enables you to control which users are permitted remote access to the network and specify the characteristics of the connection. In terms of remote access, Windows 2000 introduced some major changes from Windows NT 4.0. One of these changes is the use of remote access policies. Before Windows 2000, remote access was controlled through the Properties dialog box of a user account. Windows 2000 and now Windows Server 2003 use both user account properties and remote access policies to control remote access. With remote access policies, administrators can permit or deny connection attempts based on a number of criteria (such as the time of day or group membership), giving administrators much more flexibility and granular control. When a connection has been permitted, administrators can further control the session by defining the maximum session time and encryption settings. A remote access policy consists of the following elements, which work together to provide secure access to remote access servers:
When remote access is enabled, two default remote access policies are created automatically: Connections to Microsoft Routing and Remote Access Server and Connections to Other Access Servers. You can create additional policies by right-clicking the Remote Access Policies icon within the Routing and Remote Access management console and selecting the New Remote Access Policy option. The wizard offers the choice of creating a typical policy for a common scenario or creating a custom policy. The elements of a policy are discussed in the following section.

Managing Remote Access Conditions

Conditions define the parameters that must match those configured on the remote access client before the server will grant remote access. These can include parameters such as the time of day and Windows group membership. Before the permissions of a remote access policy are evaluated, the connection attempt must match the conditions within a remote access policy. For example, the conditions of the policy might specify that you must be a member of the Sales group. If the user account is a member of the Sales group, the conditions have been met and the policy evaluation continues by checking the permissions of the user account. If multiple policies are configured, the first policy that matches the conditions of the connection attempt is then further evaluated for permissions and profile settings. Table 5.2 summarizes some of the commonly used conditions that can be configured for a remote access policy.

Table 5.2. Conditions That Can Be Configured in a Remote Access Policy
To configure the conditions of a remote access policy, follow these steps:
Controlling Remote Access Permissions

If the connection attempt matches the conditions of a remote access policy, the permissions of that policy are then evaluated. The remote access permissions determine whether a specific user is granted or denied remote access. Windows Server 2003 uses a combination of the dial-in properties of a user account and the permissions in the remote access policy to determine whether the connection attempt is allowed. Remote access permissions can be explicitly allowed or denied through user account properties. When configuring remote access permissions using the Dial-In tab in the Properties dialog box for a user account, you have the following three options (see Figure 5.9):
Figure 5.9. Configuring remote access permissions through the user account properties.
If you explicitly allow remote access by selecting the Allow Access option, the connection attempt can still be denied if the properties configured for the user account do not match the remote access policy or if the profile settings are not met. If you choose to have the policy control remote access permissions, you can grant or deny permission through the policy's Properties window (see Figure 5.10). If you are using the default policy, remote access permission is denied by default. You must change this setting to allow access.

Figure 5.10. Controlling access through the remote access policy.
From the Dial-In tab, several other settings can be configured, including caller ID, callback options, and static IP routes. Again, if you configure the settings for the user account, they must match the settings configured on the client or the connection attempt will be denied.
Configuring a Remote Access Profile

The final element of the remote access policy is the remote access profile. When the remote access client has been granted permission, the profile determines the settings of the connection. Again, the settings in the profile must match those of the connection attempt or it will be denied. To configure the profile settings, click the Edit Profile button in the policy's Properties window. This opens the Edit Dial-In Profile dialog box, shown in Figure 5.11. Several tabs are available, as summarized in Table 5.3.

Figure 5.11. You can configure a remote access profile via a remote access policy.
Table 5.3. Remote Access Profile Settings
Evaluating Remote Access Policies

Given the many options and the complexity of remote access policy elements, it is important to have a good understanding of how policies are applied when a remote access client attempts a connection. Assuming that your domain functional level is Windows Server 2003, the following points outline the connection process:
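The following is an added illustration, not code from the book or from Windows: a small Python model of the evaluation order described in the Conditions, Permissions and Profile sections above (first matching policy wins, the account's Dial-In setting overrides the policy permission unless it defers to the policy, then the profile must be met). The policy, attempt and reason strings are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model (not from the book) of the evaluation order it describes:
# 1) the first policy whose conditions match the attempt is selected; no match = deny
# 2) the account's Dial-In setting (allow/deny) overrides the policy permission;
#    "control access through policy" defers to it
# 3) the selected policy's profile (auth protocol, encryption) must be met

@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)   # condition: Windows-Groups (empty = any)
    hours: range = range(24)                   # condition: Day-And-Time (hour of day)
    permission: str = "deny"                   # the default policy denies access
    auth: set = field(default_factory=lambda: {"MS-CHAP v2"})  # profile: Authentication tab
    require_encryption: bool = True            # profile: Encryption tab

@dataclass
class Attempt:
    user: str
    groups: set
    hour: int
    auth: str
    encrypted: bool

def conditions_match(p: Policy, a: Attempt) -> bool:
    return (not p.groups or bool(p.groups & a.groups)) and a.hour in p.hours

def evaluate(policies, dialin, a):
    """Return (accepted, reason); dialin maps user -> 'allow' | 'deny' | 'policy'."""
    policy = next((p for p in policies if conditions_match(p, a)), None)
    if policy is None:
        return False, "no policy conditions matched"
    setting = dialin.get(a.user, "policy")
    if setting == "deny":
        return False, "account Dial-In property denies access"
    if setting == "policy" and policy.permission != "grant":
        return False, f"policy {policy.name!r} denies access"
    if a.auth not in policy.auth:
        return False, f"profile of {policy.name!r} does not allow {a.auth}"
    if policy.require_encryption and not a.encrypted:
        return False, f"profile of {policy.name!r} requires encryption"
    return True, f"granted by {policy.name!r}"

# Constructed sample: a Sales policy listed ahead of the default RRAS policy
POLICIES = [
    Policy("Sales business hours", groups={"Sales"}, hours=range(8, 18), permission="grant"),
    Policy("Connections to Microsoft Routing and Remote Access server"),
]
DIALIN = {"alice": "policy", "bob": "allow", "carol": "deny"}
```

Note that an account set to Allow Access (bob) is still rejected when the matched profile does not permit its authentication protocol, and an account outside the policy's hours (alice at 20:00) falls through to the default policy, which denies.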
Configuring Routing and Remote Access for DHCP

As you saw when enabling RRAS, you can configure the remote access server with a range of IP addresses to assign to remote access clients. (If you do, make sure the range does not conflict with the range of IP addresses configured on the DHCP server, to avoid duplicate addresses.) You can also configure the RAS server to obtain IP addresses from the DHCP server to lease to clients. When you choose to use a DHCP server, the remote access server obtains, by default, 10 IP addresses to lease to clients. If all 10 IP addresses are in use, the remote access server obtains 10 more from the DHCP server. (10 is the default number but can be changed through the Registry.) The benefit of using DHCP with RAS is that IP address assignment remains centralized.

For DHCP to be used with RAS, the DHCP Relay Agent must be configured on the RAS server. When you configure the DHCP Relay Agent, clients still receive IP addresses from the RAS server, but they can use DHCPInform messages to obtain optional parameters, such as the IP addresses of WINS and DNS servers, directly from the DHCP server. The relay agent component allows the RAS server to relay the DHCPInform messages between the remote access clients and the DHCP server. To configure DHCP to work with remote access, follow these steps: