Remote access policy provides more control to remote access connections than was previously available in Microsoft network solutions. With remote access policy, instead of defining whether a user account has dial-in permissions, you can define conditions and profiles that must be met before the connection is established. This allows you to define the criteria for allowing remote access and ensure that security is maintained at the desired level.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
You can define remote access policies to grant or deny remote access based on several specified conditions. The remote access server evaluates the existing conditions of the remote access request and compares it to the conditions defined in the remote access policy. If all conditions are matched, the remote access policy is applied to the request.
You can define the following condition attributes to identify which remote access policy to apply to a remote access connection.
NOTE
Designing RADIUS security for a network is discussed in Lesson 5, "Planning RADIUS Security."
WARNING
You can't use groups from the remote access server's local Security Accounts Manager (SAM) database in the Windows-Groups condition. All groups must be domain groups.
When designing conditions for remote access policy, make sure that you consider the following design points in the development of your remote access policy:
Different remote access policies are required for the three remote access scenarios presented for Hanson Brothers. Table 13.12 outlines the conditions required for each remote access policy.
Table 13.12 Designing Remote Access Policies for Hanson Brothers
Remote Access Policy | Required Conditions |
---|---|
Employees | Windows-Groups: Member of the Remote Users group. Day-and-Time Restrictions: Allow access at all hours except 6 P.M. to midnight on Saturdays. |
Administrators | Windows-Groups: Member of the Administrators group. Day-and-Time Restrictions: Allow access at all hours on all days of the week. |
Adventure Works | Calling-Station-ID: Must match the phone number used at Adventure Works to connect to the remote access server. |
Montréal office VPN | You can't set conditions for the Montréal office VPN because IPSec tunnel mode connections don't utilize RRAS. |
Once a remote access connection attempt is found to match the conditions defined for a specific remote access policy, the remote access policy profile is applied to the connection. While conditions are used to identify a remote access connection attempt, the profile defines the security settings that the remote access connection must implement. These security settings can include the authentication method and encryption level required to proceed with the connection. You can define the following properties for a remote access policy profile to secure remote access connection attempts, as shown in Figure 13.10.
Figure 13.10 Defining remote access policy profile settings
NOTE
MPPE provides encryption services for dial-up and PPTP-based VPN connections. DES and 3DES provide encryption for L2TP/IPSec connections.
Table 13.13 outlines scenarios in which you can use remote access policy profile settings to restrict remote access to the network.
Table 13.13 Using Remote Access Policy Profiles to Restrict Connections
To | Use the Following Profile Settings |
---|---|
Prevent idle remote access connections from using up the available remote access ports | Configure dial-in constraints to drop idle connections after a specified time has passed. Configure dial-in constraints to define maximum session lengths. This requires the remote client to reconnect after the maximum session length is reached. |
Restrict remote access connections to a specific phone number | Configure dial-in constraints to limit connections to a specific phone number and to require that the connection uses dial-in (asynch) media, so that VPN connection attempts don't satisfy the profile. |
Restrict a remote access connection to a single computer or specific computers | Define IP packet filters that restrict access to specific IP addresses. Define the filters to deny all access except for the filters defined in the packet filter list. |
Restrict a remote access connection to specific protocols | Define IP packet filters to allow only the protocols defined in the packet filter listing. |
Require a specific authentication mechanism | Configure the profile to accept only connections using the desired authentication protocols. A connection attempt using a different authentication protocol will be dropped. |
Require a specific level of encryption | Configure the profile to use the desired encryption level settings. Remember that the use of strongest encryption requires the Windows 2000 High Encryption Pack to be installed at both the remote access server and the remote access client. |
Hanson Brothers must configure profiles for each of the client's remote access policies. Table 13.14 outlines the profile configuration required for each remote access policy.
Table 13.14 Designing Remote Access Policies Profiles for Hanson Brothers
Remote Access Policy | Required Profile Configuration |
---|---|
Employees | Only accept MS-CHAPv2 or EAP authentication protocols to ensure mutual authentication of user and server. Allow both asynch and virtual network connections under dial-in constraints. This will provide support for both dial-up and VPN clients. Prevent connections on Saturdays between 6:00 P.M. and midnight under dial-in constraints. |
Administrators | Only accept MS-CHAPv2 or EAP authentication protocols to ensure mutual authentication of user and server. Allow both asynch and virtual network connections under dial-in constraints. This provides support for both dial-up and VPN clients. |
Adventure Works | Only accept MS-CHAPv2 or EAP authentication protocols to ensure strong authentication of the remote user account. Accept only the strongest encryption setting so that MPPE 128-bit encryption is required for the connection. Accept connections only from the phone number supplied by Adventure Works by configuring the dial-in number under dial-in constraints. Accept only asynch connections in the dial-in media property of dial-in constraints, which ensures that VPN connection attempts fail. Limit access to the remote access server itself by configuring IP packet filters that deny everything except traffic to the remote access server. If the stock application listens for connections on a known port, restrict the filter to that port so that the remote access client can reach only the stock application on the remote access server. |
Montréal office VPN | No conditions can be set to match the Montréal office VPN because IPSec tunnel mode connections don't use RRAS. |
Remote access policy application varies depending on whether the domain is in native or mixed mode.
NOTE
If your organization wants to centralize remote access policy management, consider using RADIUS servers. Details on RADIUS design are covered in Lesson 5, "Planning RADIUS Security."
In a mixed-mode domain you don't have the Control Access Through Remote Access Policy option available in a user account's properties. By default, every user is set to Allow Access, but remote access policy is still applied.
IMPORTANT
The default remote access policy, Allow Access If Dial-In Permission Is Enabled, has no conditions and therefore matches every connection attempt; left unmodified, it grants access to every user account whose dial-in permission is set to Allow Access. You must delete or modify the default remote access policy if you need to be able to restrict remote access to the network.
Whenever a connection attempt occurs, the remote access policy whose conditions match the attempt evaluates the remote access policy profile to determine whether to allow the connection. The connection attempt will end in one of two outcomes.
In a native mode domain, user accounts are configured to Control Access Through Remote Access Policy in the user account property pages. With this setting, all remote access permissions are determined through remote access policy settings. The connection attempt will result in one of three outcomes.
To provide remote access to the network, you must determine how you will apply remote access policy. Although remote access policy is applied in mixed mode, native mode provides the most flexibility.
When deciding how to use remote access policy in your domain, consider the following design points:
To take full advantage of remote access policy, Hanson Brothers should ensure that their domain is in native mode, so that dial-up access is determined entirely by remote access policy rather than by per-account dial-in permissions.
Hanson Brothers should verify that each user account that requires dial-up access to the network is configured to Control Access Through Remote Access Policy. This ensures that remote access policy is used to determine access settings. In addition, all other accounts should be configured to Deny Access.
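The evaluation this lesson describes, from condition matching through the mixed-mode and native-mode permission checks to the profile settings in Tables 13.12 and 13.14, as an added example. This is a Python simulation written for this page, not RRAS code or the book's own material. Windows-Groups, Day-and-Time Restrictions and Calling-Station-ID are the RRAS condition names; the class names, the Adventure Works phone number, the server address and the stock-application port are constructed placeholders.

```python
"""Simulation of the remote access policy evaluation this lesson describes.
Added example, not RRAS code: conditions are matched first, then the account's
dial-in permission (and, in native mode, the policy's own permission) is
checked, then the profile is enforced. The phone number, server address and
port used below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

SATURDAY = 5                      # datetime.weekday() convention, Monday == 0
ENCRYPTION_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}
ALL_AUTH = {"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2", "EAP"}
MUTUAL_AUTH = {"MS-CHAPv2", "EAP"}   # what the Hanson Brothers profiles accept

@dataclass
class Attempt:                       # what the server knows about one connection
    groups: Set[str]
    weekday: int                     # 0 = Monday ... 6 = Sunday
    hour: int                        # 0-23
    media: str                       # "asynch" (modem) or "virtual" (VPN)
    auth: str                        # negotiated authentication protocol
    encryption: str                  # "none", "basic", "strong" or "strongest"
    calling_station_id: Optional[str] = None

@dataclass
class Policy:
    name: str
    # conditions: every condition that is set must match for the policy to apply
    windows_groups: Optional[Set[str]] = None
    day_time_blocked: Set[Tuple[int, int]] = field(default_factory=set)
    calling_station_id: Optional[str] = None
    grant: bool = True               # the policy's own remote access permission
    # profile: authentication, dial-in media, encryption level and IP filters
    allowed_auth: Set[str] = field(default_factory=lambda: set(ALL_AUTH))
    allowed_media: Set[str] = field(default_factory=lambda: {"asynch", "virtual"})
    min_encryption: str = "none"
    ip_filters: Optional[Set[Tuple[str, int]]] = None   # None means no filter

def conditions_match(p: Policy, a: Attempt) -> bool:
    if p.windows_groups is not None and not (p.windows_groups & a.groups):
        return False
    if (a.weekday, a.hour) in p.day_time_blocked:
        return False
    if p.calling_station_id is not None and a.calling_station_id != p.calling_station_id:
        return False
    return True

def profile_rejects(p: Policy, a: Attempt) -> Optional[str]:
    """Return None when the profile accepts the attempt, else why it is dropped."""
    if a.auth not in p.allowed_auth:
        return "authentication protocol %s not accepted" % a.auth
    if a.media not in p.allowed_media:
        return "dial-in media %s not accepted" % a.media
    if ENCRYPTION_RANK[a.encryption] < ENCRYPTION_RANK[p.min_encryption]:
        return "encryption %s below required %s" % (a.encryption, p.min_encryption)
    return None

def evaluate(policies, a: Attempt, account_permission: str, native_mode: bool) -> Tuple[bool, str]:
    """account_permission: 'allow', 'deny' or 'policy' (Control Access Through
    Remote Access Policy, which only a native-mode domain offers)."""
    if account_permission == "policy" and not native_mode:
        raise ValueError("mixed-mode accounts can only be Allow Access or Deny Access")
    for p in policies:               # the first policy whose conditions match is applied
        if not conditions_match(p, a):
            continue
        if account_permission == "deny":
            return False, p.name + ": account is set to Deny Access"
        if account_permission == "policy" and not p.grant:
            return False, p.name + ": policy denies remote access permission"
        reason = profile_rejects(p, a)
        if reason:
            return False, p.name + ": " + reason
        return True, p.name + ": accepted"
    return False, "no remote access policy matched the attempt"

def packet_allowed(p: Policy, dst_ip: str, dst_port: int) -> bool:
    """IP packet filter: deny everything except the listed (address, port) pairs."""
    return p.ip_filters is None or (dst_ip, dst_port) in p.ip_filters

# Tables 13.12 and 13.14. Administrators comes first so that an administrator who
# is also in Remote Users is not caught by the Employees Saturday restriction.
HANSON_POLICIES = [
    Policy("Administrators", windows_groups={"Administrators"}, allowed_auth=MUTUAL_AUTH),
    Policy("Employees", windows_groups={"Remote Users"}, allowed_auth=MUTUAL_AUTH,
           day_time_blocked={(SATURDAY, h) for h in range(18, 24)}),
    Policy("Adventure Works", calling_station_id="555-0100", allowed_auth=MUTUAL_AUTH,
           allowed_media={"asynch"}, min_encryption="strongest",
           ip_filters={("192.0.2.10", 8443)}),
]
# The policy RRAS ships with: no conditions, so it matches every attempt, and its
# own permission is Deny, so it grants access only to accounts set to Allow Access.
DEFAULT_POLICY = Policy("Allow Access If Dial-In Permission Is Enabled", grant=False)

if __name__ == "__main__":
    partner = Attempt(set(), 1, 10, "virtual", "MS-CHAPv2", "strongest", "555-0100")
    print(evaluate(HANSON_POLICIES, partner, "policy", native_mode=True))
```

Two points the simulation makes visible: policy order matters, because only the first policy whose conditions match is applied; and appending DEFAULT_POLICY to the list lets an unknown caller using PAP in a mixed-mode domain through, because every account there is Allow Access and the default policy has no conditions. Delete or modify that policy, as the Important note above says.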
Remote access policy provides more flexibility for securing remote access connections than was ever possible in a Windows NT 4.0 network. Make sure that your design includes refining the conditions and profiles that must be matched for remote access to the network. By spending the time to properly define remote access policy, you ensure that security is maintained when access to the network is extended to remote users and networks.