Planning a remote access strategy involves analyzing the needs of the organization, the needs of individual users, and other factors. You should also consider which of the remote access types you need to support:
Dial-in remote access
VPN (virtual private network)
Dial-in access using modems is the traditional type of remote access and is still useful. If you will enable dial-in access, there are a number of factors to plan for. These include whether the RRAS server will assign IP addresses using a static address pool, using DHCP, or using automatic private addressing. You will also need to consider the number of incoming ports you will need and whether to manage access by
VPN access uses a client’s Internet connection and the server’s Internet connection to create a virtual connection, or tunnel, and provide for remote access. A VPN uses one or more VPN protocols to create the tunnels and manage encryption. The VPN tunneling protocols are as
PPTP (point-to-point tunneling protocol): A protocol based on PPP. Uses MPPE for encryption.
L2TP (Layer 2 tunneling protocol):
Wireless remote access uses the 802.11 standard. A WAP provides access to a number of clients and connects to the LAN. WAPs can use IAS (RADIUS) to provide enhanced security and centralized authentication.
Your plan for the security of a remote access solution should consider the functional levels of domains and the features they support, the authentication
Remote access policies can be used to grant or deny remote access based on a number of criteria. Each remote access policy includes a profile, which can control what the connection allows after it is established. A profile also includes settings, such as maximum session time and idle timeout, to control the length of remote sessions.
Dial-in access requires a modem or ISDN port for each
VPN access can use existing Internet connections but risks sending data (although encrypted) over the public Internet.
Wireless remote access uses a wireless access point (WAP) and is usually limited to short ranges.
To plan for dial-in access, you need to determine the number of ports you will need and the bandwidth they will use.
Multilink is a system that combines two or more dial-up connections into a single faster connection. It is often used with ISDN.
PPTP is supported by Windows 95 and later; L2TP is supported by Windows 2000, Windows XP, and Windows Server 2003 only.
L2TP supports data integrity and sender authentication; PPTP does not.
L2TP requires a public-key infrastructure.
L2TP requires machine certificates for each client and VPN server.
Like other connection types, wireless access can be managed using a remote access policy.
A network can support any number of WAPs.
RADIUS authentication requires an IAS server configured with the WAPs as clients, and the WAPs configured for RADIUS authentication.
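The point above (the IAS server answers only WAPs it has been configured with as clients, and both sides must hold the same shared secret) can be seen in the wire exchange itself. The following is an added example, not part of the summary, that encodes a RADIUS Access-Request and its reply as RFC 2865 specifies: the User-Password attribute is hidden with the shared secret and the Request Authenticator, unknown clients are silently discarded, and the WAP validates the Response Authenticator before trusting the verdict. The server class, addresses, secrets and account are constructed sample data.

```python
"""RADIUS Access-Request / Access-Accept between a WAP (the NAS) and an
IAS-style server, following RFC 2865. Constructed example; see lead-in."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS attributes: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(data):
    """Parse the attribute section of a packet into a {type: value} dict."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2:
            break                                   # malformed attribute, stop parsing
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte chunk of the padded password with
    MD5(secret + previous block), the first block seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Header: code (1 byte), identifier (1), length (2), authenticator (16)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


class RadiusServer:
    """Toy IAS: clients maps NAS address -> shared secret; users maps name -> password."""

    def __init__(self, clients, users):
        self.clients, self.users = clients, users

    def handle(self, src_ip, packet):
        secret = self.clients.get(src_ip)
        if secret is None:
            return None                             # not a configured client: discarded
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            return None
        request_auth = packet[4:20]
        attrs = decode_attrs(packet[20:length])
        user = attrs.get(ATTR_USER_NAME, b"")
        password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
        verdict = ACCESS_ACCEPT if self.users.get(user) == password else ACCESS_REJECT
        auth = response_authenticator(verdict, ident, b"", request_auth, secret)
        return build_packet(verdict, ident, auth, b"")


def wap_authenticate(server, wap_ip, secret, user, password, ident=7):
    """WAP side: send an Access-Request and validate the reply before acting on it."""
    request_auth = os.urandom(16)                   # fresh random value per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in wap_ip.split("."))),
    ])
    reply = server.handle(wap_ip, build_packet(ACCESS_REQUEST, ident, request_auth, attrs))
    if reply is None:
        return "no-response"
    code, reply_id, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, reply_id, reply[20:], request_auth, secret)
    if reply_id != ident or reply[4:20] != expected:
        return "bad-authenticator"                  # forged reply or mismatched secret
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

Running `wap_authenticate(RadiusServer({"10.0.0.5": b"wap-shared-secret"}, {b"alice": b"correct horse"}), "10.0.0.5", b"wap-shared-secret", b"alice", b"correct horse")` returns `"accept"`; the same call from an address the server has not been configured with returns `"no-response"`, and a WAP configured with a different secret gets `"bad-authenticator"` because neither side can verify the other. This is why the summary lists both halves of the configuration (server knows the WAP, WAP knows the server) as requirements.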
Windows 2000 mixed domains support Windows NT 4.0 domain controllers and limited security features. Windows 2000 Native and Windows Server 2003 domains support all the Active Directory security features. Windows Server 2003 Interim domains support Windows Server 2003 and Windows NT 4.0 domain controllers.
You can raise a domain’s functional level, but you cannot lower it.
MS-CHAP v2 and EAP are
Encryption levels range from no encryption to 168-bit triple DES encryption.
Remote Access Policies determine which users can connect remotely and the connection methods they can use.
Remote Access Profiles provide further restrictions after the connection is established. Each policy contains exactly one profile.
To authorize access by user, use the user’s Dial-in properties.
To authorize access by
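The interaction between remote access policies, their profiles and the user's Dial-in properties (described above) is easiest to follow as the decision procedure RRAS actually runs. The following is an added example, not from the summary: policies are tried in order and the first whose conditions all match is used; the user's Dial-in setting of Allow or Deny overrides that policy's own permission, while "Control access through Remote Access Policy" defers to it; the matching policy's profile then imposes further restrictions (port type, minimum encryption, session limits). The data classes, policy names, groups and values are constructed sample data, not Windows APIs.

```python
"""Simulation of RRAS/IAS remote access policy evaluation. Constructed example;
the classes below are this example's own, not a Windows API."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    """Restrictions applied after a policy has matched and permission is granted."""
    max_session_minutes: Optional[int] = None
    idle_timeout_minutes: Optional[int] = None
    allowed_port_types: frozenset = frozenset({"Modem", "ISDN", "VPN", "Wireless"})
    min_encryption_bits: int = 0          # 0 = no encryption required ... 168 = triple DES


@dataclass
class Policy:
    name: str
    conditions: dict                      # attribute -> set of acceptable values (all must match)
    grant: bool                           # the policy's own Grant / Deny permission
    profile: Profile = field(default_factory=Profile)


def _matches(actual, allowed):
    """A set-valued attribute (group membership) matches on any overlap."""
    if isinstance(actual, (set, frozenset)):
        return bool(actual & allowed)
    return actual in allowed


def evaluate(policies, user_dialin, conn):
    """Return (decision, policy_name, profile) for one connection attempt.
    user_dialin is the account's Dial-in property: "Allow", "Deny" or "Policy"."""
    for policy in policies:
        if not all(_matches(conn.get(k), v) for k, v in policy.conditions.items()):
            continue                                    # conditions fail: try the next policy
        # First match wins: later policies are never consulted for this attempt.
        if user_dialin == "Allow":
            permitted = True
        elif user_dialin == "Deny":
            permitted = False
        else:                                           # "Policy": controlled by the policy
            permitted = policy.grant
        if not permitted:
            return "deny", policy.name, None
        prof = policy.profile
        if conn["port_type"] not in prof.allowed_port_types:
            return "deny", policy.name, None            # profile dial-in constraint
        if conn.get("encryption_bits", 0) < prof.min_encryption_bits:
            return "deny", policy.name, None            # profile encryption constraint
        return "accept", policy.name, prof
    return "deny", None, None                           # no policy matched: attempt rejected


# Constructed sample policy set, in evaluation order.
POLICIES = [
    Policy("VPN for administrators",
           {"port_type": {"VPN"}, "groups": {"Domain Admins"}},
           grant=True,
           profile=Profile(max_session_minutes=480,
                           allowed_port_types=frozenset({"VPN"}),
                           min_encryption_bits=168)),
    Policy("Dial-in for sales",
           {"port_type": {"Modem", "ISDN"}, "groups": {"Sales"}},
           grant=True,
           profile=Profile(idle_timeout_minutes=10,
                           allowed_port_types=frozenset({"Modem", "ISDN"}))),
    Policy("Deny all other connections",
           {"port_type": {"Modem", "ISDN", "VPN", "Wireless"}},
           grant=False),
]
```

With this policy set, an administrator connecting over VPN with 168-bit encryption is accepted under the first policy, the same connection at 56 bits is denied by that policy's profile, and a Sales user over VPN falls through to the catch-all deny. Setting the account's Dial-in property to Deny blocks the Sales user's modem connection even though the second policy grants it, and setting it to Allow lets the Sales VPN connection through the catch-all policy, which is why the summary recommends controlling access through policy rather than per-user properties once you have policies in place.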
Remote Assistance is really a tool for end users and you are
End users can use Remote Assistance to invite another person to view or take control of their desktops.
You can use Group Policy to enable your support staff to proactively offer Remote Assistance to end users
Remote Desktop for Administration enables up to two administrators to remotely connect to the server
Remote Assistance enables a user, called the Novice, to request help from someone more knowledgeable, called the Expert. The Expert is able to view and interact with the Novice’s desktop remotely (if permission is granted by the Novice).
Though installed with the operating system, both Remote Desktop for Administration and Remote Assistance must be enabled manually after installation before they can be used.