Lesson 3: Securing Remote Clients

In addition to fixing settings in the RRAS console, you can manage RRAS security on a per-user basis by using RRAS remote access policies. RRAS remote access policies allow you to control the duration of sessions, the authentication methods that remote clients can use, and other options that can increase the security of connections.

To make it easy for users to select the necessary RRAS policy options on their client computers, you can create a custom version of the RRAS client software called Connection Manager, with preset options for your particular remote access needs.


After this lesson, you will be able to

  • Manage security using a remote access policy

  • Use Connection Manager Administration Kit

  • Use Connection Manager from remote clients

Estimated lesson time: 30 minutes


Managing Remote Access Policy

Windows 2000 RRAS provides comprehensive support for remote access policies, which provide you with complete control over client access to the RRAS server. You can specify one or more policies, each with conditions that a client must match to connect. The possible conditions include time of day and day of the week, client name and IP address, client and server telephone numbers, and other options.

You can also determine whether a user account's remote access permission enables the user to connect through RRAS. If you choose Allow Access, the client can connect only if it matches one of the remote access policies. If the user permission is set to Deny Access, all connections for that user are refused. If the user permission is set to Control Access through remote access policy, the policy's Allow or Deny option determines whether the connection is allowed.

Accessing Remote Access Policy

Where you manage the remote access policies depends on whether Windows authentication or IAS is in use. For Windows authentication, remote access policy is located under the RRAS server in the Routing And Remote Access management console. For IAS, remote access policy is located in the Internet Authentication Service management console. This lesson discusses IAS policy management.

Because IAS provides centralized management of remote access, it allows you to create remote access policies that apply to all servers. If IAS is not in use, each RRAS server has its own set of remote access policies. Always use IAS when you have more than one RRAS server in your enterprise, to ensure that a consistent remote access policy is in use throughout your network. Consider using IAS even if you only have one RRAS server so that policy management won't change as your network grows.

Creating and Editing Remote Access Policies

The Remote Access Policies window displays all of the currently active policies. You can change the sequence of policies to control which policy will be applied when two or more policies match the connection. When a connection attempt is made, RRAS uses this sequence to check the policies and uses the first policy whose conditions match the connection.

By default, a single policy is included: allow access if dial-in permission is enabled. This policy includes a condition that matches all connections, and it is set to deny access unless it is explicitly granted to the user.

When you add a policy to the list, you name the policy and then apply a list of conditions that must be matched by a connection for the policy to be used. The conditions you can use are listed in Table 9-1.

Table 9-1. Remote Access Policy Conditions

  Condition                  Description
  Called-Station-Id          The telephone number dialed by the client
  Calling-Station-Id         The originating telephone number
  Day-and-Time-Restrictions  Connections during specified hours or days of week
  Framed-Protocol            The connection protocol in use
  Service-Type               The type of service requested
  Tunnel-Type                The VPN tunneling protocol in use
  Windows-Groups             Group memberships of the connecting user

Several additional conditions are available when you use RADIUS authentication. Most of these conditions examine the characteristics of the NAS (network access server), which is the client that makes a request to the RADIUS server (remember that RRAS acts as a NAS client). This allows you to change the authentication method based on which type of NAS the client has attached to. For example, checking the NAS port type allows you to prevent a policy you created for dial-up access from being applied to a wireless LAN user. Table 9-2 lists these additional conditions.

Table 9-2. IAS/RADIUS Remote Access Policy Conditions

  Condition             Description
  Client-Friendly-Name  The friendly name set in the IAS client list
  Client-IP-Address     The IP address of the RADIUS client
  Client-Vendor         The vendor of the NAS
  NAS-Identifier        The identifier of the NAS
  NAS-IP-Address        The IP address of the NAS
  NAS-Port-Type         The physical port used by the NAS

Depending on the condition you select, you will be prompted for additional information. For example, the Day-and-Time-Restrictions condition prompts you for the hours and days of the week that access will be allowed or denied, and the Windows-Groups condition prompts for a list of groups.

The final step when creating a policy is to specify whether the policy will grant or deny remote access permission to users who match the conditions. If access is denied by a remote access policy, it can still be allowed on a per-user basis by the user's remote access properties.

When you attach third-party NAS clients to an IAS server, the NAS vendor will typically provide an example of a correct IAS policy to allow the device to function correctly and securely on your network.

Managing the Profile for a Policy

If a connection attempt matches the policy you have created and the policy's Grant Remote Access permission option is selected, the user will be allowed access. The user will also be allowed access if explicitly granted access in the user account's remote access permission. Once a connection is made using a policy, you can further restrict the activities of the connection using policy profile settings. The profile includes six sets of properties:

  • Dial-in Constraints. Contains various constraints that can be placed on dial-in users matching the current policy conditions. The following options are available:

    • Disconnect if idle for the specified number of minutes

    • Restrict maximum session to a specified number of minutes

    • Restrict access to specified dates and times

    • Restrict dial-in access to a particular telephone number

    • Restrict the media (modem, ISDN, DSL, Ethernet, and so on) on which connections will be allowed

  • IP. Includes settings relating to client IP addresses. You can specify that the server must supply an IP address to the client, that the client can request an address, or that policy will be based on the server's settings.

    These IP settings also include options for packet filtering. You can create both incoming and outgoing packet filters to restrict the ports and services that a user will be allowed to access when connected to the RRAS server. For example, you could use IP filters to allow access only to the company intranet Web site, preventing dial-up users from connecting directly to file servers. Packet filters are used only in RRAS policies, not IAS policies.

  • Multilink. Controls whether clients using the current security policy can connect using Multilink, which allows a client to connect to two or more modems or other ports and use the combined bandwidth available from these devices. You can choose to disable Multilink entirely, allow Multilink with a specified maximum number of ports, or default to the RRAS server's settings.

    Using the bandwidth allocation protocol (BAP) options, you can specify a minimum percentage capacity for the dial-in lines and a time limit. If the capacity falls below this level for the specified time, the RRAS server will remove lines from Multilink connections to increase the available capacity.

  • Authentication. Controls the authentication methods that will be allowed for connections that match the current policy. The options available are the same as those described earlier in this chapter, including PAP, SPAP, CHAP, MS-CHAP, MS-CHAP version 2, and EAP.

    You can also specify which types of EAP connections are allowed and their specific settings. For example, you can allow EAP connections using a smart card or certificate and specify the certificate that the server will use to authenticate itself.

  • Encryption. Controls the level of encryption that will be allowed for connections matching the current policy. The options include No Encryption, Basic, Strong, and Strongest. These options apply only to communication between Windows 2000 clients and Windows 2000 RRAS servers.

  • Advanced. Allows you to specify additional security attributes. Click Add to add an attribute. The list of available attributes includes standard options for RADIUS servers, as well as a variety of vendor-specific options.

Using the Connection Manager Administration Kit

The Connection Manager Administration Kit (CMAK), included with Windows 2000 Server, enables you to customize many features of the Connection Manager software used for clients of the RRAS server. Connection Manager is the Windows component that clients see when they dial a modem connection. By creating a custom Connection Manager profile with the CMAK, you are pre-setting the connection options that clients will need to meet your RRAS or IAS policies and successfully establish a dial-in connection. This is useful for ISPs that provide dial-up access as well as enterprises with dial-up or VPN access to networks. The CMAK is a wizard that prompts you for various information and then creates a service profile for the Connection Manager utility. The following sections describe how to use this wizard.

Working with Service Profiles

When you start the Connection Manager Administration Kit Wizard, you are prompted to either create a new service profile or open and modify an existing service profile. Service profiles are stored with the .cms extension.

Another page of the wizard allows you to merge one or more existing service profiles into the current profile.

Specifying Service Names and Support Information

The initial pages of the Connection Manager Administration Kit Wizard prompt you for various text items that will be used to customize the Connection Manager interface:

  • Service Name. A friendly name for the service, up to 40 characters long.

  • File Name For Service Profiles. A file name used to prefix the files created by CMAK. This file name is limited to 8 alphanumeric characters.

  • Support Information. An optional message, up to 50 characters long, displayed in the Connection Manager dialog box.

  • Realm Name. An optional prefix (such as a domain or organizational unit name) or suffix (such as an Internet domain name) to be added to all user names.

Network and Dial-Up Connections

You can specify that Connection Manager will create one or more entries for your service in the Network And Dial-Up Connections window. For each of these, you can specify DNS and WINS addresses, if the server does not assign them automatically, and an optional script file.

You can also include a telephone book file in the service profile, specifying one or more dial-up telephone numbers. Connection Manager can also use the URL of a server running Connection Point Services to automatically download updated lists of telephone numbers.

VPN Support

If you enable VPN support in the Connection Manager Administration Kit Wizard, the resulting connection profile can be used to connect to the RRAS server through a public network, such as the Internet, rather than directly through a dial-up connection. The Internet connection used for a VPN can be any existing dial-up connection or always-on broadband connection, such as DSL or LAN.

Using Actions and Applications

The Connection Manager Administration Kit Wizard allows you to specify a number of actions, or programs, that will run at various points within the connection process. The following actions are available:

  • Pre-connect actions run before connecting.

  • Pre-tunnel actions run before connecting using a VPN.

  • Post-tunnel actions run after a successful VPN connection.

  • Disconnect actions run after the user disconnects from the service.

In addition to these actions, you can specify one or more auto-applications. These are applications that run when connected to the network. The network connection will be disconnected automatically after the user exits the last auto-application.

Modifying Graphics and Icons

Using CMAK options, you can change many of the graphics and icons used in Connection Manager dialog boxes from the default choices. Table 9-3 lists the elements you can customize.

Table 9-3. Customizable Connection Manager Elements

  Element             Pixel size   Description
  Logon graphic       330 x 141    Displayed at top of logon dialog box
  Phonebook graphic   114 x 304    Displayed at left of Phone Book dialog box
  Large program icon  32 x 32      The desktop icon
  Title bar icon      16 x 16      Appears in title bar and taskbar
  Status area icon    16 x 16      Appears in status area while connected

Software and Documentation

The Connection Manager Administration Kit Wizard prompts you to indicate whether to include the Connection Manager software with the service profile. You can also specify a custom Windows help file if you have created your own documentation, or use the default Connection Manager help file. Options are also provided for a custom license agreement and additional help or documentation files.

Using Connection Manager

After you complete all of the CMAK settings, the CMAK saves a number of files to complete the profile. These include a .cms file, which stores the information the wizard prompted for, and a self-extracting .exe file that installs the Connection Manager software and the service profile on a client computer. These files use the 8-character file name you specified. They can be copied to a floppy disk, CD-R, or network share to deploy the service profile to clients.

Practice: Securing Remote Clients

In this practice, you create remote access policies and modify the settings of existing policies. You also install and use the CMAK and test a customized version of Connection Manager from a client machine.

To complete this practice, you will need a Windows 2000 Server computer with the RRAS component enabled and a client computer for testing.

Exercise 1: Managing Remote Access Policy

In this exercise, you create remote access policies, edit an existing policy, and edit settings in the policy profile. You will need to use either the Routing And Remote Access console or the Internet Authentication Service console to access the policy, depending on whether your RRAS server is configured to use RADIUS authentication.

To create a remote access policy with day and time restrictions

Perform this procedure on the RRAS server.

  1. From the Administrative Tools menu, choose Routing And Remote Access to open the Routing And Remote Access management console.

  2. Select Remote Access Policies in the console tree. The list of current policies is displayed.

  3. From the Action menu, choose New Remote Access Policy. The Add Remote Access Policy Wizard is displayed, as shown in Figure 9-17.

    Figure 9-17. The Add Remote Access Policy Wizard

  4. On the Policy Name page, type Date and Time in the Policy Friendly Name box, and click Next.

  5. On the Conditions page, click Add to add a condition to the policy.

    As shown in Figure 9-18, the Select Attribute dialog box lists the available conditions you can add to the policy.

    Figure 9-18. The Select Attribute dialog box

  6. In the dialog box, select Day-and-Time-Restrictions from the list, and click Add. The Time Of Day Constraints dialog box is displayed, as shown in Figure 9-19.

    Figure 9-19. The Time Of Day Constraints dialog box

  7. Click and drag to draw a box from Monday 8:00 a.m. to Friday 6:00 p.m., and then select Permitted. This enables access from 8:00 a.m. to 6:00 p.m., Monday through Friday.

  8. Click OK, and click Next. The Permissions options are displayed, as shown in Figure 9-20.

    Figure 9-20. The Permissions options page

  9. On the Permissions page, select Grant Remote Access Permission, and click Next.

  10. On the User Profile page, click Finish to complete the new policy.

    This policy allows all users access if they connect in the specified time period.

To create a remote access policy with Windows group restrictions

  1. In the console tree of the Routing And Remote Access console, select Remote Access Policies, and choose New Remote Access Policy from the Action menu. The Add Remote Access Policy Wizard appears.

  2. On the Policy Name page, type Design Group Access in the Policy Friendly Name box, and click Next.

  3. On the Conditions page, click Add. The Select Attribute dialog box lists the available condition attributes.

  4. Select Windows-Groups in the list, and click Add. The Groups dialog box appears.

  5. In the Groups dialog box, click Add. The Select Groups dialog box is displayed, as shown in Figure 9-21.

    Figure 9-21. Selecting Windows groups for a policy

  6. Select Design Users in the list of groups, and click Add. The Design Users group is added to the group list.

  7. Click OK to close the Select Groups dialog box, and then click OK in the Groups dialog box. The condition you added is now included in the list.

  8. Click Next to continue. The Permissions options are displayed.

  9. On the Permissions page, select the Grant Remote Access Permission option, and click Next.

  10. On the User Profile page, click Finish to complete the policy.

    This policy allows access to users in the Design Users group regardless of the day or time.

To edit an existing policy

  1. In the console tree of the Routing And Remote Access console, select Remote Access Policies.

  2. Select Date And Time from the list, and from the Action menu, choose Properties. The Date And Time Properties dialog box is displayed, as shown in Figure 9-22.

    Figure 9-22. Date And Time Permissions dialog box

  3. Select Deny Remote Access Permission, and click OK.

    The policy now denies access during the selected times. Users can still connect if they match a different policy or if the user properties explicitly grant the remote access permission.

To change policy profile settings

  1. In the console tree of the Routing And Remote Access console, select Remote Access Policies.

  2. Select Design Group Access from the list, and from the Action menu, choose Properties. The Design Group Access Properties dialog box is displayed, as shown in Figure 9-23.

    Figure 9-23. The Design Group Access Properties dialog box

  3. Click Edit Profile. The Dial-in Constraints tab is displayed in the Edit Dial-in Profile dialog box shown in Figure 9-24.

    Figure 9-24. The Edit Dial-in Profile dialog box

  4. Select the Disconnect If Idle For check box, and change the idle time to 20 minutes.

  5. Select the Restrict Maximum Session To check box, and change the corresponding time to 60 minutes.

  6. Click OK, and click OK in the Design Group Access Properties dialog box.

    Users who connect using this profile are now restricted to 60-minute sessions, and they are disconnected after 20 minutes of idle time.
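The rules this lesson gives for policy evaluation (the first policy in list order whose conditions all match is used; the account's Allow Access, Deny Access and Control Access Through Remote Access Policy settings interact with that policy's grant or deny choice; the matching policy's profile then constrains the session) can be replayed on the policies just built in Exercise 1. The following model is an added example written for this page, not RRAS or IAS code. The policy names, the Design Users group and the 20/60-minute limits come from the exercise; the user names, connection times and the NAS-Port-Type values are constructed assumptions, and the last scenario goes beyond the exercise to show the NAS-Port-Type condition described with Table 9-2 keeping a dial-up policy away from a wireless client.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Optional

ALLOW, DENY, CONTROL = "allow", "deny", "control"   # remote access permission on the user account

@dataclass
class Connection:
    user: str
    groups: frozenset             # Windows group memberships of the connecting user
    when: datetime                # local time of the connection attempt
    nas_port_type: str = "Async"  # NAS-Port-Type reported by the RADIUS client (constructed values)

@dataclass
class Profile:
    idle_timeout_min: Optional[int] = None   # Dial-in Constraints: Disconnect If Idle For
    max_session_min: Optional[int] = None    # Dial-in Constraints: Restrict Maximum Session To

@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Connection], bool]]   # every condition must match
    grant: bool                                       # Grant (True) or Deny (False) Remote Access Permission
    profile: Profile = field(default_factory=Profile)

    def matches(self, conn: Connection) -> bool:
        return all(cond(conn) for cond in self.conditions)   # no conditions: matches every connection

# Condition builders for the Table 9-1 / 9-2 attributes used below.
def day_and_time(days, start_hour, end_hour):
    """days are weekday numbers (Monday=0); the permitted window is [start_hour, end_hour)."""
    return lambda c: c.when.weekday() in days and start_hour <= c.when.hour < end_hour

def windows_groups(*names):
    return lambda c: any(g in c.groups for g in names)

def nas_port_type(*types):
    return lambda c: c.nas_port_type in types

def evaluate(user_permission, policies, conn):
    """Return (decision, policy name, profile). Lesson rules: Deny Access on the account refuses
    outright; policies are tried in list order and the first whose conditions all match is used;
    Allow Access connects whenever a policy matches; Control Access Through Remote Access Policy
    defers to that policy's grant/deny; no matching policy means refused."""
    if user_permission == DENY:
        return ("denied", None, None)
    for policy in policies:
        if policy.matches(conn):
            if user_permission == ALLOW or policy.grant:
                return ("granted", policy.name, policy.profile)
            return ("denied", policy.name, None)
    return ("denied", None, None)

DATE_AND_TIME = [day_and_time({0, 1, 2, 3, 4}, 8, 18)]   # Monday-Friday, 8:00 a.m. to 6:00 p.m.
# Policies in the order Exercise 1 creates them; the built-in default policy stays last.
POLICIES = [
    Policy("Date and Time", DATE_AND_TIME, grant=True),
    Policy("Design Group Access", [windows_groups("Design Users")], grant=True,
           profile=Profile(idle_timeout_min=20, max_session_min=60)),
    Policy("Allow access if dial-in permission is enabled", [], grant=False),
]
# The same list after "To edit an existing policy" switches Date and Time to Deny.
EDITED_POLICIES = [Policy("Date and Time", DATE_AND_TIME, grant=False)] + POLICIES[1:]
# Variant that also checks NAS-Port-Type, so the dial-up policy never applies to a wireless client.
PORT_AWARE_POLICIES = [Policy("Date and Time", DATE_AND_TIME + [nas_port_type("Async", "ISDN")],
                              grant=True)] + POLICIES[1:]

# Constructed attempts: Wednesday 4 June 2003 and Saturday 7 June 2003, both at 10:00.
WED_10 = datetime(2003, 6, 4, 10, 0)
SAT_10 = datetime(2003, 6, 7, 10, 0)
ALICE_WED = Connection("alice", frozenset(), WED_10)
ALICE_SAT = Connection("alice", frozenset(), SAT_10)
BOB_WED = Connection("bob", frozenset({"Design Users"}), WED_10)
BOB_SAT = Connection("bob", frozenset({"Design Users"}), SAT_10)
BOB_WIFI = Connection("bob", frozenset({"Design Users"}), WED_10, nas_port_type="Wireless-802.11")

def demo():
    return {
        "alice weekday, control": evaluate(CONTROL, POLICIES, ALICE_WED),
        "alice weekend, control": evaluate(CONTROL, POLICIES, ALICE_SAT),
        "bob weekend, control": evaluate(CONTROL, POLICIES, BOB_SAT),
        # First match wins: on a weekday bob hits Date and Time, so the 20/60-minute limits never apply.
        "bob weekday, control": evaluate(CONTROL, POLICIES, BOB_WED),
        "alice weekend, deny": evaluate(DENY, POLICIES, ALICE_SAT),
        "alice weekend, allow": evaluate(ALLOW, POLICIES, ALICE_SAT),
        # After the edit, the Deny policy still loses to an explicit Allow Access on the account.
        "alice weekday, control, edited": evaluate(CONTROL, EDITED_POLICIES, ALICE_WED),
        "alice weekday, allow, edited": evaluate(ALLOW, EDITED_POLICIES, ALICE_WED),
        # With the port condition, the wireless attempt skips Date and Time and gets the group profile.
        "bob wireless weekday, port-aware": evaluate(CONTROL, PORT_AWARE_POLICIES, BOB_WIFI),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:34} -> {result}")
```

The "bob weekday" scenario is the one to watch when ordering policies in the console: because Date and Time sits above Design Group Access and matches every weekday connection, a Design Users member who dials in during business hours never receives the idle and session limits set in Exercise 1. Moving the group policy above the time policy, or adding a Windows-Groups condition to the time policy, is what makes the profile take effect for that group.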

Exercise 2: Connection Manager

In this exercise, you set up the CMAK on a Windows 2000 Server computer. You then use the CMAK to create a service profile, and install the customized version of Connection Manager on a client machine.

To install the Connection Manager Administration Kit

Perform this procedure from the RRAS Server.

  1. In Control Panel, double-click Add/Remove Programs.

  2. Click Add/Remove Windows Components. A list of installed Windows components is displayed.

  3. Select Management And Monitoring Tools in the list, and click Details. A list of monitoring components is displayed, as shown in Figure 9-25.

    Figure 9-25. The Management And Monitoring Tools components list

  4. Select the Connection Manager Components check box, and click OK.

  5. In the Windows Components Wizard, click Next to install the new components. (This might take several minutes.) The Connection Manager components are now installed.

  6. You might be prompted to insert the Windows 2000 Server or Service Pack CD during the installation process.

  7. Click Finish to return to Control Panel.

To create a service profile using the CMAK

  1. Click Start, point to Programs, point to Administrative Tools, and click Connection Manager Administration Kit. The Connection Manager Administration Kit Wizard displays an introductory page.

  2. Click Next to continue. The Service Profile Source page, shown in Figure 9-26, appears. You can indicate whether to create a new profile or edit an existing one.

    Figure 9-26. Creating a new service profile

  3. Select Create A New Service Profile, and click Next.

  4. On the Service And File Names page, type Fabrikam in the Service Name and File Name boxes, and click Next. The next page allows you to merge existing service profiles.

  5. On the Merged Service Profiles page, click Next to continue. The Support Information page allows you to add a line of support information that will be displayed in the logon dialog box.

  6. On the Support Information page, click Next to continue.

  7. On the Realm Name page, select Do Not Add A Realm Name, and click Next to continue.

  8. Click Next on both the Dial-Up Networking Entries page and the VPN Support page.

  9. On the Connect Actions page, clear all check boxes, and click Next.

  10. On the Auto Applications page, click Next.

  11. Click Next on the Logon Bitmap, Phone Book Bitmap, Phone Book, and Icons pages.

  12. On the Status-Area-Icon Menu page, click Next.

  13. On the Help File page, select Use The Default Help File, and click Next.

  14. On the Connection Manager Software page, select Include The Connection Manager 1.2 Software, and click Next.

  15. Click Next on both the License Agreement and the Additional Files pages.

  16. On the Ready To Build Service Profile page, click Next to begin building the service profile. A command prompt window opens and builds the profile.

    The path of the .exe file name is displayed when the wizard completes; typically, the file name is \Program Files\Cmak\Profiles\Fabrikam\Fabrikam.exe.

  17. Click Finish to exit the wizard.

  18. Copy the files in the \Program Files\Cmak\Profiles\Fabrikam folder to a floppy disk to use in the next procedure.

To connect with a customized Connection Manager

  1. On the client machine, insert the floppy disk containing the service profile, and open the floppy disk from My Computer.

  2. Double-click the Fabrikam.exe file you created in the previous procedure. A dialog box asks whether you want to install the connection.

  3. Click Yes to install the new connection. A dialog box opens allowing you to choose whether to make the connection available to all users or to the current user.

  4. In the dialog box, select All Users, and click OK. The Connection Manager is now launched, as shown in Figure 9-27.

    Figure 9-27. The Connection Manager dialog box

  5. Specify a User Name and Password, and click Connect to make the connection.

Connecting requires a telephone number. Click Properties to specify a number. You can also specify a list of telephone numbers when creating the service profile.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. When RADIUS is not in use, what tool do you use to manage remote access policies?

  2. If a user is connecting to an RRAS server and matches several remote access policies, which policy will be used for the connection?

  3. How would you restrict the session length for a remote access policy?

  4. When you answer the questions in the Connection Manager Administration Kit Wizard, where are the answers saved?

  5. What happens if an incoming connection matches a remote access policy and the policy is set to deny access?

Lesson Summary

  • Remote access policies are managed through the RRAS or IAS management console, depending on the authentication type selected. When users attempt to connect, the connection uses the first policy that matches the current conditions. Each policy can specify conditions to match as well as restrictions and settings in the connection's profile.

  • The Connection Manager Administration Kit (CMAK) allows you to create a customized Connection Manager for use by employees, partners, or clients. The CMAK can customize aspects of the connection including phone numbers, protocols, documentation, and graphics.

  • A service profile created by the CMAK can include a copy of the Connection Manager software. This can be distributed along with the service profile and provides a simple-to-install program for establishing an RRAS connection from a client.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82