Taking Advantage of Internet Authentication Service


Internet Authentication Service, or IAS, is the Windows Server 2003 implementation of Remote Authentication Dial-in User Service (RADIUS) server and proxy. As a RADIUS server, IAS supports centralized authentication, accounting, and authorization for multiple types of network access. These access types include VPN connections, wireless connections, switch authentication, and remote access dial-up connections. As a RADIUS proxy, IAS is able to forward switch authentication and accounting messages to other RADIUS servers. RADIUS is an Internet Engineering Task Force (IETF) standard that is designed to handle authentication, auditing, and accounting tasks for connectable devices.

BEST PRACTICE: Installing and Using IAS

Always install and test each of your access servers using local authentication methods. Ensure that this works before making them RADIUS clients. This makes troubleshooting easier, because the access server is then a known good device.

After installing and configuring IAS, save the configuration by using the netsh dump > file.txt command. For more information, see the netsh /? command. Repeat the netsh dump > file.txt command every time a change is made so that recovery is simpler.

When configuring a Windows Server 2003 system running IAS or Routing and Remote Access that is a member of a Windows NT Server 4.0 resource domain, if your user account database is stored on a Windows Server 2003 domain controller in another domain, Lightweight Directory Access Protocol (LDAP) queries from the IAS server to the Windows Server 2003 domain controller will fail.

When administering an IAS server remotely, avoid sending sensitive or confidential data over the network in plaintext. This would include data such as passwords or shared secrets. The two recommended methods for remote administration of IAS servers are Terminal Services or IPSec encrypted traffic.


Using Terminal Services to Access the IAS Server

When using Terminal Services, data is not actually sent between client and server. Only the user interface of the server (for example, the IAS console image and the operating system desktop) is sent to the Terminal Services client. This is called Remote Desktop Connection in Windows XP. The client sends keyboard and mouse input, which is processed locally by the server that has Terminal Services installed. When Terminal Services users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. This means that one Terminal Services session does not have access to the traffic associated with another connection. Additionally, Remote Desktop Connection provides 128-bit encryption between the client and the server.

Using IPSec to Encrypt Confidential Data

As with any type of traffic, IPSec can be used to encrypt communication between the IAS server and the remote client computer that is being used to administer it. This ensures that none of the configuration information is passed in clear text. To administer the server remotely, the Windows Server 2003 Administration Tools Pack must be installed on the client computer, and the IAS snap-in must be added to the Microsoft Management Console (MMC).

The IAS server provides authentication, authorization, and accounting for connection attempts to a corporate network. It is very important to protect the IAS server and RADIUS messages from unwanted internal and external intrusion. IAS is the key to accessing a corporate network and it is critical that only the appropriate people have access to those keys.

Always take standard precautions to secure an IAS server. Limit access to the system to a small number of members of the IT staff. Store the IAS server in a locked and controlled data center. Audit the security logs regularly and be sure to password-protect the system backups. This way the tapes can't be easily used to create a server that can impersonate the corporate IAS server.

Use the RunAs command to administer local IAS servers rather than logging in with an administrative-level account. You can use the RunAs command to perform administrative tasks when you are logged on as a member of a group that does not have the required administrative credentials.

Because the IAS system is the gatekeeper to remote access, it is critical that access via the system is well logged. There are two types of logging offered by IAS: event logging and authentication logging.

Event logging can be used to record IAS events in the system event log. This is primarily used for auditing and troubleshooting connection attempts. This information goes directly into the Windows Server 2003 Event Viewer.

IAS is able to log user authentication and accounting information to log files in text or database format. Optionally it can log to a stored procedure in a SQL Server 2000 database. This type of logging is primarily used for connection trend analysis as well as for billing purposes. This type of data can also be useful as a security investigation tool, giving you another method of tracking down the activity of an unauthorized user.

With either type of logging, ensure that there is sufficient capacity to maintain the logs. In the case of auditing information, one would usually need at least a month of data to accurately perform bill back tasks to various departments. On the security tracking side, it is useful to have many months of data so that it will be possible to track the activities of a suspected hacker. Be sure to back up the log files regularly as they cannot be re-created if they are damaged or deleted.
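As an added example (not from the book), the following Python script shows how the authentication log can serve as the security investigation tool described above: it parses IAS-format text records and flags user/access-server pairs with repeated Access-Reject results. It assumes the IAS-format layout (six fixed fields followed by attribute-ID/value pairs, with attribute 4136 as Packet-Type and 4142 as Reason-Code); the log lines themselves are constructed.

```python
"""Flag repeated Access-Reject records in IAS-format authentication logs.

Assumed IAS-format layout: each record is comma-delimited and begins with
NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name and
Computer-Name, followed by attribute-ID/value pairs. Attribute 4136 is
Packet-Type (2 = Access-Accept, 3 = Access-Reject); 4142 is Reason-Code.
"""
import csv
from collections import Counter

PACKET_TYPE = "4136"
REASON_CODE = "4142"
ACCESS_REJECT = "3"

# Constructed sample records (not a real log): bob fails three times in a row.
SAMPLE_LOG = """\
10.1.1.5,CORP\\alice,01/15/2004,08:02:11,IAS,IAS01,4136,2,4142,0
10.1.1.5,CORP\\bob,01/15/2004,08:03:40,IAS,IAS01,4136,3,4142,16
10.1.1.5,CORP\\bob,01/15/2004,08:03:52,IAS,IAS01,4136,3,4142,16
10.1.1.5,CORP\\bob,01/15/2004,08:04:07,IAS,IAS01,4136,3,4142,16
10.1.1.9,CORP\\carol,01/15/2004,09:10:00,IAS,IAS01,4136,2,4142,0
"""


def parse_record(line):
    """Split one IAS-format line into the fixed fields plus an attribute dict."""
    fields = next(csv.reader([line]))
    rec = {"nas_ip": fields[0], "user": fields[1], "date": fields[2],
           "time": fields[3], "service": fields[4], "computer": fields[5]}
    attrs = fields[6:]
    # Attribute/value pairs follow the six fixed fields.
    rec["attrs"] = dict(zip(attrs[0::2], attrs[1::2]))
    return rec


def rejected_logins(log_text):
    """Count Access-Reject records per (user, NAS IP address)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["attrs"].get(PACKET_TYPE) == ACCESS_REJECT:
            counts[(rec["user"], rec["nas_ip"])] += 1
    return counts


def suspicious(log_text, threshold=3):
    """Return (user, NAS IP) pairs with at least `threshold` rejects."""
    return sorted(k for k, n in rejected_logins(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for user, nas in suspicious(SAMPLE_LOG):
        print(f"repeated rejects: user={user} nas={nas}")
```

Point the script at a real IAS log file and adjust the threshold to the rate of failures that is normal for your environment.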

You can optimize IAS authentication and authorization response times as well as reduce network traffic by installing IAS on a domain controller. Similar gains can be achieved by making the IAS system a Global Catalog as well. This is because when universal principal names (UPNs) or Windows Server 2003 domains are used, IAS will use the global catalog to authenticate the users. Making the IAS a global catalog or at least having a global catalog on the same subnet as the IAS system will reduce the time needed to perform the authentication.

In a large RADIUS implementation where there is heavy authentication traffic, you can effectively load balance the RADIUS environment by doing the following:

  • Install IAS as a RADIUS server on all domain controllers.

  • Configure multiple IAS proxies to forward the authentication requests between the RADIUS servers and the access servers.

  • Configure the access servers to use the IAS proxies as RADIUS servers.

This is especially useful in large 802.1x implementations where wireless connections are using certificates to authenticate via IAS/RADIUS to gain access to an internal network.

IAS in Windows Server 2003

IAS in Windows Server 2003, Standard Edition, supports a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client using either an IP address or a fully qualified domain name. You cannot define groups of RADIUS clients via IP address ranges. IAS in Windows Server 2003, Enterprise Edition, and Datacenter Edition, supports an unlimited number of RADIUS clients and remote RADIUS server groups. Additionally, you can configure RADIUS clients via an IP address range. Be sure to understand your organization's needs before deciding which version of Windows Server 2003 the IAS servers will run.




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325