Remote Access Basics



There are many ways to access your server remotely. Although this section focuses on remote access using virtual private networks (VPNs) or dial-up, other remote access options are mentioned to compare them in terms of functionality and ease of use.

If you were to take a poll asking users what they like most about SBS, you would find that the ability to work remotely ranks high. Being able to read your mail and access files, or even your computer, from anywhere has become a necessity in today's business world, and it's one of the major reasons why people choose SBS.

Fortunately, remote access in SBS 2003 has improved significantly over previous versions. Not only is it easier to configure, but SBS also has a wide array of options to connect remotely in specific scenarios. Thanks to these improvements, working remotely is more feasible than ever before, not to mention more secure.

Remote Access Options

Although working remotely can be a blessing, it can also become a nightmare (and I'm not talking about working at home at 2:00 a.m.!). SBS does a great job protecting your network, but enabling remote access is always a risk. On the other hand, this risk can be minimized by carefully considering all your remote access options and following the security best practices such as enforcing complex passwords and changing them frequently.

This discussion begins by addressing the following questions:

  • What can you do with dial-up or VPN access?

  • Is VPN or dial-up access necessary?

  • When should you use VPN versus dial-up?

  • How does VPN compare with other remote access alternatives?

  • Which users need VPN or dial-up access?

Dial-up remote access is similar to accessing the Internet through a dial-up account. You connect to the server using a modem directly through a phone line. One of the main advantages of this is that you can access the network remotely even in the event of an Internet outage. The main disadvantage is speed; in most cases, the maximum speed attainable is 33.6 kbps, which is very slow. Another disadvantage is that you must have a line dedicated (at least partially) for this kind of access. Having said that, a dial-up connection will behave as part of your internal network (albeit much slower). In fact, you can even use it to connect to the Internet through your own server.

Virtual private networks, on the other hand, use a public network infrastructure (such as the Internet) to create a private link between two networks or computers. In other words, when you establish a VPN you are creating a secure tunnel between your computer and the remote network that goes through the Internet.

Not only can you access all the resources of the network as if your computer were physically connected to it, but traffic is encrypted in both directions while it travels the public network. When you connect to the VPN you can potentially do everything a local user would do (although it will be slower).

Best Practice: Enable Password Policies

Weak passwords and remote access do not mix. Enforcing a strong password policy is essential to keeping your data secure. Teach your users how to create pass phrases that are easier to remember and difficult to crack, and have your users change them regularly.


Risks of Using VPNs

VPNs are powerful, but they also present certain risks. Because VPN traffic is trusted, it effectively bypasses the firewall. This means that if you connect through VPN to a computer that has been infected with a virus or worm, you can potentially compromise the whole network because the virus/worm has unrestricted access to it. Also, if a hacker were to obtain access to the VPN, he would have access to the network, not just to a particular machine or service.

One of the main concepts in securing your network is to always give users the minimum access necessary to do their jobs. In that spirit, the first thing you should evaluate is whether giving them VPN or dial-up access is required.

Best Practice: VPNs Are Not a Panacea

Although SBS makes VPNs easy, the truth is that they can be dangerous in the wrong hands. With so many options for remote access available in SBS, using VPNs is no longer a requirement. If a user only needs email access, it would be foolish to use VPN for that purpose.


Alternatives to VPNs

In the past VPNs were essential to work remotely. However, many new features in SBS 2003 make VPNs unnecessary in many cases. Table 7.2 shows several alternatives to VPNs for accomplishing certain tasks.

Table 7.2. Alternatives to Using VPN for Certain Activities

| Activity | Alternative |
| --- | --- |
| Read email | Outlook Web Access: Access your email using a web browser. |
| | Outlook with RPC over HTTP: All the functionality of Outlook but remotely. |
| Connect to computers remotely | Remote Web Workplace: To connect to any workstation or server on your network. |
| Access files on the road | SharePoint: For files that need to be shared among several users either locally or remotely. |
| | Offline files: For files that are not being shared among users and that need to be available even when the network is not available. |
| | Remote Web Workplace: It can also be used to transfer files (if enabled). |


In many cases using these alternatives can provide a better end-user experience. Also, from a practical standpoint using alternative methods can sometimes be the only way to access resources remotely because some providers may block VPN traffic while still allowing other (more common) protocols.

Guidelines for Using VPNs

From the previous discussion it becomes clear that VPNs are not for everyone. The question remains how to decide when the use of a VPN is really warranted. This section addresses these concerns by examining some common usage scenarios.

For administrative purposes VPNs can be really useful. The ability to see the whole network at once can be helpful for domain administrators to help diagnose and solve problems that involve several machines. Additionally, administrators are generally tech-savvy and take better care of their machines than regular users. Considering all this, granting administrators VPN access has many advantages and an acceptable risk level.

VPNs can also be helpful for users running an application locally that requires connecting to a resource in your network that is not available from the outside. For example, a user might need to connect to a database remotely. Setting up VPN access for such users, so that they can access the resource as required, is a good idea.

Another example worth mentioning is printing to the SBS shared fax printer while you are on the road. You can potentially send faxes from anywhere in the world that has Internet access.

Best Practice: Practicing Safe VPN

Never establish a VPN from a computer not under your control (such as at an Internet Café). You will be giving that computer unrestricted access to your whole network and placing your network at risk.

Even allowing users to connect from their shared home PC is not a great idea because you don't have control of how well-kept those machines are. However, you can try to minimize that risk by implementing Network Quarantine Control. Use the following link to learn more about it: http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
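
The guidance in this section (the Table 7.2 alternatives, the VPN guidelines, and the Safe VPN best practice) can be applied as a periodic access review. The following Python code is an added example, not part of the original text or of SBS; the task labels, device classes, and user list are constructed for illustration.

```python
# Added illustration: task labels, device classes and users are constructed.
# Tasks Table 7.2 covers without a VPN, with the alternative it lists.
ALTERNATIVES = {
    "email": "Outlook Web Access or Outlook with RPC over HTTP",
    "remote_desktop": "Remote Web Workplace",
    "files": "SharePoint, offline files or Remote Web Workplace",
}
# Tasks the guidelines name as reasons a VPN is warranted.
VPN_TASKS = {"administration", "internal_database", "shared_fax_printer"}


def recommend(tasks, device):
    """Return (decision, reasons); device is "managed", "home" or "public"."""
    tasks = set(tasks)
    unknown = sorted(tasks - VPN_TASKS - set(ALTERNATIVES))
    if unknown:
        # Never guess: an unclassified task goes to a human reviewer.
        return "review", ["unclassified task: " + t for t in unknown]
    needs_vpn = sorted(tasks & VPN_TASKS)
    if not needs_vpn:
        # Minimum access: every task has a narrower alternative.
        return "no-vpn", [f"{t}: {ALTERNATIVES[t]}" for t in sorted(tasks)]
    reasons = ["VPN needed for: " + ", ".join(needs_vpn)]
    if device == "managed":
        return "vpn", reasons
    if device == "home":
        return "vpn-with-quarantine", reasons + ["home PC: require Network Quarantine Control"]
    return "deny", reasons + ["computer not under your control"]


def audit(users):
    """Return {name: decision} where the grant differs from a plain "vpn" decision."""
    findings = {}
    for u in users:
        decision, _ = recommend(u["tasks"], u["device"])
        if u["vpn"] != (decision == "vpn"):
            findings[u["name"]] = decision
    return findings


USERS = [  # constructed sample data
    {"name": "alice", "tasks": ["administration"], "device": "managed", "vpn": True},
    {"name": "bob", "tasks": ["email", "files"], "device": "home", "vpn": True},
    {"name": "carol", "tasks": ["internal_database"], "device": "home", "vpn": True},
    {"name": "dave", "tasks": ["shared_fax_printer"], "device": "public", "vpn": True},
    {"name": "erin", "tasks": ["email"], "device": "managed", "vpn": False},
]

if __name__ == "__main__":
    print(audit(USERS))
```

Users with a task the rules do not classify are returned as "review" rather than being granted or denied automatically.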