Configuring Remote Access Security

With remote access, you are opening a door through which remote access clients reach the internal network, and that raises the question of security. You need to allow specific clients in while keeping the door closed to everyone else, and you need to ensure that data passing between a remote access client and the remote access server cannot be read or altered in transit. To meet these requirements, Windows 2000 supports a number of authentication and encryption protocols.

Configuring Authentication Protocols

Windows 2000 supports a number of authentication protocols that can be used to authenticate dial-up clients. Knowing the features and differences between each is important to achieving success on the exam.

  • Password Authentication Protocol (PAP): PAP is the least secure of the authentication protocols because it sends the username and password across the link in clear text. Leave it disabled unless a client cannot use anything else.

  • Shiva Password Authentication Protocol (SPAP): SPAP is used to authenticate against Shiva remote access servers, and Windows 2000 servers can accept it as well. It sends the password in a reversibly encrypted form rather than in clear text, so it is more secure than PAP but less secure than CHAP or MS-CHAP.

  • Challenge Handshake Authentication Protocol (CHAP): CHAP never sends the password across the link. The server sends a random challenge, and the client replies with an MD5 one-way hash of the packet identifier, the password, and the challenge (RFC 1994); the server computes the same hash and compares the two. It is an industry-standard protocol that can be used to authenticate non-Windows-based clients. Because the server must recompute the hash from the plaintext password, Windows 2000 accounts that authenticate with CHAP must have the Store password using reversible encryption option enabled.

  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): A Microsoft version of CHAP for Windows-based clients that works from the stored Windows password hash and also produces the session keys used for MPPE data encryption. MS-CHAP version 1 authenticates only the client to the server. MS-CHAP version 2 adds mutual authentication (the client also verifies the server), stronger initial encryption keys, and separate encryption keys for sending and receiving data.

  • Extensible Authentication Protocol (EAP): EAP is an extension of PPP that lets the two ends negotiate an authentication method beyond a simple password, such as EAP-TLS with smart cards or user certificates, or EAP-MD5 CHAP.
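
The following is an added example, not code from the book, that shows in Python why CHAP is preferred over PAP: it models both sides of an RFC 1994 CHAP exchange (challenge, MD5 response, verification) next to what a PAP Authenticate-Request carries. The account name, password, and the simplified packet layouts are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample account (not from the original page).
ACCOUNTS = {"alice": "correct horse battery staple"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never goes on the wire; only this 16-byte digest does."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


class ChapServer:
    """Remote access server side of CHAP. It must hold the plaintext password
    (or a reversibly encrypted copy) to recompute the hash, which is why
    Windows 2000 needs 'Store password using reversible encryption' for CHAP."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)
        self.next_identifier = 0
        self.outstanding = {}  # identifier -> challenge that has not been answered yet

    def challenge(self) -> tuple:
        """Send a Challenge packet: a fresh identifier and 16 random bytes."""
        self.next_identifier = (self.next_identifier + 1) % 256
        challenge = os.urandom(16)
        self.outstanding[self.next_identifier] = challenge
        return self.next_identifier, challenge

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        """Check a Response packet. A challenge is consumed on first use, so a
        captured response cannot be replayed against this server."""
        challenge = self.outstanding.pop(identifier, None)
        secret = self.accounts.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): both fields in clear text."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def run_chap(server: ChapServer, username: str, password: str) -> bool:
    """One full CHAP exchange: Challenge -> Response -> Success/Failure."""
    identifier, challenge = server.challenge()
    response = chap_response(identifier, password, challenge)
    return server.verify(identifier, username, response)


if __name__ == "__main__":
    srv = ChapServer(ACCOUNTS)
    print("CHAP, correct password:", run_chap(srv, "alice", ACCOUNTS["alice"]))
    print("CHAP, wrong password:  ", run_chap(srv, "alice", "wrong"))
    print("PAP on the wire:       ", pap_authenticate_request("alice", ACCOUNTS["alice"]))
```

The PAP packet contains the password verbatim, whereas nothing captured from the CHAP exchange reveals it directly. The caveat a practitioner should keep in mind is that a captured challenge and response still allow an offline dictionary attack against a weak password, and the server-side requirement for a reversibly encrypted password makes the account database itself a more valuable target; MS-CHAP v2 or EAP-TLS avoid the latter problem.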

Using the Properties dialog box for the remote access server, as shown in Figure 4.15, you can configure which authentication protocol the remote access server can use to authenticate remote clients. Clicking the Authentication Methods button opens the Authentication Methods dialog box, in which you can select the authentication protocols available on the server.

Figure 4.15. Configuring authentication methods.


Once you've enabled the authentication protocols at the server level, you can specify which of the authentication protocols are available for each remote access policy using the Authentication tab in the policy's properties dialog box (see Figure 4.16).

Figure 4.16. Configuring authentication methods in a remote access policy.


Configuring Encryption Protocols

If you're sending sensitive data across the network, you may want to add another level of security by implementing some form of data encryption. The two types of encryption available are as follows:

  • Microsoft Point-to-Point Encryption (MPPE): MPPE encrypts PPP frames with the RC4 stream cipher using 40-bit, 56-bit, or 128-bit keys. It can be used for dial-up PPP connections and for PPTP VPN connections. The keys are derived during MS-CHAP or EAP-TLS authentication, so MPPE can be used only with those authentication protocols; a client that authenticates with PAP, SPAP, or CHAP cannot negotiate MPPE.

  • IP Security (IPSec): IPSec provides the encryption for L2TP connections. It supports the Data Encryption Standard (DES, 56-bit key) and triple DES (3DES, 168-bit key). Windows 2000 L2TP/IPSec also requires a computer certificate on both the client and the server to establish the IPSec security association.

Note: Some older Microsoft operating systems do not support 56-bit encryption. To support these clients, you must allow 40-bit encryption; otherwise, 56-bit encryption should be used. When Windows 2000 was first released, 128-bit encryption was subject to US export restrictions and required the separate High Encryption Pack, which is why older material says it is available only in North America; it was later included with Service Pack 2 and onward.


You configure encryption for a dial-up connection at the policy level. To do so, open the Properties dialog box for the remote access policy and select the Encryption tab (see Figure 4.17). Select one or more of the following encryption levels; the client must negotiate one of the selected levels or its connection is rejected:

  • No Encryption: Select this option to allow remote access clients to connect without requiring any form of encryption. Clear it on policies that carry sensitive data; otherwise a client can negotiate no encryption at all.

  • Basic: Allows remote access clients to connect using MPPE 40-bit encryption or IPSec 56-bit DES encryption.

  • Strong: Allows remote access clients to connect using MPPE 56-bit encryption or IPSec 56-bit DES encryption.

  • Strongest: Allows remote access clients to connect using MPPE 128-bit encryption or IPSec 3DES encryption. This option is listed only on servers with 128-bit encryption support installed.

Figure 4.17. Configuring the encryption level.


Creating a Remote Access Policy

Earlier in the chapter, you looked at the elements of a remote access policy: conditions, permissions, and profile settings. As already mentioned, once RRAS is enabled, a default policy named Allow access if dial-in permission is enabled is created automatically. However, there may be instances in which you need to configure additional policies to meet security requirements and the needs of the remote access clients.

To create a new remote access policy, right-click the Remote Access Policies container within the Routing and Remote Access management console and click New Remote Access Policy. You are prompted to specify a name for the policy and configure the conditions, permissions, and profile settings. Once complete, the policy will be listed under the Remote Access Policies container. The policy settings can be changed at any time using the policy's Properties dialog box.

Policies are evaluated in the order in which they appear within the management console. The first policy whose conditions all match the connection attempt is the only one applied; policies below it are not consulted, and if no policy matches, the attempt is rejected. Order therefore matters for security: a narrowly scoped policy (for example, one for a particular group or port type) must sit above a broader policy that would otherwise match the same attempt first. The order can be changed by right-clicking a policy and choosing the Move Up or Move Down options.
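
As an added example (not code from the book), the following Python models how Windows 2000 RRAS walks an ordered policy list: first-match on conditions, then the account's dial-in setting versus the policy permission, then the profile constraints. The policy names, group, and connection attempts are constructed; only two condition attributes (Windows-Groups and NAS-Port-Type) are modelled, and the default policy's day-and-time condition is simplified to "matches everything".

```python
from dataclasses import dataclass, field

# Encryption levels as named on the policy's Encryption tab, weakest to strongest.
ENCRYPTION_RANK = {"No Encryption": 0, "Basic": 1, "Strong": 2, "Strongest": 3}


@dataclass
class Policy:
    name: str
    conditions: dict        # all must match (logical AND); {} matches every attempt
    grant: bool             # True = Grant remote access permission, False = Deny
    profile: dict = field(default_factory=dict)  # e.g. {"auth": {...}, "min_encryption": "Strong"}


@dataclass
class Attempt:
    user: str
    groups: set
    nas_port_type: str      # e.g. "Virtual" for a VPN, "Async" for a modem
    dialin: str             # account Dial-in tab: "allow", "deny", or "policy"
    auth: str               # protocol the client authenticated with
    encryption: str         # level the client negotiated


def conditions_match(policy: Policy, attempt: Attempt) -> bool:
    for key, wanted in policy.conditions.items():
        if key == "Windows-Groups":
            if wanted not in attempt.groups:
                return False
        elif key == "NAS-Port-Type":
            if attempt.nas_port_type != wanted:
                return False
        else:
            raise ValueError(f"condition {key!r} not modelled here")
    return True


def evaluate(policies: list, attempt: Attempt) -> tuple:
    """Windows 2000 RRAS authorization, in order:
    1. walk the list top to bottom; the first policy whose conditions all
       match is the only one consulted; no match means reject;
    2. the account's Allow/Deny dial-in setting overrides the policy's
       permission; 'Control access through Remote Access Policy' defers to it;
    3. the connection must satisfy the policy's profile constraints.
    Returns (decision, policy name or None, reason)."""
    for policy in policies:
        if not conditions_match(policy, attempt):
            continue
        if attempt.dialin == "deny":
            return ("reject", policy.name, "account dial-in permission is Deny")
        if attempt.dialin == "policy" and not policy.grant:
            return ("reject", policy.name, "policy permission is Deny")
        allowed_auth = policy.profile.get("auth")
        if allowed_auth and attempt.auth not in allowed_auth:
            return ("reject", policy.name, f"{attempt.auth} not allowed by profile")
        minimum = policy.profile.get("min_encryption")
        if minimum and ENCRYPTION_RANK[attempt.encryption] < ENCRYPTION_RANK[minimum]:
            return ("reject", policy.name, f"encryption below {minimum}")
        return ("accept", policy.name, "")
    return ("reject", None, "no policy matched")


# Constructed sample policies and connection attempts (not from the original page).
DEFAULT_POLICY = Policy("Allow access if dial-in permission is enabled", {}, grant=False)
VPN_POLICY = Policy(
    "VPN users",
    {"Windows-Groups": "VPN-Users", "NAS-Port-Type": "Virtual"},
    grant=True,
    profile={"auth": {"MS-CHAPv2", "EAP-TLS"}, "min_encryption": "Strong"},
)
BOB = Attempt("bob", {"VPN-Users"}, "Virtual", "policy", "MS-CHAPv2", "Strongest")
EVE = Attempt("eve", {"VPN-Users"}, "Virtual", "policy", "CHAP", "No Encryption")

if __name__ == "__main__":
    print("VPN policy above default:", evaluate([VPN_POLICY, DEFAULT_POLICY], BOB))
    print("default above VPN policy:", evaluate([DEFAULT_POLICY, VPN_POLICY], BOB))
    print("weak client:             ", evaluate([VPN_POLICY, DEFAULT_POLICY], EVE))
```

Run it and bob is accepted only when the VPN policy sits above the default policy; with the order reversed, the default policy matches first and denies him, because his account defers to policy. The same first-match rule means a policy that grants access to everyone placed at the top silently neutralises every policy below it.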



MCSE Windows 2000 Network Infrastructure Exam Cram 2 (Exam 70-216)
ISBN: 078972863X
Year: 2005
Pages: 167