Remote access enables clients to connect to your network from a remote location through various hardware devices including network interface cards and modems. Once clients obtain a remote access connection, they can use network resources such as files in the same way as they would use a client computer directly connected to your LAN. In this lesson, you learn how to configure security for remote access on your network.
After this lesson, you will be able to
Estimated lesson time: 60 minutes
Routing and Remote Access is the service that lets remote users connect to your local network by telephone. Remote access provides an opportunity for intruders to access your network; therefore, Windows 2000 provides multiple security features to permit authorized access while limiting opportunities for mischief. When a client dials a remote access server on your network, the client is granted access to the network if the following are true:
After the client has been identified and authorized, access to the network can be limited to specific servers, subnets, and protocol types, depending on the remote access profile of the client. Otherwise, all services typically available to a user connected to a LAN (including file and print sharing, Web server access, and messaging) are enabled by means of the remote access connection.
Consider that someone can intercept a user name and password while a user is attempting to log on to the Routing and Remote Access server using techniques similar to a wiretap. To prevent this, Routing and Remote Access can use a secure user authentication method, which includes the following:
Like PAP, SPAP is a simple exchange of messages. First, the remote access client sends an SPAP Authenticate-Request message to the remote access server containing the remote access client's user name and encrypted password. Next, the remote access server decrypts the password, checks the user name and password, and sends back either an SPAP Authenticate-Ack message when the user's credentials are correct, or an SPAP Authenticate-Nak message with a reason why the user's credentials were not correct.
For a VPN to be secure, you need to use an appropriate security protocol. In this practice, you will configure a VPN to use the CHAP Authentication method.
The Server Properties dialog box appears.
The Authentication Methods dialog box appears.
Figure 12.20 Using the CHAP authentication method
Routing and Remote Access and IAS both use remote access policies to determine whether to accept or reject connection attempts. In both cases, the remote access policies are stored locally. Policy is now dictated on a per-call basis.
With remote access policies, you can grant or deny authorization by time of day or day of the week, by the Windows 2000 group to which the remote access user belongs, by the type of connection being requested (dial-up networking or VPN connection), and so forth.
Because remote access policies are stored locally on either a remote access server or an IAS server, in order to centrally manage a single set of remote access policies for multiple remote access or VPN servers, you must do the following:
After you configure a Windows 2000 remote access server as a RADIUS client to an IAS server, the local remote access policies stored on the remote access server are no longer used. Centralized management of remote access policies is also used when you have remote access servers that are running Windows NT 4.0 with the Routing and Remote Access Service (RRAS). You can configure the server that is running Windows NT 4.0 with RRAS as a RADIUS client to an IAS server. You cannot configure a remote access server that is running Windows NT 4.0 without RRAS to take advantage of centralized remote access policies.
You can use data encryption to protect the data that is sent between the remote access client and the remote access server. Data encryption is important for financial institutions, law-enforcement and government agencies, and corporations that require secure data transfer. For installations where data confidentiality is required, the network administrator can set the remote access server to require encrypted communications. Users who connect to that server must encrypt their data, or the connection attempt is denied.
For VPN connections, you protect your data by encrypting it between the ends of the VPN. You should always use data encryption for VPN connections when private data is sent across a public network such as the Internet, where there is always a risk of unauthorized interception.
For dial-up networking connections, you can protect your data by encrypting it on the communications link between the remote access client and the remote access server. You should use data encryption when there is a risk of unauthorized interception of transmissions on the communications link between the remote access client and the remote access server. There are two forms of encryption available for demand-dial connections: Microsoft Point-to-Point Encryption (MPPE) and IP Security (IPSec).
For dial-up networking connections, Windows 2000 uses MPPE.
For VPN connections, Windows 2000 uses MPPE with the PPTP, and IPSec encryption with the L2TP.
Follow these steps to configure encryption for a dial-up connection:
Figure 12.21 Setting the level of encryption
Remote access enables clients to connect to your network from a remote location using various hardware devices, including network interface cards and modems. Once a client obtains a remote access connection, he or she can use network resources, such as files, just as when the client computer is directly connected to the LAN. In Windows 2000 you create remote access policies and then configure them for security. You can set the level of encryption and dial-up permissions for remote access.