Creating Remote Access Policies


EXAM 70-293 OBJECTIVE 3

You can manage the security of your remote access server by creating one or more Remote Access Policies. Depending on your configuration, you will need to create policies in one of these two places:

  • If you are using Windows authentication, use the Remote Access Policies item under each RRAS server in the Routing and Remote Access MMC snap-in.

  • If you are using RADIUS authentication, use the Remote Access Policies item under the IAS server in the Internet Authentication Service MMC snap-in.

Regardless of the type of authentication you are using, the policies you create will work the same way, and the dialog boxes for creating and modifying policies are the same.

Test Day Tip

Keep in mind that with RADIUS authentication you have exactly one set of remote access policies defined for the IAS server. With Windows authentication there is a separate set of policies for each RRAS server.

Policies and Profiles

Remote access security includes two key components:

  • Remote Access Policies Determine which users can connect remotely and the connection methods they can use. You can have any number of remote access policies.

  • Remote Access Profiles Provide further restrictions after the connection is established. Each policy contains exactly one profile.

Each remote access policy has an order number, or priority. You can define the order by using the Move Up and Move Down actions in the policy window. The list of policies in a default Windows Server 2003 RRAS installation is shown in Figure 7.12. Each policy can have various criteria against which connection attempts are checked. The policy can be set to either Grant or Deny access for users who match these criteria.

Figure 7.12: Remote Access Policies

When a user attempts to connect, his or her connection criteria are compared to each policy’s conditions in order until a policy matches. The Grant or Deny setting of that policy then determines whether the user is allowed access. If a policy grants access, its associated profile is used to further restrict the connection.

In the following sections, you will learn how to make practical use of remote access policies and profiles to authorize or restrict remote access, and to control aspects of the connections using remote access profiles.

Authorizing Remote Access

The simplest use for a remote access policy is to authorize remote access for a particular user or group. Windows Server 2003 includes a wizard that you can use to quickly create these types of policies. After you have created a policy, you can modify the properties of the policy to make more specific settings or restrictions.

Authorizing Access By User

As described earlier in this chapter, you can use the Dial-in Properties page of a user account’s Properties dialog box to explicitly allow or deny access to the user. This is the recommended way to authorize access by user. When you use the wizard to create a policy to authorize by user, it creates a policy that does not include any user restrictions. You can then use the user properties to allow or deny access. Exercise 7.08 shows you how to create a policy to authorize by user.

Exercise 7.08: Authorizing Remote Access by User

start example

Follow these steps to create a policy to authorize access by user:

  1. Select Programs | Administrative Tools | Routing and Remote Access from the Start menu. If you are using RADIUS authentication, select Internet Authentication Service instead.

  2. Click Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.

  3. From the menu, select Action | New Remote Access Policy.

  4. The wizard displays a welcome message. Click Next to continue.

  5. The Policy Configuration Method screen is displayed, as shown in Figure 7.13. Select the Use the wizard to set up a typical policy option and enter Allow Dial-up Access in the Policy name field. Click Next to continue.

    Figure 7.13: Policy Configuration Method

  6. The Access Method screen is displayed. You can select whether this policy will apply to Dial-up, VPN, Wireless, or Ethernet access. Select the Dial-up option and click Next to continue.

  7. The User or Group Access dialog box is displayed, as shown in Figure 7.14. Select the User option and click Next to continue.

    Figure 7.14: User or Group Access

  8. The Authentication Methods dialog box is displayed. This dialog box enables you to choose the authentication methods this policy will accept. Click Next to continue.

  9. The Policy Encryption Level screen is displayed. Select the encryption types to accept and click Next.

  10. The wizard displays a completion dialog box. Click Finish to create the new policy.

  11. You are returned to the Remote Access Policies window and your new policy has been added at the top of the list.

After you have created the policy with the wizard, you can use the Move Up and Move Down commands in the Action menu to change the policy order if you wish.

end example

Authorizing Access By Group

Unlike user accounts, security groups do not include dial-in properties. If you wish to enable access for a group, you can use the wizard to create a remote access policy that includes a condition to check the user’s group membership. Exercise 7.09 guides you through this process.

Exercise 7.09: Authorizing Remote Access by Group

start example

Follow these steps to create a policy to authorize access for the Domain Admins group:

  1. Select Programs | Administrative Tools | Routing and Remote Access from the Start menu. If you are using RADIUS authentication, select Internet Authentication Service instead.

  2. Click Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.

  3. From the menu, select Action | New Remote Access Policy.

  4. The wizard displays a welcome message. Click Next to continue.

  5. The Policy Configuration Method screen is displayed. Select the Use the wizard to set up a typical policy option and enter Allow Admin Access in the Policy name field. Click Next to continue.

  6. The Access Method screen is displayed, as shown in Figure 7.15. You can select whether this policy will apply to Dial-up, VPN, Wireless, or Ethernet access. Select the Dial-up option and click Next to continue.

  7. The User or Group Access dialog box is displayed. Select the Group option and click the Add button to add a group name.

    Figure 7.15: Access Method

  8. The Select Groups dialog box is displayed, as shown in Figure 7.16. Enter Domain Admins in the Enter the object names to select field and click OK.

    Figure 7.16: Select Groups

  9. You are returned to the User or Group Access dialog box. Click Next to continue.

  10. The Authentication Methods dialog box is displayed. Click Next to continue.

  11. The Policy Encryption Level dialog box is displayed. Click Next to continue.

  12. The wizard displays the completion dialog box. Click Finish to create the policy.

end example

Restricting Remote Access

You can add any number of conditions to a remote access policy to restrict the users, connection types, and other criteria that can match the policy. Each policy can be configured to either allow access or deny access based on those criteria.

To restrict access, you can create a policy that denies access based on a set of criteria. Because each connection will use the first policy that it matches, be sure your policies for denying access are placed early in the list, before any other policy that might match the same users.

The current conditions for a policy are listed in its Properties dialog box. You can use the Add button to add a condition. There are a variety of attributes you can test to create a condition. For example, Figure 7.17 shows the Properties dialog box for a policy that checks the connection type and group membership.

Figure 7.17: Policy Properties

Restricting by User/Group Membership

You already used the wizard to create a simple policy to restrict by group membership earlier in this section. You can also add this condition manually to any policy using its properties. The attribute for group membership is Windows-Groups. You can specify one or more group memberships to match and set the policy to either grant or deny access.

Test Day Tip

You can restrict by user name using the Dial-in tab of the user’s Properties dialog box, as described earlier in this chapter. Remote Access Policies do not include an option to restrict access by user name.

Restricting by Type of Connection

You can use the NAS-Port-Type attribute to restrict a remote access policy to a particular type of connection. Connection types include modem, ISDN, wireless, VPN, and other network connections that can be used for remote access.

For example, suppose you were discontinuing the use of dial-in remote access and want to add a policy to prevent dial-in access. You would create a policy to deny access when the NAS-Port-Type attribute indicates a modem connection and place it at the top of the list to override other policies. Exercise 7.10 guides you through this process.
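How the ordered, first-match evaluation described above plays out, as an added Python model that is not part of the study guide: the policy names, attribute values and connection attempts are constructed, and the model omits the account's own dial-in permission that a real RRAS/IAS server also consults.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    conditions: dict  # attribute -> set of values the condition accepts
    grant: bool       # True = Grant remote access permission, False = Deny
    profile: dict = field(default_factory=dict)

    def matches(self, attempt):
        # Every condition must match. Windows-Groups on the attempt is the set
        # of the user's memberships and matches when any of them is listed.
        for attr, allowed in self.conditions.items():
            value = attempt.get(attr)
            if isinstance(value, (set, frozenset)):
                if not (value & allowed):
                    return False
            elif value not in allowed:
                return False
        return True

def evaluate(policies, attempt):
    """Walk the list in priority order; the first policy whose conditions all
    match decides Grant/Deny, and its profile applies only on Grant.
    If nothing matches, the attempt is rejected."""
    for policy in policies:
        if policy.matches(attempt):
            return policy.name, policy.grant, (policy.profile if policy.grant else {})
    return None, False, {}

# Constructed policies modelled on the chapter's exercises (not real server data).
DENY_MODEM = Policy("Deny modem access", {"NAS-Port-Type": {"Async (Modem)"}}, grant=False)
ALLOW_ADMIN = Policy("Allow Admin Access", {"Windows-Groups": {"Domain Admins"}},
                     grant=True, profile={"Idle-Timeout": 30, "Session-Timeout": 480})
BUSINESS_HOURS = {(d, h) for d in ("Mon", "Tue", "Wed", "Thu", "Fri") for h in range(8, 18)}
ALLOW_VPN_STAFF = Policy("Allow VPN during business hours",
                         {"NAS-Port-Type": {"Virtual (VPN)"}, "Windows-Groups": {"Staff"},
                          "Day-and-Time-Restrictions": BUSINESS_HOURS},
                         grant=True, profile={"Encryption": "Strongest (MPPE 128-bit)"})
POLICIES = [DENY_MODEM, ALLOW_ADMIN, ALLOW_VPN_STAFF]  # deny policy at the top, as advised

# Constructed connection attempts; a (day, hour) tuple stands in for the call time.
ADMIN_BY_MODEM = {"NAS-Port-Type": "Async (Modem)", "Day-and-Time-Restrictions": ("Tue", 10),
                  "Windows-Groups": {"Domain Admins", "Domain Users"}}
STAFF_VPN_NIGHT = {"NAS-Port-Type": "Virtual (VPN)", "Day-and-Time-Restrictions": ("Sat", 2),
                   "Windows-Groups": {"Staff", "Domain Users"}}

def deny_first():
    return evaluate(POLICIES, ADMIN_BY_MODEM)           # denied by "Deny modem access"

def deny_last():
    # Same policies with the deny policy moved to the bottom: the admin's modem
    # call now matches "Allow Admin Access" first and is granted.
    return evaluate([ALLOW_ADMIN, ALLOW_VPN_STAFF, DENY_MODEM], ADMIN_BY_MODEM)
```

Moving the deny policy below a broader grant policy silently re-enables the connection type you meant to block, which is why the exercise places it at the top of the list.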

Exercise 7.10: Restricting Access by Connection Type

start example

Follow these steps to create a policy that denies access to modem users:

  1. Select Programs | Administrative Tools | Routing and Remote Access from the Start menu.

  2. Click to highlight Remote Access Policies in the left-hand column.

  3. Select Action | New Remote Access Policy from the menu.

  4. A welcome message is displayed. Click Next to continue.

  5. The Policy Configuration Method dialog box is displayed. Select Set up a custom policy and enter Deny modem access in the Policy name field.

  6. The Policy Conditions dialog box is displayed. Click Add to add a condition.

  7. The Select Attribute dialog box lists the available attributes, as shown in Figure 7.18. Select NAS-Port-Type and click Add.

    Figure 7.18: Select Attribute

  8. The available port types are listed in a dialog box. Select Async (Modem) and click Add; then click OK.

  9. You are returned to the Policy Conditions dialog box. Click Next to continue.

  10. The Permissions dialog box is displayed. Select Deny remote access permission and click Next.

  11. The Profile dialog box is displayed. You can use the Edit button to make changes to the profile if you wish. Click Next to continue.

  12. A completion message is displayed. Click Finish to create your policy.

Your new policy should appear at the top of the list by default and will prevent access by modem users regardless of other policies they may match.

end example

Restricting by Time

You can use the Day-and-Time-Restrictions attribute to control the days of the week and times of day during which a policy is effective. You can use this feature to deny access at a specific time or day, or to explicitly grant access at a certain time. To use this feature, use the Add button in the Properties dialog box to add a condition to a policy, and then select Day-and-Time-Restrictions. The Time of Day Constraints dialog box, shown in Figure 7.19, enables you to allow or deny access for each hour of the day and each day of the week.

Figure 7.19: Time of Day Constraints

Restricting by Client Configuration

As mentioned earlier in this chapter, you can use the Network Access Quarantine Control (NAQC) feature to restrict connections based on aspects of a client’s configuration: the operating system, file system, and even details of which security updates have been installed. You need to create a custom script or program to check the client’s configuration to implement this feature.

NAQC is included with the Windows Server 2003 Resource Kit. It includes several components:

  • The Remote Access Quarantine Agent service (RQS.EXE) runs on the RRAS servers.

  • A custom script to check the configuration. The script can use RQC.EXE, included in the Resource Kit, to notify the quarantine agent whether the client passed its tests.

  • Connection Manager, using a custom profile and a post-connect action to run the script.

  • A RADIUS (IAS) server to manage authentication.

  • A remote access policy that uses the quarantine attributes, installed with the quarantine agent, to determine whether the connection has been authorized by the script.

NAQC is supported by Windows 98 SE and later clients that support Connection Manager. For details on implementing a quarantine script, consult Microsoft’s TechNet site.

Restricting Authentication Methods

You can use the Authentication-Type attribute to restrict a policy to certain authentication types. When you add this attribute, you can use the Authentication-Type dialog box to add one or more of the possible authentication types, as shown in Figure 7.20.

Figure 7.20: Restricting by Authentication Method

Exam Warning

You can also restrict authentication methods in the Security tab of the RRAS server’s Properties dialog box, as described earlier in this chapter. If a method is disabled in the server’s properties, it will not be used even if it is enabled for a remote access policy.

Restricting by Phone Number or MAC Address

You can use the following two attributes to add a phone number condition to a remote access policy:

  • Called-Station-ID: The phone number the user called.

  • Calling-Station-ID: The phone number the call originated from (Caller ID).

For wireless and Ethernet connections, the same two attributes carry the MAC address of the access point or switch port and of the client, respectively, so they can also be used to restrict access by MAC address.

Controlling Remote Connections

After a connection is established by matching a remote access policy, the profile associated with the policy is used to control what the user can do with the connection. Some of the most useful profile settings include the following:

  • The amount of time the user is allowed to remain connected or remain idle

  • The encryption methods that will be allowed

  • Which traffic will be filtered using packet filters

  • The client IP address

Controlling Idle Timeout

The idle timeout is the amount of time the RRAS server will keep a session connected when no traffic has passed over the connection in either direction. You can use this setting to ensure that clients who finish using their remote connection but fail to disconnect are disconnected automatically.

The idle timeout is part of a remote access profile. You can change the timeout on the Dial-in Constraints tab of the Edit Dial-in Profile dialog box. Exercise 7.11 describes how to change this setting.

Controlling Maximum Session Time

Along with the idle timeout, you can define a maximum amount of time a client can remain connected to the server whether they use the connection or not. When your supply of incoming ports is limited, this is one way to ensure that ports are opened up to enable other users to connect.

The maximum session time is also defined in the Dial-in Constraints tab of a profile. Exercise 7.11 demonstrates how to change the idle timeout and session time for a profile.

Exercise 7.11: Controlling Idle and Session Times

start example

Follow these steps to modify the idle and session times for a remote access policy’s profile:

  1. From the Routing and Remote Access console, select Remote Access Policies in the left-hand column. A list of the current policies is displayed in the window.

  2. Click one of the policies in the window to highlight it. Select Action | Properties from the menu.

  3. The Policy Properties dialog box is displayed. Click the Edit Profile button.

  4. The Edit Dial-in Profile dialog box is displayed, as shown in Figure 7.21. Check the box next to Minutes server can remain idle before it is disconnected and select a number of minutes.

    Figure 7.21: Edit Dial-in Profile

  5. Check the box next to Minutes the client can be connected and select a number of minutes.

  6. Click OK to return to the Policy Properties dialog box.

  7. Click OK to save your changes and return to the RRAS console.

end example

Controlling Encryption Strength

You can use the settings in the Encryption tab of a remote access profile’s Properties dialog box to allow or disallow particular types of encryption for a VPN connection. Encryption types include the following:

  • Basic encryption (MPPE 40-bit)

  • Strong encryption (MPPE 56-bit)

  • Strongest encryption (MPPE 128-bit)

Which encryption type is used depends on what the server and the client support, but you can use this setting to prevent access with inadequate encryption. The Encryption tab of the Properties dialog box is shown in Figure 7.22.

Figure 7.22: Encryption Properties

Controlling IP Packet Filters

You can use IP packet filters to filter incoming or outgoing traffic for connections that match a particular remote access profile. You might find this useful for denying access to a VPN from particular locations, or only allowing access from a particular address. You can manage outgoing and incoming packet filters from the IP settings tab of the Profile Properties dialog box, as shown in Figure 7.23.

Figure 7.23: IP Settings

Controlling IP Address for PPP Connections

You can also use the IP settings to control IP address assignment for PPP (dial-in) connections. The following options are available:

  • Server must supply an IP address

  • Client may request an IP address

  • Server settings determine IP address assignment

  • Assign a static IP address

The last option enables you to specify a single IP address to be assigned to clients that match this profile. If you use this feature, be sure that only one client at a time will match the profile, because the IP address can only be assigned to one client.

MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173