Best Practices

  • Allow only MS-CHAPv2 or EAP-TLS for remote client authentication.

    Only these forms of authentication provide maximum protection of user credentials as well as mutual authentication of the remote client and the remote access server.

  • Implement RADIUS authentication for all remote access authentication.

    By implementing RADIUS authentication, you ensure that remote access policy is applied centrally from the IAS server, rather than by each remote access server.

  • Ensure that the latest service packs or the Windows 2000 High Encryption Pack are applied to all remote access servers, IAS servers, and remote access clients.

    This guarantees that the strongest forms of encryption are used for VPN connections. For PPTP connections, accept only connections that implement 128-bit MPPE encryption. For L2TP/IPSec connections, accept only connections that implement ESP with 3DES encryption.

  • If implementing L2TP/IPSec as your VPN protocol, use certificates to authenticate the remote access client computer and the remote access server.

    Using preshared keys for IPSec authentication of L2TP/IPSec connections is considered a security weakness and should be avoided.

  • Create remote access client packages by using the CMAK.

    The CMAK packages ensure that the correct configuration is implemented and enforced at remote client computers.

  • Create separate remote access policies for each remote access solution.

    Ensure that remote access policies are ordered correctly at the remote access server or the IAS server so that the correct remote access policy is applied for each type of connection attempt.

  • Implement remote access account lockout.

    This prevents online dictionary attacks against a user's password.

  • Prevent RRAS from starting on nonauthorized computers in the domain.

    You can do so by defining System Services policies. Allow only the local Administrators and the System account on approved remote access servers to start, stop, or pause the service.
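
The policy-ordering practice above matters because the first remote access policy whose conditions match a connection attempt is the only one consulted. The following is an added example, not code from the Resource Kit or from IAS: a simplified Python model with constructed policy names, attribute values and data layout, showing how a broad policy placed first overrides a stricter one and how to flag policies that can never be reached.

```python
# Simplified model of first-match remote access policy evaluation.
# Policy names, attribute values and the dict layout are constructed for illustration.

def matches(conditions, attempt):
    """A policy matches when every one of its conditions equals the attempt's attribute."""
    return all(attempt.get(k) == v for k, v in conditions.items())

def evaluate(policies, attempt):
    """Return (policy name, decision). Only the first matching policy is consulted."""
    for p in policies:
        if matches(p["conditions"], attempt):
            ok = attempt["auth"] in p["auth"] and attempt["encryption"] in p["encryption"]
            return p["name"], "accept" if ok else "reject"
    return None, "reject"  # no policy matched the attempt

def shadowed(policies):
    """Names of policies that can never be selected: an earlier policy's
    conditions are a subset of theirs, so the earlier one always matches first."""
    out = []
    for i, later in enumerate(policies):
        if any(e["conditions"].items() <= later["conditions"].items() for e in policies[:i]):
            out.append(later["name"])
    return out

PPTP = {"name": "PPTP VPN",
        "conditions": {"NAS-Port-Type": "Virtual", "Tunnel-Type": "PPTP"},
        "auth": {"MS-CHAPv2", "EAP-TLS"}, "encryption": {"MPPE-128"}}
L2TP = {"name": "L2TP VPN",
        "conditions": {"NAS-Port-Type": "Virtual", "Tunnel-Type": "L2TP"},
        "auth": {"MS-CHAPv2", "EAP-TLS"}, "encryption": {"ESP-3DES"}}
GENERIC = {"name": "All VPN",  # broad policy with a weaker profile
           "conditions": {"NAS-Port-Type": "Virtual"},
           "auth": {"MS-CHAPv2"}, "encryption": {"MPPE-40", "MPPE-128"}}

# Constructed connection attempt: PPTP client offering only 40-bit MPPE.
WEAK_ATTEMPT = {"NAS-Port-Type": "Virtual", "Tunnel-Type": "PPTP",
                "auth": "MS-CHAPv2", "encryption": "MPPE-40"}

if __name__ == "__main__":
    for order in ([GENERIC, PPTP, L2TP], [PPTP, L2TP, GENERIC]):
        names = [p["name"] for p in order]
        print(names, evaluate(order, WEAK_ATTEMPT), "shadowed:", shadowed(order))
```

With the broad policy first, the 40-bit attempt is accepted and both protocol-specific policies are reported as shadowed; with the specific policies first, the same attempt is rejected by the PPTP policy.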



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
