Best Practices
Only these forms of authentication provide maximum protection of user credentials as well as mutual authentication of the remote client and the remote access server.
By implementing RADIUS authentication, you ensure that remote access policy is applied centrally from the IAS server, rather than by each remote access server.
This guarantees that the strongest forms of encryption are used for VPN connections. For PPTP connections, accept only connections that implement 128-bit MPPE encryption. For L2TP/IPSec connections, accept only connections that implement ESP with 3DES encryption.
Using preshared keys for IPSec authentication of L2TP/IPSec connections is considered a security weakness and should be avoided.
The Connection Manager Administration Kit (CMAK) packages ensure that the correct configuration is implemented and enforced at remote client computers.
Ensure that remote access policies are ordered correctly at the remote access server or the IAS server so that the correct remote access policy is applied for each type of connection attempt.
This prevents online dictionary attacks against a user's password.
You can do so by defining System Services policies. Allow only the local Administrators and the System account on approved remote access servers to start, stop, or pause the service.
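The following PowerShell script is an added example, not part of the original documentation, that checks the outcome of this practice: it parses a service's security descriptor (SDDL) and reports any principal other than the local Administrators group and the System account that holds the start, stop or pause/continue rights. The SDDL string embedded below is constructed for the example; on a live server it would be read with `sc.exe sdshow RemoteAccess` (`RemoteAccess` is the service name of Routing and Remote Access). The function name `Test-ServiceControlAcl` is this example's own.

```powershell
# Added example (not from the original documentation): audit a service's
# security descriptor so that only BUILTIN\Administrators (BA) and
# NT AUTHORITY\SYSTEM (SY) may start, stop or pause the service.

# Service-specific access mask bits as defined in winsvc.h
$SERVICE_START          = 0x0010   # SDDL right string "RP"
$SERVICE_STOP           = 0x0020   # SDDL right string "WP"
$SERVICE_PAUSE_CONTINUE = 0x0040   # SDDL right string "DT"
$controlMask = $SERVICE_START -bor $SERVICE_STOP -bor $SERVICE_PAUSE_CONTINUE

# Well-known SIDs that are allowed to control the service
$allowedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators (BA)
    'S-1-5-18'        # NT AUTHORITY\SYSTEM (SY)
)

function Test-ServiceControlAcl {
    param([Parameter(Mandatory)][string]$Sddl)

    # Parse the SDDL string into a security descriptor object
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    $findings = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only access-allowed ACEs grant anything; skip deny/audit entries
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $granted = $ace.AccessMask -band $controlMask
        if ($granted -eq 0) { continue }          # no start/stop/pause rights
        $sid = $ace.SecurityIdentifier.Value
        if ($allowedSids -notcontains $sid) {
            $findings += [pscustomobject]@{
                Sid    = $sid
                Rights = ('0x{0:X4}' -f $granted)
            }
        }
    }
    return $findings
}

# Constructed sample: a descriptor that also lets Interactive Users (IU) start
# the service and Power Users (PU) start, stop and pause it. Replace with
#   $sampleSddl = (sc.exe sdshow RemoteAccess | Where-Object { $_ }) -join ''
# to audit the real Routing and Remote Access service.
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'

$bad = @(Test-ServiceControlAcl -Sddl $sampleSddl)
if ($bad.Count -eq 0) {
    'OK: only Administrators and SYSTEM can start, stop or pause the service.'
} else {
    'Principals other than Administrators/SYSTEM hold start/stop/pause rights:'
    $bad | Format-Table -AutoSize
}
```

The same rights are what a System Services policy in Group Policy writes to the service's DACL; running this check after the policy has applied confirms that no inherited or pre-existing entry still lets other accounts control the service.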