Planning and Implementing Remote Access Security


In this section, we examine the process of planning and implementing security for remote access solutions. In general, if you were to think about overall network security when dealing with a remote access solution, the most important consideration would be that remote access means "remote" sites, users, and so on will be entering your protected core network to access resources needed to perform business. Therefore, you need to consider how to authenticate them and make sure that you are giving access to these critical resources to the right people and that they are logged as doing such, so if a problem occurs, it can be traced back to the source.

To implement remote access security, you need to follow a general process similar to this: First, determine what risks and problems you are likely to encounter. Next, choose a solution that fits your business needs (Windows Server 2003 RRAS for this discussion), and then implement the solution. After you have implemented the solution, test it to try to break it, in effect, looking for weaknesses in its design and implementation. This section focuses on planning and creating secure remote access solutions using remote access policies and the various user authentication methods available in Windows Server 2003.

Windows Server 2003 provides remote access for both dial-in connections and virtual private network (VPN) connections and includes a set of features that provide flexibility and security for your remote access solution. If you need to review the basics of implementing and configuring remote access, be sure to see MCSA/MCSE 70-291 Training Guide: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure by Dave Bixler and Will Schmied (Que Publishing, 2003).

Before you go any further with your plan for secure remote access, you should ask yourself the following questions to gain an insight into what security you may need:

  • Do all your users require remote access? In the majority of networks, only a small group of users actually needs to have remote access capabilities. Your remote access policies should take this into account and prevent unauthorized users from making remote access connections to your network.

  • Of the users who do need remote access, do they need differing levels of remote access? You need to plan for this if you have users who require differing levels of remote access.

  • Of the users who do need remote access, do they need to access network resources or only the resources located on the Remote Access Server? If users do not need to access any internal resources, you can contain them to the Remote Access Server for increased security and accountability.

Remote access allows users with remote computers to create a logical connection to an organization's network or the Internet. In this chapter, we do not look at the specifics of how connections are created (that is the scope of the 70-291 exam), but instead at how to authenticate and secure these connections.

Planning Authentication Methods

Plan security for remote access users.

  • Analyze protocol security requirements.

  • Plan authentication methods for remote access clients.

To handle network traffic (and to know what to do with it via security), you need to select a protocol to use with your remote access setup in Windows Server 2003. This section highlights your options, which one seems best to utilize, what differences they have and why, as well as what you can use if you don't want a high-end security solution. Regardless, you need to know these options for the 70-293 exam.

Remote access authentication methods are configured on the Authentication Methods dialog box, as shown in Figure 4.29. In this section, we cover EAP, CHAP, MS-CHAP, MS-CHAP v2, SPAP, PAP, and nonauthorized access.

Figure 4.29. You can select any number of available remote access authentication methods.

Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) is a commonly used protocol on networks today. It is responsible for creating an authentication method in which the authentication scheme to be used is negotiated by the remote access client and the authenticator, which could be either the Remote Access Server or even a RADIUS server. Windows Server 2003 Routing and Remote Access (RRAS) includes support for EAP-TLS by default; TLS stands for Transport Layer Security. It could be considered an EAP type, much like the wireless access protocol called LEAP, which is provided by Cisco Systems. There are many types of EAP, although they all perform similar functions, such as authentication; they just use different methods to do so. Following are some of the more common forms of EAP:

  • EAP-MD5 CHAP (Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol) This form of EAP uses the same type of CHAP authentication that is explained in the next authentication method, but wraps the authentication in EAP packets for increased security during transmission.

  • PEAP (Protected Extensible Authentication Protocol) This relatively new form of EAP is used in wireless networks.

  • EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) This derivative of EAP uses smart cards or digital certificates to perform the authentication.

Challenge Handshake Authentication Protocol (CHAP)

Challenge Handshake Authentication Protocol (CHAP) uses the industry standard Message Digest 5 (MD5) protocol. MD5 is a hashing scheme that encrypts your data in transit over the remote access network. CHAP is supported by virtually all remote access clients and servers. This protocol uses a user's password to perform authentication; by default, Windows Server 2003 does not allow CHAP to access a user's password. If you plan to use CHAP, you must configure the user's password for CHAP by selecting the Store Passwords Using Reversible Encryption option either on a specific user's account or in Group Policy. After this change has been made, all applicable users must then change their passwords so that they will be stored in a form that CHAP can access.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

MS-CHAP provides one-way authentication of the user to the Remote Access Server and uses a single encryption key for all transmitted and received messages. Windows 95 and Windows NT 3.51 clients cannot make use of the newer, more secure MS-CHAP version 2 (discussed next); thus, MS-CHAP is provided in Windows Server 2003 for backward compatibility with these clients.

MS-CHAP Version 2

MS-CHAP version 2 is a stronger version of the MS-CHAP protocol that provides for mutual authentication by both the user and the server using encrypted passwords. MS-CHAP v2 is the simplest remote access authentication method to employ if all your clients are Windows 98 or newer.

Shiva Password Authentication Protocol (SPAP)

The Shiva Password Authentication Protocol (SPAP) is an authentication protocol originally used by the Shiva LAN Rover line of products. If a Shiva client tries to connect to a Windows Server 2003 Remote Access Server, or a Windows client connects to a Shiva LAN Rover, SPAP must be used. Because Shiva was prominent in the remote access market at one time, support is still included in Windows Server 2003 even though SPAP is extremely insecure. SPAP is susceptible to replay attacks (such attacks occur when data packets are captured in transit, examined, and then replayed to the server to gain access) because the same user password is always sent over the network in the same reversibly encrypted way each time. You should use SPAP only when you absolutely have to.

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) is the weakest authentication method available in Windows Server 2003. PAP sends your credentials in plain text, not encrypted or otherwise protected from compromise. Any network sniffing tool could pick up a packet with your credentials in it and, by simply looking at the packet, you could log in to a network with someone else's ID. PAP is most commonly used as a method of last resort in the event that a client and server cannot agree on any other method. Even PAP authentication is better than no authentication at all, as discussed next. You should plan to never use sensitive accounts, such as administrative accounts, when PAP is the authentication method in place.
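To make the difference between these password methods concrete, here is an added example that is not from this book and not Windows code. It implements the wire format of a PAP Authenticate-Request (RFC 1334) and the MD5 challenge-response of CHAP (RFC 1994) in Python, against a constructed user store; the names `USERS`, `pap_packet`, `pap_authenticate`, `chap_response` and `ChapServer` are the example's own. It shows what a sniffer sees in each case: the PAP packet carries the password verbatim, the CHAP response does not, and a captured CHAP response cannot be replayed because the server issues a fresh random challenge for every attempt (the replay weakness the text describes for SPAP). MS-CHAP and MS-CHAP v2 are not modelled here.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample user store: username -> password. CHAP needs the password in a
# form the server can read (the "Store Passwords Using Reversible Encryption" setting
# described above); for this demonstration it is simply held in clear.
USERS = {"rasuser": "C0rrect-h0rse"}


def pap_packet(peer_id: str, password: str) -> bytes:
    """Build a PAP Authenticate-Request (RFC 1334): the password travels verbatim."""
    pid, pwd = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd
    # header: Code=1 (Authenticate-Request), Identifier=1, Length
    return struct.pack("!BBH", 1, 1, 4 + len(body)) + body


def pap_authenticate(users: dict, packet: bytes) -> bool:
    """Server side of PAP: parse the request and compare the cleartext password."""
    pid_len = packet[4]
    peer_id = packet[5:5 + pid_len].decode()
    pwd_len = packet[5 + pid_len]
    password = packet[6 + pid_len:6 + pid_len + pwd_len].decode()
    stored = users.get(peer_id)
    return stored is not None and hmac.compare_digest(stored, password)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    """Authenticator side of CHAP: issues one fresh random challenge per attempt and
    checks the peer's response against that challenge only."""

    def __init__(self, users: dict):
        self.users = users
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) of the current attempt

    def issue_challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False  # no attempt in progress, or response for a stale challenge
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, self.outstanding[1])
        self.outstanding = None  # challenge is consumed whether or not it matched
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pkt = pap_packet("rasuser", "C0rrect-h0rse")
    print("PAP packet exposes password:", b"C0rrect-h0rse" in pkt)
    srv = ChapServer(USERS)
    ident, chal = srv.issue_challenge()
    resp = chap_response(ident, USERS["rasuser"], chal)
    print("CHAP first attempt accepted:", srv.verify("rasuser", ident, resp))
    srv.issue_challenge()
    print("CHAP replayed response accepted:", srv.verify("rasuser", ident, resp))
```

Run it directly to see the three results; the CHAP server rejects the replay even though the response was genuine, because the identifier and challenge it is waiting for have changed.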

Using Unauthenticated Access

Windows Server 2003 supports the use of Guest access, better known as unauthenticated access, which allows a connection attempt to be granted without need for credentials. You should avoid the use of unauthenticated access if at all possible.

Using Dial-in Properties for Access Control

Even though Windows Server 2003 provides a full array of encrypted authentication methods, there are several basic dial-in properties that you can configure on a user-by-user basis, as shown in Figure 4.30.

Figure 4.30. You can use these basic dial-in properties as your first line of defense.

EXAM TIP

Know the methods You absolutely must know the different remote access authentication methods that are available in Windows Server 2003 come test time.


You can use the following options on the dial-in tab to control how remote access connections are made:

  • Remote Access Permission This option enables you to allow or deny remote access to the user. Alternatively, you can leave the default selection of Control Access through Remote Access Policy. (We will discuss remote access policies shortly.)

  • Verify Caller ID If you enter a phone number in this area, the Remote Access Server will not accept any calls from any other number.

  • Callback Options This option group allows you to specify how callback should be handled for the user. This is both a cost-saving measure and a means of security.

Now that you've seen the available methods of authenticating remote access, you're ready to start creating remote access policies.

Planning and Creating Remote Access Policies

Plan security for remote access users.

  • Plan remote access policies .

Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in authorizing connection attempts. They provide both granular and flexible configuration settings for both RAS and VPN connections. This granularity and flexibility unfortunately come at the expense of ease of use: Remote access policies can be very complex, and you need an in-depth understanding of them if you are going to successfully provide secure remote access to your users. With remote access policies, you can grant remote access by individual user account or through the configuration of specific remote access policies.

Windows Server 2003 uses three types of remote access policies to control access:

  • Group Policies Access can be controlled by group policies created on each Windows Server 2003 Routing and Remote Access Server. This is the simplest method for authenticating users as long as you are using a single server for remote access.

  • Local Internet Authentication Services policies These local policies are derived from RADIUS and can be used to define access permissions based on a number of client attributes. This mechanism requires that the Internet Authentication Service be installed on the Windows Server 2003 Remote Access Server. This is typically the best solution if you are planning on adding additional Windows Server 2003 Remote Access Servers and don't want to have to replicate the policies to each new server.

  • Central Internet Authentication Services policies A Windows Server 2003 Routing and Remote Access Service server can be configured to use a central Internet Authentication Server (IAS) RADIUS server to provide its policies. This allows multiple Routing and Remote Access dial-up servers to use the same policies without requiring the manual replication of policies and settings. This is the most practical solution for companies deploying multiple Windows Server 2003 Remote Access Servers.

NOTE

Use Windows authentication methods To ensure the success of Step by Step 4.10, make sure that the authentication method set on the server properties Security tab is set to Windows Authentication. Setting up a remote access policy under the Internet Authentication Service for centralized policy management works in exactly the same way as setting up the policy locally, but complicates any testing you might want to do.


Windows Server 2003 supports two methods for creating a remote access policy: utilizing a wizard to create commonly used remote access policies and using a custom method that allows you to create less common remote access policies. Step by Step 4.10 walks you through the process of creating a new remote access policy to allow VPN access to anyone in the Domain Users group using the wizard.

STEP BY STEP

4.10 Using the Remote Access Policy Wizard to Create a VPN Access Policy

  1. Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

  2. Open the Routing and Remote Access console by choosing Start, Administrative Tools, and selecting Routing and Remote Access.

  3. Right-click Remote Access Policies in the left pane (see Figure 4.31) and select New Remote Access Policy from the context menu. The New Remote Access Policy Wizard opens, as shown in Figure 4.32.

    Figure 4.31. Remote access policies are managed locally through the Routing and Remote Access console.

    Figure 4.32. The New Remote Access Policy Wizard enables you to create new remote access policies.

  4. Click Next to continue. The Policy Configuration Method dialog box opens, as shown in Figure 4.33. Select the Use the Wizard to Set Up a Typical Policy for a Common Scenario option. In the Policy Name field, type Allow Remote Access to Remote Users. If you are in a complex environment that uses many remote access policies, you may need a naming convention for these policies to keep them straight.

    Figure 4.33. The Policy Configuration Method dialog box allows you to decide whether to use the wizard or manual configuration to create a remote access policy.

  5. Click Next to continue. The Access Method dialog box opens, as shown in Figure 4.34. For this exercise, select VPN. Be aware of the additional options for your information; it is good to know what can be done with this wizard.

    Figure 4.34. The Access Method dialog box allows you to select how users can connect to the Windows Server 2003 Remote Access Server.

  6. Click Next to continue to the User or Group Access dialog box. Select the Group option and click Add to open the Select Groups dialog, as shown in Figure 4.35. Type Domain Users in the Enter the Objects Names to Select field. Clicking Check Names confirms that the object exists in the Active Directory.

    Figure 4.35. The Select Groups dialog box allows you to populate the list of groups that will be affected by this policy.

  7. Click OK to return to the User or Group Access dialog box, as shown in Figure 4.36. Notice that the group you entered in step 6 now appears in the list of groups.

    Figure 4.36. Any groups added appear in the Group Name field of the User or Group Access dialog box.

  8. Click Next to continue. The Authentication Methods dialog box opens, as shown in Figure 4.37. Notice that the only authentication types allowed are EAP, MS-CHAPv2, and MS-CHAP. To use other authentication types, you need to use a custom remote access policy. Make sure that MS-CHAPv2 is selected.

    Figure 4.37. In the Authentication Methods dialog box, you can select which authentication methods will be permitted for accessing the Windows Server 2003 Routing and Remote Access Service server using this remote access policy.

  9. Click OK to continue. The Policy Encryption Level dialog box opens, as shown in Figure 4.38. Because this will be a VPN connection, select Strongest Encryption. If this were a dial-up connection, you would have an additional option, No Encryption.

    Figure 4.38. The Windows Server 2003 Routing and Remote Access Service supports three different encryption strengths.

  10. Click Next to continue. The Completing the New Remote Access Policy Wizard dialog box opens, as shown in Figure 4.39.

    Figure 4.39. The Completing the New Remote Access Policy Wizard dialog box summarizes the configuration of the policy.

  11. Click Finish to complete the policy creation. Figure 4.40 shows the newly created remote access policy.

    Figure 4.40. The Remote Access Policy folder shows all the policies that are in effect on the local server.


Remote Access Profiles

In conjunction with the remote access policy, there is also a component known as the remote access profile. This profile contains a number of variables that allow you to further refine the parameters of the remote access policy. You can modify a remote access profile during the creation of a remote access policy, or you can review/modify a profile for an existing remote access policy by right-clicking the policy in either the Routing and Remote Access console or in the Internet Authentication Service console, selecting Properties, and then selecting the Edit Profile button. When the Settings dialog box opens, you can add additional conditions to the policy, edit the profile, or review/change the Allow/Deny Access settings on the policy. Six tabs are available in the Edit Profile dialog box; let's look at them one at a time.

Dial-in Constraints

The parameters that you can configure on the Dial-in Constraints tab, shown in Figure 4.41, are as follows:

  • Minutes server can remain idle before it is disconnected (Idle Timeout) The Idle Timeout setting allows you to set the number of minutes of inactivity users have before the system disconnects them. This setting can be used to limit toll charges being incurred by an idle system or to protect your network from the vulnerability a connected but idle system presents. This option can also be used to maximize the availability of ports if your server has a limited number. This prevents idle users from tying up ports that might be needed by another user.

  • Minutes client can be connected (Session Timeout) The Session Timeout setting allows you to set the total number of minutes a session can last. This option can be used to limit toll charges for users who may leave themselves connected for extended periods of time.

  • Allow access only on these days and at these times This setting allows you to place day and time limits on any remote access policy, without needing to make that a condition of the policy.

  • Allow access only to this number (Called-Station-ID) This setting is typically used in conjunction with a branch office connection, to ensure that the connection is originating from the appropriate number. This field can contain a phone number or IP address, so it can be used in conjunction with a site-to-site VPN as well as a branch demand-dial connection.

  • Allow access only through these media types (NAS-Port-Type) This parameter allows you to control the types of network media that can be used to connect using this profile. You might use this setting to ensure a VPN connection can be established using only LAN media and not dial-in lines.

Figure 4.41. On the Dial-in Constraints tab, you can restrict how dial-in access can be used.

IP

The parameters that can be configured on the IP tab, shown in Figure 4.42, are as follows:

  • IP Address Assignment (Framed-IP-Address) This setting defines how users being authorized by this policy will get their IP addresses. This option is typically left at the default setting but can be used to restrict how IP addresses are assigned.

  • IP Filters This setting allows you to set IP packet filters on the connection. For example, if this connection were being used only to get Web access to your intranet server, you might set an inbound filter for port 80 (http) to access only the intranet server.

Figure 4.42. On the IP tab, you can configure the characteristics of the IP protocol for a remote access policy.

Multilink

The parameters that you can configure on the Multilink tab, shown in Figure 4.43, are as follows:

  • Multilink Settings These settings control how the Multilink protocol can be used with this remote access policy:

    • Server Settings Determine Multilink Usage This setting enables use of the Routing and Remote Access Service server settings to determine whether Multilink is permitted.

    • Do Not Allow Multilink Connections This setting disables the use of Multilink.

    • Allow Multilink Connections This configuration allows a client computer to connect using multiple ports. Here, you can also set the maximum number of ports that can be used.

    Windows 2000 and higher support the use of multiple connections to a single server, which are aggregated to provide additional bandwidth. Although multiple connections can improve performance, Multilink can be a very resource-intensive solution. Not only does it tie up multiple ports per user at the server end of the connection, but it also requires multiple modems and phone lines on the user's end.

  • Bandwidth Allocation Protocol (BAP) Settings BAP monitors the utilization on a Multilink connection and dynamically reduces the number of connected lines if the user's utilization drops below a certain amount. The utilization percentage and time before dropping one line of the Multilink connection are set here. You can (and should) require the use of BAP with any Multilink connection in this section.

Figure 4.43. On the Multilink tab, you can configure the Multilink (aggregation of multiple physical connections into a single logical connection) capabilities of the Windows Server 2003 Routing and Remote Access Service.

Authentication

The parameters that you can configure on the Authentication tab, shown in Figure 4.44, are as follows:

  • Authentication Methods This section allows you to select what protocols can be used to authenticate a user connecting using this remote access policy. Whenever possible, use MS-CHAP v2 or the Extensible Authentication Protocol because they provide the most secure authentication.

  • Unauthenticated Access Never enable this setting. It essentially allows clients to connect without authenticating first, and should never be used, because it bypasses all authentication security.

Figure 4.44. The Authentication tab allows you to configure the authentication methods to be used.

Encryption

The purpose of the Encryption tab, shown in Figure 4.45, is to select how strong the encryption used by this connection must be. If you are running an entirely Windows 2000 or greater client population, you should permit only the Strongest level of encryption. If you have older clients, you may need to permit less strong encryption levels.

Figure 4.45. On the Encryption tab, you can specify the permitted encryption strengths for a connection.
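How the user's Dial-in properties, the policy conditions, and the profile constraints on the Dial-in Constraints, Authentication, and Encryption tabs combine to accept or reject a connection is easier to see in code than in prose. The following Python model is an added example, not Microsoft's implementation and not code from this book. It assumes the evaluation order IAS and Routing and Remote Access use: the first policy whose conditions all match is selected, the user's Remote Access Permission overrides the policy's Allow/Deny unless it is set to Control Access through Remote Access Policy, Verify Caller ID is checked, and then every constraint in the selected policy's profile must be satisfied. The policies (one of them the wizard policy from Step by Step 4.10), the user settings, and the connection attempts are constructed sample data, only a subset of the profile tabs is modelled, and the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class DialInProps:
    """Per-user Dial-in tab: Remote Access Permission and Verify Caller-ID."""
    permission: str = "policy"              # "allow", "deny" or "policy" (control through policy)
    verify_caller_id: Optional[str] = None  # number the user must be calling from


@dataclass
class Profile:
    """Subset of the Edit Profile tabs: Dial-in Constraints, Authentication, Encryption."""
    idle_timeout_min: Optional[int] = None
    session_timeout_min: Optional[int] = None
    allowed_days: Optional[set] = None         # weekday numbers, Monday=0; None = any day
    allowed_hours: Optional[range] = None      # None = any hour
    called_station_id: Optional[str] = None    # "Allow access only to this number"
    nas_port_types: Optional[set] = None       # "Allow access only through these media types"
    auth_methods: set = field(default_factory=lambda: {"MS-CHAPv2", "EAP"})
    encryption_levels: set = field(default_factory=lambda: {"strongest"})


@dataclass
class Policy:
    name: str
    conditions: dict       # attribute -> required value(s); every condition must match
    grant: bool            # the policy's own Allow (True) / Deny (False) setting
    profile: Profile = field(default_factory=Profile)


@dataclass
class Attempt:
    user: str
    groups: set
    nas_port_type: str     # e.g. "Virtual (VPN)" or "Async (Modem)"
    auth_method: str
    encryption: str
    when: datetime
    called_station_id: str = ""    # number the client dialed
    calling_station_id: str = ""   # number the client called from (Caller-ID)


def conditions_match(conditions: dict, a: Attempt) -> bool:
    """True when the attempt satisfies every condition of a policy."""
    for attr, wanted in conditions.items():
        if attr == "Windows-Groups":           # member of any listed group
            if not (set(wanted) & a.groups):
                return False
        elif attr == "NAS-Port-Type":
            if a.nas_port_type not in wanted:
                return False
        elif attr == "Called-Station-Id":
            if a.called_station_id != wanted:
                return False
        else:
            raise ValueError(f"unsupported condition attribute {attr!r}")
    return True


def check_profile(p: Profile, a: Attempt) -> Optional[str]:
    """Return None if the attempt satisfies the profile, else the failing constraint."""
    if p.allowed_days is not None and a.when.weekday() not in p.allowed_days:
        return "day restriction"
    if p.allowed_hours is not None and a.when.hour not in p.allowed_hours:
        return "time restriction"
    if p.called_station_id is not None and a.called_station_id != p.called_station_id:
        return "Called-Station-ID"
    if p.nas_port_types is not None and a.nas_port_type not in p.nas_port_types:
        return "NAS-Port-Type"
    if a.auth_method not in p.auth_methods:
        return f"authentication method {a.auth_method} not permitted"
    if a.encryption not in p.encryption_levels:
        return f"encryption level {a.encryption} not permitted"
    return None


def evaluate(policies: list, dialin: DialInProps, a: Attempt) -> tuple:
    """Return (accepted, reason, profile applied to the session or None)."""
    policy = next((p for p in policies if conditions_match(p.conditions, a)), None)
    if policy is None:
        return False, "no remote access policy matches", None
    if dialin.permission == "deny":
        return False, "user dial-in permission is Deny", None
    if dialin.permission == "policy" and not policy.grant:
        return False, f"policy '{policy.name}' denies access", None
    if dialin.verify_caller_id and a.calling_station_id != dialin.verify_caller_id:
        return False, "Verify Caller-ID mismatch", None
    failure = check_profile(policy.profile, a)
    if failure:
        return False, f"policy '{policy.name}' profile: {failure}", None
    return True, f"accepted by policy '{policy.name}'", policy.profile


# Constructed sample policies: the wizard policy from Step by Step 4.10 (the wizard adds a
# NAS-Port-Type condition for the access method chosen) and a branch-office dial-in policy.
POLICIES = [
    Policy("Allow Remote Access to Remote Users",
           {"Windows-Groups": ["Domain Users"], "NAS-Port-Type": {"Virtual (VPN)"}}, grant=True),
    Policy("Branch office dial-in",
           {"NAS-Port-Type": {"Async (Modem)"}, "Called-Station-Id": "5551000"}, grant=True,
           profile=Profile(session_timeout_min=120, allowed_days=set(range(5)),
                           allowed_hours=range(8, 18), auth_methods={"MS-CHAPv2"},
                           encryption_levels={"strongest", "strong"})),
]

# Constructed sample connection attempts (2003-06-10 is a Tuesday).
SAMPLE_ATTEMPTS = {
    "vpn_ok": Attempt("alice", {"Domain Users"}, "Virtual (VPN)", "MS-CHAPv2", "strongest",
                      datetime(2003, 6, 10, 10)),
    "vpn_pap": Attempt("alice", {"Domain Users"}, "Virtual (VPN)", "PAP", "strongest",
                       datetime(2003, 6, 10, 10)),
    "modem_day": Attempt("bob", {"Domain Users"}, "Async (Modem)", "MS-CHAPv2", "strong",
                         datetime(2003, 6, 10, 10), "5551000", "5552000"),
    "modem_night": Attempt("bob", {"Domain Users"}, "Async (Modem)", "MS-CHAPv2", "strong",
                           datetime(2003, 6, 10, 22), "5551000", "5552000"),
}

if __name__ == "__main__":
    for name, attempt in SAMPLE_ATTEMPTS.items():
        print(name, evaluate(POLICIES, DialInProps(), attempt)[:2])
```

Note the difference between the two ways a day/time limit can be expressed: as a policy condition it decides which policy is selected, whereas on the Dial-in Constraints tab (as modelled here) it is enforced after selection, so an out-of-hours attempt is rejected rather than falling through to the next policy.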

Advanced

The Advanced tab, shown in Figure 4.46, allows you to specify additional connection attributes, typically related to RADIUS requirements for a connection. This screen is generally used only for very complex implementations involving centralized RADIUS servers for remote access policy storage.

Figure 4.46. On the Advanced tab, you can specify additional connection attributes.

NETWORK ACCESS QUARANTINE CONTROL

Windows Server 2003 includes a new feature called Network Access Quarantine Control. This feature allows the delay of a remote access connection attempt to the Remote Access Server until a script that verifies the configuration of the remote access computer runs. The connection attempt goes into quarantine until verified. The actual process is as follows: When a remote computer attempts to connect to the Remote Access Server, the computer is assigned an IP address to participate on the network. Then the user credentials are verified and authenticated, but the connection stays in quarantine until the remote computer is verified against the script. A script runs, and after it is completed, the server hosting quarantine releases the connection from quarantine after this information is verified. Network Access Quarantine Control is one of the newest features of Remote Access Security provided by default with Windows Server 2003.




MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied