In this section, we examine the process of planning and implementing security for remote access solutions. In general, if you were to think about overall network security when dealing with a remote access solution, the most important consideration would be that remote access means "remote" sites, users, and so on will be entering your protected core network to access resources needed to perform business. Therefore, you need to consider how to authenticate them, make sure that you are giving access to these critical resources to the right people, and log that access so that if a problem occurs, it can be traced back to the source.
To implement remote access security, you need to follow a general process similar to this: First, determine what risks and problems you are likely to encounter. Next, choose a solution that fits your business needs (Windows Server 2003 RRAS for this discussion), and then implement the solution. After you have implemented the solution, test it: try to break it, in effect, looking for weaknesses in its design and implementation.
This section focuses on planning and creating secure remote access solutions using remote access policies and the various user authentication methods available in Windows Server 2003. Windows Server 2003 provides remote access for both dial-in connections and virtual private network (VPN) connections and includes a set of features that provide flexibility and security for your remote access solution. If you need to review the basics of implementing and configuring remote access, be sure to see MCSA/MCSE 70-291 Training Guide: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure by Dave Bixler and Will Schmied (Que Publishing, 2003).
Before you go any further with your plan for secure remote access, you should ask yourself the following questions to gain an insight into what security you may need:
Remote access allows users with remote computers to create a logical connection to an organization's network or the Internet. In this chapter, we do not look at the specifics of how connections are created (that is the scope of the 70-291 exam), but instead at how to authenticate and secure these connections.
Planning Authentication Methods
To handle network traffic (and to know what to do with it via security), you need to select a protocol to use with your remote access setup in Windows Server 2003. This section highlights your options, which one seems best to utilize, what differences they have and why, as well as what you can use if you don't want a high-end security solution. Regardless, you need to know these options for the 70-293 exam. Remote access authentication methods are configured on the Authentication Methods dialog box, as shown in Figure 4.29. In this section, we cover EAP, CHAP, MS-CHAP, MS-CHAP v2, SPAP, PAP, and nonauthorized access.
Figure 4.29. You can select any number of available remote access authentication methods.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is a commonly used protocol on networks today. It is responsible for creating an authentication method in which the authentication scheme to be used is negotiated by the remote access client and the authenticator, which could be either the Remote Access Server or even a RADIUS server. Windows Server 2003 Routing and Remote Access (RRAS) includes support for EAP-TLS by default; TLS stands for Transport Layer Security. It could be considered an EAP type, much like the wireless access protocol called LEAP, which is provided by Cisco Systems. There are many types of EAP, although they all perform similar functions, such as authentication; they just use different methods to do so. Following are some of the more common forms of EAP:
Challenge Handshake Authentication Protocol (CHAP)
Challenge Handshake Authentication Protocol (CHAP) uses the industry standard Message Digest 5 (MD5) protocol. MD5 is a hashing scheme that encrypts your data in transit over the remote access network. CHAP is supported by virtually all remote access clients and servers. This protocol uses a user's password to perform authentication; by default, Windows Server 2003 does not allow CHAP to access a user's password. If you plan to use CHAP, you must configure the user's password for CHAP by selecting the Store Passwords Using Reversible Encryption option either on a specific user's account or in Group Policy. After this change has been made, all applicable users must then change their passwords so that they will be stored in a form that CHAP can access.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAP provides one-way authentication of the user to the Remote Access Server and uses a single encryption key for all transmitted and received messages. Windows 95 and Windows NT 3.51 clients cannot make use of the newer, more secure, MS-CHAP version 2 (discussed next); thus, MS-CHAP is provided in Windows Server 2003 for backward compatibility with these clients.
MS-CHAP Version 2
MS-CHAP version 2 is a stronger version of the MS-CHAP protocol that provides for mutual authentication by both the user and the server using encrypted passwords. MS-CHAP v2 is the simplest remote access authentication method to employ if all your clients are Windows 98 or newer.
Shiva Password Authentication Protocol (SPAP)
The Shiva Password Authentication Protocol (SPAP) is an authentication protocol originally used by the Shiva LAN Rover line of products. If a Shiva client tries to connect to a Windows Server 2003 Remote Access Server, or a Windows client connects to a Shiva LAN Rover, SPAP must be used.
Because Shiva was prominent in the remote access market at one time, support is still included in Windows Server 2003 even though SPAP is extremely insecure. SPAP is susceptible to replay attacks (such attacks occur when data packets are captured in transit, examined, and then replayed to the server to gain access) because the same user password is always sent over the network in the same reversibly encrypted way each time. You should use SPAP only when you absolutely have to.
Password Authentication Protocol (PAP)
The Password Authentication Protocol (PAP) is the weakest authentication method available in Windows Server 2003. PAP sends your credentials in plain text, not encrypted or otherwise protected from compromise. Any network sniffing tool could pick up a packet with your credentials in it and, by simply looking at the packet, you could log in to a network with someone else's ID. PAP is most commonly used as a method of last resort in the event that a client and server cannot agree on any other method. Even PAP authentication is better than no authentication at all, as discussed next. You should plan to never use sensitive accounts, such as administrative accounts, when PAP is the authentication method in place.
Using Unauthenticated Access
Windows Server 2003 supports the use of Guest access, better known as unauthorized access, which allows a connection attempt to be granted without need for credentials. You should avoid the use of unauthenticated access if at all possible.
Using Dial-in Properties for Access Control
Even though Windows Server 2003 provides a full array of encrypted authentication methods, there are several basic dial-in properties that you can configure on a user-by-user basis, as shown in Figure 4.30.
Figure 4.30. You can use these basic dial-in properties as your first line of defense.
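The contrast drawn above between CHAP's challenge-response and the fixed credentials of PAP and SPAP, as an added example that is not part of the original text: it computes the CHAP response as defined in RFC 1994 (MD5 over the identifier, the shared secret, and the challenge) and shows that bytes recorded on one connection are rejected on the next, while a credential that is identical on every connection is accepted again. The class names, the sample account, and the fixed-credential model (a stand-in for PAP and SPAP, not SPAP's actual encoding) are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side; recomputing the hash requires the cleartext secret."""
    def __init__(self, secrets):
        self._secrets = secrets          # user -> cleartext secret (bytes)
        self._pending = {}               # user -> (identifier, challenge)
        self._next_id = 0
    def challenge(self, user):
        self._next_id = (self._next_id + 1) % 256
        self._pending[user] = (self._next_id, os.urandom(16))
        return self._pending[user]
    def verify(self, user, response):
        pending = self._pending.pop(user, None)   # a challenge is single-use
        secret = self._secrets.get(user)
        if pending is None or secret is None:
            return False
        expected = chap_response(pending[0], secret, pending[1])
        return hmac.compare_digest(expected, response)

class FixedCredentialAuthenticator:
    """Hypothetical stand-in for PAP/SPAP: identical bytes on every connection."""
    def __init__(self, secrets):
        self._secrets = secrets
    def verify(self, user, credential):
        secret = self._secrets.get(user)
        return secret is not None and hmac.compare_digest(secret, credential)

def compare_methods():
    secrets = {"alice": b"constructed-sample-password"}  # constructed sample
    chap = ChapAuthenticator(secrets)
    ident, chal = chap.challenge("alice")
    recorded = chap_response(ident, secrets["alice"], chal)
    results = {"chap_first": chap.verify("alice", recorded)}
    chap.challenge("alice")              # next connection, new challenge
    results["chap_same_bytes_again"] = chap.verify("alice", recorded)
    fixed = FixedCredentialAuthenticator(secrets)
    results["fixed_first"] = fixed.verify("alice", secrets["alice"])
    results["fixed_same_bytes_again"] = fixed.verify("alice", secrets["alice"])
    return results

if __name__ == "__main__":
    print(compare_methods())
```

The `ChapAuthenticator` constructor takes cleartext secrets because the server cannot recompute the MD5 value from a one-way password hash, which is the reason for the Store Passwords Using Reversible Encryption requirement described above.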
EXAM TIP: Know the methods. You absolutely must know the different remote access authentication methods that are available in Windows Server 2003 come test time.
You can use the following options on the dial-in tab to control how remote access connections are made:
Now that you've seen the available methods of authenticating remote access, you're ready to start creating remote access policies.
Planning and Creating Remote Access Policies
Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in authorizing connection attempts. They provide both granular and flexible configuration settings for both RAS and VPN connections. This granularity and flexibility unfortunately come at the expense of ease of use: Remote access policies can be very complex, and you need an in-depth understanding of them if you are going to successfully provide secure remote access to your users. With remote access policies, you can grant remote access by individual user account or through the configuration of specific remote access policies. Windows Server 2003 uses three types of remote access policies to control access:
NOTE: Use Windows authentication methods. To ensure the success of Step by Step 4.10, make sure that the authentication method set on the server properties Security tab is set to Windows Authentication. Setting up a remote access policy under the Internet Authentication Service for centralized policy management works in exactly the same way as setting up the policy locally, but complicates any testing you might want to do.
Windows Server 2003 supports two methods for creating a remote access policy: utilizing a wizard to create commonly used remote access policies and using a custom method that allows you to create less common remote access policies. Step by Step 4.10 walks you through the process of creating a new remote access policy to allow VPN access to anyone in the Domain Users group using the wizard.
Remote Access Profiles
In conjunction with the remote access policy, there is also a component known as the remote access profile. This profile contains a number of variables that allow you to further refine the parameters of the remote access policy. You can modify a remote access profile during the creation of a remote access policy, or you can review/modify a profile for an existing remote access policy by right-clicking the policy in either the Routing and Remote Access console or in the Internet Authentication Service console, selecting Properties, and then selecting the Edit Profile button. When the Settings dialog box opens, you can add additional conditions to the policy, edit the profile, or review/change the Allow/Deny Access settings on the policy. Six tabs are available in the Edit Profile dialog box; let's look at them one at a time.
Dial-in Constraints
The parameters that you can configure on the Dial-in Constraints tab, shown in Figure 4.41, are as follows:
Figure 4.41. On the Dial-in Constraints tab, you can restrict how dial-in access can be used.
IP
The parameters that can be configured on the IP tab, shown in Figure 4.42, are as follows:
Figure 4.42. On the IP tab, you can configure the characteristics of the IP protocol for a remote access policy.
Multilink
The parameters that you can configure on the Multilink tab, shown in Figure 4.43, are as follows:
Figure 4.43. On the Multilink tab, you can configure the Multilink (aggregation of multiple physical connections into a single logical connection) capabilities of the Windows Server 2003 Routing and Remote Access Service.
Authentication
The parameters that you can configure on the Authentication tab, shown in Figure 4.44, are as follows:
Figure 4.44. The Authentication tab allows you to configure the authentication methods to be used.
Encryption
The purpose of the Encryption tab, shown in Figure 4.45, is to select how strong the encryption used by this connection must be. If you are running an entirely Windows 2000 or greater client population, you should permit only the Strongest level of encryption. If you have older clients, you may need to permit less strong encryption levels.
Figure 4.45. On the Encryption tab, you can specify the permitted encryption strengths for a connection.
Advanced
The Advanced tab, shown in Figure 4.46, allows you to specify additional connection attributes, typically related to RADIUS requirements for a connection. This screen is generally used only for very complex implementations involving centralized RADIUS servers for remote access policy storage.
Figure 4.46. On the Advanced tab, you can specify additional connection attributes.