Lesson 1: Securing RRAS Servers

Because RRAS allows access to a network from remote locations, configuring it for maximum security is essential. In this lesson you learn to properly secure a Windows 2000 server providing RRAS services and manage the VPN and authentication functions of RRAS.


After this lesson, you will be able to

  • Understand security concerns that are specific to RRAS

  • Perform initial configuration of an RRAS server

  • Manage RRAS security options

Estimated lesson time: 20 minutes


Understanding RRAS Security

RRAS not only provides access to a network from remote locations, it also serves as the end point for VPN connections, which use encryption to securely connect private networks over a public network, such as the Internet. Because any remote access point is a potential network vulnerability, you must be especially vigilant to set up RRAS as securely as possible.

Windows 2000 includes several tools to help you configure a secure RRAS system. On the server side:

  • Remote access policies enable you to grant or deny remote access to all users on a server according to any specific set of conditions.

  • Internet Authentication Service (IAS) provides a central management facility for remote access security. The remote access policies in IAS can provide authentication and security for any number of RRAS servers.

On the client side:

  • Remote access properties of user accounts provide a way to grant or deny remote access to individual users. This permission applies to all types of remote access, including dial-up, VPN, and 802.1x port authentication (discussed in Chapter 10, "Wireless Security").

  • Connection Manager Administration Kit (CMAK) allows you to create customized client access software for dial-up or VPN access to a network.

All of these components are described in detail in this chapter, but this lesson focuses on configuring RRAS for remote access and giving users permission to connect remotely.

Remote Access Security Issues

Remote access is one of the four major ways that hackers get into your network (through the Internet, through wireless networks, and through direct log on to a LAN-connected workstation are the others).

Although the Internet has replaced dial-up as the most important hacking vector, most hacking resulted from remote access through dial-up modems until as recently as 1998. Hackers continue to attack networks using dial-up connections, so expect dial-up access to be exploited by anyone who is specifically targeting your network or who has an insider's knowledge of how your network is set up. You cannot simply deploy remote access and assume that hackers won't bother with it.

Dial-back policy was the earliest form of remote access security. When a dial-back policy is enforced, remote access occurs only after the user connects to the server and provides a telephone number. The remote access server then checks a list of valid connecting points and calls back if the telephone number is on the list. Dial-back policy is reasonably secure because it authenticates users by their telephone numbers and prevents connections from unauthorized locations. Typically, user authentication is then required to prove the identity of the user.

Dial-back security is an excellent way to secure dial-in access if users will be dialing in only from a fixed set of locations.

More and more frequently, users do not dial in from fixed locations. Traveling business professionals, sales representatives, and executives often require access from many locations, and cannot predict what their telephone numbers will be. To service this group, you can configure dial-back security to allow access to all telephone numbers, but the server records the numbers that it dials. Administrators can then audit these records to determine if unexpected telephone numbers have appeared. This approach uses the accountability security model rather than the restriction model to secure the system, and it's effective unless hackers can dial in, gain administrative access, and then erase the remote access logs.
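The accountability model described above only works if someone actually reviews the callback records. The following script is an added example, not part of the training kit: it audits a constructed, simplified callback log (the layout, user names and telephone numbers are invented for this example and do not match the real RRAS log format), flags fixed-location users called back at an unlisted number, reports first-time numbers for roaming users, and checks record sequence numbers for gaps that would suggest deleted log entries.

```python
"""Audit dial-back records against expected callback numbers.

Added example (not from the training kit). The log layout, field names,
user names and telephone numbers below are all constructed for this example.
"""
import csv
from io import StringIO

# Constructed sample log, one callback record per line. Real RRAS logs use a
# different layout; this one exists only to make the audit logic concrete.
SAMPLE_LOG = """seq,timestamp,user,callback_number,result
1,2003-04-01T08:02:11,jsmith,+1-425-555-0100,success
2,2003-04-01T08:15:40,kkennedy,+1-206-555-0142,success
3,2003-04-01T09:01:05,jsmith,+1-425-555-0100,success
5,2003-04-01T11:47:22,jsmith,+1-702-555-0188,success
6,2003-04-01T12:03:59,kkennedy,+1-206-555-0177,success
"""

# Fixed-location users (restriction model): callback must match a listed number.
FIXED_LOCATION = {"jsmith": {"+1-425-555-0100"}}
# Roaming users (accountability model): any number is accepted, but a number
# that has not been audited before is reported for review.
ROAMING = {"kkennedy"}
KNOWN_ROAMING = {"kkennedy": {"+1-206-555-0142"}}


def audit(log_text, fixed=FIXED_LOCATION, roaming=ROAMING, known=KNOWN_ROAMING):
    """Return a list of (seq, kind, detail) findings, in log order."""
    findings = []
    expected_seq = None
    for row in csv.DictReader(StringIO(log_text)):
        seq = int(row["seq"])
        # A gap in the sequence means records may have been erased.
        if expected_seq is not None and seq != expected_seq:
            findings.append((seq, "gap", f"expected seq {expected_seq}"))
        expected_seq = seq + 1
        user, number = row["user"], row["callback_number"]
        if user in fixed:
            if number not in fixed[user]:
                findings.append((seq, "unauthorized-number", f"{user} -> {number}"))
        elif user in roaming:
            if number not in known.get(user, set()):
                findings.append((seq, "new-number", f"{user} -> {number}"))
        else:
            findings.append((seq, "unknown-user", user))
    return findings


if __name__ == "__main__":
    for seq, kind, detail in audit(SAMPLE_LOG):
        print(f"record {seq}: {kind}: {detail}")
```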

Recently, it has become popular to require the use of VPN software in addition to dialing in to the network and to place remote access servers outside the interior firewall. In this approach, users dial in (or request a dial back) to a remote access server that gives them access to the Internet and initiates a VPN connection with the firewall to gain access to the interior of the network.

Using a VPN connection provides the best level of real security and allows you to centrally administer security on your firewall by handling dial-up users the same way you handle any other VPN user.

When you use a VPN connection, your RRAS servers are out in the perimeter network, and they cannot be joined to the domain. Under these circumstances, Windows-integrated authentication is not a good option for dial-up users. You can configure your RRAS servers to connect to an IAS RADIUS server inside your firewall (allowing access only for the RADIUS protocol from the remote access server) to support integrated account names and passwords, but you should strongly consider having a separate set of user accounts on the remote access machines. Credentials for dial-up networking are frequently stored on network laptops where they can be retrieved and decrypted by laptop thieves, which would subsequently allow access to your entire network if those credentials worked with your VPN solution.

Security Consequences of Single Sign-On

Remember that convenience is the opposite of security in most cases. In Single Sign-On (SSO) systems, you can use the same user name and password everywhere. While this is convenient, the password only has to be discovered in one service to be valid everywhere, so SSO systems like Active Directory improve convenience, not security.

Publicly accessible networks should always use separate security domains with different sets of user accounts from private networks.

You should also strongly urge users not to use the same user name and password that they use on your network, or use their work e-mail address when they sign up for third-party services such as subscription Web sites. Web sites are routinely exploited by hackers who download and analyze the lists of user names and passwords they gain access to.

Finally, you should always enforce separate e-mail addresses and user names. Although Microsoft Exchange integrates closely with Active Directory and automatically generates e-mail boxes with the same names as user accounts, you should create a name mapping policy in Exchange to modify the e-mail addresses of users so that they're different from those in their user accounts.

Consider the consequences of using Active Directory connected services in their default configurations on both your public and private networks. Microsoft Exchange would automatically generate e-mail addresses that were the same as user names. RRAS users would be assigned dial-in permissions using their standard account names and passwords. VPN access via PPTP and L2TP would allow users to connect from the Internet. If hackers found an account named "kkennedy@Fabrikam.com" with a password of "theiwproyf13#" on the list of subscribers to a Web site, they would have all the information they'd need to reach the interior of your network using a valid user account including which network the credentials are valid on.

Configuring a New RRAS Server

RRAS is installed by default on Windows 2000 Server, but its features are not enabled by default. Windows 2000 Server provides a wizard, the Routing and Remote Access Server Setup Wizard, which you can use to enable a basic set of features on the RRAS server, depending on how you intend to use the server.

Default RRAS Configurations

RRAS provides a number of possible configurations from which you can choose:

  • Internet Connection Server. Acts as an Internet gateway.

  • Remote Access Server. Provides dial-in access to the network.

  • Virtual Private Network (VPN) Server. Allows remote computers that have Internet access to connect to the network using a VPN.

  • Network Router. Configures the server to act as a router between networks.

  • Manually Configured Server. Uses default settings rather than a specific configuration.

    These configurations are only preset combinations of properties. You can change any configuration using RRAS server properties and remote access policies.

RRAS Configuration Options

In addition to its default configurations, the Routing And Remote Access Server Setup Wizard displays a list of its currently supported network protocols and provides the option for you to configure support for additional protocols. You can use these additional protocols for Novell NetWare servers or other legacy systems. You can also choose whether to enable the Guest account for users who don't have user names or passwords. When you enable the Guest account, you allow clients to attach to the RRAS server without authenticating. This is necessary for some legacy systems, but represents an extreme security risk because you can't determine who is connecting to the system.

Using the Guest account significantly reduces RRAS security, so enable it only to serve a specific need, such as supporting Apple Macintosh clients, that cannot be satisfied any other way.

When you set up RRAS, you are also prompted to choose an IP addressing method. RRAS supports two methods of assigning IP addresses:

  • Automatically. Uses a Dynamic Host Configuration Protocol (DHCP) server to assign addresses.

  • From A Specified Range Of Addresses. Specifies a range of addresses to be used as a static address pool. Using this option does not require you to configure a DHCP server.

In addition to these options, you can choose whether to enable Remote Authentication Dial-In User Service (RADIUS) authentication support for the server. RADIUS is a mechanism for centralizing authentication for numerous RRAS servers and protocols. The primary purpose of RADIUS is to allow third-party access equipment to authenticate with the operating system's accounts. Because OS integrated authentication is already supported by RRAS, you can enable RADIUS, as described in Lesson 2, only when you must integrate third-party access equipment in addition to RRAS servers.

Managing RRAS Security Options

The primary method for managing the security of an RRAS server is to set its properties in the Routing And Remote Access management console. This console becomes available on the Administrative Tools menu after you've enabled RRAS on a Windows 2000 computer.

Configuring RRAS Server Properties

For each server you select in the Routing And Remote Access management console, you can modify its settings using options on the following tabs in the server Properties dialog box:

  • General. Includes options to control whether the server acts as a router, remote access server, or both.

  • Security. Allows you to configure security and authentication options. These options are described later in this chapter.

  • IP. Includes IP routing and remote access options, and the option to configure a DHCP server or static address pool for assigning IP addresses.

  • AppleTalk. Includes options for AppleTalk routing.

  • PPP. Includes global options for the dial-up Point-to-Point Protocol (PPP).

  • Event Logging. Allows you to specify whether warning and error messages are logged. You can view log messages in the Event Viewer console.

Configuring User Properties

In addition to modifying the RRAS server's security features, you can also set the dial-in properties for user accounts. This allows you to control the ability of individual users to dial in. Using remote access policies, you can set the user dial-in properties to allow access, deny access, or control access. Remote access policies are described in detail later in this chapter.

RRAS remote access policies are not available in mixed-mode Active Directory domains. To enable RRAS remote access policies, you must migrate all backup domain controllers to Windows 2000 and switch the domain mode to native mode. More information about how to accomplish this is provided in the Microsoft Windows 2000 Server Resource Kit (Microsoft Press, 2000).

Practice: Securing RRAS Servers

In this practice, you configure and enable RRAS on a Windows 2000 Server computer and explore the server and user properties that you can use to manage RRAS security settings.

Exercise 1: Configuring a Server for RRAS

In this exercise, you configure a new RRAS server on a Windows 2000 Server computer as a Remote Access Server. You might need the Windows 2000 Server CD or a network installation share to complete this procedure.

This procedure is necessary only on a new Windows 2000 Server installation where RRAS has not yet been configured.

To configure RRAS in Windows 2000 Server

Perform this procedure on a Windows 2000 Server computer, logged on as the Administrator.

  1. Click Start, point to Programs, point to Administrative Tools, and click Routing And Remote Access Service. The Routing And Remote Access management console is displayed.

  2. Select the server (dc01) in the list in the left column. The console message area indicates that the server needs to be configured for RRAS, as shown in Figure 9.1.

    Figure 9-1. The Routing And Remote Access management console

  3. From the Action menu, choose Configure And Enable Routing And Remote Access.

  4. On the introductory page of the Routing And Remote Access Server Setup Wizard, click Next to continue. A list of common RRAS server configurations is displayed, as shown in Figure 9.2.

    Figure 9-2. The Routing And Remote Access Server Setup Wizard

  5. On the Common Configurations page of the wizard, select the Remote Access Server option, and click Next. A list of currently installed protocols is displayed, as shown in Figure 9.3.

    Figure 9-3. The default installed protocols

  6. On the Remote Client Protocols page, select the Yes, All Of The Required Protocols Are On This List option, and click Next. A message indicates that you can optionally enable the Guest account for Apple Macintosh users.

  7. Click Next. The IP Address Assignment options are displayed, as shown in Figure 9.4.

    Figure 9-4. Selecting a method of IP address assignment

  8. On the IP Address Assignment page, select Automatically, and click Next. The RADIUS options are displayed, asking whether RADIUS will be the authentication method.

  9. Select No, and click Next.

  10. Click Finish to complete the RRAS server configuration. RRAS is now started.

Exercise 2: Managing an RRAS Server

In this exercise, you add a remote RRAS server to the console so it can be managed, and you configure properties for an RRAS server.

To manage RRAS server properties

Perform this procedure from the Routing And Remote Access management console on the RRAS server.

  1. Select the server (dc01) from the list in the left column.

  2. From the Action menu, choose Properties. The server Properties dialog box is displayed.

  3. Click the IP tab. The IP Properties are displayed.

  4. Select the Static Address Pool option, and click Add. You are prompted for an IP address range.

  5. Type 192.168.241.160 for the Start IP Address and 192.168.241.175 for the End IP Address. The IP range you've added is now shown in the list, as shown in Figure 9.5.

    Figure 9-5. The RRAS server Properties dialog box

  6. Click OK to add the address range to the address pool.

  7. Click OK to close the Properties dialog box and save the new settings.

To manage user dial-in properties

  1. Log on to the domain controller as an Administrator.

  2. From the Administrative Tools menu, choose Active Directory Users And Computers. The Active Directory Users And Computers management console is displayed.

  3. Select a user to manage, and from the Action menu, choose Properties. The Properties dialog box for the user is displayed.

  4. Click the Dial-in tab. The Dial-in Properties are displayed, as shown in Figure 9.6.

    Figure 9-6. User account dial-in properties

  5. Select the Allow Access option, and click OK.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. Which utility do you use to manage most of Windows 2000's RRAS settings?

  2. If you select automatic IP address assignment for an RRAS server, where do IP addresses come from?

  3. What is the easiest way to set up an RRAS server on a Windows 2000 Server computer?

  4. How can you change the settings of a server, such as its IP addressing, after configuring RRAS?

  5. How can you allow a user to connect to RRAS without using remote access policies?

Lesson Summary

  • Routing and Remote Access Service (RRAS) is included with Windows 2000 Server. It allows the server to act as a dial-in remote access server, Internet gateway, VPN server, or network router.

  • RRAS is installed by default with Windows 2000 Server, but it is not configured. You can configure it using the Routing And Remote Access Server Setup Wizard in the Routing And Remote Access console. This console also provides access to properties and security settings for RRAS.

  • User accounts include dial-in properties. Using the Active Directory Users And Computers console, you can grant or deny dial-up access for a user, or specify that the user's access will be controlled by remote access policies.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82