Lesson 2: Configuring Remote Access Servers

On remote access clients, you specify the minimum authentication and encryption levels that the client will accept. On the server, you specify the authentication and encryption levels that it will offer to the client. The client and server will then negotiate and choose the authentication and encryption levels with the highest level of security that both are compatible with. If the server doesn’t allow authentication or encryption levels that meet the client’s requirements, or if the client doesn’t support the server’s minimum authentication and encryption levels, the remote access will fail.

This lesson covers remote access server security configuration, and Lesson 3 will cover configuring the remote access client.

After this lesson, you will be able to

• Configure a remote access server with acceptable authentication methods.

• Configure user dial-up properties to control which users can connect to a remote access server.

• Use remote access policies to further restrict the circumstances under which users can and cannot connect.

Estimated lesson time: 25 minutes

Configuring Authentication

You create a remote access server by using the Routing And Remote Access Server Setup Wizard, as described in Exercise 1 of this lesson. This wizard does not provide the opportunity to configure authentication and encryption settings, however. To view or modify remote access server security settings after the initial configuration, open the properties dialog box for the server from the Routing And Remote Access console, and then click the Security tab.

As shown in Figure 12.4, the default settings for a dial-up or VPN server use Windows Authentication and Windows Accounting. These settings are compatible with the client’s default settings, which allows administrators who are not concerned with fine- tuning remote access security to bring the service online quickly. If you have decided to use a preshared key to authenticate L2TP/IPSec VPN connections, select the Allow Custom IPSec Policy For L2TP Connection check box, and then type a preshared key.

Figure 12.4: Default server authentication and accounting settings

If you plan to use a RADIUS server, such as an IAS server, to authenticate users, click the Authentication Provider list and then click RADIUS Authentication. Then click the Configure button to create a list of RADIUS servers. Along with the IP address, shared secret, port number, and time out configuration of each server, you will specify an Initial Score. The remote access server will attempt to contact RADIUS servers with a higher initial score. As time goes on, the RADIUS server will keep track of the responsiveness of each RADIUS server and adjust that server’s score. Ultimately, this will lead to efficient load-balancing between multiple RADIUS servers, even if the servers have different processing capabilities.

Whether you use Windows or RADIUS authentication, you can click the Authentication Methods button to control which authentication protocols the server will accept from the client. By default, the server accepts EAP, MS-CHAP v2, and MS-CHAP v1, as shown in Figure 12.5.

Figure 12.5: Default server authentication methods

You cannot configure encryption levels by using the server’s properties dialog box. Instead, you use RAPs. RAPs also allow you to restrict authentication and encryption based on other factors, such as the client’s phone number and group memberships.

Configuring Authorization

After the credentials submitted with the remote access connection are authenticated, the connection must be authorized. Remote access authorization consists of two steps: first, verification of the dial-in properties of the user account submitted by the dial-up connection, and second, application of the first matching RAP.

User account properties

Dial-in properties, which apply to both direct dial-up and VPN connections, are configured on the Dial-In tab of the domain or local user account properties dialog box, as shown in Figure 12.6. If a user is authenticating with a domain account, a user account corresponding to the name sent through the dial-up connection must already exist in the domain. Dial-in properties for this account can thus be configured in the Active Directory Users And Computers console. If the user is dialing in to a standalone server, however, the account must already exist as a user account in the answering server’s local user database. Dial-in properties for this account can thus be configured in the Local Users And Groups snap-in within the Computer Management console.

Figure 12.6: Editing user dial-in properties

The most important security setting on this tab is Remote Access Permission. Setting this to Allow Access or Deny Access controls whether the user will be allowed to connect remotely when no RAPs are specified. Selecting Control Access Through Remote Access Policy, the default for standalone computers and computers in a Windows Server 2003 domain, allows the Routing And Remote Access service or the RADIUS server to determine whether the user is allowed to connect. By default, RAPs block all remote access connections. The Control Access Through Remote Access Policy radio button is not available on domain user accounts unless the domain is at a Windows Server 2003 domain functional level.

When you use the Allow Access and Deny Access settings along with RAPs, Deny Access will always override the RAP. In other words, a user with the Deny Access setting selected will never be able to connect. A user with Allow Access can connect if no RAP denies the user access. For example, dial-up hours specified in a RAP profile might prevent a user account from connecting in the evening hours even when the Allow Access option has been set for the dial-in properties of the user account. However, the Allow Access option specifies that the Deny Remote Access Permission setting in RAPs is ignored.

If the Verify Caller ID check box is selected, the server verifies the caller’s phone number for dial-up access or the source IP address for VPN access. If the Verify Caller ID value does not match the user’s phone number or source IP address, the connection attempt is denied. For dial-up users, caller ID must be supported by the caller, the phone system between the caller and the remote access server, and the remote access server. You should only use this feature for VPN users that always connect by using a single statically assigned IP address.

To use callback to improve dial-up security by having the remote access server call the user at a specified phone number, click Always Callback To and type the user’s phone number. Generally, you should use this only when the user consistently calls from the same number and you do not have the option of verifying caller ID. This slows connection time considerably because the remote access server must authenticate the user, disconnect the session, and then establish a new session.

Remote access policies

RAPs control how or whether a connection is authorized to the network. A RAP contains a set of policy conditions that determine whether that policy applies to a given connection request. If you are using IAS as a RADIUS server, you should create the RAPs by using the Internet Authentication Service console on the IAS server. Otherwise, create the RAPs by using the Routing And Remote Access console on the remote access server.

A typical use of a dial-up or VPN RAP is to create policy conditions that specify the Active Directory security group that a client must be a member of, the time of day, or the connection type of the requesting client. A RAP is also configured to allow or deny the connection request. If there are multiple RAPs on a server, each connection request is evaluated against them according to the priority until a matching RAP either allows or denies the request.

The process of configuring a RAP for wireless users and remote access users is very similar; however, there is a significant difference. You typically restrict encryption for wireless users at the wireless access point (WAP). However, you must use a RAP to specify whether a remote access client uses 48-bit, 56-bit, or 128-bit encryption. To specify the encryption levels, view the RAP properties, and then click the Edit Profile button. In the Edit Dial-In Profile dialog box, click the Encryption tab. As shown in Figure 12.7, you can then select from Basic Encryption (MPPE 40 bit), Strong Encryption (MPPE 56 bit), Strongest Encryption (MPPE 128 bit), or No Encryption.

Figure 12.7: Configuring RAP encryption levels

By default, two RAPs are preconfigured in Windows Server 2003. The first built-in policy is Connections To Microsoft Routing And Remote Access Server. As the name suggests, this policy is configured to match every remote access connection to the Routing And Remote Access service. When Routing And Remote Access is reading this policy, the policy naturally matches every incoming connection. However, when the policy is being read by an IAS server, network access might be provided by a non-Microsoft vendor; consequently, this policy will not match those connections.

The second built-in RAP is Connections To Other Access Servers. This policy is configured to match every incoming connection regardless of network access server type. However, because the first policy matches all connections to Routing And Remote Access, only connections to other remote access servers read and match the policy when the default policy order is not changed. Unless the first policy is deleted or the default policy order is rearranged, this second policy can be read only by IAS servers.

Generally, you should not edit the built-in RAPs. Editing the built-in RAPs can cause confusion for other administrators, which can lead to security vulnerabilities. For example, if you choose to edit the profile of the Connections To Microsoft Routing And Remote Access Server RAP to allow unencrypted communication, another administrator might assume that the policy still requires encryption without double-checking the settings. Instead of modifying the built-in RAPs, add additional RAPs that have higher priority ratings.

Configuring Authentication with Certificates or Smart Cards

Enabling EAP authentication might or might not be enough to allow your users to authenticate with a smart card or public key certificate. If you are using an enterprise CA and your Routing And Remote Access servers are members of the same domain, they will be automatically configured to allow EAP authentication for certificates signed by the enterprise CA. To verify that certificate or smart card authentication is enabled for a remote access policy, follow this procedure:

1. Open the Routing And Remote Access console.

2. In the left pane, expand the server node, and then click Remote Access Policies.

3. In the right pane, right-click the RAP that applies to the users who will authenticate with certificates, and then click Properties. If the RAP does not yet exist, create one.

4. Click Edit Profile, and then click the Authentication tab.

5. Click the EAP Methods button.

   The Select EAP Providers list appears.

6. If Smart Card Or Other Certificate is not listed in the EAP Types list, click Add. Click Smart Card Or Other Certificate, and then click OK.

7. Click Smart Card Or Other Certificate, and then click Edit.

8. Click the Certificate Issued To list, and then click the certificate you will use to identify the Routing And Remote Access server. Click OK four times.

If your certificates are not issued by an enterprise CA, or if your computer has more than one certificate, you should add a remote access policy specifically for authenticating users with a smart card or other certificate. To do so, follow this procedure:

1. Open the Routing And Remote Access console.

2. In the left pane, expand the server node. Right-click Remote Access Policies, and then click New Remote Access Policy.

   The New Remote Access Policy Wizard appears.

3. Click Next.

4. On the Policy Configuration Method page, in the Policy Name box, type a name for the policy. Click Next.

5. On the Access Method page, click either VPN or Dial-Up. Click Next.

6. On the User Or Group Access page, select your preferred authorization method. Click Next.

7. On the Authentication Methods page, select Extensible Authentication Protocol (EAP). Click the Type list, and then click Smart Card Or Other Certificate.

8. Click the Configure button. Click the Certificate Issued list, and then click the certificate you will use to identify the Routing And Remote Access server. Click OK.

9. Clear Microsoft Encrypted Authentication Version 2 (MS-CHAPv2). Click Next.

10. On the Policy Encryption Level page, select the encryption levels you want to allow. Click Next, and then click Finish.

11. In the left pane, click Remote Access Policies. In the right pane, right-click the new policy, and then click Properties.

12. Click Grant Remote Access Permission, and then click OK.

Practice: Configuring a VPN Server and Client

In this practice, you will connect two computers by using a VPN. First, make sure that the computers are connected and configured as shown in Figure 12.8. Computer1 must have two network interface cards, each connected to a different computer, for this practice to be successful.

Figure 12.8: Network architecture for testing VPN connectivity

Exercise 1: Configuring a VPN server

In this exercise, you will configure Computer1 as a VPN server. First, create a user and group to assign remote access to.

1. Log on to the cohowinery.com domain on Computer1 by using the Administrator account.

2. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

3. Expand cohowinery.com. Right-click Users, point to New, and then click Group.

4. In the Group Name box, type Remote Access Users. Click OK.

5. Right-click Users, point to New, and then click User.

6. In the User Logon Name box, type User1. In the Full Name box, type User1. Click Next.

7. In the Password and Confirm Password boxes, type a complex password. Clear the User Must Change Password At Next Logon check box. Click Next, and then click Finish.

8. Double-click User1. Click the Member Of tab. Click the Add button.

9. In the Enter The Object Names To Select box, type Remote Access Users. Click OK.

10. Click the Dial-In tab, and then click Allow Access.

11. Select the Verify Caller-ID check box, and then type 192.168.3.2 in the box. Click OK.

    Configuring the Verify Caller-ID box with the client’s IP address reduces the risk that the account will be used to authenticate from a different location on the Internet. This option is available only for user accounts located on a standalone server or on an Active Directory domain with a Windows Server 2003 functional level.

In this part of the exercise, you will configure Routing And Remote Access.

1. Click Start, point to Administrative Tools, and then click Routing And Remote Access.

2. Right-click Computer1 (Local), and then click Configure And Enable Routing And Remote Access.

   The Routing And Remote Access Server Setup Wizard appears.

3. Click Next.

4. On the Configuration page, click Remote Access (Dial-Up Or VPN), and then click Next.

5. On the Remote Access page, click VPN, and then click Next.

6. On the VPN Connection page, click 192.168.3.1, and then click Next.

   The 192.168.3.1 interface connects to Computer2, which will simulate the VPN client connecting across the Internet. Notice that the Enable Security On The Selected Interface By Setting Up Static Packet Filters check box is selected by default. If you were to leave this check box selected on a production system, all non-VPN services would become unavailable across the public network interface.

7. On the IP Address Assignment page, click From A Specified Range Of Addresses. Click Next.

8. On the Address Range Assignment page, click New.

9. In the Start IP Address box, type 192.168.4.10. In the Number Of Addresses box, type 10. Click OK.

   Notice that the addresses are on the destination network.

10. Click Next. On the Managing Multiple Remote Access Servers page, accept the default setting to not use a RADIUS server by clicking Next.

11. Click Finish.

12. You can disregard the Routing And Remote Access warning box that appears because you are not using DHCP to assign addresses. Click OK.

Exercise 2: Configuring a VPN client

In this exercise, you will configure Computer2 as a VPN client configured to use Computer1 as the VPN server. You will then test connectivity by communicating with Computer1.

1. Log on to Computer2 by using the Administrator account.

2. Open Control Panel, open Network Connections, and then open New Connection Wizard.

   The Welcome To New Connection Wizard page appears.

3. Click Next.

4. On the Network Connection Type page, click Connect To The Network At My Workplace. Click Next.

5. On the Network Connection page, click Virtual Private Network Connection. Click Next.

6. On the Company Name page, type Test VPN in the Company Name box. Click Next.

7. On the Public Network page, click Do Not Dial The Initial Connection. Click Next.

   You would use this page if users were connecting to the private network across the public Internet. Having users dial in to an ISP before establishing a VPN connection is a common, economical way to provide dial-up access to your users.

8. On the VPN Server Selection page, type 192.168.3.1 in the Host Name Or IP Address box. Click Next twice, and then click Finish.

   The Connect Test VPN dialog box appears.

9. In the User Name box, type User1. In the Password box, type the complex password you assigned to User1.

10. Select the Save This User Name And Password For The Following Users check box, as shown in Figure 12.9.

    
    Figure 12.9: Creating a new test VPN connection

    Security Alert

    Saving the password is convenient for users. However, if a mobile computer is compromised—for example, if it’s stolen—an attacker can connect directly to your internal network.

11. Click Connect.

    The computer establishes a VPN connection to Computer1.

12. Open a command prompt. Run the command Ipconfig.

    Notice that Computer2 now has two network interfaces listed. The Local Area Connection will have the IP address 192.168.3.2, and the test VPN connection will have the IP address 192.168.4.11. Numbering for the private networks started at 192.168.4.10, but Computer1 claimed 192.168.4.10 for itself to act as the default gateway.

13. Run the command ping 192.168.4.1.

    Ping will receive responses from the private interface of Computer1.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. Your organization has multiple dial-up servers configured to authenticate to an IAS RADIUS server. Which tool should you use to restrict the hours during which users can dial up?

   1. Active Directory Users And Computers

   2. Computer Management

   3. Routing And Remote Access

   4. Internet Authentication Service

2. Your organization uses Windows authentication to verify the credentials of remote VPN clients. Which tool should you use to restrict the groups that can connect to the VPN server?

   1. Active Directory Users And Computers

   2. Computer Management

   3. Routing And Remote Access

   4. Internet Authentication Service

3. In an Active Directory domain environment, which of the following conditions must be met in order to use RAPs to control which remote access users are allowed to connect?

   1. The domain functional level must be Windows 2000 Mixed.

   2. The domain functional level must be Windows Server 2003.

   3. You must use MS-CHAP v1 or MS-CHAP v2 authentication.

   4. You must use an IAS RADIUS server.

Lesson Summary

• You can configure a remote access server and clients without changing the default settings. By default, encryption is required, and MS-CHAP v2 or MS-CHAP v1 authentication will be used.

• Edit the remote access server’s properties to expand or restrict the available authentication protocols. Select EAP authentication to enable authentication with public key certificates or smart cards.

• User authorization can be controlled in three places: the user’s dial-up properties, a RAP configured on the remote access server, or a RAP configured on the IAS RADIUS server.