Setting Remote Access Policies

In Windows NT 4.0 and Windows NT 3.51, remote access is granted based solely on whether the user's account has dial-in permission. The permission is configured in User Manager or the Remote Access Administration utility. In Windows 2000, remote access is somewhat more complicated. Authorization is determined by a combination of the dial-in properties for the user account and the remote access policies. With remote access policies, connections can be authorized or denied based on the time of day, the Windows 2000 group to which the user belongs, the type of connection being requested, and many other variables. By default, only one policy is in place when you install Routing and Remote Access: Allow Access If Dial-In Permission Is Enabled. However, this policy operates quite differently, depending on which administration model you use.

Real World

Authorization and Authentication

The similarity between the words "authorization" and "authentication" can cause some confusion, and it's important to understand the difference. Authentication is the process of verifying that a user is who he or she claims to be. In remote access connections, this happens when the client sends the user's credentials (user name and password) to the server using an authentication protocol. Authorization is the separate process of deciding what an authenticated user is permitted to do, in this case whether the connection is accepted and on what terms. Successful authentication by itself says nothing about the access rights of the individual.

Understanding the Default Policy

When you launch Routing and Remote Access from the Administrative Tools folder and click Remote Access Policies in the console tree, the details pane lists a single policy (Figure 32-4). This policy is called Allow Access If Dial-In Permission Is Enabled, and it is referred to often in this chapter. Understanding what it does and doesn't do is essential to grasping the administration of remote access.

Figure 32-4. The default remote access policy.

Right-click the policy in the details pane, and choose Properties from the shortcut menu to open the dialog box shown in Figure 32-5. This policy has a single condition that must be matched by anyone seeking remote access. Click Edit to view the condition. As you can see, the condition is Any Day, Any Time. You might not think that access at any day, any time is a condition, but it is. It's just not a restrictive condition, and it makes this policy essentially transparent.

Figure 32-5. The Properties dialog box for the default remote access policy.

Close the Time Of Day Constraints dialog box to return to the policy's Properties dialog box. The area labeled If A User Matches The Conditions contains two options: Grant Remote Access Permission and Deny Remote Access Permission. You might think that the default setting of Deny Remote Access Permission would prevent anyone from dialing into this remote server, but you would be mistaken. Whether these options actually allow or prevent a connection depends on the dial-in permission of the user account.

The confusion arises because people tend to use the terms "permission" and "policy" as if they were interchangeable. Permission is in fact set on the user account, and it is granted by default. The dial-in permission set on the user account overrides the permission option in this Properties dialog box except in the case of the native-mode administration model (described in the next section), in which all user accounts are set to Control Access Through Remote Access Policy.
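The interaction just described is easier to see in code than in a dialog box. The following Python model is an added illustration, not code from the book or from Windows: it encodes the order in which Routing and Remote Access decides a connection attempt (first policy whose conditions all match is used; no match means rejection; the account's Allow or Deny overrides the policy's Grant/Deny; only an account set to Control Access Through Remote Access Policy lets the policy decide). The class names, the sample accounts, the "VPN for Staff" policy and the business-hours condition are all constructed for the example, and the profile settings that RRAS applies after a grant are left out.

```python
# Added model of the Windows 2000 remote access authorization decision.
# Not code from the book: class, function and sample names are hypothetical.
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Callable, FrozenSet, List, Tuple


class DialInPermission(Enum):
    """Remote Access Permission on the user account (Dial-in tab)."""
    ALLOW = "Allow access"
    DENY = "Deny access"
    CONTROL_BY_POLICY = "Control access through Remote Access Policy"


class PolicyPermission(Enum):
    """'If a user matches the conditions' setting on the policy."""
    GRANT = "Grant remote access permission"
    DENY = "Deny remote access permission"


@dataclass(frozen=True)
class User:
    name: str
    dial_in: DialInPermission
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Request:
    user: User
    when: datetime
    connection_type: str = "dial-in"   # or "VPN"


Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Condition]
    permission: PolicyPermission

    def matches(self, req: Request) -> bool:
        # Every condition on the policy must hold for the policy to apply.
        return all(cond(req) for cond in self.conditions)


def any_day_any_time(req: Request) -> bool:
    # The default policy's only condition: always true, hence "transparent".
    return True


def weekdays_business_hours(req: Request) -> bool:
    return req.when.weekday() < 5 and 8 <= req.when.hour < 18


def member_of(group: str) -> Condition:
    return lambda req: group in req.user.groups


def connection_is(kind: str) -> Condition:
    return lambda req: req.connection_type == kind


def authorize(req: Request, policies: List[Policy]) -> Tuple[bool, str]:
    """Decide a connection attempt the way RRAS does (profile constraints omitted)."""
    # 1. Policies are evaluated in order; the first whose conditions all match is used.
    policy = next((p for p in policies if p.matches(req)), None)
    if policy is None:
        # 2. No matching policy: the attempt is rejected whatever the account says.
        return False, "rejected: no policy matched"
    # 3. The account's dial-in permission is consulted before the policy's Grant/Deny.
    perm = req.user.dial_in
    if perm is DialInPermission.DENY:
        return False, f"rejected: account denied (policy '{policy.name}' not consulted)"
    if perm is DialInPermission.ALLOW:
        return True, f"accepted: account allowed (policy '{policy.name}' permission ignored)"
    # 4. Control Access Through Remote Access Policy: the policy's own setting decides.
    if policy.permission is PolicyPermission.GRANT:
        return True, f"accepted: policy '{policy.name}' grants access"
    return False, f"rejected: policy '{policy.name}' denies access"


# The single policy installed by default, with its default Deny setting.
DEFAULT_POLICY = Policy(
    "Allow Access If Dial-In Permission Is Enabled",
    [any_day_any_time],
    PolicyPermission.DENY,
)

# Constructed sample accounts, a native-mode policy list, and two timestamps.
ALICE = User("alice", DialInPermission.ALLOW)
BOB = User("bob", DialInPermission.DENY)
CAROL = User("carol", DialInPermission.CONTROL_BY_POLICY, frozenset({"Staff"}))
VPN_STAFF_POLICY = Policy(
    "VPN for Staff, business hours",
    [member_of("Staff"), connection_is("VPN"), weekdays_business_hours],
    PolicyPermission.GRANT,
)
NATIVE_MODE_POLICIES = [VPN_STAFF_POLICY, DEFAULT_POLICY]
MONDAY_10AM = datetime(2003, 6, 16, 10, 0)
SATURDAY_10AM = datetime(2003, 6, 14, 10, 0)

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(f"{user.name:6} default policy only: {authorize(Request(user, MONDAY_10AM), [DEFAULT_POLICY])[1]}")
    print(f"carol  native mode VPN:      {authorize(Request(CAROL, MONDAY_10AM, 'VPN'), NATIVE_MODE_POLICIES)[1]}")
```

Running it shows the point of the paragraph above: alice gets in under the default policy even though that policy says Deny, bob is refused without the policy ever being consulted, and only carol's outcome depends on which policy matches and what it says.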

Read the sections on administrative policies that follow carefully, and study the logic diagrams. The administrative approach you choose should be as simple as possible while still meeting your needs.


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320