Setting Remote Access Policies


In Windows NT 4 and 3.51, remote access is granted based solely on whether the user's account has dial-in permission. The permission is configured in User Manager or the Remote Access Administration utility. In Windows 2000, remote access is somewhat more complicated. Authorization is determined by a combination of the dial-in properties for the user account and the remote access policies. With remote access policies, connections can be authorized or denied based on the time of day, the Windows 2000 group to which the user belongs, the type of connection being requested, and many other variables. By default, only one policy is in place when you install Routing and Remote Access: Allow Access If Dial-In Permission Is Enabled. However, this policy operates quite differently, depending on which administration model you use.

REAL WORLD Authorization and Authentication

The similarity between the words "authorization" and "authentication" can cause some confusion, and it's important to understand the difference. Authentication is the process of establishing who a user is. In remote access connections, this is done when the client sends the user's credentials (user name and password) to the server via an authentication protocol. Authorization is the process of deciding what an authenticated user is allowed to do, based on that verified identity. Authentication ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. In remote access the two steps happen in that order: only a user who has authenticated successfully is then evaluated against the account's dial-in permission and the remote access policies, and a valid password alone never grants a connection.

Understanding the Default Policy

When you open Routing And Remote Access from the Administrative Tools folder and click Remote Access Policies in the console tree, the details pane lists a single policy (Figure 31-4). This policy is called Allow Access If Dial-In Permission Is Enabled, and it is referred to often in this chapter. Understanding what it does and doesn't do is essential to grasping the administration of remote access.


Figure 31-4. The default remote access policy.

Right-click the policy in the details pane, and choose Properties from the shortcut menu to open the dialog box shown in Figure 31-5. This policy has a single condition that must be matched by anyone seeking remote access. Click the Edit button to view the condition. As you can see, the condition is Any Day, Any Time. You might not think that access at any day, any time is a condition, but it is. It's just not a restrictive one: every connection attempt matches it, which makes this policy essentially transparent.

Figure 31-5. The Properties window for the default remote access policy.

Close the Time Of Day Constraints dialog box to return to the policy's Properties window. In the area labeled If A User Matches The Conditions are two options: Grant Remote Access Permission and Deny Remote Access Permission. You might expect the default setting, Deny Remote Access Permission, to keep everyone from dialing into this server, but by itself it does not. Whether either option actually allows or prevents a connection depends on the Dial-In setting of the user account.

The confusion arises because people tend to use the terms "permission" and "policy" as if they were interchangeable. Permission is in fact set on the user account, on the Dial-in tab of its properties, where it is one of Allow Access, Deny Access, or Control Access Through Remote Access Policy. An explicit Allow Access or Deny Access on the account overrides the Grant/Deny option in this Properties window; the policy's own permission decides only when the account is set to Control Access Through Remote Access Policy, which is the case for all user accounts in the native-mode administration model (described in the next section). In every case the connection attempt must first match the conditions of some policy, or it is rejected regardless of the account setting; with the default policy that is always true, because Any Day, Any Time matches everything.
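The decision logic the two preceding paragraphs describe, as an added example that is not from the book: a Python model of how a Windows 2000 remote access server combines the account's Dial-In setting with the first policy whose conditions match. The data shapes, the group and time-window condition helpers, and the "Sales" group are assumptions made for illustration; profile settings, which the server applies only after a connection has been authorized, are not modelled.

```python
"""Model of Windows 2000 remote access authorization (illustrative, not Microsoft code).

Order of evaluation, as described in the text:
  1. find the first remote access policy whose conditions all match the attempt;
     if none matches, the attempt is rejected no matter what the account says;
  2. an explicit Allow Access / Deny Access on the user account wins;
  3. only Control Access Through Remote Access Policy defers to the policy's
     Grant/Deny option.
"""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Callable, FrozenSet, List, Optional, Tuple


class AccountPermission(Enum):
    """The Dial-In setting on the user account."""
    ALLOW = "Allow Access"
    DENY = "Deny Access"
    POLICY = "Control Access Through Remote Access Policy"


class PolicyPermission(Enum):
    """The If A User Matches The Conditions option on the policy."""
    GRANT = "Grant Remote Access Permission"
    DENY = "Deny Remote Access Permission"


@dataclass(frozen=True)
class ConnectionAttempt:
    """Constructed view of one incoming connection (assumed shape)."""
    user: str
    groups: FrozenSet[str]
    when: datetime


Condition = Callable[[ConnectionAttempt], bool]


@dataclass
class RemoteAccessPolicy:
    name: str
    permission: PolicyPermission
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, attempt: ConnectionAttempt) -> bool:
        """All conditions must hold for the policy to apply."""
        return all(cond(attempt) for cond in self.conditions)


# --- condition helpers (assumed; they stand in for the GUI condition editors) ---

def any_day_any_time(attempt: ConnectionAttempt) -> bool:
    """The default policy's only condition: it matches everything."""
    return True


def time_window(weekdays: FrozenSet[int], start_hour: int, end_hour: int) -> Condition:
    """Day-and-time restriction; weekdays use datetime.weekday(), Monday == 0."""
    return lambda a: a.when.weekday() in weekdays and start_hour <= a.when.hour < end_hour


def member_of(group: str) -> Condition:
    """Windows group membership condition."""
    return lambda a: group in a.groups


# The single policy RRAS installs by default: Any Day, Any Time, set to Deny.
DEFAULT_POLICY = RemoteAccessPolicy(
    "Allow Access If Dial-In Permission Is Enabled",
    PolicyPermission.DENY,
    [any_day_any_time],
)


def authorize(account: AccountPermission,
              policies: List[RemoteAccessPolicy],
              attempt: ConnectionAttempt) -> Tuple[bool, str]:
    """Return (granted, reason) for one authenticated connection attempt."""
    matched: Optional[RemoteAccessPolicy] = next(
        (p for p in policies if p.matches(attempt)), None)
    if matched is None:
        # Step 1: no policy matched, so even an Allow Access account is rejected.
        return False, "rejected: no remote access policy matched"
    # Step 2: an explicit account setting overrides the policy's Grant/Deny.
    if account is AccountPermission.DENY:
        return False, f"rejected: account is Deny Access (policy '{matched.name}' ignored)"
    if account is AccountPermission.ALLOW:
        return True, f"granted: account is Allow Access (policy '{matched.name}' ignored)"
    # Step 3: Control Access Through Remote Access Policy defers to the policy.
    granted = matched.permission is PolicyPermission.GRANT
    return granted, f"{'granted' if granted else 'rejected'}: policy '{matched.name}' says {matched.permission.value}"


if __name__ == "__main__":
    # Constructed sample: a weekday-morning attempt by an ordinary domain user.
    alice = ConnectionAttempt("alice", frozenset({"Domain Users"}), datetime(2000, 6, 14, 10, 30))
    for setting in AccountPermission:
        print(f"{setting.value:<48} -> {authorize(setting, [DEFAULT_POLICY], alice)[1]}")
```

Run stand-alone, the script shows the point the text makes: with only the default policy in place, an account set to Allow Access gets in despite the policy's Deny, Deny Access is refused, and Control Access Through Remote Access Policy is refused because the default policy says Deny, which is why the native-mode model needs its own policies.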

Read the sections on the administration models that follow carefully, and study the logic diagrams. The administrative approach you choose should be as simple as possible while still meeting your needs, because every additional policy and account-level exception is one more place where the effective permission can differ from what you expect.



Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366