10. Click OK to exit the Authentication Methods dialog box, and then click OK to exit the Properties dialog box and save the changes. T EST DAY TIP You can also restrict authentication methods by changing settings in the Authentication tab of the Properties dialog box for a Remote Access Policy. Policies are described in detail later in this chapter. Using MS-CHAP v2 MS-CHAP v2 is a more secure version of MS-CHAP.This version uses stronger initial encryption keys, uses different keys for sending and receiving data, and supports mutual authentication—this means that after the server sends a challenge to the client and the client responds correctly, proving that it has the correct password, the client sends its own chal- lenge to the server.The client disconnects immediately if the server responds incorrectly to this challenge.This enables the client to detect a server attempting to impersonate the legit- imate server. MS-CHAP v2 is supported by operating systems as old as Windows NT 4.0 and Windows 98, and is even supported by Windows 95 if the Dial-Up Networking upgrade is installed.This means that unless you are supporting very old computers, there is no need to risk security by supporting MS-CHAP v1. Using EAP EAP (Extensible Authentication Protocol) is not itself an authentication protocol, but pro- vides a framework that enables authentication using a variety of different methods, known as EAP types.The following are the EAP types supported by Windows Server 2003: ■ EAP-MD5 A challenge-response protocol similar to CHAP.This method uses reversible encryption to store passwords, and is thus vulnerable to the same secu- rity problems as CHAP. ■ EAP-TLS (Transport Level Security) A high-security protocol based on the SSL (Secure Sockets Layer) system used for Web server security. EAP-TLS uses encrypted certificates for authentication. It also supports mutual authentication, similar to MS-CHAP v2.This is considered the most secure authentication pro- tocol supported by Windows Server 2003. www.syngress.com Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 511 255_70_293_07.qxd 9/10/03 10:33 AM Page 511 TEST DAY TIP EAP-TLS is the most secure authentication method, but is not supported by all clients. Only Windows 2000, Windows XP, and Windows Server 2003 clients sup- port this authentication method. Using RADIUS/IAS vs.Windows Authentication Windows Server 2003 supports RADIUS, an Internet standard for a centralized server to handle a network’s authentication and accounting needs. Internet Access Server (IAS) is Microsoft’s implementation of a RADIUS server, and is included with Windows Server 2003 but is not installed by default.You can install it through the Add/Remove Programs applet in Control Panel as a Windows component.When you configure an RRAS server, you can choose one of two authentication methods: ■ Windows Authentication: The traditional method. Each RRAS server handles authentication itself, and you can configure the authentication methods supported in the Remote Access Policy section of the Routing and Remote Access MMC snap-in. Policies you create for one RRAS server apply only to that server. ■ RADIUS Authentication: The RRAS server acts as a RADIUS client and con- tacts an IAS (or RADIUS) server to authenticate users.When RADIUS is in use, you configure authentication methods and other remote access security settings from the Remote Access Policy section of the Internet Access Server MMC snap- in.The policies you create for the IAS server apply to any RRAS server that authenticates using that server. TEST DAY TIP EAP supports an authentication type called EAP Over RADIUS. This is not an authentication method itself; instead, authentication requests are forwarded to a RADIUS server for processing. This enables you to install and configure EAP types on the RADIUS server and use them from any remote access server, without installing the types on each RRAS server. Selecting the Data Encryption Level In a VPN, you can control the level of encryption that is allowed for access. By disallowing unencrypted connections or those that use less-secure encryption, you can decrease the risk of network snooping.You can enable or disable the following levels of encryption: ■ No encryption: Unencrypted connections, unsuitable for VPN use. www.syngress.com 512 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy 255_70_293_07.qxd 9/10/03 10:33 AM Page 512 ■ Basic encryption: Encryption with a 40-bit key, considered relatively easy to break. ■ Strong encryption: Encryption with a 56-bit key. In IPSec, this uses the DES standard for encryption. Although more secure, DES-encrypted data has been demonstrated to be breakable. ■ Strongest encryption: Encryption with a 128-bit key for MPPE connections, or triple DES (3DES), which uses a 168-bit key (56-bit times three) for IPSec con- nections. The Strongest Encryption option might not be available in international versions of Windows Server 2003 or US editions without the High Encryption Pack installed.You can enable or disable these encryption levels using remote access Policies.This process is described later in this chapter. Using Callback Security Callback security is a high-security system used for dial-in connections.When a client con- nects to a system using callback, the system disconnects and calls the client back at the client’s phone number.There are two variations of callback: ■ Allowing the user to specify the callback number.This does not provide a high level of security, but does ensure that the client’s phone number can be logged and can be used to avoid long-distance charges being incurred by the client. ■ Using a callback number specified by the administrator.This is very secure because it is difficult to impersonate a valid client, but it requires that a client always connect from the same number. You can configure callback security as part of a remote access profile.This process is described in the final section of this chapter. Managed Connections For a user to connect to a remote access server via dial-in or VPN, the client computer must have the correct settings configured to match the server. Because this can be a daunting process for administrators,Windows Server 2003 supports two components to simplify the process of managing connections: ■ Connection Manager is the client software Windows clients use to make a con- nection to a dial-in server or VPN server. Current versions of Windows include Connection Manager. ■ Connection Manager Administration Kit (CMAK) is an administrator’s tool that enables you to create a customized version of Connection Manager to dis- www.syngress.com Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 513 255_70_293_07.qxd 9/10/03 10:33 AM Page 513 tribute to clients.The customizations are stored in a dial-in profile and can include settings for your server, phone numbers, and even custom graphics, icons, and help files. Connection Manager and CMAK are described in detail in Chapter 5. Mandating Operating System/File System Windows Server 2003 supports a new feature called Network Access Quarantine control. This feature enables you to restrict access to particular operating systems, file systems, and other aspects of the client’s configuration.You use a script to accomplish this. When Quarantine control is enabled, clients can connect normally to the RRAS server and are issued IP addresses. However, when a client first connects, it is put into quarantine mode and allowed only limited access to network resources.A script is then run through Connection Manager on the client machine to determine if the client’s configuration matches the requirements. If it does, the quarantine is released and the client gains full access to the network. TEST DAY TIP Quarantine Control requires an IAS (RADIUS) server, a customized Connection Manager profile created with CMAK, and a custom script. It also requires that clients run Windows 98, Windows ME, Windows XP, Windows 2000, or Windows Server 2003. Using Smart Cards for Remote Access A smart card is a credit card-sized device that can store a public/private key pair or certifi- cate for encryption.To use smart cards, you install card readers on client computers. Clients can request certificates from a certification authority (CA) and store them on the smart card. Because the encryption keys are not stored on client computers, this eliminates many potential security problems. Smart cards are typically used with the EAP-TLS authentication method. Because IPSec encryption is used with L2TP VPN connections, smart cards can be used to encrypt a VPN connection that uses L2TP over IPSec. Smart cards can store an encryption key with a large number of bits, making for highly secure communications.Their chief disadvantage is the smart card hardware; if it is dam- aged, a new card must be configured for the user, and if the card falls into the wrong hands, it can be used to gain unauthorized access to the network. However, smart cards use a PIN number to eliminate much of this risk. www.syngress.com 514 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy 255_70_293_07.qxd 9/10/03 10:33 AM Page 514 Creating Remote Access Policies You can manage the security of your remote access server by creating one or more Remote Access Policies. Depending on your configuration, you will need to create policies in one of these two places: ■ If you are using Windows authentication, use the Remote Access Policies item under each RRAS server in the Routing and Remote Access MMC snap-in. ■ If you are using RADIUS authentication, use the Remote Access Policies item under the IAS server in the Internet Authentication Service MMC snap-in. Regardless of the type of authentication you are using, the policies you create will work the same way, and the dialog boxes for creating and modifying policies are the same. TEST DAY TIP Keep in mind that with RADIUS authentication you have exactly one set of remote access policies defined for the IAS server. With Windows authentication there is a separate set of policies for each RRAS server. Policies and Profiles Remote access security includes two key components: ■ Remote Access Policies Determine which users can connect remotely and the connection methods they can use.You can have any number of remote access policies. ■ Remote Access Profiles Provide further restrictions after the connection is established. Each policy contains exactly one profile. Each remote access policy has an order number, or priority.You can define the order by using the Move Up and Move Down actions in the policy window.The list of policies in a default Windows Server 2003 RRAS installation is shown in Figure 7.12. Each policy can have various criteria against which connection attempts are checked.The policy can be set to either Grant or Deny access for users who match these criteria. www.syngress.com Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 515 EXAM 70-293 OBJECTIVE 3 255_70_293_07.qxd 9/10/03 10:33 AM Page 515 When a user attempts to connect, his or her connection criteria are compared to each policy’s conditions in order until a policy matches.The Grant or Deny setting of that policy then determines whether the user is allowed access. If a policy grants access, its associated profile is used to further restrict the connection. In the following sections, you will learn how to make practical use of remote access policies and profiles to authorize or restrict remote access, and to control aspects of the connections using remote access profiles. Authorizing Remote Access The simplest use for a remote access policy is to authorize remote access for a particular user or group.Windows Server 2003 includes a wizard that you can use to quickly create these types of policies. After you have created a policy, you can modify the properties of the policy to make more specific settings or restrictions. Authorizing Access By User As described earlier in this chapter, you can use the Dial-in Properties page of a user account’s Properties dialog box to explicitly allow or deny access to the user.This is the recommended way to authorize access by user.When you use the wizard to create a policy to authorize by user, it creates a policy that does not include any user restrictions.You can then use the user properties to allow or deny access. Exercise 7.08 shows you how to create a policy to authorize by user. www.syngress.com 516 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy Figure 7.12 Remote Access Policies 255_70_293_07.qxd 9/10/03 10:33 AM Page 516 E XERCISE 7.08 AUTHORIZING REMOTE ACCESS BY USER Follow these steps to create a policy to authorize access by user: 1. Select Programs | Administrative Tools | Routing and Remote Access from the Start menu. If you are using RADIUS authentication, select Internet Authentication Service instead. 2. Click Remote Access Policies in the left-hand column. A list of the cur- rent policies is displayed in the window. 3. From the menu, select Action | New Remote Access Policy. 4. The wizard displays a welcome message. Click Next to continue. 5. The Policy Configuration Method screen is displayed, as shown in Figure 7.13. Select the Use the wizard to set up a typical policy option and enter Allow Dial-up Access in the Policy name field. Click Next to continue. 6. The Access Method screen is displayed. You can select whether this policy will apply to Dial-up, VPN, Wireless, or Ethernet access. Select the Dial-up option and click Next to continue. 7. The User or Group Access dialog box is displayed, as shown in Figure 7.14. Select the User option and click Next to continue. www.syngress.com Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 517 Figure 7.13 Policy Configuration Method 255_70_293_07.qxd 9/10/03 10:33 AM Page 517 8. The Authentication Methods dialog box is displayed. This dialog box enables you to choose the authentication methods this policy will accept. Click Next to continue. 9. The Policy Encryption Level screen is displayed. Select the encryption types to accept and click Next. 10. The wizard displays a completion dialog box. Click Finish to create the new policy. 11. You are returned to the Remote Access Policies window and your new policy has been added at the top of the list. After you have created the policy with the wizard, you can use the Move Up and Move Down commands in the Action menu to change the policy order if you wish. Authorizing Access By Group Unlike user accounts, security groups do not include dial-in properties. If you wish to enable access for a group, you can use the wizard to create a remote access policy that includes a condition to check the user’s group membership. Exercise 7.09 guides you through this process. www.syngress.com 518 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy Figure 7.14 User or Group Access 255_70_293_07.qxd 9/10/03 10:33 AM Page 518 E XERCISE 7.09 AUTHORIZING REMOTE ACCESS BY GROUP Follow these steps to create a policy to authorize access for the Domain Admins group: 1. Select Programs | Administrative Tools | Routing and Remote Access from the Start menu. If you are using RADIUS authentication, select Internet Authentication Service instead. 2. Click Remote Access Policies in the left-hand column. A list of the cur- rent policies is displayed in the window. 3. From the menu, select Action | New Remote Access Policy. 4. The wizard displays a welcome message. Click Next to continue. 5. The Policy Configuration Method screen is displayed. Select the Use the wizard to set up a typical policy option and enter Allow Admin Access in the Policy name field. Click Next to continue. 6. The Access Method screen is displayed, as shown in Figure 7.15. You can select whether this policy will apply to Dial-up, VPN, Wireless, or Ethernet access. Select the Dial-up option and click Next to continue. 7. The User or Group Access dialog box is displayed. Select the Group option and click the Add button to add a group name. www.syngress.com Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 519 Figure 7.15 Access Method 255_70_293_07.qxd 9/10/03 10:33 AM Page 519 8. The Select Groups dialog box is displayed, as shown in Figure 7.16. Enter Domain Admins in the Enter the object names to select field and click OK. 9. You are returned to the User or Group Access dialog box. Click Next to continue. 10. The Authentication Methods dialog box is displayed. Click Next to continue. 11. The Policy Encryption Level dialog box is displayed. Click Next to con- tinue. 12. The wizard displays the completion dialog box. Click Finish to create the policy. Restricting Remote Access You can add any number of conditions to a remote access policy to restrict the users, con- nection types, and other criteria that can match the policy. Each policy can be configured to either allow access or deny access based on those criteria. To restrict access, you can create a policy that denies access based on a set of criteria. Because each connection will use the first policy that it matches, be sure your policies for denying access are placed early in the list, before any other policy that might match the same users. The current conditions for a policy are listed in its Properties dialog box.You can use the Add button to add a condition.There are a variety of attributes you can test to create a condition. For example, Figure 7.17 shows the Properties dialog box for a policy that checks the connection type and group membership. www.syngress.com 520 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy Figure 7.16 Select Groups 255_70_293_07.qxd 9/10/03 10:33 AM Page 520 [...]... 10:33 AM Page 530 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy Figure 7.24 Summary of Remote Assistance Invitations Using Remote Assistance As with Remote Desktop for Administration, the Remote Assistance (RA) components of Windows 2003 are installed with the operating system And, just as Remote Desktop for Administration needs to be enabled and configured before you can... 10:33 AM Page 528 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy Controlling IP Packet Filters You can use IP packet filters to filter incoming or outgoing traffic for connections that match a particular remote access profile.You might find this useful for denying access to a VPN from particular locations, or only allowing access from a particular address.You can manage outgoing... Messenger is a chat program available from Microsoft and installed in Windows XP by default that is similar to ICQ and AOL Instant Messenger (MSN Messenger is a separate but related application; both use the NET Messenger Service).When you use Windows Messenger for RA, the invitation travels through a messaging server infrastructure that can include the Internet, or can work with Microsoft Exchange Server. .. 10:33 AM Page 545 Planning, Implementing, and Maintaining a Remote Access Strategy • Chapter 7 EXAM 70-293 OBJECTIVE 3 5.4.2 Planning for Remote Administration by Using Terminal Services Most of what is new in Windows 2003 Terminal Services relates to remote administration Microsoft has really listened to customer feedback from previous versions of the operating system, and has created some major improvements... your default e-mail program should have launched, with an e-mail created and ready to be sent to the person whose assistance you are requesting.This final screen alerts you to this and gives you the option to recreate the mail message in case you accidentally closed the window when it popped open At the bottom of the screen are links to manage your outstanding invitation requests and create additional invitations... clicked.This displays a Save As dialog box that enables you to specify a name and location for the file.The file will be saved with an msrcincident extension After it is saved, the final screen is displayed It confirms the file name and where it was saved At the bottom of the screen, there are links to manage your outstanding invitation requests and create additional invitations Exercise 7.12 walks you through... the invitation is shorter You should also educate your users on when it is appropriate to accept RA requests As mentioned previously, a request saved to a file is stored in a standard XML file.These can easily be modified to perform malicious actions when run by a user on a local system.The e-mail request contains a URL to click and can also be altered In this case it may take the user to a page that performs... Windows Server 2003 computer.This mail client can be Microsoft Outlook Express, which is installed with Windows, Outlook (installed as a separate application or with www.syngress.com 533 255_70_293_07.qxd 534 9/10/03 10:33 AM Page 534 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy Microsoft Office), or a third-party mail application.To create an RA invitation using email,... 255_70_293_07.qxd 5 46 9/10/03 10:33 AM Page 5 46 Chapter 7 • Planning, Implementing, and Maintaining a Remote Access Strategy Setting Up Authentication When RDA is enabled, any user accounts that are members of the Administrators built-in group on the server will be allowed to establish a remote session However, other accounts must be explicitly approved for access.There are two different ways this can be accomplished... Remote Administration Methods Windows Server 2003 includes many ways to remotely administer your servers.You can install server administration tools (including Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and many others) on a client computer.You can use the Computer Management console on one computer on the network to connect to and manage . RADIUS, an Internet standard for a centralized server to handle a network s authentication and accounting needs. Internet Access Server (IAS) is Microsoft’s implementation of a RADIUS server, and. files. Connection Manager and CMAK are described in detail in Chapter 5. Mandating Operating System/File System Windows Server 2003 supports a new feature called Network Access Quarantine control. This feature. Access Server MMC snap- in.The policies you create for the IAS server apply to any RRAS server that authenticates using that server. TEST DAY TIP EAP supports an authentication type called EAP