Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications."
Harden NT 4.0 Remote Access Server Configuration
Windows NT 4.0 provides a basic dial-up Remote Access Service (RAS) and, as an add-on, the Routing and Remote Access Service (RRAS). Dial-up access can be secured using MS-CHAPv2 authentication and data encryption, but these choices must be configured. Weaker authentication protocols and unencrypted communications were originally provided to ensure the ability to service connections from legacy clients.
Harden Access Port Usage
Enable only the COM port usage that is required. In many cases, this means that the RAS server should be configured only to receive calls. If the RAS server is configured for dial-back, however, configure the server for both incoming and outgoing calls.
1. Open the Network interface by right-clicking Network Neighborhood and selecting Properties.
2. Select the Services tab, select Remote Access Service, and then click Properties.
3. From the Remote Access Setup dialog box, click Configure.
4. Select the Dial Out and Receive Calls radio button as shown here:
Harden Network Configuration
RAS network configuration can be secured by limiting the protocols to those used, and by requiring encryption.
1. From the Remote Access Setup dialog box, click Network.
2. Set the dial-out protocols.
3. Set the Server settings to restrict access from clients. If clients must be running IPX, for example, select only this protocol. Clients attempting to connect using another protocol will be unsuccessful. Select only those protocols your network requires. In this example, only TCP/IP has been selected.
4. Click the Configure button next to the protocol.
5. If clients need access only to specific data and that data can be available on the RAS server, then click This Computer Only in the Allow Remote TCP/IP Clients to Access box as shown in the following illustration. This will prevent clients from accessing other network resources. The RAS server will not act as a portal to the rest of the network.
6. Click OK.
7. Select Require Data Encryption, as shown in the following illustration. MS-CHAP must be used for authentication to enable data encryption. Table 11-1 provides information on how to select other authentication protocols.
8. Click OK, and then click Continue.
Table 11-1. Authentication Choices for Windows NT 4.0 RAS
Harden Client Access
The first step in hardening client access is to grant permission only to those users who should have remote access. The second is to require callback where possible. When callback is configured, the server terminates the client's successful initial connection and dials the specified phone number. This ensures that the connection can be made only with a designated location. When users always work from the same location, callback can be an effective security measure as long as physical access to the phone line is restricted to the authorized user. When users travel and must use dial-up remote access, callback cannot provide this assurance. Remote access is configured by visiting the user account property pages in User Manager or by using the Remote Access Admin tool.
1. Open Remote Access Admin via Start | Programs | Administrative Tools.
2. From the Users menu, select Permissions.
3. Select the user account from the Users box.
4. Select Grant Dialin Permission to User.
5. If users work from an established phone line (the same phone number all of the time), select Preset To and enter the phone number, as shown here:
6. Configure additional users.
7. Click OK to close the dialog box and then click Exit from the Server menu.
This was first published in March 2005