Get a glimpse inside Roberta
Bragg's boeok "Hardening Windows Systems" with this series of book excerpts. Below is the
introductory excerpt from Chapter 11, "Harden Communications." Click for the
complete book excerpt series or purchase
Harden Windows Server 2000 and Windows Server 2003 RRAS
While Routing and Remote Access Services can be installed on Windows NT 4.0, I recommend avoiding the use of RRAS on Windows NT 4.0. Instead, use Windows 2000 or Windows Server 2003, which provide additional security and manageability. If you must use RRAS on Windows NT, adapt the recommendations given for Windows 2000 and Windows Server 2003 RRAS to Window NT 4.0.
RRAS provides dial-up and VPN remote access. In addition to client-to-server VPNs, RRAS provides gateway-to-gateway VPN services. Network Address Translation (NAT), packet filters, and Remote Access Policies add additional configuration features. Since the versions are so similar, Windows Server 2003 is used for the examples in the following configuration settings. Differences with Windows 2000 will be noted.
Secure External Network Configuration with Packet Filters
Windows Server 2003 packet filters can be configured to secure the external network interface, permitting only VPN traffic access. To do so during RRAS setup, select the external network interface on the VPN Connection page and then select Enable Security On the Selected Interface By. . . as shown here:
To manage connections after setup, use Remote Access Policies and set Input Filters as discussed in the later section "Use Remote Access Policies."
Authentication is configured from the Server Security property page. Currently the best solution is to require smart card authentication. If that is not immediately possible, then restrict the authentication methods possible.
1. Right-click the server in the Routing and Remote Access console and select Properties.
2. Select the Security tab.
3. Click the Authentication Methods button.
4. Deselect Microsoft encrypted authentication (MS-CHAP), as shown in the following illustration. All Microsoft clients from Windows 95 onward can be configured to use MS-CHAPv2, which has many improvements over MSCHAP. (Do not select legacy remote access communication protocols.)
5. Click EAP Methods. The Extensible Authentication Protocol can be used to configure advanced authentication methods, including Protected EAP (PEAP) and smart card or certificate authentication. They are configured in Remote Access Policies, but this property page defines the EAP methods installed on the Remote Access Server.
If IAS should be used for authentication and/or auditing, this is configured on the Security page.
Additional logging should be configured in order to provide a record of remote access connections. Logging is configured from the Logging page of the remote access server's property pages. Select Log All Events as shown here:
In addition, in Windows Server 2003, a Remote Access logging node in the Routing and Remote Access Console enables configuration of logging. Use the Settings page to limit logging to select logging for authentication, accounting, and status. (If IAS is used, and authentication and accounting tasks are split between different servers, configure authentication and accounting on the respective servers.)
If log files are moved to a SQL Server database, protect communications between the SQL server and the RRAS servers by using IPSec.
You may locate the log files to a different location, but if you do, secure the log files by setting the DACL to access by SYSTEM and Administrators groups only. Audit who accesses the log files.
Use a Firewall
Use a firewall to protect the RRAS and IAS servers. If RADIUS messages must traverse a firewall, create a rule to allow communications for the RADIUS ports listed in Table 11-2.
Configure Client Access
As in Windows NT 4.0, accounts in Windows 2000 and Windows Server 2003 are denied remote access by default. Users must be configured for remote access. If Windows 2000 domains are in native mode, or Windows Server 2003 domains are at least at Windows 2000 functional level, access permission may be configured using Remote Access Policies. Otherwise, access is configured similar to that for Windows NT 4.0 domains.
For each user account, remote access is configured from the Dial-in tab of the user account properties as shown in Figure 11-4.
Click for the next excerpt in this series: Use L2TP/IPSec VPNs.
This was first published in March 2005