Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications."
Use Remote Access Policies
When remote access policies are used, user accounts in Windows Server 2003 and/or Windows 2000 domains are configured to control access through remote access policy. However, the default remote access policy is configured to deny all remote access requests. Do not delete the default remote access policy.
Remote access policies are used to provide remote access configuration. The beauty of remote access policies is that many policies can be created, each specifically designed for a group of clients, a time of day, or some physical device requirement. This allows for many models of remote access control. While it is not the most desirable response, you can create a weak policy for use with legacy clients, while retaining more secure authentication and encryption for others. The weakest connections do not have to dictate security for the entire organization. Hardening remote access connections can be accomplished by setting up proper remote access policies. The following list of hardening steps is presented during a walkthrough of remote access policy creation for connections by the custom-created Auditors group. When IAS is used to centralize RRAS, additional settings can be configured. Techniques for hardening connections according to policy conditions are listed in Table 11-4. A policy condition is checked when a connection attempt is made. If the properties of a connection match the policy condition in a remote access policy, then the remote access policy is applied.
To use remote access policies:
1. Right-click the Remote Access Policy node of the Routing and Remote Access console and select New Remote Access Policy. Then click Next.
2. Select Set Up a Custom Policy, enter a name for the new policy, and then click Next.
3. Click Add to add a policy condition. Select Windows-Groups and click Add.
4. Click Add and enter or browse to and select the Auditors group.
5. Click Grant Remote Access Permissions; then click Next.
6. Click the Edit Profile button to open the Dial-in Profile property pages, as shown here:
7. Restrict connection type to VPN by selecting Allow Access Only Through These Media (NAS Port Type) and then selecting Virtual, as shown here:
8. Harden authentication. Click the Authentication tab; then click EAP Methods.
9. Click Add and select Smart Card or Other Certificate, and then click OK.
10. Click all other checked authentication methods to deselect them.
11. Require Strong Encryption. Select the Authentication tab.
12. Click to deselect Basic Encryption, click to deselect Strong Encryption, and click to deselect No Encryption.
13. Click OK. Then click Next and then Finish.
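The matching rule described above (conditions checked against each connection attempt, the first matching policy applied, the default policy denying everything else) as an added Python model; it is not code from the book or from Windows, and it assumes the user accounts are set to control access through remote access policy. The policy and group names, the EAP-TLS label for Smart Card or Other Certificate, and Strongest being the encryption level left selected after step 12 are assumptions of this model.

```python
from dataclasses import dataclass
@dataclass
class Attempt:            # properties of one connection attempt
    groups: frozenset     # Windows groups the account belongs to
    port_type: str        # NAS-Port-Type: "Virtual" (VPN), "Async" (dial-up), ...
    auth: str             # authentication method the client negotiated
    encryption: str       # MPPE level: "None", "Basic", "Strong", "Strongest"
@dataclass
class Policy:
    name: str
    conditions: dict      # condition attribute -> allowed values; all must match
    grant: bool           # Grant / Deny remote access permission
    profile: dict         # dial-in profile constraints: media, auth, encryption
def conditions_match(policy, a):
    """Every condition must match; a policy with no conditions matches any attempt."""
    for attr, allowed in policy.conditions.items():
        if attr == "Windows-Groups":
            if not (a.groups & allowed):
                return False
        elif attr == "NAS-Port-Type":
            if a.port_type not in allowed:
                return False
        else:
            return False  # fail closed: a condition type this model omits never matches
    return True
def evaluate(policies, a):
    """First matching policy is the only one applied; returns (name, granted, reason)."""
    for p in policies:
        if not conditions_match(p, a):
            continue
        if not p.grant:
            return p.name, False, "policy denies access"
        for key, value in (("media", a.port_type), ("auth", a.auth), ("encryption", a.encryption)):
            if key in p.profile and value not in p.profile[key]:
                return p.name, False, f"profile rejects {key}={value}"  # granted, then rejected by profile
        return p.name, True, "access granted"
    return None, False, "no policy matched"

# Constructed policies: the Auditors policy of steps 1-13 (Smart Card or Other Certificate
# is EAP-TLS; with Basic, Strong and No encryption deselected, Strongest is assumed to be
# what remains), a weaker legacy-client policy, and the default deny-all policy.
POLICIES = [
    Policy("Auditors VPN", {"Windows-Groups": {"Auditors"}}, True,
           {"media": {"Virtual"}, "auth": {"EAP-TLS"}, "encryption": {"Strongest"}}),
    Policy("Legacy dial-up", {"Windows-Groups": {"LegacyDialin"}, "NAS-Port-Type": {"Async"}},
           True, {"auth": {"MS-CHAPv2"}, "encryption": {"Basic", "Strong", "Strongest"}}),
    Policy("Default (deny)", {}, False, {}),
]
def decide(groups, port_type, auth, encryption):
    return evaluate(POLICIES, Attempt(frozenset(groups), port_type, auth, encryption))
```

Because the legacy policy only matches the LegacyDialin group on a dial-up port, its weaker settings never apply to an Auditor, and anyone matching no tailored policy falls through to the default deny policy.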
This was first published in March 2005