Decisions on the best way to provide remote access will vary depending on the tools you have chosen. Here are some thoughts.
- Install and test RRAS servers before making them IAS (Internet Authentication Services) clients.
- Immediately after installation, back up the IAS database file, ias.mdb, from the %systemroot%\system32\ias folder.
- Back up the ias.mdb file whenever changes to the IAS configuration are made.
- The IAS and RRAS servers should be dedicated servers. This will help eliminate the possibility that unauthorized users will gain access and weaken the security configuration.
- Physically secure IAS, VPN and RRAS servers.
- Protect IAS and VPN routers behind a firewall.
- Turn on the account lockout feature.
- Disable authentication protocols you do not use. Do not use PAP (Password Authentication Protocol) unless you must support legacy systems.
- Determine desired logging for audit purposes and back up IAS logs.
- Do not use telnet.
- Secure remote administration sessions with IPsec or with VPNs if these sessions are being initiated externally to your network.
- Increase encryption levels on Terminal Services when providing remote access.
To learn more about
This was first published in January 2001