
Remote authentication: Four tips for improving security

Your network boundary has crumbled and ensuring secure remote authentication is an essential duty for any administrator. RADIUS expert Jonathan Hassell provides four tips for improving the security and administration of remote access to your network.

Remote users are a problem for a lot of us whose job it is to keep our networks secure. Any time you don't have control over a machine's physical location, a world of variables is introduced that could compromise the integrity of your infrastructure. As remote access becomes more of a requirement than a nicety, it's important to maintain a secure but easy remote authentication process. Here are four tips to make it easier to administer remote access to your network:

  1. Use RADIUS or a similar authentication, authorization and accounting (AAA) server to granularize who gets access to what and to keep track of those users' activities. Most versions of Windows Server support the Internet Authentication Service, which is Microsoft's version of RADIUS. IAS interacts with Active Directory to create a unified identity store that prevents you, as the administrator, from having to maintain separate databases of approved remote users. You can also authorize access to certain parts of the network based on group membership and control the assignment of static versus dynamic IP addresses for remote clients. In addition, you can maintain an active, easily searchable log in case you need to examine forensics for a connection.
    Benefits: improved security, better probability of a faster connection sequence, less security hardening required

  2. Invest in devices, not full servers, to maintain your endpoints. Using real servers and operating system software functionality to perform AAA processes directly at your endpoint requires almost a full-time employee to keep that server monitored, updated and hardened. Even with auxiliary services turned off, the core of the operating system is probably not designed to weather the constant beating that an Internet-facing system takes. On the other hand, devices that are specifically designed to perform only remote concentration and remote authentication services have a significantly smaller attack surface and a well-tuned kernel specially designed to perform limited functions. Thus, they are a better bet for maintaining a high level of security at the "back door" of your network.
    Benefits: improved security, better probability of a faster connection sequence, less security hardening required

  3. Consider a quarantine solution to prevent infected or damaged machines from having unfettered access to your network. Machines connecting to a quarantine-enabled endpoint are scanned automatically against a common baseline to ensure patching has taken place, firewalls are enabled, antivirus software is up to date and so on. If the connecting machine fails these tests, the machine is placed in quarantine and is able to access only selected machines that contain the tools needed to fix the failing element. Cisco's Network Access Control technologies are available today and will be completely compatible with Microsoft's new Network Access Protection (NAP) specification and protocol, when Microsoft introduces it in the client upon the release of Windows Vista and in the server when Longhorn Server is finally released. In the meantime, check out the complete deployment guide to Network Access Quarantine Control that I wrote earlier this year. NAQC is a more limited but functional quarantine utility that's available today for systems based on Windows Server 2003 Service Pack 1.
    Benefits: sets a minimally acceptable security baseline for your network, cements security policy, can cleanse problematic machines, reduces chances of an infected machine spreading virus payloads internally

  4. Be consistent with your remote authentication policies. If different departments on your campus are responsible for maintaining their own endpoints into your network, form a working group and draft a unified specification for secure, rapid remote authentication into your network. Think about pitching the idea of a single network endpoint to the powers that be -- an endpoint that operates under a single, comprehensive security framework. This is a proactive -- rather than reactive -- step. Otherwise, you may have different departments with more or less stringent requirements to authenticate and authorize, creating an opportunity for those weaknesses to be exploited.
    Benefits: easier administration, fewer rules for users to remember, better logging
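Tip 1 rests on what a RADIUS exchange actually carries between the endpoint (the NAS) and the AAA server: a hidden User-Password, a directory lookup that authenticates the user and authorizes by group membership, a Framed-IP-Address that is either the user's static address or a signal for the NAS to allocate one, and a Response Authenticator that the NAS must check before it trusts any Access-Accept. The following Python is an added example written for this page, not code from the article, from IAS or from any RADIUS product. It implements the RFC 2865 password hiding and Response Authenticator computations and a toy server/NAS pair; the DIRECTORY dictionary, the shared secret, the user names, groups and addresses are all constructed stand-ins for an Active Directory store and real configuration.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8
NAS_SELECTS_ADDRESS = b"\xff\xff\xff\xfe"  # Framed-IP-Address value meaning "NAS picks from its pool"

# Constructed stand-ins for the Active Directory identity store and the NAS/server shared secret
DIRECTORY = {
    "alice": {"password": "correct horse battery", "groups": {"RemoteUsers", "Staff"}, "static_ip": "10.0.5.20"},
    "bob": {"password": "hunter2", "groups": {"Staff"}, "static_ip": None},
}
SHARED_SECRET = b"example-shared-secret"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth  # the Request Authenticator seeds the chain
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse; trailing NULs are padding, so NUL-terminated passwords cannot be carried."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # values over 253 bytes must be split

def decode_attrs(data):
    """Walk the type/length/value list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(_packet(code, ident, request_auth, attrs) + secret).digest()

def build_access_request(ident, username, password, secret, nas_ip):
    """NAS side: fresh random Request Authenticator, hidden password, NAS identity."""
    request_auth = secrets.token_bytes(16)
    attrs = (encode_attr(USER_NAME, username.encode()) + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def handle_access_request(packet, secret, directory, required_group):
    """Server side: authenticate against the directory, authorize by group, assign the address."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))  # toy: a repeated attribute type keeps its last value
    record = directory.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok, reply_attrs = False, b""
    if record is not None and USER_PASSWORD in attrs:
        supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        ok = hmac.compare_digest(supplied, record["password"].encode()) and required_group in record["groups"]
    if ok:  # static address from the directory record, or let the NAS allocate a dynamic one
        ip = record["static_ip"]
        reply_attrs = encode_attr(FRAMED_IP_ADDRESS, socket.inet_aton(ip) if ip else NAS_SELECTS_ADDRESS)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, reply_attrs, request_auth, secret), reply_attrs)

def verify_response(packet, request_auth, secret, expected_ident):
    """NAS side: check length, identifier and Response Authenticator before trusting a reply."""
    if len(packet) < 20:
        return False, None, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return False, None, None
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, None, None
    return True, code, decode_attrs(packet[20:])

def demo(username, password, directory=DIRECTORY, secret=SHARED_SECRET):
    """One full exchange; returns (reply_verified, reply_code, framed_ip_or_None)."""
    request, request_auth = build_access_request(7, username, password, secret, "192.0.2.10")
    reply = handle_access_request(request, secret, directory, "RemoteUsers")
    ok, code, attrs = verify_response(reply, request_auth, secret, 7)
    framed = dict(attrs).get(FRAMED_IP_ADDRESS) if ok else None
    return ok, code, (socket.inet_ntoa(framed) if framed else None)
```

Running `demo("alice", "correct horse battery")` yields an Access-Accept carrying the static address 10.0.5.20, while `demo("bob", "hunter2")` is rejected because bob is not in the RemoteUsers group even though his password is right. Two points matter for the security posture the tip describes: the password hiding is only as strong as the shared secret and the randomness of the Request Authenticator, which is why the secret must be long and per-NAS, and the NAS must actually verify the Response Authenticator (and the identifier it sent) before acting on a reply, otherwise anyone who can reach the NAS can forge an Access-Accept.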
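Tip 3 describes a quarantine flow: a connecting machine is checked against a baseline (patch level, firewall, antivirus currency), a failing machine is confined to the hosts that can fix it, and a passing one is released. The Python below is an added sketch of that flow written for this page; it is not NAQC's or NAP's code. It is modeled loosely on how NAQC operates (a client-side check script reports to a listener on the server, which lifts a quarantine IP filter; a session that never passes is ended by a timeout), and the baseline values, remediation host addresses, accepted script version string and timeout are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed baseline the quarantine endpoint enforces (values are assumptions, not from the article)
BASELINE = {"min_patch_level": 5, "firewall_required": True, "max_av_signature_age_days": 7}
# Constructed remediation servers a quarantined client may still reach (patch and AV update hosts)
REMEDIATION_HOSTS = frozenset({"10.0.9.5", "10.0.9.6"})
# Constructed: the listener only honours notifications from an approved version of the check script
ACCEPTED_SCRIPT_VERSIONS = frozenset({"quarantine-check-2.1"})
QUARANTINE_TIMEOUT_SECONDS = 120  # how long a client may stay quarantined before being dropped

def check_client(report, baseline=BASELINE):
    """Compare a client's self-reported state with the baseline; returns the list of failed checks."""
    failures = []
    patch_level = report.get("patch_level", 0)
    if patch_level < baseline["min_patch_level"]:
        failures.append("patch level %s below required %s" % (patch_level, baseline["min_patch_level"]))
    if baseline["firewall_required"] and not report.get("firewall_enabled", False):
        failures.append("host firewall disabled")
    if report.get("av_signature_age_days", 10**6) > baseline["max_av_signature_age_days"]:
        failures.append("antivirus signatures older than %d days" % baseline["max_av_signature_age_days"])
    return failures

@dataclass
class Session:
    user: str
    quarantined: bool = True
    allowed_hosts: frozenset = REMEDIATION_HOSTS
    elapsed: int = 0
    disconnected: bool = False
    failures: list = field(default_factory=list)

def start_session(user):
    """Every new connection starts in quarantine with the restrictive filter applied."""
    return Session(user=user)

def is_allowed(session, dst_ip):
    """Packet filter decision: quarantined clients reach only the remediation hosts."""
    if session.disconnected:
        return False
    return not session.quarantined or dst_ip in session.allowed_hosts

def client_notify(session, script_version, report):
    """The client-side check script reports in. Quarantine is lifted only when the script
    version is approved and every baseline check passed; returns True if it was lifted."""
    session.failures = check_client(report)
    if session.disconnected or script_version not in ACCEPTED_SCRIPT_VERSIONS or session.failures:
        return False
    session.quarantined = False
    session.allowed_hosts = frozenset()  # no longer consulted once quarantine is lifted
    return True

def tick(session, seconds):
    """Advance the clock; a client that never passes the checks is dropped at the timeout."""
    session.elapsed += seconds
    if session.quarantined and session.elapsed >= QUARANTINE_TIMEOUT_SECONDS:
        session.disconnected = True
    return session
```

The design choice worth noting is that the session starts restricted and is only widened after a positive result, so a client that crashes, runs an old script or never reports at all ends up disconnected rather than on the network. The `failures` list is what you would log and hand to the help desk, since it names exactly which baseline element the machine needs to fix from the remediation hosts.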

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
