Hardening Communications - Harden NT 4.0 Remote Access Server Configuration
Windows NT 4.0 provides a basic dial-up Remote Access Service (RAS) and, as an add-on, the Routing and Remote Access Service (RRAS). Dial-up access can be secured using MS-CHAPv2 authentication and data encryption, but these choices must be configured. Weaker authentication protocols and unencrypted communications were originally provided so that connections from legacy clients could be serviced.
Harden Access Port Usage
Use only the required COM port access. In many cases, this means that the RAS server should be configured only to receive calls. If the RAS server is configured for dial-back, however, configure the server for both incoming and outgoing calls.
- Open the Network interface by right-clicking Network Neighborhood and selecting Properties.
- Select the Services tab, select Remote Access Service, and then click Properties.
- From the Remote Access Setup dialog box, click Configure.
- Select the Dial Out and Receive Calls radio button as shown here:

Harden Network Configuration
RAS network configuration can be secured by limiting the protocols to those used, and by requiring encryption.
- From the Remote Access Setup dialog box, click Network.
- Set the dial-out protocols.
- Set the Server settings to restrict access from clients. If clients must be running IPX, for example, select only this protocol. Clients attempting to connect using another protocol will be unsuccessful. Select only those protocols your network requires. In this example, only TCP/IP has been selected.
- Click the Configure button next to the protocol.
- If clients need access only to specific data and that data can be available on the RAS server, then click This Computer Only in the Allow Remote TCP/IP Clients to Access box as shown in the following illustration. This will prevent clients from accessing other network resources. The RAS server will not act as a portal to the rest of the network.
- Click OK.
- Select Require Data Encryption, as shown in the following illustration. MS-CHAP must be used for authentication to enable data encryption. Table 11-1 provides information on how to select other authentication protocols.
- Click OK, and then click Continue.
| Network Configuration Selection | Authentication Protocols Accepted | Discussion |
|---|---|---|
| Allow Any Authentication Including Clear Text | MS-CHAP, SPAP, PAP | Not an acceptable selection. |
| Require Encrypted Authentication | MS-CHAP, SPAP | Passwords must be encrypted. |
| Require Microsoft Encrypted Authentication | MS-CHAP, MS-CHAPv2 | If you require data encryption, you must use MS-CHAP or MS-CHAPv2. You cannot use SPAP or PAP. Configure clients to use MS-CHAPv2 for the most secure connection. |
Table 11-1. Authentication Choices for Windows NT 4.0 RAS
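The settings above depend on one another (data encryption requires the Microsoft encrypted authentication choice, and dial-back requires both call directions), so a documented server configuration can be checked against them in one pass. The following Python audit is an added example, not code from the book; the record layout and setting names are hypothetical labels for the dialog-box options, and the sample records are constructed.

```python
# Added example, not from the book: setting names below are hypothetical
# labels for the dialog-box options described in the text.
ACCEPTED = {  # Table 11-1: selection -> authentication protocols accepted
    "any_including_clear_text": {"MS-CHAP", "SPAP", "PAP"},
    "encrypted": {"MS-CHAP", "SPAP"},
    "microsoft_encrypted": {"MS-CHAP", "MS-CHAPv2"},
}

def audit_ras(cfg, required_protocols, dial_back=False, network_access_needed=False):
    """Return a list of findings; an empty list means the record matches the guidance."""
    findings = []
    # Port usage: receive only, unless dial-back needs both directions.
    expected_port = "dial_out_and_receive" if dial_back else "receive_only"
    if cfg["port_usage"] != expected_port:
        findings.append(f"port usage '{cfg['port_usage']}' should be '{expected_port}'")
    # Server protocols: anything beyond what the network requires is flagged.
    extra = sorted(set(cfg["server_protocols"]) - set(required_protocols))
    if extra:
        findings.append("unneeded server protocols: " + ", ".join(extra))
    # Scope: the RAS server should not be a portal to the rest of the network.
    if cfg["tcpip_scope"] == "entire_network" and not network_access_needed:
        findings.append("TCP/IP clients can reach the whole network; use This Computer Only")
    # Authentication: Table 11-1 marks the clear-text selection as not acceptable.
    if "PAP" in ACCEPTED[cfg["authentication"]]:
        findings.append("authentication selection accepts clear-text PAP")
    # Data encryption is only available with Microsoft encrypted authentication.
    if not cfg["require_data_encryption"]:
        findings.append("Require Data Encryption is not selected")
    elif cfg["authentication"] != "microsoft_encrypted":
        findings.append("data encryption needs Require Microsoft Encrypted Authentication")
    return findings

# Constructed sample records (not captured from a real server).
WEAK = {"port_usage": "dial_out_and_receive", "server_protocols": ["TCP/IP", "IPX", "NetBEUI"],
        "tcpip_scope": "entire_network", "authentication": "any_including_clear_text",
        "require_data_encryption": False}
HARDENED = {"port_usage": "receive_only", "server_protocols": ["TCP/IP"],
            "tcpip_scope": "this_computer_only", "authentication": "microsoft_encrypted",
            "require_data_encryption": True}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ras(cfg, required_protocols=["TCP/IP"]))
```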
This is from Hardening Windows Systems, by Roberta Bragg (McGraw-Hill/Osborne, ISBN: 0072253541).