Hardening Communications - Harden Client Access

(Page 8 of 11 )

 

The first step in hardening client access is to provide permission to only those users who should have remote access. The second is by requiring callback where possible. When callback is configured, the server terminates the successful client initial connection and dials the specified phone number. This ensures that the connection can be made only with a designated location. When users always work from the same location, callback can be an effective security measure as long as physical access to the phone line is restricted to the authorized user. When users travel and must use dial-up remote access, callback cannot provide this. Remote access is configured by visiting the user account property pages in User Manager or by using the Remote Access Admin tool.

1. Open Remote Access Admin via Start | Programs | Administrative Tool.

2. From the Users menu, select Permissions.

3. Select the user account from the Users box.

4. Select Grant Dialin Permission to User.

5. If users work from an established phone line (the same phone number all of the time), select Preset To and enter the phone number, as shown here:
   
   

6. Configure additional users.

7. Click OK to close the dialog box and then click Exit from the Server menu.

Harden Windows Server 2000 and Windows Server 2003 RRAS Configuration

While Routing and Remote Access Services can be installed on Windows NT 4.0, I recommend avoiding the use of RRAS on Windows NT 4.0. Instead, use Windows 2000 or Windows Server 2003, which provide additional security and manageability. If you must use RRAS on Windows NT, adapt the recommendations given for Windows 2000 and Windows Server 2003 RRAS to Window NT 4.0.

RRAS provides dial-up and VPN remote access. In addition to client-to-server VPNs, RRAS provides gateway-to-gateway VPN services. Network Address Translation (NAT), packet filters, and Remote Access Policies add additional configuration features. Since the versions are so similar, Windows Server 2003 is used for the examples in the following configuration settings. Differences with Windows 2000 will be noted.

Secure External Network Configuration with Packet Filters

Windows Server 2003 packet filters can be configured to secure the external network interface, permitting only VPN traffic access. To do so during RRAS setup, select the external network interface on the VPN Connection page and then select Enable Security On the Selected Interface By. . . as shown here:

To manage connections after setup, use Remote Access Policies and set Input Filters as discussed in the later section “Use Remote Access Policies.”

Harden Authentication 

Authentication is configured from the Server Security property page. Currently the best solution is to require smart card authentication. If that is not immediately possible, then restrict the authentication methods possible.

1. Right-click the server in the Routing and Remote Access console and select Properties.

2. Select the Security tab.

3. Click the Authentication Methods button.

4. Deselect Microsoft encrypted authentication (MS-CHAP), as shown in the following illustration. All Microsoft clients from Windows 95 onward can be configured to use MS-CHAPv2, which has many improvements over MSCHAP. (Do not select legacy remote access communication protocols.)
   
   

5. Click EAP Methods. The Extensible Authentication Protocol can be used to configure advanced authentication methods, including Protected EAP (PEAP) and smart card or certificate authentication. They are configured in Remote Access Policies, but this property page defines the EAP methods installed on the Remote Access Server.

If IAS should be used for authentication and/or auditing, this is configured on the Security page.

Configure Logging

Additional logging should be configured in order to provide a record of remote access connections. Logging is configured from the Logging page of the remote access server’s property pages. Select Log All Events as shown here:

In addition, in Windows Server 2003, a Remote Access logging node in the Routing and Remote Access Console enables configuration of logging. Use the Settings page to limit logging to select logging for authentication, accounting, and status. (If IAS is used, and authentication and accounting tasks are split between different servers, configure authentication and accounting on the respective servers.)

If log files are moved to a SQL Server database, protect communications between the SQL server and the RRAS servers by using IPSec.

You may locate the log files to a different location, but if you do, secure the log files by setting the DACL to access by SYSTEM and Administrators groups only. Audit who accesses the log files.

Use a Firewall

Use a firewall to protect the RRAS and IAS servers. If RADIUS messages must traverse a firewall, create a rule to allow communications for the RADIUS ports listed in Table 11-2.

RADIUS Ports		Authentication Messages	Accounting Messages
Standard		UDP 1812	UDP 1813
Alternative		UDP 1645	UDP 1646

Table 11-2. RADIUS Ports

Configure Client Access

As in Windows NT 4.0, accounts in Windows 2000 and Windows Server 2003 are denied remote access by default. Users must be configured for remote access. If Windows 2000 domains are in native mode, or Windows Server 2003 domains are at least at Windows 2000 functional level, access permission may be configured using Remote Access Policies. Otherwise, access is configured similar to that for Windows NT 4.0 domains.

HEADS UP! Each user account is configured to Deny access, Allow access, or rely on Remote Access policies. When Remote Access policies are used, connections and attempts to connect are a result of a combination of account dial-in properties and remote access policy constraints. However, if an IAS profile constraint is configured to ignore user dial-in properties, then account dial-in properties are not considered. A user may be configured in account properties to Deny remote access, and yet it may be possible for that account to connect. To evaluate remote access, you must evaluate each remote access policy in addition to user settings.

For each user account, remote access is configured from the Dial-in tab of the user account properties as shown in Figure 11-4.

This is from Hardening Windows Systems, by Roberta Bragg, (McGraw-Hill/Osborne, ISBN: 0072253541). Check it out at your favorite bookstore today. Buy this book now.

Next: Use L2TP/IPSec VPNs >>
 

More Windows Security Articles
More By McGraw-Hill/Osborne

Comments On: Hardening Communications

>>> Be the FIRST to comment on this article!