Hardening Communications - Use L2TP/IPSec VPNs
Where dial-up access is required, require the use of VPNs and do not allow plain dial-up connections. VPNs are a better choice for security. Two VPN types can be configured. Where possible, use L2TP/IPSec. PPTP is considered to be a less secure VPN protocol than L2TP/IPSec; however, it can provide secure communications if correctly configured. In general, though, L2TP/IPSec is simply a better choice. Important differences in these technologies are listed in Table 11-3.
Figure 11-4. Remote access can be controlled via Remote Access Policies.
| Technology | PPTP | L2TP/IPSec |
|---|---|---|
| Encryption | Microsoft Point-to-Point Encryption (MPPE). Only the data payload is encrypted. | IPSec. Encrypts most parts of the packet. |
| Tunnel | PPTP | L2TP |
| Authentication | User based. May be mutual, for example with MS-CHAPv2. | Requires mutual machine authentication via certificates. (Can be configured for a shared secret. Do not do so.) |
| NAT | Typically no problems. | Can cause problems unless NAT-T-compliant clients and servers are used, which enable IPSec over NAT. |

Table 11-3. Differences in PPTP and L2TP/IPSec VPNs
When VPN access is configured during setup, both PPTP and L2TP/IPSec ports are configured on the RRAS server. No configuration is possible directly on the ports. Settings on clients determine which protocol is used; however, if you can restrict VPN access to one or the other, you may delete the other type of communication port.
NOTE: The L2TP/IPSec standard as originally written is incompatible with NAT because IPSec-encrypted packets include a checksum calculated over the IPSec source address. Since NAT modifies the source address, packets are considered to be corrupt or modified and are dropped when received. NAT-Traversal, or NAT-T, uses UDP to encapsulate the IPSec packet, so the packet can pass through the NAT server without any modification that would cause problems for IPSec. The NAT server must implement NAT-T. The Windows Server 2003 implementation of Internet Key Exchange (IKE), a component of IPSec, can detect NAT-T and switch to UDP-ESP encapsulation.
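The following Python toy model is an added example, not code from the book, and follows the note's own simplification (an integrity check bound to the source address). It shows why a plain IPSec packet fails verification after a NAT rewrites its source address, why the same packet survives when it is carried inside UDP as NAT-T does, and the rule an endpoint uses to tell IKE from ESP on UDP port 4500 (RFC 3947/3948: a four-byte zero marker means IKE). The key `DEMO_KEY`, the addresses, the payload and the HMAC stand-in for the IPsec integrity check are all constructed for the demonstration.

```python
"""Constructed toy model of the NAT problem the note describes and of the NAT-T
fix. DEMO_KEY, the addresses and the payload are made up; the integrity check
is an HMAC stand-in, not a real IPsec implementation."""
import hashlib
import hmac
import socket
import struct

DEMO_KEY = b"constructed-demo-key"   # constructed key shared by both VPN endpoints
TAG_LEN = 12                         # truncated HMAC, like a 96-bit IPsec ICV


def _tag(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()[:TAG_LEN]


def build_plain_ipsec(src_ip: str, body: bytes) -> dict:
    """Classic IPsec as the note describes it: the check is bound to the source address."""
    return {"src": src_ip, "body": body, "tag": _tag(socket.inet_aton(src_ip) + body)}


def verify_plain_ipsec(pkt: dict) -> bool:
    expected = _tag(socket.inet_aton(pkt["src"]) + pkt["body"])
    return hmac.compare_digest(pkt["tag"], expected)


def build_nat_t(src_ip: str, spi: int, seq: int, body: bytes) -> dict:
    """NAT-T: ESP carried inside UDP port 4500. The tag covers only the ESP data,
    so the outer IP/UDP header may be rewritten by a NAT without harm."""
    esp = struct.pack("!II", spi, seq) + body   # ESP header: SPI, sequence number
    return {"src": src_ip, "udp_port": 4500, "udp_payload": esp + _tag(esp)}


def verify_nat_t(pkt: dict) -> bool:
    data, tag = pkt["udp_payload"][:-TAG_LEN], pkt["udp_payload"][-TAG_LEN:]
    return hmac.compare_digest(tag, _tag(data))


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """What a NAT does on the way out: swap the private source address for its public one."""
    rewritten = dict(pkt)
    rewritten["src"] = public_ip
    return rewritten


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex UDP/4500 the way RFC 3947/3948 peers do: a four-byte zero
    'non-ESP marker' means IKE, a single 0xFF byte is a NAT keepalive, and
    anything else begins with an ESP SPI (which is never zero)."""
    if payload == b"\xff":
        return "keepalive"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "IKE"
    return "ESP"


def demo() -> dict:
    """Send both packet styles through a NAT and report what the receiver decides."""
    private_ip, public_ip = "192.168.1.10", "203.0.113.5"   # constructed addresses
    body = b"constructed L2TP payload"
    plain = build_plain_ipsec(private_ip, body)
    natt = build_nat_t(private_ip, spi=0x1234, seq=1, body=body)
    return {
        "plain_before_nat": verify_plain_ipsec(plain),                        # True
        "plain_after_nat": verify_plain_ipsec(nat_rewrite(plain, public_ip)),  # False: dropped as corrupt
        "nat_t_after_nat": verify_nat_t(nat_rewrite(natt, public_ip)),        # True: outer header not covered
        "nat_t_demux": classify_udp4500(natt["udp_payload"]),                 # "ESP"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The plain packet verifies before the NAT and fails after it, while the UDP-encapsulated packet still verifies because the NAT only touched the outer header that the tag never covered; that is the whole point of the encapsulation.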
Use Remote Access Policies

When remote access policies are used, user accounts in Windows Server 2003 and/or Windows 2000 domains are configured to Control Access Through Remote Access Policy. However, the default remote access policy is configured to deny all remote access requests. Do not delete the default remote access policy.
Remote access policies are used to provide remote access configuration. The beauty of remote access policies is that many policies can be created, each specifically designed for a group of clients, a time of day, or some physical device requirement. This allows for many models of remote access control. While it is not the most desirable response, you can create a weak policy for use with legacy clients, while retaining more secure authentication and encryption for others. The weakest connections do not have to dictate security for the entire organization. Hardening remote access connections can be accomplished by setting up proper remote access policies. The following list of hardening steps is presented during a walkthrough of remote access policy creation for connections by the custom-created Auditors group. When IAS is used to centralize RRAS, additional settings can be configured. Techniques for hardening connections according to policy conditions are listed in Table 11-4. A policy condition is checked when a connection attempt is made. If the properties of a connection match the policy condition in a remote access policy, then the remote access policy is applied.
| Condition | Recommendation |
|---|---|
| Authentication Type | Create policies that deny connections based on the use of legacy authentication types. |
| Called Station-ID | Combine with user groups and/or times of day and deny access to specific numbers. Identify constraints for allowed connections to a specific number. |
| Calling Station-ID | Create policy profile restrictions according to the specific location. |
| Day and Time restrictions | Deny or allow access according to the time of day. |
| Tunnel type | Deny or allow access depending on the protocol; specifically, prevent access via PPTP to force use of L2TP/IPSec. |
| Windows Groups | Deny or allow access by Windows user group. |
| Service Type | Deny connections according to the service requested; for example, prevent the use of telnet through this remote access server. |

Table 11-4. Policy Conditions
To use remote access policies:
- Right-click the Remote Access Policy node of the Routing and Remote Access console and select New Remote Access Policy. Then click Next.
- Select Set Up a Custom Policy, enter a name for the new policy, and then click Next.
- Click Add to add a policy condition. Select Windows-Groups and click Add.
- Click Add and enter or browse to and select the Auditors group.
- Click Grant Remote Access Permissions; then click Next.
- Click the Edit Profile button to open the Dial-in Profile property pages, as shown here:
- Restrict connection type to VPN by selecting Allow Access Only Through These Media (NAS Port Type) and then selecting Virtual, as shown here:
- Harden authentication. Click the Authentication tab; then click EAP Methods.
- Click Add and select Smart Card or Other Certificate, and then click OK.
- Click all other checked authentication methods to deselect them.
- Require Strong Encryption. Select the Authentication tab.
- Click to deselect Basic Encryption, click to deselect Strong Encryption, and click to deselect No Encryption.
- Click OK. Then click Next and then Finish.
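To make the evaluation order concrete, here is an added Python model (not RRAS code) of how the server applies the policies from Table 11-4 and the Auditors walkthrough above: policies are tried in order, the first one whose conditions all match decides, a granting policy's dial-in profile is then enforced (VPN only, certificate EAP only, strongest encryption only), and the default policy at the end denies everything else. The policy names, the attribute spellings, the "EAP-TLS" label used for Smart Card or Other Certificate, and the sample connection attempts are all assumptions made for the example.

```python
"""Constructed model of Windows Server 2003 remote access policy evaluation.
Not RRAS code: a simplified first-match simulation. Policy names, attribute
spellings and the sample attempts are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Attempt:
    """What the server knows about one incoming connection."""
    user_groups: Set[str]
    nas_port_type: str          # "Virtual" for VPN, "Async" for plain dial-up
    tunnel_type: Optional[str]  # "L2TP", "PPTP", or None for dial-up
    auth_method: str            # e.g. "EAP-TLS", "MS-CHAPv2", "PAP"
    encryption: str             # "Strongest", "Strong", "Basic" or "None"
    hour: int                   # 0-23, server local time


@dataclass
class Profile:
    """Dial-in profile constraints; None means 'not restricted'."""
    nas_port_types: Optional[Set[str]] = None
    auth_methods: Optional[Set[str]] = None
    encryption_levels: Optional[Set[str]] = None


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Set]   # every condition must match (logical AND)
    grant: bool
    profile: Profile = field(default_factory=Profile)


# Condition names from Table 11-4 mapped to the attempt attribute they inspect.
SIMPLE_CONDITIONS = {
    "Tunnel-Type": "tunnel_type",
    "NAS-Port-Type": "nas_port_type",
    "Authentication-Type": "auth_method",
}


def conditions_match(policy: Policy, attempt: Attempt) -> bool:
    for name, allowed in policy.conditions.items():
        if name == "Windows-Groups":
            if not attempt.user_groups & allowed:
                return False
        elif name == "Day-And-Time":
            if attempt.hour not in allowed:
                return False
        elif getattr(attempt, SIMPLE_CONDITIONS[name]) not in allowed:
            return False
    return True


def profile_violation(profile: Profile, attempt: Attempt) -> Optional[str]:
    """Return a reason string if the attempt breaks the profile, else None."""
    checks = [
        (profile.nas_port_types, attempt.nas_port_type, "NAS port type"),
        (profile.auth_methods, attempt.auth_method, "authentication method"),
        (profile.encryption_levels, attempt.encryption, "encryption level"),
    ]
    for allowed, actual, what in checks:
        if allowed is not None and actual not in allowed:
            return f"{what} {actual!r} not permitted by profile"
    return None


def evaluate(policies: List[Policy], attempt: Attempt) -> Tuple[bool, str]:
    """First-match evaluation; the account is assumed to be set to
    'Control access through Remote Access Policy'."""
    for policy in policies:
        if not conditions_match(policy, attempt):
            continue
        if not policy.grant:
            return False, f"denied by policy {policy.name!r}"
        problem = profile_violation(policy.profile, attempt)
        if problem:
            return False, f"policy {policy.name!r} matched but {problem}"
        return True, f"granted by policy {policy.name!r}"
    return False, "rejected: no policy matched"


def example_policies() -> List[Policy]:
    """The walkthrough's Auditors policy, a Table 11-4 style PPTP block, and the default deny."""
    return [
        Policy("Block PPTP", {"Tunnel-Type": {"PPTP"}}, grant=False),
        Policy("Auditors VPN", {"Windows-Groups": {"Auditors"}}, grant=True,
               profile=Profile(nas_port_types={"Virtual"},       # NAS Port Type: Virtual
                               auth_methods={"EAP-TLS"},         # Smart Card or Other Certificate
                               encryption_levels={"Strongest"})),  # Basic, Strong, None deselected
        Policy("Default (deny all)", {}, grant=False),   # matches everything; keep it last
    ]


def run_demo() -> Dict[str, Tuple[bool, str]]:
    policies = example_policies()
    attempts = {   # constructed connection attempts
        "auditor_l2tp_eap": Attempt({"Auditors"}, "Virtual", "L2TP", "EAP-TLS", "Strongest", 10),
        "auditor_pptp": Attempt({"Auditors"}, "Virtual", "PPTP", "MS-CHAPv2", "Strongest", 10),
        "auditor_dialup": Attempt({"Auditors"}, "Async", None, "EAP-TLS", "Strongest", 10),
        "auditor_weak_crypto": Attempt({"Auditors"}, "Virtual", "L2TP", "EAP-TLS", "Basic", 10),
        "sales_l2tp_eap": Attempt({"Sales"}, "Virtual", "L2TP", "EAP-TLS", "Strongest", 10),
    }
    return {name: evaluate(policies, a) for name, a in attempts.items()}
```

Note the ordering: the PPTP block sits before the Auditors policy, so an auditor dialing in over PPTP is refused before the group policy is ever consulted, and a matching policy whose profile the connection cannot satisfy rejects the connection rather than falling through to a later, weaker policy.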
This is from Hardening Windows Systems, by Roberta Bragg (McGraw-Hill/Osborne, ISBN: 0072253541).