Hardening Communications - Harden Remote Access Clients
(Page 10 of 11)
Client hardening should be done as part of installation and of ongoing upkeep. Of critical importance on remote access clients are a personal firewall and an up-to-date antivirus product. In addition, harden authentication, remote access policy use, and encryption on the client. Client configuration can be centralized using Group Policy and, for Windows NT 4.0 clients, by creating connection profiles with the Connection Manager Administration Kit (CMAK). Like the IEAK, CMAK is simply a way to create a standard remote access profile and distribute it from a central location; the profile can also be installed as part of an IEAK package. Versions of CMAK are available for Windows 2000, Windows XP, and Windows Server 2003.
Use IAS to Centralize Authentication, Accounting, and Authorization
The Internet Authentication Service (IAS) is the Microsoft implementation of RADIUS. When IAS is added to a network, it can provide centralized authentication, authorization, and accounting for remote access. Remote access policies are configured on the IAS server and govern every RRAS server configured to use that IAS server for authentication. (If remote access policies also exist on such an RRAS server, they are ignored; only the IAS remote access policies are applied.)
Harden the IAS server as you would the RRAS server. In addition, harden authentication and communications between RRAS and IAS servers.
Harden RADIUS/RRAS Authentication
When IAS is used for authentication, a shared secret must be configured on both the RRAS and IAS servers; it is used to authenticate the RADIUS messages exchanged between them. Use a long shared secret (22 characters or more) composed of a random sequence of letters, numbers, and punctuation, and change it regularly. Use a different shared secret for each RADIUS client and RADIUS server pair, and for each RADIUS proxy and RADIUS server pair. (This is not possible if you register RRAS servers in IAS by IP address range rather than individually, because every client in the range must then share one secret.)
Provide RADIUS Message Authentication and Integrity
Use the Message Authenticator attribute to protect IAS from spoofed IP addresses. RRAS servers are registered as RADIUS clients in the IAS properties, and that list determines which RRAS servers can connect to IAS; by itself, however, this check is only on the source IP address of the RADIUS packet, which an attacker can forge. When the Message Authenticator attribute is required, the sender computes an HMAC-MD5 over the RADIUS message, using the shared secret as the key, and places the result in the attribute. The IAS server can therefore determine that the message came from an RRAS server that knows the shared secret, not just from a host using one of the approved IP addresses, and any modification of the message in transit makes the check fail, which guarantees the integrity of the message. (RADIUS messages that carry EAP-Message attributes must include a Message Authenticator regardless of this setting, per RFC 3579, so the setting matters most for PAP, CHAP, and MS-CHAP connections.)
The RADIUS Message Authenticator attribute is configured on the property page of the RADIUS client, under the RADIUS Clients node of the Internet Authentication Service console, as shown in Figure 11-5.
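As an added worked example (not from the book or from IAS/RRAS itself), the following Python script shows what the two preceding sections describe: a shared-secret generator that meets the 22-character, mixed-character guidance, and the Message Authenticator computation and check as specified in RFC 2869 section 5.14 (HMAC-MD5 keyed with the shared secret over the whole Access-Request, with the attribute's own 16-byte value zeroed while computing). The addresses, user names, and secret in it are constructed, and the function names are this example's own, not an IAS or RRAS API.

```python
"""Build and verify the RADIUS Message-Authenticator (RFC 2869, 5.14) on an
Access-Request, and generate a shared secret of the recommended shape.
Constructed example: addresses, user names and secrets below are made up."""
import hashlib
import hmac
import os
import secrets
import string
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 16        # Message-Authenticator value is always 16 octets
HEADER_LEN = 20    # code(1) identifier(1) length(2) authenticator(16)


def generate_shared_secret(length: int = 22) -> str:
    """Random secret of letters, digits and punctuation, 22+ characters,
    drawn from the OS CSPRNG via the secrets module (not random.choice)."""
    if length < 22:
        raise ValueError("shared secret should be at least 22 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # reject the rare draw that misses a character class
        cand = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in cand) and any(c.isdigit() for c in cand)
                and any(c in string.punctuation for c in cand)):
            return cand


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(pkt: bytes):
    """Return [(type, value_offset, value)] for every attribute in pkt,
    rejecting packets whose length fields do not add up."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, off = [], HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, off + 2, pkt[off + 2:off + attr_len]))
        off += attr_len
    return attrs


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs, secret: bytes) -> bytes:
    """Assemble an Access-Request and append a Message-Authenticator computed
    as HMAC-MD5(secret, whole packet with the attribute value zeroed)."""
    body = b"".join(attribute(t, v) for t, v in attrs)
    body += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(MA_LEN))  # zero placeholder
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(body), request_authenticator)
    pkt = bytearray(header + body)
    pkt[-MA_LEN:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """What the RADIUS server does: recompute the HMAC with its own copy of the
    secret over the packet with the attribute zeroed, then compare in constant
    time. Fails closed if the attribute is missing, duplicated or malformed."""
    try:
        found = [(off, val) for t, off, val in parse_attributes(pkt)
                 if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != MA_LEN:
        return False
    off, claimed = found[0]
    zeroed = bytearray(pkt)
    zeroed[off:off + MA_LEN] = bytes(MA_LEN)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(claimed, expected)


def demo():
    """Genuine request verifies; one sent from the approved NAS address but
    without the secret does not; one altered in transit does not."""
    secret = b"x7$Kp!q2Lm#9vR@wZ4nT&bH8"            # constructed, 24 chars
    nas_ip = bytes([10, 0, 0, 5])                   # constructed RRAS address
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, nas_ip)]
    req_auth = os.urandom(16)                       # fresh per Access-Request

    genuine = build_access_request(7, req_auth, attrs, secret)
    spoofed = build_access_request(7, req_auth, attrs, b"wrong-secret")
    tampered = bytearray(genuine)
    for t, off, val in parse_attributes(genuine):
        if t == ATTR_USER_NAME:
            tampered[off:off + len(val)] = b"mallo"  # same length keeps framing valid
    return (verify_message_authenticator(genuine, secret),
            verify_message_authenticator(spoofed, secret),
            verify_message_authenticator(bytes(tampered), secret))


if __name__ == "__main__":
    print("genuine, spoofed, tampered verified:", demo())
```

The demo builds one genuine Access-Request, one from the same NAS address but without the secret (the case that IP-address filtering alone would let through), and one whose User-Name was altered in transit; only the first verifies. Responses are checked the same way, except that the HMAC covers the Request Authenticator of the matching Access-Request rather than the response's own authenticator field, which this example does not cover.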
Use IPSec to Secure RADIUS Messages
The Message Authenticator attribute authenticates RADIUS messages but does not encrypt them; RADIUS itself obscures only the User-Password attribute, and everything else, including user names, travels in the clear. Use IPSec to secure the entire RADIUS message. Create an IPSec policy that secures all communication between the RRAS and IAS servers (RADIUS authentication and accounting use UDP ports 1812 and 1813, or 1645 and 1646 on older implementations).
This is from Hardening Windows Systems, by Roberta Bragg (McGraw-Hill/Osborne, ISBN: 0072253541).