CHAPTER 13: SECURING ACCESS FOR REMOTE USERS AND NETWORKS
Scenario:
that they can use will be Preshared Key.
======================================================================
winsec13.html PAGE
2 2002/05/04
Lesson 1: Planning Remote Access Security
Allowing remote access to your network enables your organization’s employees to access
corporate information from anywhere in the world.
Choosing Between Dial-up and VPN Solutions
Windows 2000 offers two methods for remote users to connect to the LAN: dial-up remote
access and VPN.
Dial-up
Dial-up connections offer access to the greatest number of users because the client requires
only a modem and a phone number to connect to a remote access server. They use the PSTN
(Public Switched Telephone Network). The main advantage of dial-in is that a local company
need not rely on an ISP, as it would with a VPN.
LCP (Link Control Protocol) negotiates the authentication protocol and other connection parameters.
VPN (Virtual Private Network)
The VPN client connects to a TCP port on the remote access server using L2TP or PPTP.
VPN access is commonly implemented to reduce the costs associated with supporting modem
pools for an organization and the long-distance costs associated with remote employees.
VPN access is faster, and users will already have existing Internet access.
Planning Remote Access Authentication
Windows 2000 RRAS supports the following authentication methods:
PAP (Password Authentication Protocol). The user password is sent as plain text. Do
not use on a security-based network.
SPAP (Shiva Password Authentication Protocol). SPAP uses a reversible encryption
method supported by Shiva remote access servers and Windows 2000 remote access
servers.
CHAP (Challenge Handshake Authentication Protocol). CHAP sends the password
and a challenge from the server through a hashing algorithm.
IMPORTANT: CHAP authentication requires that the user’s password be stored in plaintext
or in reversibly encrypted format at the domain controller for comparison purposes. When this
attribute is set, the storage of the plaintext password format doesn’t take place until the user
changes the password after the attribute is enabled.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol). MS-CHAP does
not require the password to be stored in plain text at the domain controller. MS-CHAP uses
the MPPE protocol to encrypt all data transmitted between the remote access client and the
Network Access Server (NAS).
MS-CHAPv2 (MS-CHAP Version 2). Improved security: supports mutual authentication, stronger
data encryption, and separate encryption keys for sending and receiving data.
EAP (Extensible Authentication Protocol). EAP uses TLS to secure the authentication
process.
Choosing Remote Access Authentication Protocols
===================================================================
Use         Under the following conditions                                 Level of Protection
===================================================================
PAP         All dial-up connections; does not support VPN.                 Low
SPAP        You do not require strong encryption.                          Low
CHAP        Your company does not consider the storage of passwords in     Medium
            reversibly encrypted format on the DC a security risk.
MS-CHAP     You don't wish to store passwords in reversibly encrypted      Medium
            format. You require encryption of data between the remote
            access client and the NAS.
MS-CHAPv2   Windows 2000 and NT 4.0 based clients for both dial-up and     High
            VPN authentication. You are using Windows 95 and 98 clients
            for VPN authentication only.
EAP-TLS     Your organization wants both VPN and dial-in. You have PKI     High
            deployed within your organization, which requires
            certificates. You are using only Windows 2000 or other
            operating systems that support smart card authentication.
===================================================================
Planning Dial-up Protocols
You must configure remote access clients and NASs to support a dial-up remote access
protocol when using dial-up connections. There are three:
PPP (Point-to-Point Protocol). PPP has the ability to negotiate security requirements between a
remote access client and a NAS. PPP offers support for multiple protocols (NetBEUI,
IPX/SPX, and TCP/IP) and interoperability with other operating systems. Needed for
remote access for Windows 95, 98, NT 3.5, NT 3.51, NT 4.0, Windows 2000 and
most third-party dialers.
SLIP (Serial Line Internet Protocol). An older dial-up protocol used only with TCP/IP.
RRAS can't use SLIP to authenticate remote access connections.
AsyBEUI (Asynchronous NetBEUI). Used by NT 3.1, Windows for Workgroups,
MS-DOS and LAN Manager.
Planning VPN Protocols
Windows 2000 supports VPN solutions for both client-to-server and network-to-network
connectivity. For client-to-server connections, Windows 2000 supports both PPTP and
L2TP/IPSec solutions.
Analyzing VPN Protocol Selections:
There are three protocols for VPN connections: PPTP, L2TP/IPSec and IPSec tunnel mode.
PPTP. Supported by Windows 95, 98, NT 4.0 and 2000 remote access clients. PPTP needs
the IP connection to exist before the VPN can be established. PPTP uses MPPE to
provide encryption of the transmitted data. MPPE can use 40-bit, 56-bit or 128-bit
encryption keys.
NOTE: MPPE needs the High Encryption Pack installed.
PPTP is commonly used when Windows 95, 98 and NT 4.0 clients must be supported, because
those clients support only PPTP as a VPN protocol. PPTP is also commonly used if you must
pass through a firewall or perimeter network that performs NAT. PPTP doesn't support
authentication of the computers used in the remote access connection.
L2TP/IPSec. L2TP is an alternate method of providing VPN access to the network. As with
PPTP, it can be used to provide both client-to-server and server-to-server access. L2TP
and PPTP have three major differences:
L2TP doesn't include an encryption mechanism. To provide encryption, IPSec is automatically
used to negotiate a security association between the two computers using the L2TP tunnel.
L2TP provides two forms of authentication. It uses MS-CHAP, MS-CHAPv2 and EAP for user
authentication, as with standard dial-up. In addition, IPSec provides machine authentication.
L2TP can't pass through a firewall or perimeter server performing NAT, because NAT modifies
the IP address and port information in the IP packet, which IPSec integrity-protects.
IPSec Tunnel Mode. IPSec tunnel mode uses ESP (Encapsulating Security Payload) to encrypt
all traffic passing between the tunnel endpoints. Consider the following if you want to use
IPSec tunnel mode:
tunnel.
authentication
for IPSec connections.
Selecting the VPN Protocol
=====================================================================
Choose this VPN Protocol   When these circumstances exist
=====================================================================
PPTP                       You require client-to-gateway or network-to-network
                           connectivity.
                           The VPN must pass through a firewall or NAT server.
L2TP                       You require client-to-gateway or network-to-network
                           connectivity.
                           The tunnel server isn't located behind a firewall or
                           perimeter server performing NAT.
                           You plan to implement an IPSec-protected tunnel with the
                           least amount of configuration.
IPSec Tunnel Mode          You require only network-to-network connectivity.
                           Only machine authentication is required for the tunnel
                           endpoints.
                           If using preshared keys, the IPSec security associations
                           are configured to allow connections only from the tunnel
                           endpoints.
=====================================================================
If IPSec tunnel mode packets must pass through a firewall, you must configure the firewall to
allow packets destined to UDP port 500 on the tunnel server.
Planning Integration with Windows NT 4.0 Remote Access Service (RAS) Servers
If your network contains a mix of Windows NT 4.0 RAS servers and Windows 2000 remote
access servers, you must make special considerations to allow authentication of clients
connecting to the Windows NT 4.0 RAS servers.
Windows NT 4.0 RAS servers determine whether a connecting user has dial-in permissions by
connecting to a domain controller with a NULL session. A NULL session is a security risk
because it doesn't provide credentials for the connection.
If you don't allow NULL sessions, a remote access client being authenticated by a Windows
NT 4.0 RAS server may face the following authentication results:
If the Windows NT 4.0 RAS server connects to a Windows NT 4.0 BDC in a mixed-mode
network, authentication will succeed because the Windows NT 4.0 BDC supports NULL sessions.
If the Windows NT 4.0 RAS server is itself a Windows NT 4.0 BDC in a mixed-mode network,
authentication will succeed because the BDC can determine dial-in permissions by looking at
its own copy of the domain database.
If the Windows NT 4.0 RAS server connects to a Windows 2000 domain controller,
authentication will fail or succeed depending on the membership of the Pre-Windows 2000
Compatible Access security group.
This membership is set when running Windows 2000 dcpromo: about the second screen after
starting Dcpromo asks whether you need pre-Windows 2000 compatible permissions.
Lesson Summary:
The decision to allow users to remotely connect to your organization’s network requires
careful planning to ensure that security is maintained.
Lesson 2: Designing Remote Access Security for Users
You can apply several settings to secure user connections to the network. You can use the
CMAK (Connection Manager Administration Kit) to do this.
For each user account you can define the following settings to secure remote access connections:
Remote Access Permissions. You can set permissions for each user to allow access, deny
access or control access through remote access policy.
Verify Caller-ID. The phone number from which the remote access connection originated
can be verified against this attribute value.
Callback Options. Phone charges are applied to the remote access server rather than to the
remote access client.
Assign a Static IP Address. Some firewall software identifies connections by their IP address.
Apply Static Routes. You can restrict which networks a remote access client can access by
applying static routes to the remote access connection.
NOTE: Remote account lockout isn’t related to user account lockout. Remote access account
lockout only prevents an account from connecting to the network using remote access. Account
lockout prevents all access to the network for the locked out account.
There are two registry settings that enable remote access account lockout:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\
Parameters\AccountLockout\MaxDenials
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\
Parameters\AccountLockout\ResetTime
WARNING: Enabling the remote access account lockout settings leaves your network
susceptible to a denial-of-service attack: anyone who repeatedly fails authentication
against a known user name locks that user out of remote access.
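The two values above drive a per-user failed-attempt counter. The following Python model is an added example, not from the course notes; it assumes simplified semantics (a failure increments the user's counter, the counter is discarded once ResetTime minutes have passed since its first failure, and the user is refused while the counter has reached MaxDenials):

```python
from dataclasses import dataclass, field


@dataclass
class RemoteAccessLockout:
    """Per-user failed-attempt counter as RRAS remote access lockout applies it.
    Assumed semantics: a failure increments the counter, the counter is
    discarded once reset_time_min minutes have passed since its first
    failure, and the user is refused while it has reached max_denials."""
    max_denials: int        # MaxDenials: 0 means remote access lockout is off
    reset_time_min: int     # ResetTime: minutes before the counter is reset
    _state: dict = field(default_factory=dict)   # user -> (count, first_min)

    def _expire(self, user: str, now_min: int) -> None:
        entry = self._state.get(user)
        if entry and now_min - entry[1] >= self.reset_time_min:
            del self._state[user]

    def is_locked(self, user: str, now_min: int) -> bool:
        """True while the user's counter has reached MaxDenials."""
        if self.max_denials == 0:
            return False
        self._expire(user, now_min)
        entry = self._state.get(user)
        return entry is not None and entry[0] >= self.max_denials

    def attempt(self, user: str, password_ok: bool, now_min: int) -> str:
        """Process one remote access logon attempt and return the decision.
        Only the remote access counter is touched: the domain account itself
        is never locked out by this mechanism (see the NOTE above)."""
        if self.is_locked(user, now_min):
            return "rejected-locked-out"     # refused before credentials check
        if password_ok:
            self._state.pop(user, None)      # success clears the counter
            return "accepted"
        count, first = self._state.get(user, (0, now_min))
        self._state[user] = (count + 1, first)
        return "rejected-bad-credentials"


def demo_sequence() -> list:
    """Constructed timeline with MaxDenials=3 and ResetTime=30 minutes. The
    three failures need not come from the legitimate user, which is the
    denial-of-service risk the WARNING above refers to."""
    lock = RemoteAccessLockout(max_denials=3, reset_time_min=30)
    results = [lock.attempt("alice", False, minute) for minute in (0, 1, 2)]
    results.append(lock.attempt("alice", True, 3))    # right password, still locked
    results.append(lock.attempt("alice", True, 31))   # window expired, accepted
    return results
```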
Authorizing Dial-up Connections
Windows 2000 supports the following remote access authorization methods:
remote access policies based on the phone number dialed by
the remote access client.
of a third-party security host such as a SecureID
security card.
Securing Client Configuration
Dial-up networking for clients requires that the client computers are configured with dial-up
connections to the remote network.
CMAK allows an administrator to create a dial-up networking connection that works with
Windows 95, Windows 98, NT 4.0 and Windows 2000. You can do the following:
· Define a highly secure connection object.
· Define a package that launches a dial-up VPN connection.
· Define a package that works on Windows 95, 98, NT 4.0 and 2000 based computers.
· Remove saved password configurations.
· Use a standard phone book. You can update the connection object with a phone book
  that provides current local phone numbers.
*** See the chart on page 500 ***
Lesson Summary:
CMAK lets you control the security settings of remote access connections by enforcing the
settings that your organization requires and allowing you to restrict access to key configuration
screens for the remote access connections objects.
Lesson 3: Designing Remote Access Security for Networks
You can deploy a dedicated (or private) WAN link or you can implement a VPN over a public
network such as the Internet.
Private WAN links are typically implemented by purchasing or leasing a dedicated
telecommunications line between the remote office and the corporate network.
In a VPN solution the organization uses a public network to link the offices. The remote office
and the corporate office will still require telecommunication links, but the links will be to the
Internet rather than between the offices.
Securing Dedicated WAN Connections
NOTE: A Windows 2000 server configured with RRAS can act as a router for a dedicated
network link. Windows 2000 supports common routing protocols such as RIP (Routing
Information Protocol) and OSPF (Open Shortest Path First) and can interoperate
with many third-party routers.
Designing VPN Solutions
VPNs ensure that data is protected as it's transmitted over the public network.
VPN solutions between offices can use PPTP, L2TP/IPSec and IPSec tunnel mode.
In this scenario, the remote access server, also referred to as a tunnel server, is located in the
network's DMZ. The DMZ, or perimeter network, is used to host externally available resources.
In this scenario the DMZ is implementing NAT. Since you can't use IPSec to connect through
a firewall that's implementing NAT, this network infrastructure supports only PPTP tunnel
connections to the tunnel server.
What if the Tunnel Server is the Server Performing NAT?
If L2TP/IPSec tunnel mode is configured between the two tunnel servers, the VPN connection
will terminate before the NAT process is performed on any incoming or outgoing packets.
Lesson Summary:
Define security to protect all data transmitted between the remote office and the corporate network.
Lesson 4: Designing Remote Access Policy
Remote access policy provides more control to remote access connections than was previously
available in Microsoft network solutions.
Designing Remote Access Policy Conditions (Attributes)
You can grant or deny access depending on the following conditions:
Called-Station-ID. You can identify which remote access policy to apply if a specific phone
number is dialed by the remote access connection.
Calling-Station-ID. The phone number from which the call originated.
Client-Friendly-Name. The name of the RADIUS client that's forwarding the authentication
request.
Client-IP-Address. The IP address of the RADIUS client that forwarded the authentication
request.
Client-Vendor. Identifies the manufacturer of the RADIUS client that forwarded the
authentication request.
See page 512 for the rest, getting sick of this !!!!!!
Designing Remote Access Policy Profiles
Once a remote access connection attempt is found to match the conditions defined for a specific
remote access policy, the remote access policy profile is applied to the connection.
key for DES and MPPE), or strongest encryption (3DES and
128-bit MPPE).
connections use RADIUS authentication.
NOTE: MPPE provides encryption services for dial-up and PPTP-based VPN connections.
DES and 3DES provide encryption for L2TP/IPSec connections.
Planning Remote Access Policy Application
Remote access policy application varies, depending on whether the domain is in mixed or native mode.
Mixed Mode
In mixed-mode you don’t have the Control Access Through Remote Access Policy option
available in a user account’s properties. By default, every user is set to Allow Access, but
remote access policy is still applied.
Important: The default remote access policy, Allow Access If Dial-In Permission is Enabled,
will grant access to all users if left unmodified. You must delete or modify the default remote
access policy if you need to be able to restrict remote access to the network.
Native Mode
In a native-mode domain, user accounts are configured to Control Access Through Remote
Access Policy in the user account property pages. The connection attempt will result in one
of three outcomes:
· Allowed by policy.
· Denied by policy.
· Denied implicitly.
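To make the condition matching and the mixed-mode versus native-mode outcomes concrete, here is an added Python model (not from the course notes) of how one connection attempt is evaluated against ordered policies. Its assumptions: the first policy whose conditions all match is used, an account setting of Allow or Deny overrides the policy's permission while Control Access Through Remote Access Policy defers to it, and a fourth outcome "Denied by user account setting" covers an explicit account-level deny; the policy names and phone numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOWED = "Allowed by policy"
DENIED_POLICY = "Denied by policy"
DENIED_IMPLICIT = "Denied implicitly"
DENIED_ACCOUNT = "Denied by user account setting"   # assumed fourth outcome


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: Dict[str, str]      # attribute name -> required value
    grant: bool                     # policy permission: True = grant access
    profile: Dict[str, str] = field(default_factory=dict)

    def matches(self, attempt: Dict[str, str]) -> bool:
        # Every condition attribute must equal the connection attempt's value.
        return all(attempt.get(k) == v for k, v in self.conditions.items())


def evaluate(policies: List[RemoteAccessPolicy], attempt: Dict[str, str],
             dialin: str, native_mode: bool) -> Tuple[str, Dict[str, str]]:
    """Return (outcome, profile applied); dialin is 'allow', 'deny' or 'policy'."""
    if dialin == "policy" and not native_mode:
        # Mixed mode has no Control Access Through Remote Access Policy option;
        # accounts default to Allow Access, so treat 'policy' as 'allow'.
        dialin = "allow"
    for policy in policies:          # first matching policy decides
        if not policy.matches(attempt):
            continue
        if dialin == "deny":
            return DENIED_ACCOUNT, {}
        if dialin == "allow" or policy.grant:
            return ALLOWED, policy.profile   # profile constraints then apply
        return DENIED_POLICY, {}
    return DENIED_IMPLICIT, {}               # no policy conditions matched


def demo() -> Dict[str, object]:
    """Constructed scenario: the default policy left in place plus a policy
    granting callers of the corporate VPN number (Called-Station-ID)."""
    default = RemoteAccessPolicy(
        "Allow access if dial-in permission is enabled", {}, grant=False)
    vpn = RemoteAccessPolicy(
        "Corporate VPN", {"Called-Station-ID": "555-0100"}, grant=True,
        profile={"Encryption": "Strongest", "Authentication": "MS-CHAPv2"})
    vpn_call = {"Called-Station-ID": "555-0100", "Client-Vendor": "Microsoft"}
    other_call = {"Called-Station-ID": "555-0199", "Client-Vendor": "Microsoft"}
    return {
        # mixed mode: the unmodified default policy grants every account
        "mixed_default": evaluate([default], other_call, "policy", False)[0],
        # native mode, accounts set to Control Access Through Remote Access Policy
        "native_vpn": evaluate([vpn, default], vpn_call, "policy", True),
        "native_other": evaluate([vpn, default], other_call, "policy", True)[0],
        "native_no_match": evaluate([vpn], other_call, "policy", True)[0],
        "native_user_deny": evaluate([vpn, default], vpn_call, "deny", True)[0],
    }
```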
Lesson Summary:
every possible in a Windows NT 4.0 network.
maintained when access to the network is extended to remote users and networks.
Lesson 5: Planning RADIUS Security
IAS (Internet Authentication Service) is Microsoft's implementation of the Remote Authentication
Dial-In User Service (RADIUS) protocol.
Introducing RADIUS Authentication
RADIUS allows single sign-on capabilities to remote users by allowing them to authenticate
with the domain account and password.
Designing RADIUS Deployments
A RADIUS infrastructure requires servers that play different roles in the RADIUS authentication
process. The servers required for a RADIUS deployment include:
RADIUS server. The RADIUS server provides remote access authentication,
authorization, and accounting services.
RADIUS clients. RADIUS clients include remote access servers, tunnel servers, and
network access servers that can accept remote access client connections.
Remote access clients. Remote access clients connect to the network using dial-up
or VPN connections. Remote access clients may have to provide a prefix or suffix to
identify the RADIUS server that a RADIUS proxy must forward the RADIUS authentication
request to.
RADIUS proxy. A RADIUS proxy is able to determine the correct RADIUS server
by inspecting prefixes and suffixes appended to the user name provided by the remote access
client.
NOTE: Windows 2000 does not provide a RADIUS proxy service. If you require a RADIUS
proxy in your RADIUS deployment, you must deploy either a third-party RADIUS server or
the RADIUS proxy that's included in the Internet Connection Services for RAS for Windows
NT 4.0.
See page 522 for details.
Making the Decision
When designing a RADIUS solution for your organization, you must determine which RADIUS
roles are required to provide single sign-on capabilities.
=====================================================================
Planning RADIUS Component Use
Use               To perform the following tasks
=====================================================================
RADIUS servers    To centralize remote access policy application in a
                  Windows 2000 network.
                  To centralize authentication requests to a single
                  directory store.
                  To centralize account information for remote access at
                  a single location.
RADIUS clients    To forward all authentication and accounting requests to
                  the configured RADIUS server.
                  To receive centralized remote access policy from the
                  configured RADIUS server.
RADIUS proxies    To allow the hosting of authentication services for
                  multiple organizations through the same phone number or
                  tunnel server IP address.
                  To provide informed routing of RADIUS authentication
                  packets to the correct RADIUS server based on either a
                  prefix or suffix provided by the remote access client.
=====================================================================
Planning Centralized Application of Remote Access Policy
Decentralized application of remote access policy can result in inconsistent configurations at
each remote access server.
If access is denied at any point in the evaluation, the deny overrides.
IMPORTANT: RADIUS does expose a single point of failure if the server hosting the IAS
service were to fail. Make sure that the configuration is backed up using the Netsh utility.
When a server running RRAS is configured as a RADIUS client, it receives its remote access
policy from the RADIUS server.
You can create a Group Policy object that enables RRAS. In addition, at the domain you can
configure the Default Domain Policy to disable RRAS. Group Policy inheritance applies the
service setting to all other OUs in the domain.
Making the Decision
To ensure that only centralized application of remote access policy takes place, you must
include the following items in your security design:
Ensure that a server on the network is configured with IAS service.
Configure all authorized remote access servers as RADIUS clients.
Ensure that RRAS is disabled on all unauthorized remote access servers, using Group Policy
to enforce the setting. Configure permissions to restrict the ability to start, pause, and
stop RRAS to Domain Admins.
Lesson Summary:
you ensure that remote access policy design and deployment is centralized at the RADIUS
server.