Title: Scenario-Based Solutions for Secure Windows Server 2003 Network Access
1. Scenario-Based Solutions for Secure Windows Server 2003 Network Access
Nam Ng, Security Consultant, Microsoft
2. What We Will Cover
- NAT (Network Address Translation), ICS (Internet Connection Sharing)
- Windows Firewall and the RRAS Basic Firewall
- Certificate-based IPSEC (Internet Protocol Security)
- Remote access quarantine
- L2TP (Layer 2 Tunneling Protocol)
- IAS (Internet Authentication Service)
3. Prerequisite Knowledge
- TCP/IP
- Active Directory
- Windows Server Administration
Level 200
4. Agenda
- Branch office Internet connectivity
- Securing server communications
- Securing remote access
- Office to office VPN
- IAS configuration
5. Business Scenario
Diagram: a branch office (clients and a Windows Server 2003 machine) connected over the Internet to the corporate office (clients and Windows Server 2003 servers).
6. Branch Office Internet Access: Business Problem
- You have a new branch office with the following needs
  - Internet access
  - Security from outside sources
7. Branch Office Internet Access: Solution NAT and Firewall
- NAT (Network Address Translation) or ICS (Internet Connection Sharing)
  - Provides access to the Internet from a protected private address range
- Basic Firewall or Windows Firewall
  - Provides packet-filtering firewall capabilities
8. Branch Office Internet Access: Solution NAT or ICS
- NAT (Network Address Translation)
  - Translates IP address and port number for outgoing and incoming traffic
  - Hides the private IP address range from the Internet
  - Can be used with DHCP or can be configured as a DHCP allocator
  - Can be configured to allow incoming connections to specified reservations
- ICS (Internet Connection Sharing)
  - ICS is basically NAT that is easier to configure (also available on Windows XP)
9. Branch Office Internet Access: NAT vs ICS
- NAT requires manual configuration of DHCP, DNS and RRAS
- ICS is auto-configured and is best suited for a very small environment
- Do not use ICS on a network that
  - Uses static IP addresses
  - Uses other DNS servers, gateways, or DHCP servers
10. NAT/ICS
Diagram: client computers (192.168.1.3, 192.168.1.4, 192.168.1.5) sit behind a computer running NAT (internal IP 192.168.1.1, external public IP) and reach a Web server on a public IP across the Internet.
- The computer running NAT changes the packet header and sends the packet over the Internet to the Web server
- The Web server sends a reply to the computer running NAT
- The computer running NAT determines the destination, changes the packet header, and sends the packet to the client
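The three steps on the slide, as an added example written for this page (it is not code from the presentation): a minimal model of the address and port translation a NAT computer performs. The private addresses are the slide's 192.168.1.0/24 range; the public addresses are constructed documentation addresses, not real hosts. The model also shows the two security-relevant consequences the slides mention: unsolicited inbound traffic has no mapping and is dropped, so the private range stays hidden, and only an explicit reservation forwards inbound connections to an internal host.

```python
"""Added example (not from the presentation): a model of NAT header rewriting.
Private addresses come from the slide; public addresses are constructed."""
from dataclasses import dataclass, replace

NAT_INTERNAL_IP = "192.168.1.1"     # from the slide
NAT_EXTERNAL_IP = "203.0.113.10"    # constructed public address (documentation range)
WEB_SERVER_IP = "198.51.100.80"     # constructed public address (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Rewrites headers on the way out, remembers the mapping, and rewrites
    replies on the way back. Unsolicited inbound traffic is dropped unless an
    explicit reservation forwards it to a private host."""

    def __init__(self, external_ip, first_port=49152):
        self.external_ip = external_ip
        self.next_port = first_port
        self.by_ext_port = {}    # ext_port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.by_flow = {}        # (priv_ip, priv_port, dst_ip, dst_port) -> ext_port
        self.reservations = {}   # ext_port -> (priv_ip, priv_port)

    def reserve(self, ext_port, private_ip, private_port):
        """The slide's 'incoming connections to specified reservations'."""
        self.reservations[ext_port] = (private_ip, private_port)

    def outbound(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = ext_port
            self.by_ext_port[ext_port] = flow
        # Only the source fields change; the Web server sees the NAT's public address
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt):
        entry = self.by_ext_port.get(pkt.dst_port)
        if entry is not None and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            # Reply to a flow a client opened: restore the private destination
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        if pkt.dst_port in self.reservations:
            priv_ip, priv_port = self.reservations[pkt.dst_port]
            return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        return None   # no mapping: dropped, the private range stays hidden


def walk_through():
    """The three steps on the slide, plus an unsolicited probe from outside."""
    nat = NatBox(NAT_EXTERNAL_IP)
    request = Packet("192.168.1.3", 1025, WEB_SERVER_IP, 80)
    on_internet = nat.outbound(request)                                   # step 1
    reply = Packet(WEB_SERVER_IP, 80, on_internet.src_ip, on_internet.src_port)  # step 2
    delivered = nat.inbound(reply)                                        # step 3
    probe = Packet("192.0.2.7", 4444, NAT_EXTERNAL_IP, on_internet.src_port)     # not a reply
    return on_internet, delivered, nat.inbound(probe)


if __name__ == "__main__":
    for label, pkt in zip(("out", "back", "probe"), walk_through()):
        print(label, pkt)
```

The probe at the end targets the same external port the client's flow uses but comes from a different source, so it does not match the mapping and is dropped; a real NAT on a hostile network relies on exactly that check, which is why the slides pair NAT with a packet-filtering firewall rather than treating it as one.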
11. Branch Office Internet Access: Basic Firewall/Windows Firewall
- Basic Firewall
  - Configured through RRAS
  - Allows you to configure exceptions for IP protocols and ICMP traffic for both incoming and outgoing traffic
  - Server-based firewall
- Windows Firewall
  - Added feature in Windows Server 2003 SP1
  - Only allows you to configure TCP and UDP port-based exceptions for incoming traffic
  - Client-based firewall
12. Demonstration
- NAT and Basic Firewall configuration
  - Configuring NAT and the RRAS Basic Firewall
13. Agenda
- Branch office Internet connectivity
- Securing server communications
- Securing remote access
- Office to office VPN
- IAS configuration
14. Securing Server Communications: Business Problem
- You need to ensure that communications between your public web server and your SQL Server are secured
- The web server is located in a screened subnet and connects to the SQL Server through a firewall
- The web server is not a member of the internal Active Directory forest
- Packet filters are already configured on the firewall but more security is needed
15. Securing Server Communications: Certificate-Based IPSec
- Windows Server 2003 Certificate Services
- Configure IPSec encryption to use certificate authentication
- Customize the IPSec policy to encrypt only the SQL traffic (optional but recommended)
16. Securing Server Communications: Windows Server 2003 PKI
Certificates are an electronic credential that authenticates a user on the Internet and intranets.
Certificates
- Securely bind a public key to the entity that holds the corresponding private key
- Are digitally signed by the issuing certificate authority (CA)
- Verify the identity of a user, computer, or service that presents the certificate
- Contain details about the issuer and the subject
17. Securing Server Communications: IPSec Authentication Methods
- Kerberos (default)
  - Works for machines that are members of trusted Active Directory domains
- Certificate-based
  - Works for machines that have certificates from a selected Certificate Authority
- Preshared key
  - Not recommended because it is the least secure of the three methods
18. Securing Server Communications: Custom IPSec Policies
- Default policies include
  - Client (Respond Only)
  - Server (Request Security)
  - Secure Server (Require Security)
- Example of a custom policy
  - Edit the Secure Server policy filters to require security only for communications between the IIS server and the SQL Server.
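To make the custom-policy example concrete, here is an added model (written for this page, not code from the presentation or from Windows) of how an IPsec policy's filter lists and filter actions decide what happens to a packet. It contrasts the stock "Secure Server (Require Security)" policy, whose single all-traffic filter blocks any peer that cannot do IPsec, with the slide's custom policy that negotiates security only for IIS-to-SQL traffic and permits everything else in the clear. The IP addresses, the TCP port 1433 for SQL Server, and the "most specific rule listed first, first match wins" ordering are assumptions of the model, not a description of the Windows IPsec driver.

```python
"""Added example (not from the presentation): filter-list evaluation for an
IPsec policy. Addresses are constructed; rule ordering is a model assumption."""
from dataclasses import dataclass

ANY = "any"
IIS_IP, SQL_IP, DNS_IP = "10.0.0.5", "10.0.1.20", "10.0.1.53"   # constructed addresses
SQL_PORT = 1433                                                  # assumed SQL Server port


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    src: str = ANY
    dst: str = ANY
    protocol: str = ANY
    dst_port: object = ANY
    mirrored: bool = True          # also match the reply direction

    def matches(self, pkt):
        def one(src, dst, port):
            return (self.src in (ANY, src) and self.dst in (ANY, dst)
                    and self.protocol in (ANY, pkt.protocol)
                    and self.dst_port in (ANY, port))
        if one(pkt.src, pkt.dst, pkt.dst_port):
            return True
        # Mirrored filter: the reply has src/dst swapped and the service port as source
        return self.mirrored and one(pkt.dst, pkt.src, pkt.src_port)


@dataclass(frozen=True)
class Rule:
    filt: Filter
    action: str                       # "permit", "block" or "negotiate"
    fall_back_to_clear: bool = False  # negotiate only: accept unsecured if peer lacks IPsec


def decide(rules, pkt, peer_supports_ipsec):
    """Rules are listed most specific first (model assumption); first match wins."""
    for rule in rules:
        if not rule.filt.matches(pkt):
            continue
        if rule.action != "negotiate":
            return rule.action
        if peer_supports_ipsec:
            return "ipsec"
        return "clear" if rule.fall_back_to_clear else "blocked"
    return "permit"     # nothing matched: IPsec is simply not applied


# Stock 'Secure Server (Require Security)': every IP packet must be secured.
SECURE_SERVER = [Rule(Filter(), "negotiate")]

# The slide's custom policy: only IIS <-> SQL on TCP 1433 must be secured;
# all other traffic (DNS, monitoring, ...) is permitted in the clear.
IIS_TO_SQL_ONLY = [
    Rule(Filter(src=IIS_IP, dst=SQL_IP, protocol="tcp", dst_port=SQL_PORT), "negotiate"),
    Rule(Filter(), "permit"),
]

# Constructed sample packets
SQL_QUERY = Pkt(IIS_IP, SQL_IP, "tcp", 50000, SQL_PORT)
SQL_REPLY = Pkt(SQL_IP, IIS_IP, "tcp", SQL_PORT, 50000)
DNS_LOOKUP = Pkt(IIS_IP, DNS_IP, "udp", 50001, 53)

if __name__ == "__main__":
    for name, pkt in (("SQL query", SQL_QUERY), ("SQL reply", SQL_REPLY), ("DNS lookup", DNS_LOOKUP)):
        print(name, "custom:", decide(IIS_TO_SQL_ONLY, pkt, name != "DNS lookup"),
              "secure-server:", decide(SECURE_SERVER, pkt, name != "DNS lookup"))
```

The practical check this illustrates: with the unmodified Secure Server policy, the IIS box cannot even resolve names against a DNS server that has no IPsec policy, which is the usual reason a "require security everywhere" rollout breaks; scoping the negotiate filter to the SQL flow (and keeping it mirrored so replies are covered) avoids that while still protecting the traffic the business problem cares about.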
19. Demonstration
- IPSec Configuration
  - Installing the IPSec computer certificates
  - Creating the custom IPSec policy
20. Agenda
- Branch office Internet connectivity
- Securing web server communications
- Securing remote access
- Office to office VPN
- IAS configuration
21. Securing Remote Access: Business Problem
- You need to configure a secure remote access solution that ensures
  - Customizable control over user access
  - Prevention of invalid configurations from connecting
22. Securing Remote Access: Remote Access Policies and Quarantine
- Remote Access Policies
  - Allow robust control of remote access
- Network Access Quarantine Control
  - Delays a full remote access connection until the remote access client has been examined according to administrator-provided scripts
23. Securing Remote Access: Remote Access Policy Evaluation
Diagram: a RAS client connects to a RAS server, which evaluates the remote access policy against the user account held on a Windows 2000 domain controller.
- Remote Access Conditions: day and time, group, etc.
- Remote Access Profile: dial-in media restrictions, multilink settings, etc.
- Account permissions: Allow, Deny
24. Securing Remote Access: Remote Access Policy Evaluation
Diagram: the same RAS client, RAS server and Windows 2000 domain controller, with the account's third permission setting added.
- Remote Access Conditions: day and time, group, etc.
- Remote Access Profile: dial-in media restrictions, multilink settings, etc.
- Account permissions: Allow, Deny, Control with RAP
  - Remote Access Permissions: Allow, Deny (only in Native mode)
25. Securing Remote Access: Policy Behavior
- Default Remote Access Policy
  - Essentially allows access to any user account that has been allowed access through their user account properties in Active Directory
- Multiple policies
  - Policies are checked in priority order until the user matches the conditions of one of the policies
  - If a user matches the conditions of multiple policies, the first policy that matches is used
26. Securing Remote Access: Network Access Quarantine
- Allows validation of the following on incoming remote access connections
  - Service pack version
  - Antivirus software and signatures
  - Local firewall configuration
  - Local routing disabled
  - Password-protected screensaver
27. Securing Remote Access: Network Access Quarantine
Diagram: a quarantine client with a CM profile connects to a Windows Server 2003 RAS server backed by a Windows Server 2003 DC; the client executes the quarantine script; under the quarantine policy it can reach only the quarantine resources, and intranet access (marked X) is opened only once the script reports OK.
28. Securing Remote Access: Quarantine Configuration
- To deploy Network Access Quarantine Control, the basic steps (in order) are as follows
  1. Create quarantine resources
  2. Create a script or program that validates client configuration
  3. Install Rqs.exe on remote access servers
     - NOTE: This will be available through Add/Remove Programs with Service Pack 1
  4. Create a new quarantine CM profile with Windows Server 2003 CMAK
  5. Distribute the CM profile for installation on remote access client computers
  6. Configure a quarantine remote access policy
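Slides 25 to 28 describe two mechanisms that are easiest to see together: policies evaluated in priority order with the account's dial-in permission applied, and a quarantine profile that holds the session until the client's validation script reports that the checks from slide 26 pass. The following is an added model written for this page (not code from the presentation, RRAS or rqs.exe/rqc.exe). Policy names, group names, the hour window and the posture results are constructed; the account permission semantics are modelled as Allow overriding the policy's own permission, Deny always refusing, and "Control with RAP" deferring to the policy.

```python
"""Added example (not from the presentation): remote access policy evaluation
in priority order, combined with a quarantine profile that reports which
client checks failed. All names and posture results are constructed."""
from dataclasses import dataclass

ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control"   # account dial-in setting
# The checks listed on the quarantine slide; the client script reports each one
QUARANTINE_CHECKS = ("service_pack", "antivirus", "firewall", "routing_disabled", "screensaver")


@dataclass
class Policy:
    name: str
    groups: frozenset          # condition: member of at least one (empty = any user)
    hours: tuple = (0, 24)     # condition: allowed window [start, end) in local hours
    grant: bool = True         # the policy's own permission, used when the account says 'control'
    quarantine: bool = False   # profile setting: hold the session until the script reports OK


@dataclass
class Account:
    name: str
    groups: frozenset
    dial_in: str = CONTROL_BY_POLICY


def conditions_match(policy, account, hour):
    in_group = not policy.groups or bool(policy.groups & account.groups)
    start, end = policy.hours
    return in_group and start <= hour < end


def evaluate(policies, account, hour, posture):
    """Return 'allow', 'deny' or 'quarantine:<failed checks>' for one connection attempt.

    policies: in priority order; the first whose conditions match decides (slide 25).
    posture:  mapping check name -> bool, as reported by the client's quarantine script.
    """
    for policy in policies:
        if not conditions_match(policy, account, hour):
            continue                               # conditions fail: try the next policy
        if account.dial_in == DENY:
            return "deny"                          # account denial wins over any policy
        if account.dial_in == CONTROL_BY_POLICY and not policy.grant:
            return "deny"                          # policy permission applies
        if policy.quarantine:
            failed = [c for c in QUARANTINE_CHECKS if not posture.get(c, False)]
            if failed:                             # stays restricted to quarantine resources
                return "quarantine:" + ",".join(failed)
        return "allow"
    return "deny"                                  # no matching policy: rejected


# Constructed policy set, highest priority first
POLICIES = [
    Policy("Contractors, business hours", frozenset({"Contractors"}), hours=(8, 18), quarantine=True),
    Policy("Contractors, after hours", frozenset({"Contractors"}), grant=False),
    Policy("Default: any user allowed on the account", frozenset(), quarantine=True),
]

HEALTHY = {c: True for c in QUARANTINE_CHECKS}


def demo(hour=12):
    """A constructed contractor connecting with a client whose firewall check failed."""
    contractor = Account("contractor1", frozenset({"Contractors"}))
    posture = dict(HEALTHY, firewall=False)
    return evaluate(POLICIES, contractor, hour, posture)


if __name__ == "__main__":
    print(demo())   # quarantine:firewall
```

Note the ordering effect: the contractor connecting at 23:00 fails the first policy's time condition, matches the second, and is denied even though the default policy further down would have admitted them. Putting the narrower policy above the permissive default is what makes the conditions meaningful, which is why the slide stresses that the first matching policy is used.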
29. Demonstration
- Configuring VPN Quarantine
  - Configuring the Remote Access Server
  - Creating the CMAK profile
  - Testing the connection
30. Agenda
- Branch office Internet connectivity
- Securing web server communications
- Securing remote access
- Office to office VPN
- IAS configuration
31. Office to Office VPN: Business Problem
- You want to connect the branch office through site-to-site VPN and need to ensure high security
32. Office to Office VPN: Solution L2TP VPN
- Router-to-router VPN
  - Cost-effective solution when compared to leased lines
- L2TP (Layer 2 Tunneling Protocol)
  - Utilizes IPSec encryption (DES or 3DES) and computer certificates for machine-based authentication
33. Office to Office VPN: Windows Server 2003 L2TP
- Windows Server 2003 supports IPSec NAT-T, which means that you could have your VPN servers behind a firewall that provides NAT
- Windows Server 2003 also supports using preshared keys for authentication (not recommended for production use)
34. Office to Office VPN: L2TP Connection Process
Diagram: two Windows Server 2003 VPN servers connected to each other across the Internet.
35. Office to Office VPN: L2TP VPN Configuration
- Install computer certificates on each of the VPN servers
- Configure demand-dial interfaces
- Configure the dial-in account to be used
- Configure packet filters on the VPN server or firewall depending on the environment
36. Demonstration
- Office to Office VPN using L2TP
  - Configuring the corporate router
  - Configuring the branch router
  - Testing the connection
37. Agenda
- Branch office Internet connectivity
- Securing web server communications
- Securing remote access
- Office to office VPN
- IAS configuration
38. IAS Configuration: Business Problem
- You would like to configure a remote access server at the new branch office that is located in the DMZ and is not a member of the domain. Authentication needs to be from Active Directory.
39. IAS Configuration: Solution IAS
- An IAS (Internet Authentication Service) server is Microsoft's implementation of RADIUS (Remote Authentication Dial-In User Service)
- Enables organizations to centralize remote access authentication, auditing, authorization, and accounting
40. IAS Configuration: What is IAS?
- IAS, a Windows Server 2003 component, is an industry-standard compliant RADIUS server. IAS performs centralized authentication, authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections
You can configure IAS to support
- Dial-up corporate access
- Extranet access for business partners
- Internet access
- Outsourced corporate access through service providers
41. IAS Configuration: How IAS Works
Diagram: a client connects to the remote access server; the remote access server acts as a RADIUS client and forwards the authentication to the RADIUS (IAS) server, which checks the account against the domain controller.
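The exchange in the diagram above, as an added example written for this page (not code from the presentation or from IAS): the remote access server in the DMZ sends a RADIUS Access-Request to IAS and receives an Access-Accept or Access-Reject. The packet layout, the User-Password hiding scheme and the Response Authenticator are taken from RFC 2865 and built with the standard library only. The point for the "RADIUS client" configuration step in the demonstration is that the shared secret configured on both sides does two jobs: it hides the password in transit, and it is the only thing that lets the remote access server tell a genuine Access-Accept from a forged one. The secret, user name, password and request authenticator below are constructed.

```python
"""Added example (not from the presentation): RADIUS Access-Request and response
verification per RFC 2865, using only the standard library. Values constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2        # attribute types
HEADER = struct.Struct("!BBH")         # code, identifier, length (authenticator follows)


def attribute(attr_type, value):
    """Type, Length (including this 2-byte header), Value."""
    return bytes((attr_type, len(value) + 2)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the request authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """The server-side inverse of hide_password (IAS needs the same secret)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, request_auth=None):
    if request_auth is None:
        request_auth = os.urandom(16)      # must be unpredictable and unique per request
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth)))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs=b""):
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """What the RADIUS client must check before honouring an Access-Accept."""
    code, identifier, length = HEADER.unpack(packet[:4])
    attrs = packet[20:length]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Constructed exchange: a genuine accept and one built without the real secret."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    request = build_access_request(7, secret, b"branch\\user1", b"P@ssw0rd", req_auth)
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret)
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, b"wrong-secret")
    return request, accept, forged


if __name__ == "__main__":
    request, accept, forged = demo()
    print("genuine accept verifies:", verify_response(accept, bytes(range(16)), b"constructed-shared-secret"))
    print("forged accept verifies:", verify_response(forged, bytes(range(16)), b"constructed-shared-secret"))
```

Two practical consequences follow from the code: the password hiding is only as strong as the shared secret and the randomness of the request authenticator, so the RADIUS client entry on IAS deserves a long random secret rather than a word; and because the same secret authenticates responses, an Access-Accept arriving from a host that does not know it fails verification, which is the check the remote access server in the DMZ relies on.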
42. Demonstration
- Configuring IAS
  - Install and configure IAS
  - Configure the RADIUS client
  - Test and verify the configuration
43. Session Summary
- Windows Server 2003 RRAS is a very capable solution to many networking problems
- Network access quarantine is a great tool to help protect your network from unwanted threats
- Certificates can be used with custom IPSec policies as well as L2TP VPN connections to greatly enhance security
44. For More Information
- Visit TechNet at www.microsoft.com/technet
- See the URL below for additional information including
  - books and courses
  - community resources
  - streamed and downloadable media versions of this session
- www.microsoft.com/technet/tnt1-158
45. TechEd Hong Kong 2005 is coming!
- October 4-6, Hong Kong Convention and Exhibition Centre
- Free of charge to all Macau customers if you register today!
- www.microsoft.com/hk/teched2005
46. http://jo-san.it
- Hang out and meet other IT Professionals
- Hear about the latest IT Professional news and gossip
- Get tips and ideas
- Share technical know-how with others
- Blogs