Securing Access for Remote Users and Networks

1
Securing Access for Remote Users and Networks

• Planning Remote Access Security
• Designing Remote Access Security for Users
• Designing Remote Access Security for Networks
• Designing Remote Access Policy
• Planning RADIUS Security

2
Planning Remote Access Security

• Choosing between dial-up and virtual private
  network (VPN) solutions
• Planning remote access authentication
• Planning dial-up protocols
• Planning VPN protocols
• Planning integration with Microsoft Windows NT
  4.0 Remote Access Service (RAS) servers

3
Dial-Up Access
4
VPN Access
5
Making the Decision Choosing Between Dial-Up and
VPN Remote Access

• Use dial-up access if
• The organization maintains an existing modem pool
• Most remote connections to the network are
  through local access numbers and do not require
  long distance or toll-free charges
• The organization requires an alternative
  connection method between offices if a dedicated
  network link fails
• Use VPN access if
• The organization wants to outsource modem support
  to an ISP
• Users have existing Internet access
• The organization wants to reduce the costs
  associated with long-distance and toll-free
  numbers
• The organization requires faster access speeds
  than are possible with dial-up networking
  solutions

6
Applying the Decision Hanson Brothers Requires
Both Dial-Up and VPN Remote Access

• Dial-up access
• The stock application from Adventure Works
  requires a dial-up connection.
• Hanson Brothers will restrict the connection to a
  specific phone number.
• VPN access
• Connect Montreal to the corporate office in
  Warroad.
• Create a demand-dial connection as a backup.
• Packets will initiate the dial-up connection if
  the VPN is unavailable.

7
Authentication Protocols Supported by Windows
2000 RRAS

• Routing and Remote Access Service (RRAS) supports
• Password Authentication Protocol (PAP)
• Shiva Password Authentication Protocol (SPAP)
• Challenge Handshake Authentication Protocol
  (CHAP)
• Microsoft Challenge Handshake Authentication
  Protocol (MS-CHAP)
• Microsoft Challenge Handshake Authentication
  Protocol Version 2 (MS-CHAPv2)
• Extensible Authentication Protocol (EAP)

8
The Advantage of Two-Factor Authentication

• Adds security to the authentication process
• Requires two forms of identification when users
  are authenticating with the network

9
Making the Decision Choosing a Remote Access
Authentication Protocol

• Low level of protection
• PAP
• SPAP
• Medium level of protection
• CHAP
• MS-CHAP
• High level of protection
• MS-CHAPv2
• EAP-TLS

10
Applying the Decision Hanson Brothers Must
Implement MS-CHAP and MS-CHAPv2

• These protocols provide the strongest form of
  authentication acceptable to both the remote
  client and the RRAS server.
• Implement strong encryption on the remote access
  connection from Adventure Works.
• Internet Protocol Security (IPSec) tunnel mode is
  the only choice for connecting the Montreal
  office securely to the Warroad office over the
  Internet.

11
Remote Access Protocols Supported by Microsoft
Windows 2000

• Point-to-Point Protocol (PPP)
• Serial Line Internet Protocol (SLIP)
• Asynchronous NetBEUI (AsyBEUI)

12
Making the Decision Choosing a Remote Access
Protocol

• PPP
• SLIP
• AsyBEUI

13
Applying the Decision Hanson Brothers Implements
PPP Remote Access Protocol

• Windows 2000 RRAS will provide remote user and
  office connectivity.
• PPP meets all needs for connectivity.
• SLIP is supported only for remote access clients.
• There is no need to configure the remote access
  clients to support SLIP connections.
• There is no need to support AsyBEUI remote access
  connections.

14
Planning VPN Protocols
15
VPN Protocol Introduction

• Windows 2000 supports
• VPN solutions for both client-to-server and
  network-to-network connectivity
• Both Point-to-Point Tunneling Protocol (PPTP) and
  Layer Two Tunneling Protocol (L2TP)/IPSec
  solutions
• IPSec tunnel solutions for providing
  network-to-network connectivity
• The design decisions do not vary for
  client-to-network and network-to-network
  solutions.
• Network-to-network solutions can include IPSec
  tunnel mode.

16
Point-to-Point Tunneling Protocol (PPTP)

• PPTP requires an IP connection to exist before
  the VPN can be established.
• PPTP uses Microsoft Point-to-Point Encryption
  (MPPE) to provide encryption of the transmitted
  data.
• MPPE can use 40-bit, 56-bit, or 128-bit
  encryption keys.
• If a firewall is used, it should be configured to
  allow the PPTP packets to pass through the
  firewall.
• Use the destination port of TCP port 1723 and
  protocol ID 47 (Generic Routing Encapsulation
  (GRE))

17
Use PPTP to Meet the Following Requirements

• If support for down-level clients is needed
• If the VPN must cross a firewall or perimeter
  network that performs Network Address Translation
  (NAT)
• If the organization requires the authentication
  of the user account only, not the machine account

18
PPTP Security Weakness

• The original implementation of PPTP used MS-CHAP
  as the authentication protocol.
• The latest update to PPTP has added support for
  MS-CHAPv2 and EAP authentication.
• With PPTP deployed, it is possible to determine
  the password by using a dictionary attack if weak
  passwords have been used.
• If weak passwords are a major concern, ensure
  that all remote access clients use Windows 2000,
  and issue smart cards to use EAP authentication.

19
Differences between L2TP and PPTP

• L2TP does not include an encryption mechanism.
• L2TP provides two forms of authentication.
• L2TP cannot pass through a firewall or perimeter
  server performing NAT.

20
L2TP/IPSec Firewall Considerations

• Configure the firewall to allow IPSec packets
  destined for the tunnel server to pass through
  the firewall.
• The IPSec packets are destined for UDP port 500
  on the tunnel server using the IPSec ESP protocol
  identified by protocol ID 50.
• Do not configure the firewall to pass L2TP
  packets (destined for UDP port 1701) because the
  packets are still encrypted when they pass
  through the firewall.

21
IPSec Tunnel Mode

• IPSec Tunnel Mode uses Encapsulating Security
  Payloads (ESPs) to encrypt all traffic passing
  between the tunnel endpoints.
• Original IP packets are encrypted within the
  IPSec tunnel mode packet as they are transmitted
  across the unsecured network.
• Data is decrypted when it reaches the endpoint
  nearest the destination computer.

22
IPSec Tunnel Mode Considerations

• IPSec tunnel mode is a highly interoperable
  solution.
• IPSec does not provide user authentication of the
  two endpoints involved in the IPSec tunnel.
• IPSec tunnel mode does not support
  client-to-network VPN access.
• IPSec tunnel mode does not provide end-to-end
  encryption of data.
• IPSec supports certificate-based authentication,
  Kerberos, and preshared key authentication for
  IPSec connections.
• Tunnel server placement can prevent IPSec tunnel
  mode communications.

23
Making the Decision Selecting a VPN Protocol

• PPTP
• L2TP
• IPSec Tunnel Mode

24
Applying the Decision VPN Solutions for
Connecting the Montreal and Warroad Offices
25
Planning Integration with Windows NT 4.0 RAS
Servers

• NULL sessions
• NULL sessions allow anyone connected to the
  network to query the Active Directory directory
  service without the default security mechanisms
  in place.
• Windows NT 4.0 RAS servers determine whether a
  connecting user has dial-in permissions by
  connecting to a domain controller (DC) with a
  NULL session.

26
Implications of Disallowing NULL Sessions

• With a Windows NT 4.0 RAS server that connects to
  a Windows NT 4.0 backup domain controller (BDC)
  in a mixed mode network
• Authentication will succeed because the Windows
  NT 4.0 BDC supports NULL sessions
• With a Windows NT 4.0 RAS server that is a
  Windows NT 4.0 BDC in a mixed mode network
• Authentication will succeed because the BDC can
  determine dial-in permissions by looking at its
  versions of the domain database
• With a Windows NT 4.0 RAS server that connects to
  a Windows 2000 DC
• The authentication will fail or succeed depending
  on the membership of the PreWindows Compatible
  Access security group

27
Membership of the PreWindows 2000 Compatible
Access Security Group

• Members of this group can query the DC with a
  NULL session.
• Membership is determined by the user who creates
  a new domain in the forest.
• The Everyone group can be added to the
  PreWindows 2000 Compatible Access security
  group.
• There are security implications due to unsecured
  queries to Active Directory.

28
Making the Decision Designing Remote Access when
Windows NT RAS Servers Exist on the Network

• If the Windows NT 4.0 remote access server is not
  a BDC, ensure that the membership of the Pre
  Windows 2000 Compatible Access group contains the
  Everyone group.
• Upgrade or decommission the Windows NT 4.0 remote
  access servers as soon as possible.
• Remove the Everyone group from the PreWindows
  2000 Compatible Access group after all servers
  are upgraded or decommissioned.

29
Applying the Decision Windows NT RAS Server
Considerations for Hanson Brothers

• There are no Windows NT 4.0 servers running
  remote access services in the network.
• To prevent excess rights from being granted to
  the network, inspect the membership and ensure
  that the Everyone group is not a member of the
  PreWindows 2000 Compatible Access security
  group.

30
Designing Remote Access Security for Users

• Planning user settings for dial-up networking
  security
• Authorizing dial-up connections
• Securing client configuration

31
Remote Access Settings for User Accounts

• Set remote access permissions.
• Verify caller-ID.
• Configure callback options.
• Assign a static IP address.
• Apply static routes.

32
Making the Decision Planning User Properties for
Remote Access Security

• Prevent remote access to the network.
• Use remote access policy settings to determine
  remote access permissions.
• Restrict dial-up connections to a specific phone
  number.
• Assign a specific IP address for all connection
  attempts by the user.
• Restrict remote access clients to specific
  network segments.

33
Making the Decision Enabling the Remote Access
Account Lockout Feature

• Use this feature to deny remote access to a user
  account if a preconfigured number of failed
  authentication attempts occur.
• This helps prevent an attacker from attempting
  dictionary attacks.
• The attacked account is disabled for remote
  access once the number of failed attempts exceeds
  the configured threshold.
• Remote access account lockout is not related to
  user account lockout.
• Enabling remote access lockout leaves the network
  susceptible to an attacker who could lock out
  user accounts.

34
Making the Decision Registry Settings to Enable
Remote Access Account Lockout

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
  es \RemoteAccess\Parameters\AccountLockout\MaxDeni
  als
• Sets the value for the failed attempts counter.
• If the counter exceeds the configured value,
  remote access is locked out for the account.
• A successful authentication resets the failed
  attempts counter.
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic
  es \RemoteAccess\Parameters\AccountLockout\ResetTi
  me
• Sets the interval, in minutes, to reset the
  failed attempts counter to a value of 0.
• The default value is 2880 minutes, or 48 hours.
• RADIUS authentication
• Make the registry modifications at the server
  running Internet Authentication Services (IAS).

35
Applying the Decision Deploying User Properties
for Remote Access Security for Hanson Brothers

• Hanson Brothers
• The default option of Control Access Through
  Remote Access Policy is appropriate for all user
  accounts.
• Configure Deny Access for the Guest account.
• Adventure Works
• Define a dedicated user account for connecting to
  the Hanson Brothers network.
• Configure the dial-in settings for the account to
  Verify Caller-ID and set the predefined phone
  number at Adventure Works.
• Hanson Brothers can cover the long-distance phone
  charges by using callback security to return the
  call to the specified phone number.

36
Authorizing Dial-Up Connections

• Windows 2000 remote access authorization
  techniques can be implemented in addition to
  authenticating remote access connections.
• Authorization techniques examine the attributes
  of the connection attempt, not the user account.
• The entire phone system must support the
  authorization method.
• If any part of the connection does not support
  the authorization method, authorization will
  fail.

37
Remote Access Authorization Methods
38
ANI/CLI and Caller ID Differences

• Automatic Number Identification/Calling Line
  Identification (ANI/CLI) does not require the
  remote access connection to provide user
  credentials.
• The remote access connection is authorized based
  on the originating phone number when ANI/CLI is
  used.
• ANI/CLI does not send user credentials in the
  connection request.
• The Caller-ID attribute is not verified until
  after the credentials are presented for a remote
  access connection.
• Caller ID can be used to secure access to other
  resources on the network.

39
Making the Decision Authorization Methods for
Remote Access

• ANI/CLI
• Dialed Number Identification Service (DNIS)
• Third-party security hosts

40
Applying the Decision Authorization Methods for
Remote Access at Hanson Brothers

• Hanson Brothers should consider using a
  combination of ANI/CLI and DNIS for the
  connection from Adventure Works.
• Adventure Works should use a different phone
  number when connecting to the Hanson Brothers
  network to query stock levels.
• DNIS can identify connection attempts to the
  network and apply the most restrictive remote
  access policy to the connection.
• Hanson Brothers can use ANI/CLI to provide
  Adventure Works with unauthenticated, but
  authorized, access to the network.
• ANI/CLI cannot be used for requests to the
  stocking application, since user credentials will
  not be provided.

41
Securing Client Configuration

• The Configuration Manager Administration Kit
  (CMAK) allows an administrator to create a
  dial-up connection that works with Microsoft
  Windows 95, Microsoft Windows 98, Windows NT 4.0,
  and Windows 2000.
• CMAK allows control of the security settings of
  remote access connections by
• Enforcing the settings the organization requires
• Restricting access to key configuration screens
  for remote access connection objects
• CMAK reduces administrative overhead by deploying
  preset security configuration.
• CMAK is included with Microsoft Windows 2000
  Server.

42
CMAK Advantages over User-Defined Dial-Up
Network Connection Objects

• Defines a highly secure connection object
• Defines a package that launches a dial-up and VPN
  connection
• Creates a package that can be deployed to most
  Microsoft Windows operating systems.
• Removes saved password vulnerabilities
• Deploys preset security configurations
• Uses a standard phone book

43
Making the Decision Designing CMAK Packages to
Secure Remote Access

• Provide local access numbers.
• Simplify the dial-up process when VPNs are
  deployed.
• Prevent the modification of security
  configuration parameters set in a dial-up
  connection.
• Prevent remote access connections by unauthorized
  personnel.
• Meet multiple dial-up configuration requirements.

44
Applying the Decision Designing CMAK Packages to
Secure Remote Access for Hanson Brothers

• CMAK package for dial-up clients
• Configure the phone book to provide local access
  numbers for the Calgary, Boise, and Warroad
  offices.
• Configure the dial-up connections to use only
  MS-CHAPv2 to ensure mutual authentication of
  remote access client and remote access server.
• Configure the dial-up connections to require the
  strongest encryption settings.
• Restrict access to the Security tab to prevent
  users from modifying data encryption or
  authentication settings.

45
Applying the Decision Designing CMAK Packages to
Secure Remote Access for Hanson Brothers (Cont.)

• CMAK package for VPN clients
• Configure the phone book to provide host names
  for the remote access servers at the Calgary,
  Boise, and Warroad offices, or configure separate
  CMAK packages for each office.
• Configure the VPN connections to only use
  MS-CHAPv2 to ensure mutual authentication of
  remote access client and remote access server.
• Configure the VPN connections to require the
  strongest encryption settings.
• Configure the VPN connection to use only PPTP.
• Deploy computer certificates to all remote access
  client computers before implementing L2TP/IPSec
  connections.
• Prevent access to the Security tab so users
  cannot modify data encryption or authentication
  settings.

46
Designing Remote Access Security for Networks

• Choosing remote office connectivity solutions
• Securing dedicated WAN connections
• Designing VPN solutions

47
Private WAN Links
48
VPN Over a Public Network
49
Making the Decision Choosing a Remote Office
Connectivity Solution

• Reasons to choose a dedicated WAN Link
• Restricts network traffic over the WAN link
  exclusively to traffic between the two offices
• Guarantees bandwidth between the two sites
• Cost of a dedicated link is not prohibitive
• International boundaries or local laws do not
  prevent the establishment of a dedicated network
  link

50
Making the Decision Choosing a Remote Office
Connectivity Solution (Cont.)

• Reasons to choose a VPN over a public network
• Leverages existing Internet links to provide
  network connectivity between sites
• Provides connectivity between hardware from
  different network vendors over public networks
• Reduces the costs associated with connecting
  offices across international boundaries

51
Applying the Decision Remote Office Connectivity
Solution for Hanson Brothers

• Hanson Brothers plans to implement a VPN solution
  to reduce the high cost associated with a
  dedicated WAN link between Canada and the United
  States.
• All data exchanged between the Montreal office
  and the Warroad office must be encrypted as it is
  transmitted over the Internet.

52
Securing Dedicated WAN Connections

• Ensuring security of transmitted data over a WAN
  link
• Limit the types of data that can be transmitted.
• Limit which computers can transmit data over the
  WAN link.
• Encrypt all traffic that is transmitted over the
  WAN link.
• Require mutual authentication of routers.

53
Making the Decision Designing Security for
Dedicated WAN Links

• Limit which protocols can traverse the network
  link.
• Limit which computers can transmit data over the
  WAN link.
• Ensure that confidential data cannot be inspected
  as it is transmitted.
• Limit which routers can connect to another
  router.

54
Applying the Decision Designing Security for
Dedicated WAN Links for Hanson Brothers

• A VPN solution will be used for connecting the
  Montreal office to the corporate network in
  Warroad.
• Because a third-party firewall will be used at
  the Montreal office, design decisions for
  dedicated network connections should be applied
  at the firewall.
• Configure the firewall to accept connections only
  from the remote access server at the Warroad
  office.
• This ensures that no other routers, remote access
  servers, or firewalls can establish connections
  to the firewall.

55
Designing VPN Solutions

• VPNs allow an organization to leverage existing
  network links to a public network and use those
  links to connect remote offices.
• VPNs ensure that data is protected during
  transmission over the public network.
• VPN solutions between offices can use PPTP,
  L2TP/IPSec, and IPSec tunneling mode.
• Choosing the best solution depends on
• The remote access devices deployed at each office
• The availability of a Public Key Infrastructure
  (PKI)
• The placement of remote access devices

56
VPN Deployment in a DMZ Using Private Network
Addressing
57
VPN Deployment in a DMZ Not Using Private Network
Addressing
58
Tunnel Server Performing NAT
59
Making the Decision Determining When to Deploy
Tunneling Protocols

• Deploy PPTP when
• Either tunnel server is located in a network
  segment where NAT is performed
• Creating VPNs with Windows NT 4.0 RAS servers
• Only user authentication is required for the VPN
  connection
• Deploy L2TP/IPSec when
• Stronger encryption is required for the
  connection between sites
• Authentication of both a user account and machine
  account is required
• The tunnel servers are not located behind a
  firewall or perimeter server that performs NAT

60
Making the Decision Determining When to Deploy
Tunneling Protocols (Cont.)

• Deploy IPSec tunnel mode when
• The tunnel servers are not located behind a
  firewall or perimeter server that performs NAT
• Connecting to a third-party firewall or firewall
  that does not support PPTP or L2TP/IPSec
• Machine authentication is required only between
  the two tunnel endpoints

61
Applying the Decision Tunneling Protocol Choices
for Hanson Brothers
62
Designing Remote Access Policy

• Designing remote access policy condition
  attributes
• Designing remote access policy profiles
• Planning remote access policy application

63
Designing Remote Access Policy Condition
Attributes

• Define remote access policies to grant or deny
  remote access.
• The remote access server evaluates the existing
  conditions of the remote access request and
  compares it to the conditions defined in the
  remote access policy.
• If all conditions are matched, the remote access
  policy is applied to the request.

64
Condition Attributes

• Called-Station-ID
• Calling-Station-ID
• Client-Friendly-Name
• Client-IP Address
• Client-Vendor
• Day-And-Time-Restrictions
• Framed Protocol

• NAS-Identifier
• NAS-IP-Address
• NAS-Port-Type
• Service-Type
• Tunnel-Type
• Windows-Groups

65
Making the Decision Designing Conditions for
Remote Access Policy

• Minimize conditions in the remote access policy
  definition.
• Remote access policies are processed from the top
  of the list to the bottom.
• Remote access policies can be defined to both
  allow and deny remote access to the network.
• If no remote access policies exist, all remote
  access is denied.
• Do not define a remote access policy condition
  that cannot be met.

66
Applying the Decision Designing Conditions for
Remote Access Policy at Hanson Brothers

• Design remote access policies for
• Employees
• Administrators
• Adventure Works
• Montreal office VPN

67
Designing Remote Access Policy Profiles

• The profile defines the security settings that
  the remote access connection must implement.
• These security settings can include the
  authentication method and the encryption level
  required to proceed with the connection.

68
Remote Access Policy Profile Settings

• Dial-In Constraints
• IP
• Multilink
• Authentication
• Encryption
• Advanced

69
Making the Decision Restricting Remote Access
Connections

• Prevent idle remote access connections from using
  up the available remote access ports.
• Restrict remote access connections to a specific
  phone number.
• Restrict a remote access connection to a single
  computer or to specific computers.
• Restrict a remote access connection to specific
  protocols.
• Require a specific authentication mechanism.
• Require a specific level of encryption.

70
Applying the Decision Configuring Remote Access
Profiles for Hanson Brothers

• Employees
• Administrators
• Adventure Works
• Montreal office VPN

71
Remote Access Policy Application in Mixed Mode

• The Control Access Through Remote Access Policy
  option is not available in a users account
  properties.
• By default, every user account is set to Allow
  Access, but remote access policy is still
  applied.
• The default remote access policy grants access to
  all users if left unmodified.
• When a connection attempt occurs, the remote
  access policy evaluates the remote access policy
  profile to determine whether to allow the
  connection.

72
Remote Access Policy Application in Native Mode

• User accounts are configured to Control Access
  Through Remote Access Policy in the user account
  property pages.
• With this setting, all remote access permissions
  are determined through Remote Access Policy
  settings.

73
Making the Decision Planning for Remote Access
to the Network

• In mixed mode, delete or modify the default
  remote access policy.
• Disallow dial-in permissions for all users in a
  mixed mode domain.
• Prevent specific connection attempts in a native
  mode domain.
• In either mixed mode or native mode, remote
  access policy is evaluated to determine whether
  remote access should be granted to the network.
• Prevent all remote access to the network in mixed
  mode or native mode.

74
Applying the Decision Implementing Remote Access
Policy for Hanson Brothers

• Ensure that the domain is in native mode to take
  advantage of remote access policy for dial-up
  access determination.
• Verify that each user account that requires
  dial-up access to the network is set to Control
  Access Through Remote Access Policy.
• All other accounts should be set to Deny Access.

75
Planning RADIUS Security

• Introducing RADIUS authentication
• Designing RADIUS deployment
• Planning centralized application of Remote Access
  Policy

76
Introducing RADIUS Authentication

• RADIUS allows single sign-on capabilities to
  remote users by allowing them to authenticate
  with the domain account and password.
• Single sign-on allows access to all resources on
  a network with a single user account and
  password.
• This single user account and password can be used
  at any remote access server or network device
  that is configured as a RADIUS client to the IAS
  server.

77
Designing RADIUS Deployment
78
RADIUS Authentication Process for a VPN Client
79
Making the Decision Planning RADIUS Components

• RADIUS servers
• RADIUS clients
• RADIUS proxies

80
Applying the Decision Centralized Management of
Authentication at Hanson Brothers

• Configure remote access servers at the Warroad,
  Boise, and Calgary offices as RADIUS clients to a
  RADIUS server at the Warroad office.
• The RADIUS server allows all users to
  authenticate by using their domain account and
  password.
• The RADIUS server allows centralized management
  of remote access policy and centralized
  collection of accounting information for all
  remote access connectivity.

81
Decentralized Application of Remote Access Policy

• Results in inconsistent configurations at each
  remote access server.
• Inconsistent application of remote access policy
  can result in authorized users being denied
  access and unauthorized users gaining access to
  the network.

82
Centralization of Remote Access Policy

• RADIUS servers allow the centralization of remote
  access policy.
• When configured as RADIUS clients, remote access
  servers no longer configure remote access policy
  locally.
• Remote access policy is obtained instead from the
  RADIUS server, which acts as the repository for
  Remote Access Policy.
• Remote users gain access to the network no matter
  which remote access server they access.
• All remote access servers have the same remote
  access policy, which is stored locally at the
  RADIUS server.

83
Servers Running RRAS Configured as a RADIUS
Client

• These servers receive their remote access policy
  from the RADIUS server.
• Remote access policy does not appear in the
  Routing And Remote Access console.
• Configuration requirements
• Prevent the deployment of new remote access
  servers that are not configured as RADIUS
  clients.
• Use Group Policy to either enable or disable RRAS
  for Windows 2000based computers.
• Change the permissions for the service to
  restrict who can start, stop, or pause the
  service.

84
Ensure That Approved Remote Access Servers are
Running RRAS

• Place the remote access servers in a dedicated
  organizational unit (OU).
• Create a Group Policy object that enables RRAS.
• Configure the Default Domain Policy to disable
  RRAS.
• Group Policy inheritance applies the service
  setting to all other OUs in the domain.

85
Making the Decision Ensuring Centralized
Application of Remote Access Policy

• Ensure that a server on the network is configured
  with the IAS service.
• Configure all authorized remote access servers as
  RADIUS clients.
• Ensure that RRAS is disabled on all unauthorized
  remote access servers.

86
Applying the Decision Centralized Remote Access
Policies at Hanson Brothers

• Requires centralized management of remote access
  policies from the Warroad office.
• Configure the Default Domain Group Policy to
  disable RRAS on all domain computers.
• Place the remote access servers for each office
  in an OU where Group Policy enables RRAS.
• The remote access servers must be configured as
  RADIUS clients to the RADIUS server located at
  the Warroad office.

87
Chapter Summary

• Choosing between dial-up and VPN solutions
• Planning remote access authentication
• Planning dial-up protocols
• Planning VPN protocols
• Planning integration with Windows NT 4.0 RAS
  servers
• Planning user settings for dial-up networking
  security
• Authorizing dial-up connections
• Securing client configuration

88
Chapter Summary (Cont.)

• Choosing remote office connectivity solutions
• Securing dedicated WAN connections
• Designing VPN solutions
• Designing remote access policy condition
  attributes
• Designing remote access policy profiles
• Planning remote access policy application
• Introducing RADIUS authentication
• Designing RADIUS deployments
• Planning centralized application of remote access
  policy