Planning Distributed Security
Routing and Remote Access is the service that lets remote users connect to your local network by phone. This section deals only with the remote access security features of Routing and Remote Access. Remote access by its nature is an invitation to intruders; so Windows 2000 provides multiple security features to permit authorized access while limiting opportunities for mischief.
A client dials a remote access server on your network. The client is granted access to the network if:
After the client has been identified and authorized, access to the network can be limited to specific servers, subnets, and protocol types, depending on the remote access profile of the client. Otherwise, all services typically available to a user connected to a local area network (including file and print sharing, Web server access, and messaging) are enabled by means of the remote access connection.
Windows 2000–based servers are governed by security policies that determine their remote access behavior. These policies establish whether a server accepts requests for remote access and, if so, during what hours of what days, what protocols are used, and what types of authentication are required.
You define remote access policies by using the Computer Management snap-in to MMC. You define the policy in the Remote Access Policies node:
Computer Management (local)
    Services and Applications
        Routing and Remote Access
            Remote Access Policies
Right-click a policy in the console tree and select Properties. A remote access policy is defined as a rule with conditions and actions. If the conditions are met, the action is taken. For example, if the time of day is appropriate for remote access, if the requested protocol is permitted, and if the requested port type is available, then access is granted. If granted, remote access is limited by the access profile of the policy. Click Edit Profile to view the available profile options.
To enable remote access for a user, open the Active Directory Users and Computers snap-in to MMC. Right-click a user, and select Properties. Select the Dial-In tab in the property sheet.
For more information about remote access and installing and configuring the remote access server, see Windows 2000 Server Help. For more information about remote access authentication, see "Remote Access Server" in the Microsoft® Windows® 2000 Server Resource Kit Internetworking Guide.
Granting remote access permission to a user is ineffective if there is no appropriate remote access policy in place for the remote access server.
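The evaluation sequence described above, as an added illustration in Python rather than code from the Resource Kit: a dial-in request is checked against ordered policies whose conditions cover day and time, protocol and port type; the user's dial-in permission must also be present; a matched policy's profile restricts the session; and, as the note above states, no matching policy means no access even for a permitted user. First-match ordering and the sample policy values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed model of a remote access policy: conditions, an action and a profile.
@dataclass
class Policy:
    name: str
    days: set          # weekdays the policy applies to (0 = Monday)
    hours: range       # hours of the day the policy applies to
    protocols: set     # requested protocols the policy matches
    port_types: set    # port types the policy matches
    grant: bool        # action taken when every condition is met
    profile: dict = field(default_factory=dict)  # restrictions applied if granted

@dataclass
class Request:
    user: str
    when: datetime
    protocol: str
    port_type: str

def matches(policy: Policy, req: Request) -> bool:
    """True when every condition of the policy is met by the request."""
    return (req.when.weekday() in policy.days
            and req.when.hour in policy.hours
            and req.protocol in policy.protocols
            and req.port_type in policy.port_types)

def evaluate(req: Request, user_dialin_allowed: bool, policies: list):
    """Return (granted, reason, profile). First matching policy wins (assumption)."""
    for p in policies:
        if not matches(p, req):
            continue
        if not user_dialin_allowed:
            return False, f"user lacks dial-in permission (policy {p.name})", {}
        if not p.grant:
            return False, f"denied by policy {p.name}", {}
        return True, f"granted by policy {p.name}", p.profile
    # No policy matched: permission alone is not enough.
    return False, "no remote access policy matched", {}

# Constructed sample policy: weekday business hours only, restricted by profile.
POLICIES = [Policy("Business hours dial-in", {0, 1, 2, 3, 4}, range(8, 18),
                   {"PPP"}, {"Async", "ISDN"}, True,
                   {"ip_filter": "10.0.5.0/24 only", "max_session_minutes": 120})]
```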
Windows 2000 supports the following authentication options for remote access:
Standard PPP authentication methods offer limited security.
EAP modules can be developed or provided by third parties to extend the authentication capabilities of PPP. For example, you can use EAP to provide stronger authentication using token cards, smart cards, biometric hardware, or one-time password systems.
EAP-TLS provides strong authentication. Users' credentials are stored on tamper-proof smart cards. You can issue each user one smart card to use for all logon needs.
It is recommended that your network security plan include strategies for remote access and authentication, including the following information: