Harden Windows Server 2000 and Windows Server 2003 RRAS Configuration

This excerpt from Chapter 11 of Roberta Bragg's "Hardening Windows Systems" describes how to harden Windows Server 2000 and Windows Server 2003.

Hardening Windows Systems Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications." Click for the complete book excerpt series or purchase the book.

Harden Windows Server 2000 and Windows Server 2003 RRAS Configuration

While Routing and Remote Access Services can be installed on Windows NT 4.0, I recommend avoiding the use of RRAS on Windows NT 4.0. Instead, use Windows 2000 or Windows Server 2003, which provide additional security and manageability. If you must use RRAS on Windows NT, adapt the recommendations given for Windows 2000 and Windows Server 2003 RRAS to Window NT 4.0.

RRAS provides dial-up and VPN remote access. In addition to client-to-server VPNs, RRAS provides gateway-to-gateway VPN services. Network Address Translation (NAT), packet filters, and Remote Access Policies add additional configuration features. Since the versions are so similar, Windows Server 2003 is used for the examples in the following configuration settings. Differences with Windows 2000 will be noted.

Secure External Network Configuration with Packet Filters

Windows Server 2003 packet filters can be configured to secure the external network interface, permitting only VPN traffic access. To do so during RRAS setup, select the external network interface on the VPN Connection page and then select Enable Security On the Selected Interface By. . . as shown here:

To manage connections after setup, use Remote Access Policies and set Input Filters as discussed in the later section "Use Remote Access Policies."

Harden Authentication

Authentication is configured from the Server Security property page. Currently the best solution is to require smart card authentication. If that is not immediately possible, then restrict the authentication methods possible.

1. Right-click the server in the Routing and Remote Access console and select Properties.
2. Select the Security tab.
3. Click the Authentication Methods button.
4. Deselect Microsoft encrypted authentication (MS-CHAP), as shown in the following illustration. All Microsoft clients from Windows 95 onward can be configured to use MS-CHAPv2, which has many improvements over MSCHAP. (Do not select legacy remote access communication protocols.)

5. Click EAP Methods. The Extensible Authentication Protocol can be used to configure advanced authentication methods, including Protected EAP (PEAP) and smart card or certificate authentication. They are configured in Remote Access Policies, but this property page defines the EAP methods installed on the Remote Access Server.

If IAS should be used for authentication and/or auditing, this is configured on the Security page.

Configure Logging

Additional logging should be configured in order to provide a record of remote access connections. Logging is configured from the Logging page of the remote access server's property pages. Select Log All Events as shown here:

In addition, in Windows Server 2003, a Remote Access logging node in the Routing and Remote Access Console enables configuration of logging. Use the Settings page to limit logging to select logging for authentication, accounting, and status. (If IAS is used, and authentication and accounting tasks are split between different servers, configure authentication and accounting on the respective servers.)

If log files are moved to a SQL Server database, protect communications between the SQL server and the RRAS servers by using IPSec.

You may locate the log files to a different location, but if you do, secure the log files by setting the DACL to access by SYSTEM and Administrators groups only. Audit who accesses the log files.

Use a Firewall

Use a firewall to protect the RRAS and IAS servers. If RADIUS messages must traverse a firewall, create a rule to allow communications for the RADIUS ports listed in Table 11-2.

Configure Client Access

As in Windows NT 4.0, accounts in Windows 2000 and Windows Server 2003 are denied remote access by default. Users must be configured for remote access. If Windows 2000 domains are in native mode, or Windows Server 2003 domains are at least at Windows 2000 functional level, access permission may be configured using Remote Access Policies. Otherwise, access is configured similar to that for Windows NT 4.0 domains.

Each user account is configured to Deny access, Allow access, or rely on Remote Access policies. When Remote Access policies are used, connections and attempts to connect are a result of a combination of account dial-in properties and remote access policy constraints. However, if an IAS profile constraint is configured to ignore user dial-in properties, then account dial-in properties are not considered. A user may be configured in account properties to Deny remote access, and yet it may be possible for that account to connect. To evaluate remote access, you must evaluate each remote access policy in addition to user settings.

For each user account, remote access is configured from the Dial-in tab of the user account properties as shown in Figure 11-4.

Click for the next excerpt in this series: Use L2TP/IPSec VPNs.

Click for book details or purchase the book.

Read more on Mobile hardware