Section 6.4: Remote Access Security
RRAS provides access to a network from remote locations. It also serves as the end point for VPN connections, which use encryption to securely connect private networks over a public network, such as the Internet. Therefore, RRAS should be configured it for maximum security.
6.4.1: Secure User Authentication
Secure user authentication is obtained through the encrypted exchange of username and password credentials. This is possible through the use of the PPP remote access protocol along with one of the following authentication protocols:
• Extensible Authentication Protocol (EAP);
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2;
• Challenge Handshake Authentication Protocol (CHAP); and
• Shiva Password Authentication Protocol (SPAP).
6.4.1.1: Mutual Authentication
Mutual authentication is obtained by authenticating both ends of the connection through the encrypted exchange of username and password credentials. This is possible through the use of PPP with EAP-Transport Level Security (EAP-TLS) or MS-CHAP version 2. During mutual authentication, the remote access client authenticates itself to the RAS server, and then the RAS server authenticates itself to the remote access client.
6.4.1.2: Data Encryption
Data encryption is the process of encrypting the data that is transmitted between the remote access client and the RAS server. Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and remote access client. This shared secret key is generated during the user authentication process. Data encryption is possible over dial-up remote access links when using PPP along with EAP-TLS or MS-CHAP. Windows Server 2003, Windows 2000, Windows NT 4.0, Windows 98, and Windows 95 remote access clients and remote access servers support the Microsoft Point-to-Point Encryption Protocol (MPPE). MPPE uses the Rivest-Shamir-Adleman (RSA) RC4 stream cipher and 40-bit, 56-bit, or 128-bit secret keys. MPPE keys are generated from the EAP-TLS and MS-CHAP user authentication processes.
6.4.1.3: Callback
When you configure RRS for callback, the RAS server calls the remote access client back at a number specified by the user of the remote access client after the username and password credentials have been verified. This allows a traveling user to dial in and have the RAS server call back the remote access client at the current location, saving telephone charges. Callback can also be configured to always call back the remote access client at a specific phone number, which is the secure form of callback. Telecommuters often require access from different locations. To service these users, you can configure callback security to allow access to all telephone numbers, but the server records the numbers that it dials. Administrators can then audit these records to determine if unexpected telephone numbers have appeared. This approach uses the accountability security model rather than the restriction model to secure the system, and it is effective unless hackers can dial in, gain administrative access, and then erase the remote access logs.
6.4.1.4: Caller ID
Caller ID can be used to verify that the incoming call is coming from a specified phone number. Caller ID is configured as part of the dial-in properties of the user account. If the caller ID number of the incoming connection for that user does not match the configured caller ID, the connection is denied. This requires that the caller's telephone line, the phone system, the RAS server's telephone line, and the Windows Server 2003 driver for the dial-up equipment all support caller ID. Caller ID is a feature designed to provide a higher degree of security for networks that support telecommuters.
6.4.2: Managing Authentication
RRAS provides a wide variety of authentication methods, from simple, unencrypted passwords for low-security applications to highly secure authentication schemes for applications in which security is paramount. Windows Server 2003 also supports Remote Authentication Dial-In User Service (RADIUS), a dedicated service for authenticating remote users with high security and detailed accounting that works with a broad range of third-party remote access devices and services. You can thus configure the remote access server to use either Windows or RADIUS for authentication purposes.
6.4.2.1: Windows Authentication
With Windows authentication the username and password credentials sent by users attempting remote access connections are authenticated through normal Windows authentication mechanisms. If the remote access server is a member server in Windows domain and is configured for Windows authentication, the computer account of the RAS server computer must be a member of the RAS and IAS Servers security group. Configuring membership can be performed by a domain administrator by using the Active Directory Users And Computers snap-in to add the computer to the RAS And IAS Servers security group in the Users container. The netsh command-line utility can also be used to add the server to this group.
Most of the authentication methods available in RRAS are based on Password Authentication Protocol (PAP), which supports simple password authentication, and Challenge Handshake Authentication Protocol (CHAP), a more sophisticated protocol that uses two-way handshakes to authenticate users. You can enable any of the following variations of these protocols:
• Password Authentication Protocol (PAP) is the basic PAP protocol. It sends passwords as clear text so it is vulnerable to network snooping. You should not use PAP unless you must support a legacy application that requires it.
• Shiva Password Authentication Protocol (SPAP) is an extension to the PAP protocol used to support Shiva LAN Rover devices. It supports basic encryption of passwords, but is not challenge and response, so it is vulnerable to replay attacks in which hackers capture encrypted passwords and re-use them in encrypted form.
• Challenge Handshake Authentication Protocol (CHAP) provides authentication with encrypted passwords. In this protocol, the server sends a challenge to the client, and the client uses the data from the challenge to calculate a one-way encrypted value, or hash, from the user name and password that can be used to authenticate the user without sending the password across the network.
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a Microsoft extension of CHAP that improves security by storing passwords in encrypted form. This is the authentication used by Microsoft Windows 95 and Windows 98 clients.
• Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is the Windows 2000 implementation of MS-CHAP. It does not support earlier Windows client versions. MS-CHAP v2 improves security by eliminating support for LAN Manager encryption and performs mutual authentication to ensure that no man-in-the-middle attack can occur. You should use MS-CHAP v2 whenever possible.
• Extensible Authentication Protocol (EAP) is an authentication protocol that can be extended with additional authentication methods that you can install separately. This protocol is commonly used for smart card authentication or certificate-based authentication.
6.4.2.2: RADIUS Authentication and IAS
RADIUS is a standard service for user authentication, which provides centralized authentication, multiple authentication servers, and detailed activity logging for remote access users. With RADIUS authentication the username and password credentials and parameters of the connection request are sent as a series of RADIUS request messages to a RADIUS server. In Windows Server 2003 that would be the IAS server. When the RADIUS server receives a user-connection request from the RAS server, it authenticates the client against its authentication database. RADIUS provides a way to decouple user authentication from the server or device that receives the connection or provides access to the port. It allows Administrators to centralize the authentication function on a small group of servers dedicated to authentication while distributing remote access servers or devices throughout the enterprise. Furthermore, by decoupling authentication from remote access, it allows the authentication service to be used by other services that require authentication, such as the 802.1x port authentication protocol provided to secure wireless access.
Microsoft's implementation of RADIUS, provided in Windows Server 2003 Server, is called the Internet Authentication Service (IAS) . The IAS server uses the Active Directory database to store authentication information so all IAS servers can be managed from a single console. When you use IAS to provide remote access authentication, the remote clients do not directly communicate with the IAS server. Instead, clients connect to a normal RRAS server, known in RADIUS terminology as the network access server (NAS). Dial-up clients connect to network access servers, which then contact the nearest IAS server to authenticate each user. A network access server can be any RADIUS aware device or service that allows users to connect to a port, such as an RRAS server, an 802.11b wireless access point, or an 802.1x compliant Ethernet switch.
If an IAS server is available on the network, you can configure RRAS servers to use RADIUS authentication. After you select RADIUS authentication, you must restart the RRAS server before the changes will take effect.
Note: Dial-up computers cannot be configured as RADIUS clients. Each RADIUS client is an RRAS server or other hardware or software that provides remote access. Dial-up clients connect to this server, which in turn authenticates using the RADIUS server.