How to configure which authentication protocols the remote access server should support

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, right-click the server that you want to configure and then select Properties from the shortcut menu to access the server Properties dialog box.
  3. Click the Security tab.
  4. In the Authentication Provider drop-down list box, select Windows Authentication.
  5. Click Authentication Methods.
  6. The Authentication Methods dialog box opens.
  7. You should disable password-based authentication by clearing the checkboxes for the following authentication methods:
    • Microsoft Encrypted Authentication (MS-CHAP)
    • Encrypted Authentication (CHAP)
    • Shiva Password Authentication Protocol (SPAP)
    • Unencrypted Password (PAP).
  8. Enable the following authentication protocols:
    • Extensible Authentication Protocol (EAP)
    • Microsoft Encrypted Authentication Version 2 (MS-CHAPv2)
  9. Ensure that the Allow Remote Systems To Connect Without Authentication checkbox is not selected.
  10. Click OK in the Authentication Methods dialog box.
  11. Click OK in the server Properties dialog box.
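
The same baseline can be checked from a script. The following is an added example, not part of the original procedure: it reads the enabled methods from `netsh ras show authtype` output and lists the `netsh ras` commands needed to match the checkboxes described above. The function names and the sample output are constructed for illustration, and the output layout (one type code at the start of each line) is an assumption.

```powershell
# Baseline from the procedure above, expressed as netsh ras authtype codes.
$Disallowed = 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP'   # PAP, SPAP, CHAP, MS-CHAP (v1)
$Required   = 'EAP', 'MSCHAPv2'

# Hypothetical helper: extract enabled type codes from "netsh ras show authtype" text.
# Assumption: each enabled type is the first token on its own line.
function Get-EnabledRasAuthType {
    param([string[]]$NetshOutput)
    $known = $Disallowed + $Required
    foreach ($line in $NetshOutput) {
        $token = ($line.Trim() -split '\s+')[0]
        # -eq is case-insensitive, so this returns the canonical spelling.
        $known | Where-Object { $_ -eq $token }
    }
}

# Hypothetical helper: commands that move the server to the baseline.
function Get-RasAuthRemediation {
    param([string[]]$Enabled)
    $plan = @()
    foreach ($t in $Disallowed) {
        if ($Enabled -contains $t) { $plan += "netsh ras delete authtype type=$t" }
    }
    foreach ($t in $Required) {
        if ($Enabled -notcontains $t) { $plan += "netsh ras add authtype type=$t" }
    }
    $plan
}

# Constructed sample output (not captured from a real server).
$sample = @(
    'Enabled Authentication Types:',
    '',
    'Code        Meaning',
    '-----------------------------------------',
    'PAP         Password Authentication Protocol.',
    'MSCHAP      Microsoft Challenge-Handshake Authentication Protocol.',
    'MSCHAPv2    Microsoft Challenge-Handshake Authentication Protocol version 2.'
)

$enabled = @(Get-EnabledRasAuthType -NetshOutput $sample)
Get-RasAuthRemediation -Enabled $enabled

# On the remote access server itself, replace $sample with live output:
#   $enabled = @(Get-EnabledRasAuthType -NetshOutput (netsh ras show authtype))
```

The script only prints the commands; review the list before running any of them. The Allow Remote Systems To Connect Without Authentication checkbox is not covered and still has to be checked in the console.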

How to allow remote access for a specific user

  1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
  2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
  3. Select the Users container.
  4. In the right pane, locate the user account that you want to configure.
  5. Right-click the specific user account and then select Properties from the shortcut menu.
  6. The Properties dialog box of the user opens.
  7. Click the Dial-in tab.
  8. In the Remote Access Permission area, click the Allow Access option.
  9. Click OK.

How to allow remote access based on remote access policy

  1. Click Start, Administrative Tools, and then click Active Directory Users and Computers to open the Active Directory Users and Computers management console.
  2. In the console tree, expand the domain that contains the user account that you want to enable remote access for.
  3. Select the Users container.
  4. In the right pane, locate the user account that you want to configure.
  5. Right-click the specific user account and then select Properties from the shortcut menu.
  6. The Properties dialog box of the user opens.
  7. Click the Dial-in tab.
  8. In the Remote Access Permission area, click the Control Access Through Remote Access Policy option.
  9. Click OK.

How to create a remote access policy for a remote access server

  1. Click Start, Administrative Tools, and then select Active Directory Users and Computers to open the Active Directory Users and Computers management console.
  2. In the console tree, select the Users container, right-click the user account which you want to configure and then select Properties from the shortcut menu.
  3. Click the Dial-in tab. Verify that the Remote Access Permission (Dial-in or VPN) option is specified as Control Access Through Remote Access Policy.
  4. To configure the remote access policy for the remote access server, click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  5. In the console tree, expand the server’s node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
  6. Select the desired policy configuration settings through the various pages of the New Remote Access Policy Wizard.

How to create a remote access policy to authorize access by user

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, expand the server’s node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
  3. The New Remote Access Policy Wizard starts.
  4. Click Next on the New Remote Access Policy Wizard Welcome page.
  5. On the Policy Configuration Method page, click the Use the wizard to set up a typical policy option.
  6. Enter a name in the Policy name box, and then click Next.
  7. On the Access Method page, select between the following options and then click Next: Dial-up, VPN, Wireless, Ethernet.
  8. On the User or Group Access page, click the User option and then click Next.
  9. On the Authentication Methods page, specify the authentication methods which the policy will accept and then click Next.
  10. On the Policy Encryption Level page, specify the encryption types and then click Next.
  11. Click Finish to create the new remote access policy.

How to create a remote access policy to authorize access by group

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, right-click Remote Access Policies and then select New Remote Access Policy from the shortcut menu.
  3. The New Remote Access Policy Wizard starts.
  4. Click Next on the New Remote Access Policy Wizard Welcome page.
  5. When the Policy Configuration Method page appears, select the Use the wizard to set up a typical policy option.
  6. Enter a name in the Policy name box, and then click Next.
  7. On the Access Method page, select between the following options and then click Next: Dial-up, VPN, Wireless or Ethernet.
  8. On the User or Group Access page, select the Group option and then click Add to specify the group name.
  9. Using the Enter the object names to select box, specify the group and then click OK.
  10. Click Next on the User or Group Access page.
  11. On the Authentication Methods page, specify the authentication methods which the policy will accept and then click Next.
  12. On the Policy Encryption Level page, specify the encryption types and then click Next.
  13. Click Finish to create the new remote access policy.

How to create a remote access policy that allows domain users remote access only through VPN connections

  1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
  2. In the console tree, click Remote Access Policies, click the Action menu, and then select the New Remote Access Policy command.
  3. The New Remote Access Policy Wizard starts.
  4. Click Next on the initial page of the New Remote Access Policy Wizard.
  5. On the Policy Configuration Method page, select the Use The Wizard To Set Up A Typical Policy For A Common Scenario option.
  6. In the Policy Name field, enter a meaningful name that describes the purpose of the remote access policy. Click Next.
  7. On the Access Method page, select VPN, Use For All VPN Connections. Click Next.
  8. When the User Or Group Access page opens, select the Group option and then click the Add button.
  9. The Select Groups dialog box opens.
  10. In the Enter The Object Names To Select field, enter Domain Users, and click the Check Names button.
  11. Click OK.
  12. On the Authentication Methods page, select the Microsoft Encrypted Authentication Version 2 (MS-CHAPv2) option. Click Next.
  13. On the Policy Encryption Level page, select the encryption strength and click Next.
  14. Click Finish on the Completing The New Remote Access Policy Wizard page.

How to create a remote access policy that restricts remote access based on connection type

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, expand the server’s node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
  3. The New Remote Access Policy Wizard starts.
  4. Click Next on the New Remote Access Policy Wizard Welcome page.
  5. On the Policy Configuration Method page, click the Set up a custom policy option.
  6. Enter a name in the Policy name box, and then click Next.
  7. On the Policy Conditions page, click the Add button to add a condition.
  8. When the Select Attribute dialog box opens, specify the desired attribute and then click the Add button.
  9. Click Next on the Policy Conditions page.
  10. On the Permissions page, click the Deny remote access permission option and then click Next.
  11. When the Profile page appears, use the Edit button if you want to change the profile. Click Next.
  12. Click Finish to create the new remote access policy.

How to create a remote access policy for VPN access

  1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
  2. In the console tree, expand the server node to display the Remote Access Policies node.
  3. Right-click Remote Access Policies, and then select New Remote Access Policy from the shortcut menu.
  4. When the New Remote Access Policy Wizard starts, click Next on the initial page of the Wizard.
  5. Enter a name for the new remote access policy. Click Next.
  6. On the Policy Conditions page, click Add.
  7. To restrict VPN users to either use PPTP or L2TP, add the appropriate tunnel-type condition. Click Next.
  8. Ensure that the Grant Remote Access Permission option is selected on the Permissions page.
  9. To set profiles, click the Edit Profile button on the Profile page.
  10. Click Finish.

How to create a remote access policy for wireless access

  1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
  2. Click the Action menu, and then select New Remote Access Policy.
  3. The New Remote Access Policy Wizard launches.
  4. Click Next on the initial screen of the New Remote Access Policy wizard.
  5. On the Policy Configuration Method page, select the Use the wizard to set up a typical policy option.
  6. In the Policy Name field, provide a name for the policy. Click Next.
  7. On the Access Method page, select the Wireless option. Click Next.
  8. On the User or Group Access page, select the Group option, and then click the Add button.
  9. Specify the group, and then click OK and Next.
  10. Select the Smart card or other certificate option and then click Next.
  11. Click Finish.

How to enable Multilink

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, expand the server node to display the Remote Access Policies node.
  3. Select Remote Access Policies.
  4. In the details pane, double-click the remote access policy that should be configured.
  5. Click Edit Profile.
  6. Use the Multilink tab to configure properties for the Multilink policy.
  7. Click OK.

How to configure idle and session time restrictions for an existing profile

  1. Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access console.
  2. In the console tree, expand the server node to display the Remote Access Policies node.
  3. Select Remote Access Policies.
  4. In the details pane, select the remote access policy that you want to modify the idle and session times for.
  5. Click the Action menu and then select Properties from the shortcut menu.
  6. When the properties dialog box of the remote access policy opens, click Edit Profile.
  7. Select the Minutes server can remain idle before it is disconnected checkbox. Specify the number of minutes for this setting.
  8. Select the Minutes the client can be connected checkbox, and then specify the number of minutes for this setting.
  9. Click OK.
  10. Click OK in the properties dialog box of the remote access policy.

How to configure an encryption level

  1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
  2. In the console tree, expand the server’s node and then select Remote Access Policies.
  3. All remote access policies defined for the remote access server are listed in the details pane of the Routing And Remote Access console.
  4. Select the remote access policy that you want to configure an encryption level for, click the Action menu and then select Properties.
  5. When the Properties dialog box of the policy opens, click the Edit Profile button.
  6. Click the Encryption tab.
  7. Ensure that the No Encryption checkbox is cleared.
  8. Enable the following: Basic checkbox, Strong checkbox, and Strongest checkbox.
  9. Click OK.

How to raise the domain functional level for a domain to enable additional security features

  1. Open the Active Directory Domains And Trusts console.
  2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.
  3. The Raise Domain Functional Level dialog box opens.
  4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
  5. Click Raise.
  6. Click OK.