Section 6.5: Securing RRAS Clients

You can manage RRAS security on a per-user basis by using RRAS remote access policies. RRAS remote access policies allow you to control the duration of sessions, the authentication methods that remote clients can use, and other options that can increase the security of connections. To make it easy for users to select the necessary RRAS policy options on their client computers, you can create a custom version of the RRAS client software called Connection Manager, with preset options for your particular remote access needs.

6.5.1: Remote Access Policies

Windows Server 2003 RRAS provides comprehensive support for remote access policies, which provide you with complete control over client access to the RRAS server. You can specify one or more policies, each with conditions that a client must match to connect. The possible conditions include time of day and day of the week, client name and IP address, client and server telephone numbers, and other options. You can also determine whether a user account's remote access permission enables the user to connect through RRAS. If you choose Allow Access, the client can connect only if it matches one of the remote access policies. If the user permission is set to Deny Access, all connections for that user are refused. If the user permission is set to Control Access through remote access policy, the policy's Allow or Deny option determines whether the connection is allowed.

The Remote Access Policies window displays a list of all the currently active policies. When a connection attempt is made, RRAS uses this list to check the policies and uses the first policy whose conditions match the connection. You can change the order of policies on the list to specify which policy will be applied when two or more policies match the connection. When you add a policy to the list, you name the policy and then apply a list of conditions that must be matched by a connection for the policy to be used. The conditions you can set are listed in Table 6.1.

Table 6.1: Remote Access Policy Conditions

Condition Description
Called-Station-Id The telephone number dialed by the client
Calling-Station-Id The originating telephone number
Day-and-Time-Restrictions Connections during specified hours or days of week
Framed-Protocol The connection protocol in use
Service-Type The type of service requested
Tunnel-Type The VPN tunneling protocol in use
Windows-Groups Group memberships of the connecting user

Several additional conditions are available when you use RADIUS authentication. Most of these conditions examine the characteristics of the Network Access Server (NAS), which is the client that makes a request to the RADIUS server. This allows you to change the authentication method based on which type of NAS the client has attached to. Table 6.2 lists the additional conditions that are available when you use RADIUS authentication.

Table 6.2: Additional RADIUS Remote Access Policy Conditions

Condition Description
Client-Friendly-Name The friendly name set in the IAS client list
Client-IP-Address The IP address of the RADIUS client
Address The IP address of the RADIUS client The vendor of the NAS
NAS-Identifier The identifier of the NAS
NAS-IP-Address The IP address of the NAS
NAS-Port-Type The physical port used by the NAS

If a connection attempt matches the policy you have created and the policy's Grant Remote Access permission option is selected, the user will be allowed access. The user will also be allowed access if explicitly granted access in the user account's remote access permission. Once a connection is made using a policy, you can further restrict the activities of the connection using policy profile settings. The profile includes six sets of properties:

• Dial-in Constraints, which contains various constraints that can be placed on dial-in users matching the current policy conditions. The available options are:

• Disconnect if idle for the specified number of minutes

• Restrict maximum session to a specified number of minutes

• Restrict access to specified dates and times

• Restrict dial-in access to a particular telephone number

• Restrict the media (modem, ISDN, DSL, Ethernet, etc) on which connections will be allowed

• IP, which includes settings relating to client IP addresses. You can specify that the server must supply an IP address to the client, that the client can request an address, or that policy will be based on the server's settings. These IP settings also include options for packet filtering. You can create both incoming packet filters, and outgoing packet filters to restrict the ports and services that a user will be allowed to access when connected to the RRAS server. Packet filters are used only in RRAS policies, not IAS policies.

• Multilink, which controls whether clients using the current security policy can connect using Multilink, which allows a client to connect to two or more modems or other ports and use the combined bandwidth available from these devices. You can choose to disable Multilink entirely, allow Multilink with a specified maximum number of ports, or default to the RRAS server's settings. Using the bandwidth allocation protocol (BAP) options, you can specify a minimum percentage capacity for the dial-in lines and a time limit. If the capacity falls below this level for the specified time, the RRAS server will remove lines from Multilink connections to increase the available capacity.

• Authentication, which controls the authentication methods that will be allowed for connections that match the current policy. The options available are the same as those described earlier in this chapter, including PAP, SPAP, CHAP, MS-CHAP, MS-CHAP version 2, and EAP. You can also specify which types of EAP connections are allowed and their specific settings.

• Encryption, which controls the level of encryption that will be allowed for connections matching the current policy. The options include No Encryption, Basic, Strong, and Strongest. These options apply only to communication between Windows Server 2003 clients and Windows Server 2003 RRAS servers.

• Advanced, which allows you to specify additional security attributes. Click Add to add an attribute. The list of available attributes includes standard options for RADIUS servers, as well as a variety of vendor-specific options.

6.5.2 The Connection Manager Administration Kit

The Connection Manager Administration Kit (CMAK), which is included with Windows Server 2003 Server, can be used to customize many features of the Connection Manager software, which is the Windows component that clients see when they dial a modem connection. By creating a custom Connection Manager profile with the CMAK, you pre-determine the connection options that clients will need in order to meet your RRAS or IAS policies and establish a dial-in connection.

When you start the CMAK Wizard, you are prompted to either create a new service profile or open and modify an existing service profile. Service profiles are stored with the .cms extension. The initial pages of the CMAK Wizard prompt you for various text items, such as Service Name; File Name For Service Profiles; and Support Information, that will be used to customize the Connection Manager interface. In the Network And Dial-Up Connections window you can specify that Connection Manager will create one or more entries for your service. For each of these, you can specify DNS and/or WINS addresses, if the server does not assign them automatically, and an optional script file. You can also include a telephone book file in the service profile, specifying one or more dial-up telephone numbers. Connection Manager can also use the URL of a server running Connection Point Services to automatically download updated lists of telephone numbers.

The CMAK Wizard allows you to specify a number of actions, or programs, that will run at various points during the connection process. The available actions are:

• Pre-connect actions run before connecting;

• Pre-tunnel actions run before connecting using a VPN;

• Post-tunnel actions run after a successful VPN connection; and

• Disconnect actions run after the user disconnects from the service.

In addition to these actions, you can specify one or more auto-applications. These are applications that run when connected to the network. The network connection will be disconnected automatically after the user exits the last auto-application.

The CMAK Wizard also prompts you to indicate whether to include the Connection Manager software with the service profile. You can also specify a custom Windows help file if you have created your own documentation, or use the default Connection Manager help file. Options are also provided for a custom license agreement and additional help or documentation files.

After you complete all of the CMAK settings, the CMAK saves a number of files to complete the profile. These include a .cms file, which stores the information the wizard prompted for, and a self-extracting .exe file that installs the Connection Manager software and the service profile on a client computer. These files use the 8-character file name you specified. They can be copied to a floppy disk, CD-R, or network share to deploy the service profile to clients.

If you enable VPN support in the CMAK Wizard, the resulting connection profile can be used to connect to the RRAS server through a public network, such as the Internet, rather than directly through a dial-up connection. The Internet connection used for a VPN can be any existing dial-up connection or always-on broadband connection, such as DSL or LAN.

Windows Server 2003 also provides Network Access Quarantine Control, which are special policies that restrict VPN client access using a quarantine mode until the client system is either brought into compliance with corporate VPN client specifications or determined to already be in accordance with specifications. Network Access Quarantine Control can be configured using the Connection Manager Administration Kit (CMAK).