Dial-up networking security in Windows NT

Windows 2000 may be the rage, but Windows NT ain't dead yet. You can set up a secure RAS using Windows NT. In this Daily Feature, Talainia Posey shows you the security settings you can use for a secure Windows NT RAS.

When it comes to dial-up networking, security can’t be overemphasized. After all, dial-up networking offers the chance for anyone, friend or foe, to connect to your server from the comfort of his or her own home—or anywhere else, for that matter. Fortunately, you can prevent unauthorized users from accessing your network through a dial-in portal. In this Daily Feature, I’ll discuss some techniques you can use to secure your Windows NT servers from unauthorized dial-up access.

The network operating system difference
Before you get started with the process of enhancing your network’s dial-up security, it’s important to understand that Windows NT Server 4.0 and Windows 2000 Server are two totally different animals and require very different security techniques. For example, Windows NT Server’s dial-up networking security is set on a per-user basis, while Windows 2000 Server’s dial-up networking security is set through a centrally located policy that can be applied to groups or individual users.

Windows 2000 gets all the press nowadays, but chances are you’re still running Windows NT. You may not have even begun deploying Windows 2000 yet. Fortunately, even though Windows NT 4.0 is different, you don’t have to wait or rush to install Windows 2000 to create secure dial-up access.

Windows NT RAS security options
In Windows NT, dial-up networking is based on the remote access service (RAS). The process of implementing RAS security begins during the initial configuration process. During this process, you can configure such options as which communications devices can be used with the RAS and whether these devices can accept incoming calls. As you configure the various devices to allow inbound calls, you must determine which protocols dial-up clients should be allowed to use. The default protocol is TCP/IP.

Normally, TCP/IP is a good choice. After all, it’s the protocol used by the Internet, and it’s compatible with practically every platform that’s out there. However, TCP/IP is often the first protocol that a hacker will try to use because it’s so popular. Therefore, one technique you can use to discourage hackers is to use a different protocol, such as IPX or NetBEUI. If you decide to use an alternate protocol, though, you must remember a few things.

For starters, if you decide to use NetBEUI, you must remember that NetBEUI isn’t routable. However, this doesn’t necessarily mean that NetBEUI clients will be limited to accessing only the computer that they dialed in to. Actually, NetBEUI can normally access only the network segment that the server is on. A setup option, however, allows you to determine whether NetBEUI clients should be able to access only a single server or the entire network, as shown in Figure A.

Figure A
A setup option lets you specify whether NetBEUI clients will be able to access only a single server or the entire network.

If you decide to use the IPX protocol instead, keep in mind that although IPX/SPX is routable, any server that’s intended to be accessed through the RAS port must be configured to run IPX/SPX. However, as with NetBEUI, RAS contains an option you can use to limit clients running IPX to accessing a single server or the entire network. Finally, remember that running multiple protocols on your network increases the amount of traffic on your network exponentially.

Another way you can enhance RAS security during the configuration process is by using encryption. When you’re configuring RAS, you can select from three types of authentication, as shown in Figure B.

Figure B
When you’re configuring RAS, you can choose among three types of authentication.

The preferred authentication method is Microsoft Encrypted Authentication. Unfortunately, only Microsoft operating systems can use it. Therefore, if you're going to use non-Microsoft operating systems, such as Linux or Macintosh, you won't be able to use Microsoft Encrypted Authentication. Instead, you'll have to use the Require Encrypted Authentication or Allow Any Authentication Including Clear Text option. The advantage of Microsoft Encrypted Authentication is that it also includes the option to encrypt data as it flows across the line.

Once the initial configuration process is complete, you can further enhance security by making sure the latest service pack is installed. The service packs alter the operating system’s code to close potential security holes (related to the OS itself, not to the way it’s configured). Some versions of the service packs also increase RAS’s encryption strength.

Once RAS is up and running, not just anyone can dial in. The Administrator must grant dial-in permissions on a per-user basis. You can grant dial-in permissions to a user by going through the User Manager For Domains and accessing the account you want to grant dial-in permissions for. Once you do, you’ll notice there’s a Dialin button on the user’s property sheet. If you click this button, Windows NT will take you to the user’s Dialin Information screen. Before the user will be able to dial in to the network, you must select the Grant Dialin Permission To User check box, as shown in Figure C.

Figure C
Before a user will be able to dial in to the network, you must select the Grant Dialin Permission To User check box.

Perhaps the biggest RAS security feature is the Call Back option. If you enable this option, after the server authenticates the client, the server will disconnect and call the client back. You’ll find the Call Back option by going through the User Manager For Domains and looking on the user’s Dialin Information screen.

The default option is No Call Back. If you decide to enable Call Back, however, you have a couple of options. First, you can set the server to dial a number specified by the user. By doing so, you can create a log of the user’s location. This option works well if the user travels a lot and may be dialing in from a variety of locations.

The most secure option is to use Call Back to dial a preset number. That way, if a hacker gains access, the server will disconnect the hacker and try to dial a phone number that’s known to be secure. Because the hacker isn’t calling from the preset number, there’s no way for him or her to get into your network through the dial-in port.
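Because these settings live on each account, it helps to review them in bulk rather than one property sheet at a time. The following C sketch is an added example, not code from the article or from Microsoft: it classifies accounts by their dial-in privilege bits, using the RASPRIV_* values defined for RAS_USER_0.bfPrivilege in the Windows RAS administration headers. The record structure, finding names, and sample accounts are constructed for illustration; on a real server the bits would come from a call such as RasAdminUserGetInfo.

```c
#include <stdio.h>

/* Bit values of RAS_USER_0.bfPrivilege, as defined in the Windows RAS admin headers. */
#define RASPRIV_NoCallback        0x01
#define RASPRIV_AdminSetCallback  0x02  /* "Preset To" on the Dialin Information screen */
#define RASPRIV_CallerSetCallback 0x04  /* "Set By Caller" */
#define RASPRIV_DialinPrivilege   0x08  /* "Grant Dialin Permission To User" */
#define RASPRIV_CallbackType      0x07

/* Constructed stand-in for the per-user record; not the real RAS_USER_0 layout. */
struct dialin_record {
    const char *user;
    unsigned char privilege;   /* bfPrivilege bits */
    const char *callback_num;  /* preset number, "" if none */
};

enum finding { OK_NO_DIALIN, OK_PRESET_CALLBACK, WARN_CALLER_SET,
               WARN_NO_CALLBACK, ERR_INCONSISTENT };

/* Classify one account against the recommendation above: preset callback. */
enum finding audit_dialin(const struct dialin_record *r)
{
    unsigned char cb = r->privilege & RASPRIV_CallbackType;
    if (!(r->privilege & RASPRIV_DialinPrivilege))
        return OK_NO_DIALIN;                 /* cannot dial in at all */
    if (cb == 0 || (cb & (cb - 1)) != 0)
        return ERR_INCONSISTENT;             /* exactly one callback bit expected */
    if (cb == RASPRIV_AdminSetCallback)      /* preset callback needs a number */
        return r->callback_num[0] ? OK_PRESET_CALLBACK : ERR_INCONSISTENT;
    if (cb == RASPRIV_CallerSetCallback)
        return WARN_CALLER_SET;              /* caller chooses the number */
    return WARN_NO_CALLBACK;
}

int main(void)
{
    static const char *label[] = { "no dial-in", "preset callback",
        "caller-set callback", "dial-in without callback", "inconsistent flags" };
    /* Constructed sample accounts. */
    const struct dialin_record sample[] = {
        { "asmith", RASPRIV_DialinPrivilege | RASPRIV_AdminSetCallback,  "555-0100" },
        { "bjones", RASPRIV_DialinPrivilege | RASPRIV_CallerSetCallback, "" },
        { "cwhite", RASPRIV_DialinPrivilege | RASPRIV_NoCallback,        "" },
        { "guest",  RASPRIV_NoCallback,                                  "" },
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("%-8s %s\n", sample[i].user, label[audit_dialin(&sample[i])]);
    return 0;
}
```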

In this article, I’ve explained the importance of securing your dial-up networking servers. As you can see, dial-up networking in Windows NT is pretty basic. Only a few security options are available, but those options can be very effective.