Lock IT Down: Increasing Windows 2000 RRAS security

Make Windows RRAS more secure from hacker attack

So far, in my discussion about the Windows 2000 RRAS service, I’ve shown you how to configure Windows 2000 for NAT and as a remote access server. But now that you’ve set up your remote access server, how do you secure it? In this Drill Down, I’ll show you how to set up remote access policies for your remote access server. I’ll also show you how you can create secure connections across the Internet using VPN (Virtual Private Network) protocols.

Configuring remote access policies
In my last Daily Drill Down about Windows 2000 RRAS, I showed you how to configure the hardware and port settings for your server. In addition to configuring the hardware and port settings, you also need to configure remote access policies. These policies enable you to control allowed access times, restrict users to specific dial-up numbers, and configure other Remote Access Policy settings.

You configure remote access policies through the RRAS console that I previously introduced to you. Open the console and click the Remote Access Policies branch. By default, remote access permission is denied through the default Remote Access Policy, Allow Access If Dial-In Permission Is Enabled. Double-click the policy and note that Deny Remote Access Permission is selected. This is because there are no other parameters yet specified for the policy. If you enabled it, it would allow all users to gain remote access by default. So, you’ll need to either modify this policy or create a new one. In this example, I’ll assume you want to modify the existing policy to allow only users who belong in a specific user group. For my example, I’ll create a group called RAS users and grant them permission.

First, open the Local Users And Groups console (stand-alone or member server) or the Active Directory Users And Computers console (domain controller). Create a new group named RAS Users and place in it all of the users to whom you want to grant remote access permission.

Next, open the RRAS console and double-click the policy to open its Settings property page. Click Add, select Windows-Groups, and click Add. Click Add in the Groups dialog box, select the group, and click Add. Click OK, then OK again to close the two configuration dialog boxes and return to the Settings property page. Select Grant Remote Access Permission, and click OK.

The policy you just created allows all users in the RAS Users group to log in via RAS at any time. You can modify the Day-And-Time-Restrictions profile to allow RAS access only at certain times. To do so, open the policy again, click Day-And-Time Restrictions, and click Edit. Specify the allowed dial-in times in the Time Of Day Constraints window (as shown in Figure A), and click OK. Configure other settings as needed, and then close the property sheet for the policy to apply the change.

Figure A
Configure the Day-And-Time-Restrictions condition to control when remote access users can dial in.

Now, what happens if you want two separate groups to have RAS access at different times? Simple: You create two policies. RRAS processes all the remote access policies if needed, granting access to a caller if the caller’s parameters match at least one policy. So, a caller might not match the first policy or the second, but might match the third, and RRAS would therefore grant (or deny) access subject to the properties of the matched policy.

For example, assume you have three groups of users: one that needs access from 8:00 A.M. to 5:00 P.M., another that needs access from 5:00 P.M. to midnight, and a third group that can gain access at all hours but must use L2TP for security. You create three policies, one for each situation. Each group of users would belong in an identifying group, which I’ll name RAS 1, RAS 2, and RAS Secure. When you define the policies for RAS 1 and RAS 2, each policy has two properties (in this example): Windows-Group and Day-And-Time-Restrictions. You configure the allowed logon times for the Day-And-Time-Restrictions property for RAS 1 to be 8:00 A.M. to 5:00 P.M., and for RAS 2 to be 5:00 P.M. to 12:00 A.M.

For the third group, use the Windows-Group property along with the Tunnel-Type property set to L2TP to restrict users in that group to only use L2TP. If they attempt to use a different tunneling protocol, such as PPTP, Windows 2000 rejects the connections.

You configure the priority of policies so that RRAS parses them in a specific order. This gives you the ability to move the most frequently used policy to the beginning of the list to speed connections and reduce overhead. To configure policy priority, open the RRAS console, expand the Remote Access Policies branch, click on a policy, and use the up- and down-arrow buttons in the toolbar to change its location in the list.

Configuring a VPN server
Virtual Private Network (VPN) connections enable clients to establish a secure, private connection to a remote computer or LAN through a public network such as the Internet. For example, users who travel can connect through a national or local ISP, then connect through that Internet connection to the office LAN. Windows 2000 supports two tunneling protocols, PPTP and L2TP; the latter provides stronger security than PPTP primarily because of differences in the encryption methods between the two.

Setting up a VPN server is initially not much different from configuring a remote access server, although there are a few additional steps and considerations. When you run the wizard and select the Virtual Private Network option, Windows 2000 prompts you for essentially the same information as for a Remote Access Server, including protocols, network interfaces, IP address assignment mode, and whether or not to use RADIUS for authentication. One difference is when you use the wizard to configure the server for VPN; it creates 128 ports each for PPTP and L2TP. Configuring the server for remote access creates only five ports each.

Even if you use the wizard to set up a VPN server, you still have some tasks to perform to complete the operation. Plus, you might already have the server configured for another RAS purpose and need to configure the server manually for VPN. If you choose the manual method, first perform these tasks:
  • Set up the Internet connection—This is the public connection through which remote clients will gain access to the intranet. Verify that the connection is fully configured and functioning.
  • Set up the intranet connection—If your server is multihomed (has a public interface to the Internet and a private interface to the intranet), configure the intranet connection and verify connectivity with clients on the intranet. Note that you don’t need a second interface to set up a VPN server. A single, public interface will suffice. Remote clients will receive an IP address assignment from the same subnet as the computer’s Internet interface.
  • Set up routing (multihomed systems)—If the server is multihomed, you’ll need to configure static routes, or use routing protocols to enable routing between the public and private interface(s). In most situations the wizard will handle these tasks, but you might have to fine-tune the configuration, particularly if you are using static routes. If the server has only one network interface, you don’t need to configure any routing properties, since no routing is necessary.
  • Enable remote access—If you are configuring VPN support manually, you’ll need to enable RAS on the server. Open the RRAS console, right-click the server, and choose Properties. On the General page, select Remote Access Server.
  • Configure IP addressing and routing—On the properties sheet for the server, click the IP tab, and select Enable IP Routing. If you didn’t already do so through the wizard, configure IP address assignment through the same property page, configuring the server to rely on DHCP, or use a static address pool to assign IP addresses to clients.
  • Configure ports for remote access—You need to ensure that the necessary ports are created and configured for remote access. Expand the server in the RRAS console and open the Ports branch. Right-click Ports and choose Properties. Select either PPTP or L2TP and click Configure. Select Remote Access Connections (Inbound Only) to enable remote access for the port type. Use the Maximum Ports spin control to increase or decrease the number of ports. The number won’t increase in the ports list, however, until you stop and restart the service. If you wish to support both VPN port types, repeat the process for each.

Configuring the server for PPTP VPN connections
Although you can begin using the server to service VPN clients at this point, you’ll probably want to ensure a higher level of security than what you’ll have by default. In particular, you might want to configure filters to restrict traffic to and from the VPN server, as well as define the authentication mechanism(s) to be supported.

In the RRAS console, right-click the server, choose Properties, and then click the Security tab. You can choose between Windows Authentication and RADIUS both for authentication and accounting. Click Authentication Methods to specify the authentication methods you want to support. You need to use either MS-CHAP or EAP-TLS if you need to support encrypted authentication.

If your server is functioning only as a VPN server, consider applying IP filters to allow only PPTP traffic coming to and from the server, excluding all other traffic. This will help prevent unwanted traffic from being routed through your server to your LAN, or from the LAN to the Internet. Filters apply at the interface level, enabling you to configure filters differently for each interface, if needed.

In the RRAS console, expand the server then the IP Routing branch, and click the General branch. Right-click the interface on which you want to configure filters and click Properties. The General page is the place to go to configure filters, and I’ll start with the input filters. Click Input Filters and then click Add In The Input Filters dialog box. Select Destination Network as shown in Figure B, and then in the IP Address field, enter the address of the interface. Specify for the subnet mask. Select Other from the Protocol drop-down list and type 47 in the Protocol Number text box. Click OK to add the filter.

Figure B
Configure input and output filters to restrict traffic on the server to VPN traffic, if desired.

When the Input Filters window reappears, click Add again and add another filter with the same information as the first. However, this time select TCP from the Protocol list, specifying 0 for the Source Port and 1723 for the Destination Port.

You’ll need to add one more input filter if you intend to use the server as a PPTP client. Create a third filter using the same basic information as the first two, this time selecting TCP from the Protocol list, specifying 1723 as the Source Port and 0 as the Destination Port.

The last step in configuring the input filters is to specify the action to take for the filter. Back on the Input Filters dialog box, select Drop All Packets Except Those That Meet The Criteria Below, and then click OK.

Next, configure output filters using much the same process you used for the input filters. On the General page of the interface’s property sheet, click Output Filters. Create a filter for Source Network, specifying the IP address of the interface, the subnet mask, Protocol as Other, and 47 as the protocol. Add a second IP filter for Source Network with TCP as the protocol, 1723 as the Source Port, and 0 as the Destination Port. If the server will be used as a PPTP client, add a third filter for Source Network, TCP, Source Port 0, and Destination Port 1723. Return to the Output Filters dialog box and configure the filters to drop all packets except those that meet the filter criteria.

Configuring the server for L2TP VPN connections
As you do for PPTP, you need to configure the L2TP ports to allow remote access. Open the properties for the Ports branch, select L2TP from the Ports list, and click Configure. Select Remote Access Connections (Inbound Only) and then close the dialog boxes.

You also should configure filters to restrict traffic to and from the server to prevent unwanted traffic from being routed through the server. As you do for PPTP filters, you configure L2TP filters through the properties for the affected network interface. Start with the input filters. Create the first filter for Destination Network, the IP address of the interface, a subnet mask of, UDP as the protocol, and 500 for both the source and destination ports. Add a second input filter using the same information but specifying 1701 for both the source and destination ports. Configure the filter to drop all packets except those that meet the filter criteria.

Next, create the necessary output filters. Create the first filter for Source Network, the IP address of the interface, a subnet mask, UDP as the protocol, and source and destination ports specified as 500. Add a second output port with similar settings but with source and destination ports of 1701. Configure the filters to exclude all packets except those that fit the filter criteria.

Configuring RAS policy for PPTP/L2TP
After you configure the ports and other settings for PPTP and/or L2TP, turn your attention to configuring remote access policies to allow VPN connections (and potentially restrict access only to VPN access). First, create a group (or use an existing group) to give you a means of restricting VPN connections to specific users. Then, open the RRAS console, followed by the Remote Access Policies branch. Create a new remote access policy, giving it an appropriate name such as VPN Access. Configure the conditions for the policy to include group membership so that it restricts access only to users who belong in your VPN users group. Then, add a condition for NAS-Port-Type set to Virtual (VPN). Add a third condition for Tunnel-Type set to PPTP, L2TP, or both, depending on which protocols you’re supporting on the server. If you haven’t modified the default remote access policy, move it after the VPN policy. You need to make this change because the default policy denies access to all users.

Finally, configure encryption. Double-click the newly created policy to open its properties, and then click the Encryption tab. Select options on the Encryption tab depending on the levels of encryption you want to allow for VPN connections according to your clients’ configurations.

In this Daily Drill Down, I’ve shown you how to increase security for your remote access servers. You can do so using remote access policies and VPN. On VPNs, you have several different types of protocols to choose from, including PPTP and L2TP. I explained these protocols and how to configure RRAS to support them. In a future Daily Drill Down, I’ll take a look at configuring a network router, covering both unicast and multicast routers.

Editor's Picks