Title: 70-299 MCSE Guide to Implementing and Administering Security in a Microsoft Windows Server 2003 Network
70-299 MCSE Guide to Implementing and Administering Security in a Microsoft Windows Server 2003 Network
- Chapter 10
- Planning and Deploying Authentication for Remote Access Users
Objectives
- Deploy and manage SSL certificates
- Configure a Web server for SSL certificates
- Configure a client for SSL certificates
- Determine certificate renewal
- Configure security for Remote Access users
Objectives (continued)
- Provide Remote Access over a VPN
- Manage client configuration for Remote Access security
Deploying and Managing SSL Certificates
- Install IIS in a highly secure, locked-down configuration before adding SSL; SSL protects the traffic, not a badly configured server
- Secure Sockets Layer (SSL): a public-key-based security protocol used by Internet services and clients for authentication, message integrity, and confidentiality
- The SSL process uses
  - Certificates for authentication
  - Encryption for message integrity and confidentiality
- A valid server certificate must be installed before SSL can establish encrypted communications
Deploying and Managing SSL Certificates (continued)
- Certificate-based SSL features in IIS consist of
  - A server certificate
  - A client certificate
  - Various digital keys
- Ways to obtain certificates
  - Create them with Certificate Services (your own CA)
  - Obtain them from a mutually trusted third-party organization called a certification authority (CA)
Deploying and Managing SSL Certificates (continued)
Table 10-1 IIS Authentication Methods
HTTPS
- HTTPS (HTTP over Secure Sockets Layer): HTTP carried inside an SSL/TLS-secured channel; the channel is negotiated first and every HTTP request and response then travels through it (this is what distinguishes it from S-HTTP, which secured individual messages)
- Popular e-commerce technology, used for secure online shopping
- Communicates on TCP port 443
- SSL-secured URLs begin with the https:// prefix
- SSL was created by Netscape and originally used a 40-bit RC4 stream cipher (export grade); 128-bit encryption keys are now available and should be required
LDAPS
- LDAPS: Lightweight Directory Access Protocol (LDAP) over SSL, used to protect Active Directory traffic
- Enabled by installing a properly formatted server certificate from a certification authority (CA) on the domain controller; the certificate's subject or subject alternative name must match the DC's fully qualified domain name, and clients must trust the issuing CA
- LDAPS communication occurs over TCP port 636
- LDAPS communication to a global catalog server occurs over TCP port 3269
- SSL/TLS is negotiated before any LDAP traffic is exchanged when connecting to ports 636 or 3269
LDAPS (continued)
Figure 10-1 LDAP communications on port 636
Wireless Networks
- Wireless communications can be secured at the application layer with Secure Shell (SSH) or HTTP with SSL or TLS
Table 10-2 SSL Advantages and Disadvantages
Configuration of the Web Server for SSL Certificates
- Use SSL encryption only for sensitive information: encrypted transmissions can significantly reduce transmission rates and server performance
- Server certificates give users a way to confirm the identity of your Web site
- A server certificate contains the following information
  - Organization name affiliated with the server content
  - Name of the organization that issued the certificate
  - A public key that is used to establish an encrypted connection
Configuration of the Web Server for SSL Certificates (continued)
Figure 10-2 Web Server Certificate Wizard screen
Configuration of the Web Server for SSL Certificates (continued)
Figure 10-3 Certificate Request Submission screen
Configuration of the Web Server for SSL Certificates (continued)
- The Web server can be configured to require a 128-bit minimum session-key strength for all SSL-secured communication sessions; clients that can only negotiate 40- or 56-bit keys are then refused
- Computers running Windows Server 2003 with IIS 6.0 can be configured to accept client certificates only from a predefined list of CAs
- Each Web site can be configured to accept certificates from a different list by using certificate trust lists (CTLs)
- The Certificate Trust List Wizard can be used to
  - Create and edit CTLs
  - Add new root certificates to your CTLs
Configuration of the Web Server for SSL Certificates (continued)
Figure 10-4 Welcome to the Certificate Import Wizard screen
Configuration of the Web Server for SSL Certificates (continued)
Figure 10-5 Welcome to the Certificate Trust List Wizard screen
Self-Issued Certificates
- Considerations when deciding to issue your own server certificates
  - Microsoft Certificate Services can accommodate different certificate formats and provides auditing and logging of certificate-related activity
  - Evaluate the cost of each approach
  - Keep the learning curve in mind
  - Evaluate the willingness of outside vendors and clients to trust your organization as a certificate supplier; a certificate from your own CA is only as trustworthy to them as the root certificate they have chosen to install
Publicly Issued Certificates
- Used when users outside your organization have no reason to trust your self-issued certificates
- The certificate is obtained from a mutually trusted, third-party CA, e.g., VeriSign or Thawte
- Requirements to obtain certificates from a public CA
  - Providing identification information
  - Might require a personal interview with the CA
  - Endorsement of a notary
  - Wait time: several days to several months
  - Must be renewed on a regular basis
Publicly Issued Certificates (continued)
- General rules about any type of Web certificate
  - Each Web site can have only one server certificate assigned to it
  - One certificate can be assigned to multiple Web sites
  - You can assign multiple IP addresses per Web site
  - You can assign multiple SSL ports per Web site
Configuration of the Client for SSL Certificates
- A typical client certificate contains the following items of information
  - Identity of the user
  - Identity of the certification authority
  - A public key used for establishing encrypted communications
  - Validation information, such as an expiration date and serial number
Configuration of the Client for SSL Certificates (continued)
- To protect your Web content from unauthorized access, a client certificate alone only proves that the client holds a key the CA vouched for; you must also do one of the following
  - Use Basic, Digest, or Integrated Windows authentication in addition to requiring a client certificate
  - Create a Windows account mapping for client certificates, so that the certificate itself identifies a Windows account
Configuration of the Client for SSL Certificates (continued)
Figure 10-6 SSL browser options
Certificate Renewal
- Security and renewal requirements for certificates should be based on the following factors
  - Value of the network resources protected by the CA trust chain
  - Degree to which you trust your certificate users
  - Amount of administrative effort that you are willing to devote to certificate renewal and CA renewal
  - Business value of the certificate
Certificate Renewal (continued)
Table 10-3 Recommendations for Validity Periods
Configuring Security for Remote Access Users
- A secure and reliable remote access solution requires careful planning and testing of the remote access design
- Types of remote access authentication protocol
  - Password Authentication Protocol (PAP)
  - Challenge Handshake Authentication Protocol (CHAP)
  - Microsoft CHAP (MS-CHAP)
  - Microsoft CHAP version 2 (MS-CHAP v2)
  - Extensible Authentication Protocol (EAP)
Configuring Security for Remote Access Users (continued)
Figure 10-7 Configure Routing and Remote Access Server screen
Configuring Security for Remote Access Users (continued)
Figure 10-8 Configured Routing and Remote Access
Configuring Security for Remote Access Users (continued)
Figure 10-9 Configured Routing and Remote Access Authentication policy
Password Authentication Protocol
- Uses a two-way handshake to provide user authentication: the server asks for the credentials and the user supplies them
- PAP is strongly discouraged: user credentials are sent over the wire in clear text and can be easily sniffed by an attacker
- Cannot be used with Microsoft Point-to-Point Encryption (MPPE)
- Currently used only by older UNIX-based servers
Challenge Handshake Authentication Protocol
- Used to provide on-demand authentication within an ongoing data transmission
- CHAP uses a one-way hashing function: the authenticator sends a random challenge, the client returns a hash of the challenge and its password, and the authenticator compares the client's hash value with its own calculated value
- The process is repeated at random intervals during a data transaction session, so a sniffed response is useless against the next challenge
- Because the authenticator must recompute the hash, it needs the clear-text password; on Windows this means storing passwords with reversible encryption
- CHAP authentication cannot be used with MPPE
- Two forms of CHAP are Microsoft-specific: MS-CHAP and MS-CHAPv2
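The PAP and CHAP exchanges described on the two slides above, as an added example that is not part of the textbook. It simulates both ends of a PPP link in Python: PAP puts the password itself on the wire, while CHAP (RFC 1994 with MD5) sends only a hash of the identifier, the secret and a fresh challenge, so the authenticator must hold the clear-text secret but a sniffer learns nothing it can replay. The credential store, user name, password and challenge values are constructed for the demonstration; MS-CHAP is not modelled.

```python
"""PAP versus CHAP on a simulated PPP link (added example, not from the book).

The credential store, user name and password below are constructed for the
demonstration. MS-CHAP is not modelled: it differs from CHAP mainly in working
from the NT password hash instead of the clear-text password.
"""
import hashlib
import hmac
import os

# The authenticator's credential store. CHAP (RFC 1994) recomputes
# MD5(identifier || secret || challenge), so the server must hold the clear-text
# secret; on Windows that means passwords stored with reversible encryption.
USER_DB = {"alice": b"Pa55word!"}   # constructed sample credentials


def pap_authenticate_request(username: str, password: bytes) -> bytes:
    """PAP Authenticate-Request body as it crosses the wire (RFC 1334 layout,
    simplified): peer-id length, peer-id, password length, password, all in clear."""
    return bytes([len(username)]) + username.encode() + bytes([len(password)]) + password


def pap_server_check(packet: bytes) -> bool:
    """Authenticator side of PAP: compare the received clear-text password."""
    n = packet[0]
    username = packet[1:1 + n].decode()
    m = packet[1 + n]
    password = packet[2 + n:2 + n + m]
    expected = USER_DB.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side of CHAP/MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_server_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side of CHAP: recompute the hash from the stored secret and
    compare in constant time (a plain == would leak timing information)."""
    secret = USER_DB.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_chap_session(username: str, secret: bytes, rounds: int = 3) -> list:
    """One CHAP session: the initial challenge plus periodic re-challenges, each
    with a fresh random challenge and a new identifier. Returns the client-to-
    server bytes that crossed the wire, so the caller can check what a sniffer saw."""
    wire = []
    for identifier in range(1, rounds + 1):
        challenge = os.urandom(16)                                # authenticator -> client
        response = chap_response(identifier, secret, challenge)   # client -> authenticator
        wire.append(response)
        if not chap_server_verify(username, identifier, challenge, response):
            raise RuntimeError(f"CHAP round {identifier} failed for {username}")
    return wire


def chap_replay_attempt(username: str, secret: bytes) -> bool:
    """A sniffed response replayed against the next challenge: returns True only
    if the authenticator wrongly accepts it."""
    first_challenge = os.urandom(16)
    sniffed = chap_response(1, secret, first_challenge)
    next_challenge = os.urandom(16)
    return chap_server_verify(username, 2, next_challenge, sniffed)


if __name__ == "__main__":
    pkt = pap_authenticate_request("alice", b"Pa55word!")
    print("PAP accepted:", pap_server_check(pkt), "| password visible on wire:", b"Pa55word!" in pkt)
    wire = run_chap_session("alice", b"Pa55word!")
    print("CHAP accepted; password visible on wire:", any(b"Pa55word!" in r for r in wire))
    print("CHAP replay accepted:", chap_replay_attempt("alice", b"Pa55word!"))
```

Run it and compare the two "password visible on wire" lines: the PAP packet contains the password bytes verbatim, the CHAP responses never do, and the replayed CHAP response is rejected because the challenge and identifier changed.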
Microsoft Challenge Handshake Authentication Protocol
- MS-CHAP uses the same type of challenge/response mechanism as CHAP but works from a nonreversible hash of the password, so reversibly encrypted password storage is not needed
- The MS-CHAP v2 challenge/response mechanism is much more sophisticated than that of MS-CHAP: authentication is mutual
  - The client answers the server's challenge (contributing a peer challenge of its own), and the server then proves to the client that it also knows the password before the client accepts the connection
- A dial-up connection typically uses MS-CHAP v2
- Supported by Windows XP, 2000, 98, ME, and NT 4.0
Extensible Authentication Protocol
- EAP is an extension to PPP
- Allows an arbitrary authentication mechanism to authenticate a remote access connection
- The authentication mechanism is not chosen during the link establishment phase
- EAP negotiation is performed during the connection authentication phase
- Routing and Remote Access includes support for EAP-TLS and MD5-Challenge by default
Extensible Authentication Protocol (continued)
- EAP-MD5 (MD5-Challenge) authenticates the credentials of remote access clients using username- and password-based security systems; it requires that local or domain passwords be stored in a reversibly encrypted form, and it gives the client no proof of the server's identity
- EAP-TLS is designed for use with a certificate infrastructure and either certificates or smart cards; it is supported only on servers that are
  - Running Routing and Remote Access
  - Configured to use Windows authentication
  - Members of a domain
Multifactor Authentication
- Combines two or three of the following factors for proof of identification
  - Something he or she knows, e.g., a password or a PIN for a smart card
  - Something he or she has, e.g., a smart card or access card
  - Something he or she is, e.g., a fingerprint or retinal scan
- Considerations for using smart card authentication: cost, infrastructure, administrative overhead, and remote connections
Providing Remote Access Over a VPN
- Virtual private network (VPN): a method for allowing remote access users to connect to a corporate network over the Internet
- Uses a combination of tunneling, authentication, and encryption technologies to create secure connections
- VPNs offer the following benefits
  - Save long-distance phone expenses
  - Require less hardware
  - Prevent unauthorized users from connecting
  - Make it difficult for an attacker to read the data sent
Providing Remote Access Over a VPN (continued)
- Procedure for designing security for a VPN remote access server solution
  - Choose a VPN protocol
  - Decide which authentication protocols are needed
  - Pick the extent and level of encryption to use
  - If organizational needs warrant the use of certificates, plan a certificate infrastructure that supports client authentication for remote access
  - Consider enhancing security by using remote access account lockout
Internet Service Providers
- Two ways to access the Internet
  - Register your own IP address range and maintain your own DNS server and DNS resolution
  - Use the DNS server and equipment that someone else, namely an ISP, has registered
- Benefits of using an ISP
  - Cost savings by minimizing both setup and operations costs
  - Guaranteed level of service for some or all components of your remote access solution
Client Operating Systems
- Windows Server 2003 supports two VPN protocols
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec)
Table 10-4 Comparison of Client Support for Tunneling Protocols
Client Operating Systems (continued)
Figure 10-10 Configuring a client tunneling protocol
Using Point-to-Point Tunneling Protocol
- Tunnels at Layer 2 of the OSI model and establishes a single point-to-point connection
- Connection types where PPTP may be used
  - Over the Internet (such as a VPN)
  - Via a dial-up connection
- Encapsulates PPP frames inside IP packets carried across the Internet: a GRE (IP protocol 47) data tunnel plus a TCP port 1723 control connection
- PPTP VPN connections require MS-CHAP, MS-CHAP v2, or EAP-TLS, because MPPE derives its encryption keys from those authentication exchanges
- Not the most secure method
Using Layer Two Tunneling Protocol
- L2TP is an extension of PPP, created by combining the best qualities of PPTP and Layer 2 Forwarding (L2F); it sets up a single point-to-point connection between two computers
- L2TP itself does not encrypt; L2TP/IPSec provides the following for each packet: data integrity, data origin authentication, data confidentiality, and replay protection
- It is protocol-independent and includes an authentication mechanism
Using Layer Two Tunneling Protocol (continued)
- L2TP/IPSec uses
  - PPP user authentication methods
  - IPSec encryption to encrypt IP traffic
- L2TP/IPSec can be used only by Windows 2000 Professional and newer clients
- For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption
- If using a PPTP-based VPN solution, it is best to use MS-CHAP v2
Using Layer Two Tunneling Protocol (continued)
- When choosing an authentication protocol for VPN connections, keep the following in mind
  - When using smart cards or certificates, use EAP-TLS for both PPTP and L2TP connections
  - When using a password-based authentication protocol, choose MS-CHAP v2, then use Group Policy to enforce strong passwords
  - Always use the most secure protocols that your network access servers and clients can support
Network Address Translation Devices
- Translate the IP addresses and TCP/UDP port numbers of packets, which hides the real addresses of your private network and allows one public address to provide Internet access to many users simultaneously
- PPTP with its built-in MPPE encryption is able to interoperate with NAT
- Microsoft servers prior to Windows Server 2003 could not use IPSec and NAT together
Network Address Translation Devices (continued)
Figure 10-11 Demand Dial Interface Wizard
Network Address Translation Devices (continued)
Figure 10-12 Completing the Demand-Dial Interface Wizard screen
IP NAT Traversal
- Enables IPSec VPNs to work with NAT devices
- Works by providing UDP encapsulation of IPSec packets (UDP port 4500) to enable IKE and ESP-protected traffic to pass through the NAT device; ESP on its own carries no port numbers for the NAT to translate
- In the case of VPN client use with NAT
  - PPTP-based VPN clients can be located behind a NAT if the NAT includes a PPTP NAT editor (the NAT in the Windows Server 2003 Routing and Remote Access service has one)
  - If you locate L2TP/IPSec-based clients or servers behind a NAT device, both client and server must support IPSec NAT Traversal
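The NAT behaviour described on the last two slides, as an added example that is not part of the textbook. The Python below models a port-translating NAT with a mapping table, then sends three kinds of traffic through it: bare ESP (dropped, nothing to key on), ESP wrapped in UDP 4500 by NAT-T (translated like any UDP flow, two private clients kept apart by their public ports) and PPTP's GRE tunnel (dropped unless the NAT has a PPTP editor that keys on the Call ID). All addresses, Call IDs and payloads are constructed.

```python
"""Why ESP and GRE need help crossing NAT (added example, not from the book).

A port-translating NAT rewrites the source address and port of outbound packets
and records the mapping so replies can be sent back to the right private host.
ESP (IP protocol 50) and the GRE (IP protocol 47) tunnel used by PPTP carry no
transport port, so a plain NAT has nothing to key on. IPSec NAT-T wraps ESP in
UDP 4500; a PPTP NAT editor keys on the GRE Call ID instead. The addresses,
Call IDs and payloads below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
NAT_T_PORT = 4500                 # UDP port for IKE and UDP-encapsulated ESP under NAT-T
VPN_SERVER = "198.51.100.20"      # constructed public address of the VPN server


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None        # TCP/UDP only
    dport: Optional[int] = None
    call_id: Optional[int] = None      # GRE (PPTP data) only
    payload: bytes = b""


@dataclass
class Nat:
    public_ip: str
    pptp_editor: bool = False          # the RRAS NAT in Windows Server 2003 has one
    next_id: int = 40000
    table: dict = field(default_factory=dict)   # (proto, public id) -> (private ip, private id)

    def _map(self, proto: int, private_ip: str, private_id: int) -> int:
        """Reuse or allocate the public port (or Call ID) for a private flow."""
        for (p, pub), (ip, pid) in self.table.items():
            if p == proto and ip == private_ip and pid == private_id:
                return pub
        pub, self.next_id = self.next_id, self.next_id + 1
        self.table[(proto, pub)] = (private_ip, private_id)
        return pub

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a private-to-Internet packet; None means the NAT cannot and drops it."""
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            pub = self._map(pkt.proto, pkt.src, pkt.sport)
            return Packet(pkt.proto, self.public_ip, pkt.dst, pub, pkt.dport, payload=pkt.payload)
        if pkt.proto == PROTO_GRE and self.pptp_editor:
            pub = self._map(PROTO_GRE, pkt.src, pkt.call_id)      # editor rewrites the Call ID
            return Packet(PROTO_GRE, self.public_ip, pkt.dst, call_id=pub, payload=pkt.payload)
        return None   # ESP, or GRE without an editor: no field to translate on

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet-to-private reply back using the recorded mapping."""
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            entry = self.table.get((pkt.proto, pkt.dport))
            if entry:
                ip, port = entry
                return Packet(pkt.proto, pkt.src, ip, pkt.sport, port, payload=pkt.payload)
        elif pkt.proto == PROTO_GRE and self.pptp_editor:
            entry = self.table.get((PROTO_GRE, pkt.call_id))
            if entry:
                ip, cid = entry
                return Packet(PROTO_GRE, pkt.src, ip, call_id=cid, payload=pkt.payload)
        return None


def nat_t_encapsulate(esp: Packet) -> Packet:
    """IPSec NAT-T: carry the ESP packet inside UDP 4500 so a NAT can translate it."""
    return Packet(PROTO_UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT, payload=b"ESP|" + esp.payload)


def esp_round_trip(nat: Nat, client_ip: str, use_nat_t: bool) -> Optional[str]:
    """Send ESP from a private client through the NAT and return the private address the
    server's reply reaches, or None if the exchange dies at the NAT."""
    esp = Packet(PROTO_ESP, client_ip, VPN_SERVER, payload=b"spi=0x1234")
    out = nat.outbound(nat_t_encapsulate(esp) if use_nat_t else esp)
    if out is None:
        return None
    reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport, payload=out.payload)
    back = nat.inbound(reply)
    return back.dst if back else None


def pptp_round_trip(nat: Nat, client_ip: str) -> Optional[str]:
    """Same check for the PPTP GRE data tunnel (the TCP 1723 control channel is ordinary TCP)."""
    gre = Packet(PROTO_GRE, client_ip, VPN_SERVER, call_id=7, payload=b"PPP frame")
    out = nat.outbound(gre)
    if out is None:
        return None
    reply = Packet(PROTO_GRE, out.dst, out.src, call_id=out.call_id, payload=out.payload)
    back = nat.inbound(reply)
    return back.dst if back else None


if __name__ == "__main__":
    nat = Nat("203.0.113.5")
    print("plain ESP:", esp_round_trip(nat, "192.168.1.10", use_nat_t=False))
    print("NAT-T ESP:", esp_round_trip(nat, "192.168.1.10", use_nat_t=True))
    print("PPTP, no editor:", pptp_round_trip(nat, "192.168.1.10"))
    print("PPTP, editor:", pptp_round_trip(Nat("203.0.113.5", pptp_editor=True), "192.168.1.10"))
```

The model deliberately keys the table on the public port only, which is why two clients behind the same NAT both sending from UDP 4500 still get separate entries: that is the same property that lets a real NAT-T deployment support several IPSec clients behind one address.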
Routing and Remote Access Servers
- Steps to be taken when deploying a VPN
  - Configure the server as a VPN remote access server
  - Configure routing on the VPN server
  - Implement security
  - If required, install certificates
  - Configure the remote access policy for the VPN server
  - Configure remote access account lockout if necessary
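Remote access account lockout, the last step above, as an added example that is not part of the textbook. Windows Server 2003 configures it with two registry values on the server that authenticates the connection (Routing and Remote Access with Windows authentication, or IAS): MaxDenials and ResetTime (mins), under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout. The Python class below models that failed-attempt counter so the reset window can be reasoned about; the bookkeeping is this model's own, and the account names and timestamps are constructed.

```python
"""Remote access account lockout counter (added example, not from the book).

Windows Server 2003 configures remote access account lockout with two registry
values on the authenticating server (RRAS using Windows authentication, or IAS)
under HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\Parameters\\AccountLockout:
MaxDenials (failed attempts allowed; 0 disables lockout) and ResetTime (mins)
(how long the failed-attempt counter is kept). This class models that counter;
the exact bookkeeping is the model's, not a transcript of the Windows code, and
the account names and timestamps are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

T0 = datetime(2003, 6, 2, 9, 0)   # constructed start time for the examples


def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


class RemoteAccessLockout:
    """Tracks failed remote access authentications per account."""

    def __init__(self, max_denials: int = 5, reset_minutes: int = 2880):
        # 2880 minutes (48 hours) is the documented default for ResetTime (mins)
        self.max_denials = max_denials
        self.reset_window = timedelta(minutes=reset_minutes)
        self._failed: Dict[str, Tuple[int, datetime]] = {}   # account -> (count, window start)

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Process one authentication attempt: 'accepted', 'rejected' or 'locked'."""
        if self.max_denials == 0:                   # lockout disabled
            return "accepted" if password_ok else "rejected"
        count, started = self._failed.get(account, (0, now))
        if now - started >= self.reset_window:      # ResetTime elapsed: counter cleared
            count, started = 0, now
        if count >= self.max_denials:               # still inside the window: stay locked,
            return "locked"                         # even for a correct password
        if password_ok:
            self._failed.pop(account, None)         # success clears the counter (model choice)
            return "accepted"
        self._failed[account] = (count + 1, started)
        return "rejected"

    def unlock(self, account: str) -> None:
        """Administrator reset, the equivalent of deleting the account's entry under AccountLockout."""
        self._failed.pop(account, None)

    def is_locked(self, account: str, now: datetime) -> bool:
        count, started = self._failed.get(account, (0, now))
        return count >= self.max_denials > 0 and now - started < self.reset_window


def guessing_attack(lockout: RemoteAccessLockout, account: str, guesses: int) -> List[str]:
    """An attacker's wrong guesses one minute apart from T0, followed by the real
    user's correct password: shows both the protection and the denial-of-service
    side effect (the legitimate user is locked out too)."""
    results = [lockout.attempt(account, False, minutes_after(i)) for i in range(guesses)]
    results.append(lockout.attempt(account, True, minutes_after(guesses)))
    return results


if __name__ == "__main__":
    lockout = RemoteAccessLockout(max_denials=3, reset_minutes=30)
    print(guessing_attack(lockout, "alice", 3))                       # ... 'locked'
    print("locked at +4 min:", lockout.is_locked("alice", minutes_after(4)))
    print("after reset window:", lockout.attempt("alice", True, minutes_after(31)))
```

The last two lines make the practical caveat visible: an attacker who knows a user name can lock that user out of remote access until ResetTime expires or an administrator clears the entry, so MaxDenials and ResetTime trade password-guessing resistance against a deliberate denial of service.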
Routing and Remote Access Servers (continued)
Figure 10-13 Configuring remote access account lockout
Routing and Remote Access Servers (continued)
- Options to increase server performance when planning the deployment of remote access servers
  - Upgrading the server hardware
  - Increasing the amount of RAM
  - Using separate remote access servers
Routing and Remote Access Servers (continued)
- Guidelines for upgrading the server hardware in the case of dial-up networking
  - A modem or a multiport adapter and access to an analog telephone line; for a large number of clients, install modem bank equipment and multiple phone lines
  - For each modem, a server serial port; for modem banks, a multiport serial adapter or a high-density combination card
  - Consider using multiport serial boards to offload processing from the remote access server
Routing and Remote Access Servers (continued)
- Guidelines for upgrading the server hardware in the case of a VPN
  - Use network adapters capable of IPSec hardware offloading for interfaces on the public network
  - Configure all devices to 100 Mbps full duplex
  - Private network interfaces, and the data servers and routers that remote access clients will access, should be directly connected to a high-capacity switch
VPN Router Placement in Relation to Firewalls
Table 10-5 Comparison of Port Configuration Based on Firewall Placement
Managing Client Configuration for Remote Access Security
- Windows Server 2003 has built-in tools to assist in managing client access to a remote access server
- Clients can be configured using
  - Native connection features in Windows, best suited for when there are few users connecting to the network
  - A managed client solution, such as Connection Manager and its components, which enables a network administrator to preconfigure remote access clients
Remote Access Policy
- A collection of conditions and settings that define authorization and access privileges for connection attempts
- Consists of three components that work together to allow or deny the connection: conditions, permissions, and profiles
- Multiple remote access policies can be configured on a single server
- Default remote access policy: Connections to Microsoft Routing and Remote Access server
Remote Access Policy (continued)
- Conditions are attributes that must be met in order to satisfy the policy
  - First component that is checked on a connection attempt
  - Checked only at the initial time of the connection attempt
  - Might include day and time restrictions, connection types, and security group memberships
  - If multiple conditions are set, all of them must be met to satisfy the policy
  - Policies are evaluated in order and the first policy whose conditions match is used; a connection attempt that matches no policy is rejected
Remote Access Policy (continued)
- Permissions are checked after conditions, assuming that a condition to deny has not already been met
  - User dial-in permission can be set to Allow, Deny, or Control access through Remote Access Policy (the last option requires a domain in at least Windows 2000 native mode)
  - An explicit Allow or Deny on the user account overrides the permission setting of the matching policy
- Profile settings must be met in order to obtain and to continue a connection; they apply once the connection is authorized, whether by the user account's dial-in setting or by the policy when the account is set to Control access through Remote Access Policy
- Profiles can include day and time restrictions, idle timeouts, session timeouts, encryption, authentication, connection types, etc.
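The three-stage evaluation described across the remote access policy slides, as an added example that is not part of the textbook. The Python below walks a connection attempt through conditions, then the permission check (where an explicit account setting overrides the policy), then the profile, using a constructed two-policy set: a business-hours VPN policy for a Contractors group followed by a catch-all deny standing in for the default policy (whose real condition is assumed here to match every connection). Group names, times and connection attributes are constructed.

```python
"""Remote access policy evaluation: conditions, permission, profile (added example).

Models the three-stage decision the slides describe for a Windows Server 2003
remote access server. Policy names, group names, times and connection
attributes are constructed for the demonstration; the order of the checks and
the outcomes follow the text.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Set, Tuple

# user account dial-in settings
ALLOW, DENY, CONTROL_BY_POLICY = "Allow access", "Deny access", "Control access through Remote Access Policy"

T0 = datetime(2003, 6, 2, 10, 0)          # a constructed Monday at 10:00


@dataclass
class Connection:
    user: str
    groups: Set[str]
    conn_type: str          # "VPN" or "Dial-up"
    when: datetime
    auth_protocol: str      # e.g. "MS-CHAPv2", "EAP-TLS", "PAP"
    encryption_bits: int    # 0 = no encryption


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Connection], bool]]   # every condition must hold
    grant: bool                                       # the policy's own permission
    allowed_auth: Set[str] = field(default_factory=lambda: {"MS-CHAPv2", "EAP-TLS"})
    min_encryption_bits: int = 128


# condition helpers
def in_group(name): return lambda c: name in c.groups
def is_type(kind): return lambda c: c.conn_type == kind
def between_hours(start, end): return lambda c: start <= c.when.hour < end
def any_connection(c): return True


def evaluate(conn: Connection, user_dialin: str, policies: List[Policy]) -> Tuple[bool, str]:
    """Return (accepted, reason). Policies are tried in order; the first whose
    conditions all match decides, and a connection matching no policy is rejected."""
    for pol in policies:
        # 1. conditions, checked once at connection time
        if not all(cond(conn) for cond in pol.conditions):
            continue
        # 2. permission: an explicit account setting overrides the policy's own
        if user_dialin == DENY:
            return False, f"{pol.name}: denied by user account"
        if user_dialin == CONTROL_BY_POLICY and not pol.grant:
            return False, f"{pol.name}: denied by policy"
        # 3. profile: constraints to obtain (and keep) the connection
        if conn.auth_protocol not in pol.allowed_auth:
            return False, f"{pol.name}: {conn.auth_protocol} not allowed by profile"
        if conn.encryption_bits < pol.min_encryption_bits:
            return False, f"{pol.name}: encryption below {pol.min_encryption_bits}-bit profile minimum"
        return True, f"{pol.name}: accepted"
    return False, "no matching remote access policy"


# Constructed policy set: contractors may use the VPN in business hours; the
# catch-all deny stands in for the default policy (its real condition is
# assumed here to match every connection).
POLICIES = [
    Policy("Contractor VPN", [in_group("Contractors"), is_type("VPN"), between_hours(8, 18)], grant=True),
    Policy("Connections to Microsoft Routing and Remote Access server", [any_connection], grant=False),
]


def contractor(when=T0, auth="MS-CHAPv2", enc=128, conn_type="VPN") -> Connection:
    """A constructed contractor connection attempt."""
    return Connection("bob", {"Contractors"}, conn_type, when, auth, enc)


if __name__ == "__main__":
    for label, conn, dialin in [
        ("in hours, policy-controlled", contractor(), CONTROL_BY_POLICY),
        ("after hours, policy-controlled", contractor(when=T0.replace(hour=22)), CONTROL_BY_POLICY),
        ("after hours, account Allow", contractor(when=T0.replace(hour=22)), ALLOW),
        ("in hours, PAP", contractor(auth="PAP", enc=0), CONTROL_BY_POLICY),
        ("in hours, account Deny", contractor(), DENY),
    ]:
        print(f"{label:32} -> {evaluate(conn, dialin, POLICIES)}")
```

The third case is the one worth studying: after hours the contractor falls through to the catch-all deny policy, yet an account set to Allow access still connects, because the account setting overrides the policy's permission while the policy's profile (MS-CHAPv2, 128-bit) is still enforced.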
Remote Access Policy (continued)
Figure 10-14 New remote access policy
Connection Manager Administration Kit
- Connection Manager consists of three different pieces
  - The Connection Manager client provides a simplified way of connecting to a remote network
  - The Connection Manager Administration Kit (CMAK) allows the administrator to create and configure the service profile
  - Connection Point Services (CPS) allows for the creation and maintenance of phone books
Connection Manager Administration Kit (continued)
- New features in the CMAK Wizard for Windows Server 2003 include
  - Routing table updates that apply only while clients are connected to your server (split tunneling)
  - Automatic configuration of Internet Explorer proxy settings for a client computer
  - Letting clients choose which VPN server to use when they make a connection
  - Automatically running applications on the client computer or on the server at the time of the connection
Customizing Connection Manager
- Connection Manager also has the ability to run custom actions at various points when establishing a connection
- The CMAK Wizard is used to include custom actions in your service profile, such as automatically starting programs when users connect
- Custom actions are quite flexible and can include batch files, executable files, and dynamic link libraries (DLLs), or they can use installed or distributed programs
Customizing Connection Manager (continued)
- List of the custom actions that can be performed
  - Preinitialization actions
  - Preconnect actions
  - Predial actions
  - Pretunnel actions
  - Postconnect actions
  - Disconnect actions
  - On cancel actions
  - On error actions
Customizing Connection Manager (continued)
Figure 10-15 Configuring CMAK
Customizing Connection Manager (continued)
Figure 10-16 Configuring a custom action
Deploying Remote Access Clients
- CMAK can be used to automate the client configuration process
- Ways to distribute the client configuration
  - Distribute CDs or floppy disks containing your self-installing Connection Manager package
  - Send a service profile through e-mail to your users
  - Set up a Web site where users can download the service profile
  - Install the service profile on each client individually
  - Use a combination of distribution methods
- Because a service profile can carry custom actions that run programs on the client, distribute it through a channel whose origin and integrity users can verify rather than as an anonymous attachment
Summary
- The SSL protocol can be used with IIS 6.0 to encrypt confidential information exchanged between the Web server and the client
- The SSL process uses certificates for authentication, and encryption for message integrity and confidentiality
- Computers running Windows Server 2003 with IIS 6.0 can be configured to accept certificates from a predefined list of certification authorities
- Placing the VPN router behind the firewall, with the firewall attached to the Internet, is the recommended configuration
Summary (continued)
- Remote access account lockout can be used on remote access accounts
- With remote access policy, users can be allowed or denied access based on many factors
- Windows Server 2003 supports two VPN protocols: PPTP and L2TP/IPSec
- NAT devices work by translating the addresses and port numbers of packets forwarded between the private network and the Internet
- The CMAK Wizard can be used to create a custom service profile