Secure the IAS RADIUS Server and RADIUS Proxy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

It is important to secure your IAS server. Regardless of whether you configure your IAS server as a RADIUS server or a RADIUS proxy, you must apply a number of basic security precautions.

Use strong shared secrets

RADIUS supports a simple password called a secret. Configure strong shared secrets to prevent dictionary attacks, and change them frequently. RADIUS secrets are combined with a 16-byte random number and then passed through a one-way Message Digest 5 (MD5) hash to create a 16-byte encryption value. The 16-byte encryption value is stored with the password entered by the remote access user.

Include RADIUS secrets in your remote access design when you are mutually authenticating RADIUS computers and you encrypt the remote user password. It is best to specify RADIUS secrets that are at least 16 characters in length and that include uppercase letters, lowercase letters, numbers, and punctuation.

Use the Message-Authenticator attribute

Use the Message-Authenticator attribute (also known as a digital signature or the signature attribute) for connection requests that use the PAP, CHAP, MS-CHAP, and MS-CHAPv2 authentication protocols. This attribute ensures that an incoming RADIUS Access-Request message was sent from a RADIUS client configured with the correct shared secret. You must enable the use of the Message-Authenticator attribute on both the IAS server (as part of the configuration of the RADIUS client) and the RADIUS client (the network access server or RADIUS proxy). Ensure that the RADIUS client supports the Message-Authenticator attribute before you enable the attribute. The Message-Authenticator attribute is always used with EAP, regardless of whether it is enabled on the IAS server and access server.
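The check that the Message-Authenticator attribute makes possible, shown as an added Python example (not IAS code and not part of the original page). Per RFC 2869, the attribute (type 80) carries an HMAC-MD5 of the entire packet keyed with the shared secret, computed while the attribute's 16 value bytes are zero. The function names, secret, and user name are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Added example: names and sample values are constructed, not taken from IAS.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (length covers all three)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, user: bytes) -> bytes:
    """Build an Access-Request that carries a signed Message-Authenticator."""
    authenticator = os.urandom(16)  # 16-byte random Request Authenticator
    attrs = encode_attr(ATTR_USER_NAME, user) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    unsigned = header + authenticator + attrs
    # HMAC-MD5 over the whole packet while the signature field is still zero.
    sig = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + sig  # the signature attribute was placed last


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Return True only if the packet carries a valid Message-Authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # attribute absent: reject when signing is required
```

A request signed with a different secret, altered after signing, or lacking the attribute fails the check, which is why the attribute must be enabled on both the server and the RADIUS client.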

Configure your Internet firewall

In the most common configuration, the Internet firewall is situated on your perimeter network between your secure network and the Internet. The perimeter network (also known as a screened subnet) is an IP network segment that contains resources (such as Web and VPN servers) that are available to Internet users. In this configuration, the IAS server is an intranet resource that is connected to the perimeter network.

If your IAS server is on a perimeter network, configure your Internet firewall to allow RADIUS messages to pass between your IAS server and RADIUS clients on the Internet. You might need to configure an additional firewall that is placed between your perimeter network and your intranet, which allows traffic to flow between the IAS server on the perimeter network and domain controllers on the intranet.

If your IAS server is on the perimeter network, it might use either of the following to contact a domain controller on the intranet:

  • An interface on the perimeter network and an interface on the intranet (IP routing is not enabled).

  • A single interface on the perimeter network. In this configuration, IAS communicates with intranet domain controllers through another firewall that connects the perimeter network to the intranet.

For more information about Internet firewalls, see "Deploying ISA Server" in this book.

Enable remote access account lockout

Enable remote access account lockout to protect against online dictionary attacks. Remote access account lockout disables network access for user accounts after a configured number of failed connection attempts has been reached.

Remote access account lockout can also be used to prevent a malicious user from intentionally locking out a domain account by attempting to make multiple dial-up or VPN connections with the wrong password. You can set the number of failed attempts for remote access account lockout to a number that is lower than the number of logon retries for domain account lockout. By doing this, remote access account lockout occurs before domain account lockout, which prevents the domain account from being intentionally locked out.

For more information about account lockout, see "Remote access account lockout" in Help and Support Center for Windows Server 2003.