Authorization

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Virtual private network (VPN) connections are only accepted for those users and routers that have been authorized. In the Windows Server 2003 family, authorization of VPN connections is determined by the dial-in properties on the user account and remote access policies. For more information, see Remote Access Policies.

You do not need to create additional user accounts just for VPN connections. VPN servers use the user accounts specified in the available user accounts databases according to security in Windows Server 2003 operating systems.

How security works at connection

The following steps describe what happens during a connection attempt from a Point-to-Point Tunneling Protocol (PPTP)-based VPN client to a PPTP-based VPN server running Windows Server 2003:

  1. The VPN client creates a PPTP tunnel with the VPN server.

  2. The server sends a challenge to the client.

  3. The client sends an encrypted response to the server.

  4. The server checks the response against the user accounts database.

  5. If the account is valid, and the connection is authorized, the server accepts the connection subject to the remote access policies and user account properties for the VPN client.

Note

  • Steps 2 through 4 assume that the VPN client and the VPN server use the MS-CHAP or CHAP authentication protocols. The sending of client credentials may vary for other authentication protocols.

The following steps describe what happens during a connection attempt from a Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPSec)-based VPN client to an L2TP/IPSec-based VPN server running Windows Server 2003:

  1. The IPSec security association is created by using computer certificates and the Internet Key Exchange (IKE) negotiation process.

  2. The VPN client creates an L2TP tunnel with the VPN server.

  3. The server sends a challenge to the client.

  4. The client sends an encrypted response to the server.

  5. The server checks the response against the user accounts database.

  6. If the account is valid, and the connection is authorized, the server accepts the connection subject to the remote access policies and user account properties for the VPN client.

Note

  • Steps 3 through 5 assume that the VPN client and the VPN server use the MS-CHAP v1 or CHAP authentication protocols. The sending of client credentials may vary for other authentication protocols.
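As an added example (not part of this Microsoft documentation), the challenge, response and check steps of both procedures above are carried out below with plain CHAP as defined in RFC 1994, where the response is an MD5 hash over the identifier, the user's secret and the challenge (MS-CHAP computes its response differently). The accounts database, user names and secrets are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample "user accounts database" (hypothetical names and secrets).
# CHAP requires the server to hold the cleartext secret; on Windows this is the
# account password stored with reversible encryption. The dial-in flag stands in
# for the user account's dial-in properties checked during authorization.
ACCOUNTS = {
    "alice": {"secret": "correct horse battery staple", "dial_in_allowed": True},
    "bob":   {"secret": "hunter2", "dial_in_allowed": False},
}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def server_challenge():
    """The server issues a fresh one-byte identifier and a random challenge."""
    return os.urandom(1)[0], os.urandom(16)


def client_respond(identifier: int, challenge: bytes, username: str, password: str):
    """The client answers with its name and the hashed response, never the password."""
    return username, chap_response(identifier, password, challenge)


def server_verify(identifier: int, challenge: bytes, username: str, response: bytes) -> str:
    """Check the response against the accounts database, then apply authorization."""
    account = ACCOUNTS.get(username)
    if account is None:
        return "rejected: unknown account"
    expected = chap_response(identifier, account["secret"], challenge)
    if not hmac.compare_digest(expected, response):   # constant-time comparison
        return "rejected: bad credentials"
    if not account["dial_in_allowed"]:
        return "rejected: account not authorized for remote access"
    return "accepted"


def run_exchange(username: str, password: str) -> str:
    """Drive one complete challenge/response exchange between client and server."""
    ident, chal = server_challenge()
    name, resp = client_respond(ident, chal, username, password)
    return server_verify(ident, chal, name, resp)
```

Because the challenge is random per attempt, a captured response is only valid for the challenge it answered.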

Security after the connection is made

After passing authorization and authentication and connecting to the LAN, VPN clients for remote access VPN connections can only access network resources for which they have permission. Remote access VPN clients are subject to security in Windows Server 2003 operating systems, just as they are at the office. In other words, remote access VPN clients cannot do anything for which they lack sufficient rights, nor can they access resources for which they do not have permission.

The VPN server must authenticate the remote access VPN clients before they can access or generate traffic on the network. This authentication is a separate step from logging on to a Windows Server 2003 domain.

You use packet filters based on a remote access policy profile to restrict access for remote access VPN connections for IP traffic. With profile packet filters, you can configure the IP traffic that is allowed out of the connection (output filters) or into the connection (input filters) on an exception basis: either all remote access traffic except traffic specified by the filters or no traffic except traffic specified by the filters. Remote access policy profile filtering applies to all remote access connections that match the remote access policy.

For more information, see Elements of a remote access policy.
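The exception-basis semantics of profile packet filters described above, as an added example that is not part of this documentation or of the Routing and Remote Access implementation: each filter list carries either the "no traffic except traffic specified by the filters" mode or the "all traffic except traffic specified by the filters" mode, and a packet is allowed or dropped by matching it against the list. The addresses, ports and the sample profile are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IPFilter:
    """One profile packet filter; a field left as None matches anything."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None     # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None

    def matches(self, src: str, dst: str, protocol: str, dst_port: Optional[int] = None) -> bool:
        return (
            (self.src_net is None or ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net))
            and (self.dst_net is None or ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net))
            and (self.protocol is None or self.protocol == protocol)
            and (self.dst_port is None or self.dst_port == dst_port)
        )


@dataclass
class FilterList:
    """A profile's input or output filter list together with its exception mode."""
    filters: List[IPFilter]
    mode: str   # "deny_all_except" or "permit_all_except"

    def allows(self, src: str, dst: str, protocol: str, dst_port: Optional[int] = None) -> bool:
        matched = any(f.matches(src, dst, protocol, dst_port) for f in self.filters)
        if self.mode == "deny_all_except":
            return matched          # no traffic except traffic specified by the filters
        if self.mode == "permit_all_except":
            return not matched      # all traffic except traffic specified by the filters
        raise ValueError("unknown filter mode: %r" % self.mode)


# Constructed sample profile (hypothetical addresses). VPN clients receive
# 10.0.100.0/24 addresses; traffic into the connection may reach only the mail
# server on TCP 25 and 443, and traffic out of the connection is unrestricted
# except for SMB (TCP 445) toward the client network.
INPUT_FILTERS = FilterList(
    filters=[IPFilter(dst_net="192.168.1.10/32", protocol="tcp", dst_port=25),
             IPFilter(dst_net="192.168.1.10/32", protocol="tcp", dst_port=443)],
    mode="deny_all_except",
)
OUTPUT_FILTERS = FilterList(
    filters=[IPFilter(dst_net="10.0.100.0/24", protocol="tcp", dst_port=445)],
    mode="permit_all_except",
)
```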

Credential caching

When remote access servers are configured to accept a user's domain credentials (user name and password) as the means for authenticating access requests, the credentials used for remote access are the same as those needed for access to network resources (such as file servers, application servers, and e-mail servers). Each time the remote access client tries to access a server on the network, the server challenges the client for its credentials to ensure that only authorized users can utilize server resources.

If the client computer is a member of the server's domain, then the client responds automatically with the user's logon credentials and gains access to resources for which the user has security permissions. If the client computer is not a member of the server's domain (for example, when the client is a non-domain member home computer), then the client does not have the appropriate logon credentials to meet the server's challenge; for each network resource the user attempts to access, the user is either prompted to enter credentials or is denied access.

When the client is running Windows XP or a Windows Server 2003 operating system, the credentials that are used for authentication to the remote access server are cached, or saved, by the client. If the non-domain member client attempts to access a domain server for which it has not previously established its credentials, the client responds to the server's challenge with the cached remote access credentials and gains access to resources for which the user has security permissions. Because the credentials are cached and sent automatically upon server challenge, users on non-domain member computers are not prompted for credentials every time they attempt to access network resources.