Best Remote Access practices
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following list provides best practices for implementing and configuring the remote access server and is based on recommendations from Microsoft Product Support Services:
Plan for security
When designing and implementing your remote access solution, be sure to plan for the most secure deployment possible. For more information, see Security information for remote access.
Use DHCP to obtain IP addresses
If a DHCP server is available on the network, configure the remote access server to use DHCP to obtain IP addresses for remote access clients; the remote access server leases addresses from DHCP in blocks and hands them to clients as they connect. If no DHCP server is available, configure the remote access server with a static IP address pool. Make the pool a subset of addresses from the subnet to which the remote access server is attached, so that clients are reachable from the LAN without adding routes, and exclude those addresses from any other assignment to avoid duplicates.
Use strong authentication
Use strong passwords that are more than eight characters long and contain a mixture of uppercase and lowercase letters, numbers, and permitted punctuation. Do not use passwords based on names or dictionary words. Strong passwords are more resistant to a dictionary attack, in which an attacker tries a list of commonly used names and words as candidate passwords until one is accepted.
Although EAP-TLS works with registry-based (software) certificates, for security reasons you should use EAP-TLS with smart cards only. A registry-based certificate's private key is stored on the client computer, where it can be copied or exported by anyone who gains access to that computer; a smart card keeps the private key on the card and requires the card plus its PIN, which gives two-factor authentication.
If you are using MS-CHAP, use MS-CHAP version 2. MS-CHAP version 2 adds mutual authentication (the client also verifies the server) and derives separate encryption keys for each direction, which version 1 does not. You can obtain the latest MS-CHAP updates for Windows NT version 4.0, Windows 98, and Windows 95. For more information, see MS-CHAP version 2. Note that any password-based method, MS-CHAP version 2 included, is still only as strong as the password, so the password rules above apply in full.
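The two settings above (address assignment and the permitted authentication methods) are both set on the server with netsh ras. The following script is an added example, not part of the original Microsoft page: it picks DHCP or a static pool and then removes every weak authentication method, leaving only EAP and MS-CHAP version 2. The pool range and the USE_DHCP switch are constructed values for illustration; adjust them to your own subnet.

```batch
@echo off
rem Added example (not from the original page): harden address assignment
rem and authentication on a Windows Server 2003 remote access server.
rem Run from an elevated command prompt after Routing and Remote Access
rem has been configured.

rem --- Address assignment -------------------------------------------------
rem Set USE_DHCP=1 when a DHCP server is reachable from this server.
rem Otherwise the static pool below is used. The range is a constructed
rem example and must be a subset of the subnet the LAN adapter is on.
set USE_DHCP=1
set POOL_FROM=192.168.10.200
set POOL_TO=192.168.10.239

if "%USE_DHCP%"=="1" (
    netsh ras ip set addrassign method=auto
) else (
    netsh ras ip set addrassign method=pool
    netsh ras ip add range from=%POOL_FROM% to=%POOL_TO%
)

rem --- Authentication -----------------------------------------------------
rem Remove the weak methods first. Deleting a method that is not currently
rem enabled only prints an error and is harmless.
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP

rem Allow only MS-CHAP v2 and EAP (for EAP-TLS with smart cards).
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP

rem --- Verify -------------------------------------------------------------
rem Print the effective settings so the change can be checked before any
rem client is pointed at this server.
netsh ras ip show config
netsh ras show authtype
```

The server-level list is an upper bound: a remote access policy can only narrow the methods the server permits, so also restrict the Authentication tab of each policy profile to MS-CHAP version 2 and EAP. The final two commands are the check; if `netsh ras show authtype` still lists PAP, SPAP, MD5CHAP or MSCHAP, the deletions did not take effect and clients could still negotiate a weak method.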
Avoid configuring different remote access policies for the same user
If a user dials in by using a multilink connection, all links beyond the first are connected by using the remote access policy that matched the first link. A second policy that also applies to the same user is therefore never evaluated for the additional links, so any tighter constraints it contains (for example, on encryption or session time) do not apply to them. Keep one policy per user or group so the constraints you intend are the ones that are enforced on every link.