Protect Against Access Server Vulnerabilities
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Some access servers expose the network to unwanted visitors who can then reach your resources. For example, intruders might connect to an authenticating switch that is reachable from a conference room network port, set up their own access server to connect to your network, and access your resources. To protect against this form of attack, configure mutual authentication by using PEAP-EAP-MS-CHAPv2 or EAP-TLS as the authentication method for network access connections, so that the client verifies the server's identity as well as the reverse. For more information about configuring mutual authentication, see "PEAP" in Help and Support Center for Windows Server 2003.
Authenticating RADIUS clients and RADIUS servers also protects against this type of network attack. You can use three methods to authenticate RADIUS clients and RADIUS servers.
RADIUS shared secrets
Include RADIUS shared secrets in your network access design. Specify RADIUS secrets that are at least 22 characters in length and consist of a random sequence of uppercase letters, lowercase letters, numbers, and punctuation.
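As an added illustration of the shared-secret policy above (example code, not part of the original documentation), the following Python script checks a candidate secret against the stated rules, generates a compliant secret from the operating system's CSPRNG, and estimates the guessing entropy of a secret of a given length; the function names are my own.

```python
import math
import secrets
import string

# Policy stated in the documentation: at least 22 characters, a random
# sequence drawn from uppercase letters, lowercase letters, digits and
# punctuation. The character classes below are Python's standard sets.
MIN_LENGTH = 22
CLASSES = (
    ("uppercase", string.ascii_uppercase),
    ("lowercase", string.ascii_lowercase),
    ("digit", string.digits),
    ("punctuation", string.punctuation),
)
ALPHABET = "".join(chars for _, chars in CLASSES)  # 94 distinct characters


def check_shared_secret(secret: str) -> list[str]:
    """Return the policy violations found; an empty list means the secret is acceptable."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"too short: {len(secret)} < {MIN_LENGTH}")
    for name, chars in CLASSES:
        if not any(c in chars for c in secret):
            problems.append(f"missing {name} character")
    # Whitespace and non-ASCII characters are outside the set the policy names.
    if any(c not in ALPHABET for c in secret):
        problems.append("contains characters outside the allowed set")
    return problems


def generate_shared_secret(length: int = 32) -> str:
    """Draw a secret from the OS CSPRNG and retry until it satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate


def entropy_bits(length: int) -> float:
    """Guessing entropy, in bits, of a uniformly random secret of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    new_secret = generate_shared_secret()
    print(f"generated {len(new_secret)}-character secret, ~{entropy_bits(len(new_secret)):.0f} bits")
```

Paste the generated value into the RADIUS client and server configuration over a secure channel only; the same secret must be entered identically on both ends.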
Secure RADIUS traffic with IPSec
Securing RADIUS traffic with Internet Protocol security (IPSec) lets you protect RADIUS servers from unwanted traffic by filtering on specific network adapters (allowing or blocking specific protocols) and by restricting the source IP addresses from which traffic is accepted. You can create IPSec policies for organizational units, which are stored in Active Directory and applied through Group Policy, or you can create local policies on the RADIUS servers themselves and apply them to specific computers.
You can enable IPSec between IAS proxies and IAS servers, or between RADIUS clients and IAS servers.
For more information about securing RADIUS traffic with IPSec, see "Securing RADIUS traffic with IPSec" in Help and Support Center for Windows Server 2003.
All RADIUS computers that require authorization support VPNs.