Remote Access

Routing and Remote Access is the service that lets remote users connect to your local network by phone. This section deals only with the remote access security features of Routing and Remote Access. Remote access by its nature is an invitation to intruders, so Windows 2000 provides multiple security features to permit authorized access while limiting opportunities for mischief.

How Remote Access Works

A client dials a remote access server on your network. The client is granted access to the network if:

  • The request matches one of the remote access policies defined for the server.

  • The user's account is enabled for remote access.

  • Client/server authentication succeeds.

After the client has been identified and authorized, access to the network can be limited to specific servers, subnets and protocol types, depending on the remote access profile of the client. Otherwise, all services typically available to a user connected to a local area network (including file and print sharing, Web server access, and messaging) are enabled by means of the remote access connection.

Remote Access Policies

Windows 2000–based servers are governed by security policies that determine their remote access behavior. These policies establish whether a server accepts requests for remote access and, if so, during what hours of what days, what protocols are used, and what types of authentication are required.

You define remote access policies by using the Computer Management snap-in to MMC, in the Remote Access Policies node:

Computer Management (local)
 — Services and Applications
 — Routing and Remote Access
  — Remote Access Policies

Right-click a policy in the console tree and select Properties. A remote access policy is defined as a rule with conditions and actions. If the conditions are met, the action is taken. For example, if the time of day is appropriate for remote access, if the requested protocol is permitted, and if the requested port type is available, then access is granted. If granted, remote access is limited by the access profile of the policy. Click Edit Profile to view the available profile options.
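The decision order described here (first matching policy, the account's dial-in permission, authentication, then the profile) as a simplified Python model. This is an added example, not code from the Resource Kit or from Windows; the policy fields, the ACCOUNTS table, the sample policy and its subnet are constructed assumptions, and real RRAS policies carry many more conditions and profile settings than shown.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Request:               # one connection attempt (constructed model)
    user: str
    protocol: str            # e.g. "PPP"
    port_type: str           # e.g. "Modem" or "VPN"
    auth_method: str         # e.g. "MS-CHAP" or "EAP-TLS"
    when: datetime
@dataclass
class Policy:                # a rule: conditions, an action, and a profile
    name: str
    days: set                # weekday numbers, Monday = 0
    hours: tuple             # (first_hour, last_hour_exclusive)
    protocols: set
    port_types: set
    grant: bool = True       # action taken when all conditions are met
    auth_methods: set = field(default_factory=lambda: {"EAP-TLS"})  # profile
    subnets: list = field(default_factory=list)  # profile; [] = whole LAN

def conditions_met(policy, req):
    """Every condition of the rule must hold for the policy to apply."""
    return (req.when.weekday() in policy.days
            and policy.hours[0] <= req.when.hour < policy.hours[1]
            and req.protocol in policy.protocols
            and req.port_type in policy.port_types)

def evaluate(req, policies, dial_in_enabled, auth_succeeded):
    """Return (decision, reason, reachable subnets) for one attempt."""
    # 1. Policies are checked in order; the first whose conditions match applies.
    policy = next((p for p in policies if conditions_met(p, req)), None)
    if policy is None:       # no policy: dial-in permission alone grants nothing
        return "deny", "no remote access policy matches", []
    if not policy.grant:
        return "deny", f"policy '{policy.name}' denies access", []
    # 2. The user's account must be enabled for remote access.
    if not dial_in_enabled.get(req.user, False):
        return "deny", "account not enabled for remote access", []
    # 3. Authentication must succeed with a method the profile permits.
    if req.auth_method not in policy.auth_methods or not auth_succeeded:
        return "deny", "authentication failed or method not permitted", []
    return "grant", policy.name, policy.subnets   # 4. limited by the profile

# Constructed sample: weekday business-hours modem access, EAP-TLS only.
BUSINESS_HOURS = Policy("Business hours modem", days={0, 1, 2, 3, 4}, hours=(8, 18),
                        protocols={"PPP"}, port_types={"Modem"}, subnets=["10.1.5.0/24"])
ACCOUNTS = {"alice": True, "bob": False}   # dial-in permission per user
def attempt(user, port_type, auth_method, when, auth_succeeded=True):
    req = Request(user, "PPP", port_type, auth_method, datetime.fromisoformat(when))
    return evaluate(req, [BUSINESS_HOURS], ACCOUNTS, auth_succeeded)
```

Note that alice is denied on a Saturday even though her account is enabled, which is the point made under Considerations: the permission only takes effect through a matching policy.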

How to Enable Remote Access

To enable remote access for a user, open the Active Directory Users and Computers snap-in to MMC. Right-click a user, and select Properties. Select the Dial-In tab in the property sheet.

For more information about remote access and installing and configuring the remote access server, see Windows 2000 Server Help. For more information about remote access authentication, see "Remote Access Server" in the Microsoft® Windows® 2000 Server Resource Kit Internetworking Guide.

Considerations About Remote Access

Granting remote access permission to a user is ineffective if there is no appropriate remote access policy in place for the remote access server.

Windows 2000 supports the following authentication options for remote access:

  • Standard Point-to-Point Protocol (PPP) challenge and response authentication methods based on user names and passwords.
    Standard PPP authentication methods offer limited security.

  • Custom Extensible Authentication Protocol (EAP) authentication methods.
    EAP modules can be developed or provided by third parties to extend the authentication capabilities of PPP. For example, you can use EAP to provide stronger authentication using token cards, smart cards, biometric hardware, or one-time password systems.

  • EAP Transport Layer Security (EAP-TLS) authentication based on digital certificates and smart cards.
    EAP-TLS provides strong authentication. Users' credentials are stored on tamper-proof smart cards. You can issue each user one smart card to use for all logon needs.

It is recommended that your network security plan include strategies for remote access and authentication, including the following information:

  • Logon authentication strategies to be used.

  • Remote access strategies by using Routing and Remote Access and virtual private networks.

  • Certificate services needed to support user logon authentication by digital certificates.

  • Processes and strategies to enroll users for logon authentication certificates and remote access.

  • Whether to use callback with remote access, to help eliminate impersonation attacks.