Security Information for the Connection Manager Administration Kit

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2012, Windows Vista

You can increase the security of your remote access solution by using the Connection Manager Administration Kit (CMAK) wizard to customize and control the connection experience for your users. By customizing the connection, you can control how your users connect to your network, and you can simplify troubleshooting.

Before you create a connection profile, you should understand your remote access solution, including its security requirements and limitations. You can consider remote access security in three parts: securing servers, including remote access servers and the computers on which you store the connection profiles; understanding and securing the computers on which users will install connection profiles; and designing, creating, and distributing the connection profile itself. For more information about securing servers, see Security information for remote access, Security information for VPN, and Security.

When you design your connection profile, you should consider the following:

  • Who can create or edit connection profiles by using the CMAK wizard. A user must be a member of the Administrators group to install the CMAK wizard. A user must be a member of either the Administrators or the Power Users group (present in Windows Server 2003 or earlier) to run the CMAK wizard.

  • Who can edit connection profile files by using a plain text editor. Connection profile files are plain text files that users can edit using a plain text editor, such as Notepad, instead of using the CMAK wizard. By using a plain text editor instead of the CMAK wizard, users do not need to be members of the Administrators or the Power Users group to edit or to delete these files. You can help prevent users from changing these files on the server by limiting access to the directories that contain the profile files. Recognize that, after you distribute the service profile, users can edit the service profile files on their own computers. For more information, see Methods of Editing Connection Profile Files and Including Connection Manager in Custom Applications.

  • Which operating systems your users will use. You should consider two things regarding the operating systems on your users' computers: the level of security inherent in the operating system itself, as well as the security features that you can configure for the operating system. Not all operating systems support all Connection Manager features. The more secure VPN tunneling protocols and authentication methods are only available when you are running newer versions of Windows. Therefore, if you want to deploy a highly secure VPN solution, you might need to limit your deployment to users running Windows Vista or later, and only on hard disks formatted with NTFS.

    Depending on how your users have configured their computers, you might have these security considerations:

    • Whether the user's hard disk is formatted with FAT or NTFS. FAT systems are not as secure as NTFS systems.

    • What authentication and tunneling protocols are supported. Not all operating systems support all of the same protocols as Windows Server 2008 R2. For more information, see Dial-up networking clients and Virtual private networking clients.

    • Whether your users will install the profile for individual use only or for all users of that computer. When appropriate, you should encourage your users to install the profile for individual use only so that only the user who installed the profile and members of the Administrators or System Operators groups can modify the service profile files. If a user installs a profile for all users, all users of that computer can modify or delete the service profile files.

      One example where installing for all users is appropriate is when an ISP provides a single profile. It must be installed for all users, and the password saved for all users, so that all users of the computer can connect to the Internet.

    • Whether the profile allows users to save the password for the profile. You can hide the check box that allows users to save passwords by configuring the HideRememberPassword key. For Windows XP and later versions of Windows, you can configure the GlobalCredentials key to prevent users from saving a user name and password for any other users of that computer. This key prevents other users from using another user’s credentials. The connection will close automatically if Fast User Switching is used.

  • Whether your connection profile will include a phone book or multiple phone books. If your profile will include one or more phone books, you will need to create the phone book with Phone Book Administrator (PBA), and you will need to include a Phone Book Service (PBS) server in your deployment. For more information, see Security information for Connection Point Services.

  • How you will distribute your connection profile. You can distribute your profile in several ways, including on a Web site, a network share, portable media, or a software distribution system, such as Microsoft System Center Configuration Manager. Depending on what kind of profile you create, you might want to consider how to control the distribution of your profile. For example, if you create a profile with a pre-shared key, you will want to limit distribution of the profile to authorized users, particularly if you do not encrypt the profile with a personal identification number (PIN). For more information about distributing service profiles, see Planning for Effective Implementation.
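The following is an added example, not part of the original documentation or of CMAK. It audits a directory of profile files for the two points above that can be checked mechanically: which principals other than Administrators and SYSTEM can modify the files, and what the `HideRememberPassword` and `GlobalCredentials` keys are set to. The path, the trusted-SID list, the function names, and the choice to look for the keys in `.cms` files are assumptions; it requires Windows PowerShell 3.0 or later.

```powershell
# Added example. $ProfileRoot is a placeholder for the directory holding the profile files.
$ProfileRoot = 'D:\CMAK\Profiles'

# Principals expected to hold write access, as well-known SIDs (edit to match your policy).
$TrustedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
)

# Rights that allow changing, replacing or deleting a profile file, or re-permissioning it.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits can appear on inherit-only ACEs.
$GenericMask = 0x50000000

function Get-UnexpectedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs so matching does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $bits = [int]$ace.FileSystemRights
        $canWrite = ($bits -band $WriteMask) -or ($bits -band $GenericMask)
        if ($canWrite -and ($TrustedSids -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path = $Path; Sid = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-CredentialKeySetting {
    param([Parameter(Mandatory)][string]$Path)
    # Report the values as found; the expected values are for the reviewer to decide.
    Select-String -LiteralPath $Path -Pattern '^\s*(HideRememberPassword|GlobalCredentials)\s*=\s*(.*)$' |
        ForEach-Object {
            $g = $_.Matches[0].Groups
            [pscustomobject]@{ File = $Path; Key = $g[1].Value; Value = $g[2].Value.Trim() }
        }
}

# Check the root directory and everything beneath it, then scan the profile files.
$items = @(Get-Item -LiteralPath $ProfileRoot) + @(Get-ChildItem -LiteralPath $ProfileRoot -Recurse)
$items | ForEach-Object { Get-UnexpectedWriteAce -Path $_.FullName } | Format-Table -AutoSize
Get-ChildItem -LiteralPath $ProfileRoot -Recurse -Filter *.cms |
    ForEach-Object { Get-CredentialKeySetting -Path $_.FullName } | Format-Table -AutoSize
```

An empty first table means only the trusted principals can modify the files; a profile file that does not appear in the second table does not set either key.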

Additional references