Configure Remote Access Policies for Secure Remote Connections

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Configure Remote Access Policies

You can create multiple remote access policies to accommodate the individual security requirements of your remote connections. For example, you can use remote access policies to grant or deny authorization according to the time of day and the day of the week, the Windows Server 2003 or Windows 2000 Server group to which the remote access user belongs, the type of connection being requested (dial-up networking or VPN connection), and so on. You can also configure settings within the remote access policies that limit the maximum session time, specify the authentication and encryption strengths, set Bandwidth Allocation Protocol (BAP) policies, and so forth.

Remote access policies are applied in the order in which they are listed. When a policy is found that contains conditions that match the connection attempt, access is granted or denied, regardless of the conditions specified by the other policies later in the list. Therefore, it is a good idea to list more specific remote access policies before general remote access policies.

If you do not implement any remote access policies, all connection attempts fail.
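The ordering rule and the no-policy default described above can be modeled in a few lines. This is an added example, not Microsoft code or IAS configuration: it is a simplified model of first-match evaluation only, and the policy names, group names and connection attempts are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    """A connection attempt, reduced to attributes the page names."""
    groups: frozenset
    conn_type: str  # "vpn" or "dialup"
    weekday: int    # 0 = Monday ... 6 = Sunday
    hour: int       # 0-23


@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable[[Attempt], bool]  # the policy's conditions
    grant: bool                         # grant or deny when conditions match


def evaluate(policies: List[Policy], attempt: Attempt) -> Tuple[bool, Optional[str]]:
    """Return (granted, deciding policy). First match decides; no match denies."""
    for policy in policies:
        if policy.matches(attempt):
            return policy.grant, policy.name
    return False, None  # also the result for an empty policy list


# Hypothetical policies and group names, constructed for this example.
DENY_OFFHOURS = Policy(
    "Deny Contractors outside Mon-Fri 08:00-18:00",
    lambda a: "Contractors" in a.groups and (a.weekday >= 5 or not 8 <= a.hour < 18),
    grant=False)
ALLOW_VPN = Policy(
    "Allow VPN Users over VPN",
    lambda a: "VPN Users" in a.groups and a.conn_type == "vpn",
    grant=True)

SPECIFIC_FIRST = [DENY_OFFHOURS, ALLOW_VPN]
GENERAL_FIRST = [ALLOW_VPN, DENY_OFFHOURS]  # general policy shadows the deny

# Constructed attempts: a contractor who is also in the VPN Users group.
BOTH = frozenset({"VPN Users", "Contractors"})
SATURDAY_NIGHT = Attempt(BOTH, "vpn", weekday=5, hour=23)
WEDNESDAY_NOON = Attempt(BOTH, "vpn", weekday=2, hour=12)

if __name__ == "__main__":
    for label, order in (("specific first", SPECIFIC_FIRST), ("general first", GENERAL_FIRST)):
        print(label, "->", evaluate(order, SATURDAY_NIGHT))
    print("no policies ->", evaluate([], WEDNESDAY_NOON))
```

With the general policy listed first, the Saturday-night attempt is granted and the more specific deny policy is never evaluated, which is the misordering to check for when reviewing a policy list.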

Before you configure remote access policies, you must make decisions about the following:

  • Whether to use Network Access Quarantine Control for VPN and dial-up connections.

  • Whether to use custom or common policies. When you use the New Remote Access Policy Wizard in the IAS snap-in, you can choose to create a common or a custom policy. For a common policy, you must configure an access method, whether to grant access permissions by user or by group, authentication methods, and levels of allowed encryption (depending on the access method selected). For a custom policy, you must configure a set of policy conditions, whether remote access permission for the policy is granted or denied, and remote access policy profile settings. For more information, see "Add a remote access policy" in Help and Support Center for Windows Server 2003.

  • The groups and users to which the remote access policies apply.

  • Whether the remote access policy grants or denies access to the users or the group.

  • The restrictions that are placed on the users or the group.

For more information about Internet Authentication Service, including remote access policies, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).