Security

Windows 2000 provides a channel for secure remote access using virtual private networks (VPNs).

Enabling Remote Access

To enable remote access for a Windows 2000 Professional computer, make a virtual private network (VPN) connection. For more information about how to do so, see Windows 2000 Professional Help.

To enable remote access, users must have dial-in permissions in the domain they will be accessing remotely.

For more information about remote access and installing and configuring the remote access server, see Windows 2000 Server Help. For more information about remote access authentication, see Remote Access Server in the Microsoft Windows 2000 Server Resource Kit Internetworking Guide.

Considerations About Remote Access

Remote access permissions are ineffective if there is no appropriate remote access policy in place for the remote access server.

Windows 2000 supports the following authentication options for remote access:

  • Standard Point-to-Point Protocol (PPP) challenge and response authentication methods based on user name and passwords.
    Standard PPP authentication methods offer limited security.

  • Custom Extensible Authentication Protocol (EAP) authentication methods.
    EAP modules can be developed or provided by third parties to extend the authentication capabilities of PPP. For example, you can use EAP to provide stronger authentication using token cards, smart cards, biometric hardware, or one-time password systems.

  • EAP Transport Layer Security (EAP-TLS) authentication based on digital certificates and smart cards.
    EAP-TLS provides strong authentication. Users' credentials are stored on tamper-proof smart cards. You can issue each user one smart card to use for all logon needs.

It is recommended that your network security plan include strategies for remote access and authentication, including the following information:

  • Logon authentication strategies to be used.

  • Remote access strategies that use Routing and Remote Access and virtual private networks.

  • Certificate Services needed to support user logon authentication by digital certificates.

  • Process and strategies to enroll users for logon authentication certificates and remote access.

  • Whether to use callback with remote access, to help eliminate impersonation attacks.

Remote Access Policies on Servers

Remote access requires a server that is configured to accept remote access requests. Such Windows 2000–based servers are governed by security policies that determine their remote access behavior. These policies establish whether a server accepts requests for remote access and, if so, during what hours of what days, what protocols are used, and what types of authentication are required.
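The following added example, which is not part of the original documentation and is not Windows 2000's own evaluation logic, is a simplified model of how dial-in permission and a server's remote access policies combine, including the case noted earlier where permission alone is ineffective because no policy exists. The names Policy, evaluate and WEEKDAY_TLS, and the sample protocol and authentication values, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Policy:                      # hypothetical structure, not a Windows 2000 type
    days: frozenset                # allowed weekdays, 0 = Monday ... 6 = Sunday
    start_hour: int                # first allowed hour (inclusive)
    end_hour: int                  # end of allowed window (exclusive)
    protocols: frozenset           # tunnel protocols the server accepts
    auth_methods: frozenset        # authentication types the server requires

    def matches(self, when, protocol, auth):
        # Every condition named on the page must hold: day, hour,
        # protocol, and authentication type.
        return (when.weekday() in self.days
                and self.start_hour <= when.hour < self.end_hour
                and protocol in self.protocols
                and auth in self.auth_methods)

def evaluate(has_dial_in_permission, policies, when, protocol, auth):
    """Return (allowed, reason). The model denies by default."""
    if not has_dial_in_permission:
        return False, "user lacks dial-in permission"
    if not policies:
        # Permission without any policy on the server grants nothing.
        return False, "no remote access policy on server"
    for policy in policies:
        if policy.matches(when, protocol, auth):
            return True, "matched policy"
    return False, "no policy matches day/hour, protocol, or authentication"

# Constructed sample policy: weekdays 08:00-18:00, certificate logon only.
WEEKDAY_TLS = Policy(frozenset(range(5)), 8, 18,
                     frozenset({"PPTP", "L2TP"}), frozenset({"EAP-TLS"}))

# Constructed sample connection times.
MONDAY_10AM = datetime(2000, 3, 6, 10, 0)
SATURDAY_10AM = datetime(2000, 3, 11, 10, 0)

if __name__ == "__main__":
    attempts = [
        (True, [], MONDAY_10AM, "L2TP", "EAP-TLS"),
        (True, [WEEKDAY_TLS], MONDAY_10AM, "L2TP", "EAP-TLS"),
        (True, [WEEKDAY_TLS], MONDAY_10AM, "L2TP", "CHAP"),
        (True, [WEEKDAY_TLS], SATURDAY_10AM, "L2TP", "EAP-TLS"),
    ]
    for attempt in attempts:
        print(evaluate(*attempt))
```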

For more information about configuring Remote Access Policies on a server, see the Windows 2000 Deployment Planning Guide.