Security recommendations for a VPN

It is important to follow security best practices when using Microsoft Forefront Threat Management Gateway as a virtual private network (VPN) server. The following recommendations apply to securing your Forefront TMG computer in its role as a VPN server:

  • Follow these guidelines when determining which authentication methods to enable:
    • Use authentication methods that provide adequate security. The most secure authentication method is Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) used in conjunction with smart cards. EAP-TLS with smart cards requires a public key infrastructure (PKI) and is therefore harder to deploy, but it remains the recommended choice where the strongest authentication is needed.
    • Consider requiring your remote VPN clients to authenticate with more secure protocols, such as Extensible Authentication Protocol (EAP), rather than allowing Password Authentication Protocol (PAP), which sends the password in clear text, or Challenge Handshake Authentication Protocol (CHAP), which is exposed to offline dictionary attacks on the captured challenge-response.
    • Do not enable PAP, SPAP, or CHAP. These authentication protocols are disabled by default; leave them that way.
    • Enable EAP-TLS, which is disabled by default on the profile of a remote access policy. When you use EAP-TLS, you must install a computer certificate on the Internet Authentication Service (IAS) server. For client and user authentication, you can install a certificate on the client computer, or you can use smart cards. Before you deploy certificates, design the certificate template so that the issued certificates meet the requirements of EAP-TLS (for example, the enhanced key usage values that EAP-TLS expects on server and client certificates).
  • Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPsec) connections are recommended for the strongest encryption.
  • Implement and enforce a strong password policy, which reduces the chance that a dictionary attack succeeds. With such a policy in place, you can disable account lockout, which removes the possibility that an attacker locks out legitimate users by deliberately submitting bad passwords (a denial-of-service against your own accounts).
  • Consider requiring your remote VPN clients to run particular operating systems (such as Microsoft Windows Server 2003, Windows 2000 Server, Windows XP, or Windows Vista). Not all operating systems provide equal security in their file systems and user accounting, and not all remote access features are available on all operating systems.
  • Use the Forefront TMG Quarantine Control feature to provide phased network access for remote VPN clients. With Quarantine Control, clients are held in quarantine mode until they are allowed access to the network. Quarantine Control does not protect against attackers or against malicious users on the VPN Clients network; what it does is verify, and if necessary correct, the computer configuration of authorized users before they can access the network.
  • Virus-infected VPN client computers are not automatically blocked from flooding the Forefront TMG computer, or the networks it protects, with requests. To catch this, implement monitoring practices that detect anomalies such as alerts or unusual peaks in traffic load, and configure alert notification to send e-mail messages. If an infected VPN client computer is identified, do one of the following:
    • Restrict VPN access by user name: use the remote access policy to exclude the user from the VPN clients who are allowed to connect.
    • Restrict VPN access by IP address: create a new network to contain blocked external IP addresses, and move the client's IP address out of the External network into that new network.
  • Consider implementing Network Access Protection (NAP) enforcement for your VPN clients with Windows Server 2008 and Windows Vista. NAP allows you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers so that they can be granted unlimited network access. For information on deploying NAP, see Configuring NAP based quarantine.
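The following is an added example of the monitoring practice described for infected VPN clients above; it is not code from Forefront TMG or from this documentation. It counts connection requests per VPN client in a sliding time window over constructed log lines (a simplified layout, not the real TMG W3C log format), flags any client whose request rate looks like a flood, and turns each flagged client into the two remediation steps the guidance lists (exclude the user in the remote access policy, move the IP address into a blocked-addresses network). The window length, threshold, sample data and the "Blocked VPN clients" network name are assumptions.

```python
"""Flood detection for VPN clients (added example, not TMG product code).

Reads simplified, constructed log lines, counts connection requests per
client IP in a sliding window, and builds the remediation plan plus the
e-mail alert body. Window, threshold and network name are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)            # assumed detection window
THRESHOLD = 50                            # assumed requests per client per window
BLOCKED_NETWORK = "Blocked VPN clients"   # assumed name of the new network


def make_sample_log():
    """Construct sample lines: three normal clients and one that floods.

    Constructed layout per line (not the real TMG log format):
        YYYY-MM-DD HH:MM:SS <client IP> <DOMAIN\\user> <action>
    """
    base = datetime(2009, 11, 2, 8, 0, 0)
    lines = []
    normal = [("10.0.1.20", "CONTOSO\\alice"), ("10.0.1.21", "CONTOSO\\bob"),
              ("10.0.1.22", "CONTOSO\\carol")]
    for i in range(10):                       # one request every 30 s each
        for ip, user in normal:
            ts = base + timedelta(seconds=i * 30)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {ip} {user} Initiated")
    for i in range(80):                       # "infected" client: 2 requests/s
        ts = base + timedelta(seconds=120 + i // 2)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.1.30 CONTOSO\\dave Initiated")
    return lines


def parse_line(line):
    date, time, ip, user, action = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip, user, action


def find_flooding_clients(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: (user, time_first_flagged)} for every client whose
    request count inside any sliding `window` reaches `threshold`."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)               # per-IP timestamps inside the window
    flagged = {}
    for ts, ip, user, _action in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:             # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (user, ts)
    return flagged


def remediation_plan(flagged, blocked_network=BLOCKED_NETWORK):
    """Translate flagged clients into the two actions from the guidance."""
    plan = []
    for ip, (user, ts) in sorted(flagged.items()):
        plan.append({
            "ip": ip,
            "user": user,
            "detected_at": ts.isoformat(sep=" "),
            "remote_access_policy": f"exclude {user} from the users allowed to connect",
            "network_change": f"move {ip} from External into '{blocked_network}'",
        })
    return plan


def alert_message(plan):
    """Body text for the e-mail alert notification."""
    if not plan:
        return "No flooding VPN clients detected."
    body = ["Flooding VPN clients detected:"]
    for p in plan:
        body.append(f"- {p['ip']} ({p['user']}) at {p['detected_at']}: "
                    f"{p['remote_access_policy']}; {p['network_change']}")
    return "\n".join(body)


if __name__ == "__main__":
    print(alert_message(remediation_plan(find_flooding_clients(make_sample_log()))))
```

With the sample data, only 10.0.1.30 (CONTOSO\dave) crosses the threshold, at 08:02:24, after 50 requests in 24 seconds; the three normal clients never exceed three requests in any 60-second window. In practice, feed the real TMG firewall log fields into `parse_line` and tune the window and threshold to the baseline of your own VPN client population before wiring the alert body into your notification e-mail.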