\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!\]
The primary purpose of RAS is to let employees dial in from home and access resources on the corporate network. However, RAS opens up many opportunities for attack, mainly because of the lack of protection on the home-computer side, so I want to provide strong protection on the RAS-server side. How can I set up a secure Windows NT 4.0 RAS server?
I maintain a list of recommendations that I keep in mind when I set up NT-based RAS. The recommendations focus on NT RAS as it ships, without additional third-party security software. NT RAS authenticates dial-in users with a plain user ID and password. Companies that can invest more in the security of their remote access solution might want to seek a product or service that uses stronger authentication. For example, many companies use RSA Security's RSA SecurID, which combines user ID-password authentication with a one-time code generated by a hardware token, so a guessed or captured password alone isn't enough to dial in. These recommendations will help you make your NT RAS solution as secure as possible.
- Grant remote access rights only to users who really need them—You can set remote access rights from the Dialin Information account properties in NT User Manager or from the Remote Access Permissions dialog box in the remote access administration program.
- Enforce callback to a number that you preset. Clear the Set By Caller option—You can preset the enforced callback feature either from User Manager or from the remote access administration program. Figure 1 shows the remote access administration program's Remote Access Permissions dialog box with a preset callback number for user Michael Angelo.
- Make sure your users choose high-quality passwords—You can create password quality guidelines. You can also enforce the use of strong passwords by setting up a password-filtering DLL file (passfilt.dll). For more information about how to use passfilt.dll to enforce strong password functionality in NT, see the Microsoft article "How to Enable Strong Password Functionality in Windows NT" (http://support.microsoft.com/support/kb/articles/q161/9/90.asp). Also, see my April 2001 column for information about using the L0pht Heavy Industries' L0phtCrack tool to audit the quality of your users' passwords.
- Use protocol barriers—RAS servers can give remote clients access through the TCP/IP, NetBEUI, and IPX protocols, and the NT RAS service lets you limit which of those protocols a RAS connection carries. Enable only the protocols your remote users actually need. For example, if you don't want remote users to reach the Internet through a RAS connection, disable TCP/IP for dial-in clients. You can set the supported protocols from the Network Configuration dialog box, which you can access from the RAS Network Service properties.
- Configure the supported RAS protocols to allow access to the RAS server only—In the Network Configuration dialog box, you can configure each protocol to let remote clients access the entire network or the local computer only. Figure 2 shows the This computer only option selected for the NetBEUI protocol. Selecting This computer only prevents, for example, a user from using Connect As with a second account to reach resources beyond the RAS server. Limiting client access to the local computer doesn't lessen the need to harden the RAS server itself: an intruder who compromises the RAS server can use it as a stepping-stone for attacks on your internal network.
- In the Network Configuration dialog box, select the Require Microsoft encrypted authentication option and the Require data encryption check box, as Figure 3 shows—Microsoft encrypted authentication is MS-CHAP, and data encryption is Microsoft Point-to-Point Encryption (MPPE), which derives its RC4 session keys from the MS-CHAP exchange. That dependency is why data encryption is available only if you've selected the Require Microsoft encrypted authentication option. Together, these settings ensure that passwords and data are never passed in the clear over a dial-up connection. To get 128-bit rather than 40-bit MPPE keys, make sure you've installed the NT 4.0 high-encryption update. For more information about NT 4.0's high-encryption support, see Paula Sharick, "Securing Shared Resources," March 2001. Encrypting all the data sent across a dial-up line has a performance impact, although on a modem link the cipher costs little compared with the line speed. Clear the Require data encryption check box only if you have measured a real problem and accept that anyone with access to the telephone line or the modem pool can read the traffic.
- Consider using a RAS gateway—A RAS gateway is an NT RAS server that sits between your remote users and your internal NT domains. You can install a RAS gateway as a standalone server or as the domain controller (DC) of a domain dedicated to RAS. In the latter case, the RAS domain can trust the internal domains, but the internal domains must not trust the RAS domain; the security boundary holds only if the trust is one-way in that direction. The purpose of this setup is to force dial-in users to authenticate with a local account on the RAS gateway or an account in the RAS domain. Because nothing inside trusts those accounts, users can't use them to access resources beyond the RAS gateway. They can, however, copy data to a home directory on the RAS gateway while they're connected to the internal network and then retrieve it from home when they're connected to the RAS gateway.
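The password-quality rules that the Microsoft article cited in the password recommendation above describes for passfilt.dll are simple enough to check offline before you roll the DLL out. The following Python script is an added example, not code from this column or from Microsoft: it applies the passfilt.dll rules (at least six characters, characters from at least three of the four classes, and no occurrence of the user name or any part of the full name) to a list of candidate passwords, so you can see which of your proposed guidelines the filter would actually reject. The account names and candidate passwords are constructed for the example, and splitting the full name into pieces of three or more characters is an assumption about how "any part of the full name" is matched.

```python
import re

# Rules from "How to Enable Strong Password Functionality in Windows NT"
# (passfilt.dll): minimum length 6, at least three of the four classes below,
# and no user name or part of the full name inside the password.
MIN_LENGTH = 6
REQUIRED_CLASSES = 3
CLASSES = {
    "upper": lambda c: "A" <= c <= "Z",
    "lower": lambda c: "a" <= c <= "z",
    "digit": lambda c: "0" <= c <= "9",
    "other": lambda c: not c.isalnum(),   # punctuation, symbols, space
}


def password_classes(password):
    """Return the set of character classes the password draws from."""
    return {name for name, test in CLASSES.items() if any(test(c) for c in password)}


def name_fragments(full_name, min_len=3):
    """Split a full name into pieces worth matching.

    Assumption: pieces shorter than min_len (e.g. "Li") are ignored so that
    very short fragments do not reject nearly every password.
    """
    parts = re.split(r"[\s,.\-_#\t]+", full_name or "")
    return [p for p in parts if len(p) >= min_len]


def check_password(password, user_name, full_name=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    lowered = password.lower()
    if user_name and user_name.lower() in lowered:
        problems.append("contains the user name")
    for fragment in name_fragments(full_name):
        if fragment.lower() in lowered:
            problems.append("contains part of the full name (%s)" % fragment)

    classes = password_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append("uses only %d of %d character classes (%s)"
                        % (len(classes), len(CLASSES), ", ".join(sorted(classes)) or "none"))
    return problems


def audit(accounts):
    """Map (user_name, full_name, password) triples to their violations."""
    return {(u, p): check_password(p, u, f) for u, f, p in accounts}


# Constructed sample accounts: no real users or passwords.
SAMPLE_ACCOUNTS = [
    ("jsmith", "John Smith", "Sunny1!"),      # passes every rule
    ("jsmith", "John Smith", "john1234"),     # part of the full name, one class short
    ("jsmith", "John Smith", "JSMITH99!"),    # contains the user name
    ("mangelo", "Michael Angelo", "password"), # lowercase only
    ("mangelo", "Michael Angelo", "Pa1"),     # too short
]

if __name__ == "__main__":
    for (user, pw), problems in audit(SAMPLE_ACCOUNTS).items():
        verdict = "OK" if not problems else "REJECT: " + "; ".join(problems)
        print("%-8s %-12s %s" % (user, pw, verdict))
```

The script mirrors the filter's decisions, not its code, so it is a planning aid: run your candidate password guidelines through it, and anything it rejects is a password that passfilt.dll will also refuse once it is installed on the domain controllers.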