RE: Secure Remote access - windows 2003



Welcome, it's quick and dirty, but it works - and is free ;)

Before you proceed, please consider the security implication of what you are
doing, especially in light of your question about the Domain Controller.

I can't answer all of these in much detail, but others on the list will be
able to.
My answers inline, prefixed with JDS:
Cheers

James D. Stallard

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of dubaisans dubai
Sent: 04 January 2007 04:01
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Secure Remote access - windows 2003

That is cool! Thanks James

a few questions before I start the implementation - I will set up the RRAS
and the supporting IPSEC/L2TP as you have mentioned in the link.

is there any additional IPSEC/L2TP config to be done other than you have
explicitly mentioned in the link ?

JDS: For the most basic setup this is all that is necessary. The next step
with L2TP/IPSec is usually to implement certificates.

My requirement is only for known machines to connect - not cybercafes..so
this suits me . I will use PSK.

The access is needed to one file-server only for which I will assign a
public IP.[ or I can have a gateway machine dedicated for RRAS with public
IP and host this file-server machine behind the RRAS gateway]

JDS: Typically, your RRAS Server remains on your internal network and your
firewall is the only thing visible on the public network. All other servers
can remain on your internal network and are only accessible from the RRAS
Server. You can use port forwarding on the firewall to re-direct those
inbound ports and protocols to the RRAS Server, which will proxy the
authentication request to the Domain Controller and assign an IP Address to
the client.

This file-server is a domain controller. all remote users will be having
valid domain login-id/passwords. But their laptops will be configured as
part of workgroups. This file-server has shares which need to be accessible
to these remote users for file copy.

JDS: I would advise strongly against putting a Domain Controller on the
internet. You are creating a very large attack surface. Of course if you
only have 1 server then the point is rather moot.

I hope the connecting user will be asked for the user-id password in
addition to the IPSEC PSK.

JDS: They will be asked for a Username and Password and only granted access
if they are assigned dial-in rights and logon successfully. This is the most
basic form of two-factor authentication.

Can my requirement be met with the RRAS solution?

JDS: I believe so. RRAS is very flexible as a small scale remote access
solution.

I hope everything from user-id/password to file copy will be IPSEC-ed

JDS: All traffic between the client and the RRAS Server will be pushed down
the newly created tunnel. You will be able to see this for yourself if you
look at the logs on your firewall.

Thanks in advance




On 1/3/07, James D. Stallard <james@xxxxxxxxxxxxx> wrote:
You don't mention the number of users, but the budget suggests small
scale :)

Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and
with WXP SP2 as your client you have 2048bit Diffie-Hellman encryption
available.

Setting up RRAS to perform this task is done in less than 20 minutes
and is easy to get through a firewall inbound (IE your firewall). The
problems you have to face are:

. If you wish to use pre-shared keys (the "cheapest" way of doing it)
you will need to configure the PSK passphrase on each client
individually - easy with a small number of clients. Otherwise, you
will need to invest in a certificate authority.

. This is only suitable for access by known machines, not for internet
café type environments.

. This solution works great for the remote home user, but is less
successful for your travelling salesmen using the client's internet
connection as they generally have the relevant ports/protocols blocked.

. The locally configured PSK may not be stored in a highly secure
manner on the client machines and could possibly become known in the
event a machine configured with it is stolen. You may find yourself
having to re-deploy a new PSK.

I wrote a quick and dirty step-by-step here:
http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus

In case one of your configured laptops is stolen and an attempt is
made on your RRAS solution, pay attention to your account locking on
failed password settings. You want permanent locks on a small number
of attempts (say 5), thus forcing administrative intervention and
investigation in the event of an account becoming locked.

Cheers

James D. Stallard

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
Sent: 02 January 2007 04:17
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Secure Remote access - windows 2003

I am planning to provide remote access from Internet to a windows 2003
domain controller. User-ids, NTFS permissions are all configured.

The objective is file sharing and access.

Files will need to be copied. The machine has valid Internet IP
address and is sitting behind a Firewall.

I would like to keep solution independent of Firewall. This will be
accessed by roaming users. I am thinking of something like OpenSSH for
windows or maybe just GUI based Secure-FTP

Challenges I am facing
------------------------------------
Authentication should be strong. Something more than a password. [ No
budget for RSA securiD :-))) ]

Encryption for user-credentials/data access

Options considered
----------------------------------
I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy
is not simple and also you require Application Mode license.

The number of remote users - less than 100

Cost effective, easy to implement and easy to manage solution sought
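The thread's advice is to lock accounts permanently after a handful of failed logons (say 5) so that a stolen laptop carrying the PSK cannot be used to guess passwords against the RRAS server, and so that every lockout is investigated by an administrator. The following is an added example (not from the thread or from RRAS itself) of the monitoring side of that advice: it reads constructed, simplified security-log lines using the Windows 2003 event IDs 529 (bad password), 528 (successful logon) and 644 (account locked out), and reports per-account failure counts, the source addresses involved, and which accounts are locked and awaiting an administrator. The "time event user source" line layout and the sample addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# "permanent locks on a small number of attempts (say 5)" - the thread's advice
LOCKOUT_THRESHOLD = 5

# Constructed sample lines in an assumed "time event user source" layout
# (Windows 2003 event IDs: 529 = bad password, 528 = success, 644 = locked out).
SAMPLE_LOG = """\
2007-01-04 08:01:10 529 jsmith 203.0.113.45
2007-01-04 08:01:14 529 jsmith 203.0.113.45
2007-01-04 08:01:19 529 jsmith 203.0.113.45
2007-01-04 08:01:25 529 jsmith 203.0.113.45
2007-01-04 08:01:31 529 jsmith 203.0.113.45
2007-01-04 08:01:31 644 jsmith 203.0.113.45
2007-01-04 09:12:02 529 mkhan 198.51.100.7
2007-01-04 09:15:40 528 mkhan 198.51.100.7
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d{3}) (\S+) (\S+)$")


def parse_events(text):
    """Yield (timestamp, event_id, user, source); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def analyse(text, threshold=LOCKOUT_THRESHOLD):
    """Per-account failure counts, source addresses, and lockouts awaiting an admin."""
    failures = defaultdict(int)
    sources = defaultdict(set)
    locked = {}
    for ts, event_id, user, source in parse_events(text):
        if event_id == 529:
            failures[user] += 1
            sources[user].add(source)
        elif event_id == 644:
            locked[user] = ts  # permanent lock: stays until an admin investigates
    return {
        user: {"failures": n, "sources": sorted(sources[user]),
               "at_threshold": n >= threshold, "locked_at": locked.get(user)}
        for user, n in failures.items()
    }
```

Any account with `locked_at` set is the case the thread describes: it stays locked until an administrator unlocks it, and the recorded source address is where the investigation starts.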
