Re: Secure Remote access - windows 2003
- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
- Date: Fri, 05 Jan 2007 09:10:52 -0800
There are those in the world who consider what Microsoft's Small Business Server platform does (providing file access to a domain controller) to be insane at best. Keep in mind that even SBS limits the Terminal Server access to that DC to administrative mode and blocks TS in app mode.
In the Microsoft KBs they state for a DC
Don't run TS in application mode
Don't install IIS for security purposes....
and so on and so forth ...
I'd say that the thread should be titled "Remote access" as there are many that would debate the "Secure" part of it given the fact that it's the DC you are doing this on.
At this point in time from the threads I've seen, all you are doing is strengthening the authentication... and weakening the security on that Domain Controller.
Which.... let's be realistic... business gets chosen before security when there aren't lawsuits and regulation hanging over your head. One should then ask, do you have any SOX, HIPAA, GLBA, yadda yaddas that you need to worry about?
Jim Harrison wrote:
PSK won't give you the "only known machines" aspect you asked for.
The very nature of PSK (pre-shared; the "human" has it) is that anyone who knows it can use it; regardless of the machine where they operate.
These articles are good starting points for anyone getting their heads around IPSec:
http://www.microsoft.com/technet/community/columns/secmgmt/sm121504.mspx
http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
What you're asking for is a two-factor authentication mechanism, which falls outside of your stated "easily managed" solution.
You also need to rethink your choice of servers.
Providing Internet TS access and file services to a domain controller is asking for an opportunity to "seek new challenges" in most companies.
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
Sent: Wednesday, January 03, 2007 8:01 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Secure Remote access - windows 2003
That is cool! Thanks James
A few questions before I start the implementation - I will set up the RRAS and the supporting IPSEC/L2TP as you have mentioned in the link.
Is there any additional IPSEC/L2TP config to be done other than what you have explicitly mentioned in the link?
My requirement is only for known machines to connect - not cybercafes, so this suits me. I will use PSK.
The access is needed to one file-server only, for which I will assign a public IP. [Or I can have a gateway machine dedicated for RRAS with a public IP and host this file-server machine behind the RRAS gateway.]
This file-server is a domain controller. All remote users will have valid domain login-ids/passwords, but their laptops will be configured as part of workgroups. This file-server has shares which need to be accessible to these remote users for file copy.
I hope the connecting user will be asked for the user-id/password in addition to the IPSEC PSK.
Can my requirement be met with the RRAS solution?
I hope everything from user-id/password to file copy will be IPSEC-ed.
Thanks in advance
On 1/3/07, James D. Stallard <james@xxxxxxxxxxxxx> wrote:
You don't mention the number of users, but the budget suggests small scale :)
Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and with WXP SP2 as your client you have 2048bit Diffie-Hellman encryption available.
Setting up RRAS to perform this task is done in less than 20 minutes and is easy to get through a firewall inbound (i.e. your firewall). The problems you have to face are:
. If you wish to use pre-shared keys (the "cheapest" way of doing it) you will need to configure the PSK passphrase on each client individually - easy with a small number of clients. Otherwise, you will need to invest in a certificate authority.
. This is only suitable for access by known machines, not for internet café type environments.
. This solution works great for the remote home user, but is less successful for your travelling salesmen using the client's internet connection as they generally have the relevant ports/protocols blocked.
. The locally configured PSK may not be stored in a highly secure manner on the client machines and could possibly become known in the event a machine configured with it is stolen. You may find yourself having to re-deploy a new PSK.
I wrote a quick and dirty step-by-step here:
http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus
In case one of your configured laptops is stolen and an attempt is made on your RRAS solution, pay attention to your account locking on failed password settings. You want permanent locks on a small number of attempts (say 5), thus forcing administrative intervention and investigation in the event of an account becoming locked.
Cheers
James D. Stallard
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
Sent: 02 January 2007 04:17
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Secure Remote access - windows 2003
I am planning to provide remote access from the Internet to a Windows 2003 domain controller. User-ids, NTFS permissions are all configured.
The objective is file sharing and access.
Files will need to be copied. The machine has a valid Internet IP address and is sitting behind a firewall.
I would like to keep the solution independent of the firewall. This will be accessed by roaming users. I am thinking of something like OpenSSH for Windows or maybe just GUI-based Secure-FTP.
Challenges I am facing
------------------------------------
Authentication should be strong. Something more than a password. [No budget for RSA SecurID :-)))]
Encryption for user-credentials/data access
Options considered
----------------------------------
I read about W2K3 L2TP/IPSEC - looks complex. Terminal services - file copy is not simple and also you require an Application Mode license.
The number of remote users - less than 100
Cost effective, easy to implement and easy to manage solution sought.
--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
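James Stallard's advice in the quoted thread (lock the account after a small number of bad passwords, and make the lock permanent so an administrator has to investigate) is a policy that can be checked offline by replaying Security log events against the three Windows lockout settings. The block below is an added example written for this archive page, not code from any of the posters. The log lines are constructed for it, and their field layout (timestamp, event ID, user, source address) is an assumption; only the event IDs are real Windows Server 2003 values (529 for a bad password, 528 for a successful logon). It models the stolen-laptop case (a valid PSK, rapid password guessing) beside a slow guesser who spaces attempts to stay under the reset window, which is the case a short window misses.

```python
"""Replay Security log lines against a Windows account lockout policy.

Added example, not code from the thread. Log lines and their layout are
constructed assumptions; event IDs 529 (bad password) and 528 (successful
logon) are the real Windows Server 2003 values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

BAD_PASSWORD = 529
LOGON_OK = 528

# Constructed sample log (not real data).
# bob:   six bad passwords in 30 seconds, the stolen-laptop case
# alice: one bad password every 45 minutes, a slow guesser
# carol: one typo, a good logon (which resets the counter), four more typos
SAMPLE_LOG = """\
2007-01-05 08:00:01 529 user=bob src=203.0.113.7
2007-01-05 08:00:04 529 user=bob src=203.0.113.7
2007-01-05 08:00:09 529 user=bob src=203.0.113.7
2007-01-05 08:00:15 529 user=bob src=203.0.113.7
2007-01-05 08:00:22 529 user=bob src=203.0.113.7
2007-01-05 08:00:30 529 user=bob src=203.0.113.7
2007-01-05 07:00:00 529 user=alice src=198.51.100.20
2007-01-05 07:45:00 529 user=alice src=198.51.100.20
2007-01-05 08:30:00 529 user=alice src=198.51.100.20
2007-01-05 09:15:00 529 user=alice src=198.51.100.20
2007-01-05 10:00:00 529 user=alice src=198.51.100.20
2007-01-05 08:05:00 529 user=carol src=192.0.2.9
2007-01-05 08:06:00 528 user=carol src=192.0.2.9
2007-01-05 08:07:00 529 user=carol src=192.0.2.9
2007-01-05 08:08:00 529 user=carol src=192.0.2.9
2007-01-05 08:09:00 529 user=carol src=192.0.2.9
2007-01-05 08:10:00 529 user=carol src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) user=(\S+) src=(\S+)$")


@dataclass
class Event:
    when: datetime
    event_id: int
    user: str
    src: str


@dataclass
class Lockout:
    user: str
    locked_at: datetime
    src: str
    attempts: int
    until_admin_unlocks: bool  # True when the lockout duration is 0


def parse_events(text: str) -> List[Event]:
    """Parse the constructed line format; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append(Event(when, int(m.group(2)), m.group(3), m.group(4)))
    return sorted(events, key=lambda e: e.when)


def evaluate_lockouts(events: List[Event], threshold: int = 5,
                      window_minutes: int = 30,
                      duration_minutes: int = 0) -> Dict[str, Lockout]:
    """Apply the three policy settings and return the accounts that lock.

    threshold:        "Account lockout threshold"; the Nth bad password locks
    window_minutes:   "Reset account lockout counter after"; the counter
                      returns to 0 when this long passes with no bad password
    duration_minutes: "Account lockout duration"; 0 means locked until an
                      administrator unlocks the account
    """
    window = timedelta(minutes=window_minutes)
    count: Dict[str, int] = defaultdict(int)
    last_bad: Dict[str, datetime] = {}
    lockouts: Dict[str, Lockout] = {}
    for ev in events:
        if ev.user in lockouts:
            continue  # already locked; later attempts are not counted
        if ev.event_id == LOGON_OK:
            count[ev.user] = 0  # a successful logon resets the counter
            continue
        if ev.event_id != BAD_PASSWORD:
            continue
        prev = last_bad.get(ev.user)
        if prev is not None and ev.when - prev > window:
            count[ev.user] = 0  # observation window elapsed since last failure
        count[ev.user] += 1
        last_bad[ev.user] = ev.when
        if count[ev.user] >= threshold:
            lockouts[ev.user] = Lockout(ev.user, ev.when, ev.src,
                                        count[ev.user], duration_minutes == 0)
    return lockouts


if __name__ == "__main__":
    for lock in evaluate_lockouts(parse_events(SAMPLE_LOG)).values():
        how = "until admin unlocks" if lock.until_admin_unlocks else "temporarily"
        print(f"{lock.user}: locked {how} at {lock.locked_at} after "
              f"{lock.attempts} bad passwords from {lock.src}")
```

With the thread's suggested settings (threshold 5, duration 0) only bob locks, on the fifth attempt, and stays locked until someone looks at it; alice's 45-minute spacing never trips a 30-minute reset window, but does trip a 60-minute one, which is the check worth running on your own policy before exposing the RRAS endpoint.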