Re: how to secure VPN to a SQL server?



It does not matter if they have a dynamic IP address. The IP filtering I am
talking about is done post VPN, after decryption by the VPN server, on the IP
addresses that your RRAS assigns to them via DHCP or pool. Remote Access
Policies can be configured so that they apply based on user group membership,
so that you can have a different Remote Access Policy for different groups, so
you could simply filter every user that matches a particular Remote Access
Policy. The trick for Remote Access Policies is to order them from specific
to general, as the first one that applies to the connection will be used.
Since it seems you want to filter all VPN connections, however, you need to
only configure the default Remote Access Policy with the filtering you want,
and yes, it can be very restrictive, though users do need access to DHCP/DNS
[unless RRAS does that] and a domain controller if there is one. It would be
easy to restrict traffic to the IP of the SQL server. The link below
explains a little on configuring Remote Access Policy, but in your case you
want to manage the input/output filters in the IP page. --- Steve

http://www.windowsecurity.com/articles/Securing_Remote_Access_Connections.html

"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:e6SDiE9mGHA.1272@xxxxxxxxxxxxxxxxxxxxxxx
Steven,

Thanks for the response, unfortunately my situation is:

1. Some remote clients don't have static IPs (so filtering option on the
VPN server is out)
2. no guarantee the client has anything other than default XP admin
account (they also have legacy software that requires Admin)

Is there any way to restrict the VPN server to only support SQL traffic?

Thanks, Rob.


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:unBFLf8mGHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
While using virus protection is a great idea there are other things you
should also do. If at all possible the users on the remote computer
should never be in the local administrators or power users group and
Software Restriction Policies can be implemented on XP Pro to control
what applications users do use and minimize the threat of malware. The
link below explains SRP in detail. You should also take advantage of
filtering capabilities of your VPN server to restrict what IP addresses
the VPN user can access and then what ports/protocols they are allowed to
access on those IP addresses. In Windows 2000/2003 RRAS you can configure
input/output filters in Remote Access Policy via edit profile - tcp/ip.
Of course the SQL server must be hardened including that the users have
only the needed permissions to do their job. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:uharm6vmGHA.4836@xxxxxxxxxxxxxxxxxxxxxxx
I have a deployment package that automatically sets up a VPN on a remote
client PC (public). What I'm concerned about is the client PC obtaining
a virus and that virus finding its way to our server via the VPN. The
client PCs do need Internet access & Email access while the VPN is
enabled. The VPN is used only for communication with the SQL server --
basically a split tunnel VPN solution. (TCP/IP settings, Use default
gateway on remote network is NOT checked)

What are my options?

Thanks, Rob.
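
An added example, not part of the thread and not RRAS's own code: a small Python model of the behaviour described in the replies above, where the first matching Remote Access Policy wins and its profile filters are applied to traffic after decryption. Addresses, group names and policy names are constructed, and TCP 1433 is assumed as the SQL Server port (its default); the model only evaluates rules and does not configure RRAS.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Permit:
    dst: str    # destination network in CIDR form
    proto: str  # "tcp" or "udp"
    port: int

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset  # empty = condition matches every VPN user
    permits: tuple     # traffic not listed here is dropped

def select_policy(policies, user_groups):
    """First policy whose group condition matches wins; later ones are ignored."""
    for p in policies:
        if not p.groups or p.groups & set(user_groups):
            return p
    return None  # no matching policy: connection refused

def allowed(policy, dst_ip, proto, port):
    """Evaluate a post-decryption packet against the policy's permit list."""
    if policy is None:
        return False
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(r.dst) and (proto, port) == (r.proto, r.port)
               for r in policy.permits)

def shadowed(policies):
    """Names of policies that can never apply because a catch-all precedes them."""
    out, seen_catch_all = [], False
    for p in policies:
        if seen_catch_all:
            out.append(p.name)
        seen_catch_all = seen_catch_all or not p.groups
    return out

# Constructed sample values: 10.0.0.20 = SQL server, 10.0.0.5 = DNS server,
# TCP 3389 = a management port granted only to the hypothetical VPN-Admins group.
SQL_ONLY = (Permit("10.0.0.20/32", "tcp", 1433), Permit("10.0.0.5/32", "udp", 53))
ADMIN = (Permit("10.0.0.0/24", "tcp", 3389),) + SQL_ONLY
GOOD_ORDER = [Policy("vpn-admins", frozenset({"VPN-Admins"}), ADMIN),
              Policy("default", frozenset(), SQL_ONLY)]
BAD_ORDER = list(reversed(GOOD_ORDER))  # general before specific
```

With BAD_ORDER the catch-all default policy is matched first, so the group-specific policy is never reached; shadowed() reports it.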








