Learning Center
Plans & pricing Sign in
Sign Out

Linux+ Guide to Linux Certification


									     70-299 MCSE Guide to
Implementing and Administering
Security in a Microsoft Windows
      Server 2003 Network

              Chapter 10
Planning and Deploying Authentication for
          Remote Access Users

•   Deploy and manage SSL certificates
•   Configure a Web server for SSL certificates
•   Configure a client for SSL certificates
•   Determine certificate renewal
•   Configure security for Remote Access users

Guide to MCSE 70-299                              2
            Objectives (continued)

• Provide Remote Access over a VPN
• Manage client configuration for Remote Access

Guide to MCSE 70-299                              3
       Deploying and Managing SSL
• Need to install IIS in a highly secure and locked
• Secure Sockets Layer (SSL): public key–based
  security protocol used by Internet services and
  clients for authentication, message integrity, and
• SSL process uses:
   – Certificates for authentication
   – Encryption for message integrity and confidentiality
• Requires installation of valid server certificate to
  establish encrypted communications using SSL
Guide to MCSE 70-299                                     4
       Deploying and Managing SSL
         Certificates (continued)

• Certificate-based SSL features in IIS consist of:
   – A server certificate
   – A client certificate
   – Various digital keys
• Ways to obtain certificates:
   – Can be created using Certificate Services
   – Can be obtained from a mutually trusted third-party
     organization called a certification authority (CA)

Guide to MCSE 70-299                                   5
       Deploying and Managing SSL
         Certificates (continued)

           Table 10-1: IIS Authentication Methods

Guide to MCSE 70-299                                6

• HTTPS (HTTP over Secure Sockets Layer):
   – A technology that encrypts individual messages in
     Web communications rather than establishing a
     secure channel
   – Popular e-commerce technology and is used for
     secure online shopping
   – Communicates on port 443
   – SSL-secured URLs begin with https:// prefix
   – Created by the Netscape Corporation and used a
     40-bit RC4 stream encryption algorithm; now 128-bit
     encryption keys available

Guide to MCSE 70-299                                  7

• Lightweight Directory Access Protocol (LDAP):
   – Used to secure Active Directory traffic using SSL
   – Enabled by installing a properly formatted certificate
     from a certification authority (CA)
   – LDAPS communication occurs over port TCP 636
   – LDAPS communication to a global catalog server
     occurs over TCP 3269
   – SSL/TLS is negotiated before any LDAP traffic is
     exchanged when connecting to ports 636 or 3269

Guide to MCSE 70-299                                     8
               LDAPS (continued)

       Figure 10-1: LDAP communications on port 636
Guide to MCSE 70-299                                  9
               Wireless Networks
• Possible to secure wireless communications using Secure
  Shell (SSH) or HTTP with SSL or TLS

       Table 10-2: SSL Advantages and Disadvantages
Guide to MCSE 70-299                                    10
  Configuration of the Web Server for
           SSL Certificates
• Use SSL encryption only for sensitive information;
  encrypted transmissions can significantly reduce
  transmission rates and server performance
• Server certificates provide a way for users to
  confirm the identity of your Web site
• A server certificate contains following information:
   – Organization name affiliated with the server content
   – Name of the organization that issued the certificate
   – A public key that is used to establish an encrypted

Guide to MCSE 70-299                                   11
  Configuration of the Web Server for
     SSL Certificates (continued)

      Figure 10-2: Web Server Certificate Wizard screen
Guide to MCSE 70-299                                      12
  Configuration of the Web Server for
     SSL Certificates (continued)

     Figure 10-3: Certificate Request Submission screen
Guide to MCSE 70-299                                      13
  Configuration of the Web Server for
     SSL Certificates (continued)
• Possible to configure Web server to require a 128-
  bit minimum session-key strength for all SSL-
  secured communication sessions
• You can configure computers running WS 2003
  with IIS 6.0 to accept certificates from predefined
  list of CAs
• Each Web site can be configured to accept
  certificates from a different list by using CTLs
• Certificate Trust List Wizard can be used to:
   – Create and edit CTLs
   – Add new root certificates to your CTLs

Guide to MCSE 70-299                               14
  Configuration of the Web Server for
     SSL Certificates (continued)

 Figure 10-4: Welcome to the Certificate Import Wizard screen
Guide to MCSE 70-299                                      15
   Configuration of the Web Server for
      SSL Certificates (continued)

Figure 10-5: Welcome to the Certificate Trust List Wizard screen
Guide to MCSE 70-299                                        16
            Self-Issued Certificates

• Considerations when deciding to issue your own
  server certificates:
   – Microsoft Certificate Services can accommodate
     different certificate formats and provide for auditing
     and logging of certificate-related activity
   – Evaluate the cost of each
   – Keep the learning curve in mind
   – Evaluate the willingness of outside vendors clients to
     trust your organization as a certificate supplier

Guide to MCSE 70-299                                   17
         Publicly Issued Certificates

• Used when a user suspects your self-issued
• Certificate can be obtained from a mutually trusted,
  third-party CA, e.g., VeriSign or Thawte
• Requirements to obtain certificates from CA:
   – Providing of identification information
   – Might require a personal interview with the CA
   – Endorsement of a notary
• Wait time: Several days to several months
• Must be renewed on a regular basis
Guide to MCSE 70-299                                  18
Publicly Issued Certificates (continued)

• General rules about any type of Web certificates:
   – Each Web site can have only one server certificate
     assigned to it
   – One certificate can be assigned to multiple Web
   – You can assign multiple IP addresses per Web site
   – You can assign multiple SSL ports per Web site

Guide to MCSE 70-299                                 19
   Configuration of the Client for SSL

• Typical client certificate contains following items of
   – Identity of the user
   – Identity of the certification authority
   – A public key used for establishing encrypted
   – Validation information, such as an expiration date
     and serial number

Guide to MCSE 70-299                                      20
   Configuration of the Client for SSL
        Certificates (continued)

• To protect your Web content from unauthorized
  access you must do one of the following:
   – Use Basic, Digest, or Integrated Windows
     authentication, in addition to requiring a client
   – Create a Windows account mapping for client

Guide to MCSE 70-299                                     21
   Configuration of the Client for SSL
        Certificates (continued)

             Figure 10-6: SSL browser options
Guide to MCSE 70-299                            22
              Certificate Renewal

• Security and renewal requirements for certificates
  should be based on following factors:
   – Value of the network resources protected by the CA
     trust chain
   – Degree to which you trust your certificate users
   – Amount of administrative effort that you are willing to
     devote to certificate renewal and CA renewal
   – Business value of the certificate

Guide to MCSE 70-299                                     23
     Certificate Renewal (continued)

      Table 10-3: Recommendations for Validity Periods
Guide to MCSE 70-299                                     24
     Configuring Security for Remote
              Access Users
• Secure and reliable remote access solution
  requires careful planning and testing of remote
  access design
• Types of remote access authentication protocol:
   – Password Authentication Protocol (PAP)
   – Challenge Handshake Authentication Protocol
   – Microsoft CHAP (MS-CHAP)
   – Microsoft CHAP version 2 (MS-CHAP v2)
   – Extensible Authentication Protocol (EAP)

Guide to MCSE 70-299                                25
      Configuring Security for Remote
        Access Users (continued)

Figure 10-7: Configure Routing and Remote Access Server screen
 Guide to MCSE 70-299                                    26
     Configuring Security for Remote
       Access Users (continued)

     Figure 10-8: Configured Routing and Remote Access
Guide to MCSE 70-299                                     27
     Configuring Security for Remote
       Access Users (continued)

     Figure 10-9 Configured Routing and Remote Access
                 Authentication policy
Guide to MCSE 70-299                                    28
    Password Authentication Protocol

• Uses a two-way handshake to provide for user
  authentication; server asks for the credentials and
  the user supplies them
• PAP is strongly discouraged; user’s credentials are
  sent over the wire in clear text and can be easily
  sniffed by an attacker
• Cannot be used with Microsoft Point-to-Point
  Encryption (MPPE)
• Currently used only by older UNIX-based servers

Guide to MCSE 70-299                              29
 Challenge Handshake Authentication
• Used to provide on-demand authentication within
  an ongoing data transmission
• CHAP uses a one-way hashing function;
  authenticator compares client’s hash value with its
  own calculated value
• Process is repeated at random intervals during a
  data transaction session
• CHAP authentication cannot be used with MPPE
• Two forms of CHAP that are Microsoft-specific:

Guide to MCSE 70-299                               30
     Microsoft Challenge Handshake
         Authentication Protocol
• MS-CHAP: uses same type of challenge/response
  mechanism as CHAP but it uses a nonreversible
  encrypted password
• MS-CHAP v2: challenge/response mechanism is
  much more sophisticated than that of MS-CHAP:
   – Server must first prove to the client that it knows the
     correct password, client then answers the challenge
     of the server
   – A dial-up connection typically uses MS-CHAP v2
   – Supported by Windows XP, 2000, 98, ME, and NT
Guide to MCSE 70-299                                     31
   Extensible Authentication Protocol

• EAP is an extension to PPP
• An arbitrary authentication mechanism that
  authenticates a remote access connection
• Authentication mechanism is not chosen during the
  link establishment phase
• EAP negotiation is performed during the
  connection authentication phase
• Routing and Remote Access includes support for
  EAP-TLS and MD-5 Challenge by default

Guide to MCSE 70-299                            32
   Extensible Authentication Protocol
• EAP-MD5: used to authenticate the credentials of
  remote access clients by using username and
  password−based security systems; requires that
  local or domain passwords are stored in a
  reversibly encrypted form
• EAP-TLS: designed for use with a certificate
  infrastructure and either certificates or smart cards;
  supported only on servers that are:
   – Running routing and remote access
   – Configured to use windows authentication
   – Members of a domain
Guide to MCSE 70-299                                 33
          Multifactor Authentication

• Combining of two or three of the following factors
  for proof of identification:
   – Something he or she knows: e.g., a password or a
     PIN for a smart card can be used
   – Something he or she has: e.g., smart card or access
     card can be used
   – Something he or she is: e.g., a fingerprint or retinal
     scan can be used
• Considerations for using smart card authentication:
  cost, infrastructure, administrative overhead, and
  remote connections
Guide to MCSE 70-299                                    34
Providing Remote Access Over a VPN

• Virtual private network (VPN): method for allowing
  remote access users to connect to a corporate
  network over the Internet
• Uses a combination of tunneling, authentication,
  and encryption technologies to create secure
• VPNs offer following benefits:
   –   Saves long-distance phone expenses
   –   Requires less hardware
   –   Prevents unauthorized users from connecting
   –   Difficult for a hacker to read sent data
Guide to MCSE 70-299                                 35
Providing Remote Access Over a VPN
• Procedure for designing security for a VPN remote
  access server solution:
   – Choose a VPN protocol
   – Decide which authentication protocols are needed
   – Pick the extent and level of encryption to use
   – If organizational needs warrant the use of
     certificates, plan a certificate infrastructure that
     supports client authentication for remote access
   – Consider enhancing security by using remote access
     account lockout

Guide to MCSE 70-299                                 36
          Internet Service Providers

• Two ways to access the Internet:
   – Register an IP address and maintain DNS server
     and DNS resolution
   – Uses a DNS server and equipment that has been
     registered by someone else, namely an ISP
• Benefits of ISP:
   – Cost savings by minimizing both setup and
     operations costs
   – Guaranteed level of service for some or all
     components of your remote access solution
Guide to MCSE 70-299                                  37
          Client Operating Systems
• Windows Server 2003 supports two VPN protocols:
   – Point-to-Point Tunneling Protocol (PPTP)
   – Layer Two Tunneling Protocol with Internet Protocol
     security (L2TP/IPSec)

        Table 10-4: Comparison of Client Support for
                    Tunneling Protocols
Guide to MCSE 70-299                                   38
 Client Operating Systems (continued)

     Figure 10-10: Configuring a client tunneling protocol
Guide to MCSE 70-299                                         39
      Using Point-to-Point Tunneling
• Allows tunneling that works at Layer 2 of the OSI
  model and enables single point-to-point connection
• Connection types where PPTP may be used:
   – Over the Internet (such as VPN)
   – Via a dial-up connection
• Embeds its own network protocol within TCP/IP
  packets carried by the Internet
• PPTPVPN connections require use of following:
• Not the most secure method

Guide to MCSE 70-299                              40
  Using Layer Two Tunneling Protocol

• L2TP is an extension of the PPP protocol, created
  by combining the best qualities of PPTP and Layer
  2 Forwarding (L2F); sets up a single point-to-point
  connection between two computers
• L2TP/IPSec provides following for each packet:
  data integrity, data origin authentication, data
  confidentiality, and replay protection
• It is protocol-independent and includes an
  authentication mechanism

Guide to MCSE 70-299                              41
  Using Layer Two Tunneling Protocol
• L2TP/IPSec uses:
   – PPP user authentication methods
   – IPSec encryption to encrypt IP traffic
• L2TP/IPSec can be used only by Windows 2000
  Professional and newer clients
• For the highest level of security, use a remote
  access VPN based on L2TP/IPSec with certificate-
  based IPSec authentication and Triple-DES for
• If using a PPTP-based VPN solution, it is best to
  use MS-CHAP v2
Guide to MCSE 70-299                             42
  Using Layer Two Tunneling Protocol

• When choosing an authentication protocol for VPN
  connections, keep the following in mind:
   – When using smart cards or certificates, use EAP-
     TLS for both PPTP and L2TP connections
   – When using a password-based authentication
     protocol, choose MS-CHAP v2, then use Group
     Policy to enforce strong passwords
   – Always use the most secure protocols that your
     network access servers and clients can support

Guide to MCSE 70-299                                    43
 Network Address Translation Devices

• Translate IP addresses and TCP/UDP port
  numbers of packets, thereby preventing others
  from knowing real address of your private network;
  allows to use one public address to provide Internet
  access to many users simultaneously
• PPTP with its built-in MPPE encryption is able to
  interoperate with NAT
• Microsoft servers prior to Windows Server 2003
  could not use IPSec and NAT together

Guide to MCSE 70-299                               44
 Network Address Translation Devices

       Figure 10-11: Demand Dial Interface Wizard
Guide to MCSE 70-299                                45
 Network Address Translation Devices

     Figure 10-12: Completing the Demand-Dial Interface
                   Wizard screen
Guide to MCSE 70-299                                      46
                IP NAT Traversal

• Enables IPSec VPNs to work with NAT devices
• Works by providing UDP encapsulation of IPSec
  packets to enable IKE and ESP protected traffic to
  pass through the NAT device
• In case of VPN client use with NAT:
   – PPTP-based VPN clients can be located behind
     NAT if NAT includes an editor and Remote Access
   – If you locate L2TP/IPSec-based clients or servers
     behind a NAT device, both client and server must
     support IPSec NAT Traversal
Guide to MCSE 70-299                                 47
 Routing and Remote Access Servers

• Steps to be taken when deploying a VPN:
   – Configure the server as a VPN remote access server
   – Configure routing on the VPN server
   – Implement security
   – If required, install certificates
   – Configure the remote access policy for the VPN
   – Configure remote access account lockout if

Guide to MCSE 70-299                                48
 Routing and Remote Access Servers

   Figure 10-13: Configuring remote access account lockout
Guide to MCSE 70-299                                     49
 Routing and Remote Access Servers

• Options to increase the server performance when
  planning deployment of remote access servers:
   – Upgrading the server hardware
   – Increasing the amount of RAM
   – Using separate remote servers

Guide to MCSE 70-299                            50
 Routing and Remote Access Servers

• Guidelines for upgrading the server hardware in
  case of dial-up networking:
   – Modem or a multiport adapter and access to analog
     telephone line: for large number of clients, install
     modem bank equipment and multiple phone lines
   – For each modem, a server serial port or for modem
     banks, a multiport serial adapter or a high-density
     combination card
   – Consider using multiport serial boards to offload
     processing from the remote access server

Guide to MCSE 70-299                                   51
 Routing and Remote Access Servers

• Guidelines for upgrading the server hardware in
  case of VPN:
   – Use network adapters capable of IPSec hardware
     offloading for interfaces on the public network
   – Configure all devices to 100 Mbps full duplex
   – Private network interfaces and data servers and
     routers that remote access clients will access should
     be directly connected to a high-capacity switch

Guide to MCSE 70-299                                   52
 VPN Router Placement in Relation to

   Table 10-5: Comparison of Port Configuration Based on
               Firewall Placement
Guide to MCSE 70-299                                       53
    Managing Client Configuration for
       Remote Access Security

• WS 2003 has built-in tools to assist in managing
  client access to a remote access server
• Clients can be configured using:
   – Native connection features in Windows: best suited
     for when there are few users connecting to the
   – Managed client solution, such as Connection
     Manager and its components: enables a network
     administrator to preconfigure remote access clients

Guide to MCSE 70-299                                  54
            Remote Access Policy

• A collection of conditions and settings that define
  authorization and access privileges for connection
• Consist of three components that work together to
  allow or deny the connection: conditions,
  permissions, and profiles
• Possible to configure multiple remote access
  policies on a single server
• Default remote access policy: Connections to
  Microsoft Routing and Remote Access server

Guide to MCSE 70-299                               55
   Remote Access Policy (continued)

• Conditions are attributes that must be met in order
  to satisfy the policy:
   – First component that is checked on a connection
   – Checked only at the initial time of the connection
   – Might include: Day and time restrictions, connection
     types, and security group memberships
   – All of the conditions must be met to satisfy the policy
     if multiple conditions are set

Guide to MCSE 70-299                                     56
   Remote Access Policy (continued)

• Permissions: checked after conditions, assuming
  that a condition to deny has not already been met
• User dial-in permissions can be set to Allow, Deny,
  or Control Access through Remote Access Policy (if
  domain is in at least Windows 2000 native mode)
• Profiles: must be met in order to obtain and to
  continue a connection if user permissions are set to
  Control access through Remote Access Policy
• Profiles can include day and time restrictions,
  idle-timeouts, session-timeouts, encryption,
  authentication, connection types etc.
Guide to MCSE 70-299                              57
   Remote Access Policy (continued)

           Figure 10-14: New remote access policy
Guide to MCSE 70-299                                58
  Connection Manager Administration

• Connection Manager consists of three different
   – The Connection Manager client: provides a
     simplified way of connecting to a remote network
   – The Connection Manager Administration Kit
     (CMAK): allows the administrator to create and
     configure the service profile
   – Connection Point Services (CPS): allows for creation
     and maintaining of phone books

Guide to MCSE 70-299                                  59
  Connection Manager Administration
           Kit (continued)

• New features on the CMAK Wizard for Windows
  Server 2003 include:
   – Provide routing table updates that apply only while
     clients are connected to your server (split tunneling)
   – Automatically configure Internet Explorer proxy
     settings for a client computer
   – Enable clients to choose which VPN server to use
     when they make a connection
   – Automatically run applications on the client computer
     or on the server at the time of the connection

Guide to MCSE 70-299                                   60
   Customizing Connection Manager

• Connection Manager also has the ability to run
  custom actions at various points when establishing
  a connection
• CMAK Wizard is used to include custom actions in
  your service profile, such as automatically starting
  programs when users connect
• Custom actions are quite flexible and can include
  batch files, executable files, and dynamic link
  libraries (DLLs), or they can use installed or
  distributed programs
Guide to MCSE 70-299                               61
   Customizing Connection Manager

• List of the custom actions that can be performed:
   –   Preinitialization actions
   –   Preconnect actions
   –   Predial actions
   –   Pretunnel actions
   –   Postconnect actions
   –   Disconnect actions
   –   On cancel actions
   –   On error actions

Guide to MCSE 70-299                              62
   Customizing Connection Manager

              Figure 10-15: Configuring CMAK
Guide to MCSE 70-299                           63
   Customizing Connection Manager

          Figure 10-16: Configuring a custom action
Guide to MCSE 70-299                                  64
   Deploying Remote Access Clients

• CMAK can be used to automate client configuration
• Ways to distribute client configuration:
   – Distribute CDs or floppy disks containing your self-
     installing Connection Manager package
   – Send a service profile through e-mail to your users
   – Set up a Web site where users can download the
     service profile
   – Install the service profile on each client individually.
   – Use a combination of distribution methods

Guide to MCSE 70-299                                       65
• SSL protocol can be used with IIS 6.0 to encrypt
  confidential information exchanged between the
  Web server and the client
• SSL process uses certificates for authentication,
  and encryption for message integrity and
• You can configure computers running WS 2003
  with IIS 6.0 to accept certificates from a predefined
  list of certification authorities
• To place the VPN router behind the firewall and
  attach the firewall to the Internet is recommended

Guide to MCSE 70-299                                66
             Summary (continued)

• You can use remote access account lockout on
  remote access accounts
• With remote access policy, users can be allowed or
  denied access based on many factors
• WS 2003 supports two VPN protocols: PPTP and
• NAT devices work by translating port numbers of
  packets that are forwarded between private
  network and Internet
• You can use CMAK Wizard to create a custom
  service profile
Guide to MCSE 70-299                             67

To top