Task 6.2: Configuring the VPN Server

As more and more employees telecommute to the office, VPN technology has become increasingly important. A VPN server at the office enables secure communications for the worker at home connecting to the office LAN over the public wires of the Internet.

There are many vendors of VPN server software and appliances, offering a wide variety of strengths of authentication, encryption, and integrity validation. Any Microsoft server-class operating system has the capability to be configured as a VPN server, securely connecting the telecommuter to the corporate LAN as if they were directly connected to the Ethernet cabling inside the office.

The weaker—but often considered acceptable-strength—VPN implements Point-to-Point Tunneling Protocol (PPTP), which is based on the RC4 encryption algorithm. This is available only for Microsoft clients (Windows 95 and up), and uses standard Microsoft authentication schemes (NTLM or NTLMv2).

The next step up in VPN strength is IPSec, which implements 3DES (or DES) for encryption and SHA1 (or MD5) for integrity validation. Windows Server 2008 and Windows Vista implement AES-128 and SHA1 for IPSec by default. Microsoft’s IPSec is available only for Microsoft operating systems (Windows 2000 and up) and uses standard Microsoft authentication schemes (Kerberos), but can be strengthened to use digital certificates for authentication.

The third and strongest VPN from Microsoft is the combination of Layer 2 Tunneling Protocol (L2TP) with IPSec. L2TP provides strong, mutual authentication based on digital certificates on the VPN client and server computers. This authentication scheme is so strong that a sender cannot deny sending the message. This is called nonrepudiation. L2TP also provides strong integrity validation using Message Integrity Check (MIC). Interestingly, L2TP does not provide data encryption. This is why IPSec, which does provide data encryption, is typically added to supply confidentiality.

Remember that, generally speaking, the stronger the security (authentication, encryption, and integrity validation), the poorer the performance on both the VPN server and the VPN client. The mathematical calculations implemented by the encryption and hashing algorithms and the increased complexity of authentication all take their toll on the speed of the connection and data flow.

Scenario

You are the administrator of a Microsoft Windows Active Directory environment and have workers who telecommute. You must configure a system to securely provide resources to these workers who connect over the Internet.

You will build the VPN client and test the configuration in Task 6.3, “Configuring the VPN Client.”

Scope of Task

Duration

This task should take 20 minutes.

Setup

You will initialize and configure the VPN server. On Windows Server 2003, the VPN is configured in the Routing and Remote Access Services (RRAS) server.

Caveat

VPN servers are often connected to public networks, like the Internet. In other words, these systems are exposed to the most hostile of environments and are subject to frequent attacks. Because of this public exposure, it is not uncommon that these systems become compromised. These systems should be hardened and dedicated-purpose servers. Don’t run anything more on these systems than is absolutely required.

Procedure

For this task, you will initialize and configure the RRAS server on a Windows Server 2003 server. You will configure the ports for inbound VPN connections.

You will also configure a user account with the privilege to connect to the server using the RRAS service. VPN technology is an extension of dial-in services, originally utilizing slow, analog modems over telephone lines. Users require the privilege to dial in to connect to the VPN server. No user account is granted the dial-in privilege by default.

Equipment Used

For this task, you must have:

  • Windows Server 2003 system
  • Access to Active Directory Users And Computers (ADUC)
  • Administrator access

Details

Initializing the VPN Services in RRAS

1. Log on to the Windows Server 2003 system as the Administrator.

2. Select Start ⇒ Programs ⇒ Administration Tools ⇒ Routing And Remote Access.

3. If this is the first time you’ve used RRAS, the service will be stopped.

4. In the left pane, select the server_name (local). Right-click and select Configure And Enable Routing And Remote Access. Click Next in the RRAS Setup Wizard.

5. Select Custom Configuration, and click Next.

6. On the Custom Configuration screen, select VPN Access and click Next, and then click Finish.

7. You will be prompted to start the RRAS Service. Click Yes.

8. Expand server_name (local) as necessary. Select Ports.

9. Right-click on Ports and select Properties. Notice that by default, 128 PPTP ports and 128 L2TP ports are enabled. For performance and security reasons, you should reduce these numbers to something closer to the number of concurrent VPN connections you are expected to support.

10. Select WAN Miniport (PPTP) and click Configure to open the Configure Device dialog box.

11. Reduce the Maximum Ports value to 10 and click OK. You will receive a warning message about possibly disconnecting active sessions. Click Yes to continue.

12. Select WAN Miniport (L2TP) and click Configure.

13. Reduce the Maximum Ports value to 10 and click OK. You will receive a warning message about possibly disconnecting active sessions. Click Yes to continue.

14. Minimize the RRAS console.

You will be returning to this console in the following task, “Configuring the VPN Client.”

Granting the Dial-in Privilege to Users

1. Select Start ⇒ Programs ⇒ Administration Tools ⇒ Active Directory Users And Computers (ADUC).

2. Expand the domain. Select the Users container.

3. In the right pane, select the Administrator account. Right-click the Administrator account and select Properties.

image

You will remember that in Task 5.4, “Securing the Default User Accounts,” you renamed the Administrator account and created a useless account named Administrator to increase security for default accounts. The account named TopDog in the preceding graphic is the administrator for the domain. You would select (multiple-select with Shift-click or Ctrl-click) the accounts that require VPN access and grant the dial-in privilege, as necessary.

In production, it is generally not advisable to install the RRAS/VPN service on a domain controller. Domain controllers are the foundation for the security of the Active Directory environment and remote connectivity is typically not enabled for these systems. In your configuration, if the VPN server is configured on a domain controller, additional privilege must be granted to any nonadministrator VPN users. Nonadministrator users are not allowed to log on to a domain controller by default. Nonadministrator users would need to be granted the right to log on locally to the domain controller/VPN server.

4. Select the Dial-in tab of the user account Properties dialog box. Select Allow Access in the Remote Access Permission (Dial-in Or VPN) section.

5. Click OK to close the user Properties dialog box. Close ADUC.
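As an added example (not from the book), the same grant-and-verify done from PowerShell over ADSI, which works against a Windows Server 2003 domain without the ActiveDirectory module and lets you audit exactly which accounts hold the dial-in privilege; the account names in $VpnUsers are assumed placeholders.

```powershell
# Added example, not from the book. Assumes it runs as a domain admin on a
# domain-joined machine; the account names in $VpnUsers are placeholders.

$VpnUsers = @('TopDog', 'jsmith')   # assumed sAMAccountNames that need VPN access

function Get-DialinUsers {
    # Lists every user whose Remote Access Permission is explicitly "Allow Access"
    # (msNPAllowDialin = TRUE). Accounts set to Deny, or to "Control access through
    # Remote Access Policy", do not match this filter.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))'
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account = $r.Properties['samaccountname'][0]
            DN      = $r.Properties['distinguishedname'][0]
        }
    }
}

function Set-DialinPermission {
    param([string]$SamAccountName, [bool]$Allow)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found" }
    $user = $result.GetDirectoryEntry()
    # msNPAllowDialin backs the Allow Access / Deny Access radio buttons on the Dial-in tab
    $user.Put('msNPAllowDialin', $Allow)
    $user.SetInfo()
}

# Grant the privilege only to the accounts that need it ...
foreach ($name in $VpnUsers) { Set-DialinPermission -SamAccountName $name -Allow $true }

# ... and explicitly deny it to the decoy "Administrator" account left over from
# Task 5.4, so no later policy change can open VPN access to it by accident.
Set-DialinPermission -SamAccountName 'Administrator' -Allow $false

# Audit: this list should match the set of accounts you intend to have VPN access.
Get-DialinUsers | Format-Table Account, DN -AutoSize
```

Re-run Get-DialinUsers periodically; any account that appears here without a matching entry in your VPN user list is a change worth investigating.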

Criteria for Completion

You have completed this task when you have initialized and configured RRAS for 10 PPTP ports and 10 L2TP ports, then granted the dial-in privilege to the appropriate VPN user accounts in ADUC.