Windows 2000 Server Remote Access Overview
Windows 2000 Server Remote Access is part of the Routing and Remote Access service. It connects remote or mobile workers to the organization's network, so that a remote user can work as if the computer were physically attached to the network.
The user runs remote access software and initiates a connection to the remote access server. The remote access server, a computer running Windows 2000 Server and the Routing and Remote Access service, authenticates the user and services the session until the user or the network administrator terminates it. Through remote access, all of the services that are normally available to LAN users (including file and print sharing, web server access, and messaging) can be enabled.
Remote access clients use standard tools to access resources. For example, on a computer running Windows 2000, a client can use Windows Explorer to connect to drives and printers. The connection is persistent: the user does not need to reconnect to network resources during the remote session. Because remote access supports drive letters and universal naming convention (UNC) names, most commercial and custom applications work without modification.
A remote access server running Windows 2000 provides two different types of remote access:
Dial-up networking
A remote access client uses a non-permanent dial-up connection to a physical port on the remote access server; the network used is the dial-up network. The best example of dial-up networking is a dial-up networking client calling the telephone number of a port on the remote access server.
Dialing over a telephone line or ISDN creates a direct physical connection between the dial-up networking client and the dial-up networking server. The data sent over the connection can be encrypted, but this is not required.
Virtual private networking
Virtual private networking is the creation of secure, point-to-point connections across a private network or a public network such as the Internet. A virtual private network client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a virtual private network server. The best example of virtual private networking is a virtual private network client that uses a virtual private network connection to reach a remote access server attached to the Internet. The remote access server answers the virtual call, authenticates the caller, and transfers data between the virtual private network client and the corporate network.
In contrast to dial-up networking, virtual private networking is always a logical, indirect connection between the virtual private network client and the virtual private network server. To ensure privacy, the data sent over the connection must be encrypted.
Remote access server as a virtual private network server
A virtual private network connection emulates a point-to-point connection. To emulate a point-to-point connection, the data is encapsulated, or wrapped, with an additional header that provides the routing information needed to reach the endpoint. The endpoint is either the virtual private network client or the virtual private network server. The portion of the virtual private network connection in which the data is encapsulated is called the tunnel.
For a secure virtual private network, the data is encrypted before it is encapsulated. Without the encryption keys, intercepted packets cannot be read. The portion of the virtual private network connection in which the data is encrypted is called the virtual private network (VPN) connection.
VPN connections are created, managed, and terminated by using a special protocol called a tunneling protocol. The virtual private network client and the virtual private network server must support the same tunneling protocol in order to create a virtual private network connection. A remote access server running Windows 2000 is a virtual private network server for both the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP).
Point-to-Point Protocol
Windows 2000 Server supports the Point-to-Point Protocol (PPP), a set of industry-standard framing and authentication protocols that allow remote access solutions from multiple vendors to interoperate. Because PPP is flexible and an industry standard, it gives flexibility in the choice of client and server hardware and software, and its use is recommended. PPP support allows a computer running Windows 2000 to dial into a remote network through any server that conforms to the PPP standard. PPP compliance also allows a computer running Windows 2000 to receive calls from, and provide network access to, remote access software from other vendors.
The PPP architecture also allows remote access clients to use any combination of IPX, TCP/IP, NetBEUI, and AppleTalk. Remote access clients running Windows NT, Windows 2000, Windows 98, and Windows 95 can use any combination of TCP/IP, IPX, and NetBEUI with programs written to the Windows Sockets, NetBIOS, or IPX interfaces. The Microsoft remote access client does not support the use of the AppleTalk protocol over remote access.
The PPP standard is defined in Requests for Comments (RFCs), which are published by the Internet Engineering Task Force and other working groups. For a list of the PPP RFCs supported by remote access servers running Windows 2000, see Remote Access RFCs.
PPP connection sequence
When you connect to a remote computer, PPP negotiation completes the following steps:
Framing rules are established between the remote computer and the server. This allows continued communication (frame transfer) to occur.
The remote access server then authenticates the remote user by using a PPP authentication protocol (MS-CHAP, EAP, CHAP, SPAP, or PAP). Which protocol is used depends on the security configuration of the remote client and the server.
After authentication, if callback is enabled, the remote access server hangs up and calls the remote access client back.
Network Control Protocols (NCPs) enable and configure the remote client for the LAN protocols it requires.
When each step of the PPP connection has completed successfully, the remote access client and server can transfer data for programs written to the Windows Sockets, RPC, or NetBIOS programming interfaces.
Data encryption
You can use data encryption to protect the data sent between remote access clients and servers. Data encryption is important for financial institutions, law enforcement and government agencies, and companies that require secure data transmission. For installations that require data encryption, the network administrator can set the remote access server to require encrypted communication. Users who connect to that server must encrypt their data, or the connection is refused.
For dial-up networking connections, you can protect the data by encrypting it on the communication link between the remote access client and the server. Data encryption should be used when there is a risk of unauthorized interception of transmissions on the communication link between the remote access client and the server. For dial-up networking connections, Windows 2000 uses Microsoft Point-to-Point Encryption (MPPE).
For virtual private network connections, you can protect the data by encrypting it between the two endpoints of the virtual private network (VPN). For VPN connections, data encryption should always be used when private data is sent across a public network such as the Internet, because there is always a risk of unauthorized interception on public networks. For VPN connections, Windows 2000 uses MPPE encryption with the Point-to-Point Tunneling Protocol (PPTP) and IP Security (IPSec) encryption with the Layer 2 Tunneling Protocol (L2TP).
Because data encryption is performed between the VPN client and the VPN server, it is not necessary to use data encryption on the communication link between a dial-up client and its Internet service provider (ISP). For example, a mobile user can use a dial-up networking connection to a local ISP. Once the Internet connection is established, the user creates a VPN connection to the enterprise VPN server. If the VPN connection is encrypted, the dial-up networking connection between the user and the ISP does not have to be encrypted. On the Encryption tab of the remote access policy properties, MPPE can be configured to use 40-bit (Basic setting), 56-bit (Strong setting), or 128-bit (Strongest setting) keys. 40-bit and 56-bit keys can be used internationally. Use 40-bit keys for connections to older Microsoft operating systems that do not support 56-bit MPPE keys, and 56-bit keys for operating systems that do support them. 128-bit keys are used only in North America and are available only in North American versions of Windows 2000. The key is negotiated when the connection is made. MPPE requires the use of the MS-CHAP (version 1 or version 2) or EAP-TLS authentication protocol.
How a connection works
The following events occur when a remote access server running Windows 2000 and configured to use Windows authentication receives a call from a remote access client:
The remote access client dials the remote access server.
The server sends a challenge to the client.
The client sends an encrypted response to the server that contains the user name, domain name, and password.
The server checks the response against the appropriate user account database.
If the user account is valid, the server authorizes the connection by using the dial-in properties of the user account and the remote access policies.
If callback is enabled, the server calls the client back and continues the connection negotiation process.
Security hosts
A security host is an authentication device that verifies whether a caller from a remote access client is authorized to connect to the remote access server. This verification supplements the security provided by the remote access server running Windows 2000.
The security host sits between the remote access client and the remote access server. The security host typically provides an additional layer of security by requiring a hardware key in order to authenticate. Before allowing access to the remote access server, it verifies that the remote access client physically possesses the key. This open architecture lets customers choose from a variety of security hosts to enhance the security of their remote access.
For example, one security system consists of two hardware devices: a security host and a security card. The security host is installed between the remote access server and its modem. The security card is about the size of a credit card and resembles a pocket calculator without buttons. The security card displays a different access number every minute. This number is synchronized with an identical number calculated in the security host. When connecting, the remote user sends the number shown on the security card to the host. If the number is correct, the security host connects the remote access client to the remote access server.
Another kind of security host prompts the remote access client to type a user name (which can be different from the remote access user name) and a password (which can be different from the remote access password).
The security host must be configured so that the modem is initialized before the remote access server becomes active and before the security functions take effect. The remote access server must also be able to initialize the modem attached to the security host directly, without intervention from the security host. Otherwise the security host might interpret a request to the modem as an attempt to breach security.
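The following is an added illustration, not code from the original documentation or from any vendor's security host: a host that checks the number from a time-synchronized security card as in the example above. The code derivation (HMAC-SHA256 over the minute counter), the six-digit display, the one-minute drift window and the shared secret are assumptions made for the example.

```python
# Added example: a security host verifying a time-synchronized card number.
# The derivation, drift window and secret below are assumptions, not the
# algorithm of any real product.
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # the card shows a new number every minute
CODE_DIGITS = 6        # assumed display width
DRIFT_STEPS = 1        # assumed: the previous and next minute are also accepted

# Constructed shared secret, personalized into both the card and the host
CARD_SECRET = b"constructed-example-secret"


def code_for_step(secret: bytes, step: int) -> str:
    """The number both devices compute for a given minute counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


def card_display(secret: bytes, now: float) -> str:
    """What the security card shows at wall-clock time `now` (seconds)."""
    return code_for_step(secret, int(now) // STEP_SECONDS)


class SecurityHost:
    """Sits between the modem and the remote access server and lets a caller
    through only if the submitted number matches the host's own calculation."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()   # (step, code) pairs already accepted: stops replay

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // STEP_SECONDS
        # Forget entries that are too old to be accepted again
        self.used = {(s, c) for s, c in self.used if s >= current - DRIFT_STEPS}
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            expected = code_for_step(self.secret, step)
            if hmac.compare_digest(expected, submitted):
                if (step, submitted) in self.used:
                    return False   # an observed number presented a second time
                self.used.add((step, submitted))
                return True
        return False


if __name__ == "__main__":
    host = SecurityHost(CARD_SECRET)
    shown = card_display(CARD_SECRET, 120.0)
    print(shown, host.verify(shown, 150.0), host.verify(shown, 150.0))
```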
Account lockout
You can use the account lockout feature to specify how many times remote access authentication can fail against a valid user account before the user is denied access. Account lockout is especially important for remote access virtual private network (VPN) connections over the Internet. A malicious user on the Internet can attempt to access an enterprise intranet by sending credentials (a valid user name and a guessed password) through the VPN connection authentication process. In a dictionary attack, the malicious user sends thousands of credentials by using a list of passwords based on common words and phrases. With account lockout enabled, the dictionary attack is defeated after the configured number of failed attempts. As a network administrator, you must consider two account lockout variables:
1. The number of failed attempts before further attempts are denied.
After each failed attempt, the failed-attempts counter for the user account is incremented by one. If the failed-attempts counter for the user account reaches the configured maximum, further connection attempts are rejected.
While the value of the failed-attempts counter is still below the configured maximum, a successful authentication resets it to zero. In other words, the failed-attempts counter does not accumulate across successful authentications.
2. How often the failed-attempts counter is reset.
The failed-attempts counter must be reset periodically to prevent accidental lockout of the account due to ordinary user errors (such as mistyping a password).
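As an added example, not part of the original documentation, the following models the two account lockout variables just described: a failed-attempts counter with a maximum, a reset on successful authentication below the maximum, and a periodic reset. The threshold, the reset interval and the account database are assumed sample values.

```python
# Added example: a model of remote access account lockout with the two
# variables described above. The numbers and the account database are
# constructed for the example, not values from Windows 2000.
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # assumed policy value
RESET_INTERVAL_SECONDS = 600   # assumed: counter cleared every 10 minutes

# Constructed sample account database: user name -> password
CREDENTIALS = {"alice": "correct horse battery"}


@dataclass
class AccountState:
    failed_attempts: int = 0   # failed-attempts counter for this account
    last_reset: float = 0.0    # time the counter was last reset


class RemoteAccessLockout:
    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS,
                 reset_interval=RESET_INTERVAL_SECONDS):
        self.max_failed = max_failed
        self.reset_interval = reset_interval
        self._accounts = {}

    def _state(self, user, now):
        state = self._accounts.setdefault(user, AccountState(last_reset=now))
        # Variable 2: periodic reset, so ordinary typos never lock an account for good
        if now - state.last_reset >= self.reset_interval:
            state.failed_attempts = 0
            state.last_reset = now
        return state

    def is_locked(self, user, now):
        return self._state(user, now).failed_attempts >= self.max_failed

    def authenticate(self, user, password, now, credentials=CREDENTIALS):
        state = self._state(user, now)
        # Variable 1: once the counter has reached the maximum, reject without
        # checking the password, so further guesses yield no information
        if state.failed_attempts >= self.max_failed:
            return "locked"
        if credentials.get(user) == password:
            state.failed_attempts = 0   # success below the maximum resets to zero
            return "accepted"
        state.failed_attempts += 1
        return "bad credentials"


def run_attempts(lockout, user, passwords, start_time, spacing=1.0):
    """Submit one password every `spacing` seconds and return the outcomes."""
    return [lockout.authenticate(user, pw, start_time + i * spacing)
            for i, pw in enumerate(passwords)]


if __name__ == "__main__":
    lock = RemoteAccessLockout()
    guesses = ["password", "letmein", "123456", "qwerty", "welcome",
               "correct horse battery"]   # the right password arrives too late
    print(run_attempts(lock, "alice", guesses, start_time=0))
```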
Multilink and BAP
Windows 2000 remote access supports Multilink and the Bandwidth Allocation Protocol (BAP). With Multilink, multiple physical links can be combined so that they send and receive as a single logical link. A good example is combining the two B channels of an ISDN Basic Rate Interface (BRI). Because hardware-supported combining of B channels is available only for specific ISDN adapters, Multilink is the recommended way to combine the B channels of a BRI connection. Multilink can be used with any ISDN adapter. Both sides of the connection must support Multilink.
Although Multilink allows multiple physical connections to be combined, Multilink by itself does not add connections when they are needed or terminate them when they are no longer needed, which would provide a mechanism for adapting to changing bandwidth conditions. This additional function is provided by the Bandwidth Allocation Protocol (BAP). BAP dynamically manages the links of a Multilink connection.
For example, a remote access client and server that both have Multilink and BAP enabled create a Multilink connection that consists of a single physical link. When utilization of the single link rises to a configured level, the remote access client uses a BAP request message to request an additional link. The BAP request message specifies the type of link required, such as analog phone, ISDN, or X.25. The remote access server then sends a BAP response message that contains the phone number of an available port on the remote access server of the same type as specified in the BAP request.
Using RADIUS with multiple remote access servers
If you have multiple remote access servers running Windows 2000, rather than administering the remote access policies of every remote access server separately, you can use the Internet Authentication Service (IAS): configure a computer running Windows 2000 as a Remote Authentication Dial-In User Service (RADIUS) server and configure the remote access servers as RADIUS clients. The IAS server provides centralized remote access authentication, authorization, accounting, and auditing.
Virtual private networking
A virtual private network (VPN) is an extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, data can be sent between two computers in a way that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.
To emulate a point-to-point link, the data is encapsulated, or wrapped, with a header that provides the routing information that allows it to traverse the shared or public network and reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets intercepted on the shared or public network cannot be deciphered without the encryption keys. The link in which the private data is encapsulated and encrypted is a virtual private network (VPN) connection.
New virtual private networking features in Windows 2000
Windows 2000 provides the following new features for virtual private networking:
Layer 2 Tunneling Protocol
In addition to the Point-to-Point Tunneling Protocol (PPTP), Windows 2000 includes the industry-standard Layer 2 Tunneling Protocol (L2TP), which is used together with Windows 2000 Internet Protocol security (IPSec) to create secure virtual private network connections.
Remote access policies
Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in setting remote access and connection properties. Through remote access policies, you can require VPN users to use strong authentication and encryption, while applying a different set of authentication and encryption constraints to dial-up users.
MS-CHAP version 2
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 primarily enhances the security of the credentials and of the encryption key generation during the negotiation of a remote access connection. MS-CHAP version 2 is specifically designed to authenticate virtual private network connections.
Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) allows new authentication methods to be added to remote access, which is especially important for smart card based security deployments. EAP is an interface that allows other authentication modules to plug into the PPP implementation of Windows 2000 remote access. Windows 2000 supports EAP-MD5 CHAP, EAP-TLS (for smart card and certificate-based authentication), and forwarding of EAP messages to a RADIUS server.
Account lockout
Account lockout is a security feature that denies access after a configured number of failed authentication attempts. Account lockout is used to prevent dictionary attacks. In a dictionary attack, an unauthorized user attempts to log on by using a known user name and a list of common words from a dictionary as the password. Account lockout is disabled by default.
Authentication
VPN connections are authenticated in three different ways:
User-level authentication by using PPP authentication
To establish a VPN connection, the VPN server uses a Point-to-Point Protocol (PPP) user-level authentication method to verify the identity of the VPN client that is attempting the connection and to verify that the VPN client has the appropriate access rights. If mutual authentication is used, the VPN client also verifies the identity of the VPN server, which protects against masquerading VPN servers.
Computer-level authentication by using ISAKMP
To establish an IPSec security association, the VPN client and the VPN server use computer certificates together with the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley key generation protocol. For more information, see IPSec security negotiation.
Data authentication and integrity
To verify that the data sent over the VPN connection originated at the other end of the connection and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data authentication and integrity are available only for L2TP over IPSec connections.
How a connection works
The following steps describe what happens when a PPTP-based VPN client attempts to connect to a PPTP-based VPN server:
The VPN client creates a PPTP tunnel to the VPN server.
The server sends a challenge to the client.
The client sends an encrypted response to the server.
The server checks the response against the user account database.
If the account is valid and has remote access permission, the server accepts the connection, subject to the remote access policies and user account properties that apply to the VPN client.
Data encryption
Data encryption must be used to protect the data sent between VPN clients and VPN servers across shared or public networks, because on these networks there is always a risk of unauthorized interception. You can configure the VPN server to require encrypted communication. Users who connect to that server must encrypt their data, or the connection is not allowed. For VPN connections, Windows 2000 uses Microsoft Point-to-Point Encryption (MPPE) with the Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol security (IPSec) encryption with the Layer 2 Tunneling Protocol (L2TP). Because encryption is performed between the VPN client and the VPN server, it is not necessary to encrypt data on the communication link between a dial-up client and its Internet service provider (ISP). For example, a mobile user can use a dial-up connection to a local ISP. After establishing the Internet connection, the user creates a VPN connection to the company VPN server. If the VPN connection is encrypted, the dial-up connection between the user and the ISP does not have to be encrypted.
Internet Protocol security: definition
Internet Protocol security (IPSec) is:
The long-term direction for secure networking.
Active protection against private network and Internet attacks while maintaining ease of use.
A set of protection services and security protocols based on cryptography.
End-to-end security. The only computers that must understand the IPSec protection are the sender and the receiver of the communication.
Protection for workgroups, LAN computers, domain clients and servers, remote offices, extranets, roaming clients, and remote administration of computers.
Policy-based security
Stronger cryptography-based security methods can substantially increase administrative overhead. Windows 2000 avoids this drawback by implementing policy-based Internet Protocol security (IPSec) management.
IPSec is configured by policy rather than per application or operating system. A network security administrator can configure multiple IPSec policies, from a single computer up to an Active Directory domain, site, or organizational unit. Windows 2000 provides a centralized management console, IP Security Policy Management, for defining and managing IPSec policies. For most existing networks, these policies can be configured to provide a variety of levels of protection.
Defense in depth
Because network attacks can cause system outages, loss of productivity, and public exposure of sensitive data, protecting information from unauthorized third-party interpretation or modification is a high priority.
Network protection strategies have generally focused on perimeter security, using firewalls, security gateways, and user authentication to prevent attacks from outside the private network. However, this does not protect against attacks from inside the network.
Security that focuses only on access control (such as smart cards and Kerberos) may not provide comprehensive protection either, because these methods depend on user names and passwords. Many computers are shared by several users and are often left in a logged-on state, which is not secure. In addition, if a user name or password has been intercepted by an attacker, access control security does not prevent unauthorized access to network resources.
Physical-level protection strategies, which protect the physical network cables and access points, are not commonly used, and in any case they cannot guarantee the security of the entire network path that data must travel from source to destination.
A good security plan includes multiple security strategies to achieve defense in depth. IPSec can be combined with any of these strategies. IPSec provides another layer of security by ensuring that each IP packet is protected on the sending computer before it reaches the network cable, and that the receiving computer removes the protection only after the data has been received and verified.
Network security
IPSec provides advanced protection for the computers on which it is enabled. Configuring and using IPSec does not require changes to existing applications or operating systems. You can configure IPSec for existing enterprise scenarios, for example:
Workgroups
Local area networks (LANs): client/server and peer-to-peer
Remote access: roaming clients, Internet access, extranets, and remote offices
Other security mechanisms that run above network layer 3 (such as Secure Sockets Layer, SSL) protect only applications that use SSL, such as web browsers; all other applications must be modified to use SSL in order to protect their communication. Other security mechanisms that run below network layer 3 (such as link-layer encryption) protect only the individual link, not all of the links on the data path. This makes link-layer encryption unsuitable for end-to-end data protection on the Internet or in routed intranet scenarios.
IPSec protects the protocols of the TCP/IP protocol suite, such as TCP, UDP, ICMP, and RAW (protocol 255), and can even protect custom protocols that send traffic at the IP layer. The main benefit of protecting at this layer is that all applications and services that use IP to transfer data can be protected by IPSec without modifying those applications and services. (To protect non-IP protocols, the packets must be encapsulated in IP.)
Virtual private networks using IPSec
The process of encapsulating, sending, and unencapsulating is called tunneling. Tunneling hides the original packet inside (encapsulates it in) a new packet. The new packet may contain new addressing and routing information that allows it to travel across the network. When tunneling is combined with confidentiality, someone eavesdropping on the network cannot obtain the original packet data (or the original source and destination). The network can be of any type: a private intranet or the Internet. When the encapsulated packet reaches its destination, the encapsulation header is removed and the original packet header is used to route the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated data travels. To the original source and destination, the tunnel is invisible; it appears only as a point-to-point connection in the network path. The two ends of the connection do not care about any routers, switches, proxy servers, or other security gateways between the start and the end of the tunnel. Tunneling combined with confidentiality can be used to provide a virtual private network (VPN).
In Windows 2000, there are two types of tunnels that use IPSec:
Layer 2 Tunneling Protocol over IPSec (L2TP/IPSec), where L2TP provides the encapsulation and tunnel management, and IPSec in transport mode provides the security for the L2TP tunnel's data packets, for any type of network traffic.
IPSec tunnel mode, where IPSec alone encapsulates IP traffic only.
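The encapsulation and unencapsulation steps described above, as an added example that is not part of the original documentation: the original packet is hidden behind a new header that carries only the tunnel endpoints' addresses, and the tunnel exit strips that header so the original header routes the packet the rest of the way. The example uses plain IP-in-IP (IP protocol 4) so that the header handling stays visible; IPSec tunnel mode additionally wraps the inner packet in an ESP header and encrypts it, which is omitted here. All addresses and payloads are constructed.

```python
# Added example: tunnel encapsulation shown with plain IP-in-IP. IPSec tunnel
# mode also adds an ESP header and encryption, which this example leaves out.
import socket
import struct

IPPROTO_IPIP = 4                # protocol field value for IP-in-IP
IPV4_HEADER = ">BBHHHBBH4s4s"   # fixed 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f">{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack(">H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return the addressing that a router on the path sees; raise on a damaged header."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    fields = struct.unpack(IPV4_HEADER, packet[:20])
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = fields
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(packet):
        raise ValueError("bad length fields")
    if checksum(packet[:ihl]) != 0:   # a valid header sums to zero including its checksum
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: hide the whole original packet behind a new header that
    carries only the tunnel endpoints' addresses."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit: strip the outer header and hand back the original packet,
    which is then routed on its own header."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet")
    return outer["payload"]


def is_valid_ipv4(packet: bytes) -> bool:
    """True when the header parses and its checksum verifies."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a private intranet packet carried between two tunnel endpoints
    inner = build_ipv4("10.0.0.5", "10.0.1.9", 17, b"private payload")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.7")
    seen = parse_ipv4(outer)            # what an eavesdropper on the path sees
    print("on the wire:", seen["src"], "->", seen["dst"], "proto", seen["proto"])
    restored = parse_ipv4(decapsulate(outer))
    print("after exit: ", restored["src"], "->", restored["dst"], restored["payload"])
```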
Establishing an IPSec security plan
Whether for a large domain or a small workgroup, IPSec means balancing easy access to information for a large number of users against preventing unauthorized access to sensitive data.
To find the right balance:
Assess the risks and determine the appropriate level of security for the organization.
Identify valuable information.
Define security policies that use your risk management criteria and protect the identified information.
Determine how best to implement the policies within the existing organization.
Ensure that the management and technology requirements are in place.
Provide all users with secure access to the appropriate resources, according to their needs.
The way computers are used also affects security considerations. For example, the security required may differ depending on whether the computer is a domain controller, web server, remote access server, file server, database server, intranet client, or remote client. The Windows 2000 security architecture can meet the most demanding security requirements. However, without serious planning and assessment, effective security guidelines, enforcement, auditing, and a sensibly designed and deployed security policy, relying on software alone has limited effect.
There is no clear scale for defining standard security. It can vary greatly depending on the organization's policies and infrastructure. The following security levels can be used as a general basis for planning IPSec configurations:
Minimal security
Computers do not exchange sensitive data. IPSec is inactive by default. No administrative action is needed to disable IPSec.
Standard security
Computers (especially file servers) are used to store valuable data. Security must be balanced so that it does not hinder legitimate users who are trying to perform their tasks. Windows 2000 provides predefined IPSec policies that secure data without requiring the highest level of security: Client (Respond Only) and Server (Request Security). These policies, and similar custom policies, optimize efficiency without compromising security.
High security
Computers that contain highly sensitive data are at risk of data theft and of accidental or malicious disruption of the system (especially in remote dial-up scenarios), as is any communication over a public network. The Secure Server (Require Security) predefined policy requires security for all traffic sent or received. Secure Server (Require Security) includes strong confidentiality and integrity algorithms, perfect forward secrecy, key lifetimes and limits, and strong Diffie-Hellman groups. Unsecured communication with computers that do not support IPSec is blocked, as are failed security negotiations.
NetBEUI: definition
NetBIOS Extended User Interface (NetBEUI) is a non-routable network transport for small networks of fewer than 50 computers. NetBEUI is one of two networking solutions that support the Network Basic Input/Output System (NetBIOS) interface, which earlier versions of Windows used for network name resolution. The other NetBIOS-based solution, for large or routed networks, is NetBIOS over TCP/IP (NetBT).
RADIUS: definition
Remote Authentication Dial-In User Service (RADIUS) is a secure authentication client/server protocol widely used by Internet service providers and by other remote access servers. RADIUS is the most common method of authenticating and authorizing dial-up and tunneled network users.
The Windows 2000 SNMP service greatly simplifies network management. To get the most from it:
Follow the security model published for Windows 2000 and try to organize SNMP communities by function.
Use SNMP security checks by configuring all SNMP agents to send authentication traps.
If you are monitoring service-specific components, such as Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS), verify that these services have been properly installed and configured.
SNMP: definition
Simple Network Management Protocol (SNMP) is a network management standard that is widely used in TCP/IP networks and, more recently, in Internetwork Packet Exchange (IPX) networks.
SNMP provides a method of managing network hosts such as workstation or server computers, routers, bridges, and hubs from a central computer running network management software. SNMP performs management services by using a distributed architecture of management systems and agents.
Because network management is critical for auditing and resource management, SNMP can be used to:
Configure remote devices. Configuration information can be sent from the management system to each network host.
Monitor network performance. You can track processing speed and network throughput, and collect information about the success of data transmissions.
Detect network faults or inappropriate access. You can configure alarms to be triggered on network devices when certain events occur. When an alarm is triggered, the device forwards an event message to the management system. Common alarm types include a device shutting down and restarting, a link failure detected on a router, and inappropriate access.
Audit network usage. Overall network usage can be monitored to identify user or group access, as well as the types of usage for network devices and services. This information can be used to generate direct billing of accounts, or to justify current network costs and planned expenditures.