    Windows Server® 2008 Security Guide Security Compliance Management Toolkit Version 1

    Relevant Group Policy Settings


    There are no security-related Group Policy settings for the Remote Access Service role service. However, you can configure NPS (RADIUS) policy settings to help secure users who remotely access your network.

    More Information


    The following resources on Microsoft.com can provide you with additional best practice information about how to harden server computers that run the Remote Access role service:

    • IPsec overview.

    • Routing and Remote Access.

    • Routing and Remote Access Blog.

    • Server and Domain Isolation.

    • Windows Server 2008 Step-by-Step Guides: Step-by-Step Guide: Deploying SSTP Remote Access.

    • Virtual Private Networks.

    • Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs.

    Routing Role Service


    The Routing role service is a subelement of the Routing and Remote Access role service. The Routing role service is responsible for providing edge-of-network routing services. Typically, these routing services are used to provide point-to-point connections between geographic locations by using dial-up or VPN connections instead of the traditional router within an intranet.

    For more information about the Routing role service, see:



    • Routing and Remote Access.

    • Routing and Remote Access Blog.

    Attack Surface


    The Routing role service is susceptible to security attacks that are typical of edge-of-network routing services, such as port scanning, transit traffic, receive traffic, man-in-the-middle attacks, and so on. To identify the attack surface for this role service, you need to identify the following factors:

    • Installed files. The files that are installed as part of the Routing role service.

    • Running services. The services that run as part of the Routing role service.

    Note: You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.

    • Firewall rules. The Windows Firewall rules that the Routing role service uses.

    Note: Some of the Windows Firewall rules that the Routing role service uses are disabled until you run the Configure and Enable Routing and Remote Access wizard. For more information on how to run this wizard, see "Install and Enable the Routing and Remote Access Service" in the Windows Server 2008 Help and Support.

    • Role dependencies. The dependencies for the Routing role service.

    The details of the attack surface for the Routing role service are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this role service, on the NPAS tab of the workbook, view the sections that correspond to each of the items in the previous list.

    Security Measures


    This section describes the security measures that you can incorporate into your Routing role service configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the Routing role service option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.

    Configuration Checklist


    The following table lists the recommended security configuration tasks for hardening servers that perform the Routing role service. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.

    Table 10.5 Configuration Checklist

    Configuration tasks:

    • Place computers that run the Routing role service in perimeter networks.

    • Configure the firewall rules on intervening firewalls.

    • Limit routing connections to known end points.

    • Make computers that run the Routing role service members of an extranet forest.

    • Use secured tunnels to secure communication between routers.

    • Require multifactor authentication for authenticating routers.

    • Use the PEAP or EAP-TLS authentication protocol to authenticate routers.


    Place Computers That Run the Routing Role Service in Perimeter Networks


    Typically, the server computer that runs the Routing role service needs to communicate with other computers that run the Routing role service through public networks, such as the Internet. The computers that typically run the Routing role service are immediately behind the outward-facing firewalls that provide Internet ingress and egress.

    The computers that run the Routing role service also communicate with others that use it in an intranet. The connection to the intranet is usually sent through the inner-facing firewalls that provide intranet ingress and egress.


    Configure the Firewall Rules on Intervening Firewalls


    The computers that run the Routing role service are typically placed in your extranet or perimeter network. The routers communicate with the following resources:

    • Other routers, through outward-facing firewalls that provide Internet ingress and egress. For these firewalls, you need to enable the appropriate ports for one of the following tunneling protocols:

        • Point-to-Point Tunneling Protocol (PPTP). This protocol uses TCP port 1723 and the GRE protocol (protocol ID 47).

        • Layer 2 Tunneling Protocol (L2TP). This protocol uses UDP port 1701 for L2TP, UDP port 500 for Internet Key Exchange (IKE) in IPsec, and UDP port 4500 for IPsec Network Address Translation traversal (NAT-T).

        • SSTP. This protocol uses TCP port 443 for secured SSL tunneling.

        • IPsec tunnel mode. This protocol uses UDP port 500 for IKE in IPsec, and UDP port 4500 for IPsec NAT-T.

    • An intranet, through inner-facing firewalls that provide intranet ingress and egress. For these firewalls, you need to enable all the protocols that you wish to use between locations. Alternatively, you could connect the router network interface used for intranet communication directly to the intranet instead of connecting the interface to inner-facing firewalls.

    Limit Routing Connections to Known End Points


    In typical scenarios for the Routing role service, the routing occurs as point-to-point routes between locations in an organization. In such scenarios, the end points of the point-to-point routes are well-defined and limited to a finite number of end points. Ensure that you configure the Routing role service and the outward-facing firewalls to only allow traffic between the end points of the point-to-point routes.
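    The two preceding checklist items (open only the chosen tunneling protocol's ports, and only between known end points) can be turned into concrete Windows Firewall rules. The following Python script is an added example, not part of the guide: it emits netsh advfirewall commands for the port table above, restricted to a list of peer router addresses, and audits existing rule commands for tunnel ports left open to any address. The peer addresses and sample rules are constructed for illustration.

```python
from ipaddress import ip_address
import re

# Ports each tunneling protocol needs on the outward-facing firewall, as
# listed in the guide. Entries are (IP protocol, port); GRE has no port.
TUNNEL_PORTS = {
    "PPTP": [("TCP", 1723), ("47", None)],           # 47 = GRE
    "L2TP": [("UDP", 1701), ("UDP", 500), ("UDP", 4500)],
    "SSTP": [("TCP", 443)],
    "IPSEC_TUNNEL": [("UDP", 500), ("UDP", 4500)],
}

def build_rules(tunnel, peers, direction="in"):
    """Return netsh advfirewall commands that allow only the chosen
    tunnel's ports, and only from/to the listed peer routers."""
    if tunnel not in TUNNEL_PORTS:
        raise ValueError(f"unknown tunneling protocol: {tunnel}")
    if not peers:
        raise ValueError("at least one known end point is required")
    # Validate every end point so a typo can never widen the rule.
    remote = ",".join(str(ip_address(p)) for p in peers)
    portkey = "localport" if direction == "in" else "remoteport"
    rules = []
    for proto, port in TUNNEL_PORTS[tunnel]:
        name = f"RRAS {tunnel} {proto}" + (f" {port}" if port else "")
        cmd = (f'netsh advfirewall firewall add rule name="{name}" '
               f"dir={direction} action=allow protocol={proto} ")
        if port is not None:
            cmd += f"{portkey}={port} "
        rules.append(cmd + f"remoteip={remote}")
    return rules

def overly_broad(rule_cmds):
    """Names of allow rules that open a tunnel port to any remote address
    (explicit remoteip=any, or remoteip omitted, which netsh treats as any)."""
    tunnel_ports = {p for spec in TUNNEL_PORTS.values() for _, p in spec if p}
    bad = []
    for cmd in rule_cmds:
        name = re.search(r'name="([^"]+)"', cmd)
        port = re.search(r"(?:local|remote)port=(\d+)", cmd)
        unrestricted = "remoteip=" not in cmd or "remoteip=any" in cmd
        if ("action=allow" in cmd and unrestricted and name and port
                and int(port.group(1)) in tunnel_ports):
            bad.append(name.group(1))
    return bad

if __name__ == "__main__":
    # Constructed peer router addresses (documentation ranges).
    for line in build_rules("L2TP", ["203.0.113.10", "198.51.100.7"]):
        print(line)
```

The generated commands are meant to be run on the router itself; the same port and peer restrictions should be mirrored on the outward-facing firewall in its own rule syntax.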

    Make Computers That Run the Routing Role Service Members of an Extranet Forest


    The computers that run the Routing role service are typically placed in less secure environments, such as a perimeter network or extranet. Many extranets have an AD DS extranet forest that manages the credentials used by services that run on computers in the extranet. These credentials include user accounts and certificates that are used in authenticating router tunnels.

    Deploy the computers that run the Routing role service as members of the extranet forest. The extranet forest typically has a one-way trust with the AD DS forest in your intranet.


    Use Secured Tunnels to Secure Communication Between Routers


    The computers that run the Routing role service communicate with other computers that run the Routing role service over the Internet or other public networks. Most organizations deploy the Routing role service to provide secured, point-to-point routing between locations within the organization.

    You can secure traffic between routers by using the following protocols:



    • PPTP. A VPN tunneling protocol based on Point-to-Point Protocol (PPP) that enables IP traffic to be encrypted, and then encapsulated in an IP header to be sent across private or public IP networks. For more information, see the Point-to-Point Tunneling Protocol (PPTP) page on TechNet.

    • L2TP. A VPN tunneling protocol that, like PPTP, is also based on PPP. L2TP allows traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP, X.25, frame relay, or asynchronous transfer mode (ATM). The encryption for L2TP is often provided by ESP in IPsec.

    • SSTP. A new form of VPN tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. Using PPP allows support for strong authentication methods such as EAP-TLS. Using HTTPS makes traffic flow through TCP port 443, a port commonly used for Web access. Secure Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption, and integrity checking. For more information, see Step-by-Step Guide: Deploying SSTP Remote Access on the Windows Server 2008 Step-by-Step Guides page of the Microsoft Download Center.

    • IPsec tunnel mode. For routing, the IPsec protocol is commonly used for encryption in conjunction with L2TP. However, IPsec can be used as a tunneling protocol. IPsec in tunnel mode allows IP packets to be encrypted and then encapsulated in an IP header to be sent across private or public networks. For more information, see the IPsec overview page on TechNet.

    Each of these methods for securing traffic allows for mutual authentication of routers and encryption of routed packets.

    Require Multifactor Authentication for Router Authentication


    You can use multifactor authentication to enhance security for routers. Multifactor authentication typically includes a physical device, such as a smart card reader, USB security token, or fingerprint reader. For routers, the most common physical device is a USB security token or PCMCIA card. Without the physical device, the router is unable to initiate the tunnels with other routers within the organization.

    Use the PEAP or EAP-TLS Authentication Protocol to Authenticate Routers


    Windows-based operating systems, including Windows Server 2008, support a variety of authentication protocols. The strongest of the supported authentication protocols are Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol - Transport Level Security (EAP-TLS).

    Both of these authentication protocols provide the security framework for mutual authentication between computers that run the Routing role service. PEAP is not as secure as Transport Level Security (TLS), but PEAP has the advantage of using username/password authentication instead of client certificate authentication.

    For more information about the PEAP authentication protocol, see Protected Extensible Authentication Protocol (PEAP) on MSDN. For more information about EAP-TLS, see Extensible Authentication Protocol on TechNet.


