The Distribution Of Network Access Policy Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


Keeping the network secure is one of the more important goals for a network administrator which is including when our users remotely access the network. The Group Policy Object (GPO) in Windows Server 2008 provides a dial to set permissions for user groups and abilities.

This report describes the distribution of network access policy and configuration files are used to grant or deny users access network resources across remote connections. We will first look in more detail the authentication protocol is included in Windows Server 2008. We will also learn how to deal with remote access operating system security. We will then enter the configure user access profiles and details of strategies and diving. We will also learn how to configure our server to use Windows authentication or RADIUS authentication.

This report has covered configuring network authentication, may include but is not limited to: LAN authentication by using NTLMv2 and Kerberos., WLAN authentication by using 802.1x, RAS authentication by using MS-CHAP, MS-CHAPv2 and EAP, Remote Access Policy, Network Address Translation (NAT), Connection Manager. It is configuring Network Access Protection (NAP). May include but is not limited to: Network layer protection, DHCP enforcement, Default user profiles, VPN enforcement, Configure NAP health policies, IPSec enforcement, 802.1x enforcement, and Flexible host isolation. Its configuring firewall settings, may include but not limited to: incoming and outgoing traffic filtering, Active Directory account integration, Identify ports and protocols, Windows Firewall vs. Windows Firewall with advanced security, Configure firewall by using group policy, Isolation policy.


Remote Access Security

In the past, the majority of remote access is rarely part of the company's network. This is too difficult to implement, manage too hard, too hard security. It is fairly easy to gain unauthorized physical access to our network, but it is considered remote access even more difficult to do so. Recently, security policies, protocols and techniques have been developed to alleviate this problem.

User Authentication

In the establishment of secure remote access connection is one of the first step, allowing the user to make some credentials to the server. We can use any or all of the authentication protocol support for Windows Server 2008:

Password Authentication Protocol

The Password Authentication Protocol (PAP) is the simplest authentication protocol. It transmits all authentication information in clear text with no encryption, which makes it vulnerable to snooping if attackers can put themselves between the modem bank and the remote access server. However, this type of attack is unlikely in most networks. The security risk with PAP is largely overemphasized considering the difficulty of setting up a sniffer in between the modems and the remote access server. If an attacker has the ability to install a sniffer this deep in the network, we have larger problems to address.

PAP is the most widely supported authentication protocol, therefore may find that we need to leave it enabled.

Microsoft CHAPv2

Microsoft CHAPv2 device (MS - CHAPv2) CHAP protocol by Microsoft as an extension, allow the use of Windows authentication information. Version 2 Release 1 ratio, which is not supported by the Windows 2008 security. Other operating systems support MS - CHAP version 1.

Extensible Authentication Protocol

Extensible Authentication Protocol (EAP) does not provide any authentication itself. Instead, it relies on external third-party authentication method; we can be added to the existing server. Instead of a hard connection to any authentication protocol, client / server can understand negotiate EAP authentication methods. Required to authenticate a computer to verify who is free to ask a few pieces of information, such that for every single query. This allows almost any use of authentication methods, including smart cards, secure access, such as SecurID tokens, such as the S / key, or an ordinary user name / password system, a one-time password system.

Each authentication schema supported in EAP is called an EAP type. Each EAP type is as a plug-in module. Windows Server 2008 can support any type of EAP ranked first in the Routing and Remote Access Service (RRAS) server can use any type of EAP authentication, the module if we are allowed to have problems with the client for the module.

Windows Server 2008 comes with EAP-Transport Level Security (TLS). ). This EAP type can be used to verify the public key certificate. TLS is similar to the familiar Secure Sockets Layer (SSL) protocol used Web browser. When EAP_TLS is turned on, the client and server send TLS-encrypted message back and forth EAP - TLS is the most powerful authentication method, we can use; as a bonus, it supports smart cards. However, EAP - TLS needs of our RRAS server is part of Windows Server 2008 domain.

The radius is another EAP authentication method with the Window Server 2008 in. Radius EAP type is false to any incoming message to the Remote Authentication Dial in User Service (RADIUS) authentication server.


NTLMv2 help system for Windows NT4 or earlier versions of the certification process and between any two computers running these transactions allow the old system. Networks use NTLMv2 is called mixed-mode, which is the default setting in Windows Server 2008 domain.


Active Directory domain authentication is done by using the Kerberos authentication protocol. By default, all computers joined to a Windows Server 2008 domain to use the Kerberos authentication protocol Allow Kerberos single sign-on to a domain or trusted domain network resources. Administrators have the ability to control, through the account of the Kerberos security policy set some parameters.


In IEEE 802.1X a certification standard called Wireless.802.1X authenticated wireless network to wired Ethernet or wireless allows 802.11 networks. IEEE 802.1X standard EAP authentication process used in the exchange of information.

Connection Security

We can use some additional features for us to provide remote access client connection-level security:

Callback Control Protocol (CBCP) to allow our RRAS server or client in consultation with the other end of the callback. When the CBCP is enabled, the client or server can ask the server at the other end of the call by the customer or reservation number stored on the server back to the figures provided by the client.

We can program the RRAS server to accept or reject the caller ID or automatic number identification (ANI) information transfer Phone Company's phone. For example, we can indicate major RRAS server only accepts analog line from our home phone. This means that we cannot call the server, we are on the road, and it also prevents strangers' server.

We can specify different types and levels of encryption to protect our connection is blocked or tampered with.

Access Control

Addition to connection-level measures, we can use it to talk to the server other than the prohibited calls, we can restrict which users can remotely connect in a variety of ways:

We can enable or disable user accounts from a single remote access. This is the same limited control which have in Windows NT, but it is only the beginning for the Windows Server 2008.

We can use the network access policies to control whether users can access.

Like Group Policy, network access policies give us a simple way to apply a consistent set of policies for the user group. However, the policy mechanism is a little different: we create a rule, included or excluded in the policy of our user needs.

Unlike group policy, network access policy applies only to Windows 2000 native mode, Windows Server 2003 and Windows Server 2008 domain functional level (that is, each of these areas, including Windows NT domain controller does not exist).This means that we may not choose to use until our Windows 2000 and Windows Server 2003 and Windows Server 2008 to deploy network access strategy is to go further. In the next section, we will learn how to configure user access control.

Configuring User Access

In the previous section, we set the server to accept incoming calls. Now is the time to decide who can actually use the remote access service. We can do this in two ways:

By setting up remote access profiles on individual accounts

By creating and managing network access policies that apply to groups of users

The distinction is subtle but very important, because we management and application profiles in different places and policies.

Setting up User Profiles

Windows Server 2008 stored in the user's account information for each lot. In general, this information is known as the account's configuration file, which is usually stored in Active Directory. Configuration file in the user settings are available through some of these one of the user management unit:

If our RRAS server is part of an Active Directory domain, the user profile settings are in the Active Directory Users and Computer snap-in.

If our RRAS server is not part of an Active Directory domain, the user profile settings are in the Local Users and Group snap-in.

In both cases, the configuration file of the interesting part is the dial-up user's Properties dialog box tab (see Figure 1.1). This tab has a number of controls that regulate how the user

Network Access Permission control group

The first and probably most familiar in this tab control the network access control group. These options control whether the user has dial-in permissions. They are similar to the control of us may remember from the Windows NT User Manager, however, Windows Server 2008's new features: In addition to explicitly allow or deny access, we can access through the network access policy control.

Verify Caller-ID controls

RRAS can verify the user's caller ID information, and use the results to allow or deny access. Caller ID when we check that box, and enter a phone number in the field, we tell RRAS the phone to anyone who refused to provide the user name and password, but the caller ID information does not match our input. This means that users can only call a phone number.

Callback Option control group

The Callback Option control group gives us three choices for regulating callback:

No Callback (the default setting) means the server will never honor callback requests from this account.

Set By Caller allows the calling system to specify a number honor callback requests from this account.

Always Callback To allows us to enter a number that the server will call back no matter from where the client is actually calling. This option is less flexible but more secure than the Set By Caller option.

Assign A Static IP Address controls

If we want this user to always get the same static IP address, we can choose a static IP address allocation arrangements for check box, and enter the IP address. This allows us to set the non-dynamic DNS records for individual users, to ensure that their machines will always have a valid DNS entry. On the other hand, this can be easier than the dynamic DNS, DHCP combination, we can install and use, instead of printing errors.

Apply Static Routes check box

In a normal LAN, we do not do anything special clients, enabling them to route packets, only configure a default gateway to them, the rest of the gateway treatment. For dial-up connection, but we may want to define a static routing table so that the remote client to the host on the network, otherwise, no packet is sent to the gateways. Depending on the remote access server, but the client may be able to use a local device Address Resolution Protocol (ARP) of the. If we want to define a static route on the client settings, we will have to do it manually. If we want to assign a static route on the server, static routing to apply check box, and then use the static route button, add and remove routes as needed.

Using Network Access Policies

Windows Server 2008 includes support for two additional configuration systems:

Network access policies (which used to be called remote access policy)

Remote access profiles

Policies determine who can and cannot connect; our definition of the conditions of the rules, systems assessment, to see if a particular user can connect

We can either pure Windows Server 2008 domain, some of the policies; each policy must have an associated personal data.

We have to manage remote access logging and policy network access policy folder in the RRAS snap-in. Our policy conditions, including selection from the list. When a caller connects, the policy's conditions are evaluated, one by one, to see whether the caller gets in. All the conditions in the policy must match for the user to gain access. If there are multiple strategies, they evaluate the order us specify.

Network Access Policy Attributes

Authentication Type - Specifies the authentication methods required to match this policy.

Allowed EAP Types - Specifies the EAP types required for client computer authentication method configuration to match this policy.

Called-Station-Id - Specifies the phone number of the remote access port called by the caller.

Calling-Station-Id - Specifies the caller's phone number.

Client-Friendly-Name - Specifies the name of the RADIUS server that's attempting to validate the connection.

Client-IP-Address (IPv4 and IPv6) - Specifies the IP address of the RADIUS server that's attempting to validate the connection.

Client-Vendor - Specifies the vendor of remote access server that originally accepted the connection. This is used to set different policies for different hardware.

Day-And-Time Restrictions - Specifies the weekdays and times when connection attempts are accepted or rejected.

Framed-Protocol - Specifies the protocol to be used for framing incoming packets (for example, PPP, SLIP, and so on).

HCAP (Host Credential Authorization Protocol) User Groups - Used for communications between NPS and some third-party network access serves (NAS).

Location Groups - Specifies the HCAP location groups required to match this policy. This is used for communications between HCAP and some third-party network access servers (NAS).

MS-RAS Vendor - Specifies the vendor identification number of the network access server (NAS) that is requesting authentication.

NAS-Identifier - Specifies the friendly name of the remote access server that originally accepted the connection.

NAS-IP-Address (IPv4 and IPv6) - Specifies the IP address of the remote access server that originally accepted the connection.

NAS-Port-Type - Specifies the physical connection (for example, ISDN, POTS) used by the caller.

Service-Type - Specifies Framed or Async (for PPP) or login (Telnet).

Tunnel-Type - Specifies which tunneling protocol should be used (L2TP or PPTP).

Windows-Groups - Specifies which Windows groups are allowed access.

Using Attributes with Authentication

Be careful when using attributes for network access policies. We can effectively prevent the authentication, if we specify the property is not correct, or if a person's sudden change in the value of the property.

For example, if we use the NAS port type attribute to specify the line type that a user can verify the changes and NAS port type, the user can not be verified.

Different network access server vendor NAS-Port-Type defined different. A supplier can be called a device called the framework of another vendor's equipment, asynchronous even though both describe a typical dial-up line connected to a modem. In addition, the value of certain properties may change between versions of the software vendor. Imagine thousands of updated firmware for the modem to find the name of a property has changed, and now no one can dial it!

Using Remote Access Profiles

Remote access policy configuration file is part of network access. Configuration file determines the establishment and completion of the call. Each policy has an associated profile; configuration file settings determine what will be applied to the connection line with the policy of a condition.

For security reasons, is usually a good idea to restrict access to the network administrator account? In particular, as a consultant, we usually tell customers are limited to the administrator account for remote access; this way, from a dial-up reduces the potential risk of compromise.

The Constraints Tab

Constrained to set the label, we think of when we consider the most dial-in access control. This control allows us to adjust how long the connection can be idle before it gets dropped, how long can be achieved, the date and time to establish a connection, and the medium can be used for dial-up ports and connections.

Authentication Link

In the Authentication Methods pane, we can specify the authentication method in this specific policy allowed. Please note that these settings, like other policy settings, will be useful only when the server settings match. For example, if EAP authentication is turned off in the server's Properties dialog box, the authentication method configured in the file pane of the Properties dialog box will not have any effect on.

Settings Tab

IP Settings pane

The IP Setting pane gives us control over the IP-related settings associated with an incoming call.

Multilink And Bandwidth Allocation Protocol (BAP) pane

Mechanism for the configuration file gives a control server how to handle multiple demands level. Normally this setting is configured so that server-specific settings take precedence, but we can override them.

Bandwidth Allocation Protocol (BAP) Settings group

Bandwidth Allocation Protocol (BAP) set the control group provides a way for us to control the call occurred during the use of multi-link bandwidth is below a certain threshold. Why, for example, three analog lines tied to providing 168Kbps bandwidth connections only 56Kbps of? We can adjust the capacity and time threshold, by default, a multi-line call to drop the bandwidth used by each down to less than 50 percent of the available bandwidth and maintain two minutes. Please check the link for dynamic multi-BAP request, refused to let customer's phone does not support BAP, which is a simple way to ensure that no customer's multi-link bandwidth hog.

Encryption tab

The Encryption tab controls which type of encryption for remote users to be able to access. The following radio buttons are on the Encryption tab:

Basic Encryption (MPPE 40-Bit) means single Data Encryption Standard (DES) for IPSec or 40-bit Microsoft Point-to-Point Encryption (MPPE) for Point-to-Point Tunneling Protocol (PPTP).

Strong Encryption (MPPE 56 Bit) means 56-bit encryption (single DES for IPSec; 56-bit MPPE for PPTP).

Strongest Encryption (MPPE128 Bit) means triple DES for IPSec or 128-bit MPPE for PPTP connections.

No Encryption allows users to connect using no encryption at all. Unless this button is selected, a remote connection must be encrypted, or it will be rejected.

Setting Up a VPN Network Access Policy

Early in this report, we learned how to use Windows Server 2008 domain network access policy mechanism. Now time to apply what we have learned a virtual private network (VPN). Recall that, we have two ways to control which specific users can access the remote access server:

We can grant and deny dial-up permission to individual users in each user's Properties dialog box.

We can create a network access policy that embodies whatever restrictions we want to impose.

Facts have proved that we can do the same thing VPN connection, but there are some additional things to consider.

Granting and Denying Per-User Access

To grant or deny VPN access to individual users, all have to do is make the appropriate change on the Dial-In tab of each user's Properties dialog box. Although this is the easiest method to understand, it gets tedious quickly if need to change VPN permissions for more than a few users. Furthermore, this method offers no way to distinguish between dial-in and VPN permissions.

Creating a Network Access Policy for VPNs

We may find it helps to create a network access policy enforcement authority, we want the end user has. We can do this in many ways the result of which one we use will depend on our overall use of network access policy.

The easiest way is to create a policy that allows all users to use the VPN. Back in this report, we learn how to create a network access policy, and specify their settings; one thing, we may have noticed, there is a NAS port type attributes, we can use the policy conditions. The property is to build a policy to allow or deny remote access via VPN the cornerstone, because we use it to accept or reject the connection, in a particular type of VPN connection to arrive. For best results, we will use in conjunction with the NAS port type attribute type attribute tunnel.

If we do not want everybody to give VPN access, we can fine-tune some of the process of change. First of all, we might want to move the VPN policy to the top of the list. We can create an Active Directory group and put our VPN users. Then, we can create a strategy, with two-plus-one condition, use the Windows group attribute to specify the new group the conditions outlined. We can also use this process, so that everyone VPN dial-up access for small groups function and reserve.

Connection Manager

To help administrators create and manage remote access connections, including Microsoft Windows Server 2008 package components are called Connection Manager. Connection Manager is not installed by default. We can install using the Server Manager; add the role of Connection Manager, and Internet access services.

Connection Manager allows administrators to create a remote access connection as service configuration file. These profiles, and then displayed in the client computer's network connection. We can use the network connection to the client to connect to the VPN or remote networks.

Configuring Security

When we configure a remote access security, we must consider several aspects, the most fundamental configuration, including the type of authentication and encryption will accept client requests the server to use. We will look at each of these in the following sections.

Controlling Server Security

The server's Properties dialog box Security tab allows specifying the authentication and accounting methods RRAS uses. We can use the Authentication provider drop-down list one of two authentication providers.

RADIUS Authentication Settings

When we select the RADIUS Authentication option from the Authentication Provider drop-down menu, we are enabling a RADIUS client that passes authentication duties to a RADIUS server. This communication is sent through UDP port 1645 or 1812, depending on the version we are using RADIUS.

Windows Authentication Settings

Select Windows Authentication from the Authentication drop-down menu provides choices, if we want to authenticate the local computer remote access users. To configure the server, telling it the authentication method, we want to use it, click the button to the authentication method, it shows Authentication Methods dialog box. If we are in front of the authentication protocol, a list of chapters in the report, we will find that everyone has the appropriate check box here: EAP time, MS - CHAPv2, CHAP and PAP authentication. We can also open a checking allows access to remote systems without connection, without authentication box, but not recommended because it allows anyone to access and use of our server (and therefore by our network expansion).

There is actually a set of special requirements to use CHAP, because it needs access to each user's encrypted password. Windows Server 2008 is generally not in a format that guy can use to store user passwords.

Configuring Network Access Protection

Another way we can have is to let users secure access to the identity of the client computer based resources. The new security solution called Network Access Protection (NAP).Determined by the customer needs; network administrators can now determine the network using NAP access granular level. National action program also allows administrators to determine on the basis of client access policy compliance and corporate governance.

Network layer protection

Network layer protection is the ability to secure communications at the Network layer of OSI model.

DHCP enforcement

If the computer's IPv4 networks want to get unlimited access, the computer must meet the corporate governance policies. DHCP force authentication before granting access to unlimited computer standards. If the computer does not meet, the computer receives the IPv4 address of a very limited network access and the default user profile.

VPN enforcement

VPN enforcement works a lot like DHCP enforcement except that VPN enforcement verifies the compliancy of the system before the VPN connection is given full access to the network.

IPSec enforcement

The implementation of IPSec will allow computers and other computer communications, as long as the computer's IPSec standard. We have the ability to configure the computer system compatibility between the secure communication requirements. We can configure the IP address or TCP / UDP port number of IPSec-based communication.

802.1X enforcement

For a computer system with an 802.1x network connection (Ethernet or wireless 802.11 access point) unlimited access, the computer system must 802.1X standard.802.1X enforcement verify the connection system is 8021X connection standard. Noncompliant computers will obtain only limited access to network connections.

Flexible host isolation

Flexible host isolation allows the computer server and domain isolation to help it possible to design a security layer between computers or network. Even if the hacker can access our network using the authorized user name and password, server and domain isolation to stop the attack, because the computer is the computer does not recognize the domain.

Configuring Firewall Options

A firewall is a software or hardware device to check has been received from the external (Internet) or an external network, and from information to decide whether to accept or reject the packet information. Different on the firewall, we may have the ability to check all Active Directory, remote users, remote users authorized to verify the domain account. This process is called Active Directory account integration. Microsoft Windows Server 2008 has a built-in firewall. The following are some of the configuration options included the Windows Firewall Settings dialog box:

Windows Firewall Settings-General tab

On the Windows Firewall Settings dialog box's General tab, we have the ability to turn the firewall on and off. When we open the firewall, we also have the ability to block all incoming traffic. This will stop all traffic on the access server.

Windows Firewall Settings-Exceptions tab

In the Exceptions tab allows to apply for their exclusion from the firewall settings. If enable the firewall, this tab gives the following options:

We can allow certain applications to continue to access the firewall.

We also have the ability to add programs to the exceptions.

We also have the ability to do traffic filtering by ports and protocols

Finally, we have the ability to see the properties of any of the applications for exclude.

Traffic filtering

When the set of Microsoft Windows Server 2008 firewall, administrators have the ability to filter traffic to the port and protocol.

Windows Firewall Settings-Advanced tab

Windows Firewall Settings dialog box Advanced tab allows to select the network connection and want to enable the firewall. For example, if we have multiple network cards, we can choose which connection, the firewall settings are applied.

Firewall With Advanced Security

Windows Server 2008 firewall in the control panel further than the normal firewall settings. An MMC snap-in called Windows Firewall with Advanced Security to block all incoming and outgoing connections of its configuration.

One of the main advantages of using the Advanced Security snap-in firewall is the ability to use Group Policy settings in the firewall configuration on the remote computer. Another advantage is the ability to use the MMC to set firewall security using IPSec. Firewall with Advanced Security snap-in allows administrators to set a more in-depth Microsoft Active Directory users and groups, source and destination Internet Protocol (IP) address, IP port number, ICMP settings, IPSec settings, the specific rules of interface types and services.


In this report, we have learned about remote access and authentication. We have learned that the user authentication protocols included with Windows Server 2008 are PAP, CHAP, MS-CHAPv2, Kerberos, NTLMv2, 802.1X, and EAP. We also learned that the Dial-In tab of a user's Properties dialog box has a number of interesting controls that regulate how the user account may be used for dial-in access. We covered how to use network access policies to determine who may and may not connect, as well as the process for defining rules with conditions that the system evaluates to see whether a particular user can connect. We have learned about the Windows Firewall option and the Windows Firewall With Advanced Security MMC. We discussed the Network Access Protection (NAP) options and features. In addition, you learned how to use network access profiles that contain settings that determine what happens during call setup and completion. Finally, you learned how to configure which accounting and authentication methods RRAS use.