Welcome, it's quick and dirty, but it works - and is free ;) Before you proceed, please consider the security implication of what you are doing, especially in light of your question about the Domain Controller.
I cant answer all of these in much detail, but others on the list will be able to. My answers inline, prefixed with JDS: Cheers James D. Stallard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai Sent: 04 January 2007 04:01 To: [email protected] Subject: Re: Secure Remote access - windows 2003 That is cool !Thanks James a few questions before I start th eimplementation - I will setup the RRAS and the supporting IPSEC/L2TP as you have mentioned in the link. is there any additional IPSEC/L2TP config to be done other than you have explicitly mentioned in the link ? JDS: For the most basic setup this is all that is necessary. The next step with L2TP/IPSec is usually to implement certificates. My requirement is only for known machines to connect - not cybercafes..so this suits me . I will use PSK. The access is needed to one file-server only for which I will assign a public IP.[ or I can have a gateway machine dedicated for RRAS with public IP and host this file-server machine behind the RRAS gateway] JDS: Typically, your RRAS Server remains on your internal network and your firewall is the only thing visible on the public network. All other servers can remain on your internal network and are only accesible from the RRAS Server. You can use port forwarding on the firewall to re-direct those inbound ports and protocols to the RRAS Server, which will proxy the authentication request to the Domain Controller and assign an IP Address to the client. This file-server is a domain controller. all remote users will be having valid domain login-id/passwords. But their laptops will be configured as part of workgroups. This file-server has shares which need to be accessible to these remote users for file copy. JDS: I would advise strongly against putting a Domain Controller on the internet. You are creating a very large attack surface. Of course if you only have 1 server then the point is rather moot. I hope the connecting user will be asked for the user-id password in addition to the IPSEC PSK. JDS: They will be asked for a Username and Password and only granted access if they are assign dial-in rights and logon successfully. This is the most basic form of two-factor authentication. Can my requirement be met with the RRAS solution? JDS: I believe so. RRAS is very flexible as a small scale remote access solution. I hope everything from user/id password to file copy with be IPSEC-ed JDS: All traffic between the client and the RRAS Server will be pushed down the newly created tunnel. You will be able to see this for yourself if you look at the logs on your firewall. Thanks in advance On 1/3/07, James D. Stallard <[EMAIL PROTECTED]> wrote: > You don't mention the number of users, but the budget suggests small > scale > :) > > Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and > with WXP SP2 as your client you have 2048bit Diffie-Hellman encryption available. > > Setting up RRAS to perform this task is done in less than 20 minutes > and is easy to get through a firewall inbound (IE your firewall). The > problems you have to face are: > > . If you wish to use pre-shared keys (the "cheapest" way of doing it) > you will need to configure the PSK passphrase on each client > individually - easy with a small number of clients. Otherwise, you > will need to invest in a certificate authority. > > . This is only suitable for access by known machines, not for internet > café type environments. > > . This solution works great for the remote home user, but is less > successful for your travelling salesmen using the client's internet > connection as they generally have the relevant ports/protocols blocked. > > . The locally configured PSK may not be stored in a highly secure > manner on the client machines and could possibly become known in the > event a machine configured with it is stolen. You may find yourself > having to re-deploy a new PSK. > > I wrote a quick and dirty step-by-step here: > http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus > > In case one of your configured laptops is stolen and an attempt is > made on your RRAS solution, pay attention to your account locking on > failed password settings. You want permanent locks on a small number > of attempts (say 5), thus forcing administrative intervention and > investigation in the event of an account becoming locked. > > Cheers > > James D. Stallard > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai > Sent: 02 January 2007 04:17 > To: [email protected] > Subject: Secure Remote access - windows 2003 > > I am planning to provide remote access from Internet to a windows 2003 > domain > > controller.User-ids, NTFS permissions are all configured. > > The objective is file sharing and access. > > Files will need to be copied. The machine has valid Internet IP > address and is > > sitting behind a Firewall. > > I would like to keep solution independent of Firewall.This will be > accessed by roaming users. I am thinking of something like 0penssh for > windows or maybe just GUI based Secure-FTP > > Challenges I am facing > ------------------------------------ > Authentication should be strong. Something more than a password. [ No > budget for RSA securiD :-))) ] > > Encryption for user-crentials/data access > > Options considered > ---------------------------------- > I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy > is not simple and also you require Application Mode license. > > The number of remote users - less than 100 > > Cost effective , easy to implement and easy to manage solution sought > > > > On 1/3/07, James D. Stallard <[EMAIL PROTECTED]> wrote: > You don't mention the number of users, but the budget suggests small > scale > :) > > Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and > with WXP SP2 as your client you have 2048bit Diffie-Hellman encryption available. > > Setting up RRAS to perform this task is done in less than 20 minutes > and is easy to get through a firewall inbound (IE your firewall). The > problems you have to face are: > > . If you wish to use pre-shared keys (the "cheapest" way of doing it) > you will need to configure the PSK passphrase on each client > individually - easy with a small number of clients. Otherwise, you > will need to invest in a certificate authority. > > . This is only suitable for access by known machines, not for internet > café type environments. > > . This solution works great for the remote home user, but is less > successful for your travelling salesmen using the client's internet > connection as they generally have the relevant ports/protocols blocked. > > . The locally configured PSK may not be stored in a highly secure > manner on the client machines and could possibly become known in the > event a machine configured with it is stolen. You may find yourself > having to re-deploy a new PSK. > > I wrote a quick and dirty step-by-step here: > http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus > > In case one of your configured laptops is stolen and an attempt is > made on your RRAS solution, pay attention to your account locking on > failed password settings. You want permanent locks on a small number > of attempts (say 5), thus forcing administrative intervention and > investigation in the event of an account becoming locked. > > Cheers > > James D. Stallard > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai > Sent: 02 January 2007 04:17 > To: [email protected] > Subject: Secure Remote access - windows 2003 > > I am planning to provide remote access from Internet to a windows 2003 > domain > > controller.User-ids, NTFS permissions are all configured. > > The objective is file sharing and access. > > Files will need to be copied. The machine has valid Internet IP > address and is > > sitting behind a Firewall. > > I would like to keep solution independent of Firewall.This will be > accessed by roaming users. I am thinking of something like 0penssh for > windows or maybe just GUI based Secure-FTP > > Challenges I am facing > ------------------------------------ > Authentication should be strong. Something more than a password. [ No > budget for RSA securiD :-))) ] > > Encryption for user-crentials/data access > > Options considered > ---------------------------------- > I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy > is not simple and also you require Application Mode license. > > The number of remote users - less than 100 > > Cost effective , easy to implement and easy to manage solution sought > > > >
