Control RAS/VPN with AD computer accounts


Phil

I'm sure I'm not the first person to ask this: What are
my options for making sure people aren't connecting to my
LAN with their home computers? Basically I would like to
lock down the ability to VPN into my network to
authenticated users on authenticated company
hardware/images.

Is there a way to do it with IAS policies? Do I need to
script? If so, how? Am I stuck with connection
manager/NAQC? Thanks in advance!

Environment:
- Windows 2003 AD
- Windows 2000 IAS server
- Windows XP clients
 
One way would be to use L2TP and issue computer certificates to domain
computers and the VPN server. Then you can use Remote Access Policies and/or
firewall rules to restrict access to only L2TP. L2TP can require computer
certificates for computer authentication or else the VPN connection fails.
You will have to install the NAT-T client on your VPN clients if you use a NAT
device for firewall/internet connection. To create and issue certificates,
you can use one of your Windows Server domain computers as an Enterprise
Certificate Authority and use autoenrollment, Web Enrollment, or the MMC
Certificates snap-in for computers to issue or request certificates for
domain computers. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
 
If you are using Windows 2000 SP4 and all computers that you want to allow
access are Windows 2000 or XP Pro, you can actually assign dial-in
permissions to computer accounts in their account properties. Then you can
add the authorized computer accounts to a global group and use that group
with a Remote Access Policy that is configured with that group name as the
condition that must match to gain access to the VPN. If you
do that, be sure to delete the default Remote Access Policy so that computers
not in the group will not gain access. Note that you must have at least one
Remote Access Policy or no one will be able to gain access to the VPN, which
is why there is a default policy. Windows 2003 has a technology called
quarantine, but that takes a whole lot more configuration than
certificates. --- Steve

http://www.windowsecurity.com/articles/Securing_Remote_Access_Connections.html
-- basics of Remote Access Policies.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q313082&ID=KB;EN-US;q313082
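An added example (not from the thread) of the computer-account approach Steve describes: it grants the dial-in permission to every computer in the authorizing group and then reports computer accounts that have dial-in allowed but are not in the group, since the Remote Access Policy only gates on membership. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates the Windows 2000/2003 environment in the question, and a hypothetical global group named "VPN-Authorized-Computers".

```powershell
# Added example, not the original poster's or replier's code.
# Requires the ActiveDirectory module (RSAT) and rights to modify computer objects.
Import-Module ActiveDirectory

$GroupName = 'VPN-Authorized-Computers'   # assumed group name; replace with your own

# The "Allow access" setting on an account's Dial-in tab is stored in the
# msNPAllowDialin attribute: TRUE = allow, FALSE = deny, absent = controlled by policy.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $_.objectClass -eq 'computer' }

# Enforcement: every computer in the group gets the explicit dial-in permission.
foreach ($m in $members) {
    $c = Get-ADComputer -Identity $m.distinguishedName -Properties msNPAllowDialin
    if ($c.msNPAllowDialin -ne $true) {
        Write-Output "Granting dial-in permission to $($c.Name)"
        Set-ADComputer -Identity $c -Replace @{ msNPAllowDialin = $true }
    }
}

# Detection: a computer account allowed to dial in that is NOT in the group is
# configuration drift worth reviewing, because group membership is what the
# Remote Access Policy condition actually checks.
$memberDNs = $members | ForEach-Object { $_.distinguishedName }
Get-ADComputer -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
    Where-Object { $memberDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize
```

Run it from a scheduled task on a management host to keep the group and the per-account permission in step after new machines are joined.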
 