Re: How secure is my VPN?



Oliver Maynard wrote:
Hi all,

I was wondering if the VPN I have just set up is done correctly and securely.

I have a single NIC server which is connected to a router. The router has a pass through rule on port 1723 pointing to the static IP of the server.

I have added the users on my domain that need external access to the 'SBS Mobile users' group (as they are required in the standard RAS policy).

And that's about it! Users connect with their active directory username and password and all seems good!

Many thanks in advance for any comments or suggestions

As I'm sure you realise, your security is exactly as strong as your passwords. What you may not realise is that you cannot lock out the Administrator account, even if it's not in the Mobile Users group.

So make up an enormous and absolutely unbreakable password for it, write it down and lock it in the company safe. It's extremely rare that you actually need to use the Administrator account; virtually everything can be done by a domain admin.

Insist on very strong passwords for the users who have access, and if some of them are people you don't insist with, then make sure they get a written statement making it clear that network security depends on their passwords. Mention in passing that the account which gets cracked will be logged...

In the longer term, move away from VPN. Its only important use is for people who use the same laptop on the LAN and remotely, who tend to be salesmen or managers and need life to be made as easy as possible. Anyone whose remote computer isn't a domain member doesn't need VPN. There are much more secure ways of doing whatever they do. If you're not already familiar with it, investigate Remote Web Workplace.

My usual note of caution: Microsoft Access and other primitive databases which rely on FAT or NTFS file sharing and locking are extremely vulnerable to damage due to network disconnections, and should not be used over VPN. Not that you would anyway, as complete tables need to be copied across and that is s-l-o-w... Many low-cost accounts packages are of this kind.

As Leythos says, there are better ways of doing VPN, but they all cost significantly more. You probably can't do much better with what you already have, and management are never willing to pay for insurance against risks which by definition you cannot quantify.