Re: How secure is my VPN?
- From: "kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 5 Oct 2007 13:59:11 -0700
Joe wrote:
Just some minor 'nits' and an important addition for re-emphasis of
strong/complex passwords for VPN.
Oliver Maynard wrote:
Hi all,
I was wondering if the VPN I have just set up is done correctly and
securely. I have a single NIC server which is connected to a router. The
router has a pass through rule on port 1723 pointing to the static IP of
the server. I have added the users on my domain that need external access
to the 'SBS Mobile users' group (as they are required in the standard RAS
policy). And that's about it! Users connect with their Active Directory
username and password and all seems good!
Many thanks in advance for any comments or suggestions
As I'm sure you realise, your security is exactly as strong as your
passwords. What you may not realise is that you cannot lock out the
Administrator account, even if it's not in the Mobile Users group.
The Administrator account *can* be locked out with the exception of the
server console, but by default it is not so enabled.
http://support.microsoft.com/kb/885119/en-us
So make up an enormous and absolutely unbreakable password for it,
write it down and lock it in the company safe. It's extremely rare
that you actually need to use the Administrator account, virtually
everything can be done by a domain admin.
Insist on very strong passwords for the users who have access, and if
some of them are people you don't insist with, then make sure they
get a written statement making it clear that network security depends
on their passwords. Mention in passing that the account which gets
cracked will be logged...
Remote Access (VPN uses this) account lockout should also be configured,
which by default it is not.
http://support.microsoft.com/kb/816118
In the longer term, move away from VPN. Its only important use is for
people who use the same laptop on the LAN and remotely, who tend to be
salesmen or managers and need life to be made as easy as possible.
Anyone whose remote computer isn't a domain member doesn't need VPN.
There are much more secure ways of doing whatever they do. If you're
not already familiar with it, investigate Remote Web Workplace.
My usual note of caution: Microsoft Access and other primitive
databases which rely on FAT or NTFS file sharing and locking are
extremely vulnerable to damage due to network disconnections, and
should not be used over VPN. Not that you would anyway, as complete
tables need to be copied across and that is s-l-o-w... Many low-cost
accounts packages are of this kind.
As Leythos says, there are better ways of doing VPN, but they all cost
significantly more. You probably can't do much better with what you
already have, and management are never willing to pay for insurance
against risks which by definition you cannot quantify.
--
/kj