Re: How secure is my VPN?



Hi,

Actually, here's the whole help file info on this:

Configure Remote Access Client Account Lockout Feature
The remote access account lockout feature is managed separately from the
account lockout settings that are maintained in Active Directory Users and
Computers. Remote access lockout settings are controlled by manually editing
the registry. Note that these settings do not distinguish between a
legitimate user who mistypes a password and an attacker that is trying to
"crack" an account.

Remote access server administrators control two features of remote access
lockout:
• The number of failed attempts before future attempts are denied.
• How frequently the failed attempts counter is reset.

If you use Microsoft Windows Authentication on the remote access server,
configure the registry on the remote access server. If you use RADIUS for
remote access authentication, configure the registry on the Internet
Authentication Server (IAS).

Activate Remote Access Client Account Lockout
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.

The failed attempts counter is periodically reset to zero (0). If an account
is locked out after the maximum number of failed attempts, the failed
attempts counter is automatically reset to zero after the reset time. To
activate remote access client account lockout and reset time, follow these
steps:
1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
3. Double-click the MaxDenials value.

The default value is zero, which indicates that account lockout is turned
off. Type the number of failed attempts before you want the account to be
locked out.
4. Click OK.
5. Double-click the ResetTime (mins) value.

The default value is 0xb40, which is hexadecimal for 2,880 minutes (two
days). Modify this value to meet your network security requirements.
6. Click OK.
7. Quit Registry Editor.

Manually Unlock a Remote Access Client
If the account is locked out, the user can try to log on again after the
lockout timer has run out, or you can delete the DomainName:UserName value in
the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
To manually unlock an account, follow these steps:
1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
3. Find the Domain Name:User Name value, and then delete the entry.
4. Quit Registry Editor.
5. Test the account to confirm that it is no longer locked out.


"Colin" wrote:

Hi,

If you can't go down the hardware VPN route (and if you can afford it you
should), then at least configure Remote Access Lockout. Use Regedit to change
the default of 'unlimited' access attempts with the wrong password to 3 or
whatever you consider appropriate. Edit this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

Personally, I'd set it to 3 and no more.

If someone tries a dictionary/brute force attack, by the time they get to 3
tries, the account is locked out for 48 hours (by default, you can change
this but I can't see why you'd want to).

Regards Colin.

"kj [SBS MVP]" wrote:

Joe wrote:

Just some minor 'nits' and an important addition for re-emphasis of
strong/complex passwords for VPN.

Oliver Maynard wrote:
Hi all,

I was wondering if the VPN I have just set up is done correctly and
securely. I have a single NIC server which is connected to a router. The
router has a pass-through rule on port 1723 pointing to the static IP of
the server. I have added the users on my domain that need external access
to the 'SBS Mobile users' group (as they are required in the standard RAS
policy). And that's about it! Users connect with their Active Directory
username and password and all seems good!

Many thanks in advance for any comments or suggestions

As I'm sure you realise, your security is exactly as strong as your
passwords. What you may not realise is that you cannot lock out the
Administrator account, even if it's not in the Mobile Users group.

The Administrator account *can* be locked out with the exception of the
server console, but by default it is not so enabled.
http://support.microsoft.com/kb/885119/en-us


So make up an enormous and absolutely unbreakable password for it,
write it down and lock it in the company safe. It's extremely rare
that you actually need to use the Administrator account, virtually
everything can be done by a domain admin.

Insist on very strong passwords for the users who have access, and if
some of them are people you don't insist with, then make sure they
get a written statement making it clear that network security depends
on their passwords. Mention in passing that the account which gets
cracked will be logged...

Remote Access (VPN uses this) Account lockout should also be configured,
which by default is not.
http://support.microsoft.com/kb/816118


In the longer term, move away from VPN. Its only important use is for
people who use the same laptop on the LAN and remotely, who tend to be
salesmen or managers and need life to be made as easy as possible.
Anyone whose remote computer isn't a domain member doesn't need VPN.
There are much more secure ways of doing whatever they do. If you're
not already familiar with it, investigate Remote Web Workplace.

My usual note of caution: Microsoft Access and other primitive
databases which rely on FAT or NTFS file sharing and locking are
extremely vulnerable to damage due to network disconnections, and
should not be used over VPN. Not that you would anyway, as complete
tables need to be copied across and that is s-l-o-w... Many low-cost
accounts packages are of this kind.

As Leythos says, there are better ways of doing VPN, but they all cost
significantly more. You probably can't do much better with what you
already have, and management are never willing to pay for insurance
against risks which by definition you cannot quantify.

--
/kj
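An added example, not part of this thread or of the KB article quoted above: a PowerShell script that reads the same AccountLockout registry key the Regedit steps edit, reports whether lockout is enabled and how long the reset window is, lists the DomainName:UserName entries for currently locked-out accounts, and provides functions to set the values Colin recommends and to clear a locked-out entry. It assumes it is run elevated on the remote access server (or on the IAS server when RADIUS is used); the function names and the 'CONTOSO:jsmith' value are constructed for illustration.

```powershell
# Added example: audit, configure and clear Remote Access account lockout via
# the registry key the KB procedure edits. Run elevated on the RRAS server
# (or on the IAS server when RADIUS authenticates remote access clients).
$AccountLockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
$SettingNames = @('MaxDenials', 'ResetTime (mins)')

function Get-RemoteAccessLockoutState {
    if (-not (Test-Path $AccountLockoutKey)) {
        throw "Key not found (is Routing and Remote Access installed?): $AccountLockoutKey"
    }
    $props = Get-ItemProperty -Path $AccountLockoutKey
    $maxDenials = [int]$props.MaxDenials          # 0 (the default) means lockout is off
    $resetMins  = [int]$props.'ResetTime (mins)'  # default 0xb40 = 2,880 minutes = 48 hours
    # Any other value under the key is a DomainName:UserName entry recorded for
    # an account that is currently locked out.
    $locked = (Get-Item -Path $AccountLockoutKey).GetValueNames() |
        Where-Object { ($_ -notin $SettingNames) -and ($_ -like '*:*') }
    [pscustomobject]@{
        LockoutEnabled = ($maxDenials -gt 0)
        MaxDenials     = $maxDenials
        ResetTimeHours = [math]::Round($resetMins / 60, 2)
        LockedAccounts = @($locked)
    }
}

function Set-RemoteAccessLockout {
    # Defaults follow the thread: 3 failed attempts, 48-hour reset window.
    param([int]$MaxDenials = 3, [int]$ResetMinutes = 2880)
    if ($MaxDenials -lt 1) { throw 'MaxDenials must be at least 1; 0 disables lockout.' }
    Set-ItemProperty -Path $AccountLockoutKey -Name 'MaxDenials' -Value $MaxDenials -Type DWord
    Set-ItemProperty -Path $AccountLockoutKey -Name 'ResetTime (mins)' -Value $ResetMinutes -Type DWord
}

function Unlock-RemoteAccessAccount {
    # Equivalent of step 3 of "Manually Unlock a Remote Access Client":
    # delete the DomainName:UserName value. 'CONTOSO:jsmith' is a constructed sample.
    param([Parameter(Mandatory)][string]$DomainUser)
    if ($DomainUser -in $SettingNames) { throw "Refusing to delete setting '$DomainUser'." }
    Remove-ItemProperty -Path $AccountLockoutKey -Name $DomainUser -ErrorAction Stop
}

# Usage (constructed): show the current state; uncomment to harden or unlock.
Get-RemoteAccessLockoutState | Format-List
# Set-RemoteAccessLockout -MaxDenials 3 -ResetMinutes 2880
# Unlock-RemoteAccessAccount -DomainUser 'CONTOSO:jsmith'
```

Re-run Get-RemoteAccessLockoutState after any change: LockoutEnabled should read True and LockedAccounts should shrink once an entry is removed, which is the check the KB's final step asks for.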





