Improving Remote Access Security (Microsoft TechEd 2005 Australia hands-on lab HOL152). Source: download.microsoft.com/documents/australia/teched2005/hol/HOL152.pdf


Improving Remote Access Security

Objectives

At the end of this lab, you will be able to:

Implement a secure VPN solution that incorporates L2TP/IPSec and Network Access Quarantine.

Configure the remote access policies for VPN to support L2TP and PPTP remote access connections. You will also learn how to configure certificate provisioning to support L2TP VPN connections.

Implement VPN Network Quarantine: configure a remote access policy for network quarantine and implement the Remote Access Quarantine Service.

Configure and deploy a Connection Manager profile for use with VPN Network Quarantine.

Scenario

Northwind Traders has drawn a plan to deploy a secure VPN remote access solution with the following requirements.

Deploy L2TP/IPSec as the primary VPN security solution.

Establish a security protocol for granting network access to remote clients that:

Initially places each remote client in quarantine.

Determines whether the remote access client is in compliance with security policies:

• Authenticates using a domain account.

• Is running Windows Firewall.

• Has the latest security patches installed.

Allows access or drops the connection request, depending on client compliance with security policies.

A portion of the Northwind Traders network infrastructure is illustrated below:

Important This hands-on lab is designed to test the installation and configuration of specific features on a limited number of computer resources. The placement of network services reflects neither best practices nor a desired or recommended configuration for a production environment. For prescriptive architectural guidance visit the Microsoft Patterns & practices Web site at: http://www.microsoft.com/resources/practices/default.mspx

Computers: This lab uses the following computers: VAN-DC1, VAN-VPN1 and VAN-CL1.

Estimated time to complete this lab: 75 minutes

Before you begin the lab, you must start the VAN-DC1, VAN-VPN1 and VAN-CL1 computers.


Lab Setup

To complete each lab module, you need to review the following:

Virtual PC

This lab makes use of Microsoft Virtual PC 2004, an application that allows you to run multiple virtual computers on the same physical hardware. During the lab, you will switch among different windows, each of which contains a separate virtual machine.

Before you start the lab, familiarize yourself with the following basics of Virtual PC:

Task: To switch the focus for your mouse and keyboard to the virtual machine.
Procedure: Click inside the virtual machine window.

Task: To remove the focus from a virtual machine.
Procedure: Move the mouse pointer outside the virtual machine window.

Task: To issue the CTRL+ALT+DELETE keyboard combination inside a virtual machine.
Procedure: Use the <RIGHT>ALT+DELETE keyboard combination. In Virtual PC, the <RIGHT>ALT key is called the host key.

Task: To make the virtual machine window larger.
Procedure: Drag the lower-right corner of the window.

Task: To switch to full-screen mode, and to return from full-screen mode.
Procedure: Press the <RIGHT>ALT+ENTER keyboard combination.

To complete this lab, you need to start the virtual machines and then log on to the computers. In each exercise, you only have to start the virtual machines that are needed.

To log on to a computer in a virtual machine

1. Press <RIGHT>ALT+DEL (instead of CTRL+ALT+DEL) to open the Logon dialog box.

Important If a service startup error appears on VAN-DC1 during the boot process, check to ensure that the Exchange Server services have started as expected.


Exercise 1 Configuring Network Services to Support VPN Security

In this exercise you install and configure the network services required to secure a VPN remote access solution.

Scenario

The first exercise in deploying a secure VPN remote access solution is to install and configure the required network services. These services include Internet Authentication Service, Certificate Services, Routing and Remote Access, and the Connection Manager Administration Kit (CMAK).

Tasks Detailed steps

Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1.

Note: Perform the following steps on the VAN-DC1 computer.

1. Install the Internet Authentication Service on VAN-DC1.

a. Log on to VAN-DC1 as Administrator with the password P@ssw0rd.

b. Click Start, point to Control Panel, and then click Add or Remove Programs.

The Add or Remove Programs dialog box opens.

c. Click Add/Remove Windows Components. After a few moments the Windows Components Wizard is displayed.

d. In the Components list, scroll down and select Networking Services. Do not click the check box. Click Details.

The Networking Services dialog box opens. Be careful not to select the check box next to Networking Services because all services will then be selected on this page.

e. In the Networking Services dialog box, click the check box next to Internet Authentication Service. Click OK.

f. Click Next. The Configuring Components page is displayed and the installation continues. This may take several minutes to complete.

g. When the Completing the Windows Components Wizard dialog box is displayed, click Finish.

h. Close the Add or Remove Programs dialog box.

2. Configure the Internet Authentication Service with the following RADIUS client settings. Friendly name: VPN1. Client address: 10.10.0.12. Shared secret: P@ssw0rd.

a. Click Start, point to Administrative Tools, and then click Internet Authentication Service.

The Internet Authentication Service console opens.

b. Right-click Internet Authentication Service (Local) and then click Register Server in Active Directory.

The Register Server in Active Directory prompt is displayed asking if you wish to authorize this computer to read user’s dial-in properties.

c. Click OK to close the Register Server in Active Directory prompt. A Server registered prompt is now displayed to confirm that the server registration was successful.

d. Click OK to close the Server registered prompt.

e. In the left-hand console, right-click RADIUS Clients and then click New RADIUS Client.

The New RADIUS Client dialog box is displayed.

f. In the New RADIUS Client dialog box, type VPN1 in the Friendly name text box.

g. In the New RADIUS Client dialog box, type 10.10.0.12 for the Client address.

h. Click Next.

i. In the Additional Information page, type P@ssw0rd in both the Shared secret and Confirm shared secret text boxes.

j. Click Finish.

k. Click the RADIUS Clients folder. Notice that VPN1 is configured as a RADIUS client with IP Address 10.10.0.12.

l. Close the Internet Authentication Service console.

3. Configure Certificate Services on VAN-DC1 to provide remote access certificates. CA type: Enterprise root CA. Common name: Northwind Traders CA.

a. Click Start, point to Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

After a few moments the Windows Components Wizard opens.

c. Click the check box next to Certificate Services. A Microsoft Certificate Services message is displayed stating that the machine name and domain membership may not be changed.

d. Click Yes to continue.

e. In the Windows Components dialog box, click Next.

f. In the CA Type dialog box, select Enterprise root CA and then click Next.

g. In the CA Identifying Information dialog box, under Common name for this CA, type Northwind Traders CA.

h. Click Next.

i. On the Certificate Database Settings dialog box, accept the defaults and then click Next.

A Microsoft Certificate Services message is displayed stating that Internet Information Services must be temporarily stopped.

j. In the Microsoft Certificate Services prompt, click Yes. The Configuring Components page displays to show the progress of the component configuration and installation.

k. When the Insert Disk prompt displays, click OK.

l. In the Files Needed dialog box, click the Browse button.

m. Browse to C:\Win2k3\I386 and then click Open.

n. In the Files Needed dialog box, click OK. The component configuration continues. This may take a few minutes to complete.

o. On the Completing the Windows Components Wizard page, click Finish.

p. Close the Add or Remove Programs window.

4. Create the public file share. This share will be accessible to VPN clients. Folder name: Public. Share name: Public. Share permissions: Authenticated Users, Full Control. NTFS permissions: default.

a. Click Start, and then click Windows Explorer.

b. Browse to Local Disk (C:).

c. Click the File menu and then click New, Folder.

d. Name the new folder Public.

e. Right-click the Public folder and then click Properties.

f. Click the Sharing tab.

g. On the Sharing tab, select the radio button next to Share this folder.

h. Accept the default Share name of Public.

i. Click the Permissions button. The Permissions for Public dialog box opens.

j. Click the Add button.

k. In the Select Users, Computers, or Groups dialog box, type Authenticated Users, and then click OK.

l. In the Permissions for Public dialog box, select the Authenticated Users object and then allow Full Control permissions.

m. In the Permissions for Public dialog box, select the Everyone object and then click the Remove button.

n. Click OK.

o. Click the Security tab. Notice that the Users group has Read and Execute permissions by default.

p. Click OK to close the Public Properties dialog box.

q. Double-click the Public folder and create a new text document called This is the public folder.

r. Close Windows Explorer.

Note: Perform the following steps on the VAN-VPN1 computer.

5. Configure Routing and Remote Access on VAN-VPN1.

a. Log on to VAN-VPN1 as Administrator with the password P@ssw0rd.

b. Click Start, point to Administrative Tools, and click Routing and Remote Access.

c. In the left-hand console, right-click VAN-VPN1 (local) and click Configure and Enable Routing and Remote Access.

The Routing and Remote Access Server Setup Wizard opens.

d. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.

e. On the Configuration page, ensure that Remote access (dial-up or VPN) is selected. Click Next.

f. On the Remote Access page, select the VPN check box. Click Next.

g. On the VPN Connection page, in the Network interfaces section, click the External interface. Click Next.

h. On the IP Address Assignment page, select From a specified range of addresses. Click Next.

i. On the Address Range Assignment page, click the New button.

j. In the New Address Range dialog box, enter the following information:

• Start IP Address: 10.10.0.100

• End IP Address: 10.10.0.109

• Number of addresses: 10 (automatically configured)

k. Click OK to close the New Address Range dialog box.

l. Click Next.

m. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server. Click Next.

n. On the RADIUS Server Selection page, in the Primary RADIUS server box, type 10.10.0.2.

o. In the Shared secret text box type P@ssw0rd.

p. Click Next.

q. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.

After a few moments a message is displayed stating that a DHCP Relay Agent must be configured to support the relaying of DHCP messages.

r. In the Routing and Remote Access dialog box, click OK. After a few moments the Routing and Remote Access service starts. You can verify that the service has started by the green arrow appearing on the VAN-VPN1 server icon in the console.

s. Close the Routing and Remote Access console.

6. Install the Connection Manager Administration Kit (CMAK) on VAN-VPN1.

a. Click Start, point to Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

After a few moments the Windows Components Wizard opens.

c. In the Components list, scroll down and select Management and Monitoring Tools. Do not click the check box. Click Details.

d. Click the check box next to Connection Manager Administration Kit. Click OK.

e. Click Next. The Configuring Components page displays to show the progress of the component configuration and installation.

f. When the Insert Disk prompt displays, click OK.

g. In the Files Needed dialog box, click the Browse button.

h. Browse to C:\Win2k3\I386 and then click Open.

i. In the Files Needed dialog box, click OK. The component configuration continues. This may take a few minutes to complete.

j. On the Completing the Windows Components Wizard page, click Finish.

k. Close the Add or Remove Programs window.
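Steps 2 and 5 above pair VAN-VPN1 (the RADIUS client at 10.10.0.12) with the IAS server on VAN-DC1 (10.10.0.2) through a shared secret. The following is an added example, not code from the lab, that models what that secret actually does on the wire (RFC 2865): the Access-Request carries a random Request Authenticator, and the Access-Accept or Access-Reject carries a Response Authenticator that is an MD5 over the reply, the Request Authenticator and the secret, which is the only thing that lets VAN-VPN1 know the reply came from a server holding the same secret. The user names, the allowed-user set (standing in for the VPNUsers group check) and the `vpn_logon` helper are assumptions for the example; the MS-CHAPv2 exchange itself, which rides in vendor-specific attributes, is not modeled.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used in the lab's exchange (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_TUNNEL_TYPE = 1, 4, 64
TUNNEL_TYPE_PPTP, TUNNEL_TYPE_L2TP = 1, 3

# Lab values: VAN-VPN1 is the RADIUS client (NAS) at 10.10.0.12 and both sides
# were given the shared secret P@ssw0rd (a lab-only value; use a long random
# secret in production, since a weak one can be brute-forced offline from any
# captured reply).
NAS_IP = "10.10.0.12"
SHARED_SECRET = b"P@ssw0rd"
# Assumption for the example: the server accepts only these users, standing in
# for the VPNUsers group condition of the remote access policy.
ALLOWED_USERS = {"NWTRADERS\\Kim", "NWTRADERS\\Don"}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(blob):
    """Decode a run of TLV attributes into {type: value}."""
    attrs = {}
    while blob:
        atype, alen = blob[0], blob[1]
        attrs[atype] = blob[2:alen]
        blob = blob[alen:]
    return attrs


def build_access_request(ident, user, tunnel_type):
    """NAS side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + _attr(ATTR_TUNNEL_TYPE, struct.pack("!I", tunnel_type)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def _response_authenticator(header, request_auth, attrs, secret):
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def ias_handle(request, secret):
    """Server side: decide Accept/Reject and sign the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    reply_code = ACCESS_ACCEPT if user in ALLOWED_USERS else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # no reply attributes
    return header + _response_authenticator(header, request_auth, b"", secret)


def nas_verify(request, response, secret):
    """NAS side: accept the reply only if it answers this request's identifier
    and its authenticator proves knowledge of the shared secret."""
    if response[1] != request[1]:
        return False
    header, auth, attrs = response[:4], response[4:20], response[20:]
    expected = _response_authenticator(header, request[4:20], attrs, secret)
    return hmac.compare_digest(auth, expected)


def vpn_logon(user, tunnel_type, nas_secret=SHARED_SECRET, ias_secret=SHARED_SECRET):
    """One NAS <-> IAS round trip. Returns 'accept', 'reject', or 'unverified'
    when the reply is discarded because the two secrets do not match."""
    request = build_access_request(ident=7, user=user, tunnel_type=tunnel_type)
    response = ias_handle(request, ias_secret)
    if not nas_verify(request, response, nas_secret):
        return "unverified"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(vpn_logon("NWTRADERS\\Kim", TUNNEL_TYPE_L2TP))
    print(vpn_logon("NWTRADERS\\Kim", TUNNEL_TYPE_L2TP, nas_secret=b"typo"))
```

Two things the model makes visible: a mistyped secret on either side does not produce a "reject", it produces a reply the NAS cannot verify, which is what you see as silent RADIUS timeouts in the RRAS log; and the Access-Request direction carries no proof of the secret at all in this form, so the RADIUS client address configured in step 2 (and the Message-Authenticator attribute that IAS requires with EAP, not modeled here) is what limits who may submit requests.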


Exercise 2 Configuring VPN Remote Access Policy and Certificate Provisioning

In this exercise, you configure VPN remote access policies for L2TP/IPSec VPN connections and PPTP VPN connections. To support the L2TP/IPSec VPN connections you will also configure certificate templates and certificate autoenrollment.

Scenario

Now that the services have been installed, the next step is to configure the required VPN remote access policies. In order to support the L2TP/IPsec VPN connections, you also need to configure the Certificate Authority with the appropriate certificate templates and configure Group Policy to implement certificate autoenrollment.

Tasks Detailed steps

Note: This exercise uses the following computer: VAN-DC1.

Note: Perform the following steps on the VAN-DC1 computer.

1. Create a group to be used for VPN connections. Group name: VPNUsers. Members: Don Hall and Kim Akers.

a. If necessary, log on to VAN-DC1 as Administrator with the password P@ssw0rd.

b. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

c. In the left-hand console pane, click the Users container.

d. Right-click Users and then click New, Group. The New Object - Group dialog box opens.

e. In the Group name box, type VPNUsers.

f. Ensure that the following settings are configured:

• Group scope: Global

• Group type: Security

g. Click Next.

h. Do not create an Exchange e-mail address for the group. Click Next.

i. Click Finish.

j. In the details pane, right-click VPNUsers and then click Properties. The VPNUsers Properties dialog box opens.

k. Click the Members tab.

l. Click the Add button.

m. In the Select Users, Contacts, Computers, or Groups dialog box, type Kim and Don separated by a semicolon (;). Click OK.

n. Click OK to close the VPNUsers Properties dialog box.

o. Close Active Directory Users and Computers.

2. Create a remote access policy for L2TP/IPSec VPN connections.

a. Click Start, point to Administrative Tools, and then click Internet Authentication Service.

b. In the left-hand console pane, right-click Remote Access Policies, and then click New Remote Access Policy.

The New Remote Access Policy Wizard opens.

c. On the Welcome to the New Remote Access Policy Wizard, click Next.

d. On the Policy Configuration Method page, in the Policy name box, type L2TP VPN Access and then click Next.

e. On the Access Method page, click VPN, and click Next.

f. On the User or Group Access page, click Group and then click Add.

g. In the Select Groups dialog box, type VPNUsers and then click OK.

h. Click Next.

i. On the Authentication Methods page, make sure that Microsoft Encrypted Authentication version 2 (MS-CHAPv2) is selected. Click Next.

j. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes. Click Next.

k. On the Completing the New Remote Access Policy Wizard page, click Finish.

3. Modify the L2TP VPN Access policy condition to specify Layer Two Tunneling Protocol as the Tunnel-Type.

a. In the left-hand console pane, click Remote Access Policies.

b. In the details pane, right-click L2TP VPN Access and then click Properties.

The L2TP VPN Access Properties dialog box opens.

c. In the L2TP VPN Access Properties dialog box, click Add. The Select Attribute dialog box opens.

d. In the Select Attribute dialog box, click Tunnel-Type, and then click Add.

e. In the Tunnel-Type dialog box, click Layer Two Tunneling Protocol (L2TP) and then click Add.

f. Click OK to close the Tunnel-Type dialog box.

g. Click OK to close the L2TP VPN Access Properties dialog box.

4. Create a remote access policy for PPTP VPN connections.

a. In the left-hand console pane, right-click Remote Access Policies, and then click New Remote Access Policy.

The New Remote Access Policy Wizard opens.

b. On the Welcome to the New Remote Access Policy Wizard, click Next.

c. On the Policy Configuration Method page, in the Policy name box, type PPTP VPN Access and then click Next.

d. On the Access Method page, click VPN, and click Next.

e. On the User or Group Access page, click Group and then click Add.

f. In the Select Groups dialog box, type VPNUsers and then click OK.

g. Click Next.

h. On the Authentication Methods page, make sure that Microsoft Encrypted Authentication version 2 (MS-CHAPv2) is selected. Click Next.


i. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes. Click Next.

j. On the Completing the New Remote Access Policy Wizard page, click Finish.

5. Modify the PPTP VPN Access policy condition to specify Point-to-Point Tunneling Protocol (PPTP) as the Tunnel-Type. Edit the profile to add a dial-in constraint that disconnects PPTP sessions after 5 minutes. This will be enough time for a VPN client to perform quarantine scans and obtain a certificate if needed for L2TP VPN access.

a. In the details pane, right-click PPTP VPN Access and then click Properties.

The PPTP VPN Access Properties dialog box opens.

b. In the PPTP VPN Access Properties dialog box, click Add. The Select Attribute dialog box opens.

c. In the Select Attribute dialog box, click Tunnel-Type, and then click Add.

d. In the Tunnel-Type dialog box, click Point-to-Point Tunneling Protocol (PPTP) and then click Add.

e. Click OK to close the Tunnel-Type dialog box.

f. In the PPTP VPN Access Properties dialog box click Edit Profile.

g. On the Dial-in Constraints tab, select the Minutes client can be connected (Session-Timeout) check box.

h. Type 5 in the text box and then click OK.

i. Click OK to close the PPTP VPN Access Properties dialog box.

j. Close the Internet Authentication Service console.

6. Configure Active Directory for autoenrollment of certificates.

a. Click Start, point to Administrative Tools, and then click Group Policy Management.

The Group Policy Management console opens.

b. In the left-hand console pane, expand Forest: NWtraders.msft, Domains, NWtraders.msft, and then click Group Policy Objects.

c. Right-click Default Domain Policy and then click Edit. The Group Policy Object Editor opens.

d. In the left-hand console pane, expand Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

e. In the details pane, right-click Autoenrollment Settings, and then click Properties.

The Autoenrollment Settings Properties dialog box opens.

f. Click Enroll certificates automatically.

g. Click the check box next to Renew expired certificates, update pending certificates, and remove revoked certificates.

h. Click the check box next to Update certificates that use certificate templates.

i. Click OK to close the Autoenrollment Settings Properties dialog box.

j. Close the Group Policy Object Editor.


k. Close the Group Policy Management console.

l. Click Start, and then click Run.

m. Type CMD in the Open text box. Click OK.

n. At the command prompt, type gpupdate /force. Press ENTER. This command refreshes Group Policy on VAN-DC1.

o. Close the command prompt.

7. Create and issue certificate templates for L2TP/IPSec VPN access.

a. Click Start, and then click Run.

b. Type certtmpl.msc in the Open text box. Click OK. The Certificate Templates console opens.

c. In the details pane, right-click the Authenticated Session template, and click Duplicate Template.

d. On the General tab, in the Template display name box, type Authenticated Session for NWtraders.

e. On the Security tab, click Authenticated Users.

f. Configure the following permissions:

• Read: Allow

• Enroll: Allow

• Autoenroll: Allow

g. Click OK.

h. In the details pane, right-click the RAS and IAS Server template, and then click Properties.

i. Click the Security tab.

j. Click Authenticated Users and configure the following permissions:

• Read: Allow

• Enroll: Allow

• Autoenroll: Allow

k. Click OK.

l. Close the Certificate Templates console.

8. Configure the Certificate Authority to issue the new certificates.

a. Click Start, point to Administrative Tools, and then click Certification Authority.

The Certification Authority console opens.

b. Expand Northwind Traders CA.

c. Right-click Certificate Templates, point to New, and click Certificate Template to Issue.

d. In the Enable Certificate Templates dialog box, hold down the CTRL key and click Authenticated Session for NWtraders and RAS and IAS Server.

e. Click OK.

f. In the left-hand console pane, click the Certificate Templates folder. Verify that the new templates are listed.

g. Close the Certification Authority console.

h. Click Start, and then click Run.


i. Type CMD in the Open text box. Click OK.

j. At the command prompt, type gpupdate /force. Press ENTER. This command refreshes Group Policy on VAN-DC1.

k. Close the command prompt.


Exercise 3 Implementing VPN Network Quarantine

In this exercise, you learn the steps required to implement a VPN network quarantine solution. You begin by creating a remote access policy for VPN network quarantine. You will then install the Network Access Quarantine Service on VAN-VPN1.

Scenario

To secure your remote VPN connections, you need to implement VPN network quarantine. The quarantine will place all remote access connections in a limited connection state, and run scripts on the client computer to ensure that specific security policies are in place. The network quarantine for Northwind Traders will scan each client computer to ensure that:

• Windows Firewall is enabled on all the interfaces on the client machine.

• Internet Connection Sharing is disabled on all the interfaces on the client machine.

• Password strength values meet the configured criteria.

• A screen saver is enabled and password-protected for the current user.

• All the requisite security updates are installed on the client machine.

Tasks Detailed steps

Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1.

Note: Perform the following steps on the VAN-DC1 computer.

1. Create a remote access policy for network quarantine.

a. Click Start, point to Administrative Tools, and then click Internet Authentication Service.

b. In the left-hand console pane, right-click Remote Access Policies, and then click New Remote Access Policy.

The New Remote Access Policy Wizard opens.

c. On the Welcome to the New Remote Access Policy Wizard, click Next.

d. On the Policy Configuration Method page, in the Policy name box, type Quarantined VPN remote access connections and then click Next.

e. On the Access Method page, click VPN, and click Next.

f. On the User or Group Access page, click Group and then click Add.

g. In the Select Groups dialog box, type VPNUsers and then click OK.

h. Click Next.

i. On the Authentication Methods page, make sure that Microsoft Encrypted Authentication version 2 (MS-CHAPv2) is selected. Click Next.

j. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes. Click Next.

k. On the Completing the New Remote Access Policy Wizard page, click Finish.


2. Modify the Quarantined VPN remote access connections policy profile to add the following attributes. MS-Quarantine-Session-Timeout: 120. MS-Quarantine-IPFilter: port 7250 (TCP, rqc), port 53 (UDP, DNS), network 10.10.0.12.

a. In the left-hand console pane, click Remote Access Policies.

b. In the details pane, right-click Quarantined VPN remote access connections and then click Properties.

The Quarantined VPN remote access connections Properties dialog box opens.

c. In the Quarantined VPN remote access connections Properties dialog box, click Edit Profile.

d. In the Edit Dial-in Profile dialog box, click the Advanced tab. Click Add.

The Add Attribute dialog box opens.

e. In the Add Attribute dialog box click MS-Quarantine-Session-Timeout. Click Add.

f. In the Attribute Information dialog box, type 120. Click OK.

g. In the Add Attribute dialog box, click MS-Quarantine-IPFilter, and then click Add.

h. In the IP Filter Attribute Information dialog box, click Input Filters.

i. In the Inbound Filters dialog box, click New.

j. In the Add IP Filter dialog box, next to Protocol, click TCP from the menu.

k. In the Destination port box, type 7250. Click OK. This input filter allows the notification message from the rqc.exe component configured in the Connection Manager profile and installed on the VPN client.

l. In the Inbound Filters dialog box, click New.

m. In the Add IP Filter dialog box, next to Protocol, click UDP from the menu.

n. In the Destination port box, type 53. Click OK. This input filter allows DNS traffic to be resolved between remote access clients that are quarantined and the DNS server.

o. In the Inbound Filters dialog box, click New.

p. In the Add IP Filter dialog box, click the check box next to Destination network.

q. In the IP address box, type 10.10.0.12.

r. In the Subnet mask box, type 255.255.255.255.

s. In the Protocol menu, click Any. Click OK. This input filter allows remote access clients to access the quarantine resources on VAN-VPN1.

t. In the Inbound Filters dialog box, click the radio button next to Permit only the packets listed below.

u. Click OK to close the Inbound Filters dialog box.

v. Click OK to close the IP Filter Attribute Information dialog box.

w. Click Close to close the Add Attribute dialog box.

x. Click OK to close the Edit Dial-in Profile dialog box.


y. Click OK to close the Quarantined VPN remote access connections Properties dialog box.

z. Close the Internet Authentication Service console.
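At this point IAS holds three remote access policies: the L2TP and PPTP policies from Exercise 2 (steps 2 to 5, each with a Tunnel-Type condition, the PPTP one with a 5 minute Session-Timeout) and the quarantine policy from steps 1 and 2 of this exercise, whose profile carries MS-Quarantine-Session-Timeout and an MS-Quarantine-IPFilter set in "Permit only the packets listed below" mode. The following is an added example, not code from the lab, that models the two decisions those settings drive: which policy IAS applies (it walks the policies in console order and uses the first whose conditions all match, rejecting the connection when none does) and which packets a quarantined client may send before rqc.exe releases it. The `Packet` and `IPFilter` classes, the sample traffic and the DNS server address (VAN-DC1 is assumed to be the DNS server) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    """A packet from a quarantined client, as seen by the RRAS filter."""
    protocol: str      # "TCP" or "UDP"
    dst_ip: str
    dst_port: int


@dataclass
class IPFilter:
    """One entry of MS-Quarantine-IPFilter; unset fields match anything."""
    protocol: str = "ANY"
    dst_port: Optional[int] = None
    dst_network: Optional[str] = None   # CIDR, e.g. 10.10.0.12/32

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ANY" and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.dst_network is not None and \
                ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_network):
            return False
        return True


@dataclass
class RemoteAccessPolicy:
    name: str
    groups: Set[str]                          # Windows-Groups condition
    tunnel_types: Optional[Set[str]] = None   # Tunnel-Type condition; None = not set
    session_timeout: Optional[int] = None     # dial-in constraint, minutes
    quarantine_timeout: Optional[int] = None  # MS-Quarantine-Session-Timeout, seconds
    quarantine_filters: List[IPFilter] = field(default_factory=list)


# The three policies as the lab configures them, in the order the lab creates them.
L2TP_POLICY = RemoteAccessPolicy("L2TP VPN Access", {"VPNUsers"}, {"L2TP"})
PPTP_POLICY = RemoteAccessPolicy("PPTP VPN Access", {"VPNUsers"}, {"PPTP"},
                                 session_timeout=5)
QUARANTINE_POLICY = RemoteAccessPolicy(
    "Quarantined VPN remote access connections", {"VPNUsers"},
    quarantine_timeout=120,
    quarantine_filters=[
        IPFilter("TCP", dst_port=7250),                # rqc.exe notification
        IPFilter("UDP", dst_port=53),                  # DNS
        IPFilter("ANY", dst_network="10.10.0.12/32"),  # anything on VAN-VPN1
    ])
LAB_ORDER = [L2TP_POLICY, PPTP_POLICY, QUARANTINE_POLICY]


def select_policy(policies, user_groups: Set[str], tunnel_type: str):
    """First-match policy selection; None means IAS rejects the connection."""
    for policy in policies:
        if not (user_groups & policy.groups):
            continue
        if policy.tunnel_types is not None and tunnel_type not in policy.tunnel_types:
            continue
        return policy
    return None


def quarantine_permits(policy: RemoteAccessPolicy, pkt: Packet) -> bool:
    """'Permit only the packets listed below': a packet passes while the client
    is quarantined only if some filter in the profile matches it."""
    return any(f.matches(pkt) for f in policy.quarantine_filters)


def quarantine_report(policy, packets):
    """Map 'PROTO ip:port' to the permit decision for each sample packet."""
    return {f"{p.protocol} {p.dst_ip}:{p.dst_port}": quarantine_permits(policy, p)
            for p in packets}


# Constructed sample traffic from a quarantined client (not from the lab).
SAMPLE_PACKETS = [
    Packet("TCP", "10.10.0.12", 7250),  # rqc.exe -> rqs on VAN-VPN1
    Packet("UDP", "10.10.0.2", 53),     # DNS query (VAN-DC1 assumed to run DNS)
    Packet("TCP", "10.10.0.12", 445),   # \\VAN-VPN1\Quarantine share
    Packet("TCP", "10.10.0.2", 445),    # \\VAN-DC1\Public: held back until release
]

if __name__ == "__main__":
    for groups, tt in [({"VPNUsers"}, "L2TP"), ({"VPNUsers"}, "PPTP"),
                       ({"Domain Users"}, "L2TP")]:
        chosen = select_policy(LAB_ORDER, groups, tt)
        print(groups, tt, "->", chosen.name if chosen else "REJECT")
    print(quarantine_report(QUARANTINE_POLICY, SAMPLE_PACKETS))
```

Run as written, the model applies the L2TP or PPTP policy to every VPNUsers member and never reaches the quarantine policy, because the earlier policies already match; only when the quarantine policy is evaluated first (`[QUARANTINE_POLICY] + LAB_ORDER`) does a member land in quarantine. Whatever the lab goes on to do with policy order, check it in the Remote Access Policies pane before testing from VAN-CL1. The model also shows that the TCP 7250 and UDP 53 filters carry no destination network, so they admit those ports to any host reachable through the tunnel; adding the DNS server's address as the destination network of the UDP 53 filter is the usual tightening.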

Note: Perform the following steps on the VAN-VPN1 computer.

3. Install the Network Access Quarantine Service on VAN-VPN1.

a. If necessary, log on to VAN-VPN1 as the Administrator with the password of P@ssw0rd.

b. Click Start, point to Control Panel, and then click Add or Remove Programs.

c. In the Add or Remove Programs window, click Add/Remove Windows Components.

After a few moments the Windows Components Wizard opens.

d. In the Components list, scroll down and select Networking Services. Do not click the check box. Click Details.

The Networking Services dialog box opens. Be careful not to select the check box next to Networking Services because all services will then be selected on this page.

e. Click the check box next to Remote Access Quarantine Service. Click OK.

f. Click Next. The Configuring Components page is displayed and the installation continues. This may take several minutes to complete.

g. When the Completing the Windows Components Wizard dialog box is displayed, click Finish.

h. Close the Add or Remove Programs window.

4. Start the Remote Access Quarantine Service.

a. Click Start, point to Administrative Tools, and then click Services.

b. In the Services console, right-click Remote Access Quarantine Agent and then click Start.

After a few moments the Remote Access Quarantine Agent starts.

c. Close the Services console.

5. Configure the Quarantine access folder. This folder will be used to hold update files for access from clients that are in quarantine.

Folder Name: Quarantine
Share Name: Quarantine
Share Permissions: Default
NTFS Permissions: Default

a. Click Start, and then click Windows Explorer.

b. Browse to Local Disk (C:).

c. Click the File menu and then click New, Folder.

d. Name the new folder Quarantine.

e. Right-click the Quarantine folder and then click Properties.

f. Click the Sharing tab.

g. On the Sharing tab, select the radio button next to Share this folder.

h. Accept the default Share name of Quarantine.

i. Click OK to close the Quarantine Properties dialog box.

j. Close Windows Explorer.


6. Refresh Group Policy on VAN-VPN1.

a. Click Start, click Run, and then type CMD in the Open text box. Click OK.

b. At the command prompt, type gpupdate /force. Press ENTER. This command refreshes Group Policy on VAN-VPN1, pulling the current settings from VAN-DC1.

c. Close the command prompt.

7. Stop and start the Routing and Remote Access service. Start the Remote Access Quarantine Agent.

a. Click Start, point to Administrative Tools, and then click Routing and Remote Access.

b. Right-click VAN-VPN1 (local), point to All Tasks, and click Stop. Wait for the Routing and Remote Access service to stop.

c. When the service has stopped, right-click VAN-VPN1 (local), point to All Tasks, and click Start.

This task ensures both that the remote access policies have been refreshed from VAN-DC1 and that the RAS and IAS Servers certificate on VAN-VPN1, which has been autoenrolled through Group Policy, will be accessible.

d. Close the Routing and Remote Access console.

e. Click Start, point to Administrative Tools, and then click Services.

f. Right-click Remote Access Quarantine Agent and then click Start.

g. Close the Services console.


Exercise 4: Creating the Quarantine Connection Manager Profile

In this exercise, you will learn how to use the Connection Manager Administration Kit to create a Connection Manager Profile package. The Connection Manager profile will contain settings to support VPN access quarantine and L2TP/IPSec security. You will then install the profile package on a client computer and test the VPN connection.

Scenario

The final step in implementing the VPN remote access security solution is to create a customized Connection Manager Profile. The Connection Manager Administration Kit will be used to create the profile package, which includes settings to support VPN access quarantine and L2TP.


Note: This lab exercise uses the following computers: VAN-VPN1 and VAN-CL1.

Note: Perform the following step on the VAN-VPN1 computer.

1. Apply a quarantine script to be used to verify that client computers meet specific organizational security policies. This script has been preconfigured for this lab.

a. If necessary, log on to VAN-VPN1 as Administrator with the password P@ssw0rd.

b. Click Start, and then click Windows Explorer.

c. Browse to C:\Scripts.

d. Right-click QSamples.cmd and then click Edit. Scroll through the sample script. Notice that there are sections related to Windows Firewall checking, ICS checking, password strength validation, screen saver validation, antivirus validation and operating system updates validation. Note that the antivirus validation has been disabled for this lab.

e. Close the QSamples.cmd file.

2. Create a new Connection Manager Profile using Connection Manager Administration Kit (CMAK).

a. Click Start, point to Administrative Tools, and then click Connection Manager Administration Kit.

The Connection Manager Administration Kit Wizard starts.

b. On the Welcome to the Connection Manager Administration Kit Wizard, click Next.

c. On the Service Profile Selection page, select New Profile. Click Next.

d. On the Service and File Names page, in the Service Name text box, type VPN Access to NWtraders.

e. In the File name box, type NWtrVPN. Click Next.

f. On the Realm Name page, click Next.

g. On the Merging Profile Information page, click Next.

h. On the VPN Support page, select the Phone Book from this profile check box.

i. In the VPN Server Name or IP Address section, type VPN1.nwtraders.msft. Click Next.

j. On the VPN Entries page, click Edit.


k. On the Edit Virtual Private Networking Entry dialog box, on the Security tab, click Use advanced security settings and then click Configure.

l. Under Authentication methods, clear the check box next to Microsoft CHAP (MS-CHAP).

m. In VPN strategy, click Try Layer Two Tunneling Protocol First. Click OK.

n. Click OK to return to the VPN Entries page. Click Next.

o. On the Phone book page, clear the check box next to Automatically download phone book updates. Click Next.

p. On the Dial-up Networking Entries page, click Next.

q. On the Routing Table Update page, click Next.

r. On the Automatic Proxy Configuration page, click Next.

3. Add custom actions to the Connection Manager profile to perform quarantine policy checks for VPN users.

a. On the Custom Actions page, click New.

b. In the New Custom Action dialog box complete the following:

• Description: Quarantine policy check

• Program to run: Qsamples.cmd (Browse to C:\scripts)

• Parameters: %ServiceDir% %ServiceName% RASQuarantineConfigPassed %Domain% %Username%

• Action Type: Post-connect

• Run this custom action for: All connections

c. Click OK.

d. On the Custom Actions page, click Next.

4. Complete the creation of the profile and add additional files to the profile: rqc.exe and the scripts from C:\scripts.

a. On the Logon Bitmap page, click Next.

b. On the Phone Book Bitmap page, click Next.

c. On the Icons page, click Next.

d. On the Notification Area Shortcut Menu page, click Next.

e. On the Help File page, click Next.

f. On the Support Information page, click Next.

g. On the Connection Manager Software page click Next.

h. On the License Agreement page, click Next.

i. On the Additional Files page, click Add.

j. Browse to the C:\Program Files\cmak\support folder, click rqc.exe, and then click Open.

k. On the Additional Files page, click Add.

l. Browse to the C:\scripts folder, and then select all files. Click Open.

m. On the Additional Files page, click Next.

n. On the Ready to Build the Service Profile page, click Next. A command prompt window opens.

o. When the Completing the Connection Manager Administration Kit Wizard page opens, click Finish.

The profile is saved at C:\Program Files\cmak\Profiles.


p. Open Windows Explorer and browse to C:\Program Files\cmak\Profiles\NWtrVPN.

Notice the various application and support files.

q. Right-click the Profiles folder and click Properties.

r. Click the Sharing tab.

s. Click the radio button next to Share this folder.

t. Click OK.

u. Close the Explorer window.

Note: Perform the following steps on the VAN-CL1 computer.

5. Copy the Connection Manager Profile package to VAN-CL1.

a. Log on to VAN-CL1 as Don with the password P@ssw0rd.

b. Click Start, and then click Run.

c. In the Open text box type \\VAN-VPN1\Profiles. Click OK. The Profiles on van-vpn1 window opens.

d. Right-click the NWtrVPN folder.

e. Click Copy.

f. Right-click the Windows desktop and then click Paste.

g. Close the Profiles on van-vpn1 window.

6. Configure VAN-CL1 as an external client.

a. On the Windows desktop, double-click ExternalClient. The batch file configures VAN-CL1 as an external client with the IP address 131.107.0.10. It also configures a hosts file to provide name resolution for VPN1.nwtraders.msft.

7. Install the Connection Manager Profile package.

a. On the Windows desktop double-click the NWtrVPN folder.

b. In the NWtrVPN window double-click NWtrVPN.

c. In the VPN Access to NWtraders dialog box, click Yes. The Connection Manager installation begins.

d. In the VPN Access to NWtraders dialog box, click My use only and click the check box next to Add a shortcut on the desktop.

e. Click OK. The installation continues. After a few moments the VPN Access to NWtraders logon prompt is displayed.

f. In the VPN Access to NWtraders logon box, click Cancel.

g. Close all open windows.

8. Verify that policy violations exist on VAN-CL1.

a. Click Start and then click Control Panel.

b. Click Security Center.

c. In the Security Center, click Windows Firewall. Verify that the firewall is turned off.

d. Close all windows.

e. Right-click the desktop and then click Properties.

f. Click the Screen Saver tab. Verify that the screen saver is disabled.


9. Connect to the NWtraders VPN.

a. On the Windows desktop, double-click Shortcut to VPN Access to NWtraders.

The VPN Access to NWtraders logon prompt is displayed.

b. In the User name box type Don.

c. In the Password box, type P@ssw0rd.

d. In the Logon domain, type NWtraders.

e. Click Connect. A command prompt window is displayed which shows the progress of the policy compliance scan. At this point VAN-CL1 only has access to the quarantine resources. When the script pauses, scroll through the text and verify that the firewall and screen saver were enabled.

10. Verify that VAN-CL1 is now compliant with the company security policy.

a. Click Start and then click Control Panel.

b. Click Security Center.

c. In the Security Center, click Windows Firewall. Verify that the firewall has been enabled.

d. Close all windows.

e. Right-click the desktop and then click Properties.

f. Click the Screen Saver tab. Verify that the screen saver has been enabled.

g. In the system tray, right-click the VPN connection icon and then click Status.

h. Click the Details tab.

i. Verify that WAN Miniport (L2TP) is listed as the Device Name and that IPSec, ESP 3DES is listed for IPSEC Encryption.

j. Open a Web browser and attempt to access http://van-dc1.nwtraders.msft/test.htm. Click each link to test connectivity.

This is an internal web site. Connecting to this web site means that you have been removed from quarantine.

11. Shut down computers.

a. Shut down all Virtual PC computers without saving the changes.