Control RAS/VPN with AD computer accounts

P

Phil

I'm sure I'm not the first person to ask this: What are
my options for making sure people aren't connecting to my
LAN with their home computers? Basically I would like to
lock down the ability to VPN into my network to
authenticated users on authenticated company
hardware/images.

Is there a way to do it with IAS policies? Do I need to
script? If so, how? Am I stuck with connection
manager/NAQC? Thanks in advance!

Environment:
- Windows 2003 AD
- Windows 2000 IAS server
- Windows XP clients
 
S

Steven L Umbach

One way would be to use l2tp and issue computer certificates to domain
computers and the VPN server. Then you can use Remote Access Policies and/or
firewall rules to restrict access to only l2tp. L2tp can require computer
certificates for computer authentication or else the VPN connection fails.
You will have to install the NAT-T client on your VPN clients if use a NAT
device for firewall/internet connection. To create and issue certificates,
you can use one of your Windows Server domain computers as an Enterprise
Certificate Authority and use autoenrollment, Web Enrollment, or mmc
certificates snapin for computers; to issue or request certificates for
domain computers.. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
 
S

Steven L Umbach

If you are using Windows 2000 SP4 and all computers that you want to allow
access are Windows 2000 or XP Pro, you can actually assingn dial in
permissions to computer accounts in their account properties. Then you can
add the authorized computer accounts to a global group and use that group
with Remote Access Policy that is configured with that group name as
condition for the policy that must match to gain access to the VPN. If you
do that be sure to delete the default Remote Access Policy so that computers
not in the group will not gain access. Note that you must have at least one
Remote Access Policy or no one will be able to gain access to the VPN which
is why there is a default policy. Windows 2003 has a technology called
quarantine but that takes a whole lot more configuration than
ertitifcates. --- Steve

http://www.windowsecurity.com/articles/Securing_Remote_Access_Connections.html
-- basics or Remote Access Policies.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q313082&ID=KB;EN-US;q313082
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

VPN users not prompted to change their domain passwords 2
IAS Server 1
VPN to Cisco via Radius fails ppp 6
VPN to Windows Network with ACE/SecurID 1
RAS VPN problem with connection 0
Win2K3 domain account connecting to Win2K VPN server in an NT4 dom 2
Server 2008 RAS Only allowing clients to see local subnet 0
SP2: Strange VPN Problem 5

Top