You can use the Network Connection wizard to create the following connections :
Dial-up to a private network. Enter the number to dial, choose whether only you or every user of the computer can use the connection, and give the connection a friendly name.
Dial-up to the internet. Sign up for a new internet account (select an ISP and enter billing information), transfer an existing internet account (enter the ISP number, user-id and password) or set up an internet connection manually.
Connect to a private network through the internet. To reach another network via the internet, TCP/IP, IPX or NetBEUI packets are encapsulated in a tunnel. Because of this encapsulation an observer on the internet sees only the source and destination addresses of the tunnel endpoints. Packets can be encapsulated and encrypted with the Point-to-Point Tunneling Protocol (PPTP, encryption by MPPE). Another tunneling option is the Layer 2 Tunneling Protocol (L2TP), which only encapsulates packets and does not encrypt data by itself; it relies on IPSec for encryption.
Accept incoming connections. With this option Windows 2000 Professional acts as a Remote Access Server (RAS). Windows 2000 Professional accepts up to three simultaneous incoming connections, one of each type (dial-up, VPN, direct serial connection). For each type of connection you set which users may access the machine and whether they may use callback with a fixed or a caller-supplied number. Remote users need a local account. You can also set whether virtual private connections are allowed. In the TCP/IP properties you can allow callers to access the local network, assign IP addresses via DHCP or from a fixed range, or let the client specify its own address.
Connect directly to another computer.
For dial-up and private network connections you can set the following entries :
General tab. Connect using (which modem to use). Phone number (area code, phone number, country/region code) and alternate numbers. Show icon in the taskbar.
Options tab. Dialing options (display progress while dialing, prompt for name and password, include Windows logon domain, prompt for phone number). Redialing options (number of attempts, time between redials, idle time before hanging up, redial if the line is dropped). X.25 button (network, X.121 address, user data, facilities).
Security tab. Typical options : allow unsecured password, require secured password, or use smart card. With require secured password you can automatically use the Windows logon name and domain and require data encryption. Advanced options : set data encryption (optional, no encryption, required) and logon security : use EAP (MD5-challenge or smart card) or allow the following protocols :
* Unencrypted password (PAP)
* Shiva Password Authentication Protocol (SPAP)
* Challenge Handshake Authentication Protocol (CHAP)
* Microsoft CHAP (MS-CHAP), optionally including the older MS-CHAP version for Windows 95 servers
* Microsoft CHAP version 2 (MS-CHAP v2)
You can let MS-CHAP use the default user and domain name. Interactive logon items : show terminal window, run script. Note that the server chooses among the protocols the client allows, so leaving PAP or SPAP enabled lets a server (or someone impersonating one) obtain the password in a recoverable form; allow only MS-CHAP v2 or EAP where possible.
Networking tab. Set the type of dial-up server (PPP or SLIP) or the type of VPN server (PPTP or L2TP). Select the protocols and clients (TCP/IP, Client for Microsoft Networks etc.) and set their properties.
Sharing tab. Allow Internet Connection Sharing (ICS) for this connection. If allowed you can activate on-demand dialing.
On Windows 2000 Server RAS is enabled via the Routing and Remote Access service. You configure inbound connections with the Routing and Remote Access MMC snap-in (rrasmgmt.msc). You configure the server via the Configure and Enable Routing and Remote Access option that appears when you right-click the server. This offers the following options :
Internet connection server. Set up Internet Connection Sharing (ICS) or set up a router with the NAT routing protocol.
Remote access server. Configure a remote access server. The server properties for this option are described below.
Under the server properties you can customize the following tabs :
General tab. Enable the server as a router and/or a remote access server.
Security tab. Set the authentication provider (Windows authentication or RADIUS authentication) and the accounting provider (none, Windows accounting or RADIUS accounting). You can select the following authentication methods :
* EAP (MD5 or smart card)
* Microsoft encrypted authentication version 2 (MS-CHAP v2)
* Microsoft encrypted authentication (MS-CHAP)
* Encrypted authentication (CHAP)
* Shiva Password Authentication Protocol (SPAP)
* Unencrypted password (PAP)
* Unauthenticated access
IP tab. Enable or disable IP routing (default on), allow the IP protocol for RAS connections (default on) and set how IP addresses are assigned (DHCP or a static address pool). If other protocols are installed, a tab to customize each of them is present.
PPP tab. Allow multilink connections (default on), control bandwidth with BAP or BACP (default on), Link Control Protocol (LCP) extensions (default on) and software compression (default on).
Event log tab. Log errors only, log errors and warnings, log the maximum amount of information, or disable event logging; enable PPP logging (c:\winnt\tracing\ppp.log). By default Log errors and warnings is selected.
To give a user dial-in access, authorize the account on the Dial-in tab of the user's properties. There you set whether the user may dial in (allow, deny, or control access through remote access policy), whether caller ID is verified, the callback options (no callback, set by caller, or always call back to a specified number), a static IP address and static routes.
Virtual private network (VPN) server. See summary VPN.
Network router. See summary routing.
Manually configure server.
In the Remote Access Logging folder of the RRAS MMC you set where the log file is stored and what it should contain :
Settings tab :
* Log accounting requests.
* Log authentication requests.
* Log periodic status.
Local file tab :
* Log file format. IAS format (default) or database-compatible format.
* New log time period. Daily, weekly, monthly, unlimited file size (default), or when the log file reaches x MB.
* Log file directory. Default e:\winnt\system32\LogFiles, i.e. %systemroot%\system32\LogFiles; the file is iaslog.log.
Netsh is a command-line and scripting tool. Its ras, routing and interface contexts configure and monitor RRAS.
Network Monitor captures and displays network traffic at one of the computer's interfaces.
A resource kit utility that displays RRAS server announcements seen on the network.
A resource kit utility that monitors details of the RRAS server.
A resource kit utility that lists all users on a domain or server who have been granted permission to dial in via RRAS.
A resource kit utility that traces RRAS internal components.
Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) are protocols for dial-up connections. SLIP is older, less secure (it has no authentication or encryption of its own) and can only be used for outbound connections; SLIP carries TCP/IP only. PPP is a data link protocol that can carry TCP/IP, IPX and NetBEUI. PPP supports various authentication protocols, data encryption and compression. PPP has three main components :
Encapsulation. Packages the network protocols (TCP/IP, IPX and NetBEUI) into frames.
LCP. The Link Control Protocol provides the handshake for the encapsulation format, packet size, authentication protocol, bringing up or dropping extra lines, etc.
Network Control Protocols. They negotiate the configuration needed by the transport protocols TCP/IP, IPX and NetBEUI.
PAP (Password Authentication Protocol). Least secure protocol. Passwords are sent in clear text and can be captured from the network. PAP provides no protection against replay attacks or remote client impersonation once the user's password is compromised.
Challenge Handshake Authentication Protocol (CHAP). The server sends a challenge containing a session ID and an arbitrary challenge string to the client. The client returns its user name in clear text together with an MD5 hash over the session ID, its password and the challenge string. The server computes the same hash from the password it has stored and grants access if the two match; the password itself is never sent over the network. Because the server must recompute the hash from the password, it needs the password in clear text, which on Windows 2000 means the account must store its password with reversible encryption. CHAP protects against replay attacks by using a fresh, arbitrary challenge string for each authentication attempt, and against remote client impersonation by unpredictably sending repeated challenges to the client during the connection. A captured challenge/response pair can still be attacked offline by guessing passwords.
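As an added example (not part of the original notes), the PAP and CHAP points above in Python: the server issues a fresh challenge, the client answers with MD5(ID || password || challenge), a sniffed response is replayed and fails, and the same sniffed exchange is then run through a dictionary attack to show why "the password is never on the wire" is not the same as "the password is safe". The account name, password and word list are made up.

```python
"""CHAP (RFC 1994) exchange between a dial-in client and a RAS server,
followed by an offline dictionary attack on a captured exchange.
Added example for these notes; the account and word list are made up."""
import hashlib
import hmac
import os

# Assumed server-side account store. CHAP forces the server to keep the
# clear-text password (Windows 2000: "Store password using reversible
# encryption"), because it must recompute the client's hash.
ACCOUNTS = {"alice": "Winter2002"}


def chap_response(chap_id, password, challenge):
    """Client side: MD5(Identifier || secret || challenge), RFC 1994 section 4."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def server_challenge():
    """Server side: a new identifier and an unpredictable 16-byte challenge
    for every attempt, which is what defeats replay of an old response."""
    return os.urandom(1)[0], os.urandom(16)


def server_verify(username, chap_id, challenge, response):
    """Server side: recompute the hash from the stored password and compare."""
    password = ACCOUNTS.get(username)
    if password is None:
        return False
    expected = chap_response(chap_id, password, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username, client_password):
    """Run one full exchange; return the verdict and what a sniffer would see
    (user name in clear, identifier, challenge and response)."""
    chap_id, challenge = server_challenge()
    response = chap_response(chap_id, client_password, challenge)
    ok = server_verify(username, chap_id, challenge, response)
    captured = (username, chap_id, challenge, response)
    return ok, captured


def replay_attempt(captured):
    """Attacker replays a sniffed response against a fresh server challenge."""
    username, _old_id, _old_challenge, old_response = captured
    chap_id, challenge = server_challenge()
    return server_verify(username, chap_id, challenge, old_response)


def dictionary_attack(captured, wordlist):
    """Offline: the sniffed identifier and challenge let an attacker test
    guesses without touching the server, so CHAP still needs strong passwords."""
    _username, chap_id, challenge, response = captured
    for guess in wordlist:
        if chap_response(chap_id, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    ok, capture = chap_exchange("alice", "Winter2002")
    print("login:", ok)                          # True
    print("replay:", replay_attempt(capture))    # False
    print("cracked:", dictionary_attack(capture, ["password", "Winter2002"]))
```

The replay fails because the server hashes over its own new challenge, but the dictionary attack succeeds because everything the attacker needs to test a guess (identifier, challenge, response) was on the wire; PAP would simply have shown the password directly.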
Microsoft CHAP (MS-CHAP). Like CHAP, the server sends a challenge containing a session ID and an arbitrary challenge string. The client returns the user name and a response derived from the challenge string with the MD4 hash of its password (the NT hash, used as DES keys to encrypt the challenge), not with the clear-text password itself. This lets the server store the password hash instead of the clear-text password. MS-CHAP also sends additional error codes to the client, such as password expired, and allows the user to change the password. With MS-CHAP both client and server independently generate an initial key for subsequent data encryption by MPPE. Note that the stored hash is then a password equivalent: whoever obtains the NT hash can authenticate without knowing the password.
Microsoft CHAP version 2 (MS-CHAP v2). An improved version of MS-CHAP with higher security : LAN Manager encoding of the response is no longer supported, both the client and the server are authenticated (mutual authentication), and cryptographic keys for data transmission are derived from the exchange, with separate keys for each direction. The response is still DES-based on the NT hash, so a captured exchange can be attacked offline; prefer EAP-TLS with certificates or smart cards where available.
Shiva Password Authentication Protocol (SPAP). Used by Shiva LAN Rovers. The password is sent encrypted with a reversible scheme, so it can be recovered from a captured exchange.
Extensible Authentication Protocol (EAP). Offers stronger authentication than CHAP and can be extended with third-party methods. EAP methods in Windows 2000 :
* Token cards that provide passwords.
* MD5-CHAP (Message Digest 5 Challenge Handshake Authentication Protocol). Uses hashing for authentication like CHAP.
* TLS (Transport Layer Security). Supports smart cards and certificates; offers mutual authentication and key material for encryption.
Remote Authentication Dial-In User Service (RADIUS). A central RADIUS server manages the dial-in accounts. When a user logs on to a RADIUS client (the RAS server), the client forwards the authentication request to the RADIUS server and acts on its accept or reject. RADIUS messages are protected only by MD5 with a shared secret between the RAS server and the RADIUS server, so that secret must be strong and the path between the two should be a trusted network.
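As an added example (not from the original notes), the RADIUS exchange above in Python: the RAS server, acting as RADIUS client, hides the user's PAP password under MD5 keyed with the shared secret, the RADIUS server recovers it and answers, and the RAS server verifies the Response Authenticator before honouring the verdict. The shared secret, account, NAS address and the forged-reply helper are assumptions for illustration.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept between a RAS server
acting as RADIUS client and a RADIUS server: User-Password hiding and the
Response Authenticator check. Added example for these notes; the secret,
account and addresses are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then 16-byte Authenticator


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password. Only the shared secret is needed, which is
    why a weak secret exposes every PAP password relayed over RADIUS."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 1 < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(username, password, secret, nas_ip):
    """RAS server (RADIUS client): random Request Authenticator per request."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return packet(ACCESS_REQUEST, os.urandom(1)[0], request_auth, attrs)


def radius_server(request, secret, accounts):
    """RADIUS server: recover the password, decide, sign the reply."""
    code, ident, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if accounts.get(user, "").encode() == password else ACCESS_REJECT
    auth = response_authenticator(verdict, ident, request_auth, b"", secret)
    return packet(verdict, ident, auth, b"")


def check_reply(request, reply, secret):
    """RAS server: honour the verdict only if the Identifier matches and the
    Response Authenticator verifies; returns the code, or None if bogus."""
    code, ident, length = HEADER.unpack(reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def forge_accept(reply):
    """On-path attacker without the secret flips the Code byte to Access-Accept."""
    return bytes([ACCESS_ACCEPT]) + reply[1:]


def authenticate(username, password, secret, accounts, tamper=None):
    """Full round trip as the RAS server sees it; NAS address is assumed."""
    request = access_request(username, password, secret, "10.0.0.5")
    reply = radius_server(request, secret, accounts)
    if tamper:
        reply = tamper(reply)
    return check_reply(request, reply, secret)
```

A forged Access-Accept is rejected because the attacker cannot produce the Response Authenticator without the shared secret; conversely, anyone who has that secret can both read every relayed password and forge verdicts, which is the whole trust model of RADIUS as used between a RAS server and IAS.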
Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP) for multilink (several lines) connections. They give the ability to dynamically add or drop links. They are configured via remote access policies; policies to drop lines can be set for different groups and for different levels of line usage.
Point-to-Point Tunneling Protocol (PPTP) is an extension of PPP. PPTP can only be used over IP networks and does not support header compression or tunnel authentication; user authentication comes from the PPP authentication protocols and data encryption from MPPE (which requires MS-CHAP, MS-CHAP v2 or EAP-TLS, since the MPPE keys are derived from them), so the tunnel is only as strong as the PPP authentication it is built on.
Another tunneling protocol is the Layer 2 Tunneling Protocol (L2TP), which only encapsulates packets and does not encrypt data itself. L2TP can be used over IP but also over Frame Relay, ATM and X.25. It supports header compression and tunnel authentication. For encryption IPSec is used (L2TP/IPSec), which on Windows 2000 also authenticates the computers at both ends with certificates.
A Windows NT 4.0 Remote Access Service/Routing and Remote Access Service server uses the LocalSystem account to retrieve user account information. Because LocalSystem logs on to a domain controller with null credentials, which Windows 2000 domain controllers do not allow, this causes problems; it also occurs after an upgrade. There are three ways to solve this :
Run the domain in mixed mode and make a Windows NT 4.0 domain controller available for the RAS/RRAS server. Keep in mind that if the RAS server contacts a Windows 2000 domain controller, the logon will fail.
Run the RAS server on a Windows NT 4.0 domain controller.
Give the Everyone group permission to read any property on any user object. This is configured with the Active Directory Installation Wizard (dcpromo) by selecting Permissions compatible with pre-Windows 2000 servers, which adds Everyone to the Pre-Windows 2000 Compatible Access group. It can also be done in a native-mode environment, but it weakens security because anonymous (null session) clients can then read user attributes.
In larger scale installations, the Connection Manager Administration Kit and Connection Point Services can be used together to deliver a customized remote access direct-dial and VPN client to corporate systems.
Internet: All-user remote access service credential. One account and its credentials are available for all users on the same computer to access the internet (WH1323N020601)
Internet: TCP/IP name resolution over RAS without WINS/DNS. NetBIOS over TCP/IP gateway for RAS (WH1160N020601)
Internet: RAS audio acceleration (WH1262N020701)
Connecting remote users to your network
Internet Authentication Service (IAS) for Windows 2000
Last update : 3 September 2002