PSK won't give you the "only known machines" aspect you asked for. The very
nature of PSK (pre-shared; the "human" has it) is that anyone who knows it can
use it, regardless of the machine where they operate. These articles are good
starting points for anyone getting their heads around IPSec:

http://www.microsoft.com/technet/community/columns/secmgmt/sm121504.mspx
http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx

What you're asking for is a two-factor authentication mechanism, which falls
outside of your stated "easily managed" solution. You also need to rethink your
choice of servers. Providing Internet TS access and file services to a domain
controller is asking for an opportunity to "seek new challenges" in most
companies.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai
Sent: Wednesday, January 03, 2007 8:01 PM
To: [email protected]
Subject: Re: Secure Remote access - windows 2003

That is cool! Thanks James. A few questions before I start the implementation:

I will set up the RRAS and the supporting IPSEC/L2TP as you have mentioned in
the link. Is there any additional IPSEC/L2TP config to be done other than what
you have explicitly mentioned in the link?

My requirement is only for known machines to connect - not cybercafes, so this
suits me. I will use PSK.

The access is needed to one file-server only, for which I will assign a public
IP. [Or I can have a gateway machine dedicated for RRAS with a public IP and
host this file-server machine behind the RRAS gateway.] This file-server is a
domain controller. All remote users will be having valid domain
login-ids/passwords, but their laptops will be configured as part of
workgroups. This file-server has shares which need to be accessible to these
remote users for file copy.

I hope the connecting user will be asked for the user-id/password in addition
to the IPSEC PSK. Can my requirement be met with the RRAS solution? I hope
everything from user-id/password to file copy will be IPSEC-ed.

Thanks in advance

On 1/3/07, James D. Stallard <[EMAIL PROTECTED]> wrote:
> You don't mention the number of users, but the budget suggests small
> scale :)
>
> Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and
> with WXP SP2 as your client you have 2048bit Diffie-Hellman encryption
> available.
>
> Setting up RRAS to perform this task is done in less than 20 minutes
> and is easy to get through a firewall inbound (IE your firewall). The
> problems you have to face are:
>
> - If you wish to use pre-shared keys (the "cheapest" way of doing it)
>   you will need to configure the PSK passphrase on each client
>   individually - easy with a small number of clients. Otherwise, you
>   will need to invest in a certificate authority.
>
> - This is only suitable for access by known machines, not for internet
>   café type environments.
>
> - This solution works great for the remote home user, but is less
>   successful for your travelling salesmen using the client's internet
>   connection, as they generally have the relevant ports/protocols blocked.
>
> - The locally configured PSK may not be stored in a highly secure
>   manner on the client machines and could possibly become known in the
>   event a machine configured with it is stolen. You may find yourself
>   having to re-deploy a new PSK.
>
> I wrote a quick and dirty step-by-step here:
> http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus
>
> In case one of your configured laptops is stolen and an attempt is
> made on your RRAS solution, pay attention to your account locking on
> failed password settings. You want permanent locks on a small number
> of attempts (say 5), thus forcing administrative intervention and
> investigation in the event of an account becoming locked.
>
> Cheers
>
> James D. Stallard
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai
> Sent: 02 January 2007 04:17
> To: [email protected]
> Subject: Secure Remote access - windows 2003
>
> I am planning to provide remote access from Internet to a windows 2003
> domain controller. User-ids, NTFS permissions are all configured.
>
> The objective is file sharing and access. Files will need to be copied.
> The machine has a valid Internet IP address and is sitting behind a
> Firewall.
>
> I would like to keep the solution independent of the Firewall. This will
> be accessed by roaming users. I am thinking of something like OpenSSH for
> windows or maybe just GUI based Secure-FTP.
>
> Challenges I am facing
> ------------------------------------
> Authentication should be strong. Something more than a password. [No
> budget for RSA SecurID :-))) ]
>
> Encryption for user-credentials/data access
>
> Options considered
> ----------------------------------
> I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy
> is not simple and also you require an Application Mode license.
>
> The number of remote users - less than 100
>
> Cost effective, easy to implement and easy to manage solution sought
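As an added example (not code from this thread, from RRAS or from any Microsoft tool), the lockout policy James recommends replayed over constructed authentication records: the log format, user names and addresses are assumptions, and a real deployment would read the RRAS or Security event log instead.

```python
import re

# Policy from the advice above: permanent lock after 5 failures, cleared only by an admin.
LOCKOUT_THRESHOLD = 5

# Constructed sample log (not a real RRAS/Windows event format), one PPP user logon per line.
SAMPLE_LOG = """\
2007-01-04T08:00:01 user=bob   src=203.0.113.8   result=fail
2007-01-04T08:00:09 user=bob   src=203.0.113.8   result=ok
2007-01-04T08:00:15 user=alice src=198.51.100.23 result=fail
2007-01-04T08:00:20 user=alice src=198.51.100.23 result=fail
2007-01-04T08:00:31 user=alice src=198.51.100.23 result=fail
2007-01-04T08:00:44 user=alice src=198.51.100.23 result=fail
2007-01-04T08:00:52 user=alice src=198.51.100.23 result=fail
2007-01-04T08:01:10 user=alice src=198.51.100.23 result=ok
"""
LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+src=(\S+)\s+result=(ok|fail)$")

def parse_log(text):
    """Yield (timestamp, user, source, result); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def apply_lockout_policy(events, threshold=LOCKOUT_THRESHOLD):
    """Replay events; returns {user: state}. A locked account refuses even a
    correct password until admin_unlock() is called."""
    accounts = {}
    for ts, user, src, result in events:
        acct = accounts.setdefault(user, {"failures": 0, "locked": False, "alerts": []})
        if acct["locked"]:  # reject the attempt, but record it for the investigation
            acct["alerts"].append(f"{ts} {user}: {result} attempt from {src} while locked")
            continue
        if result == "fail":
            acct["failures"] += 1
            if acct["failures"] >= threshold:
                acct["locked"] = True
                acct["alerts"].append(f"{ts} {user}: locked after {threshold} failures from {src}")
        else:
            acct["failures"] = 0  # a success below the threshold resets the counter
    return accounts

def admin_unlock(accounts, user):
    """Administrative reset after investigation; True if the account was locked."""
    acct = accounts.get(user)
    if not acct or not acct["locked"]:
        return False
    acct.update(failures=0, locked=False)
    return True
```

In the sample, alice's correct password on the sixth attempt is refused and logged, which is the point of a permanent lock: a stolen laptop that still carries the PSK gets a handful of guesses and then an administrator has to look.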
