Microsoft Windows Security Resource Kit

Securing Remote Access Clients

In addition to securing the remote access server, you must implement security measures at client computers. These security measures ensure that the client is configured with the required security settings for remotely accessing your corporate network. The measures that you can implement at the remote access client include the following:

• Configuring the CMAK packages.

• Implementing strong authentication.

• Deploying required certificates.

Configuring the CMAK Packages

The CMAK allows you to create Connection Manager packages that are preconfigured with your company s required security settings. In addition to choosing the type of authentication and encryption strength used by remote clients, the CMAK allows you to define other options, such as preventing a user s password from being saved or removing specific tabs from the Properties dialog box of the dial-up or VPN connection.

Implementing Strong Authentication

To ensure that user credentials cannot be determined from intercepted traffic, you should implement the strongest form of authentication available. Microsoft recommends using MS-CHAPv2 only for password-based authentication and using EAP-TLS only for certificate-based authentication. This is because these forms of authentication mutually authenticate both the remote client and the remote access server.

If you use the CMAK to create the remote client connection packages, you can specify within the package that only MS-CHAPv2 and EAP-TLS authentication are supported.

Deploying Required Certificates

The remote client will require certificates if either of the following conditions exist:

• The remote client connects by using an L2TP/IPSec connection. L2TP/IPSec requires that an IPSec or Computer certificate be installed at the remote access client.

• The remote client authenticates with the remote access server by using EAP-TLS authentication. In this case, the user must have a certificate that includes the Client Authentication OID in the Extended Key Usage attribute of the certificate. This OID indicates that the certificate can be used for client authentication. The certificate can be stored in either the user s profile or on a physical device, such as a smart card.

  It is always recommended you use a smart card rather than a certificate stored in the user s profile because a smart card is a form of two-factor authentication. To compromise a smart card, attackers must obtain both the smart card and the personal identification number (PIN) that protects the private key stored on the smart card. For a certificate stored in the user s profile, the attacker can access the private key material if they can compromise the user s password.