1. Home
  2. Server Administration
  3. Securing Windows Server 2003

14.3 Authentication and Encryption Protocols

Windows Server 2003 supports a number of authentication and encryption protocols, which are designed to support a wide range of remote access clients. Selecting the strongest possible protocols that your clients support provides the best security for your remote access infrastructure.

14.3.1 Authentication Protocols

Windows Server 2003 supports several remote access authentication protocols. You can use remote access policies to determine which protocols your server will accept, as shown in Figure 14-3.

Figure 14-3. Selecting remote access authentication protocols in a remote access policy
figs/sws_1403.gif


The three basic protocols that Windows Server 2003 supports are:


Extensible Authentication Protocol (EAP)

EAP is primarily used to support advanced authentication mechanisms such as smart cards and requires additional configuration settings depending on how your environment is set up to handle those mechanisms.


Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

MS-CHAP is an older authentication protocol used by client operating systems like Windows 95.


MS-CHAP v2

Version 2 of the MS-CHAP protocol is native to Windows 2000 and Windows Server 2003 (and is included in Windows NT 4.0 Service Pack 4 and later) and provides more secure authentication than the older MS-CHAP.

Be sure your remote access policies will accept older authentication protocols if your remote access clients need them. However, always allow your policies to accept connections on the strongest protocols as well. Newer clients like Windows XP will attempt to use MS-CHAP v2 first, if your server permits it.

Your remote access clients must be configured to use the same authentication protocols as your server. Figure 14-4 shows the dial-up configuration for a typical Windows client. Selecting the strongest authentication method will cause the client to disconnect if the server does not support that method.

Figure 14-4. Typical Windows client dial-up configuration
figs/sws_1404.gif


By selecting the Advanced configuration on the client's dial-up properties, you can manually select the protocols that the client will attempt to use. The Advanced configuration dialog box is shown in Figure 14-5.

Figure 14-5. Advanced Windows client dial-up configuration
figs/sws_1405.gif


14.3.2 Encryption Protocols

Windows Server 2003 also allows you to restrict remote access connections to those that use specific levels of data encryption. As with authentication protocols, dial-up clients must be configured to use data encryption. Figure 14-6 shows a Windows client configured to use the strongest possible data encryption and to disconnect if the server does not support that level of encryption.

Figure 14-6. Configuring encryption in a remote access policy
figs/sws_1406.gif




    		Securing Windows Server 2003
    		Preface
    		Chapter 1. Introduction to Windows Server 2003 Security
    		Chapter 2. Basics of Computer Security
    		Chapter 3. Physical Security
    		Chapter 4. File System Security
    		Chapter 5. Group Policy and Security Templates
    		Chapter 6. Running Secure Code
    		Chapter 7. Authentication
    		Chapter 8. IP Security
    		Chapter 9. Certificates and Public Key Infrastructure
    		Chapter 10. Smart Card Technology
    		Chapter 11. DHCP and DNS Security
    		Chapter 12. Internet Information Services Security
    		Chapter 13. Active Directory Security
    		Chapter 14. Remote Access Security
    		14.1 What Is Remote Access?
    		14.2 Controlling Access
    		14.3 Authentication and Encryption Protocols
    		14.4 Virtual Private Networks
    		14.5 Example Implementations for Remote Access
    		14.6 Summary
    		Chapter 15. Auditing and Ongoing Security
    		Appendix A. Sending Secure Email
    		Colophon