Back in the early days of computing, some things were simple. If you wanted to use a computer, you had to go to it and stay with it while you worked. This working method was acceptable for a while, but eventually convenience and accessibility had to be considered. How does a remote salesperson access data when in the office only once a month? How does a homebound employee continue to use computing resources? How can an administrator check errors or logs during off hours without having to get to the computer? For these and other reasons, remote access needed to be addressed.
Remote access in Windows Server 2003 is a set of features that allows remote users to access resources on a remote network. Generally, users can connect to a corporate network and use its resources as if they were directly connected to that network. Connections to the corporate network can be made via direct dial-up networking or through virtual private networking (VPN), in which the computer uses an intermediate network (such as the Internet) to reach the corporate network. VPN connections in Windows Server 2003 can use either of two tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and its newer successor, Layer 2 Tunneling Protocol (L2TP). As you'll see later, L2TP has some significant security advantages over PPTP.
Windows Server 2003 offers several new features for remote access. The most important is its extensive integration with IPSec. Using IPSec to protect VPN connections was introduced in Windows 2000, but several specific needs were not met until Windows Server 2003. These include support for preshared keys on VPN connections and the ability to establish tunnels from clients that sit behind network address translation (NAT).
Remote access functionality adds enormous flexibility for users to connect to corporate resources. It also adds opportunities for attackers to connect to those same resources. An attacker who makes a VPN connection to your corporate network is, in effect, sitting at a desk inside your company. Therefore, you must provide protection against such attackers. This chapter describes how to put that protection in place.