Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Secure Remote access - windows 2003

from [Jim Harrison] Network Security [Permanent Link]
Subject: RE: Secure Remote access - windows 2003
Date: Fri, 5 Jan 2007 08:15:39 -0800 
This "..enabled IP forwarding in the through Registry.." is a bit unclear; 
exactly what registry change(s) did you make?  If you edited anything under 
HKLM\System\CCS\Services\TCPIP, then undo it.  James' instructions gave you all 
you need to enable routing through your RRAS server.

You also have to consider the routing structure in your LAN.
Q1 - what IP assignments did you apply to the VPN clients?
Q2 - what is the routing path between the LAN hosts and the VPN server?
[you need to use a netcap tool (netmon, Wireshark, etc.) for the next two]
Q3 - did the LAN machine even see the ping?
Q4 - If Q3 = 'yes', did the LAN machine respond to the ping?

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of dubaisans dubai
Sent: Thursday, January 04, 2007 6:48 AM
To: James D. Stallard
Cc: focus-ms@securityfocus.com
Subject: Re: Secure Remote access - windows 2003

Using the instructions I have successfully setup the L2TP/IPSEC tunnel up till 
the gateway. Now if I want to access the internal network what else should I do 
on the RRAS server. From Internet user machine I am able to ping both the 
Internet interface and the internal interface [ 192.168.0.200] of the RRAS 
server. But I cannot ping any other internal machine [192.168.0.201].connected 
on the same LAN as internal network interface.

On the RRAS server I have enabled IP forwarding in the through Registry. 
Address pool is configured and is getting allocated to Internet user when he 
connects.

On 1/3/07, James D. Stallard <james@leafgrove.com> wrote:

You don't mention the number of users, but the budget suggests small 
scale
:)

Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and 
with WXP SP2 as your client you have 2048bit Diffie-Hellman encryption 
available.

Setting up RRAS to perform this task is done in less than 20 minutes 
and is easy to get through a firewall inbound (IE your firewall). The 
problems you have to face are:

. If you wish to use pre-shared keys (the "cheapest" way of doing it) 
you will need to configure the PSK passphrase on each client 
individually - easy with a small number of clients. Otherwise, you 
will need to invest in a certificate authority.

. This is only suitable for access by known machines, not for internet 
café type environments.

. This solution works great for the remote home user, but is less 
successful for your travelling salesmen using the client's internet 
connection as they generally have the relevant ports/protocols blocked.

. The locally configured PSK may not be stored in a highly secure 
manner on the client machines and could possibly become known in the 
event a machine configured with it is stolen. You may find yourself 
having to re-deploy a new PSK.

I wrote a quick and dirty step-by-step here:
http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus

In case one of your configured laptops is stolen and an attempt is 
made on your RRAS solution, pay attention to your account locking on 
failed password settings. You want permanent locks on a small number 
of attempts (say 5), thus forcing administrative intervention and 
investigation in the event of an account becoming locked.

Cheers

James D. Stallard

-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com] On Behalf Of dubaisans dubai
Sent: 02 January 2007 04:17
To: focus-ms@securityfocus.com
Subject: Secure Remote access - windows 2003

I am planning to provide remote access from Internet to a windows 2003 
domain

controller.User-ids, NTFS permissions are all configured.

The objective is file sharing and access.

Files will need to be copied. The machine has valid Internet IP 
address and is

sitting behind a Firewall.

I would like to keep solution independent of Firewall.This will be 
accessed by roaming users. I am thinking of something like 0penssh for 
windows or maybe just GUI based Secure-FTP

Challenges I am facing
------------------------------------
Authentication should be strong. Something more than a password. [ No 
budget for RSA securiD :-))) ]

Encryption for user-crentials/data access

Options considered
----------------------------------
I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy 
is not simple and also you require Application Mode license.

The number of remote users - less than 100

Cost effective , easy to implement and easy to manage solution sought






All mail to and from this domain is GFI-scanned.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Secure Remote access - windows 2003, tima soni
Next by Date:  RE: How to deploy Microsoft OWA without using ISA?, Jim Harrison
Previous by Thread:  RE: Secure Remote access - windows 2003, Tom Geairn
Next by Thread:  RE: Secure Remote access - windows 2003, Jones, David - UK
Indexes:  [Date] [Thread] [Top] [All Lists]