
How to create and enforce a remote access security policy in Windows Server 2003



For a Microsoft Windows 2000 version of this article, see 313082.



Summary

This step-by-step article describes how to enforce a remote access security policy in a Microsoft Windows Server 2003-based native-mode domain. This article also describes how to enforce a remote access security policy on a stand-alone Windows Server 2003-based remote access server.

In a Windows Server 2003-based native-mode domain, you can use the following three types of remote access policies:

  • Explicit allow
    The remote access policy is set to "Grant remote access permission" and the connection attempt matches the policy conditions.
  • Explicit deny
    The remote access policy is set to "Deny remote access permission" and the connection attempt matches the policy conditions.
  • Implicit deny
    The connection attempt does not match any remote access policy conditions.
To enforce a remote access policy, configure the policy. Then, configure the user account dial-in settings to specify that remote access permissions are controlled by the remote access policy.

How to configure a remote access policy

By default, two remote access policies are available in Windows Server 2003:
  • Connections to Microsoft Routing and Remote Access server
    This policy matches every remote access connection that is made to the Routing and Remote Access service.
  • Connections to other access servers
    This policy matches every incoming connection, regardless of the network access server type.
Windows Server 2003 uses the Connections to other access servers policy only when one of the following conditions is true:
  • The Connections to Microsoft Routing and Remote Access server policy is unavailable.
  • The order of the policies has been changed.
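The following PowerShell function is an added example, not code from this article: a simplified model of how an ordered policy list yields the explicit allow, explicit deny and implicit deny outcomes, and why policy order matters. It assumes first-match evaluation and a day/time window in the granting policy's profile; the user names are constructed.

```powershell
# Added example, not code from the KB article. A simplified model of how an
# ordered list of remote access policies produces the three outcomes above:
# policies are checked top to bottom, the first one whose conditions match
# decides, and a day/time window in a granting policy's profile is honoured.
# Policy names follow the article; the user names are constructed.
function Test-RemoteAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,   # in MMC order
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)]
        [ValidateSet('Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday')]
        [string] $Day,
        [Parameter(Mandatory)] [ValidateRange(0,23)] [int] $Hour
    )
    foreach ($p in $Policies) {
        # Policy condition: applies to the listed users (or everyone if none listed)
        if ($p.Users -and ($p.Users -notcontains $User)) { continue }
        if ($p.Permission -eq 'Deny') { return "Explicit deny ($($p.Name))" }
        # Profile constraint: "Allow access only on these days and at these times"
        if ($p.Window) {
            $w = $p.Window
            $inWindow = ($w.Days -contains $Day) -and ($Hour -ge $w.Start) -and ($Hour -lt $w.End)
            if (-not $inWindow) { return "Blocked outside the profile hours ($($p.Name))" }
        }
        return "Explicit allow ($($p.Name))"
    }
    return 'Implicit deny (no matching policy)'
}

# Constructed policies mirroring the article's Test Policy and Test Block Policy
$weekdays = 'Monday','Tuesday','Wednesday','Thursday','Friday'
$policies = @(
    [pscustomobject]@{ Name = 'Test Policy'; Users = @('alice'); Permission = 'Grant'
                       Window = @{ Days = $weekdays; Start = 8; End = 16 } }
    [pscustomobject]@{ Name = 'Test Block Policy'; Users = @('alice'); Permission = 'Deny'; Window = $null }
)

Test-RemoteAccess -Policies $policies -User 'alice' -Day Wednesday -Hour 10   # inside the window
Test-RemoteAccess -Policies $policies -User 'alice' -Day Saturday -Hour 10    # weekend
Test-RemoteAccess -Policies $policies -User 'bob' -Day Wednesday -Hour 10     # matches no policy
# Reversing the order lets Test Block Policy match first, which is why policy order matters
Test-RemoteAccess -Policies @($policies[1], $policies[0]) -User 'alice' -Day Wednesday -Hour 10
```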
To configure a new remote access security policy, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. Expand Server_Name, and then click Remote Access Policies.

    Note If you have not configured remote access, click Configure and Enable Routing and Remote Access on the Action menu, and then follow the steps in the Routing and Remote Access Server Setup Wizard.
  3. Create a new remote access policy.

    The following example steps illustrate how to create a new remote access policy that explicitly grants remote access permissions to a specific user on certain days. This policy implicitly blocks access on other days.
    1. Right-click Remote Access Policies, and then click New Remote Access Policy.
    2. In the New Remote Access Policy Wizard, click Next.
    3. In the Policy name box, type Test Policy, and then click Next.
    4. On the Access Method page, click Dial-up, and then click Next.
    5. On the User or Group Access page, click User or Group, and then click Next.

      Note If you want to configure the remote access policy for a group, click Add, type the name of the group in the Enter Object Names To Select box, and then click OK.
    6. On the Authentication Methods page, make sure that only the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check box is selected, and then click Next.
    7. On the Policy Encryption Level page, click Next.
    8. Click Finish.

      A new policy named Test Policy appears in the Remote Access Policies node.
    9. In the right pane, right-click Test Policy, and then click Properties.
    10. In the Test Policy Properties dialog box, make sure that Grant remote access permission is selected.
    11. Click Edit Profile, click to select the Allow access only on these days and at these times check box, and then click Edit.
    12. Click Denied, click Monday through Friday from 8:00 A.M. to 4:00 P.M., click Permitted, and then click OK.
    13. Click OK to close the Edit Dial-in Profile dialog box.
    14. Click OK to close the Test Policy Properties dialog box.

      The Test Policy policy is in effect.
    15. Repeat steps 1 through 8 to create another remote access policy named Test Block Policy.
    16. In the right pane, right-click Test Block Policy, and then click Properties.
    17. In the Test Block Policy Properties dialog box, click Deny remote access permission.

      The Test Block Policy policy is in effect.
  4. Quit Routing and Remote Access.


How to configure the user account dial-in setting

To specify that remote access permissions are controlled by the remote access policy, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then use one of the following methods.

    Method 1: For an Active Directory domain controller

    If the computer is an Active Directory directory service domain controller, follow these steps:
    1. Click Active Directory Users and Computers.
    2. In the console tree, expand Your_domain, and then click Users.

    Method 2: For a stand-alone Windows Server 2003 server

    If the computer is a stand-alone Windows Server 2003 server, follow these steps:
    1. Click Computer Management.
    2. In the console tree, click System Tools, click Local Users and Groups, and then click Users.
  2. Right-click the user account, and then click Properties.
  3. On the Dial-in tab, click Control access through Remote Access Policy, and then click OK.

    Note If Control access through Remote Access Policy is unavailable, the Active Directory may be running in Mixed mode.
    For more information about dial-in options that are unavailable when Active Directory is in Mixed mode, click the following article number to view the article in the Microsoft Knowledge Base:

    193897 Dial-in options unavailable with Active Directory in Mixed mode

Troubleshooting

If you do not use groups to specify remote access permissions in your policy configuration, make sure that the Guest account is disabled. Also, make sure that you set the remote access permission for the Guest account to Deny access. To do this, use one of the following methods.

Method 1: For an Active Directory domain controller

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand Your_domain, and then click Users.
  3. Right-click Guest, and then click Properties.
  4. On the Dial-in tab, click Deny access, and then click OK.
  5. Right-click Guest, point to All Tasks, and then click Disable Account.
  6. When you receive the "Object Guest has been disabled" message, click OK.
  7. Quit Active Directory Users and Computers.

Method 2: For a stand-alone Windows Server 2003 server

  1. Click Computer Management.
  2. In the console tree, click System Tools, click Local Users and Groups, and then click Users.
  3. Right-click Guest, and then click Properties.
  4. On the Dial-in tab, click Deny access, and then click OK.
  5. Right-click Guest, and then click Properties.
  6. Click to select the Account is disabled check box, and then click OK.
  7. Quit Computer Management.
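To verify the Troubleshooting settings across a domain instead of clicking through each account, the following PowerShell script is an added example (not from this article). It queries Active Directory through ADSI, which works against a Windows Server 2003 domain, and assumes the Dial-in tab is stored in the msNPAllowDialin attribute (TRUE = Allow access, FALSE = Deny access, absent = Control access through Remote Access Policy).

```powershell
# Added example, not code from the KB article. Audits the Dial-in setting and
# account state of every domain user with ADSI. Assumptions: msNPAllowDialin
# holds the Dial-in tab value (TRUE = Allow access, FALSE = Deny access,
# absent = Control access through Remote Access Policy) and bit 0x2 of
# userAccountControl marks a disabled account.
function Get-DialinAudit {
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName','msNPAllowDialin','userAccountControl'))
    foreach ($r in $searcher.FindAll()) {
        $name = [string]$r.Properties['samaccountname'][0]
        $uac  = [int]$r.Properties['useraccountcontrol'][0]
        $dial = $r.Properties['msnpallowdialin']
        $setting = if ($dial.Count -eq 0) { 'Control via policy' }
                   elseif ([bool]$dial[0]) { 'Allow access' }
                   else { 'Deny access' }
        [pscustomobject]@{
            User     = $name
            Disabled = [bool]($uac -band 0x2)
            DialIn   = $setting
        }
    }
}

$audit = Get-DialinAudit

# The Guest account should be disabled and explicitly set to Deny access
$guest = $audit | Where-Object { $_.User -eq 'Guest' }
if (-not $guest) {
    Write-Warning 'No Guest account found in the directory'
} elseif (-not $guest.Disabled -or $guest.DialIn -ne 'Deny access') {
    Write-Warning "Guest is not locked down: Disabled=$($guest.Disabled), Dial-in=$($guest.DialIn)"
}

# Accounts whose per-user Allow access setting bypasses the remote access policy
$audit | Where-Object { $_.DialIn -eq 'Allow access' } | Format-Table -AutoSize
```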



References

For more information about remote access policies, click Start, click Help and Support, type remote access policies in the Search box, and then press ENTER to view the available topics.



Keywords: kbsecurityservices, kbentirenet, kbhowtomaster, kbbillprodsweep, kb


Article Info
Article ID : 816522
Revision : 8
Created on : 4/12/2018
Published on : 4/12/2018