VPN Security Tricks
Published on Friday 21st September, 2007 (AEST)
As well as using strong passwords, encryption, and authentication protocols, there are a few other steps you can take to secure your Windows Server 2003 RRAS VPN connections, that aren’t quite so well known.
The first is the Verify Caller-ID setting on the Dial-in tab of an Active Directory user account. While most administrators are familiar with using this setting to restrict dial-up access to a specific phone number, what isn’t obvious is that it can also be used to restrict a VPN connection to a specific source IP address. That’s right—the field can contain a phone number for dial-up connections or an IP address for VPN connections. This setting is useful when an account should only be used to make a VPN connection from a specific location, such as a branch office or a staff member’s home, and it requires that the user has a static IP address assigned.
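The Dial-in tab field described above is stored on the user object as the msNPCallingStationID attribute, so it can be set from a script as well as from the GUI. The following PowerShell is an added example, not part of the original post: it writes the attribute through ADSI, refuses anything that does not parse as an IP address (a typo here would either leave the account unrestricted or lock the user out), and reads the value back to confirm it. The distinguished name and the address are constructed placeholders; the function names are my own.

```powershell
# Added example: restrict a VPN account to one source IP by writing the
# Verify Caller-ID field (AD attribute msNPCallingStationID) through ADSI.
# The DN and address used below are constructed placeholders.

function Set-VpnCallerId {
    param(
        [string]$UserDn,    # e.g. "CN=Jane Doe,OU=Staff,DC=example,DC=com"
        [string]$SourceIp   # the static IP the user must connect from
    )

    # Refuse anything that is not a parseable IP address, so a mistyped
    # value cannot silently leave the account unrestricted or lock it out.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($SourceIp, [ref]$parsed)) {
        throw "Not a valid IP address: $SourceIp"
    }

    $user = [ADSI]"LDAP://$UserDn"
    $user.Put("msNPCallingStationID", $SourceIp)
    $user.SetInfo()

    # Read the value back so the change is confirmed rather than assumed.
    $user.RefreshCache()
    return [string]$user.Get("msNPCallingStationID")
}

function Clear-VpnCallerId {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    # PutEx control code 1 is ADS_PROPERTY_CLEAR: remove the attribute entirely.
    $user.PutEx(1, "msNPCallingStationID", 0)
    $user.SetInfo()
}

# Constructed sample usage (placeholder DN and documentation-range address):
Set-VpnCallerId -UserDn "CN=Jane Doe,OU=Staff,DC=example,DC=com" -SourceIp "203.0.113.25"
```

Run this with an account that has write access to the user object. Clear-VpnCallerId removes the restriction again, which is what you want when a user's static address changes rather than editing it to an empty string.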
Another security feature available is RRAS Account Lockout. This enables you to configure account lockout features on VPN and dial-up connections. So, when an attacker launches a brute-force attack on a user account via VPN, RRAS can temporarily lock that user’s account. The lockout only applies to logon attempts made through RRAS, and does not affect standard Windows logons. It’s worth keeping in mind that account lockouts can be used in a DoS attack—if an attacker knows a valid username—by repeatedly guessing invalid passwords and preventing the real user from making a VPN or dial-up connection.
RRAS account lockout settings are configured in the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
There are two settings to configure. The first is the MaxDenials value, which specifies how many failed attempts are allowed on an account before it is locked. By default, this is set to 0 (zero), meaning that account lockouts are disabled. It’s usually best to set this to at least 5 or 10, as this will catch brute-force attacks without inconveniencing your users. The second setting is the ResetTime (mins) value, used to specify how long you want an account to remain locked. The default value is two days (2,880 minutes, or 0xb40 in hex).
When an account is locked, a value is created in this registry key in the form of DomainName:UserName. If you need to unlock an account, simply delete the value matching the account's username and domain name.
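The lockout configuration and the unlock procedure above are easy to script. The following PowerShell is an added example and not code from the original post: it sets the two values in the AccountLockout key, lists the DomainName:UserName entries that RRAS has created for locked accounts, and deletes the entry for one account to unlock it. The key and value names are the ones given in the post; the thresholds (5 denials, a 30-minute reset) and the function names are my own choices, and the sample domain and user name are constructed.

```powershell
# Added example: manage RRAS account lockout through the registry key the
# post describes. Thresholds below are example values, not defaults.
$LockoutKey = "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout"

function Set-RrasAccountLockout {
    param(
        [int]$MaxDenials   = 5,    # failed attempts before RRAS locks the account (0 disables)
        [int]$ResetMinutes = 30    # how long the RRAS lockout lasts
    )
    if ($MaxDenials -lt 0 -or $ResetMinutes -lt 1) {
        throw "MaxDenials must be 0 or greater and ResetMinutes at least 1"
    }
    if (-not (Test-Path $LockoutKey)) {
        New-Item -Path $LockoutKey -Force | Out-Null
    }
    # Both values are REG_DWORD; note the space and parentheses in the second name.
    Set-ItemProperty -Path $LockoutKey -Name "MaxDenials"       -Value $MaxDenials   -Type DWord
    Set-ItemProperty -Path $LockoutKey -Name "ResetTime (mins)" -Value $ResetMinutes -Type DWord

    # Echo the stored values so the change is verified on the box.
    Get-ItemProperty -Path $LockoutKey | Select-Object MaxDenials, "ResetTime (mins)"
}

function Get-RrasLockedAccounts {
    # Locked accounts appear as extra values named DomainName:UserName alongside
    # the two configuration values, so filter on that shape.
    (Get-Item -Path $LockoutKey).GetValueNames() | Where-Object { $_ -match '^[^:]+:[^:]+$' }
}

function Unlock-RrasAccount {
    param([string]$Domain, [string]$User)
    $name = "${Domain}:${User}"
    if (-not ((Get-Item -Path $LockoutKey).GetValueNames() -contains $name)) {
        Write-Warning "No RRAS lockout entry found for $name"
        return $false
    }
    Remove-ItemProperty -Path $LockoutKey -Name $name
    return $true
}

# Constructed sample usage (run elevated on the RRAS server):
Set-RrasAccountLockout -MaxDenials 5 -ResetMinutes 30
Get-RrasLockedAccounts
Unlock-RrasAccount -Domain "EXAMPLE" -User "jdoe"
```

Get-RrasLockedAccounts is also a useful thing to run on a schedule: a steady stream of entries for accounts that do not normally connect remotely is the signal that someone is guessing passwords against the VPN, and a repeated lockout of one legitimate user is the DoS case the post warns about.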