How to create and enforce a remote access security policy in Windows Server 2003

Article ID: 816522
For a Microsoft Windows 2000 version of this article, see 313082.

SUMMARY

This step-by-step article describes how to enforce a remote access security policy in a Microsoft Windows Server 2003-based native-mode domain. This article also describes how to enforce a remote access security policy on a stand-alone Windows Server 2003-based remote access server.

In a Windows Server 2003-based native-mode domain, evaluating a connection attempt against the remote access policies produces one of the following three results:
  • Explicit allow
    The remote access policy is set to "Grant remote access permission" and the connection attempt matches the policy conditions.
  • Explicit deny
    The remote access policy is set to "Deny remote access permission" and the connection attempt matches the policy conditions.
  • Implicit deny
    The connection attempt does not match any remote access policy conditions.
To enforce a remote access policy, configure the policy. Then, configure the user account dial-in settings to specify that remote access permissions are controlled by the remote access policy.

How to configure a remote access policy

By default, two remote access policies are available in Windows Server 2003:
  • Connections to Microsoft Routing and Remote Access server
    This policy matches every remote access connection that is made to the Routing and Remote Access service.
  • Connections to other access servers
    This policy matches every incoming connection, regardless of the network access server type.
Windows Server 2003 uses the Connections to other access servers policy only when one of the following conditions is true:
  • The Connections to Microsoft Routing and Remote Access server policy is unavailable.
  • The order of the policies has been changed.
To configure a new remote access security policy, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. Expand Server_Name, and then click Remote Access Policies.

    Note If you have not configured remote access, click Configure and Enable Routing and Remote Access on the Action menu, and then follow the steps in the Routing and Remote Access Server Setup Wizard.
  3. Create a new remote access policy.

    The following example steps illustrate how to create a new remote access policy that explicitly grants remote access permissions to a specific user on certain days. This policy implicitly blocks access on other days.
    1. Right-click Remote Access Policies, and then click New Remote Access Policy.
    2. In the New Remote Access Policy Wizard, click Next.
    3. In the Policy name box, type Test Policy, and then click Next.
    4. On the Access Method page, click Dial-up, and then click Next.
    5. On the User or Group Access page, click User or Group, and then click Next.

      Note If you want to configure the remote access policy for a group, click Add, type the name of the group in the Enter Object Names To Select box, and then click OK.
    6. On the Authentication Methods page, make sure that only the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check box is selected, and then click Next.
    7. On the Policy Encryption Level page, click Next.
    8. Click Finish.

      A new policy named Test Policy appears in the Remote Access Policies node.
    9. In the right pane, right-click Test Policy, and then click Properties.
    10. In the Test Policy Properties dialog box, make sure that Grant remote access permission is selected.
    11. Click Edit Profile, click to select the Allow access only on these days and at these times check box, and then click Edit.
    12. Click Denied, click Monday through Friday from 8:00 A.M. to 4:00 P.M., click Permitted, and then click OK.
    13. Click OK to close the Edit Dial-in Profile dialog box.
    14. Click OK to close the Test Policy Properties dialog box.

      The Test Policy policy is in effect.
    15. Repeat steps 1 through 8 to create another remote access policy named Test Block Policy.
    16. In the right pane, right-click Test Block Policy, and then click Properties.
    17. In the Test Block Policy Properties dialog box, click Deny remote access permission.

      The Test Block Policy policy is in effect.
  4. Quit Routing and Remote Access.

How to configure the user account dial-in setting

To specify that remote access permissions are controlled by the remote access policy, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then use one of the following methods.

    Method 1: For an Active Directory domain controller

    If the computer is an Active Directory directory service domain controller, follow these steps:
    1. Click Active Directory Users and Computers.
    2. In the console tree, expand Your_domain, and then click Users.

    Method 2: For a stand-alone Windows Server 2003 server

    If the computer is a stand-alone Windows Server 2003 server, follow these steps:
    1. Click Computer Management.
    2. In the console tree, click System Tools, click Local Users and Groups, and then click Users.
  2. Right-click the user account, and then click Properties.
  3. On the Dial-in tab, click Control access through Remote Access Policy, and then click OK.

    Note If Control access through Remote Access Policy is unavailable, Active Directory may be running in Mixed mode. For more information about dial-in options that are unavailable when Active Directory is running in Mixed mode, click the following article number to view the article in the Microsoft Knowledge Base:
    193897 Dial-in options unavailable with Active Directory in Mixed mode

Troubleshooting

If you do not use groups to specify remote access permissions in your policy configuration, make sure that the Guest account is disabled. Also, make sure that you set the remote access permission for the Guest account to Deny access. To do this, use one of the following methods.

Method 1: For an Active Directory domain controller

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand Your_domain, and then click Users.
  3. Right-click Guest, and then click Properties.
  4. On the Dial-in tab, click Deny access, and then click OK.
  5. Right-click Guest, point to All Tasks, and then click Disable Account.
  6. When you receive the "Object Guest has been disabled" message, click OK.
  7. Quit Active Directory Users and Computers.

Method 2: For a stand-alone Windows Server 2003 server

  1. Click Computer Management.
  2. In the console tree, click System Tools, click Local Users and Groups, and then click Users.
  3. Right-click Guest, and then click Properties.
  4. On the Dial-in tab, click Deny access, and then click OK.
  5. Right-click Guest, and then click Properties.
  6. Click to select the Account is disabled check box, and then click OK.
  7. Quit Computer Management.
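The evaluation order that the procedures above rely on can be checked without a lab server. The following Python model is an added example, not code from this article or from the Routing and Remote Access service: it reproduces the rules the article describes (policies are tried in console order, the first matching policy decides, a match yields an explicit allow or explicit deny, no match is an implicit deny, the Dial-in tab setting on the account is applied first, and the profile's day and time restriction rejects an otherwise granted attempt). It builds the Test Policy and Test Block Policy from the configuration section and the disabled Guest account with Deny access from the troubleshooting section. Account names, timestamps and the VPN scenario are constructed; the handling of the Dial-in tab's Allow access setting is modelled as an assumption, since the article does not describe it.

```python
"""Model of remote access policy evaluation in Windows Server 2003.

Added example, not code from the Microsoft article or from Routing and
Remote Access. Account names, timestamps and scenarios are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, List, Optional, Tuple

# The three settings on the Dial-in tab of a user account.
ALLOW_ACCESS = "Allow access"
DENY_ACCESS = "Deny access"
CONTROL_THROUGH_POLICY = "Control access through Remote Access Policy"

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class Account:
    name: str
    dial_in: str = CONTROL_THROUGH_POLICY
    disabled: bool = False


@dataclass(frozen=True)
class Attempt:
    account: Account
    when: datetime                   # local time at the remote access server
    access_method: str = "Dial-up"   # the Access Method chosen in the wizard


@dataclass(frozen=True)
class DayTimeRestriction:
    """'Allow access only on these days and at these times' in the profile."""
    weekdays: frozenset
    start: time
    end: time    # exclusive: 8:00 A.M. to 4:00 P.M. permits 15:59 but not 16:00

    def permits(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class Policy:
    name: str
    grant: bool    # Grant (True) or Deny (False) remote access permission
    conditions: List[Callable[[Attempt], bool]] = field(default_factory=list)
    restriction: Optional[DayTimeRestriction] = None

    def matches(self, attempt: Attempt) -> bool:
        return all(cond(attempt) for cond in self.conditions)


def access_method_is(method: str) -> Callable[[Attempt], bool]:
    return lambda a: a.access_method == method


def evaluate(policies: List[Policy], attempt: Attempt) -> Tuple[bool, str]:
    """Return (accepted, reason) for one connection attempt."""
    acct = attempt.account
    if acct.disabled:
        return False, "account is disabled"
    if acct.dial_in == DENY_ACCESS:      # per-account Deny access wins before any policy
        return False, "Dial-in tab: Deny access"
    for policy in policies:              # console order; the first match decides
        if not policy.matches(attempt):
            continue
        # Assumption (not covered by the article): a per-account "Allow access"
        # overrides the policy permission but the profile restriction still applies.
        granted = True if acct.dial_in == ALLOW_ACCESS else policy.grant
        if not granted:
            return False, f"{policy.name}: explicit deny"
        if policy.restriction and not policy.restriction.permits(attempt.when):
            return False, f"{policy.name}: outside the permitted days and times"
        return True, f"{policy.name}: explicit allow"
    return False, "implicit deny: no policy matched"   # every policy tried, none matched


def article_policies() -> List[Policy]:
    """The two policies the article creates, in the order it creates them."""
    business_hours = DayTimeRestriction(frozenset({MON, TUE, WED, THU, FRI}), time(8), time(16))
    test_policy = Policy("Test Policy", grant=True,
                         conditions=[access_method_is("Dial-up")], restriction=business_hours)
    test_block = Policy("Test Block Policy", grant=False,
                        conditions=[access_method_is("Dial-up")])
    return [test_policy, test_block]


def demo() -> dict:
    """Constructed scenarios: 2007-12-04 is a Tuesday, 2007-12-08 a Saturday."""
    policies = article_policies()
    user = Account("testuser")                                  # controlled through policy
    guest = Account("Guest", dial_in=DENY_ACCESS, disabled=True)  # troubleshooting section
    tue_10 = datetime(2007, 12, 4, 10, 0)
    return {
        "weekday_dialup": evaluate(policies, Attempt(user, tue_10)),
        "weekday_1600":   evaluate(policies, Attempt(user, datetime(2007, 12, 4, 16, 0))),
        "saturday":       evaluate(policies, Attempt(user, datetime(2007, 12, 8, 10, 0))),
        "vpn_no_policy":  evaluate(policies, Attempt(user, tue_10, "VPN")),
        "guest":          evaluate(policies, Attempt(guest, tue_10)),
        # Moving Test Block Policy above Test Policy turns every dial-up attempt into a deny.
        "reordered":      evaluate(list(reversed(policies)), Attempt(user, tue_10)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  ({why})")
```

Two of the scenarios show why the article's ordering matters: because Test Policy matches every dial-up attempt, Test Block Policy is never consulted, and a Saturday attempt is rejected by Test Policy's own profile rather than by the block policy; swap the two and every dial-up attempt is rejected, which is the "order of the policies has been changed" case from the configuration section. The VPN scenario, which matches neither policy, shows the implicit deny.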

REFERENCES

For more information about remote access policies, click Start, click Help and Support, type remote access policies in the Search box, and then press ENTER to view the available topics.

Properties

Article ID: 816522 - Last Review: December 3, 2007 - Revision: 6.3
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
Keywords: kbsecurityservices kbhowtomaster KB816522