Increasing Security on Windows 2000 VPN Server
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
This article was previously published under Q255784
A Windows 2000 virtual private network (VPN) server that is configured by
using the Routing and Remote Access Services (RRAS) Setup Wizard is
installed with a default set of Input and Output filters. These filters
support Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling
Protocol (L2TP), and IP Security Protocol (IPSec) connectivity. The
filters are generic and can be modified to tighten security on a VPN
server. This article describes modifications that you can make to these
filters to increase security. All filter configurations mentioned in this
article should be tested prior to being deployed in a production
environment.
The RRAS Setup Wizard creates a set of default Input and Output Filters on
the external adapter on the VPN server. To display and edit these filters:
1. Start the Routing and Remote Access snap-in in Microsoft Management Console (MMC).
2. Expand the IP Routing node in the left pane.
3. Click General in the left pane.
4. Right-click the external adapter listed in the right pane, and then click Properties.
5. You can view and edit the Inbound and Outbound filters on the General tab.
These are the default filters that are configured:

| Src addr | Src mask | Dest addr | Dest mask | Protocol | Src port | Dest port | Description |
|---|---|---|---|---|---|---|---|
| Any | Any | Any | Any | 47 | Any | Any | GRE |
| Any | Any | Any | Any | TCP | 1723 | Any | PPTP Inbound |
| Any | Any | Any | Any | TCP | Any | 1723 | PPTP Outbound |
| Any | Any | Any | Any | UDP | 500 | 500 | ISAKMP |
| Any | Any | Any | Any | UDP | 1701 | 1701 | L2TP |
Greater security can be provided by editing each of these filters (with
the exception of the PROTOCOL 47 GRE filter) and further restricting the
flow of PPTP and/or L2TP/IPSec packets. You must edit the Input and Output
filters. The result is that inbound PPTP, L2TP/IPSec traffic will be
restricted to the IP address of the external adapter and only PPTP, L2TP/IPSec
traffic will be allowed to pass out through the external adapter from the
internal network or the VPN server itself.
Input and Output filters are edited individually by selecting the filter
and then clicking the Edit button. The Edit IP Filter dialog box allows you
to modify each filter setting. As an example, assume that the external
adapter has an IP address of 192.0.0.40 with a subnet mask of
255.255.255.0. After modifying the Input filters, the displayed matrix
would look like:
| Src addr | Src mask | Dest addr | Dest mask | Protocol | Src port | Dest port | Description |
|---|---|---|---|---|---|---|---|
| Any | Any | Any | Any | 47 | Any | Any | GRE |
| Any | Any | 192.0.0.40 | 255.255.255.255 | TCP | 1723 | Any | PPTP Inbound |
| Any | Any | 192.0.0.40 | 255.255.255.255 | TCP | Any | 1723 | PPTP Outbound |
| Any | Any | 192.0.0.40 | 255.255.255.255 | UDP | 500 | 500 | ISAKMP |
| Any | Any | 192.0.0.40 | 255.255.255.255 | UDP | 1701 | 1701 | L2TP |
After modifying the Output filters, the displayed matrix would look like:
| Src addr | Src mask | Dest addr | Dest mask | Protocol | Src port | Dest port | Description |
|---|---|---|---|---|---|---|---|
| Any | Any | Any | Any | 47 | Any | Any | GRE |
| 192.0.0.40 | 255.255.255.255 | Any | Any | TCP | 1723 | Any | PPTP Inbound |
| 192.0.0.40 | 255.255.255.255 | Any | Any | TCP | Any | 1723 | PPTP Outbound |
| 192.0.0.40 | 255.255.255.255 | Any | Any | UDP | 500 | 500 | ISAKMP |
| 192.0.0.40 | 255.255.255.255 | Any | Any | UDP | 1701 | 1701 | L2TP |
These filter settings also accommodate a VPN server that can support a
requirement for initiating a demand-dial connection to another VPN server,
for example.
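The following is an added example, not code from the Microsoft article or from RRAS itself. It models the filter matrix as a permit list (the "drop all packets except those that meet the criteria below" mode the RRAS VPN wizard configures, which is an assumption of this model) and evaluates constructed packets against the wizard's default filters and the tightened ones above, so the effect of pinning the destination (Input) and source (Output) to the external adapter address 192.0.0.40 can be checked before the change is made on a real server. The sample packets use documentation address ranges and are constructed for the example.

```python
# Added example, not part of the Microsoft KB article: a small model of the
# RRAS packet-filter matrix so the default and tightened filter sets can be
# compared on constructed packets. It assumes the permit-list semantics the
# VPN wizard configures ("drop all packets except those that meet the
# criteria below"): a packet passes only if at least one filter matches.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ANY = None  # "Any" in the filter matrix

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers
EXT_ADDR = "192.0.0.40"            # external adapter address used in the article
HOST_MASK = "255.255.255.255"      # single-host mask used in the tightened filters


@dataclass(frozen=True)
class Filter:
    src_addr: Optional[str]
    src_mask: Optional[str]
    dst_addr: Optional[str]
    dst_mask: Optional[str]
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    description: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    src_port: Optional[int] = None  # GRE carries no ports
    dst_port: Optional[int] = None


def _addr_match(addr: Optional[str], mask: Optional[str], pkt_addr: str) -> bool:
    """Address criterion: "Any" matches everything, otherwise compare under the mask."""
    if addr is ANY:
        return True
    a = int(IPv4Address(addr))
    m = int(IPv4Address(mask))
    return (int(IPv4Address(pkt_addr)) & m) == (a & m)


def _port_match(want: Optional[int], have: Optional[int]) -> bool:
    return want is ANY or want == have


def matches(f: Filter, pkt: Packet) -> bool:
    """True when the packet satisfies every criterion of one filter row."""
    return (f.proto == pkt.proto
            and _addr_match(f.src_addr, f.src_mask, pkt.src)
            and _addr_match(f.dst_addr, f.dst_mask, pkt.dst)
            and _port_match(f.src_port, pkt.src_port)
            and _port_match(f.dst_port, pkt.dst_port))


def permitted(filters: List[Filter], pkt: Packet) -> bool:
    """Permit-list semantics: pass only if some filter matches, otherwise drop."""
    return any(matches(f, pkt) for f in filters)


def _filter_set(src_addr, src_mask, dst_addr, dst_mask) -> List[Filter]:
    """Build the five-row matrix; the protocol 47 GRE row is always left at Any."""
    return [
        Filter(ANY, ANY, ANY, ANY, GRE, ANY, ANY, "GRE"),
        Filter(src_addr, src_mask, dst_addr, dst_mask, TCP, 1723, ANY, "PPTP Inbound"),
        Filter(src_addr, src_mask, dst_addr, dst_mask, TCP, ANY, 1723, "PPTP Outbound"),
        Filter(src_addr, src_mask, dst_addr, dst_mask, UDP, 500, 500, "ISAKMP"),
        Filter(src_addr, src_mask, dst_addr, dst_mask, UDP, 1701, 1701, "L2TP"),
    ]


# Wizard defaults: every address field is Any on both the Input and Output side.
DEFAULT_INPUT = _filter_set(ANY, ANY, ANY, ANY)
DEFAULT_OUTPUT = _filter_set(ANY, ANY, ANY, ANY)
# Tightened: Input pins the destination to the adapter, Output pins the source to it.
TIGHT_INPUT = _filter_set(ANY, ANY, EXT_ADDR, HOST_MASK)
TIGHT_OUTPUT = _filter_set(EXT_ADDR, HOST_MASK, ANY, ANY)

# Constructed sample packets (documentation address ranges, not real hosts).
PPTP_TO_SERVER = Packet("198.51.100.9", EXT_ADDR, TCP, 40000, 1723)
PPTP_TO_NEIGHBOUR = Packet("198.51.100.9", "192.0.0.41", TCP, 40000, 1723)  # same subnet, not the adapter
GRE_TO_NEIGHBOUR = Packet("198.51.100.9", "192.0.0.41", GRE)
HTTP_TO_SERVER = Packet("198.51.100.9", EXT_ADDR, TCP, 40000, 80)
PPTP_FROM_INTERNAL = Packet("10.0.0.5", "203.0.113.7", TCP, 40000, 1723)   # internal host tunnelling out
PPTP_FROM_SERVER = Packet(EXT_ADDR, "203.0.113.7", TCP, 40000, 1723)       # demand-dial from the server


def report(name: str, filters: List[Filter], pkt: Packet) -> None:
    verdict = "PASS" if permitted(filters, pkt) else "DROP"
    print(f"{name:15s} {pkt.src:14s} -> {pkt.dst:14s} proto {pkt.proto:2d} {verdict}")


if __name__ == "__main__":
    for pkt in (PPTP_TO_SERVER, PPTP_TO_NEIGHBOUR, GRE_TO_NEIGHBOUR, HTTP_TO_SERVER):
        report("default input", DEFAULT_INPUT, pkt)
        report("tight input", TIGHT_INPUT, pkt)
    for pkt in (PPTP_FROM_INTERNAL, PPTP_FROM_SERVER):
        report("default output", DEFAULT_OUTPUT, pkt)
        report("tight output", TIGHT_OUTPUT, pkt)
```

Running the block shows the difference the article describes: with the default Input filters, PPTP traffic addressed to any host the server can reach passes, whereas the tightened set passes PPTP, ISAKMP and L2TP only when addressed to 192.0.0.40; on the Output side, PPTP from an internal host is dropped by the tightened set while a demand-dial connection sourced from the external adapter still passes. The GRE row is untouched, so protocol 47 traffic is permitted by both sets, which is why the article excludes it from the edit.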
The default filter settings that are installed by using the RRAS Setup
Wizard allow for VPN connections only. The information in this article is
provided for those who want increased security.