Microsoft KB Archive/816522

= How to create and enforce a remote access security policy in Windows Server 2003 =

Article ID: 816522

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-

For a Microsoft Windows 2000 version of this article, see 313082.

SUMMARY
This step-by-step article describes how to enforce a remote access security policy in a Microsoft Windows Server 2003-based native-mode domain. This article also describes how to enforce a remote access security policy on a stand-alone Windows Server 2003-based remote access server.

In a Windows Server 2003-based native-mode domain, you can use the following three types of remote access policies:
 * Explicit allow: The remote access policy is set to "Grant remote access permission" and the connection attempt matches the policy conditions.
 * Explicit deny: The remote access policy is set to "Deny remote access permission" and the connection attempt matches the policy conditions.
 * Implicit deny: The connection attempt does not match any remote access policy conditions.

To enforce a remote access policy, configure the policy. Then, configure the user account dial-in settings to specify that remote access permissions are controlled by the remote access policy.

How to configure a remote access policy
By default, two remote access policies are available in Windows Server 2003:
 * Connections to Microsoft Routing and Remote Access server: This policy matches every remote access connection that is made to the Routing and Remote Access service.
 * Connections to other access servers: This policy matches every incoming connection, regardless of the network access server type.

Windows Server 2003 uses the Connections to other access servers policy only when one of the following conditions is true:
 * The Connections to Microsoft Routing and Remote Access server policy is unavailable.
 * The order of the policies has been changed.

To configure a new remote access security policy, follow these steps:

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
 * 2) Expand  , and then click Remote Access Policies.

Note If you have not configured remote access, click Configure and Enable Routing and Remote Access on the Action menu, and then follow the steps in the Routing and Remote Access Server Setup Wizard.

 * 3) Create a new remote access policy.

The following example steps illustrate how to create a new remote access policy that explicitly grants remote access permissions to a specific user on certain days. This policy implicitly blocks access on other days.

 * a) Right-click Remote Access Policies, and then click New Remote Access Policy.
 * b) In the New Remote Access Policy Wizard, click Next.
 * c) In the Policy name box, type Test Policy, and then click Next.
 * d) On the Access Method page, click Dial-up, and then click Next.
 * e) On the User or Group Access page, click User or Group, and then click Next.

Note If you want to configure the remote access policy for a group, click Add, type the name of the group in the Enter Object Names To Select box, and then click OK.

 * f) On the Authentication Methods page, make sure that only the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check box is selected, and then click Next.
 * g) On the Policy Encryption Level page, click Next.
 * h) Click Finish. A new policy named Test Policy appears in the Remote Access Policies node.
 * i) In the right pane, right-click Test Policy, and then click Properties.
 * j) In the Test Policy Properties dialog box, make sure that Grant remote access permission is selected.
 * k) Click Edit Profile, click to select the Allow access only on these days and at these times check box, and then click Edit.
 * l) Click Denied, click Monday through Friday from 8:00 A.M. to 4:00 P.M., click Permitted, and then click OK.
 * m) Click OK to close the Edit Dial-in Profile dialog box.
 * n) Click OK to close the Test Policy Properties dialog box. The Test Policy policy is in effect.
 * o) Repeat steps a through h to create another remote access policy named Test Block Policy.
 * p) In the right pane, right-click Test Block Policy, and then click Properties.
 * q) In the Test Block Policy Properties dialog box, click Deny remote access permission. The Test Block Policy policy is in effect.

 * 4) Quit Routing and Remote Access.

How to configure the user account dial-in setting
To specify that remote access permissions are controlled by the remote access policy, follow these steps:

 * 1) Click Start, point to Programs, point to Administrative Tools, and then use one of the following methods.

Method 1: For an Active Directory domain controller
If the computer is an Active Directory directory service domain controller, follow these steps:
 * a) Click Active Directory Users and Computers.
 * b) In the console tree, expand  , and then click Users.

Method 2: For a stand-alone Windows Server 2003 server
If the computer is a stand-alone Windows Server 2003 server, follow these steps:
 * a) Click Computer Management.
 * b) In the console tree, click System Tools, click Local Users and Groups, and then click Users.

 * 2) Right-click the user account, and then click Properties.
 * 3) On the Dial-in tab, click Control access through Remote Access Policy, and then click OK.

Note If Control access through Remote Access Policy is unavailable, Active Directory may be running in Mixed mode. For more information about dial-in options that are unavailable when Active Directory is running in Mixed mode, click the following article number to view the article in the Microsoft Knowledge Base:

193897 Dial-in options unavailable with Active Directory in Mixed mode


Troubleshooting
If you do not use groups to specify remote access permissions in your policy configuration, make sure that the Guest account is disabled. Also, make sure that you set the remote access permission for the Guest account to Deny access. To do this, use one of the following methods.

Method 1: For an Active Directory domain controller

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand  , and then click Users.
 * 3) Right-click Guest, and then click Properties.
 * 4) On the Dial-in tab, click Deny access, and then click OK.
 * 5) Right-click Guest, point to All Tasks, and then click Disable Account.
 * 6) When you receive the "Object Guest has been disabled" message, click OK.
 * 7) Quit Active Directory Users and Computers.

Method 2: For a stand-alone Windows Server 2003 server

 * 1) Click Computer Management.
 * 2) In the console tree, click System Tools, click Local Users and Groups, and then click Users.
 * 3) Right-click Guest, and then click Properties.
 * 4) On the Dial-in tab, click Deny access, and then click OK.
 * 5) Right-click Guest, and then click Properties.
 * 6) Click to select the Account is disabled check box, and then click OK.
 * 7) Quit Computer Management.
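The dial-in setting chosen in the two procedures above is stored on domain accounts in the msNPAllowDialin attribute (TRUE for Allow access, FALSE for Deny access, attribute absent for Control access through Remote Access Policy). The following PowerShell script is an added audit example, not part of the KB article: it lists domain accounts that carry an explicit Allow (which overrides the Grant/Deny setting of any matching policy), checks that Guest is disabled and set to Deny access as the Troubleshooting section requires, and shows how to clear the attribute so an account falls back to policy control. It assumes Windows PowerShell 2.0 or later on a domain-joined computer with read access to user objects; local accounts on a stand-alone server are not covered.

```powershell
# Constructed audit example using ADSI (System.DirectoryServices); not from the KB article.
# msNPAllowDialin: TRUE = Allow access, FALSE = Deny access,
# attribute absent = Control access through Remote Access Policy.
$ACCOUNTDISABLE = 0x2   # userAccountControl flag for a disabled account

function Get-DialInReport {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@("sAMAccountName", "msNPAllowDialin", "userAccountControl", "distinguishedName"))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties    # property names come back lower-cased
        $uac = [int]$props["useraccountcontrol"][0]
        $dialIn = "Policy"             # attribute absent: the remote access policy decides
        if ($props.Contains("msnpallowdialin")) {
            $dialIn = if ([bool]$props["msnpallowdialin"][0]) { "Allow" } else { "Deny" }
        }
        New-Object PSObject -Property @{
            Account  = [string]$props["samaccountname"][0]
            DN       = [string]$props["distinguishedname"][0]
            DialIn   = $dialIn
            Disabled = (($uac -band $ACCOUNTDISABLE) -ne 0)
        }
    }
}

# Clear msNPAllowDialin so the account uses "Control access through Remote Access Policy".
function Set-DialInControlledByPolicy {
    param([string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $user.PutEx(1, "msNPAllowDialin", 0)   # 1 = ADS_PROPERTY_CLEAR
    $user.SetInfo()
}

$report = Get-DialInReport

# An explicit Allow on the account overrides the Grant/Deny setting of the matching policy;
# every account listed here should be reviewed.
$report | Where-Object { $_.DialIn -eq "Allow" } | Format-Table Account, DialIn, Disabled -AutoSize

# Troubleshooting section: Guest must be disabled and set to Deny access.
$guest = $report | Where-Object { $_.Account -eq "Guest" }
if ($guest -and (-not $guest.Disabled -or $guest.DialIn -ne "Deny")) {
    Write-Warning ("Guest: Disabled={0}, DialIn={1}; expected Disabled=True, DialIn=Deny" -f
        $guest.Disabled, $guest.DialIn)
}
```

To move a reviewed account back under policy control, call Set-DialInControlledByPolicy with the DN column from the report.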
