Windows 2003 FTP and RRAS (VPN) services best practices / locations? PPTP secur

  • Thread starter Thread starter markm75
  • Start date Start date
M

markm75

I'm trying to restructure our domain.. and I believe I have had the
ftp service in a "bad" location prior..

Prior to now.. it was installed on a domain (member) server.. I used a
dummy account to provide access to the directory though..


Now i've virtualized alot of the infrastructure and created an "edge"
server, which is not joined to the domain.


It is my belief that the FTP service should reside here. On this edge
server (virtual).. i have two nics, but one isnt in use and the other
has a local ip address to our network. So for now i'm not using a
public ip address, but i'm guessing i probably should assign a public
ip to the one nic?


My other question relates to the placement of our RRAS service which
supplies access to PPTP vpn, as of now it resides on a member server..
using the single NIC on that system etc..


Is this location ok? What about moving it to the edge server? I'm
not sure how this would work over there, as once they connect, they
need access to the domain.. I'm guessing i could set up a one way
vpn.. but wouldnt this technically compromise the ftp security?


Also.. any thoughts on how to "secure" the PPTP connection, so the
passwords arent sent in clear text.. ie: with a certificate (not sure
how this would work)..


Thanks in advance
 
=?Utf-8?B?bWFya203NQ==?= <markm75@discussions.microsoft.com> wrote in
news:DBE59A43-750C-4E95-AF51-59D3C19A0DBE@microsoft.com:

> I'm trying to restructure our domain.. and I believe I have had the
> ftp service in a "bad" location prior..
>
> Prior to now.. it was installed on a domain (member) server.. I used a
> dummy account to provide access to the directory though..
>
>
> Now i've virtualized alot of the infrastructure and created an "edge"
> server, which is not joined to the domain.
>
>
> It is my belief that the FTP service should reside here. On this edge
> server (virtual).. i have two nics, but one isnt in use and the other
> has a local ip address to our network. So for now i'm not using a
> public ip address, but i'm guessing i probably should assign a public
> ip to the one nic?
>
>
> My other question relates to the placement of our RRAS service which
> supplies access to PPTP vpn, as of now it resides on a member server..
> using the single NIC on that system etc..
>
>
> Is this location ok? What about moving it to the edge server? I'm
> not sure how this would work over there, as once they connect, they
> need access to the domain.. I'm guessing i could set up a one way
> vpn.. but wouldnt this technically compromise the ftp security?
>
>
> Also.. any thoughts on how to "secure" the PPTP connection, so the
> passwords arent sent in clear text.. ie: with a certificate (not sure
> how this would work)..
>
>
> Thanks in advance
>
>
>

You can place the VPN server on the perimeter network as long as there is a
firewall in front of it, but it needs two NICs (public/private).

I believe there is good information in the RRAS Help about this subject.

The most secure VPN connections are L2TP/IPsec connections, which require
the deployment of Extensible Authentication Protocol (EAP) with Transport
Layer Security (TLS), or EAP-TLS.

EAP-TLS uses a server certificate on the IAS server and client computer
certificates on client computers or on smart cards.

If the people connecting are doing so through non domain member computers,
smart cards would be the best choice, though they are more difficult and
costly to deploy.

If users connect with domain member computers, you can autoenroll user and
client computer certificates to users and clients.

You can deploy both server and client/user certificates using Certificate
Services, however the certificates must meet the minimum certificate
requirements. The following Help topic provides these requirements and
also discusses other issues related to deploying certs:

"Network access authentication and certificates" in Windows Server 2003 IAS
or VPN Help, or on the web at
http://technet2.microsoft.com/windowsserver/en/library/9d8b61c9-a870-4627-
a8f2-148625fd7fba1033.mspx

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top