Profile Settings

A remote access policy profile is a set of properties that are applied to a connection when it is authorized. For VPN connections, you can use the following profile settings:

Dial-in constraints, which define, among other things, how long the connection can exist or be idle before the answering router terminates it.
Authentication settings, which define which authentication protocols the calling router can use when sending its credentials, and the configuration of EAP types such as EAP-TLS.
Encryption settings, which define whether encryption is required and the encryption strength.

For example, you can create a Windows group called VPNRouters whose members are the user accounts of all calling routers. Using the Wizard, you can also select a specific authentication method and encryption strength. Profile settings other than these have no effect on demand-dial connections.

User Accounts

User accounts contain the user name and a form of the user's password that can be used to validate the calling router's user credentials.
Additional account properties determine whether the user account is enabled or disabled, locked out, or permitted to log on only during specific hours. If a user account is disabled, locked out, or not permitted to log on at the time of the VPN connection, the site-to-site VPN connection attempt is rejected. Additionally, if the user account of the calling router is configured to change the password at the next logon, the site-to-site VPN connection attempt fails, because changing the password while attempting to make the connection is an interactive process and nobody is present to complete it.

Demand-dial routers need to be able to make connections as needed without human intervention. Therefore, all user accounts for calling routers must be configured with the User must change password at next logon check box cleared and the Password never expires check box selected in the account options on the Account tab of the user account's properties. Because the password will never be rotated automatically, make it long and random and treat it like any other long-lived credential: store it securely and rotate it on a schedule of your own.
When you create dial-in accounts with the Demand-Dial Interface Wizard, these account settings are automatically configured. You should use a separate user account for each site that contains a calling router. Each user account should have a name that matches a demand-dial interface configured on the answering router. When you create dial-in accounts with the Demand-Dial Interface Wizard, this one-to-one relationship between user accounts used by calling routers in separate sites and demand-dial interfaces is automatically created.
User accounts also contain dial-in settings. The dial-in setting most relevant for VPN connections is the remote access permission setting, which has the following values:

Allow access
Deny access
Control access through Remote Access Policy

The Allow access and Deny access settings explicitly allow or deny remote access and are equivalent to the remote access permission setting of Windows NT 4.
When you use the Control access through Remote Access Policy setting, the remote access permission is determined by the remote access permission setting of the matching remote access policy. If the user account is in a mixed-mode domain, the Control access through Remote Access Policy setting is not available and you must manage remote access permission on a per-user basis. If the user account is in a native-mode domain, the Control access through Remote Access Policy setting is available and you can manage remote access permission on a per-user basis or using groups.
When a dial-in account is created with the Demand-Dial Interface Wizard, the remote access permission is set to Allow access. When using groups to manage access, you can use your existing groups and create remote access policies that either allow or reject access, or that restrict access based on the group name. For example, the Employees group might have no VPN remote access restrictions, while the Contractors group can only create VPN connections during business hours. Alternatively, you can create groups based on the type of connection being made.

One-way Initiated Connections and Static Routes on the User Account

With one-way initiated connections, one router is always the answering router and one router is always the calling router. The answering router accepts the connection and the calling router initiates the connection.
One-way initiated connections are well suited to a spoke-and-hub topology where the branch office router is the only router that initiates the connection. To simplify configuration for one-way initiated connections, user accounts on a stand-alone Windows Server or in a native-mode Active Directory domain support the configuration of static routes. The static routes are automatically added to the routing table of the VPN router when a VPN connection using the user account is made.
Static routes on user accounts are configured by selecting the Apply static routes check box on the Dial-in tab of the user account's properties, and then adding static routes. To use static routes on the user account, configure the calling router normally. On the answering router, all you have to do is create the user account that the calling router uses and configure static routes that correspond to the calling router's site.

Because there is no demand-dial interface on the answering router with the same name as the user account of the calling router, the incoming VPN connection is determined to be a remote access connection. The static routes of the calling router's user account are added to the VPN router's routing table, and all traffic to the locations covered by those static routes is sent across the logical remote access connection to the calling router.

Note: Static routes on the user account are applied on the answering router only when the incoming connection is a remote access VPN connection, that is, when the user name in the calling router's credentials does not match the name of a demand-dial interface on the answering router. Static routes on the user account are not applied when the incoming connection is a demand-dial connection.

Whether configured locally or on an IAS server, use remote access policies to authorize VPN connections and to specify connection constraints. For example, use remote access policies to grant access based on group membership, to enforce the use of encryption and a specific encryption strength, or to require EAP-TLS.
For one-way initiated connections, you can configure the calling router normally and configure the answering router with a user account that contains the static routes of the calling router's site. To protect your RADIUS traffic, make the shared secret a long (22 characters or longer), random sequence of letters, numbers, and punctuation, and change it often.
Certificate Infrastructure

To perform certificate-based authentication for L2TP connections and user certificate-based authentication for site-to-site VPN connections using EAP-TLS, a certificate infrastructure must be in place to issue the proper certificates to submit during the authentication process and to validate the certificate being submitted. The root CAs shown in the Trusted Root Certification Authorities list of the EAP-TLS properties correspond to the root CAs that issued the certificates stored in the computer certificate store.

Ensure one of the following before attempting an L2TP connection:

Both the calling router and answering router were issued computer certificates from the same CA.
Both the calling router and answering router were issued computer certificates from CAs that follow a valid certificate chain up to the same root CA.

In general, the calling router must have a valid computer certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the answering router trusts. Additionally, the answering router must have a valid computer certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the calling router trusts.
A single CA commonly issues computer certificates to all computers in an organization. Because of this, all computers within the organization both have computer certificates from a single CA and request certificates for authentication from that same CA. If you use an IPsec preshared key instead of computer certificates for L2TP, configure the calling router by clicking IPSec Settings on the Security tab in the properties of the demand-dial interface, and then typing the preshared key.

The authenticating server must be configured with a computer certificate to submit during the EAP-TLS authentication process. The authenticating server is either the answering router, if the answering router is configured to use the Windows authentication provider, or a RADIUS server, if the answering router is configured to use the RADIUS authentication provider. EAP-TLS authentication is successful when all of the following conditions are met:

The calling router submits a valid user certificate that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the answering router trusts.
The authenticating server submits a valid computer certificate that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the calling router trusts.
The user certificate of the calling router contains the Client Authentication enhanced key usage object identifier (1.3.6.1.5.5.7.3.2).
The computer certificate of the answering router contains the Server Authentication enhanced key usage object identifier (1.3.6.1.5.5.7.3.1).
For a Windows Server CA, a Router (Offline request) certificate, a special type of user certificate for demand-dial connections, is created and mapped to an Active Directory user account. When the calling router attempts a VPN connection, the Router (Offline request) certificate is sent during the connection negotiation process. If the certificate is valid, it is used to determine the user account from which the dial-in properties are obtained.

If the calling router must first connect with a password-based protocol in order to obtain its certificates, use the Certificate Manager snap-in or Internet Explorer after connecting to request the appropriate certificates. Once the certificates are installed, disconnect and then reconnect with the appropriate VPN protocol and authentication method. If you are only using a password-based authentication protocol such as MS-CHAP v2, a certificate infrastructure is not required and is not used for the authentication of the VPN connection.
To deploy a Router (Offline request) certificate for a calling router, the network administrator must:

Configure the Windows Server CA to issue Router (Offline request) certificates.
Request a Router (Offline request) certificate.
Export the Router (Offline request) certificate.
Map the certificate to the appropriate user account.
Send the Router (Offline request) certificate to the network administrator of the calling router.
Import the Router (Offline request) certificate on the calling router.

For more information about deploying Router (Offline request) certificates for demand-dial routing, see the topic titled "Branch office demand-dial connection" in Windows Server Help and Support. For a third-party CA, see the documentation for the CA software for instructions about how to create a user certificate with the Client Authentication enhanced key usage object identifier (1.3.6.1.5.5.7.3.2).
You must also export the root CA certificate, the certificate of the issuing CA, and the certificates of any intermediate CAs, and import them into the proper folders of the computer certificate store of the answering router using the Certificate Manager snap-in. If you want to configure the names of the authenticating servers, select Connect to these servers and type the server names. To require the server's computer certificate to have been issued by a specific trusted root CA, select that CA in the list of Trusted Root Certification Authorities.

To select the certificate the calling router submits, right-click the demand-dial interface and click Set credentials. In the Connect dialog box, select the correct user or Router (Offline request) certificate in User name on certificate, and then click OK.

Installing a Computer Certificate on the Authenticating Server

To install a computer certificate, a certification authority must be present to issue certificates.
If the CA is a Windows Server CA and the authenticating server is either the answering router or a Windows Server Internet Authentication Service (IAS) RADIUS server, you can install a certificate in the computer certificate store of the authenticating server in any of the following ways:

By configuring the automatic allocation of computer certificates to computers in an Active Directory domain. This method allows a single point of configuration for the entire domain; all members of the domain automatically receive a computer certificate through Group Policy.
By using the Certificate Manager snap-in to request a computer certificate. In this method, each computer must separately request a computer certificate from the CA. You must have administrator permissions to install a certificate using the Certificate Manager snap-in.
By using Internet Explorer and Web enrollment to request a certificate and store it in the local machine store. You must have administrator permissions to install a certificate using Web enrollment.

Based on the certificate policies in your organization, you only need to perform one of these methods. For a third-party CA, see the documentation for the CA software for instructions about how to create a certificate with the Server Authentication enhanced key usage object identifier (1.3.6.1.5.5.7.3.1).
Additionally, the root CA certificate, the certificate of the issuing CA, and the certificates of any intermediate CAs must be exported and imported on the calling router.
If the computer on which the remote access policy is being configured has multiple computer certificates installed, configure the properties of the Smart Card or other certificate EAP type and select the correct computer certificate to submit during the EAP-TLS authentication process; otherwise the server may present a certificate that the calling router does not trust or that lacks the Server Authentication EKU.
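The four EAP-TLS conditions above and the "which computer certificate should the server submit" question are easy to check before the first connection attempt. The following is an added example, not code from the original page: it walks a certificate store, tests each certificate for the required EKU and for a chain that builds (with that application policy and online revocation checking) to a root in the local trust store, and reports whether it is usable. The Cert: drive and the .NET X509Chain class are what Windows PowerShell provides; the store paths are the defaults, and the assumption that the calling router's user certificate sits in the current user's store of the account that ran Set credentials is mine.

```powershell
# Added example, not from the original page. Requires Windows PowerShell with the
# Certificate provider (Cert: drive); no third-party modules.

$ekuOid = @{
    Server = '1.3.6.1.5.5.7.3.1'   # Server Authentication: authenticating server's computer certificate
    Client = '1.3.6.1.5.5.7.3.2'   # Client Authentication: calling router's user certificate
}

function Test-EapTlsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [ValidateSet('Server', 'Client')]
        [string]$Role
    )

    $requiredOid = $ekuOid[$Role]

    # Read the EKU from the extension itself, so the same test works for a certificate
    # loaded from a file as for one enumerated from the Cert: drive.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEku = $false
    if ($ekuExt) {
        $hasEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $requiredOid })
    }

    # Build the chain with the required application policy. A missing intermediate or
    # root in the store, a revoked certificate, or a CA that does not permit this EKU
    # fails here rather than as an opaque failure at connection time.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $requiredOid))
    $chainOk = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
    $root    = if ($chain.ChainElements.Count -gt 0) {
                   $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
               } else { '' }

    [pscustomobject]@{
        Thumbprint     = $Certificate.Thumbprint
        Subject        = $Certificate.Subject
        NotAfter       = $Certificate.NotAfter
        HasPrivateKey  = $Certificate.HasPrivateKey   # a certificate without its key cannot authenticate
        HasRequiredEku = $hasEku
        ChainValid     = $chainOk
        ChainStatus    = $status
        RootCA         = $root
        Usable         = ($Certificate.HasPrivateKey -and $hasEku -and $chainOk)
    }
}

# On the authenticating server (answering router or IAS/NPS server): computer certificates.
# More than one 'Usable' row is exactly the case where the EAP type must be told which one to send.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsCertificate -Certificate $_ -Role Server } |
    Format-Table Thumbprint, Subject, Usable, HasRequiredEku, ChainValid, ChainStatus, RootCA -AutoSize

# On the calling router: the user (Router Offline request) certificate, assumed to be in the
# personal store of the account under which Set credentials was run.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsCertificate -Certificate $_ -Role Client } |
    Where-Object Usable |
    Format-Table Thumbprint, Subject, NotAfter, RootCA -AutoSize
```

Run it on each side with the other side's root (and any intermediates) already imported; a row that has the EKU but ChainValid = False with a PartialChain or UntrustedRoot status is the import step on this page having been skipped.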
In the most common configuration, the VPN routers are placed behind the firewall on the perimeter network between your site and the Internet.

Deploying the Answering Router

Deploying the answering router for a site-to-site VPN connection consists of the following:

Configure the answering router's connection to the site. Do not configure a default gateway on the site connection; doing so creates a default route that conflicts with the default route pointing to the Internet.
Configure the Routing and Remote Access service as a VPN server by running the Routing and Remote Access Server Setup Wizard. If you additionally want to use the answering router as a network address translator (NAT), Web server, or other function, see Appendix B. If you also want the answering router to support dial-up site-to-site connections, click Dial-up. In VPN Connection, click the connection that corresponds to the interface connected to the Internet or your perimeter network, and then click Next. For IP address assignment, either keep automatic (DHCP-based) assignment or click From a specified range of addresses to use one or more static ranges of addresses. If any of the static address ranges is an off-subnet address range, routes must be added to the routing infrastructure in order for the virtual interfaces of calling routers to be reachable. When IP address assignment is complete, click Next, and then click Finish.
Configure a demand-dial interface.
By default, L2TP ports are also configured.

Configuring a Demand-dial Interface

From the Routing and Remote Access snap-in on the answering router, perform the following steps: In the console tree, right-click Network Interfaces, and then click New Demand-dial Interface. On the Interface Name page, type the name of the demand-dial interface, and then click Next.
On the Destination Address page, type the IP address of the calling router. For a two-way initiated router-to-router VPN connection, configure the IP address of the calling router. For a one-way initiated site-to-site VPN connection, you can skip this step because the answering router never uses this interface to initiate a connection to the calling router.

On the Protocols and Security page, select the Route IP packets on this interface and Add a user account so that a remote router can dial in check boxes, and then click Next. On the Static Routes for Remote Networks page, click Add to add the static routes assigned to the demand-dial interface as needed. On the Dial In Credentials page, type the password of the user account used by the calling router in Password and Confirm password, and then click Next. This step automatically creates a user account with the same name as the demand-dial interface being created. This is done so that when the calling router initiates a connection to the answering router, it uses a user account name that matches the name of a demand-dial interface, and the answering router can therefore determine that the incoming connection from the calling router is a demand-dial connection rather than a remote access connection.

On the Dial Out Credentials page, type the user name in User name, the user account domain name in Domain, and the user account password in both Password and Confirm password. For a two-way initiated router-to-router VPN connection, configure the name, domain, and password that this router uses when it is acting as the calling router. For a one-way initiated site-to-site VPN connection, you can type any name in User name and skip the rest of the fields, because this router never uses this interface to initiate a connection to the calling router. A user account with the same name as the demand-dial interface is automatically added with the correct account and dial-in settings.
Deploying the Calling Router

Deploying the calling router for a site-to-site VPN connection consists of the following:

Configure the calling router's connection to the site. If you additionally want to use the calling router as a network address translator (NAT), Web server, or other function, see Appendix B.
Configure the Routing and Remote Access service. If you also want the VPN router to support dial-up site-to-site connections, click Dial-up. If any of the static address ranges is an off-subnet address range, routes must be added to the routing infrastructure in order for the virtual interfaces of routers calling this router to be reachable.
Configure a demand-dial interface.
Configuring a Demand-dial Interface

From the Routing and Remote Access snap-in on the calling router, perform the following steps: In the console tree, right-click Network Interfaces, and then click New Demand-dial Interface. On the Interface Name page, type the name of the demand-dial interface. For a two-way initiated connection, this is the same name as the user name in the user credentials used by the answering router when it is acting as a calling router.

On the Destination Address page, type the IP address of the answering router. For a two-way initiated connection, select the Add a user account so that a remote router can dial in check box, and on the Dial In Credentials page type the password of the user account used by the answering router (acting as a calling router) in Password and Confirm password, and then click Next. This is done so that when the answering router acting as a calling router initiates a connection to this router, it uses a user account name that matches the name of a demand-dial interface, and this router can therefore determine that the incoming connection is a demand-dial connection rather than a remote access connection. On the Completing the demand-dial interface wizard page, click Finish. A user account with the same name as the demand-dial interface is automatically added with the correct account and dial-in settings, if needed.
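The rule that ties the sections above together is a naming one: the user name the calling router presents must equal the name of a demand-dial interface on the answering router for the connection to be classified as demand-dial, and the account behind that name must be one that can never prompt. The following is an added example, not part of the original page, that scripts the answering-router account, its dial-in permission, and the interface on each side with the ActiveDirectory and RemoteAccess PowerShell modules (Windows Server 2012 and later; the page itself describes the Windows Server 2003 wizard). The site name, addresses and subnets are made up; the exact argument values for Add-VpnS2SInterface (-EapMethod in particular) and the on-disk string format of msRADIUSFramedRoute are assumptions to check against Get-Help and against a value the GUI has written. The one-way initiated variant with static routes on the user account, described earlier on this page, is included as the commented alternative.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory and
# RemoteAccess modules; run each block on the router it is labelled for.

Import-Module ActiveDirectory
Import-Module RemoteAccess

$branchName   = 'Branch1'        # calling router's user name == answering router's interface name
$branchPublic = '203.0.113.10'   # calling router's Internet address (made up)
$branchSubnet = '10.2.0.0/16'    # subnet behind the calling router (made up)
$hqSubnet     = '10.1.0.0/16'    # subnet behind the answering router (made up)
$hqPublic     = '198.51.100.5'   # answering router's Internet address (made up)

function New-RandomSecret {
    # 192 bits from the CSPRNG as 32 base64 characters. The account is set to
    # Password never expires, so this is a long-lived secret: never use Get-Random for it.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}
$password = New-RandomSecret

# ---- Answering router (HQ) -------------------------------------------------------------
# 1. The account the calling router presents, with exactly the account options the page
#    requires for an unattended link.
New-ADUser -Name $branchName -SamAccountName $branchName `
    -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Description "Demand-dial account for calling router $branchName"

# 2. Dial-in permission. msNPAllowDialin absent = 'Control access through Remote Access
#    Policy'; $true = 'Allow access' (what the wizard sets); $false = 'Deny access'.
Set-ADUser -Identity $branchName -Replace @{ msNPAllowDialin = $true }

# 3a. Interface-based: an interface whose name equals the account name, so the incoming
#     connection is classified as demand-dial and the interface's routes are installed.
#     For a one-way initiated link the dial-out credentials here are never used.
Add-VpnS2SInterface -Name $branchName -Destination $branchPublic -Protocol IKEv2 `
    -AuthenticationMethod EAP -EapMethod 'EAP-MSCHAPv2' `
    -UserName 'unused' -Password (New-RandomSecret) `
    -IPv4Subnet @("$($branchSubnet):100")      # 'network/prefix:metric'

# 3b. One-way initiated alternative: create no interface on HQ and put the branch routes
#     on the account instead (Dial-in tab, Apply static routes). With no interface named
#     Branch1 the connection is treated as remote access and these routes are installed.
#     msRADIUSFramedRoute carries the RADIUS Framed-Route text 'network/prefix nexthop metric';
#     that format is an assumption here, compare with a value written by the GUI first.
# Set-ADUser -Identity $branchName -Replace @{ msRADIUSFramedRoute = @("$branchSubnet 0.0.0.0 1") }

# ---- Calling router (branch): $password is delivered out of band ----------------------
Add-VpnS2SInterface -Name 'HQ' -Destination $hqPublic -Protocol IKEv2 `
    -AuthenticationMethod EAP -EapMethod 'EAP-MSCHAPv2' `
    -UserName $branchName -Password $password `
    -IPv4Subnet @("$($hqSubnet):100") -Persistent

# Verify on either side: connection state and the routes the interface will install.
Get-VpnS2SInterface | Format-List Name, Destination, ConnectionState, IPv4Subnet
```

If the branch router is later renamed or a second interface is added, re-check the pairing: a mismatch between the user name and the interface name silently turns a demand-dial link into a remote access connection whose only routes are whatever is on the user account.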
Configure the primary IAS server on a domain controller, and configure the secondary IAS server on a different domain controller. This configuration must be done at each site containing an answering router. For branch offices with few computers and a single answering router, it is easier to configure the Routing and Remote Access service for Windows authentication and use locally configured remote access policies than to configure a separate IAS server computer.

Configuring Active Directory for User Accounts and Groups

To configure Active Directory for user accounts and groups, do the following: Ensure that all calling routers have a corresponding user account with the correct account and dial-in settings. This includes calling routers for branch offices and business partners. User accounts with the correct account and dial-in settings are automatically created when you select the Add a user account so that a remote router can dial in check box on the Protocols and Security page of the Demand-Dial Interface Wizard.
Organize the user accounts used by calling routers into the appropriate universal and nested groups to take advantage of group-based remote access policies.

Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. If the IAS server authenticates connection attempts for user accounts in other domains, verify that those domains have a two-way trust with the domain in which the IAS server computer is a member, and then configure the IAS server computer to read the properties of user accounts in the other domains. For more information about trust relationships, see the topic titled "Understanding Domains and Forests" in Windows Server Help and Support. If the IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains.

Enable file logging for accounting and authentication events. For more information, see the topic titled "Configure log file properties" in Windows Server Help and Support.

Add the VPN routers as RADIUS clients. If you identify them by name, use the internal name of the VPN router. Use strong shared secrets. Create remote access policies that reflect your remote access usage scenarios.

Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member, and then configure the secondary IAS server computer to read the properties of user accounts in the other domains. If those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains.

Export the configuration of the primary IAS server to a text file. This stores the configuration settings, including registry settings, in a text file; the path can be relative, absolute, or a network path. Copy the file to the secondary IAS server and import it there. If IAS is not installed on a domain controller, you must also configure the secondary IAS server computer to read the properties of user accounts in the domain.
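Two of the steps above are where practitioners most often go wrong: the "strong shared secret" and the configuration copy, which carries those secrets. The following is an added example, not part of the original page: it registers each VPN router as a RADIUS client with its own CSPRNG-generated secret (32 base64 characters, past the 22-character minimum this page recommends) and replicates the configuration to the secondary server, treating the export file as the secret it contains. The NPS module and the netsh nps context are those of Windows Server 2008 and later; the Windows Server 2003 IAS this page describes exposed the same export through the netsh aaaa context instead. Server names, addresses and the Add-RemoteAccessRadius usage on the router side are illustrative assumptions.

```powershell
# Added example, not from the original page. Run on the primary NPS server; requires
# the NPS module and WinRM access to the secondary server (named nps2 here, made up).

Import-Module NPS

function New-RadiusSharedSecret {
    # 192 random bits from the CSPRNG, rendered as 32 base64 characters. Get-Random is
    # not a CSPRNG and must not be used for secrets.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

# One secret per RADIUS client, so compromise of one router does not let an attacker
# forge Access-Requests (or read Access-Accepts) for the others. Addresses are the
# routers' internal addresses, not their Internet ones (made up).
$routers = @(
    @{ Name = 'VPN-HQ';      Address = '10.1.0.10' }
    @{ Name = 'VPN-Branch1'; Address = '10.2.0.10' }
)

$secrets = @{}
foreach ($r in $routers) {
    $secrets[$r.Name] = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $r.Name -Address $r.Address -SharedSecret $secrets[$r.Name]
}

# Deliver each secret to its router out of band and configure it there, for example on the
# answering router with the RemoteAccess module (illustrative; assumed usage):
#   Add-RemoteAccessRadius -ServerName nps1.corp.example -SharedSecret $secrets['VPN-HQ'] -Purpose Authentication
#   Add-RemoteAccessRadius -ServerName nps1.corp.example -SharedSecret $secrets['VPN-HQ'] -Purpose Accounting

# Replicate to the secondary server. exportPSK=YES writes every shared secret into the
# XML, so the file is as sensitive as the secrets themselves: keep it off shared paths,
# move it over an authenticated channel, and delete both copies after the import.
$export = Join-Path $env:TEMP 'nps-config.xml'
netsh nps export filename="$export" exportPSK=YES
Copy-Item -Path $export -Destination '\\nps2\c$\nps-config.xml'
Invoke-Command -ComputerName nps2 -ScriptBlock {
    netsh nps import filename="C:\nps-config.xml"
    Remove-Item -Path 'C:\nps-config.xml' -Force
}
Remove-Item -Path $export -Force
$secrets.Clear()   # do not leave the secrets in the session
```

Rotating a secret later is the same two calls in the opposite order of exposure: change it on the NPS side with Set-NpsRadiusClient, then on the router, and re-export so the secondary server is not left with the old value.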
Verify reachability from each VPN router, and configure routing for off-subnet address pools.

Configuring Routing on the VPN Routers

In order for your VPN routers to properly forward traffic to locations within the site in which they are located, you must configure them either with static routes that summarize all the possible addresses used in the site, or with routing protocols, so that the VPN router can participate as a dynamic router and automatically add routes for site subnets to its routing table. To add static routes, see the topic titled "Add a static route" in Windows Server Help and Support.

Configuring Routing for Off-subnet Address Pools

If you configured any of the VPN routers with a static address pool and any of the ranges within the pool is an off-subnet range, you must ensure that the route(s) representing the off-subnet address range(s) are present in your site routing infrastructure so that the virtual interfaces of calling routers can be reached. You can ensure this by adding static route(s) representing the off-subnet address range(s) to the neighboring router(s) of the VPN router(s), and then using the routing protocol of your site to propagate the route to other routers. When you add the static route(s), you must specify that the gateway or next-hop address is the site interface of the VPN router.

Deploying Intersite Network Infrastructure

Deploying the intersite network infrastructure consists of configuring each VPN router with the set of routes for subnets that are available in the other sites across each site-to-site VPN connection. This can be done in the following ways:

Manually configure static routes on each VPN router.
Perform auto-static updates on each VPN router.

CHAP does not send the password across the link; instead, it uses a challenge-response exchange with a one-way hash algorithm. It is an industry-standard protocol that can be used to authenticate non-Windows-based clients.
MS-CHAP version 2 provides strong encryption and separate encryption keys for sending and receiving data.
EAP-TLS requires the presence of a public key infrastructure (PKI).

Knowing the features and the differences among these authentication protocols is important for achieving success on the exam.
For example, if your remote access clients use smart card authentication, you need to enable EAP on the remote access server. In the Properties dialog box for the remote access server (shown in Figure 5.), clicking the Authentication Methods button on the Security tab opens the Authentication Methods dialog box, from which you can select the authentication protocols that are available on the server.

Figure 5. You configure authentication methods by clicking the Authentication Methods button on the Security tab.

When you have enabled the authentication protocols at the server level, you can use the Authentication tab in the policy's Properties dialog box (see Figure 5.) to control which of them connections matching that policy may use. To do so, click the Remote Access Policies container, right-click the appropriate policy within the Details pane, and click Properties. You can access the Authentication tab by clicking the Edit Profile button.

Figure 5. Configuring authentication methods in a remote access policy via the Authentication tab.

If you're sending sensitive data across the network, you might want to add another level of security by implementing some form of data encryption. The two types of encryption available are as follows:
Some older Microsoft operating systems do not support the stronger encryption level. To support these clients, you must allow the weaker level instead; otherwise, you should require the stronger level. Also keep in mind that the stronger level is supported only in North America. Encryption for a dial-up connection is configured at the policy level. Right-click the remote access policy within the Details pane for the Remote Access Policies container, open its Properties dialog box, click the Edit Profile button, and select the Encryption tab (see Figure 5.). Select one or more of the following encryption levels:

No Encryption. Select this option to allow remote access clients to connect without requiring any form of encryption.

Figure 5. Configuring the encryption level for a profile.

Windows 98 requires DUN 1. As your networks increase in size, you might need to implement multiple remote access servers.
To ease the administrative overhead of managing multiple RAS servers, you can implement a RADIUS server to centralize the authentication of remote access clients and the storage of accounting information. IAS provides the benefit of centralizing user authentication and centralizing the storage of auditing and accounting information collected from the RAS servers. Any authentication requests to the remote access server are sent to the server running IAS. Connection request-processing rules are configured to tell the IAS server where to forward the authentication request messages. Depending on the connection request-processing rules configured, some connection requests can be authenticated locally and others can be forwarded.

To install IAS: From the list of Windows components, select Networking Services and click the Details button. From the list of subcomponents, select Internet Authentication Service. Click OK, and then click Next.
A remote access policy enables you to control which users are permitted remote access to the network and to specify the characteristics of the connection. In terms of remote access, Windows 2000 introduced some major changes from Windows NT 4. One of these changes is the use of remote access policies. Before Windows 2000, remote access was controlled solely through the Properties dialog box of a user account.
The account options that affect Kerberos and delegation are the following:

Account is trusted for delegation. Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. In a forest that is set to the Windows Server functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

Account is sensitive and cannot be delegated. Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account must not be delegated by any other account.

Use DES encryption types for this account. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment.

Do not require Kerberos preauthentication. Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option.
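These four options are bits in the userAccountControl attribute, which is the most reliable place to audit them, since the Delegation tab is absent for accounts without an SPN and the check boxes are easy to miss one at a time. The following is an added example, not part of the original page, that queries the directory for the risky settings (unconstrained delegation, protocol transition, DES only, no preauthentication) and shows the corresponding remediation cmdlets. The bit values are the documented ADS_USER_FLAG constants; the ActiveDirectory module (Windows Server 2008 R2 and later) is assumed, and the account name in the remediation lines is made up.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module.

Import-Module ActiveDirectory

# Documented userAccountControl flag values (ADS_USER_FLAG_ENUM).
$UAC = @{
    TRUSTED_FOR_DELEGATION         = 0x00080000   # Trust this user for delegation to any service (unconstrained)
    NOT_DELEGATED                  = 0x00100000   # Account is sensitive and cannot be delegated
    USE_DES_KEY_ONLY               = 0x00200000   # Use DES encryption types for this account
    DONT_REQ_PREAUTH               = 0x00400000   # Do not require Kerberos preauthentication
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # Constrained delegation with protocol transition
}

function Test-UacFlag {
    param([int64]$Value, [int64]$Flag)
    ($Value -band $Flag) -ne 0
}

function Get-RiskyKerberosAccounts {
    # One LDAP query: the 1.2.840.113556.1.4.803 matching rule is a bitwise AND on the
    # server side, so the filter returns exactly the objects with any risky bit set,
    # plus anything configured for constrained delegation.
    $risky   = 'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH', 'TRUSTED_TO_AUTH_FOR_DELEGATION'
    $clauses = $risky | ForEach-Object { "(userAccountControl:1.2.840.113556.1.4.803:=$($UAC[$_]))" }
    $filter  = '(|' + ($clauses -join '') + '(msDS-AllowedToDelegateTo=*))'

    Get-ADObject -LDAPFilter $filter `
        -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo', adminCount |
      ForEach-Object {
        $uac = [int64]$_.userAccountControl
        [pscustomobject]@{
            Name               = $_.Name
            Class              = $_.ObjectClass            # computers carry these bits too
            Unconstrained      = Test-UacFlag $uac $UAC.TRUSTED_FOR_DELEGATION
            ProtocolTransition = Test-UacFlag $uac $UAC.TRUSTED_TO_AUTH_FOR_DELEGATION
            ConstrainedTargets = @($_.'msDS-AllowedToDelegateTo').Count
            Sensitive          = Test-UacFlag $uac $UAC.NOT_DELEGATED
            DesOnly            = Test-UacFlag $uac $UAC.USE_DES_KEY_ONLY
            NoPreauth          = Test-UacFlag $uac $UAC.DONT_REQ_PREAUTH
            HasSpn             = @($_.servicePrincipalName).Count -gt 0
            Protected          = ($_.adminCount -eq 1)     # a privileged account with any of these is the worst case
        }
      }
}

Get-RiskyKerberosAccounts | Sort-Object Unconstrained, NoPreauth -Descending | Format-Table -AutoSize

# Remediation for the usual findings (account name made up):
# DES-only and no-preauth on a service account that does not actually need them.
Set-ADAccountControl -Identity 'svc-legacy' -UseDESKeyOnly $false -DoesNotRequirePreAuth $false

# High-value administrators marked sensitive, so a service trusted for delegation
# can never reuse their tickets.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Set-ADAccountControl -AccountNotDelegated $true
```

Domain controllers legitimately show Unconstrained = True; any other computer or user account in that column deserves a ticket of its own.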
Note that domain controllers running Windows or Windows Server can use other mechanisms to synchronize time. After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers.

You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and on that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner.
For more information about creating and managing local user accounts in Active Directory, see Manage Local Users. You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network. You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool.
For more information, see Microsoft Security Compliance Manager. Some of the default local user accounts are protected by a background process (the Security Descriptor Propagator, SDProp) that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains the security information that is associated with a protected object; the template that SDProp applies is the security descriptor on the AdminSDHolder object, and the objects it has stamped carry the adminCount attribute set to 1.
This means that when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object; otherwise SDProp overwrites your change on its next pass. This approach ensures that the permissions are applied consistently.
Be careful when you make these modifications, because this action also affects the default settings that are applied to all of your protected administrative accounts. Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best-practices approach. Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users.
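The following script is an added example, not code from the original page or from Microsoft. It audits the AdminSDHolder mechanism described above: it reads the ACL on AdminSDHolder, enumerates every object with adminCount=1, and reports which objects carry ACEs that differ from the template (those are the changes SDProp will remove on its next run) and which objects are stale (still flagged after leaving a protected group). It assumes the ActiveDirectory RSAT module is available on a domain-joined administrative host and that the caller can read the directory; the function and variable names are the example's own.

```powershell
# Added example (not part of the original page): audit AdminSDHolder-protected objects.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain partition.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Flatten each ACE into a single comparable string so the template and the
# object ACLs can be diffed with Compare-Object.
function Get-AceKeys([string]$dn) {
    (Get-Acl -Path "AD:\$dn").Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.InheritanceType, $_.ObjectType
    } | Sort-Object -Unique
}

# The template that SDProp stamps onto every protected object (by default every 60 minutes).
$holderKeys = Get-AceKeys $holderDN

# adminCount=1 marks objects SDProp has protected at least once. The attribute is not
# cleared when an account leaves a protected group, so stale entries are common and
# worth reviewing: they keep a restrictive ACL and blocked inheritance forever.
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf

$report = foreach ($obj in $protected) {
    $acl     = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $objKeys = Get-AceKeys $obj.DistinguishedName
    # '=>' = ACE present on the object only (SDProp will strip it on its next pass).
    # '<=' = ACE present on AdminSDHolder only (SDProp has not run since the template changed).
    $diff = Compare-Object -ReferenceObject $holderKeys -DifferenceObject $objKeys

    [pscustomobject]@{
        Name               = $obj.Name
        ObjectClass        = $obj.ObjectClass
        InheritanceBlocked = $acl.AreAccessRulesProtected   # SDProp sets this to $true
        ExtraAces          = @($diff | Where-Object { $_.SideIndicator -eq '=>' }).Count
        MissingAces        = @($diff | Where-Object { $_.SideIndicator -eq '<=' }).Count
        # A user with adminCount=1 but no group membership at all is a candidate stale entry.
        NoGroups           = ($obj.ObjectClass -eq 'user' -and -not $obj.memberOf)
    }
}

$report | Sort-Object ExtraAces -Descending | Format-Table -AutoSize
```

Rows with ExtraAces greater than zero are exactly the permissions that will silently disappear: if you meant them to stay, the ACE has to be added to AdminSDHolder itself, which then applies it to every protected object. Rows with NoGroups set are the usual leftovers from temporary privileged membership; clearing adminCount and re-enabling inheritance on those objects is a manual step, since SDProp never undoes its own protection.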
It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure. Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit.
Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are not secured at the same level as the managed systems; any host where such an account signs in holds its credentials in memory for the duration of the session and becomes a path to the whole domain.
When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit. Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation.
As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them. Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur. Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations.
Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines.
Privileged account. Allocate administrator accounts to perform the following administrative duties only. Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest. Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers.
Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units OUs. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels. Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities.
Standard user account. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business LOB applications. These accounts should not be granted administrator rights. Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section.
Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks.
Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see Separate administrator accounts from user accounts. If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task.
Build dedicated administrative workstations and block Internet access on those workstations, including web browsing and email. Use the following ways to block Internet access. Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet. Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations.
Do not grant administrators membership in the local Administrators group on the computer, so that the administrator cannot bypass these protections. Restrict the workstations from having any network connectivity, except to the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications.
The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations.
These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings; software that ignores the system proxy is not affected, which is why the firewall-based restrictions above should be applied as well. In this procedure, the workstations are dedicated to domain administrators. By modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs for administrators that have fewer administrative rights and apply the same procedure to them.
As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations. You might have to delegate permissions to join computers to the domain, by using KB, if the account that joins the workstations to the domain does not already have permissions to join computers to the domain.
Configure which members of accounts can log on locally to these administrative workstations as follows:
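The script below is an added example, not code from the original page or from Microsoft. It performs the same procedure from PowerShell: it creates the administrative-workstation OU, builds a GPO that sets an unreachable proxy for Internet Explorer and the WinINet-based components that honour it, locks the proxy settings so a user cannot change them, and links the GPO, enforced, to the OU. It also shows the stricter variant from the earlier list, a Windows Firewall policy in the same GPO that blocks all outbound traffic except to the domain controllers and the managed servers. The OU name, GPO name, proxy address and managed-server range are assumptions; it requires the ActiveDirectory, GroupPolicy and NetSecurity modules on a domain-joined administrative host.

```powershell
# Added example (not part of the original page): OU + "invalid proxy" GPO for admin workstations.
# Assumes RSAT modules ActiveDirectory, GroupPolicy and NetSecurity; names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module NetSecurity

$domain   = Get-ADDomain
$ouName   = 'Admin Workstations'            # assumed OU name
$ouDN     = "OU=$ouName,$($domain.DistinguishedName)"
$gpoName  = 'AdminWS - Block Internet'      # assumed GPO name
$badProxy = '127.0.0.1:80'                  # nothing listens here, so proxied HTTP(S) fails closed
$managed  = @('10.0.10.0/24')               # assumed address range of the servers being managed

# 1. OU that will hold the dedicated administrative workstations.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# 2. GPO with the invalid proxy (per-user settings read by IE and WinINet components).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Invalid proxy and outbound lockdown for admin workstations'
}
$ieKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $ieKey -ValueName 'ProxyEnable' -Type DWord  -Value 1         | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ieKey -ValueName 'ProxyServer' -Type String -Value $badProxy | Out-Null

# "Prevent changing proxy settings" so the logged-on user cannot undo the above.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# 3. Stricter variant: firewall policy in the same GPO. Default-deny outbound, then allow
#    only the domain controllers (LDAP, Kerberos, DNS, SMB) and the managed servers.
#    Anything that ignores the proxy setting is still stopped here.
$store       = "$($domain.DNSRoot)\$gpoName"
$dcAddresses = @((Get-ADDomainController -Filter *).IPv4Address)
Set-NetFirewallProfile -PolicyStore $store -Profile Domain, Private, Public `
    -Enabled True -DefaultOutboundAction Block
if (-not (Get-NetFirewallRule -PolicyStore $store -DisplayName 'AdminWS allow DCs and managed servers' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -PolicyStore $store -DisplayName 'AdminWS allow DCs and managed servers' `
        -Direction Outbound -Action Allow -RemoteAddress ($dcAddresses + $managed) | Out-Null
}

# 4. Link the GPO to the OU and enforce it so a lower-level link cannot override it.
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Show what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $ieKey | Format-Table ValueName, Value -AutoSize
```

Two caveats a practitioner should keep in mind. The proxy entries are per-user values, so the GPO must be linked where the administrator user objects are processed, or loopback processing must be enabled on the workstation OU; the firewall policy is per-computer and applies to the OU as shown. And the default-deny outbound rule takes effect as soon as the policy refreshes, so confirm the DC and managed-server addresses are complete before linking, or the workstation will lose the very management paths it was built for.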