pc micro systems


Using Microsoft Remote Access Service (RAS)

Microsoft RAS is a feature of the Windows Server family, and is included in all versions of Windows Server. A limited version of RAS is also included in non-server editions of Windows, including Windows 7, XP and Vista. RAS allows remote dial-up clients to connect to a Local Area Network using analog phone lines or ISDN lines. A typical use would be by an ISP (Internet Service Provider) to allow users to dial in to their LAN, or by a corporate network administrator to allow their users to connect to the corporate LAN from remote sites. The remote clients connect to RAS using the TCP/IP protocol encapsulated in the Point-to-Point Protocol (PPP), which allows the remote client to access the LAN as if it were plugged directly into it.

A RAS Server will typically have either multiple analog phone lines, or one or more T1, E1, or ISDN-BRI lines for the incoming calls. When a large number of telephone lines are required, they are usually provided by the phone company in bundles of lines known as 'T1 ISDN-PRI' or 'E1 ISDN-PRI' lines. A T1 contains 23 phone lines, and an E1 contains 30 phone lines. An ISDN-BRI only contains two phone lines. These lines will either connect to digital modems, which can support both analog and digital calls, or they will connect to analog modems. Digital modems require a digital connection from the telephone company (T1, E1, or single ISDN-BRI lines). If you use analog modems on your RAS server, the maximum speed is 33.6k rather than 56k, because 56k speeds require one end of the connection to be a digital modem.

Building a Microsoft Remote Access Service (RAS) server can be very simple, but there are some security precautions that need to be addressed before you begin. The RAS server is responsible for verifying that the user is really who they claim to be, and granting them access. A RAS Server is a common target for hackers who may wish to break into your network, or who just happened to find it while war-dialing a range of phone numbers. Once a hacker locates a phone number for your RAS Server, the most common method of breaking in is to guess common usernames such as 'Administrator' and try thousands of passwords using a script and a dictionary file. Therefore you should always use passwords that are a combination of letters and numbers, rather than plain words.
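The dictionary attack described above leaves a recognizable trail of failed logons against one account. The following is an added example, not part of the original page: it flags such bursts and any successful logon that follows one. The log layout, field names and thresholds are assumptions made for illustration and are not a real RAS log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical layout (not a real RAS log format).
SAMPLE_LOG = """\
2007-03-01 02:14:01 FAIL user=Administrator caller=5550100
2007-03-01 02:14:09 FAIL user=Administrator caller=5550100
2007-03-01 02:14:17 FAIL user=administrator caller=5550100
2007-03-01 02:14:25 FAIL user=Administrator caller=5550100
2007-03-01 02:14:33 FAIL user=Administrator caller=5550100
2007-03-01 02:14:41 FAIL user=Administrator caller=5550100
2007-03-01 02:15:02 OK user=Administrator caller=5550100
2007-03-01 08:30:10 FAIL user=jsmith caller=5550123
2007-03-01 08:30:40 OK user=jsmith caller=5550123
"""

def parse(line):
    """Split one record into a dict with ts, ok, user and caller."""
    date, clock, result, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    rec["ok"] = result == "OK"
    return rec

def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (kind, user, caller, timestamp) alerts for password-guessing bursts."""
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse(line)
        user = rec["user"].lower()  # Windows account names are case-insensitive
        fails = recent[user]
        while fails and rec["ts"] - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if rec["ok"]:
            if len(fails) >= threshold:  # a guess may have worked: review this logon
                alerts.append(("success_after_guessing", user, rec["caller"], rec["ts"]))
            fails.clear()
        else:
            fails.append(rec["ts"])
            if len(fails) == threshold:  # alert once when the burst crosses the line
                alerts.append(("password_guessing", user, rec["caller"], rec["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

A single mistyped password followed by a success, as in the jsmith records, raises no alert.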

If your users always dial in from a specific phone number, then one of the best methods of securing your RAS is a function known as 'call back'. When a particular user dials in, they log in with their username and password, and then the server disconnects them and immediately calls them back on their pre-defined phone number. This makes it virtually hack proof, even if the user's password was ever breached.

If your users need to dial in while they are traveling, then good security becomes more complex. For maximum security in this situation, a third-party token-based system could be used, in which users need to have a PIN and also a token. The token is either a device or a program that generates a key which changes every minute, and only the token and the server know the sequence in which it changes. The most popular token-based system is RSA SecurID.
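How a server can check a PIN plus a code that changes every minute, as an added example that is not part of the original page. RSA SecurID uses its own algorithm; this sketch substitutes the open RFC 6238 TOTP scheme, and the account record, function names, seed, salt and PIN are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the one-minute change described above

def token_code(seed, now, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code shown for the time step containing `now`."""
    counter = int(now) // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_account(seed, pin, salt=b"constructed-salt"):
    """Hypothetical server-side record: shared seed, salted PIN hash, last accepted step."""
    return {"seed": seed, "salt": salt, "pin_hash": pin_hash(pin, salt), "last_step": -1}

def verify_login(account, pin, code, now, drift=1):
    """Accept only a correct PIN plus an unused code from the current step (+/- drift)."""
    pin_ok = hmac.compare_digest(pin_hash(pin, account["salt"]), account["pin_hash"])
    current = int(now) // STEP
    matched = None
    for step in range(max(current - drift, 0), current + drift + 1):
        expected = token_code(account["seed"], step * STEP)
        # Steps at or before last_step were already used: reject replayed codes.
        if step > account["last_step"] and hmac.compare_digest(
                expected.encode(), code.encode()):
            matched = step
    if pin_ok and matched is not None:
        account["last_step"] = matched
        return True
    return False

if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test seed, not a real secret
    account = make_account(seed, "4821")
    print(verify_login(account, "4821", token_code(seed, 75), now=75))  # True
    print(verify_login(account, "4821", token_code(seed, 75), now=80))  # False: replay
```

Because a guessed password or PIN alone never satisfies `verify_login`, the dictionary attack described earlier fails unless the attacker also holds the token.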

Once a user dials in, they are assigned an IP address on the network, which can be done by the RAS server, or by a separate DHCP server on the network.

You will need to choose either 'workgroup' security, or the more advanced 'domain' type of security. Workgroup security is very basic and harder to administer, and the domain method is more secure. A domain controller maintains a list of users, and you can configure which ones are allowed dial-in access, what days and times they are allowed in, and set an optional call-back number. On a larger network you might want to consider using IAS, which is a RADIUS-based security system included with Windows Server 2000 or 2003. RADIUS stands for Remote Authentication Dial-In User Service. The IAS in the standard edition of Windows Server 2003 supports a maximum of 50 RADIUS clients, so if you need support for more clients you will need Windows Server 2003 Enterprise Edition or Datacenter Edition, or you can use a third-party RADIUS solution. There is an excellent open source FreeRADIUS Server designed for Linux which can also be run under Windows using Cygwin, MinGW32, or the Microsoft Windows Services for Unix. There is a precompiled Windows Cygwin distribution available from FreeRADIUS.net.

If you wish to allow your network users to dial out on the same pool of modems which RAS uses for inbound connections, you can install a third-party modem pooling server such as NetModem, which is designed to co-exist with RAS.

Detailed information on how to configure Microsoft RAS policies and security features can be found on the Microsoft TechNet Windows Server 2003 Deployment guide, under the sections titled:
Setting up Dial-up Remote Access
Deploying Dial-up and VPN Remote Access Services



Copyright © 1995 - 2007 pcmicro.com    All rights reserved