FTP and RRAS (VPN) services best practices / locations? PPTP secur


Guest markm75
Posted

I'm trying to restructure our domain.. and I believe I have had the FTP service in a "bad" location prior..

Prior to now.. it was installed on a domain (member) server.. I used a dummy account to provide access to the directory though..

Now I've virtualized a lot of the infrastructure and created an "edge" server, which is not joined to the domain.

It is my belief that the FTP service should reside here. On this edge server (virtual).. I have two NICs, but one isn't in use and the other has a local IP address to our network. So for now I'm not using a public IP address, but I'm guessing I probably should assign a public IP to the one NIC?

My other question relates to the placement of our RRAS service which supplies access to PPTP VPN; as of now it resides on a member server.. using the single NIC on that system etc..

Is this location OK? What about moving it to the edge server? I'm not sure how this would work over there, as once they connect, they need access to the domain.. I'm guessing I could set up a one-way VPN.. but wouldn't this technically compromise the FTP security?

Also.. any thoughts on how to "secure" the PPTP connection, so the passwords aren't sent in clear text.. i.e. with a certificate (not sure how this would work)..

Thanks in advance

Guest James McIllece [MS]
Posted

Re: FTP and RRAS (VPN) services best practices / locations? PPTP secur

 

markm75 <markm75@discussions.microsoft.com> wrote in news:DBE59A43-750C-4E95-AF51-59D3C19A0DBE@microsoft.com:

> I'm trying to restructure our domain.. and I believe I have had the FTP service in a "bad" location prior..
>
> Prior to now.. it was installed on a domain (member) server.. I used a dummy account to provide access to the directory though..
>
> Now I've virtualized a lot of the infrastructure and created an "edge" server, which is not joined to the domain.
>
> It is my belief that the FTP service should reside here. On this edge server (virtual).. I have two NICs, but one isn't in use and the other has a local IP address to our network. So for now I'm not using a public IP address, but I'm guessing I probably should assign a public IP to the one NIC?
>
> My other question relates to the placement of our RRAS service which supplies access to PPTP VPN; as of now it resides on a member server.. using the single NIC on that system etc..
>
> Is this location OK? What about moving it to the edge server? I'm not sure how this would work over there, as once they connect, they need access to the domain.. I'm guessing I could set up a one-way VPN.. but wouldn't this technically compromise the FTP security?
>
> Also.. any thoughts on how to "secure" the PPTP connection, so the passwords aren't sent in clear text.. i.e. with a certificate (not sure how this would work)..
>
> Thanks in advance
>

You can place the VPN server on the perimeter network as long as there is a firewall in front of it, but it needs two NICs (public/private).

I believe there is good information in the RRAS Help about this subject.

The most secure VPN connections are L2TP/IPsec connections, which require the deployment of Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), or EAP-TLS.

EAP-TLS uses a server certificate on the IAS server and client computer certificates on client computers or on smart cards.

If the people connecting are doing so through non-domain-member computers, smart cards would be the best choice, though they are more difficult and costly to deploy.

If users connect with domain member computers, you can autoenroll user and client computer certificates to users and clients.

You can deploy both server and client/user certificates using Certificate Services; however, the certificates must meet the minimum certificate requirements. The following Help topic provides these requirements and also discusses other issues related to deploying certs:

"Network access authentication and certificates" in Windows Server 2003 IAS or VPN Help, or on the web at
http://technet2.microsoft.com/windowsserver/en/library/9d8b61c9-a870-4627-a8f2-148625fd7fba1033.mspx

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
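A check for the server-side certificate requirements the reply points to, as an added example that is not part of this thread and not Microsoft's own tooling. It assumes the requirements listed in the comments (taken from Microsoft's published EAP-TLS certificate guidance rather than from this page) and inspects the local machine personal store on the IAS/VPN server with PowerShell.

```powershell
# Added example (not from the thread): audit a server certificate in the local
# machine store against the EAP-TLS server-certificate requirements.
# Assumed requirements (Microsoft's EAP-TLS certificate guidance, not quoted on
# this page): Server Authentication EKU, non-empty subject, private key present,
# currently valid, and a chain to a root CA the machine trusts.
function Test-EapTlsServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

    # Pull the Enhanced Key Usage extension (OID 2.5.29.37), if present.
    $eku = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        Select-Object -First 1
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $serverAuthOid })
    }

    $now = Get-Date
    $checks = [ordered]@{
        Thumbprint          = $Cert.Thumbprint
        Subject             = $Cert.Subject
        SubjectNotEmpty     = -not [string]::IsNullOrWhiteSpace($Cert.Subject)
        ServerAuthEku       = $hasServerAuth
        HasPrivateKey       = $Cert.HasPrivateKey
        CurrentlyValid      = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        # Verify() builds the chain with the machine's trust store and default
        # policy (revocation checked where reachable): the "trusted root" test.
        ChainsToTrustedRoot = $Cert.Verify()
    }
    $checks.Suitable = $checks.SubjectNotEmpty -and $checks.ServerAuthEku -and
        $checks.HasPrivateKey -and $checks.CurrentlyValid -and $checks.ChainsToTrustedRoot
    [pscustomobject]$checks
}

# Usage: audit every certificate in the machine personal store; rows with
# Suitable = True are the candidates to bind to EAP-TLS on the IAS server.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsServerCertificate -Cert $_ } |
    Format-Table Subject, ServerAuthEku, HasPrivateKey, CurrentlyValid,
        ChainsToTrustedRoot, Suitable -AutoSize
```

A certificate that fails only ChainsToTrustedRoot usually means the issuing CA's root is not in the machine's Trusted Root store, which VPN clients would also reject.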
