Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



13.4.2. Call-Back Security

RAS Server has the capability to automatically disconnect a remote user after he has connected and then call that user back. You can enable this feature with the Remote Access Administrator utility shown in Figure 13.10.


Figure 13.10.  Enable call-back security with the Remote Access Administrator.

In this window, highlight the RAS Server you want to administer, and select Permissions from the Users menu. This will open the Remote Access Permissions dialog box shown in Figure 13.11.


Figure 13.11.  Set user permissions in the Remote Access Permissions dialog box.

You set permissions on a user-by-user basis. You have a choice of two call-back methods to use. The first is Set By Caller. This option provides for a small amount of security because your company’s phone bill should reflect the numbers dialed by the RAS Server.

The Set By Caller option also is useful if you want your company rather than your remote users to bear any charges for long distance calls.

Note that call-back security is within the scope of the NT Server exam. You must know how to enable it and what it is.

The second callback option available is Preset to:. This option provides a greater security advantage because it enables you to set a predetermined number at which a particular user will be called back. If you set this option, no one will be able to dial in to the network from a different location and impersonate that user.
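The difference between the two call-back methods, as an added example that is not from the book: a small Python model of the per-user permission entries, showing which number the server dials back and which dial-in accounts are not tied to a predetermined number. The record layout, account names and phone numbers are constructed for illustration; this is not a RAS API.

```python
# Added illustration: a model of the RAS call-back options, not a RAS API.
# All account names and phone numbers below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

NONE, SET_BY_CALLER, PRESET_TO = "none", "set-by-caller", "preset-to"

@dataclass
class DialInEntry:
    user: str
    dial_in: bool                 # "Grant dial-in permission" setting
    callback: str = NONE          # call-back method, if any
    preset: Optional[str] = None  # number stored for "Preset to:"

def number_to_call_back(entry, caller_supplied):
    """Return the number the server dials after disconnecting, or None."""
    if not entry.dial_in:
        raise PermissionError(f"{entry.user}: dial-in not granted")
    if entry.callback == PRESET_TO:
        if not entry.preset:
            raise ValueError(f"{entry.user}: Preset to: has no number")
        return entry.preset       # the number the caller claims is ignored
    if entry.callback == SET_BY_CALLER:
        return caller_supplied    # caller chooses; only the phone bill records it
    return None                   # no call-back: the original call continues

def review(entries):
    """List dial-in accounts that are not bound to a predetermined number."""
    findings = []
    for e in entries:
        if not e.dial_in:
            continue
        if e.callback != PRESET_TO:
            findings.append((e.user, e.callback))
        elif not e.preset:
            findings.append((e.user, "preset-to without number"))
    return findings

SAMPLE = [
    DialInEntry("adavis", True, PRESET_TO, "555-0100"),
    DialInEntry("bsmith", True, SET_BY_CALLER),
    DialInEntry("cjones", True),
    DialInEntry("dlee", False),
]

if __name__ == "__main__":
    for user, reason in review(SAMPLE):
        print(f"{user}: dial-in granted, call-back = {reason}")
```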

13.4.3. Allowing Access to Your Network

As mentioned in the section “Choosing LAN Protocols,” you can determine whether RAS Server enables remote users to access your entire network or only the machine on which RAS is installed (see Figures 13.6 through 13.8). Although you cannot select this option for each user, you can select it for each protocol, and thus you can allow different users access to different parts of your network. This option is discussed in more detail in the section titled “Routing via RAS.”

13.4.4. Forcibly Disconnecting a Remote User

Using RAS Server, you also can forcibly disconnect a user who is connected to your network. You do this by using the Remote Access Administrator (refer to Figure 13.10). Choose the server for which you want to view the active users, and select Active Users from the Users menu. This brings up the Remote Access Users dialog box. From here you can disconnect users, view users’ account information, and send messages to connected users.

13.4.5. Third-Party Solutions

You also can use various third-party security enhancements (such as encrypters/decrypters and enhanced authentication devices) in conjunction with the RAS Server. These typically are installed between the connection device and the RAS Server.

13.5. Granting Dial-In Access

When you install the RAS service, two programs install with it: Dial-Up Networking Monitor and Remote Access Administrator. Dial-Up Networking Monitor is discussed in detail in the section “RAS Performance Monitoring.” Remote Access Administrator (refer to Figure 13.10) is the utility you use to grant dial-in permissions.

From the Users menu of Remote Access Administrator, choose Permissions. This brings up the Remote Access Permissions dialog box (refer to Figure 13.11). In the window titled Users, you see a list of users configured on your server. For each user, you can choose to Grant dial-in permission. You also may set the call-back procedure, if any, for each user for whom you grant dial-in permission. (This is discussed in detail in the section titled “Configuring RAS Security.”) Note also the Grant All and Revoke All buttons to the right of the Users list. These buttons enable you to grant or revoke dial-in access to all users in the Users list.

You also may grant dial-in access by using User Manager for Domains. By viewing the User Account properties for any user and then selecting Dial-in, you can enable dial-in permissions for that user.

If you have not already enabled security auditing using the User Manager for Domains utility, you might consider doing so. Opening up your network to dial-in access dramatically increases the potential for security violations. Auditing, combined with the judicious granting of dial-in access, is a powerful step toward ensuring network security.

Auditing your resources also can be a valuable troubleshooting tool because you can view a record of the successes and failures of certain resource access. Be careful, however, that when you enable auditing you enable auditing of only those items you really must track. Auditing increases the overhead on a system, thus slowing performance.

Although RAS security is not featured much in the NT Server exam, you must know a few points. Know that the RAS server allows encrypted NT authentication, thus allowing NT to extend its single logon feature to RAS clients. Know that you can audit a RAS client just as with any other user. Finally, know that you can set the call-back for particular users.

13.6. RAS Performance Monitoring

Monitoring the performance of your RAS Server provides two very important services. First, if you are familiar with the way in which your network normally operates, you can be more certain of spotting and correcting problems before they grow out of hand. Second, regular monitoring of your network also can help you identify the capacity of your current configuration and help you make an informed decision when you must increase this capacity. Two primary tools are available for monitoring the performance of your RAS Server:

  Dial-Up Networking Monitor
  Performance Monitor

13.6.1. Dial-Up Networking Monitor

The Dial-Up Networking Monitor utility runs automatically at any time there is a connection to the RAS Server. It usually runs in a minimized state, but double-clicking its icon in the taskbar brings up the window shown in Figure 13.12.


Figure 13.12.  Quickly view the current connections to each device configured for your RAS server in the Dial-Up Networking Monitor.

