23.5. Best Practices

  • Allow only MS-CHAPv2 or EAP-TLS authentication for remote access clients. Only MS-CHAPv2 and EAP-TLS allow mutual authentication between VPN client and authentication server. In addition, MS-CHAPv2 and EAP-TLS provide the strongest protection for a user’s credential information.

  • Allow only strong encryption for remote access clients. Ensure that the remote access policy enforces the strongest form of encryption so that connections use 128-bit MPPE for PPTP connections, Advanced Encryption Standard (AES) for L2TP/IPsec connections, or 128-bit SSL for SSTP connections.

  • Create separate remote access policies for VPN access. Do not try to create an all-in-one remote access policy for VPN and dial-up connections. Create separate remote access policies for each application, and ensure that the policy conditions do not overlap.


    Note:

    If the policy conditions overlap, you must order the remote access policies so that the desired policy is applied to the correct users. For example, if you have one remote access policy applied to Domain Admins and another applied to Domain Users, you must place the remote access policy applied to Domain Admins higher in the remote access policy listing. This ensures that an administrator, who is a member of both Domain Admins and Domain Users, has the Domain Admins policy applied to his or her connection.


  • Deploy IPsec certificates to all VPN servers and clients if deploying L2TP/IPsec. Create a version 2 certificate template based on the IPsec certificate template to enable autoenrollment of the certificates to client computers running Windows Vista and Windows XP.

  • Implement RADIUS for all remote access authentication and accounting. RADIUS allows centralized administration of all remote access policy and collection of VPN connection activity logs. Also, configure both primary and secondary RADIUS servers for all VPN devices so that VPN connectivity still succeeds if a single RADIUS server fails.

  • Deploy RAS and IAS Server certificates to all RADIUS servers. If you use Windows Server 2008 NPS servers, you can deploy the RAS and IAS Server certificates by using autoenrollment. This server certificate is required for EAP-TLS mutual authentication.

  • Deploy a Web Server certificate to the SSTP VPN Server. The Web Server certificate allows you to provide a custom subject name, matching the DNS name used by the clients to connect to the VPN server.

  • Do not use preshared keys for IPsec authentication; use only certificate-based authentication. Although it is possible to configure L2TP/IPsec to use preshared keys for authentication, the risks are high. If a single laptop is compromised, an attacker could gain access to the preshared key and use the preshared key from other computers to connect to the corporate network.

  • Use smart cards for user certificate-based authentication to provide the strongest protection of user credentials. A smart card provides additional security by applying two-factor protection. An attacker must gain access to both the smart card and the PIN to access the network.

  • Implement a custom application policy OID in the user authentication certificates, and require the existence of the application policy OID in the remote access policy. The implementation of a custom application policy OID increases security by requiring the authentication certificate to contain the application policy OID. Use of a custom application policy OID limits authentication only to the designated certificate.
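The note above on ordering overlapping policies is easy to get wrong, so here is an added example (not from the book, and not NPS code) that simulates first-match evaluation of an ordered remote access policy list. The policy names, group names and settings are constructed for illustration.

```python
# Constructed simulation of first-match remote access policy evaluation.
# A connection is evaluated against policies in listed order; the first
# policy whose conditions match wins, so ordering decides which settings
# an administrator who is in both Domain Admins and Domain Users receives.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset        # user must belong to at least one of these groups
    conn_types: frozenset    # connection types the policy applies to ("VPN", "Dialup")
    auth_methods: frozenset  # permitted authentication methods
    encryption: str          # required encryption level (label only)

    def matches(self, user_groups, conn_type):
        return conn_type in self.conn_types and bool(self.groups & user_groups)


def evaluate(policies, user_groups, conn_type):
    """Return the first matching policy, or None when no policy grants access."""
    for policy in policies:
        if policy.matches(frozenset(user_groups), conn_type):
            return policy
    return None


def overlapping_pairs(policies):
    """Policy pairs that can both match one connection (shared connection type).

    Because a user may belong to several groups, group conditions alone do
    not separate policies; only disjoint connection types do.
    """
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.conn_types & b.conn_types:
                pairs.append((a.name, b.name))
    return pairs


# Constructed policies: separate VPN and dial-up policies, as the chapter advises.
ADMIN_VPN = Policy("Domain Admins VPN", frozenset({"Domain Admins"}),
                   frozenset({"VPN"}), frozenset({"EAP-TLS"}), "AES")
USER_VPN = Policy("Domain Users VPN", frozenset({"Domain Users"}),
                  frozenset({"VPN"}), frozenset({"EAP-TLS", "MS-CHAPv2"}), "MPPE-128")
DIALUP = Policy("Dial-up", frozenset({"Domain Users"}),
                frozenset({"Dialup"}), frozenset({"MS-CHAPv2"}), "MPPE-128")
ADMIN_USER = {"Domain Admins", "Domain Users"}  # an administrator is in both groups
```

Run `evaluate([ADMIN_VPN, USER_VPN], ADMIN_USER, "VPN")` and then the same call with the list reversed to see the administrator receive different policies; `overlapping_pairs` flags which policies need deliberate ordering.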
