Book Excerpt:

Use IAS to Centralize Authentication, Accounting and Authorization

17 Mar 2005 | McGraw-Hill/Osborne


Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications."




The Internet Authentication Service is the Microsoft implementation of RADIUS. When IAS is added to a network, it can provide centralized authentication, authorization, and auditing for remote access. Remote access policies are configured on the IAS server and manage policy for all RRAS servers configured to use the IAS server. (If remote access policies exist on the RRAS server, only the IAS remote access policies will be used.)

Harden the IAS server as you would the RRAS server. In addition, harden authentication and communications between RRAS and IAS servers.

Harden RADIUS/RRAS Authentication

When IAS is used for authentication, a shared secret must be configured on the RRAS and IAS servers and is used to authenticate connections between them. Use a long shared secret (22 characters or more) composed of a random sequence of letters, numbers, and punctuation and change it often. Use a different shared secret for each RADIUS client and RADIUS server pair, and for each RADIUS proxy and RADIUS server pair. (This will not be possible if you specify RRAS servers by IP address range.)

Provide RADIUS Message Authentication and Integrity

Use the Message Authenticator Attribute to protect IAS from spoofed IP addresses. RRAS servers are identified in the IAS properties and used to determine which RRAS servers can connect to IAS. When the Message Authenticator Attribute is used, an MD5 hash of the RADIUS message is made using the shared secret as a key. The IAS server can therefore determine that the message came from an RRAS server with knowledge of the shared secret, not just a server with one of the approved IP addresses. This also guarantees the integrity of the message.

The RADIUS Message Authenticator Attribute is configured on the property page of the RADIUS client in the RADIUS Clients node of the Internet Authentication Services console, as shown in Figure 11-5.

Use IPSec to Secure RADIUS Messages

Use IPSec to secure the entire RADIUS message. Create an IPSec policy that secures all communication between the RRAS and IAS servers.
