Security information for the Connection Manager Administration Kit
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Security information for the Connection Manager Administration Kit
You can increase the security of your remote access solution by using the Connection Manager Administration Kit (CMAK) wizard to customize and control the connection experience for your users. By customizing the connection, you can control how your users connect to your network, and you can simplify troubleshooting.
Before you create a profile, you should understand your remote access solution, including its security requirements and limitations. You can consider remote access security in three parts: securing servers, including remote access servers and the computers on which you store profiles; understanding and securing the computers on which users will install profiles; and designing, creating, and distributing the profile itself. For more information about securing servers, see Security information for remote access, Security issues for VPN, and Security.
When you design your service profile, you should consider the following:
Who can create or edit service profiles using the CMAK wizard. A user must be a member of the Administrators group to install the CMAK wizard. A user must be a member of either the Administrators or the Power Users group to run the CMAK wizard.
Who can edit service profile files using a plain text editor. Service profile files are plain text files that users can edit using a plain text editor, such as Notepad, instead of using the CMAK wizard. By using a plain text editor instead of the CMAK wizard, users do not need to be members of the Administrators or the Power Users group to edit or to delete these files. You can help prevent users from changing these files on the server by limiting access to the directories that contain service profile files. Recognize that, after you distribute the service profile, users can edit the service profile files on their own computers. For more information, see Methods of editing service profile files and Including Connection Manager in custom applications.
Which operating systems your users will use. You should consider two things regarding the operating systems on your users' computers: the level of security inherent in the operating system itself, as well as the security features that you can configure for the operating system. Not all operating systems support all Connection Manager features. For example, Windows 98 does not support user certificates. Therefore, if you want to deploy a highly secure VPN solution, you might need to limit your deployment to users running Windows XP on hard disks formatted with NTFS.
Depending on how your users have configured their computers, you might have these security considerations:
Whether the user's hard disk is formatted with FAT or NTFS. FAT systems are not as secure as NTFS systems.
What authentication and tunneling protocols are supported. Not all operating systems support all of the same protocols as the Windows Server 2003 family. For more information, see Dial-up networking clients and Virtual private networking clients.
Whether your users will install the profile for individual use only or for all users of that computer (Windows 2000, Windows XP, and the Windows Server 2003 family only). You should encourage your users to install the profile for individual use only so that only the user who installed the profile and members of the Administrators or System Operators groups can modify the service profile files. If a user installs a profile for all users, all users of that computer can modify or delete the service profile files.
Whether the profile allows users to save the password for the profile. You can hide the check box that allows users to save passwords by configuring the HideRememberPassword key. For Windows XP and the Windows Server 2003 family, you can configure the GlobalCredentials key to prevent users from saving a user name and password for any other users of that computer. This key prevents other users from using another user’s credentials. The connection will close automatically if Fast User Switching is used.
If necessary, you can create different service profiles for different operating systems, restricting access for users with less secure systems.
Whether your service profile will include a phone book or multiple phone books. If your service profile will include one or more phone books, you will need to create the phone book with Phone Book Administrator (PBA), and you will need to include a Phone Book Service (PBS) server in your deployment. For more information, see Security information for Connection Point Services.
How you will distribute your service profile. You can distribute your service profile in several ways, including on a Web site and on portable media such as floppy disks. Depending on what kind of service profile you create, you might want to consider how to control the distribution of your profile. For example, if you create a profile with a pre-shared key, you will want to limit distribution of the profile to authorized users, particularly if you do not encrypt the profile with a personal identification number (PIN). For more information about distributing service profiles, see Planning for effective implementation.
For detailed information about deploying Connection Manager, see "Deploying Remote Access Clients Using Connection Manager" at the Microsoft Windows Resource Kits Web site.