New features of Windows Server 2008 RRAS
If you are familiar with RAS (Remote Access Service) or RRAS (Routing and Remote Access Service) in Windows NT or Windows 2000, you will find all of those same features in Windows Server 2008 RRAS. You will also find several enhancements to existing features, along with many new features, including those explained in the following sections.
AD integration
Windows Server 2008 RRAS integrates with the Active Directory (AD). AD integration allows client settings to be replicated throughout the organization to provide expanded access by clients and easier administration. Integration with the AD can also simplify administration by allowing you to browse and manage multiple RRAS servers through the AD-aware RRAS management console snap-in, providing a single point of management for RRAS services in an organization.
Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol
The Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP) enable Windows Server 2008 RAS to dynamically add or remove links in a multilink PPP connection as the bandwidth requirements of the connection change. When bandwidth utilization becomes heavy, RAS can add links to accommodate the increased load and improve performance. When bandwidth utilization decreases, RAS can remove links to make the connection more cost-efficient. You can configure BAP policies through a Network Policy Server (NPS) policy that you can apply to individual users, groups, or an entire organization.
MS-CHAP version 2
Previous versions of RAS supported Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate remote clients. MS-CHAP v2 gives stronger security and is designed specifically to support Virtual Private Network (VPN) connections, which allow remote clients to set up secure connections to a private network through a public network such as the Internet. MS-CHAP v2 offers several security enhancements:
1) LAN Manager encoding of responses, formerly supported for backward compatibility with older remote access clients, is no longer supported, which improves security. For the same reason, MS-CHAP v2 no longer supports LAN Manager encoding of password changes.
2) Mutual authentication, which provides bi-directional authentication between the remote client and the RAS server, is supported. Previously, MS-CHAP provided only one-way authentication and did not provide a mechanism for the remote client to determine whether the remote server actually had access to its authentication password for verification. Version 2 not only enables the server to authenticate the client’s request, but also enables the client to verify the server’s ability to authenticate its account.
3) MS-CHAP v2 provides stronger encryption. The 40-bit encryption used in previous versions operated on the user’s password and resulted in the same cryptographic key being generated for each session. Version 2 uses the remote client’s password, along with an arbitrary challenge string, to create a unique cryptographic key for each session, even when the client password remains the same.
4) Better security for data transmission is provided by using separate cryptographic keys for data sent in each direction.
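The three properties in points 2 to 4 (mutual authentication, per-session keys from a fixed password, and separate keys per direction) are easier to see in code than in prose. The block below is an added illustration, not code from the original post and not the RFC 2759 MS-CHAP v2 algorithm (which uses MD4 and DES): HMAC-SHA256 stands in for those primitives, and the secret derivation, message labels and the `run_handshake` driver are constructed for this example so that both sides of the exchange can be stepped through offline.

```python
import hashlib
import hmac
import os

# Simplified, hypothetical challenge-response exchange in the style of
# MS-CHAP v2. NOT the RFC 2759 algorithm: HMAC-SHA256 replaces MD4/DES so
# the structure (two challenges, response, server authenticator, keys) is visible.

def password_secret(password: str) -> bytes:
    # Both peers hold a password-derived secret; the server verifies against
    # this derived value rather than the cleartext password (constructed derivation).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(secret, server_challenge, client_challenge, username):
    # Point 3: the response binds the password secret to fresh challenges from
    # BOTH sides, so an unchanged password never produces the same response twice.
    msg = b"client|" + server_challenge + client_challenge + username.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

def server_authenticator(secret, server_challenge, client_challenge, client_resp):
    # Point 2: the server answers the client's challenge, proving it really
    # holds the account's secret. A server that lacks it cannot compute this.
    msg = b"server|" + client_challenge + server_challenge + client_resp
    return hmac.new(secret, msg, hashlib.sha256).digest()

def session_keys(secret, server_challenge, client_challenge):
    # Point 4: one key per direction, both bound to this session's challenges.
    base = hmac.new(secret, server_challenge + client_challenge, hashlib.sha256).digest()
    to_server = hmac.new(base, b"client-to-server", hashlib.sha256).digest()
    to_client = hmac.new(base, b"server-to-client", hashlib.sha256).digest()
    return to_server, to_client

def run_handshake(username, client_password, server_password, rng=os.urandom):
    """Drive both sides. Returns (client_accepted, server_verified, keys)."""
    server_challenge = rng(16)          # server -> client
    client_challenge = rng(16)          # client -> server, sent with the response
    c_secret = password_secret(client_password)
    s_secret = password_secret(server_password)

    # Client computes its response; the server recomputes it and compares.
    resp = client_response(c_secret, server_challenge, client_challenge, username)
    expected = client_response(s_secret, server_challenge, client_challenge, username)
    if not hmac.compare_digest(resp, expected):
        return False, False, None

    # Server returns its authenticator; the client verifies it before trusting the link.
    auth = server_authenticator(s_secret, server_challenge, client_challenge, resp)
    check = server_authenticator(c_secret, server_challenge, client_challenge, resp)
    if not hmac.compare_digest(auth, check):
        return True, False, None
    return True, True, session_keys(c_secret, server_challenge, client_challenge)
```

Running `run_handshake` twice with the same password yields different session keys each time because the challenges differ, and a peer that computes the authenticator with the wrong secret is rejected by the client, which is the mutual-authentication check that MS-CHAP v1 lacked.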
Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) enables authentication methods to be added to RAS without redesigning the underlying RAS software base, much like the new features in NTFS 5.0 enable new functionality to be added to the file system without redesigning it. EAP allows the client and server to negotiate the mechanism to be used to authenticate the client. Currently, EAP in Windows Server 2008 supports EAP-MD5 CHAP (Challenge Handshake Authentication Protocol), EAP-TLS (Transport Layer Security), and redirection to a RADIUS server.
RADIUS support
Windows Server 2008 RRAS can function as a RADIUS client, forwarding logon requests to a RADIUS server, which can be the Internet Authentication Service (also included with Windows Server 2008) running on the same or a different server. The RADIUS server doesn’t have to be a Windows Server 2008 system, however, which allows RRAS to use Unix-based RADIUS servers or third-party RADIUS services. One of the benefits of using RADIUS is its accounting capability, and several third-party utilities have been developed to integrate with database back ends such as SQL Server to track and control client access.
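What "functioning as a RADIUS client" involves on the wire is worth seeing once: the client hides the user's password under the shared secret, the server answers, and the client must verify the reply's authenticator before trusting an Access-Accept. The block below is an added example, not from the original post and not RRAS or IAS code; it implements the RFC 2865 packet framing, User-Password hiding and Response Authenticator, and both sides of the exchange, with the shared secret, user database and request authenticator all constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Added illustration of RRAS-style RADIUS client behaviour (RFC 2865 framing).
# Shared secret, user database and fixed authenticators are constructed values.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length (then 16-byte Authenticator)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")   # refuse to read past the packet
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # fresh, unpredictable per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    body = HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret
    return hashlib.md5(body).digest()

def build_response(code, ident, request_auth, secret, attrs=b""):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """Client-side check: only a server holding the secret can mint this authenticator."""
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def toy_radius_server(packet, secret, user_db):
    """Minimal server: recover the password and answer Accept or Reject."""
    code, ident, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    return build_response(verdict, ident, request_auth, secret)
```

The point a defender should take from `verify_response` is that the Request Authenticator is the only thing tying a reply to its request: a reply built without the shared secret, or replayed against a different request, fails the check and must be treated as a reject. Note that the MD5-based hiding is what the standard specifies, which is why RADIUS traffic is normally confined to a management network or tunnelled.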
Network access policies
Windows Server 2008 improves considerably on the flexibility you have as an administrator to control a user’s remote access and dial-up settings. Earlier versions gave you control only over callback options, and settings were assigned on a user-by-user basis. Although Windows Server 2008 still permits you to assign remote access permissions through a user’s account, you can also use a Network Policy Server (NPS) policy to define the remote access settings for one or several users. NPS access policies give you a fine degree of control over users’ settings, including allowed access time, maximum session time, authentication, security, BAP policies, and more.
Account lockout
Windows Server 2008 RAS enhances security by supporting account lockout, which locks an RRAS account after a specified number of bad logon attempts. This feature helps guard against dictionary attacks, in which an attacker tries to gain remote access by repeatedly logging on with a dictionary of passwords against a valid account. You can configure two settings that control lockout — the number of bad logon attempts before the account is locked out and how long the account remains locked before the lockout counter is reset.
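The two settings interact in a way that is easy to get wrong when tuning them, so here is the policy modelled in code. This is an added example, not the post's or Microsoft's code: RRAS keeps these values in the registry (the MaxDenials and "ResetTime (mins)" values under the RemoteAccess AccountLockout parameters key), which this block does not read or write. The model assumes that a successful logon clears the failure counter, that the reset window is measured from the last counted failure, and that a threshold of 0 disables lockout; the attempt timeline is constructed.

```python
# Added illustration of the two account-lockout knobs named in the text.
# In-process model only; it does not touch the RRAS registry values.

class RemoteAccessLockout:
    def __init__(self, max_denials: int, reset_minutes: int):
        self.max_denials = max_denials      # bad attempts before lockout; 0 disables (assumption)
        self.reset_seconds = reset_minutes * 60
        self._state = {}                    # account -> [failures, last_failure_ts]

    def _expire(self, account, now):
        st = self._state.get(account)
        if st and now - st[1] >= self.reset_seconds:
            del self._state[account]        # reset window elapsed: counter cleared

    def is_locked(self, account, now):
        self._expire(account, now)
        st = self._state.get(account)
        return bool(st) and self.max_denials > 0 and st[0] >= self.max_denials

    def attempt(self, account, password_ok, now):
        """Evaluate one logon attempt; returns 'locked', 'accepted' or 'rejected'."""
        if self.is_locked(account, now):
            return "locked"                 # even the correct password is refused
        if password_ok:
            self._state.pop(account, None)  # success clears the counter (assumption)
            return "accepted"
        st = self._state.setdefault(account, [0, now])
        st[0] += 1
        st[1] = now                         # window is measured from the last failure
        return "rejected"

def simulate_dictionary_attack():
    """Constructed scenario: three bad guesses a minute apart, then the real
    password while still locked, then the real password after the reset window."""
    policy = RemoteAccessLockout(max_denials=3, reset_minutes=30)
    t0 = 1_700_000_000                      # constructed epoch seconds
    attempts = [
        ("alice", False, t0),
        ("alice", False, t0 + 60),
        ("alice", False, t0 + 120),          # third failure: account now locked
        ("alice", True,  t0 + 180),          # correct password, still inside the window
        ("alice", True,  t0 + 120 + 30 * 60),  # window elapsed since last failure
    ]
    return [policy.attempt(a, ok, t) for a, ok, t in attempts]

if __name__ == "__main__":
    print(simulate_dictionary_attack())
```

The fourth outcome is the one that matters operationally: once locked, the legitimate user is refused too, so a low threshold combined with a long reset time turns the lockout itself into a denial-of-service lever, while a high threshold with a short reset time lets a slow guessing campaign stay under the radar. Alert on the lockout events rather than relying on the lock alone.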