Question : Problem: SBS 2003 - Routing and Remote Access - VPN Security Flaws?

Hello all,

I have heard info floating around that RRAS enabled on SBS Windows Server 2003 for VPN can be problematic and insecure.
I'd like some feedback on my current solution and any/all potential security flaws - wasn't sure which Topic Area to use, but decided in VPN.

I only have 2-4 users who will be using this VPN connection on a regular basis.

RRAS Properties:
Authentication: MS-CHAP and MS-CHAPv2
Enable IP Routing (for users to connect to network), DCHP assigns IP, Enable broadcast name resolution
For Remote Access Policies, I created Group with selected Users in AD, granted Access.

On our Netgear Router/Firewall FVM318, I have 1723 opened for VPN.
(Also, this router provides VPN, too, but I wasn't sure which was more secure (or both?))

So, a user sets up their VPN through Network Connections, inserts the Router's IP, connects using their UN/PW from AD.
Then, they're in... oh, and they're not connecting to a member server... (gulp), they're connecting directly to the SBS2003.
So, the SBS2003 is file/print/RRAS server (and everything else).

My primary questions are:
1) Well, how secure is that? Should I configure the FVM318 instead?
2) How serious is the consideration that VPN clients might have viruses and insecure computers? (e.g., no personal firewall, etc.)
3) What else could I do within RRAS to make more secure? Or within SBS2003?

Thanks to all - I'm hoping to get as much varied feedback as possible about this question, and it's pretty important/time-sensitive.

Answer : Problem: SBS 2003 - Routing and Remote Access - VPN Security Flaws?

Well... I'm not sure what you mean by "floating around" information... doesn't sound very reilable to me.... SBS has it's own built-in VPN client that is configured automatically when you set up the server. The client can only be downloaded through Remote Web Workplace -- a secure site for remote access. They don't set up their connection through Network Connections.

However, if you are at all uncomfortable with RRAS, you can easily eanble IPSEC on your SBS. Here's a great resoruce of links to help you out: http://msmvps.com/bradley/archive/2005/03/28/40026.aspx

You might also want to have your remote users NOT use VPN because VPNs (without using ISA --- available only on SBS Premium) open your network to whatever happens to be on the remote users computer. Instead, they can use Remote Web Workplace if they have a desktop machine in the office.

Also, I ALWAYS use an additional hardware router/firewall in front of the SBS, and then two NICs on the server. The FVM318 is okay, but it can be a pain to configure... compared to something like the D-Link DI604 which configures automatically from the SBS. You don't really need the VPN capability of the FVM318 with two NICS in the SBS.

Here's a 3rd party published opinion on SBS: http://www.pcmag.com/article2/0,4149,1388962,00.asp

And I'd also suggest that you take a look at Small Business Server boks by Harry Brelsford http://snipurl.com/bestpractices and http://snipurl.com/advanced

Jeff
TechSoEasy

Jeff
TechSoEasy

Random Solutions

Problem: ESXi networking

Problem: Mouse pointer speed adjustment.

Problem: How to configure Parallels Desktop from Shared to Bridge Mode

Problem: Dell Poweredge 1600SC PERC 4 BIOS Configuration Utility - Easy Configuration. Will it delete existing Partition?

Problem: Using Cisco 3560\3750 SFP port for Tape Library

Problem: Remove front cover from Dell Optiplex GX150 tower to allow me replace on/off switch

Problem: Flashdrive has autorun files that cannot be erased. U3 or not U3?

Problem: OfficeJet G85 Scanner Suddenly 'Unknown'

Problem: WTF's up with my iSCSI network config ???

Problem: ScanWizard Pro error Code: -204, SCSI Microtek 9600 XL Scans B&W but not color