After the Routing and Remote Access service (RRAS) is installed, you must specify the users who are allowed to connect to the RRAS server. RRAS authorization is determined by the dial-in properties on the user account, the network policies, or both.
You do not need to create user accounts just for remote access users. RRAS servers can use existing user accounts in the user accounts databases. In both Local Users and Groups and Active Directory Users and Computers, user accounts have a Dial-in tab on which you can configure remote access permissions. For a large number of users, we recommend that you configure network policies on a server running Network Policy Server (NPS). For more information, see Network Policy Server (http://go.microsoft.com/fwlink/?linkid=139764).
Security before the connection
The following steps describe what happens during a connection attempt from a remote access client to an RRAS server that is configured to use Windows authentication:
- A remote access client attempts to connect to an RRAS server.
- The server sends a challenge to the client.
- The client sends an encrypted response to the server that consists of a user name, a domain name, and a password.
- The server checks the response against the user accounts database.
- If the account is valid and the authentication credentials are correct, the server uses the dial-in properties of the user account and network policies to authorize the connection.
If the connection is dial-up and callback is enabled, the server hangs up the connection, calls the client back, and continues the connection negotiation process.
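The authorization step above consults the Dial-in tab properties stored on each user account. The following PowerShell script is an added example (not part of the original documentation) that reports how those properties are set across the domain; it assumes the ActiveDirectory module from RSAT and an account that can read user objects.

```powershell
# Added example, not from the original documentation: audit the per-account
# dial-in properties that an RRAS/NPS server consults when authorizing a connection.
# Assumes the ActiveDirectory module (RSAT) and read access to user objects.
Import-Module ActiveDirectory

# The Dial-in tab's "Network Access Permission" maps to the msNPAllowDialin attribute:
#   $true   = Allow access
#   $false  = Deny access
#   not set = Control access through NPS Network Policy
function Get-DialInPermission {
    param([Parameter(Mandatory)] $User)
    if ($null -eq $User.msNPAllowDialin) { return 'Control through NPS policy' }
    if ($User.msNPAllowDialin)          { return 'Allow' }
    return 'Deny'
}

$props  = 'msNPAllowDialin', 'msRADIUSCallbackNumber', 'msNPCallingStationID'
$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        Enabled        = $_.Enabled
        DialIn         = Get-DialInPermission $_
        CallbackNumber = $_.msRADIUSCallbackNumber   # "Always Callback to" number, if configured
        CallerIDCheck  = $_.msNPCallingStationID     # "Verify Caller-ID" restriction, if configured
    }
}

# An explicit per-account "Allow" takes precedence over the matched network policy's
# access permission (unless that policy ignores dial-in properties), so review those
# accounts first, in particular any that are disabled but still marked Allow.
$report | Where-Object { $_.DialIn -eq 'Allow' } |
    Sort-Object SamAccountName | Format-Table -AutoSize

# Summary of how the domain's accounts are distributed across the three settings.
$report | Group-Object DialIn | Select-Object Name, Count
```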
Security after the connection
Credentials used for remote access only provide a communication channel to the target network. The client does not log on to the network as a result of a remote access connection. Each time the client attempts to access a network resource, it will be challenged for credentials. If it does not respond to the challenge with correct credentials, the access attempt will fail. Windows adds a feature to simplify remote access. After a successful connection, remote access clients that run Windows Vista®, Windows® 7, Windows Server® 2008, and Windows Server® 2008 R2 cache these credentials as default credentials for the duration of the remote access connection. When a network resource challenges the remote access client, the client provides the cached credentials so the user is not required to enter them again.