
Ken Larrow, IS423-Mon E1, Unit 8 Assignment, Due: 5/14/2012
Best Practices for Remote Access Domain Compliance

Decisions on the best way to provide remote access will vary depending on the tools you have chosen. Here are some thoughts on best practices:

Focus security policies on protecting corporate assets instead of the devices used to reach them.

Require approved antivirus software on all endpoints of remote access sessions.

Avoid modem banks or other dial-up access services.

Limit who can enable, configure, and disable Routing and Remote Access (RRAS).

Install and test RRAS servers before making them Internet Authentication Service (IAS) clients.

Immediately after installation, back up the IAS database file, ias.mdb, from the %systemroot%\system32\ias folder, and back it up again whenever the IAS configuration is changed, so that a known-good configuration can be restored after an error or a compromise.

Run IAS and RAS on dedicated servers. This reduces the chance that an unauthorized user of some other service on the same machine gains access and weakens the security configuration.
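The backup step above is easy to forget between configuration changes, so here is a small script to do it and to prove later that the copy is still intact. This is an added example for this page, not Microsoft's tooling; it assumes %systemroot% is C:\Windows and takes the backup folder as a parameter, so the functions can be exercised on any file.

```python
"""Back up the IAS configuration database (ias.mdb) with an integrity checksum.

Added example for this page, not Microsoft's tooling. The default source path
assumes %systemroot% is C:\\Windows; the backup folder is the caller's choice.
"""
import hashlib
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Default location of the IAS database (assumption: %systemroot% is C:\Windows).
DEFAULT_IAS_DB = Path(r"C:\Windows\system32\ias\ias.mdb")


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so a large database is not held in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_ias_db(src: Path, backup_dir: Path) -> Path:
    """Copy src into backup_dir under a timestamped name and record its checksum.

    The copy is re-hashed and compared with the source before it is accepted.
    A sidecar <name>.sha256 file is written beside it so verify_backup() can
    later detect a corrupted or tampered copy. Returns the backup path.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_dir / f"{src.stem}-{stamp}{src.suffix}"
    shutil.copy2(src, dest)  # copy2 preserves the file timestamps
    digest = sha256_of(dest)
    if digest != sha256_of(src):
        dest.unlink()
        raise OSError("backup copy does not match source")
    Path(str(dest) + ".sha256").write_text(f"{digest}  {dest.name}\n")
    return dest


def verify_backup(backup: Path) -> bool:
    """True if the backup still matches the checksum recorded when it was taken."""
    recorded = Path(str(backup) + ".sha256").read_text().split()[0]
    return recorded == sha256_of(backup)


if __name__ == "__main__":
    dest = backup_ias_db(DEFAULT_IAS_DB, Path(r"D:\ias-backup"))
    print("backed up to", dest, "verified:", verify_backup(dest))
```

Keep the backup folder on a volume that remote access users cannot reach (the same rule the logs get below), and run the script from a scheduled task or from the change procedure itself rather than by hand.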

Physically secure IAS, VPN and RRAS servers. Ensure the RRAS server uses a static IP address pool or can allocate addresses through your DHCP server.

Protect IAS servers and VPN routers behind a firewall. Where an application such as messaging is delivered as a hosted (cloud) service, require that remote users reach it over an authenticated, encrypted channel rather than exposing the internal server for it.

Require strong passwords and, if possible, use two factor authentication for remote access.

Provide remote access only to users whose job duties require it.

Limit permissions and rights of remote access users to those absolutely required for their job duties. This is often a subset of what is permitted to physically-attached users.

Turn on the remote access account lockout feature, so that repeated failed logons lock the account for a period. Limit remote access sessions to one per user. Disable authentication protocols you do not use. Do not use PAP (Password Authentication Protocol), which sends the password in clear text, unless you must support legacy systems, and then confine it to those systems.

Decide what to log for audit purposes (IAS can log authentication requests, accounting requests, and periodic status), and back up the IAS logs.

Save all logs to a storage location that remote access users cannot reach, so that an attacker who gains remote access cannot alter or delete the record of it.
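The logging points above, and the account lockout and no-PAP rules earlier, are only useful if someone actually reads the logs. Below is an added example, not Microsoft's tooling, that reviews IAS authentication log lines for two things a reviewer would want: failed-logon bursts that meet the lockout threshold (mirroring the MaxDenials-within-ResetTime lockout policy), and any request that authenticated with PAP. It assumes the "database-compatible" IAS log layout listed in FIELDS and the Authentication-Type value for PAP; confirm both against your own server before relying on the indexes. The sample log lines are constructed.

```python
"""Review IAS authentication logs for lockout-worthy failure bursts and PAP use.

Added example for this page, not Microsoft's tooling. It assumes the IAS
"database-compatible" log format, whose leading comma-separated fields are
listed in FIELDS below; confirm the layout and the Authentication-Type values
against your own server before relying on the indexes. The sample log at the
bottom is constructed.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Leading fields of the IAS database-compatible format (assumed layout). Real
# lines carry more trailing fields, which the parser ignores.
FIELDS = [
    "computer", "service", "date", "time", "packet_type", "user", "fqdn",
    "called_station", "calling_station", "callback", "framed_ip", "nas_id",
    "nas_ip", "nas_port", "client_vendor", "client_ip", "client_name",
    "event_timestamp", "port_limit", "nas_port_type", "connect_info",
    "framed_protocol", "service_type", "auth_type", "policy", "reason_code",
]
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = "1", "2", "3"  # RADIUS packet types
AUTH_PAP = "1"  # Authentication-Type value for PAP (assumed mapping)


def parse_ias_log(text):
    """Yield one dict per log line keyed by FIELDS, with a parsed 'ts' datetime."""
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        rec = dict(zip(FIELDS, row))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
        yield rec


def failed_logon_bursts(records, max_denials=5, window=timedelta(minutes=15)):
    """Users whose Access-Reject count within `window` reaches `max_denials`.

    The thresholds mirror the RRAS account-lockout policy (MaxDenials within
    ResetTime), so a log review catches the same bursts the lockout would.
    Returns {user: reject count at the moment the threshold was first reached}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["packet_type"] != ACCESS_REJECT:
            continue
        user = rec["user"].lower()
        q = recent[user]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop rejects that fell out of the window
            q.popleft()
        if len(q) >= max_denials and user not in flagged:
            flagged[user] = len(q)
    return flagged


def pap_requests(records):
    """(user, client_ip) pairs whose Access-Request used PAP, which policy forbids."""
    return sorted({(r["user"], r["client_ip"]) for r in records
                   if r["packet_type"] == ACCESS_REQUEST and r["auth_type"] == AUTH_PAP})


def _constructed_line(date, time, packet_type, user, client_ip, auth_type, reason):
    """Build one constructed log line in the FIELDS layout (sample data only)."""
    rec = dict.fromkeys(FIELDS, "")
    rec.update(computer="IAS01", service="IAS", date=date, time=time,
               packet_type=packet_type, user=user, client_ip=client_ip,
               auth_type=auth_type, reason_code=reason)
    out = StringIO()
    csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(
        [rec[f] for f in FIELDS])
    return out.getvalue()


# Constructed sample: MS-CHAP v2 is auth_type "4" here (assumed mapping); the
# reason codes are placeholders, not a claim about their meaning.
SAMPLE_LOG = "".join([
    _constructed_line("05/14/2012", "08:01:03", ACCESS_REQUEST, "jdoe", "10.0.0.5", "4", ""),
    _constructed_line("05/14/2012", "08:01:03", ACCESS_ACCEPT, "jdoe", "10.0.0.5", "4", "0"),
    # six rejects for bsmith within six minutes: a lockout-worthy burst
    *[_constructed_line("05/14/2012", f"08:0{i}:10", ACCESS_REJECT, "bsmith", "10.0.0.5", "4", "16")
      for i in range(2, 8)],
    # a legacy client still authenticating with PAP
    _constructed_line("05/14/2012", "08:10:00", ACCESS_REQUEST, "legacy-svc", "10.0.0.9", AUTH_PAP, ""),
    _constructed_line("05/14/2012", "08:10:00", ACCESS_ACCEPT, "legacy-svc", "10.0.0.9", AUTH_PAP, "0"),
    # two rejects for jdoe more than an hour apart: below the threshold
    _constructed_line("05/14/2012", "09:15:00", ACCESS_REJECT, "jdoe", "10.0.0.5", "4", "16"),
    _constructed_line("05/14/2012", "10:30:00", ACCESS_REJECT, "jdoe", "10.0.0.5", "4", "16"),
])

if __name__ == "__main__":
    recs = list(parse_ias_log(SAMPLE_LOG))
    print("lockout-worthy bursts:", failed_logon_bursts(recs))  # {'bsmith': 5}
    print("PAP authentications:", pap_requests(recs))          # [('legacy-svc', '10.0.0.9')]
```

Set max_denials and window to the same values as the server's lockout policy so the review and the control agree; a burst that the review flags but the lockout did not catch means the lockout is not actually configured.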

Do not use telnet; it carries credentials and session data in clear text. Secure remote administration sessions with IPsec or with a VPN if they are initiated from outside your network.

Increase the encryption level on Terminal Services when providing remote access: set the client connection encryption level to High and require the TLS security layer for RDP connections, so that clients that cannot meet that level are refused rather than silently downgraded.

Ensure encryption is used for all VPN traffic. Open only the ports and protocols the VPN needs on the perimeter firewall and pass those packets straight through to the VPN server: for L2TP/IPsec, UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP); for PPTP, TCP 1723 and IP protocol 47 (GRE). Prefer L2TP/IPsec or SSTP over PPTP, whose MS-CHAP v2 authentication is known to be weak.

Place the VPN server in a DMZ: the firewall in front of it admits only the VPN ports, and a second firewall behind it filters the decrypted traffic before it reaches the internal network, so remote users get only the access their role allows.

