Permissions for Remote Access Users
Applies To: Windows 7, Windows Server 2008 R2
After the Routing and Remote Access service (RRAS) is installed, you must specify the users who are allowed to connect to the RRAS server. RRAS authorization is determined by the dial-in properties on the user account, the network policies, or both.
You do not need to create user accounts just for remote access users. RRAS servers can use existing user accounts in the user accounts databases. In both Local Users and Groups and Active Directory Users and Computers, user accounts have a Dial-in tab on which you can configure remote access permissions. For a large number of users, we recommend that you configure network policies on a server running Network Policy Server (NPS). For more information, see Network Policy Server (https://go.microsoft.com/fwlink/?linkid=139764).
Security before the connection
The following steps describe what happens during a connection attempt from a remote access client to an RRAS server that is configured to use Windows authentication:
A remote access client attempts to connect to an RRAS server.
The server sends a challenge to the client.
The client sends an encrypted response to the server that consists of a user name, a domain name, and a password.
The server checks the response against the user accounts database.
If the account is valid and the authentication credentials are correct, the server uses the dial-in properties of the user account and network policies to authorize the connection.
If the connection is dial-up and callback is enabled, the server hangs up the connection, calls the client back, and continues the connection negotiation process.
Note
Steps 2 and 3 assume that the remote access client and the RRAS server use the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Challenge Handshake Authentication Protocol (CHAP). The sending of client credentials varies for other authentication protocols.
If the RRAS server is a member of domain and the user response does not contain a domain name, then by default, the domain name of the RRAS server is used. If you want to use a domain name different from that of the RRAS server, on the remote access client, set the following registry value to the name of the domain that you want to use:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain
Warning
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Security after the connection
Credentials used for remote access only provide a communication channel to the target network. The client does not log on to the network as a result of a remote access connection. Each time the client attempts to access a network resource, it will be challenged for credentials. If it does not respond to the challenge with correct credentials, the access attempt will fail. Windows adds a feature to simplify remote access. After a successful connection, remote access clients that run Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 cache these credentials as default credentials for the duration of the remote access connection. When a network resource challenges the remote access client, the client provides the cached credentials so the user is not required to enter them again.