Lesson 4: Examining Remote Access Policies

Remote access policies allow the assignment of a connection type to a user according to a set of conditions such as group membership. Understanding how policies are applied helps you to provide customized access to the various users and groups in your organization. It is likely that the default policy settings are adequate for your remote access needs. However, it is important that you become familiar with remote access policies because using them effectively provides you with a great deal of flexibility in granting remote access permissions and usage.

Remote Access Policies

Windows 2000 RRAS and IAS both use remote access policies to accept connection attempts. Remote access policies are stored on the remote access server, not in the Active Directory database, so that policies can vary according to remote access server capabilities.

A remote access policy consists of three components that cooperate with Active Directory directory services to provide secure access to remote access servers. The three components of a remote access policy are its conditions, permissions, and profile.

Conditions

This is a list of parameters such as the time of day, user groups, Caller IDs, or IP addresses that is matched to the parameters of the client connecting to the server. The first policy that matches the parameters of the incoming connection request is processed for access permission and configuration.

Permissions

In Windows NT 3.5 and later, remote access was granted based on the Grant Dial-In Permission To User option in the User Manager tool or the Remote Access Administration tool. In Windows 2000, remote access connections are granted based on the dial-in properties of a user account and remote access policies.

The permission setting to allow or deny access on the remote access policy works together with the user's dial-in permissions in Active Directory directory services to create both positive and negative rules. For example, a policy could grant access to all users in Group A from 8 am-5 pm, but the permissions for User X in Group A could be set to deny access in Active Directory directory services. On the other hand, another policy could deny access to Group A from 5 pm-8 am, but the permissions for User Y in Group A could be set to allow access. As a result, Group A can gain access only from 8 am-5 pm, but User X is denied access completely, and User Y is granted 24-hour access.

Profile

Each policy includes a profile of settings that are applied to the connection. If the settings of the connection do not match the user's dial-in settings or the profile properties, Windows 2000 denies access to the connection.

Remote Access Policy Evaluation

Windows 2000 evaluates a connection attempt based on logic that incorporates user and remote access permissions, policy conditions, and profile settings. Using this logic, both mixed and native-mode networks can use Windows 2000 remote access servers.

Policy Logic

If all of the conditions of a remote access policy are met, the user's dial-in permission is checked by Active Directory directory services and can override the policy's permission. However, when dial-in permission on a user account is set to the Control Access Through Remote Access Policy option, it is the policy's permission that determines whether the user is granted access.

Granting access through the user's permissions or the policy's permissions is only the first step in accepting a connection. The connection attempt is then matched to the settings of the user account and the policy profile. If the connection attempt does not match the settings of the user account or the profile, the connection attempt is rejected.

Default Remote Access Policy

The default policy that is created when RRAS installs is named Allow Access If Dial-In Permission Is Enabled, meaning that the user's dial-in permission will control access. Table 9.1 describes the settings of the default policy.

Table 9.1 Default Policy Settings

Setting       Value
-----------   ----------------------------------------
Conditions    Current date/time = any day, any time
Permissions   Deny Access
Profile       None

This default policy is designed to be sufficient for many organizations. However, you should be aware of the implications of the default policy on native- and mixed-mode domains.

Native Mode

If you set the dial-in permission on every user account to Control Access Through Remote Access Policy, and if you do not change the default remote access policy, all connection attempts will be rejected. However, if one user's dial-in permission is set to Allow Access, that user's connection attempts will be accepted. If you change the permission setting on the default policy to Grant Remote Access Permission, all connection attempts are accepted.

Mixed Mode

The default policy is always overridden in a mixed-mode domain, because the user's dial-in permission, Control Access Through Remote Access Policy, is not available on mixed-mode domain controllers. However, remote access policies are applied to users in a mixed-mode domain. If the user's dial-in permission is set to Allow Access, the user still must meet the conditions of a policy to gain access.

NOTE
When converting from mixed mode to native mode, all users with a dial-in setting of Deny Access will be changed to Control Access Through Remote Access Policy. Users with a dial-in permission set to Allow Access will remain set to Allow Access.

Multiple Policies

It is often necessary to administer remote access using multiple remote access policies. You should create these policies carefully. If a connection attempt does not match any of the remote access policies, the connection attempt is rejected, even when a user's dial-in permission is set to Allow Access. The requirement that at least one policy's conditions are matched also means that if the default policy is deleted and no other remote access policies exist, users will not be able to gain access to the network, regardless of their individual dial-in permission settings.
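The evaluation order described under Policy Logic, Default Remote Access Policy and Multiple Policies, modelled as an added example (constructed for this lesson, not Windows 2000 code; the Account, Policy and evaluate names are our own). It encodes the Group A 8 am-5 pm / 5 pm-8 am example from the Permissions section, with User X set to Deny Access and User Y set to Allow Access, and the default policy as a second policy set.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model of the remote access policy logic this lesson describes;
# the names are ours, not Windows 2000 RRAS/IAS APIs.
ALLOW, DENY, BY_POLICY = "Allow Access", "Deny Access", "Control Access Through Remote Access Policy"

@dataclass
class Account:
    name: str
    groups: frozenset
    dial_in: str = BY_POLICY

@dataclass
class Policy:
    name: str
    conditions: Callable[[Account, dict], bool]   # all conditions must match
    grant: bool                                   # policy permission
    profile: Callable[[dict], bool] = lambda attempt: True

def evaluate(policies, account, attempt):
    """Return (accepted, reason) for one connection attempt."""
    # 1. Policies are tried in order; only the first whose conditions all
    #    match is processed. No match rejects the attempt, even for Allow Access.
    policy = next((p for p in policies if p.conditions(account, attempt)), None)
    if policy is None:
        return False, "rejected: no policy matched"
    # 2. The account's dial-in permission overrides the policy's permission
    #    unless the account is set to Control Access Through Remote Access Policy.
    granted = {ALLOW: True, DENY: False}.get(account.dial_in, policy.grant)
    if not granted:
        return False, f"rejected: permission denied ({policy.name})"
    # 3. Granting is only the first step: the attempt must also satisfy the
    #    policy profile (e.g. allowed protocols or session limits).
    if not policy.profile(attempt):
        return False, f"rejected: profile mismatch ({policy.name})"
    return True, f"accepted ({policy.name})"

# Constructed policies from the lesson's Group A example, in the order tried.
def group_a_hours(account, attempt, inside):
    return "Group A" in account.groups and (8 <= attempt["hour"] < 17) == inside

POLICIES = [
    Policy("Group A 8am-5pm", lambda a, c: group_a_hours(a, c, True), grant=True),
    Policy("Group A 5pm-8am", lambda a, c: group_a_hours(a, c, False), grant=False),
]
# The default policy: matches any day/time, permission Deny Access, no profile.
DEFAULT_POLICY = Policy("Allow Access If Dial-In Permission Is Enabled",
                        lambda a, c: True, grant=False)
```

Passing an empty policy list reproduces the deleted-default-policy case: every attempt is rejected regardless of the account's dial-in setting.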

Lesson Summary

Remote access policies allow the assignment of a connection type to a user according to a set of conditions such as group membership. Both Windows 2000 RRAS and IAS use remote access policies to accept connection attempts. If a connection attempt does not match any of the remote access policies, the connection attempt is rejected, even when a user's dial-in permission is set to Allow Access. The requirement that at least one policy's conditions are matched also means that if the default policy is deleted and no other remote access policies exist, users will not be able to gain access to the network, regardless of their individual dial-in permission settings.

Remote access policies are stored on the remote access server, not in Active Directory directory services, so policies can vary according to remote access server capabilities. A remote access policy consists of three components that cooperate with Active Directory directory services to provide secure access to remote access servers. The three components of a remote access policy are its conditions, permissions, and profile.