Increasing Security on Windows 2000 VPN Server (255784)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q255784

SUMMARY

A Windows 2000 virtual private network (VPN) server that is configured by using the Routing and Remote Access Services (RRAS) Setup Wizard is installed with a default set of Input and Output filters. These filters support Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec) connectivity. The filters are generic and can be modified to tighten security on a VPN server. This article describes modifications that you can make to these filters to increase security. All filter configurations mentioned in this article should be tested prior to being deployed in a production environment.

MORE INFORMATION

The RRAS Setup Wizard creates a set of default Input and Output Filters on the external adapter on the VPN server. To display and edit these filters:
  1. Start the Routing and Remote Access snap-in in Microsoft Management Console (MMC).
  2. Expand the IP Routing node in the left pane.
  3. Click General in the left pane.
  4. Right-click the external adapter listed in the right pane, and then click Properties.
  5. You can view and edit the Inbound and Outbound filters on the General tab.
These are the default filters that are configured.

Src addr  Src mask  Dest addr  Dest mask  Protocol  Src port  Dest port  Description
Any       Any       Any        Any        47        Any       Any        GRE
Any       Any       Any        Any        TCP       1723      Any        PPTP Inbound
Any       Any       Any        Any        TCP       Any       1723       PPTP Outbound
Any       Any       Any        Any        UDP       500       500        ISAKMP
Any       Any       Any        Any        UDP       1701      1701       L2TP

Greater security can be provided by editing each of these filters (with the exception of the protocol 47 GRE filter) to further restrict the flow of PPTP and L2TP/IPSec packets. Both the Input and the Output filters must be edited. The result is that inbound PPTP and L2TP/IPSec traffic is accepted only when it is addressed to the IP address of the external adapter, and only PPTP and L2TP/IPSec traffic sourced from that address is allowed to pass out through the external adapter, whether it originates on the internal network or on the VPN server itself.

Input and Output filters are edited individually by selecting the filter and then clicking the Edit button. The Edit IP Filter dialog box allows you to modify each filter setting. As an example, assume that the external adapter has an IP address of 192.0.0.40 with a subnet mask of 255.255.255.0. After modifying the Input filters, the displayed matrix looks like this:

Src addr  Src mask  Dest addr   Dest mask        Protocol  Src port  Dest port  Description
Any       Any       Any         Any              47        Any       Any        GRE
Any       Any       192.0.0.40  255.255.255.255  TCP       1723      Any        PPTP Inbound
Any       Any       192.0.0.40  255.255.255.255  TCP       Any       1723       PPTP Outbound
Any       Any       192.0.0.40  255.255.255.255  UDP       500       500        ISAKMP
Any       Any       192.0.0.40  255.255.255.255  UDP       1701      1701       L2TP

After modifying the Output filters, the displayed matrix looks like this:

Src addr    Src mask         Dest addr  Dest mask  Protocol  Src port  Dest port  Description
Any         Any              Any        Any        47        Any       Any        GRE
192.0.0.40  255.255.255.255  Any        Any        TCP       1723      Any        PPTP Inbound
192.0.0.40  255.255.255.255  Any        Any        TCP       Any       1723       PPTP Outbound
192.0.0.40  255.255.255.255  Any        Any        UDP       500       500        ISAKMP
192.0.0.40  255.255.255.255  Any        Any        UDP       1701      1701       L2TP

These filter settings also accommodate a VPN server that must itself initiate a demand-dial connection to another VPN server, for example, because the Output filters still permit PPTP and L2TP/IPSec traffic sourced from the external adapter.
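To verify what the default and the tightened filter lists actually let through, the following model of RRAS filter matching was added for this article; it is not part of the original article or of Windows 2000. It assumes the filter lists act as permit lists (anything not matching a filter is dropped) and uses the article's tables and a constructed external peer address (203.0.113.5).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Any = None  # the RRAS "Any" wildcard for an address, mask or port

@dataclass(frozen=True)
class Filter:
    src: Optional[str]      # "address/mask" or Any
    dst: Optional[str]
    proto: Union[str, int]  # "TCP", "UDP" or an IP protocol number (47 = GRE)
    sport: Optional[int]
    dport: Optional[int]
    desc: str               # the wizard's description, kept verbatim from the article

def _addr_ok(rule: Optional[str], addr: str) -> bool:
    # Any matches everything; otherwise addr must fall inside rule's address/mask.
    return rule is Any or ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)

def permitted(filters, pkt) -> Optional[str]:
    """Description of the first filter permitting pkt, or None if the list drops it."""
    for f in filters:
        if (f.proto == pkt["proto"] and _addr_ok(f.src, pkt["src"]) and _addr_ok(f.dst, pkt["dst"])
                and f.sport in (Any, pkt["sport"]) and f.dport in (Any, pkt["dport"])):
            return f.desc
    return None

def pkt(src, dst, proto, sport=None, dport=None):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

EXT = "192.0.0.40/255.255.255.255"  # external adapter address from the article
# Default wizard Input filters (first table in the article).
DEFAULT_INPUT = [
    Filter(Any, Any, 47, Any, Any, "GRE"),
    Filter(Any, Any, "TCP", 1723, Any, "PPTP Inbound"),
    Filter(Any, Any, "TCP", Any, 1723, "PPTP Outbound"),
    Filter(Any, Any, "UDP", 500, 500, "ISAKMP"),
    Filter(Any, Any, "UDP", 1701, 1701, "L2TP"),
]
# Hardened sets: GRE left alone, every other filter pinned to the external adapter
# (destination for Input, source for Output) as in the article's second and third tables.
HARDENED_INPUT = [DEFAULT_INPUT[0]] + [
    Filter(Any, EXT, f.proto, f.sport, f.dport, f.desc) for f in DEFAULT_INPUT[1:]]
HARDENED_OUTPUT = [DEFAULT_INPUT[0]] + [
    Filter(EXT, Any, f.proto, f.sport, f.dport, f.desc) for f in DEFAULT_INPUT[1:]]

if __name__ == "__main__":
    # Constructed sample: PPTP control connections to the adapter and to another address.
    for dst in ("192.0.0.40", "192.0.0.77"):
        p = pkt("203.0.113.5", dst, "TCP", 40000, 1723)
        print(dst, "default:", permitted(DEFAULT_INPUT, p), "hardened:", permitted(HARDENED_INPUT, p))
```

The default Input list accepts a PPTP control connection regardless of destination address, while the hardened list accepts it only when it is addressed to 192.0.0.40; the same check applied to the hardened Output list shows that only traffic sourced from the external adapter leaves.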

The default filter settings that are installed by the RRAS Setup Wizard already allow VPN connections only. The information in this article is provided for those who want increased security.


Modification Type: Major    Last Reviewed: 11/4/2003
Keywords: kbhowto kbIPSec kbTunneling KB255784