Geek School: Windows 7 Remote Access - Learn How To

Extending Windows Management Beyond the Local Network
Previously in this series, we explored methods for managing and utilizing your Windows computers remotely, provided they were connected to the same network. However, a common scenario involves accessing these systems when not on the local network.
This article builds upon the foundation established in earlier segments, detailing how to maintain control and functionality even with geographical separation.
Review of Previous Geek School Articles
For those new to this Windows 7 focused series, or needing a refresher, here's a list of previously covered topics:
- Introducing How-To Geek School: An overview of the series' objectives and scope.
- Upgrades and Migrations: Guidance on upgrading and migrating Windows installations.
- Configuring Devices: Details on setting up and configuring hardware devices.
- Managing Disks: Techniques for disk management and optimization.
- Managing Applications: Methods for installing, updating, and removing software.
- Managing Internet Explorer: Customization and security settings for Internet Explorer.
- IP Addressing Fundamentals: A foundational understanding of IP addressing.
- Networking: Core networking concepts and configurations.
- Wireless Networking: Setting up and securing wireless network connections.
- Windows Firewall: Configuring and utilizing the Windows Firewall for security.
- Remote Administration: Initial exploration of remote computer management.
Understanding these preceding topics will enhance your comprehension of the concepts discussed in this article.
Further articles in this series will be released throughout the week, continuing to expand your knowledge of Windows 7 administration.
Network Access Protection
Network Access Protection (NAP) represents Microsoft’s strategy for regulating network resource access based on the security posture of connecting clients. Consider a scenario involving a laptop user frequently traveling and disconnected from the corporate network for extended periods.
During such times, there’s no assurance that the laptop remains free from viruses or malware, or that its anti-virus definitions are current.
Upon returning to the office and connecting to the network, NAP automatically assesses the device’s health against a pre-defined policy configured on a NAP server.
If the connecting device fails this health assessment, it’s automatically relocated to a highly restricted network segment known as the remediation zone.
Within this zone, remediation servers attempt to resolve any identified issues with the client machine. Examples of automated remediation include:
- Should the client’s firewall be disabled, while the policy mandates its activation, the remediation servers will enable it.
- If the health policy requires the latest Windows updates, and they are missing, a WSUS server within the remediation zone can install those updates.
The machine will only be permitted back onto the corporate network once it’s verified as healthy by the NAP servers. NAP can be enforced in four distinct ways, each offering unique benefits:
- VPN – Employing VPN enforcement is particularly effective for companies with remote workers utilizing personal computers. The security of these externally managed devices can be uncertain. Client health is verified with each VPN connection attempt.
- DHCP – With DHCP enforcement, clients are not assigned valid network addresses from the DHCP server until they are deemed compliant by the NAP infrastructure.
- IPsec – IPsec provides encrypted network traffic via certificates and can also be leveraged for NAP enforcement, though it’s less frequently used.
- 802.1x - Also known as port-based authentication, 802.1x authenticates clients at the network switch level. Utilizing 802.1x for NAP policy enforcement is a common and recommended practice.
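The checks NAP performs against a client (firewall on, anti-virus current, updates installed) can be reproduced locally to see what a health validator would see before the machine is admitted. The script below is an added example written for this page, not code from the article or from Microsoft's NAP client; it assumes Windows 7 with PowerShell 2.0, an English locale (the `netsh` output it parses is localized), administrator rights, and a constructed `$Policy` table that stands in for the health policy a NAP server would hold. The `productState` decoding for anti-virus products is the commonly used interpretation of that packed value and is marked as an assumption in the code.

```powershell
# Added example: a local health check mirroring what a NAP System Health Validator evaluates.
# Assumptions: Windows 7 / PowerShell 2.0, English netsh output, run as administrator.
# $Policy is constructed for illustration; it is not read from any NAP server.
$Policy = @{
    FirewallRequired  = $true   # every firewall profile must report State ON
    AntivirusRequired = $true   # an AV product must be enabled with current definitions
    MaxMissingUpdates = 0       # applicable, uninstalled software updates allowed
}

function Test-FirewallEnabled {
    # netsh prints one "State  ON|OFF" line per profile (Domain, Private, Public)
    $states = @()
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^\s*State\s+(\S+)') { $states += $Matches[1] }
    }
    if ($states.Count -ne 3) { return $false }          # unexpected output: treat as failed
    return (@($states | Where-Object { $_ -ne 'ON' }).Count -eq 0)
}

function Test-AntivirusHealthy {
    # Security Center exposes each AV product with a packed productState value.
    # Assumption (widely used decoding): middle hex byte 10/11 = enabled, last byte 00 = definitions current.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($products -eq $null) { return $false }
    foreach ($p in @($products)) {
        $hex      = [Convert]::ToString([int]$p.productState, 16).PadLeft(6, '0')
        $enabled  = $hex.Substring(2, 2) -match '^1[01]$'
        $upToDate = $hex.Substring(4, 2) -eq '00'
        if ($enabled -and $upToDate) { return $true }
    }
    return $false
}

function Get-MissingUpdateCount {
    # Same question a WSUS-backed health policy asks: applicable software updates not yet installed
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    return $result.Updates.Count
}

function Get-NapAgentState {
    # The NAP client runs as the 'napagent' service; it must be running for enforcement to apply
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'not installed' }
    return $svc.Status.ToString()
}

function Test-ClientHealth {
    $missing = Get-MissingUpdateCount
    $checks = @(
        (New-Object PSObject -Property @{ Check = 'NAP agent service running';      Pass = ((Get-NapAgentState) -eq 'Running') }),
        (New-Object PSObject -Property @{ Check = 'Firewall enabled on all profiles'; Pass = ((-not $Policy.FirewallRequired) -or (Test-FirewallEnabled)) }),
        (New-Object PSObject -Property @{ Check = 'Anti-virus enabled and current';   Pass = ((-not $Policy.AntivirusRequired) -or (Test-AntivirusHealthy)) }),
        (New-Object PSObject -Property @{ Check = "Missing updates <= $($Policy.MaxMissingUpdates) (found $missing)"; Pass = ($missing -le $Policy.MaxMissingUpdates) })
    )
    $checks | Format-Table Check, Pass -AutoSize
    # Anything that fails here is what the remediation zone would have to fix before admission
    $failed = @($checks | Where-Object { -not $_.Pass })
    if ($failed.Count -eq 0) { Write-Host 'Compliant: would be admitted to the corporate network' }
    else { Write-Host "Non-compliant: $($failed.Count) check(s) would send this client to remediation" }
    return ($failed.Count -eq 0)
}

Test-ClientHealth
```

Run it before connecting a long-absent laptop to see what enforcement would flag; the update search takes a while because it queries Windows Update or the configured WSUS server, and `netsh nap client show state` gives the client's own view of its enforcement status alongside this script's result.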
Dial-Up Connections
Despite advancements in technology, Microsoft continues to acknowledge the existence of older dial-up connections. These connections utilize the traditional analog telephone network, formally known as POTS (Plain Old Telephone Service), for data transmission between computers.
This process relies on a modem, a device whose name is derived from the terms 'modulate' and 'demodulate'. The modem connects to a computer, typically via an RJ11 cable, and converts digital signals into an analog format suitable for transmission over phone lines.
Upon reaching the destination, another modem reverses this process, demodulating the analog signal back into a digital format understandable by the receiving computer.
Establishing a Dial-Up Connection
To initiate a dial-up connection, a user can right-click the network status icon and access the Network and Sharing Center.

Next, click the "Set up a new connection or network" link.

The next step involves choosing the option to "Set up a dial-up connection" and clicking 'next' to proceed.

Connection Details
Following this, a form will be presented where all necessary connection information can be entered.

Note for exam purposes: if a question about dial-up connection setup appears, all required connection details will be provided.
- The information needed for the configuration will be given in the question.
- You won't be expected to know default settings.
Virtual Private Networks
VPNs, or Virtual Private Networks, create secure connections over public networks like the internet, enabling access to another network with enhanced security.
For instance, a VPN connection can be established between a personal computer on a home network and a corporate network. This effectively makes the home PC appear as an integrated part of the corporate infrastructure. Access to network resources, such as shared files, becomes available as if the computer were directly connected via an Ethernet cable.
However, the connection speed will be influenced by the user’s broadband internet speed, differing from the Gigabit Ethernet speeds achievable within a physical office environment.
The security of these “private tunnels” is often questioned, given their transmission over the public internet. However, data remains protected because VPN connections employ encryption, justifying the term virtual “private” network.
The specific protocol used for encapsulation and encryption is configurable, and Windows 7 supports several options:
Important Note: Familiarity with these definitions is crucial for exam preparation.
- Point-to-Point Tunneling Protocol (PPTP) – PPTP facilitates the encapsulation of network traffic within an IP header for transmission across an IP network, like the internet.
- Encapsulation: PPP frames are contained within an IP datagram, utilizing a modified version of GRE.
- Encryption: PPP frames are secured using Microsoft Point-to-Point Encryption (MPPE). Encryption keys are generated during authentication, employing protocols like MS-CHAP v2 or EAP-TLS.
- Layer 2 Tunneling Protocol (L2TP) - L2TP is a secure tunneling protocol designed to transport PPP frames over the Internet Protocol, building partially on PPTP. Unlike PPTP, Microsoft’s L2TP implementation doesn’t utilize MPPE for encryption. Instead, it leverages IPsec in Transport Mode. This combination is known as L2TP/IPsec.
- Encapsulation: PPP frames are first wrapped with an L2TP header and then a UDP header, and the result is encapsulated using IPsec.
- Encryption: L2TP messages are encrypted using either AES or 3DES encryption, with keys generated during the IKE negotiation process.
- Secure Socket Tunneling Protocol (SSTP) – SSTP operates as a tunneling protocol utilizing HTTPS. Because TCP Port 443 is commonly open on corporate firewalls, it’s a suitable choice for environments restricting traditional VPN connections. It also provides strong security through SSL certificate-based encryption.
- Encapsulation: PPP frames are encapsulated within IP datagrams.
- Encryption: SSTP messages are encrypted using SSL.
- Internet Key Exchange (IKEv2) - IKEv2 is a tunneling protocol that employs the IPsec Tunnel Mode protocol over UDP port 500.
- Encapsulation: IKEv2 encapsulates datagrams using IPsec ESP or AH headers.
- Encryption: Messages are encrypted with either AES or 3DES encryption, utilizing keys generated from the IKEv2 negotiation process.
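The practical difference between these protocols is often which of them a firewall between the client and the VPN server lets through. The script below is an added example, not code from the article; it probes, from the Windows 7 client's current location, the ports each protocol uses on the server. `vpn.example.com` is a placeholder. Only the TCP-based transports (PPTP on 1723, SSTP on 443) can be confirmed with a plain connect; L2TP/IPsec and IKEv2 run over UDP 500/4500 and ESP, which a connection attempt cannot verify, so they are reported as unknown rather than guessed.

```powershell
# Added example: which VPN transports are reachable from here? (not from the article)
# Assumption: $VpnServer is a placeholder; replace with the server name from the connection wizard.
$VpnServer = 'vpn.example.com'

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # A silently dropped packet (typical firewall behaviour) shows up as a timeout
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Port usage per protocol as described above; $null marks transports a TCP connect cannot test
$Transports = @(
    @{ Protocol = 'PPTP';       Port = 1723;  Note = 'also needs GRE (IP protocol 47), not probed here' },
    @{ Protocol = 'SSTP';       Port = 443;   Note = 'HTTPS; a web server on 443 is not proof of SSTP' },
    @{ Protocol = 'L2TP/IPsec'; Port = $null; Note = 'UDP 500/4500 and ESP; not testable with TCP' },
    @{ Protocol = 'IKEv2';      Port = $null; Note = 'UDP 500/4500; not testable with TCP' }
)

function Get-ReachableVpnTransports {
    param([string]$Server)
    foreach ($t in $Transports) {
        if ($t.Port -eq $null) {
            $state = 'Unknown'
        } elseif (Test-TcpPort -HostName $Server -Port $t.Port) {
            $state = 'Reachable'
        } else {
            $state = 'Blocked'
        }
        New-Object PSObject -Property @{ Protocol = $t.Protocol; Port = $t.Port; Result = $state; Note = $t.Note }
    }
}

Get-ReachableVpnTransports -Server $VpnServer | Format-Table Protocol, Port, Result, Note -AutoSize
```

A result of "Blocked" for 1723 together with "Reachable" for 443 is the situation the SSTP description above refers to: the client is behind a firewall that only passes web traffic, so an SSTP entry is the one most likely to connect.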
Establishing a VPN server requires specific configurations.
To enable VPN connections to your network, a server running Windows Server must be configured with the following roles:
- Routing and Remote Access (RRAS)
- Network Policy Server (NPS)
Furthermore, either DHCP must be configured or a static IP address pool allocated for use by devices connecting via VPN.
Creating a VPN Connection
To initiate a VPN connection, right-click the network status icon and access the Network and Sharing Center.

Select the “Set up a new connection or network” link.

Choose the option to connect to a workplace and proceed to the next step.

Opt to use your existing broadband connection.

Enter the IP address or DNS name of the VPN server you intend to connect to, then click next.
Provide your username and password, and then click connect.

Upon successful connection, you can verify the VPN status by clicking on the network status icon.

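The same connection the wizard creates can be started and checked from a script, which is useful when you want to confirm not only that the tunnel is up but also what it changed on the client. The script below is an added example, not code from the article; it uses the built-in `rasdial` command on Windows 7 with `Work VPN` as a placeholder for the name given to the connection in the wizard, and `jdoe` as a placeholder user name (`*` makes `rasdial` prompt for the password). The assumption that the tunnel's adapter is reported through WMI with a description equal to the connection name, as `ipconfig` shows it for "PPP adapter" entries, is noted in the code.

```powershell
# Added example: connect with rasdial, then verify the tunnel (not from the article).
# Assumptions: 'Work VPN' and 'jdoe' are placeholders; the entry already exists in rasphone.pbk.
function Connect-Vpn {
    param([string]$EntryName, [string]$UserName)
    # rasdial exits non-zero with a RAS error number when the connection fails
    $output = rasdial $EntryName $UserName '*' 2>&1
    New-Object PSObject -Property @{ Succeeded = ($LASTEXITCODE -eq 0); Output = ($output -join "`n") }
}

function Get-ActiveVpnConnections {
    # With no arguments rasdial lists connected entries between a "Connected to" header
    # and "Command completed successfully." (prints "No connections" when nothing is up)
    $names  = @()
    $inList = $false
    foreach ($line in (rasdial)) {
        if ($line -match '^Connected to') { $inList = $true; continue }
        if ($line -match '^Command completed') { break }
        if ($inList -and $line.Trim()) { $names += $line.Trim() }
    }
    return $names
}

function Get-VpnAdapterInfo {
    param([string]$EntryName)
    # Assumption: the PPP adapter's WMI Description equals the entry name, as ipconfig displays it
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
        Where-Object { $_.Description -eq $EntryName } |
        Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder
}

function Get-DefaultRoutes {
    # Two 0.0.0.0 routes mean the tunnel added its own default gateway ("Use default gateway
    # on remote network"), so all traffic, not just corporate traffic, now goes through the VPN
    $routes = @()
    foreach ($line in (route print -4)) {
        if ($line -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)') {
            $routes += New-Object PSObject -Property @{ Gateway = $Matches[1]; Interface = $Matches[2]; Metric = [int]$Matches[3] }
        }
    }
    return $routes
}

function Disconnect-Vpn {
    param([string]$EntryName)
    rasdial $EntryName /disconnect | Out-Null
}

$entry  = 'Work VPN'
$result = Connect-Vpn -EntryName $entry -UserName 'jdoe'
if ($result.Succeeded) {
    Write-Host "Active connections: $((Get-ActiveVpnConnections) -join ', ')"
    Get-VpnAdapterInfo -EntryName $entry | Format-List
    Get-DefaultRoutes | Format-Table Gateway, Interface, Metric -AutoSize
} else {
    Write-Warning "Connection failed:`n$($result.Output)"
}
```

Checking the default routes is the part worth keeping: whether the remote network's gateway takes over all traffic is a connection-level setting, and seeing two 0.0.0.0 entries after connecting tells you immediately which mode the entry is in.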
Assignment: VPN Security Planning
- Review the article on TechNet that details the process of planning security measures for a Virtual Private Network (VPN).
Please be aware that this assignment extends slightly beyond the specific content covered in the 70-680 exam syllabus.
However, completing it will provide a comprehensive understanding of the underlying mechanisms involved when establishing a VPN connection from a Windows 7 operating system.
Should any questions arise during your review, feel free to reach out via Twitter @taybgibb, or simply post a comment below.