How It Works
Remote access policies permit connections based on criteria such as these:
• Remote access permission
• Group membership
• Type of connection
• Time of day
• Authentication methods
They also permit connections based on advanced conditions, such as these:
• Access server identity
• Access client phone number or MAC address
• Whether user account dial-in properties are ignored
• Whether unauthenticated access is allowed
After the connection is granted, remote access policies can also be used to specify
connection restrictions based on criteria such as these:
• Idle timeout time
• Maximum session time
• Encryption strength
• IP packet filters
Advanced connection restrictions include the following:
• IP address for PPP connections
• Static routes
For example, you can have policies that permit remote access only to the Engineering
group but deny it to the HR group. You could also restrict relevant groups to access during
normal business hours and specify that the connection should be terminated if left idle for
more than 15 minutes.
In order to take full advantage of remote access policies, your Windows 2000 or 2003 domain
must be running in native mode. If you are still operating in mixed mode, your restrictions are
limited to allowing or denying access on a per-user basis.
If a particular user is configured such that the account properties explicitly grant or deny
dial-in permissions, then the server-based remote access policy will be ignored unless an
advanced restriction is defined on the server that specifies that the user account properties
should be ignored.
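The precedence described above can be modelled in a few lines. This is an added example, not code from the book or from Windows: a simplified Python model whose class names, fields and sample policies are hypothetical, built only from the rules stated on this page. It shows that an explicit per-account grant bypasses a group deny policy unless the policy is set to ignore account properties.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass
class Policy:  # hypothetical model of one server-side policy
    group: str
    permit: bool
    hours: tuple = (time(0, 0), time(23, 59))
    idle_timeout_min: Optional[int] = None
    ignore_user_dialin: bool = False  # advanced restriction: ignore account properties

@dataclass
class User:
    name: str
    groups: frozenset
    dialin: Optional[bool] = None  # True/False = explicit grant/deny; None = not set

def evaluate(user, now, policies, native_mode=True):
    """Return (granted, idle_timeout_min, reason) for one connection attempt."""
    if not native_mode:
        # Mixed mode: only per-user allow/deny applies (unset treated as deny: assumption).
        return (user.dialin is True, None, "mixed mode: per-user setting only")
    match = next((p for p in policies if p.group in user.groups), None)
    ignore = match is not None and match.ignore_user_dialin
    if user.dialin is not None and not ignore:
        return (user.dialin, None, "account dial-in setting overrides policy")
    if match is None:
        return (False, None, "no matching policy")  # assumption: default deny
    if not match.permit:
        return (False, None, f"policy denies group {match.group}")
    start, end = match.hours
    if not (start <= now <= end):
        return (False, None, "outside permitted hours")
    return (True, match.idle_timeout_min, f"policy permits group {match.group}")

# Constructed sample policies mirroring the page's Engineering/HR example.
POLICIES = [
    Policy("Engineering", True, (time(9, 0), time(17, 0)), idle_timeout_min=15),
    Policy("HR", False),
]

if __name__ == "__main__":
    alice = User("alice", frozenset({"Engineering"}))
    bob = User("bob", frozenset({"HR"}), dialin=True)  # explicit account grant
    for who, at in [(alice, time(10, 30)), (alice, time(22, 0)), (bob, time(10, 30))]:
        print(who.name, at, evaluate(who, at, POLICIES))
```

When auditing, accounts like the constructed "bob" are the ones to look for: an explicit dial-in grant on an account in a group the server policy denies.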
Group permissions can only be created and managed using server policies; it is not possible
to allow or deny access to a group in a manner analogous to a specific user account. However,
if you do configure a server policy that is based on group membership, you should be certain