that corresponds to the locked-out user account. (These entries will be deleted automatically
by the operating system when the account lockout reset time has elapsed.)
If you find that you are repeatedly required to unlock remote access accounts that have
been locked, you may need to rethink the values that you've configured for MaxDenials and the
reset time on the local IAS server. While you may initially think that it's good for security to
create a very low value for a maximum number of bad passwords before accounts are locked,
you need to balance this against the possibility that you may be inadvertently creating a
denial-of-service attack against your own network through overly harsh lockout settings.
See Also
• Recipe 6-13 for configuring remote access account lockouts
• Microsoft TechNet: “Configuring Remote Access Account Lockout for a VPN Solution”
  (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/2c9f964c-5fae-4109-bd70-8a6fb65c9c69.mspx)
6-15. Creating a Quarantine IP Filter
Problem
You want to configure a remote access policy to restrict remote access on a Windows Server 2003
network that is configured for Network Access Quarantine Control (NAQC).
Solution
1. Open the IAS MMC snap-in.
2. Select the Remote Access Policies node in the left pane.
3. Right-click the policy that you want to modify and select Properties.
4. On the Settings tab, click Edit Profile.
5. On the Advanced tab, click Add.
6. On the Add Attribute screen, select the MS-Quarantine-IPFilter attribute, and then click Add.
7. On the IP Filter Attribute Information screen, click Input Filters.
8. On the Inbound Filters screen, click New to create a new input filter.
9. On the Add IP Filter screen, set the following:
   • Place a check mark next to Destination Network.
   • Enter the IP address or network number of your quarantine servers in the IP Address text box.
   • Enter the appropriate subnet mask in the Subnet Mask text box.