T 5.91 Disabling of RAS access security mechanisms

The security of RAS access depends significantly on correct use of the security mechanisms provided. However, it is generally possible to configure the RAS system (client and/or server) in such away that either weak or no security mechanisms are used. If, for example, the mechanisms used for data encryption are dynamically negotiated between client and server when a connection is established (e.g. this can occur if IPSec or SSL is used), generally this negotiation process entails the client offering the server a list of procedures supported (known as cipher suites) for selection, from which the server chooses one. The list of algorithms can be altered by making the appropriate configuration changes. Usually there is also a "no encryption" option.

If an unencrypted connection is one of the options allowed between clients and server, then there is a risk that protection of the data transmitted will be disabled. This is particularly problematic where users are able in the event of problems to modify the RAS system configuration settings on RAS clients to fit local circumstances.

Examples

• RAS communications are to be protected by means of IPSec running under Windows 2000. The RAS server has been configured so that IPSec encryption is requested but is not enforced, so that RAS clients can potentially also establish insecure connections. As the loss of performance associated with encryption appears unacceptable to a RAS user who is working with an older laptop, he disables IPSec encryption. The RAS connection is now established in plaintext.

• Under older Windows NT versions, encryption of the RAS connection using Microsoft Point to Point Encryption (MPPE) can only be performed if MS-CHAP has been specified as the authentication procedure. Consequently only if MS-CHAP is used are the parameters which are necessary for encryption exchanged between client and server. In order to use a standard authentication procedure, a user selects the CHAP procedure in the configuration settings. Encryption of the RAS connection is no longer possible using MPPE even though the appropriate option is enabled