7. Configuring Identity Validation
Proper identity validation is essential to maintaining the integrity of your network. When users dial in to the office, you should ensure that identities are validated securely if at all possible. This isn’t the default setting for standard dial-up connections, however. With most connections, the user’s logon information can be passed in clear text over the connection. If you don’t allow unencrypted passwords to be used, this forces Windows 8 to attempt to pass logon information by using a secure technique, such as MS-CHAP Version 2 or Challenge Handshake Authentication Protocol (CHAP), rather than clear text. You can also configure connections to use Extensible Authentication Protocol (EAP).
With dial-up and broadband connections, you can use any of these options. With VPN, you can use only the secure techniques. When you require a secured password, you can also automatically pass the Windows logon name, password, and domain specified in the configuration. Passing the Windows logon information automatically is useful when users connect to the office and must be authenticated in the Windows domain. With both secure validation techniques, you can require data encryption and force Windows 8 to disconnect if encryption cannot be used. Data encryption is automatically used with Windows Authentication for both secured passwords and smart cards.
To configure identity validation, follow these steps:
- In Control Panel, tap or click Network And Internet. In Network And Internet, tap or click Internet Options. In the Internet Properties dialog box, tap or click the Connections tab.
- In the Dial-Up And Virtual Private Network Settings list, select the connection you want to configure, and then tap or click Settings.
- In the Settings dialog box, tap or click Properties.
- In the Properties dialog box, tap or click the Security tab. With VPNs, you can specify the connection protocol to use or use automatic detection. If you require secure passwords, you can also set automatic logon and require data encryption. Both options are useful when logging on to a Windows domain. The settings must be supported, however; if they aren’t, users won’t be able to validate their logons and connections won’t be completed.
  If you use smart cards, you should also require data encryption. Data encryption is essential to ensuring the integrity and security of the data passed between the originating computer and the authenticating computer. If you select Require Encryption and the connection is not secured with encryption, the client computer will drop the connection.
- Specify the allowed authentication protocols, and then tap or click OK.
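The Security tab settings above can also be applied and audited from a script. The following is an added example, not taken from the book, that uses the VpnClient module cmdlets (Get-VpnConnection and Set-VpnConnection, available on Windows 8 and later) to restrict an existing VPN connection to MS-CHAP v2, pass the Windows logon automatically, and require encryption. The connection name "Corp VPN" is a placeholder. Note that CHAP and MS-CHAP v2 are challenge/response methods that keep the password off the wire but do not themselves encrypt the session; that is why Require Encryption is a separate setting worth enforcing.

```powershell
# Added example (not from the book): enforce secure identity validation on an
# existing VPN connection. "Corp VPN" is a placeholder connection name.
$ConnectionName = 'Corp VPN'

# Inspect the current settings before changing anything.
$before = Get-VpnConnection -Name $ConnectionName
"Before: Auth={0}  Encryption={1}  Tunnel={2}" -f `
    ($before.AuthenticationMethod -join ','), $before.EncryptionLevel, $before.TunnelType

# Allow only MS-CHAP v2 (challenge/response, so the password never crosses the
# link in clear text), pass the Windows logon name/password/domain
# automatically, and refuse to connect unless the link is encrypted. This is
# the scripted counterpart of clearing the unencrypted-password option and
# selecting Require Encryption on the Security tab.
Set-VpnConnection -Name $ConnectionName `
    -AuthenticationMethod MSChapv2 `
    -UseWinlogonCredential $true `
    -EncryptionLevel Required `
    -Force

# Verify: fail loudly if PAP is still allowed or encryption is not required,
# so a misconfigured connection does not silently pass an audit.
$after = Get-VpnConnection -Name $ConnectionName
if ($after.AuthenticationMethod -contains 'Pap' -or $after.EncryptionLevel -ne 'Required') {
    throw "Connection '$ConnectionName' still permits insecure validation"
}
"After:  Auth={0}  Encryption={1}" -f ($after.AuthenticationMethod -join ','), $after.EncryptionLevel
```

Run this in an elevated PowerShell session on the client. Set-VpnConnection applies only to VPN entries, which matches the text: dial-up and broadband entries can still permit the insecure options, so those connections should be reviewed on the Security tab as described above.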
8. Configuring Networking Protocols and Components
The way in which networking protocols and components are configured depends on the type of connection. As Table 1 describes, dial-up connections can use either Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) as the connection protocol. Broadband connections use Point-to-Point Protocol over Ethernet (PPPoE). Most VPN connections use either PPTP or L2TP. Newer VPN connections, however, may use Secure Socket Tunneling Protocol (SSTP) or IKEv2. With IKEv2, connections can use machine certificates during authentication.
Table 1. Connection Protocol Availability by Connection Type

| CONNECTION TYPE | CONNECTION PROTOCOL | DESCRIPTION |
|---|---|---|
| Dial-up | PPP | Used to establish connections to Windows servers over dial-up. |
| Dial-up | SLIP | Used to establish connections to UNIX servers over dial-up; available if you’ve installed third-party software. |
| Broadband | PPPoE | Used to establish a point-to-point broadband connection over Ethernet. |
| VPN | Automatic | Used to detect automatically which VPN protocol is available and establish a virtual tunnel using that protocol. |
| VPN | PPTP VPN | Sets the PPTP for a VPN. PPTP is an extension of PPP. |
| VPN | L2TP IPSec VPN | Sets the L2TP for a VPN. L2TP uses IPSec to enhance security. |
| VPN | IKEv2 | Sets the IKE Version 2 for a VPN. IKEv2 uses IPSec tunnel mode to enhance security. |
| VPN | SSTP | Sets the SSTP for a VPN. SSTP transports PPP or L2TP traffic through an SSL channel. |
| DirectAccess | IPv6 over IPSec | Used to establish a secure tunnel to a workplace over an existing connection. |
Three network components are used with mobile networking: Transmission Control Protocol/Internet Protocol (TCP/IP), File And Printer Sharing For Microsoft Networks, and Client For Microsoft Networks. As Table 2 shows, the way these components are configured by default depends on the type of connection that was created originally. You can change these settings to suit your needs. If necessary, you can also install additional networking components.
Table 2. Default Component Configuration by Connection Type

| DIAL-UP COMPONENT | DESCRIPTION | BROADBAND | STANDARD DIAL-UP | DIAL-UP TO OFFICE | VPN |
|---|---|---|---|---|---|
| Transmission Control Protocol/Internet Protocol (TCP/IP) | TCP/IPv4 and TCP/IPv6 are required for network communications. By default, DHCP is used with connections unless overridden in the property settings. | Yes | Yes | Yes | Yes |
| File And Printer Sharing For Microsoft Networks | Enables the sharing of printers and files over the network connection; allows for mapping printers and drives. | No | No | No | Yes |
| Client For Microsoft Networks | Enables Windows Authentication in Windows domains; enables the computer to act as the domain client. | No | No | Yes | Yes |
To view or change the networking options for a connection, follow these steps:
- In Control Panel, tap or click Network And Internet. In Network And Internet, tap or click Internet Options. In the Internet Properties dialog box, tap or click the Connections tab.
- In the Dial-Up And Virtual Private Network Settings list, select the connection that you want to configure, and then tap or click Settings.
- In the Settings dialog box, tap or click Properties.
- In the Properties dialog box, tap or click the Networking tab. You can now do the following:
  - Enable network components by selecting the related check box in the This Connection Uses The Following Items list.
  - Disable network components by clearing the related check box in the This Connection Uses The Following Items list.
  Tip: If any of the network components shown in Table 2 are not available and are necessary for the connection, you can install them by tapping or clicking Install on the Networking tab. Afterward, select the component type, tap or click Add, and then select the component to use in the list provided.
- By default, connections use DHCP to configure network settings, including the IP address, subnet mask, default gateway, DNS servers, and WINS servers. If you want to assign a static IP address or override other default settings, select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6), and then tap or click Properties.
- Tap or click OK three times.
9. Enabling and Disabling Windows Firewall for Network Connections
With dial-up, broadband, and VPN connections, you might want to give the computer added protection against attacks by using Windows Firewall. This built-in firewall protects Windows 8 systems by restricting the types of information that can be communicated. By enforcing the appropriate restrictions, you reduce the possibility that malicious individuals can break into a system—and reducing security risks is extremely important when users are accessing the organization’s network from outside your protective firewalls and proxy servers.

Windows Firewall is enabled by default for all connections and can be enabled or disabled for each type of network to which a user connects. To enable or disable Windows Firewall on a per-connection basis, follow these steps:
- In Control Panel, tap or click System And Security.
- Tap or click Windows Firewall. In the left pane of the Windows Firewall page, tap or click Turn Windows Firewall On Or Off.
- Windows Firewall settings for each network type to which a user can connect are listed on the Customize Settings page. Select Turn On Windows Firewall or Turn Off Windows Firewall for each network type as appropriate.
- Tap or click OK when you have finished.
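The network types on the Customize Settings page correspond to the Domain, Private, and Public firewall profiles. The following is an added example, not from the book, that uses the NetSecurity module cmdlets (Get-NetFirewallProfile and Set-NetFirewallProfile, available on Windows 8 and later) to audit the state of each profile, turn Windows Firewall on for all of them, and fail if any profile is still off. This is the scripted equivalent of the steps above and is useful for checking a fleet of mobile computers.

```powershell
# Added example (not from the book): audit and enforce Windows Firewall state
# per network profile. Run in an elevated PowerShell session.

# Audit: report each profile's state and default actions before changing anything.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Enforce: turn the firewall on for every profile. A computer that dials in or
# uses a VPN from a home or hotel network is on the Private or Public profile,
# which is exactly where it sits outside the organization's own firewalls.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Verify: any profile still disabled is a misconfiguration worth flagging
# rather than silently accepting.
$disabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($disabled) {
    throw ("Windows Firewall is off for profile(s): " + ($disabled.Name -join ', '))
}
"Windows Firewall is enabled for all profiles."
```

If Group Policy manages the firewall, Set-NetFirewallProfile changes the local setting only and the policy value wins; the verification step will then report whatever the policy enforces, which is the state you actually want to know.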