Create RRAS/NPS IP blacklist

  • Create RRAS/NPS IP blacklist

    Hi

    Checking through the logs of our RRAS I am seeing lots of failed connections from particular IP addresses attempting to connect via VPN.

    I have a policy set up that only allows connections from user accounts that are members of a security group. I know this should be sufficient but I don't want any of the bogus attempts to successfully access our network due to a lucky name/password combination.

    I have had a quick look through the various options for setting up policies in NPS but cannot see one that allows straight-forward blocking of an IP, or blocking based on membership of a blacklist.

    This is set up on a Windows Server 2012 Standard Edition member server.

    Anyone have any suggestions, please?

    Thanks!
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: Create RRAS/NPS IP blacklist

    Is there a firewall device between your ISP circuit and your server (like a Cisco ASA or a Watchguard device)? If so, it might be simpler to set up a blacklist of 'bad' IPs, or maybe a whitelist of 'good' IPs that will allow only selected IPs to get to the server for VPN authentication.

    As well, it's hard for someone to brute-force try username/password combinations if the passwords are changed regularly, and complexity is enforced to prevent simple dictionary attack success.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **
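An added example, not code from any poster in this thread, showing what a host-level version of the blacklist suggested above could look like on the Server 2012 RRAS/NPS box itself, using the Windows Firewall cmdlets that ship with that release. It assumes NPS auditing writes "access denied" events (Event ID 6273) to the Security log and that the remote VPN client's public address appears in the event's "Calling Station Identifier" field; the threshold, lookback window and rule name are arbitrary choices.

```powershell
# Added example: counts NPS access-denied audits per remote address and blocks
# repeat offenders with an inbound Windows Firewall rule. Field names and the
# event ID are assumptions to verify against your own logs before relying on it.
param(
    [int]$Threshold = 20,          # denials per address before blocking (arbitrary)
    [int]$LookbackHours = 24,      # how far back to read the Security log
    [string]$RuleName = 'RRAS-VPN-Blacklist'
)

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
          -ErrorAction SilentlyContinue

# Pull the 'Calling Station Identifier' value out of each event message. For RRAS VPN
# this is assumed to hold the remote client's public IPv4 address.
$offenders = $events |
    ForEach-Object {
        if ($_.Message -match 'Calling Station Identifier:\s*(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] }
    } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold } |
    Select-Object -ExpandProperty Name

# Never block RFC 1918 or loopback ranges, so a misread log line cannot lock out the LAN.
$offenders = @($offenders | Where-Object { $_ -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)' })

if ($offenders.Count -eq 0) { Write-Host 'No addresses over threshold.'; return }

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    # Merge with addresses already in the rule so earlier blocks survive each run.
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged   = @($existing) + $offenders | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $offenders -Profile Any | Out-Null
}
Write-Host ('Blocked: ' + ($offenders -join ', '))
```

Run it from a scheduled task on the RRAS host; as cruachan notes further down, attackers rotate addresses, so prune the rule periodically rather than letting it grow without bound.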


    • #3
      Re: Create RRAS/NPS IP blacklist

      Thanks for responding.

      We've got a router but the firewall documentation is impenetrable.

      The LAN passwords rely on passing the complexity requirements and those who connect via VPN have to change their passwords every 90 days, except for one person. Nevertheless, being able to stop an IP address from connecting would be great. I was hoping that there was some way to do this via NPS.

      Cheers!
      A recent poll suggests that 6 out of 7 dwarfs are not happy


      • #4
        Re: Create RRAS/NPS IP blacklist

        I generally find that maintaining blacklists that way isn't sustainable, particularly as the sort of people who are trying brute force attacks like that rarely keep the same IP for long.

        Personally I'd go 2-factor authentication (L2TP with Certificates being my preferred option) which gives you much greater administrative control over devices. Anyone can set up a PPTP VPN but the added requirement of a Computer Certificate or Smart Card makes brute force entry a pretty hollow threat.

        An even better option, which is what we use in our office, is Direct Access. However the added cost for Enterprise or Ultimate editions of Windows (which we get free for internal use as Microsoft partners) is generally a show-stopper there. It's completely seamless, the users don't even have to dial a VPN because it's there automatically.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog


        • #5
          Re: Create RRAS/NPS IP blacklist

          Does this help?
          http://technet.microsoft.com/en-us/l...=ws.10%29.aspx
          Please remember to award reputation points if you have received good advice.
          I do tend to think 'outside the box' so others may not always share the same views.

          MCITP -W7,
          MCSA+Messaging, CCENT, ICND2 slowly getting around to.


          • #6
            Re: Create RRAS/NPS IP blacklist

            Originally posted by cruachan:
            I generally find that maintaining blacklists that way isn't sustainable, particularly as the sort of people who are trying brute force attacks like that rarely keep the same IP for long.

            Personally I'd go 2-factor authentication (L2TP with Certificates being my preferred option) which gives you much greater administrative control over devices. Anyone can setup a PPTP VPN but the added requirement of a Computer Certificate or Smart Card makes brute force entry a pretty hollow threat ...
            Yes, I agree, and had considered this. I've looked at certificates in the past but it looks like a nightmare to set up and seeing some of the questions and solutions that have been posted here and on MS's forums quite frankly scares me.

            I guess I'll just have to take the plunge and go through that training I received.

            Originally posted by uk_network:
            Thanks, but that only allows packet filtering which I have disabled. When I initially set this up on our Win2k8 server I misunderstood what enabling this would do when configuring the options and ended up isolating the domain controller from the network. I queried MS's required ports list for AD and added them to the filter but access was unbelievably slow. I ended up disabling it altogether.


            Thanks to both of you for your replies, I appreciate the help.
            A recent poll suggests that 6 out of 7 dwarfs are not happy
