Create RRAS/NPS IP blacklist


This topic contains 6 replies, has 5 voices, and was last updated by mike_coreit 1 week, 5 days ago.

    Blood (Moderator) #162562

    Hi

    Checking through the logs of our RRAS I am seeing lots of failed connections from particular IP addresses attempting to connect via VPN.

    I have a policy set up that only allows connections from user accounts that are members of a security group. I know this should be sufficient but I don’t want any of the bogus attempts to successfully access our network due to a lucky name/password combination.

    I have had a quick look through the various options for setting up policies in NPS but cannot see one that allows straight-forward blocking of an IP, or blocking based on membership of a blacklist.

    This is set up on a Windows Server 2012 Standard Edition member server.

    Anyone have any suggestions, please?

    Thanks!

    Anonymous #371614

    Re: Create RRAS/NPS IP blacklist

    Is there a firewall device between your ISP circuit and your server (like a Cisco ASA or a Watchguard device)? If so, it might be simpler to set up a blacklist of ‘bad’ IPs, or maybe a whitelist of ‘good’ IPs that will allow only selected IPs to get to the server for VPN authentication.

    As well, it’s hard for someone to brute-force try username/password combinations if the passwords are changed regularly, and complexity is enforced to prevent simple dictionary attack success.

    Blood (Moderator) #336319

    Re: Create RRAS/NPS IP blacklist

    Thanks for responding.

    We’ve got a router but the firewall documentation is impenetrable.

    The LAN passwords rely on passing the complexity requirements and those who connect via VPN have to change their passwords every 90 days, except for one person. Nevertheless, being able to stop an IP address from connecting would be great. I was hoping that there was some way to do this via NPS.

    Cheers!

    cruachan (Participant) #330636

    Re: Create RRAS/NPS IP blacklist

    I generally find that maintaining blacklists that way isn’t sustainable, particularly as the sort of people who are trying brute force attacks like that rarely keep the same IP for long.

    Personally I’d go 2-factor authentication (L2TP with Certificates being my preferred option) which gives you much greater administrative control over devices. Anyone can set up a PPTP VPN but the added requirement of a Computer Certificate or Smart Card makes brute force entry a pretty hollow threat.

    An even better option, which is what we use in our office, is Direct Access. However, the added cost for Enterprise or Ultimate editions of Windows (which we get free for internal use as Microsoft partners) is generally a show-stopper there. It’s completely seamless, the users don’t even have to dial a VPN because it’s there automatically.

    uk_network (Member) #307844

    Re: Create RRAS/NPS IP blacklist

    Does this help?
    http://technet.microsoft.com/en-us/library/dd469754%28v=ws.10%29.aspx

    Blood (Moderator) #336322

    Re: Create RRAS/NPS IP blacklist

    cruachan;278174 wrote:
    I generally find that maintaining blacklists that way isn’t sustainable, particularly as the sort of people who are trying brute force attacks like that rarely keep the same IP for long.

    Personally I’d go 2-factor authentication (L2TP with Certificates being my preferred option) which gives you much greater administrative control over devices. Anyone can setup a PPTP VPN but the added requirement of a Computer Certificate or Smart Card makes brute force entry a pretty hollow threat …

    Yes, I agree, and had considered this. I’ve looked at certificates in the past but it looks like a nightmare to set up and seeing some of the questions and solutions that have been posted here and on MS’s forums quite frankly scares me.

    I guess I’ll just have to take the plunge and go through that training I received.

    Thanks, but that only allows packet filtering which I have disabled. When I initially set this up on our Win2k8 server I misunderstood what enabling this would do when configuring the options and ended up isolating the domain controller from the network. I queried MS’s required ports list for AD and added them to the filter but access was unbelievably slow. I ended up disabling it altogether.

    Thanks to both of you for your replies, I appreciate the help.

    mike_coreit (Participant) #626157

    Hi, does anyone know if RRAS offers some kind of temporary IP block for incorrect login attempts?
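One way to get the temporary block asked about here, as an added example that is not from any poster in this thread: a PowerShell script, run as a scheduled task on the RRAS/NPS server, that counts NPS denied-access events per source address and adds a time-limited Windows Firewall block rule for any address that goes over a threshold. It assumes NPS records denials as Security log event ID 6273 with the remote VPN client's address in the Calling Station Identifier field (check this against your own events before relying on it); the threshold and block duration are illustrative values.

```powershell
# Added example, not from any poster in this thread.
# Assumptions: NPS logs denied access as Security event ID 6273, and for RRAS VPN the
# "Calling Station Identifier" field holds the remote client's IP. Verify both on your server.
# Intended to run from a scheduled task (e.g. every 5 minutes) with administrative rights.

param(
    [int]$Threshold = 10,   # failures from one IP within the window before it is blocked
    [int]$WindowMin = 10,   # look-back window, in minutes, for counting failures
    [int]$BlockMin  = 60    # how long an auto-created block rule stays in place
)

$prefix = 'NPS-AutoBlock'
$since  = (Get-Date).AddMinutes(-$WindowMin)

# 1. Collect recent denied-access events from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
          -ErrorAction SilentlyContinue

# 2. Extract the calling station (remote IP) from each event and count failures per address.
$counts = @{}
foreach ($e in $events) {
    if ($e.Message -match 'Calling Station Identifier:\s+(\d{1,3}(?:\.\d{1,3}){3})') {
        $ip = $Matches[1]
        $counts[$ip] = 1 + [int]$counts[$ip]
    }
}

# 3. Add an inbound block rule for every address at or above the threshold (skip existing ones).
foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $Threshold) { continue }
    $name = "$prefix $ip"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $ip -Action Block `
        -Profile Any -Description "Blocked $((Get-Date).ToString('o'))" | Out-Null
    Write-Output "Blocked $ip after $($counts[$ip]) failed attempts in $WindowMin minutes"
}

# 4. Expire auto-block rules older than $BlockMin; the creation time is kept in the Description.
foreach ($rule in Get-NetFirewallRule -DisplayName "$prefix *" -ErrorAction SilentlyContinue) {
    try { $created = [datetime]::Parse(($rule.Description -replace '^Blocked ', '')) }
    catch { continue }
    if ($created.AddMinutes($BlockMin) -lt (Get-Date)) {
        Remove-NetFirewallRule -Name $rule.Name
        Write-Output "Expired block rule $($rule.DisplayName)"
    }
}
```

Because the block is applied by the host firewall rather than by NPS, it also stops the bogus connection attempts from being logged in the first place, so set the threshold high enough that a user mistyping a password does not lock out their whole office address.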
