Authentication (Recommended). This option enables users with computers running Remote Desktop with Network Level Authentication to connect to your computer. This is the most secure option if people connecting to your computer are running Windows 7, 8.1, or 10. If you do not select this option, users with any version of Remote Desktop can connect to your computer, regardless of Windows version in use.
Step 5. Click OK or Apply.
You also need to specify the users that are entitled to make a remote connection to your computer. By default, members of the Administrators and Remote Desktop Users groups are allowed to connect to your computer. To add a nonadministrative user to the Remote Desktop Users group, click the Select Users button in the Remote tab previously shown in Figure 15-4. This opens the Remote Desktop Users dialog box shown in Figure 15-5. Click Add, and in the Select Users dialog box that appears, type the name of the user to be granted access, and then click OK. The Select Users dialog box also enables you to add users from an Active Directory Domain Services (AD DS) domain if your computer is a domain member.
Figure 15-5. Remote Desktop Users Dialog Box Enabling You to Grant Remote Desktop Access to Nonadministrative Users
Selecting a Nondefault Port
You can configure the listening port, from the default TCP 3389, to another port of your choice. When you do so, only the people who specify the port can connect and then run a remote session. In Windows 10, you are able to adjust the port only by editing the Registry:
Step 1. Open the Registry Editor, supply your UAC credentials, and navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key.
Step 2. Select the PortNumber value, click the Edit menu, and then select Modify.
Step 3. Click Decimal and type in the new port number.
Step 4. Click OK and close the Registry Editor.
On the client computer, you then make a connection by opening the Remote Desktop Connection dialog box as previously described and shown in Figure 15-2. In the Computer text box, type the name or IP address of the Remote Desktop host computer, concatenated with a colon and the port number. For example, if you edited the Registry of the host computer named NANC511 with an IP address of 192.168.0.8 and changed the port number to 4233, then you would type either NANC511:4233 or 192.168.0.8:4233 into the Computer text box of the Remote Desktop Connection dialog box.
Keep in mind that a Remote Desktop connection functions across any TCP/IP link, whether dial-up, local, or otherwise. When you configure a host computer, be sure to add users to the Remote Desktop Users group and to create an exception for Remote Desktop traffic in Windows Firewall. You should also create the exception on the client computer. Refer to Chapter 16, “Configuring and Maintaining Network Security,” for information on configuring Windows Firewall.
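As an added example that is not part of the book, the same port change and firewall exception performed from an elevated PowerShell prompt on the host; the port 4233 is the book's example value, and the firewall rule name is my own.

```powershell
# Added example (not from the book): move the Remote Desktop listener to a
# nondefault port and open the matching Windows Firewall rule. Run elevated.
# Note that a nondefault port only hides the listener from casual scans;
# Network Level Authentication, the Remote Desktop Users membership, and
# the firewall rule scope are what actually protect the host.
$NewPort = 4233
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record the current value so the change can be reverted if needed.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP listening port: $OldPort"

# Steps 1-4 of the book in one command; PortNumber is a REG_DWORD.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop" firewall rules still refer to TCP 3389, so
# add a rule for the new port, limited to the Domain and Private profiles.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP-In) port $NewPort" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow `
    -Profile Domain, Private | Out-Null

# The listener only picks up the new port after the service restarts
# (this drops any session currently connected to the host).
Restart-Service -Name TermService -Force

# Verify that the host is now listening on the new port.
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object LocalAddress, LocalPort, OwningProcess

# From the client, the book's NANC511:4233 form can also be passed to
# mstsc directly:  mstsc /v:NANC511:4233
```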
Configuring VPN Authentication and Settings
Connectivity is the most valuable capability in a computer. By connecting to other computers, a computer can access other information, applications, and peripheral equipment. Businesses have long since discovered that their employees will work longer hours and greatly increase their productivity when they are able to connect to the company’s network from remote sites.
For this reason, they provide Remote Access Service (RAS) servers with VPN servers and Internet connections, and may offer dial-up networking with modems when needed. When connecting to a corporate network using VPN (or dialing up with a modem), the user can open files and folders, use applications, print to printers, and pretty much use the network just as if he or she were connected to the network through its network adapter.
When you configure a VPN connection in Windows 10, it will typically negotiate protocols with the server automatically. You can configure which protocols to use manually. Organizations need to protect the entire connection for remote users on VPN connections, including routing information for the internal network. The encryption, therefore, is performed at the network level between the two end points, namely the Windows 10 client and the device or server at the other end.
The following are standard protocols used to create a VPN connection:
• Point-to-Point Protocol (PPP): The oldest of the protocols, it uses Microsoft Point-to-Point Encryption (MPPE) to secure the connection data. It uses 128-bit keys and is considered to have weaker security than the other protocols.
• Point-to-Point Tunneling Protocol (PPTP): A protocol used to transmit private network data across a public network in a secure fashion. PPTP supports multiple networking protocols and creates a secure VPN connection.
• Layer 2 Tunneling Protocol (L2TP): Similar to PPTP, it improves security by adding support for IP Security (IPsec). Used with IPsec, it creates a secure VPN connection encrypted with either 3DES or AES, which can use up to 256-bit keys.
• Secure Socket Tunneling Protocol (SSTP): A newer tunneling protocol that uses HTTP over SSL (HTTPS) on TCP port 443 and is able to transmit traffic across firewalls and proxy servers that might block PPTP and L2TP traffic. SSTP uses Secure Sockets Layer (SSL) for transport-level security that includes enhanced key negotiation, encryption, and integrity checking.
• Internet Key Exchange Version 2 (IKEv2): A tunneling protocol that uses IPsec Tunnel Mode over UDP port 500. This combination of protocols also supports strong authentication and encryption methods.
Understanding Remote Access
When you set up a new connection or network in Windows 10, the Connect to a Workplace option allows you to set up dial-up networking connections using a modem or any other type of connection—between two different computers, between a computer and a private network, between a computer and the Internet, and from a computer through the Internet to a private network using a tunneling protocol. You can share both dial-up connections and connections configured as VPN connections using Internet Connection Sharing (ICS). All these functions and features offer different ways of connecting computers across large geographical distances.
When a computer connects to a remote access server, it performs functions nearly identical to logging on locally while connected to the network. The major difference is the method of data transport at the physical level, because the data is likely to travel across a rather slow telephone line for dial-up and some Internet connections. Another difference between a local network user and a remote access user is the way that the user’s identification is authenticated. If using Remote Authentication Dial-In User Service (RADIUS), the RADIUS server takes on the task of authenticating users and passing along their data to the directory service(s) in which the users’ accounts are listed.
Don’t confuse remote access with remote control. Remote access is the capability to connect across a dial-up or VPN link, and from that point forward, to be able to gain access to and use network files, folders, printers, and other resources identically to the way a user could do on a local network computer. Remote control, on the other hand, is the capability to connect to a computer remotely, and then, through the use of features such as Remote Desktop or Remote Assistance discussed earlier in this chapter, control the computer as if you were at the console.
Establishing VPN Connections and Authentication
We’ve already touched on VPN connections. The way a VPN works is rather interesting. The private network is connected to the Internet. One method for establishing a VPN or DirectAccess services is for an administrator to set up a VPN server or appliance that sits between the private network and the Internet (also known as dual-homed). When a remote computer connects to the Internet, whether via dial-up or other means, the remote computer can connect to the VPN server by using TCP/IP. Then the tunneling protocols encapsulate the data inside the TCP/IP packets that are sent to the VPN server. After the data is received at the VPN server, it strips off the encapsulating headers and footers and then transmits the packets to the appropriate network servers and resources.
The tunneling protocols, although similar and all supported by Windows 10 and Windows Server 2016, act somewhat differently. PPTP incorporates security for encryption and authentication in the protocol by using Microsoft Point-to-Point Encryption (MPPE). SSTP encrypts data by encapsulating PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. IKEv2 encapsulates datagrams by using IPsec ESP or AH headers. L2TP does not provide encryption on its own. Instead, you must use IPsec to secure the data.
To establish the VPN client connection on Windows 10, use the following procedure. To follow along with this exercise and to test it, you should have a client computer and a VPN server that can both connect to the Internet. These two computers should not be connected in any other way than through the Internet.
Step 1. Open the Network and Sharing Center by searching for it in the Search bar or Cortana under Settings, or by right-clicking the network icon in the Notification area and selecting Open Network and Sharing Center.
Step 2. Click Set Up a New Connection or Network.
Step 3. The Set Up a Connection or Network page shown in Figure 15-6 offers several connection options. Select Connect to a Workplace and then click Next.
Figure 15-6. Set Up a Connection or Network Dialog Box Enabling You to Connect to Several Types of Networks
Step 4. You are given the option for selecting a dial-up or a VPN connection. Click Use My Internet Connection (VPN).
Step 5. On the Connect to a Workplace page (see Figure 15-7), type the name of the organization and the Internet address (FQDN, IPv4 address, or IPv6 address). You can select to use a smart card if it is required, and if you check the Remember My Credentials box, your authentication information for the connection will be saved by Credential Manager. The Allow Other People to Use This Connection check box will configure the connection for use with Internet Connection Sharing (ICS). When you have finished with the options, click Create.
Figure 15-7. Internet Address and Destination Name of the Network You Want to Access
Step 6. Windows displays the Networks Settings pane after it creates the connection. Click the new connection and then click the Connect button that appears to start the connection.
Step 7. On the Network Authentication prompt, type the username and password you will use to access the network. If this is a domain-based network, type the domain name with the username in the box, as depicted in Figure 15-8. Click OK to connect.
Figure 15-8. Entering Authentication Credentials for Connecting to the VPN network
Step 8. To connect later to your connection, access the Action Center, click Start > Settings, and then select Network & Internet. The network status page is displayed by default, showing your current connection. To connect to your VPN connection, click the VPN menu option and then click the VPN connection to use, which displays the connection options as shown in Figure 15-9. Click the Connect button to connect to the network.
Figure 15-9. Connecting to a VPN Network Connection from the Network Settings Page
After you have set up a VPN connection, you can modify its properties if required. From the Network Connections Control Panel applet, right-click the connection and choose Properties. The connection’s Properties dialog box consists of the following tabs, each with different types of configurations:
• General: This tab enables you to specify the hostname or IP address of the destination, and whether to connect to a public network such as the Internet before attempting to set up the VPN connection.
• Options: This tab provides access to disable credential saving and a setting to determine how long to allow an idle connection before closing the network (or hanging up). The PPP Settings button enables you to use Link Control Protocol (LCP) extensions and software compression, or to negotiate multilink (use of multiple dial-up lines for increased transmission speed) for single-link connections.
• Security: As you can guess, the Security tab lets you select the type of VPN (automatic, PPTP, L2TP/IPsec, SSTP, or IKEv2) and the authentication protocols to use, including EAP (for smart cards, certificates already on this computer, or trusted root certification authorities), CHAP, MS-CHAPv2, PAP, and so on. You can also configure encryption to be optional, required, or required at maximum strength.
• Networking: This tab enables you to specify the use of TCP/IPv4 and TCP/IPv6, as well as File and Printer Sharing for Microsoft Networks, and the Client for Microsoft Networks. Click Install to install additional features, including network clients, services, and protocols. To install these features, you should have an installation disc.
• Sharing: This tab lets you configure ICS to share the connection with other computers on your local network. You can also select options to establish dial-up connections when other computers attempt to access the Internet, or allow other users on the network to control or disable a shared connection. Click Settings to configure ICS.
VPN Connection Security
As already mentioned, any of PPTP, L2TP, SSTP, or IKEv2 enables you to set up a tunneled connection from a remote location across the Internet to servers in your office network and access shared resources as though you were located on the network itself. Recall that PPTP, SSTP, and IKEv2 include built-in security for encryption and authentication, whereas L2TP does not. You must use IPsec to secure data being sent across an L2TP connection.
An issue that you should be aware of concerns the encryption levels used by client and server computers when establishing a VPN connection. If these encryption levels fail to match, you might receive an error code 741 accompanied by the message stating The Local Computer Does Not Support the Required Encryption Type or an error code 742 with the message The Remote Server Does Not Support the Required Encryption Type. This problem occurs if the server is using an encryption level different from that of your mobile computer. Older servers might be using Rivest Cipher 4 (RC4) encryption at a level of either 40 bits or 56 bits. By default, Windows Vista and later clients, including Windows 10, use 128-bit encryption. You can try modifying the encryption level on the client to resolve this:
Step 1. From the Network and Sharing Center, click Change Adapter Settings to access the Network Connections dialog box.
Step 2. Right-click the desired VPN connection and select Properties.
Step 3. On the Security tab of the VPN Connection Properties dialog box shown in Figure 15-10, select Maximum Strength Encryption (Disconnect if Server Declines) and then click OK.
Step 4. Attempt your connection again.
Figure 15-10. Security Tab of the Connection's Properties Dialog Box Enabling You to Specify the Level of Encryption Used in a VPN Connection
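As an added example that is not part of the book, the same VPN connection created with the VpnClient module cmdlets built into Windows 10, with the Security tab choices (tunnel type, authentication protocol, and the maximum-strength encryption setting from the procedure above) made explicit; the connection name and server address are placeholders.

```powershell
# Added example (not from the book): create the Connect to a Workplace
# connection from the command line with its security settings pinned
# rather than left to automatic negotiation.
$ConnName = 'Corp VPN'          # placeholder connection name
$Server   = 'vpn.example.com'   # placeholder FQDN of the VPN server

# TunnelType Ikev2 instead of Automatic, MS-CHAPv2 for the username and
# password prompt of Step 7, and EncryptionLevel Maximum, which is the
# "Maximum strength encryption (disconnect if server declines)" option
# shown in Figure 15-10. RememberCredential stores the credential in
# Credential Manager, as the Remember My Credentials check box does.
Add-VpnConnection -Name $ConnName -ServerAddress $Server `
    -TunnelType Ikev2 -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Maximum -RememberCredential -Force

# Pin the IPsec proposal for the IKEv2 tunnel to AES-256 and SHA-256 so
# the client refuses a server that only offers 3DES or SHA-1, instead of
# silently negotiating down to it.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -Force

# Review what the connection's Properties dialog would show.
Get-VpnConnection -Name $ConnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, RememberCredential

# Steps 7-8 (connect) from the command line. The first time, supply the
# username and password as extra arguments; afterwards the saved
# credential is used:  rasdial $ConnName DOMAIN\user
rasdial $ConnName
```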
Enabling VPN Reconnect
First introduced in Windows 7 is the VPN Reconnect feature, which utilizes IKEv2 technology to automatically reestablish a VPN connection when a user has temporarily lost her Internet connection. This avoids the need to manually reconnect to the VPN and possibly having to restart a download. VPN Reconnect can reestablish a connection as long as eight hours after the connection was lost. A user could be connected to an airport Wi-Fi connection when his flight is called for boarding; when he lands at his destination, he can reconnect and finish his download.
Use the following procedure to set up VPN Reconnect:
Step 1. Access the Security tab of the connection's Properties dialog box as previously shown in Figure 15-10.
Step 2. Click the Advanced Settings button.
Step 3. In the Advanced Properties dialog box shown in Figure 15-11, click the IKEv2 tab and ensure that Mobility is selected, and then select a value (30 minutes by default) in the Network Outage Time dialog box.
Step 4. Click OK, and click OK again to close the connection's Properties dialog box.
Figure 15-11. Choosing a Reconnection Time of Up to Eight Hours from the Advanced Properties Dialog Box
App-Triggered VPN, Traffic Filters, and Lockdown VPN
You have seen how to set up and configure VPN connections on Windows 10 computers and devices. The interfaces you used work with the underlying Windows VPN platform. Many users of enterprise VPN solutions may also use third-party VPN clients that administrators distribute to their users or preconfigure on their devices. For the 70-698 exam, and in order to support VPNs as a technology professional, you need to be familiar with VPN technologies and the features and functions available on Windows 10 for managing VPN connections and ensuring security.
Windows 10 includes a built-in VPN plug-in for managing VPN connections, which you learned about previously in this chapter for setting up a VPN connection. It also includes a UWP VPN plug-in platform, which you have seen at work previously in Figure 15-8 and Figure 15-9. These plug-ins are built on top of the Windows VPN platform. In this section you learn more about the VPN platform clients and some additional features that you can configure.
Table 15-4 summarizes some of the general aspects and capabilities of VPN technologies used on Windows 10. The built-in plug-in and the UWP VPN plug-in platform are both built on top of the Windows VPN platform.
Table 15-4. VPN Platforms for Windows 10 Computers

Characteristics | Built-in Plug-in | UWP VPN Plug-in Platform | Third-Party Win32 App
Description | Uses desktop Windows and control panel applets for management and configuration. | Based on UWP APIs. Third parties can create app-containerized plug-ins. | Win32 NDIS kernel.
Protocols | Native protocols: L2TP, PPTP, SSTP, IKEv2. | Native protocols: L2TP, PPTP, IKEv2. | May use native protocols or third-party or proprietary protocols.
Platform | Windows 10 desktop or laptop computer. | Available on all Windows 10 devices. | Only for desktop.
Features | All Windows 10 VPN features. | All Windows 10 VPN features. | Does not take advantage of new VPN features.
App-Triggered VPN
There are a number of new features in Windows 10 to auto-trigger VPN.
With auto-triggered VPN, users do not have to manually connect when VPN is needed to access organizational resources. There are three types of auto-trigger rules:
• App trigger: You can configure VPN profiles in Windows 10 to connect to VPN automatically whenever one of the apps you specify is launched. Desktop or UWP apps can be configured to automatically trigger a VPN connection.
• Name-based trigger: You can configure a name-based rule so that if a request for a resource using a specific domain name is detected, it triggers a VPN connection.
• Always on: If you configure a VPN connection as Always On, the VPN profile will make a connection based on any of three events: user sign-in, a network change, or the device screen is turned on or activated.
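As an added example that is not part of the book, the app trigger and name-based trigger rules, plus trusted network detection, applied to an existing connection with the VpnClient module cmdlets in Windows 10; the connection name, application identifiers, DNS suffix and DNS server address are placeholders, and the Always On rule is left out because it is not set through these cmdlets.

```powershell
# Added example (not from the book): attach auto-trigger rules to a VPN
# connection that already exists (for example, one created with
# Add-VpnConnection). Connection name and identifiers are placeholders.
$ConnName = 'Corp VPN'

# App trigger: launching either a desktop app (given by its full path) or
# a UWP app (given by its package family name) dials the VPN.
Add-VpnConnectionTriggerApplication -Name $ConnName `
    -ApplicationID 'C:\Program Files\Contoso\LineOfBusiness.exe',
                   'Contoso.ExpenseApp_8wekyb3d8bbwe' -Force

# Name-based trigger: a request for any name under the suffix brings the
# VPN up, and once connected those names are resolved by the internal DNS
# server listed here (placeholder address) instead of the ISP resolver.
Add-VpnConnectionTriggerDnsConfiguration -Name $ConnName `
    -DnsSuffix 'corp.example.com' -DnsIPAddress '10.10.0.53' -Force

# Trusted network detection: when the connection-specific DNS suffix the
# device received from DHCP matches, the device is already on the
# corporate network and none of the triggers above will start the VPN.
Add-VpnConnectionTriggerTrustedNetwork -Name $ConnName `
    -DnsSuffix 'corp.example.com' -Force

# Review the resulting trigger set for the connection.
Get-VpnConnectionTrigger -ConnectionName $ConnName
```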
For any of these trigger types, you can also configure the trusted network detection feature, which will tell the VPN profile not to connect if the device is already on a trusted network. Using the combination of a VPN trigger and