IAS Best Practices
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This topic provides best practices for implementing and configuring IAS and is based on recommendations from Microsoft Product Support Services.
Installation suggestions
Before installing IAS, do the following:
Install and test each of your access servers using local authentication methods before making them RADIUS clients.
After you install and configure IAS, save the configuration by using the netsh aaaa show config > path\file.txt command. For more information, see Netsh commands for AAAA. Save the IAS configuration with the netsh aaaa show config > path\file.txt command each time a change is made.
Do not install Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition on the same partition as Windows 2000. These operating systems use common files in the systemroot\Program Files folder to access the IAS database. If you decide to install Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition on the same partition as Windows 2000, IAS in Windows 2000 can no longer access remote access policies or remote access logging.
Do not configure a server running IAS or Routing and Remote Access and Windows Server 2003 as a member of a Windows NT Server 4.0 domain if your user accounts database is stored on a Windows Server 2003 domain controller in another domain. Doing this will cause Lightweight Directory Access Protocol (LDAP) queries from the IAS server to the Windows Server 2003 domain controller to fail.
Instead, configure your server running IAS or Routing and Remote Access and Windows Server 2003 as a member of a Windows Server 2003 domain. Alternately, you can configure a server running IAS and Windows Server 2003 as a proxy server that forwards authentication and accounting requests to another server running IAS and Windows Server 2003 that can access the user accounts database on the Windows Server 2003 domain controller. For more information, see Deploying IAS as a RADIUS Proxy.
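The following PowerShell script is an added example, not part of the original article or of IAS itself. It wraps the article's netsh aaaa show config command so that the export can be scheduled: the current configuration is exported, hashed, and compared with the most recent saved copy, and a new timestamped copy is kept only when the configuration has actually changed. The backup directory name is an assumption you should replace with your own.

```powershell
# Added example (not from the original article): export the IAS configuration with
# netsh and keep a timestamped copy whenever it differs from the last saved export.
# Assumptions: runs on the IAS server itself; $BackupDir is a location you choose.
param(
    [string]$BackupDir = 'C:\IASBackup'   # assumed location, adjust as needed
)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# The article's own command; the output is the full AAAA configuration as text.
$current = Join-Path $BackupDir 'current.txt'
netsh aaaa show config | Out-File -FilePath $current -Encoding ASCII
if ($LASTEXITCODE -ne 0) { throw "netsh aaaa show config failed; nothing saved." }

# SHA-256 of a file, used to tell whether the configuration changed since the last export.
function Get-FileSha256([string]$Path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
}

# Most recent timestamped export, if one exists.
$previous = Get-ChildItem -Path $BackupDir -Filter 'iasconfig-*.txt' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

if ($previous -and ((Get-FileSha256 $previous.FullName) -eq (Get-FileSha256 $current))) {
    Write-Host "IAS configuration unchanged since $($previous.Name)."
} else {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupDir "iasconfig-$stamp.txt"
    Copy-Item -Path $current -Destination $dest
    Write-Host "IAS configuration changed; new export saved as $dest."
}
```

Because the export describes your RADIUS clients and policies, keep the backup directory readable only by administrators and include it in the regular backups the Logging section recommends.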
Security issues
When you are administering an IAS server remotely, do not send sensitive or confidential data (for example shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of IAS servers:
Use Terminal Services to access the IAS server.
When you use Terminal Services, data is not sent between client and server. Only the user interface of the server (for example, the operating system desktop and IAS console image) is sent to the Terminal Services client, which is named Remote Desktop Connection in Windows XP. The client sends keyboard and mouse input, which is processed locally by the server that has Terminal Services enabled. When Terminal Services users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, Remote Desktop Connection provides 128-bit encryption between client and server. For more information, see Terminal Services.
Use IPSec to encrypt confidential data.
You can use IPSec to encrypt communication between the IAS server and the remote client computer that is being used to administer it. In order to administer the server remotely, the Windows Server 2003 Administration Tools Pack must be installed on the client computer, and the IAS snap-in must be added to the Microsoft Management Console (MMC). For more information, see IPSec Policy Rules.
Your IAS server provides authentication, authorization, and accounting for connection attempts to your organization network. You can protect your IAS server and RADIUS messages from unwanted internal and external intrusion. For more information about how to secure your IAS server, see Securing IAS.
For additional information about securing RADIUS traffic when IAS is used as a RADIUS server, see IAS as a RADIUS server security considerations. For additional information about securing RADIUS traffic when IAS is used as a RADIUS proxy, see IAS as a RADIUS proxy security considerations.
Use the Runas command to administer local IAS servers
You can use the Runas command to perform administrative tasks when you are logged on as a member of a group that does not have the required administrative credentials (such as the Users group or the Power Users group). Logging on to your server without administrative credentials is recommended because it protects the computer from a variety of possible security attacks, such as the accidental installation of a computer virus.
Logging
There are two types of logging in IAS:
Event logging for IAS You can use event logging to record IAS events in the system event log. This is used primarily for auditing and troubleshooting connection attempts.
Logging user authentication and accounting requests You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down the activity of an attacker.
To make the most effective use of IAS logging:
Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.
Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.
Back up all log files on a regular basis, since they cannot be recreated when they are damaged or deleted.
Use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage.
To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers. For more information, see SQL Server 2000 documentation.
You can use the Iasparse.exe tool in the \Support\Tools folder on the Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition compact disc to view IAS logs.
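The script below is an added example and is not part of the original article; it illustrates the Class attribute advice above by removing duplicate accounting records before usage is totalled. The log content is constructed for the example and uses a simplified, comma-separated column set rather than the exact IAS log layout; the Class values are opaque placeholders. A record is treated as a retransmission when its Class and Acct-Status-Type both match an earlier record, so a session's Start and Stop records are both kept (using Acct-Status-Type in the key is this example's assumption, not something the article states).

```powershell
# Added example (not from the original article): drop duplicate IAS accounting
# records by RADIUS Class attribute, then total session time per user.
# The log lines are constructed sample data with a simplified column set.
# Packet-Type 4 = Accounting-Request; Acct-Status-Type 1 = Start, 2 = Stop.
$sampleLog = @'
ComputerName,ServiceName,Record-Date,Record-Time,Packet-Type,User-Name,NAS-IP-Address,Acct-Status-Type,Acct-Session-Time,Class
IAS01,IAS,03/15/2007,09:15:02,4,EXAMPLE\alice,10.0.0.5,1,0,CLS-0001
IAS01,IAS,03/15/2007,09:15:07,4,EXAMPLE\alice,10.0.0.5,1,0,CLS-0001
IAS01,IAS,03/15/2007,09:20:41,4,EXAMPLE\bob,10.0.0.5,1,0,CLS-0002
IAS01,IAS,03/15/2007,10:02:13,4,EXAMPLE\alice,10.0.0.5,2,2831,CLS-0001
IAS01,IAS,03/15/2007,10:02:18,4,EXAMPLE\alice,10.0.0.5,2,2831,CLS-0001
IAS01,IAS,03/15/2007,10:45:09,4,EXAMPLE\bob,10.0.0.5,2,5068,CLS-0002
'@

$records = $sampleLog | ConvertFrom-Csv
$statusName = @{ '1' = 'Start'; '2' = 'Stop' }

# First occurrence of each (Class, Acct-Status-Type) pair wins; later ones are
# the resent requests the article describes.
$seen   = @{}
$unique = @()
$dups   = @()
foreach ($r in $records) {
    $key = '{0}|{1}' -f $r.Class, $r.'Acct-Status-Type'
    if ($seen.ContainsKey($key)) {
        $dups += $r
    } else {
        $seen[$key] = $true
        $unique += $r
    }
}

Write-Host ('{0} records read, {1} unique, {2} duplicate(s) dropped' -f $records.Count, $unique.Count, $dups.Count)
foreach ($d in $dups) {
    Write-Host ('  duplicate {0} record for {1} (Class {2}) at {3} {4}' -f `
        $statusName[$d.'Acct-Status-Type'], $d.'User-Name', $d.Class, $d.'Record-Date', $d.'Record-Time')
}

# Usage per user from the deduplicated Stop records (Acct-Session-Time is in seconds).
$unique | Where-Object { $_.'Acct-Status-Type' -eq '2' } |
    Group-Object 'User-Name' |
    ForEach-Object {
        $secs = ($_.Group | Measure-Object -Property 'Acct-Session-Time' -Sum).Sum
        '{0}: {1} session(s), {2} s total' -f $_.Name, $_.Count, $secs
    }
```

With the constructed data, two of the six records are dropped and the totals come out to one session of 2831 seconds for alice and one of 5068 seconds for bob; without the deduplication step alice would be billed twice. To run it against a real log, replace $sampleLog with Get-Content of the log file and adjust the header to the column layout your logging format produces.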
For more information, see Remote Access Logging.
Performance-tuning IAS
To optimize IAS authentication and authorization response times and minimize network traffic, install IAS on a domain controller.
When user principal names (UPNs) or Windows Server 2003 domains are used, IAS uses the global catalog to authenticate users. To minimize the time it takes to do this, install IAS on either a global catalog server or a server that is on the same subnet. For more information, see The role of the global catalog. For more information about domain functionality, see Domain and forest functionality.
When you have remote RADIUS server groups configured and, in IAS Connection Request Policies, you clear the Record accounting information on the servers in the following remote RADIUS server group check box, these groups are still sent network access server (NAS) start and stop notification messages. This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group by clearing the Forward network start and stop notifications to this server check box. For more information, see Configure the authentication and accounting settings of a group member and Configure accounting.
Using IAS in large organizations
If you are using remote access policies to restrict access for all but certain groups, create a universal group for all of the users for whom you want to allow access, and then create a remote access policy that grants access for this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and add users to those groups. For more information about universal groups, see Group scope. For more information about restricting or granting access to a group, see Allow dial-up connection using group membership.
Use a user principal name to refer to users whenever possible. A user can have the same user principal name regardless of domain membership. This practice provides scalability that might be required in organizations with a large number of domains.
If the IAS server is on a computer other than a domain controller and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between the IAS server and the domain controller.
To do this, edit the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Add a new value named MaxConcurrentApi and assign to it a value from 2 through 5.
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Notes
If you assign a value to MaxConcurrentApi that is too high, your IAS server might place an excessive load on your domain controller.
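The PowerShell script below is an added example, not part of the original article, that carries out the MaxConcurrentApi change while honouring the Caution and Note above: it exports the Netlogon Parameters key to a .reg file before touching it, rejects any value outside the 2 through 5 range the article gives, records the previous value, and reads the new value back to confirm it. The backup file location is an assumption; the DWORD type of the value and the use of reg.exe for the export are standard Windows behaviour rather than something stated on this page.

```powershell
# Added example (not from the original article): set Netlogon's MaxConcurrentApi to a
# value in the article's recommended 2..5 range, backing up the registry key first.
# Assumptions: run in an elevated PowerShell session on the IAS server; $BackupFile
# is a location of your choosing.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(2, 5)]            # values above 5 risk overloading the domain controller
    [int]$Value,
    [string]$BackupFile = "$env:TEMP\netlogon-parameters-backup.reg"  # assumed location
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$regKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Back up the key before changing it (the article's Caution). /y overwrites an old backup.
reg.exe export $regKey $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; MaxConcurrentApi left unchanged.' }

# Record the current value, if any, so the change is auditable.
$existing = (Get-ItemProperty -Path $keyPath -Name MaxConcurrentApi -ErrorAction SilentlyContinue).MaxConcurrentApi
if ($null -eq $existing) {
    Write-Host 'MaxConcurrentApi is not set (Netlogon default in use); creating it.'
    New-ItemProperty -Path $keyPath -Name MaxConcurrentApi -PropertyType DWord -Value $Value | Out-Null
} else {
    Write-Host "MaxConcurrentApi is currently $existing; updating it."
    Set-ItemProperty -Path $keyPath -Name MaxConcurrentApi -Value $Value
}

# Read the value back and fail loudly if it did not take.
$now = (Get-ItemProperty -Path $keyPath -Name MaxConcurrentApi).MaxConcurrentApi
if ($now -ne $Value) { throw "Verification failed: MaxConcurrentApi is $now, expected $Value." }
Write-Host "MaxConcurrentApi set to $now. Backup of the key: $BackupFile"
```

Run it as .\Set-MaxConcurrentApi.ps1 -Value 3 (the script name is your choice). If the domain controller's load rises after the change, restore the exported .reg file with reg.exe import or lower the value again.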
To effectively balance the load of either a large number of authorizations or a large volume of RADIUS authentication traffic (such as a large wireless implementation using certificate-based authentication), install IAS as a RADIUS server on all of your domain controllers. Next, configure two or more IAS proxies to forward the authentication requests between the access servers and the RADIUS servers. Next, configure your access servers to use the IAS proxies as RADIUS servers. For more information, see Using IAS proxy for load balancing.
You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.