3.1.6  RAS (Remote Access Server)

RAS, an acronym for “Remote Access System” or “Remote Access Services”, authenticates users connecting to a network and then allows them access to the network. In most corporate networks, it refers to the RAS function available in Windows, though it can also apply to any technology allowing remote access to a system. Other possibilities include PPP dial-in servers on Linux and UNIX machines, remote access packages like PC Anywhere, and network services that allow remote access to a computer’s desktop from across the Internet, such as WebEx or GoToMyPC.

How does RAS work on Windows? One or more Windows computers (or boxes implementing the same protocols) can be set up as “RAS servers” which accept modem connections via incoming telephone lines.

Any user with a modem and the correct authentication information can access your RAS network, so you might want to consider additional levels of security such as utilizing the callback feature (in your modem, or in RAS itself), as mentioned in section 3.1.5. Typical RAS servers allow controlling access by user ID, time of day, and other factors. You can also set parameters such as the maximum number of incorrect logins per day per user ID (after which, that user will be locked out until the administrator resets their account). RAS can use a variety of communication protocols, some of which offer encryption. If you are using the most recent versions of Windows (Windows 2000 SP2 or higher), you can configure your RAS server to require that connections use strong 128-bit encryption [278] in order to minimize the chances of data sniffing or man-in-the-middle attacks.

Since RAS gives users access to the corporate LAN as if they were another local user, you might worry that your entire network is wide open to any RAS users, but this is not entirely true. One interesting feature of RAS is that you can block certain protocol families from use over RAS. For example, if there are certain applications you want to be run ONLY by users who are physically in the office, you might design them to run under a protocol that you don’t pass through RAS, such as IPX.

RAS can use a variety of authentication techniques during user login, including Password Authentication Protocol (PAP), Shiva PAP (SPAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP (MS-CHAP).

Of these, CHAP and MS-CHAP are more secure than PAP and SPAP, because the challenge approach does not require an encrypted (SPAP) or unencrypted (PAP) password to be sent over the wire from client to server. The benefits of the challenge approach are covered in more detail in the section on CHAP. Also, Windows 2000 and later versions support EAP, the Extensible Authentication Protocol, which is an extension to PPP that enables the use of third-party modules to authenticate RAS users. For instance, smart cards, Kerberos or S/Key mechanisms can authenticate users, if the appropriate module is installed and configured.
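An added example, not part of the CertiGuide text, illustrating the challenge approach described above: a Python model of one CHAP exchange as specified in RFC 1994 (the response value is MD5 over the packet identifier, the shared secret and the challenge value), with the contents of a PAP request beside it for contrast. The server class, user name and secret are constructed for the example. Note the caveat the model makes visible: the authenticator must hold the shared secret itself (not a hash of it) to recompute the response, and it consumes each challenge after a single answer so that a response captured off the wire cannot be replayed against a later challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value per RFC 1994: MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_on_the_wire(name: bytes, password: bytes) -> bytes:
    """What a PAP Authenticate-Request carries: the password itself, in clear."""
    return name + b":" + password


class ChapServer:
    """Authenticator side (constructed for this example). Holds the shared
    secrets in clear, as CHAP requires, plus the challenges still outstanding."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # user name -> shared secret
        self.pending = {}              # identifier -> challenge value

    def challenge(self, identifier=None):
        """Issue a fresh, unpredictable challenge under the given identifier."""
        if identifier is None:
            identifier = os.urandom(1)[0]
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        """Check a response; each challenge may be answered exactly once."""
        value = self.pending.pop(identifier, None)
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


def chap_exchange(server, name, secret, identifier=None):
    """Run one CHAP exchange; return (authenticated?, what a sniffer on the line sees)."""
    ident, value = server.challenge(identifier)
    resp = chap_response(ident, secret, value)     # peer computes from its own secret
    ok = server.verify(ident, name, resp)
    return ok, {"identifier": ident, "challenge": value, "response": resp}


if __name__ == "__main__":
    srv = ChapServer({"alice": b"correct horse"})
    ok, seen = chap_exchange(srv, "alice", b"correct horse")
    print("authenticated:", ok)
    print("on the wire (CHAP):", seen["challenge"].hex(), seen["response"].hex())
    print("on the wire (PAP): ", pap_on_the_wire(b"alice", b"correct horse"))
```

The sniffer's view of a CHAP login is a random challenge and a 16-byte digest; the PAP view is the password. A replayed digest fails because the next challenge differs, which is the property the text refers to as the benefit of the challenge approach.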

A handy feature of most RAS servers is that they can be configured to log incoming connections, giving you a record of when your network was accessed and by whom. If suddenly someone who never accesses the network via RAS hits it four times in the middle of the night, you might want to verify with that user that they did indeed call in, to make sure that an outsider didn’t just guess their password and log in with false credentials.


RAS, or Remote Access Services, authenticates users connecting to a remote network (via dial-up or the Internet) and allows them access to network resources.

It can use many different types of authentication. If using a standard user/password authentication method, CHAP and MS-CHAP are more secure options than PAP and SPAP.

Because a RAS login can be attempted by anyone who knows the phone number (in the case of a dial-in server) or remote desktop IP address (in the case of a remote desktop accessible via the net), make sure that you log all login attempts and if possible, lock out accounts after a small number of unsuccessful attempts.
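An added example, not from the guide, covering the logging advice in the paragraph above and in the earlier discussion of per-day login limits: a Python script over a constructed set of RAS-style connection log lines (the line format is invented for this example, not the Windows RAS log format) that locks out a user ID after a fixed number of failed logins per calendar day, and flags successful off-hours logins by users who are not on a baseline list of known RAS users. It generalizes the "four times in the middle of the night" case to any user outside that baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of RAS-style connection log lines (not real log output).
SAMPLE_LOG = """\
2004-11-14 09:02:11 RAS port=COM3 user=alice callerid=5550100 result=SUCCESS
2004-11-14 09:15:40 RAS port=COM4 user=bob callerid=5550101 result=FAILURE
2004-11-14 09:16:02 RAS port=COM4 user=bob callerid=5550101 result=SUCCESS
2004-11-14 23:41:17 RAS port=COM3 user=carol callerid=5550199 result=FAILURE
2004-11-14 23:42:05 RAS port=COM3 user=carol callerid=5550199 result=FAILURE
2004-11-14 23:42:58 RAS port=COM3 user=carol callerid=5550199 result=FAILURE
2004-11-15 02:13:05 RAS port=COM3 user=carol callerid=5550199 result=SUCCESS
2004-11-15 02:20:44 RAS port=COM3 user=carol callerid=5550199 result=SUCCESS
2004-11-15 03:01:19 RAS port=COM3 user=carol callerid=5550199 result=SUCCESS
2004-11-15 03:30:00 RAS port=COM3 user=carol callerid=5550199 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) RAS port=(?P<port>\S+) user=(?P<user>\S+) "
    r"callerid=(?P<callerid>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def lockouts(events, max_failures=3):
    """User IDs that reached the failure limit on some day (counts reset daily)."""
    failures = Counter()
    locked = set()
    for e in events:
        if e["result"] != "FAILURE":
            continue
        key = (e["user"], e["ts"].date())
        failures[key] += 1
        if failures[key] >= max_failures:
            locked.add(e["user"])
    return locked


def off_hours_logins(events, known_ras_users, start_hour=22, end_hour=6):
    """Count successful logins between start_hour and end_hour by users who
    are not on the baseline of known RAS users; these are worth confirming
    with the user, as the guide suggests."""
    suspicious = defaultdict(int)
    for e in events:
        hour = e["ts"].hour
        off_hours = hour >= start_hour or hour < end_hour
        if e["result"] == "SUCCESS" and off_hours and e["user"] not in known_ras_users:
            suspicious[e["user"]] += 1
    return dict(suspicious)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("lock out:", lockouts(evts))
    print("verify with user:", off_hours_logins(evts, {"alice", "bob"}))
```

Against the sample, carol is locked out after three failures on the 14th, and her four successful logins in the early hours of the 15th are flagged because she is not on the baseline; alice and bob, who log in during the day, are not.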




278. Worsham, Michael, “Beef up RAS security,”,289483,sid20_gci788334,00.html, Dec 21, 2001.


CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.