Securing RAS Servers
The Remote Access Service (RAS) lets a user connect over a dial-up telephone line and use resources, such as a printer, at a remote location. Because these connections are made through unsecured telephone lines, many potential security breaches exist. This is particularly true if RAS is provided by a server that is not otherwise protected. A number of actions can be taken to protect the domain from potential RAS abuses, including these:
RAS connections should allow only dial-in accounts to access the RAS server.
The RAS server should have its own domain, and maintain separate user accounts.
There should be a one-way trust between the rest of the network and the RAS server. (Users can put data on the RAS server for remote access, but the server is buffered from the rest of the network.)
Strong passwords should be enforced for RAS accounts.