How to secure the server running RRAS role after doing upgrade or fresh install of Windows server 2008
As you know, in Windows Server 2008 (WS08) we have removed the “Basic Firewall” functionality in RRAS which existed in Windows Server 2003 (WS03).
This leads to the following security implications, which you should carefully consider when configuring RRAS on WS08:
1) If you were running WS03 enabled for RRAS as a VPN server with inbound/outbound filters and you upgrade to WS08, after the upgrade:
a. You don’t need to do anything extra in terms of RRAS inbound/outbound filter configuration (i.e. all your RRAS inbound/outbound filter settings are migrated from WS03 to WS08).
b. WS08 will have Windows Firewall turned on. Now you have two packet filtering engines enabled (RRAS inbound/outbound filters AND Windows Firewall). Read  to understand the differences between the two and in which scenario to use which one.
2) If you were running WS03 enabled for RRAS as a NAT router with “Basic Firewall” and you upgrade to WS08, after the upgrade:
a. Manually turn on Windows Firewall (Note: this is required because in WS03, Windows Firewall was turned off when RRAS was enabled with Basic Firewall, and Basic Firewall is removed in WS08). Open Windows Firewall by clicking Start->Control Panel->Windows Firewall->Change Settings. Click “On”.
b. Validate all the “exemptions” that are added inside Windows Firewall. As Windows Firewall settings are global to the machine, all the ports that are opened as exemptions will be reachable from the public as well as the private NICs of RRAS.
In the case of RRAS, the following ports are opened to allow traffic from remote access users using different forms of VPN tunnels:
TCP Port 1723: PPTP control traffic
IP Protocol 47: PPTP data (GRE) traffic
UDP Port 1701: L2TP traffic
UDP Ports 500 and 4500: L2TP/IPSec IKE traffic
IP Protocol 50: L2TP/IPSec data (ESP) traffic
TCP Port 443: SSTP control and data traffic
Additionally, the following ports are opened to allow remote manageability of VPN servers:
TCP Port 135: RPC Endpoint mapper service
Dynamic RPC port: Dynamic ports opened by RPC service for DCOM traffic
c. If you would like to block ports from the public side (let us say the remote manageability ports), you can do so in “Windows Firewall with Advanced Security”.
1) Click Start->Administrative Tools->Windows Firewall with Advanced Security.
2) Go under Inbound Rules. Search for the two rules with names starting with “Routing and remote access remote management”. View the properties of the rules.
3) Add two new rules by clicking “New Rule” under the Action tab. Give each new rule the same properties as the “Routing and remote access remote management” rules, but with “Local Address” set to the public NIC IP address AND the action set to “Block the connections” (i.e. block remote manageability on the RRAS public NIC’s address).
OR, alternatively, disable both rules with names starting “Routing and remote access remote management” and create new rules with properties similar to the disabled rules, additionally setting the local address to the IP address of the private NIC and the remote address to the specific subnet from which remote manageability requests are to be accepted.
4) Repeat steps 2 and 3 for Outbound Rules.
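The review in step 2b and the rule changes in step 2c can also be done from the command line. The script below is an added example written for this post; it is not part of the original text or of any Microsoft guidance. It drives the same rule store as the “Windows Firewall with Advanced Security” MMC through the netsh advfirewall command that ships with WS08, run from an elevated PowerShell prompt. The IP addresses, the management subnet and the rule-name placeholders are assumptions to be replaced with the server’s real values, and the outbound service-based rule assumes that the RRAS remote management endpoints are hosted by the RemoteAccess service inside svchost.exe.

```powershell
# Added example (not from the original post): review Windows Firewall exemptions
# and restrict RRAS remote manageability to the private side on Windows Server 2008.
# All addresses below are constructed placeholders; replace them before running.
$PublicNicIp  = '203.0.113.10'     # placeholder: address of the Internet-facing NIC
$PrivateNicIp = '192.168.10.1'     # placeholder: address of the internal NIC
$MgmtSubnet   = '192.168.10.0/24'  # placeholder: subnet allowed to manage RRAS

# Step 2b: list the enabled inbound exemptions so they can be checked against the
# port list in the post (1723/TCP, GRE, 1701/UDP, 500+4500/UDP, ESP, 443/TCP,
# 135/TCP and dynamic RPC). Only the fields needed for that review are shown.
function Show-InboundExemptions {
    netsh advfirewall firewall show rule name=all dir=in |
        Select-String -Pattern '^(Rule Name|Enabled|Protocol|LocalIP|LocalPort):'
}

# Step 2c, first variant: block remote manageability on the public NIC only.
# netsh accepts the symbolic local ports RPC-EPMap (TCP 135) and RPC (the dynamic
# DCOM range) for inbound TCP rules, so no fixed dynamic port range has to be guessed.
function Block-RrasManagementOnPublicNic {
    netsh advfirewall firewall add rule name="RRAS mgmt block (EPMAP) - public NIC in" `
        dir=in action=block protocol=TCP localport=RPC-EPMap localip=$PublicNicIp profile=any
    netsh advfirewall firewall add rule name="RRAS mgmt block (RPC dynamic) - public NIC in" `
        dir=in action=block protocol=TCP localport=RPC localip=$PublicNicIp profile=any

    # Step 4 (outbound): the RPC-EPMap/RPC symbolic ports are inbound-only in netsh,
    # so the outbound rules block the endpoint mapper's own port and, as an
    # assumption, TCP sent by the RemoteAccess service (hosted in svchost.exe) from
    # the public address. Replies to already-allowed inbound connections are still
    # matched statefully, so the VPN tunnel traffic itself is not affected.
    netsh advfirewall firewall add rule name="RRAS mgmt block (EPMAP) - public NIC out" `
        dir=out action=block protocol=TCP localport=135 localip=$PublicNicIp profile=any
    netsh advfirewall firewall add rule name="RRAS mgmt block (RemoteAccess svc) - public NIC out" `
        dir=out action=block protocol=TCP localip=$PublicNicIp profile=any `
        program="%SystemRoot%\system32\svchost.exe" service=RemoteAccess
}

# Step 2c, alternate variant: disable the built-in management rules and replace
# them with allow rules bound to the private NIC and the management subnet.
# $MgmtRuleNames is a placeholder list: fill it with the exact names found in
# step 2 of the post, because netsh matches rule names literally.
function Restrict-RrasManagementToPrivateNic {
    $MgmtRuleNames = @('<first Routing and remote access remote management rule>',
                       '<second Routing and remote access remote management rule>')
    foreach ($n in $MgmtRuleNames) {
        netsh advfirewall firewall set rule name="$n" dir=in new enable=no
    }
    netsh advfirewall firewall add rule name="RRAS mgmt allow (EPMAP) - private NIC" `
        dir=in action=allow protocol=TCP localport=RPC-EPMap `
        localip=$PrivateNicIp remoteip=$MgmtSubnet profile=any
    netsh advfirewall firewall add rule name="RRAS mgmt allow (RPC dynamic) - private NIC" `
        dir=in action=allow protocol=TCP localport=RPC `
        localip=$PrivateNicIp remoteip=$MgmtSubnet profile=any
}

# Review first, then apply ONE of the two variants (they are alternatives, not a set).
Show-InboundExemptions
Block-RrasManagementOnPublicNic
# Restrict-RrasManagementToPrivateNic
```

After applying either variant, run Show-InboundExemptions again and confirm that the new rules are listed with Enabled: Yes and the expected LocalIP, and that the VPN rules for TCP 1723, GRE, UDP 1701, UDP 500/4500, ESP and TCP 443 are still enabled.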
3) If you do a fresh install of WS08, install the RRAS role via Server Manager and configure the RRAS role:
a. If you have configured the RRAS wizard with inbound/outbound filters that drop all traffic except VPN traffic, you don’t need to do anything extra (because RRAS opens only VPN traffic on the public interface, which is required anyway for the VPN server role).
b. If you have configured RRAS without inbound/outbound filters (let us say enabled for the NAT scenario, since inbound/outbound filters don’t co-exist with NAT), you need to follow steps 2b) and 2c) as given above.
For any queries, feel free to write to us at the email address given above.
Senior Program Manager
Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]