Understanding the Windows NT Remote Access Service

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By Brien M. Posey, MCSE for TechRepublic.com


Imagine it's 3:00 A.M. and you're sound asleep. All of a sudden, you're startled by a loud noise. The alarm already? No, it's the phone. You answer the phone expecting the inevitable bad news that one would expect when the phone rings at 3:00 A.M. It's your office; something has gone horribly wrong with your network. They want you to come in and fix it. Half asleep, you stagger outside into the cold and begin the 45-minute drive to the office, all the while wishing that you were still in bed asleep.

If you've been a network administrator for any length of time, this nightmare probably sounds all too familiar. As companies become more dependent on their computer systems, the network administrator loses freedom. That 3:00 A.M. problem simply can't wait until 9:00 A.M. anymore.

Although everyone knows that a network could crash at any given time, this situation doesn't have to be quite so terrible. If you have Microsoft® Windows NT® Remote Access Service (RAS) loaded on your network, you can diagnose and possibly fix the problem from the comfort of your own home and then go back to bed. Think of that hour and a half round trip drive that you wouldn't have to make if the problem turned out to be something simple.

In this article, I'll explain the concept behind RAS. I'll also describe how to install RAS on your server and how to configure RAS on the workstation end.

On This Page

What is RAS?
Installing RAS
Configuring the RAS Server
RAS Security
Managing a RAS Server
Other RAS Tools
Configuring the RAS Client on Windows NT Workstation
Configuring the RAS Client on Windows 98

What is RAS?

As the name implies, Remote Access Service enables you to log on to your network via a dial-up connection. Once you're logged on, you can do anything that you could do if you were logged on to a computer that's physically attached to the network. This includes tasks such as running User Manager, Server Manager, or Event Viewer. Unless you need physical access to the server for some reason (such as inserting a floppy disk), you can accomplish anything with RAS that you could if you were physically at the server.

Installing RAS

To install RAS, your server must have a modem, and it must be correctly configured. Once your modem is functional, open Control Panel and double-click the Network icon. When you see the Network properties sheet, go to the Services tab and click Add. When you do, you'll see the Select Network Service dialog box. Select Remote Access Service from the Network Service pane and click OK.

Windows will now ask for the location of your Windows NT installation CD. Insert the CD, specify the correct path, and click OK. Windows NT will copy the necessary files. When the files have finished copying, you'll see a dialog box similar to the one shown in Figure A, which asks which communications device RAS should use.


Figure A: The Add RAS Device dialog box asks which communications device RAS should use.

Select your modem from the drop-down list box and click OK. When you do, the communications device that you selected will appear in the Remote Access Setup dialog box, as shown in Figure B.


Figure B: The Remote Access Setup dialog box lets you configure the RAS service.

Configuring the RAS Server

The next step is to configure the intended use for RAS. To do so, click Configure. When you do, you'll see the Configure Port Usage dialog box. As you can see in Figure C, by default the port is set to Receive Calls Only. Unless you plan to use RAS for a different purpose than I've described, stick with the default option, and click OK.


Figure C: The Configure Port Usage dialog box enables you to control how RAS may be used.

Once you've set RAS to accept incoming calls, you must decide how RAS will work with your network. To do so, click Network. When you do, you'll see the Network Configuration dialog box, as shown in Figure D.

Figure D: The Network Configuration dialog box enables you to determine how RAS will interact with the network.

Figure D: The Network Configuration dialog box enables you to determine how RAS will interact with the network.

Notice that the Dial Out Protocols section is unavailable. If you decide to enable dial-out sessions later, you'll have to return to this dialog box and select a protocol.

By default, TCP/IP is the protocol of choice for inbound clients. This is usually a good choice since it's the protocol of the Internet and practically everyone uses it. To use TCP/IP, select the TCP/IP check box and click Configure.

When you do, you'll see the RAS Server TCP/IP Configuration dialog box, shown in Figure E. The Allow Remote TCP/IP Clients To Access section of this dialog box controls what remote clients may access. By default, a remote client has access to the entire network. However, this setting shouldn't alarm you—it only grants the potential to access the entire network. In reality, a user's account controls what he or she may access. By selecting This Computer Only, you limit the remote user to accessing resources located on the server that's running RAS.


Figure E: The RAS Server TCP/IP Configuration dialog box enables you to configure TCP/IP and dictate the behavior of the connection.

The next section of the RAS Server TCP/IP Configuration dialog box lets you set up an IP address to be used by inbound clients. By default, the inbound RAS client will search for a RAS server on your network and obtain an address from the RAS server. If you plan to use this option, don't limit inbound clients with This Computer Only unless the RAS server is also running DHCP (Dynamic Host Configuration Protocol).

An alternative to DHCP is to establish a pool of static IP addresses that will be automatically assigned to the RAS client. To do so, simply select Use Static Address Pool and specify a beginning and ending address. You can provide exclusion addresses if necessary. When you're done configuring TCP/IP, click OK to return to the Network Configuration dialog box.

The final section of the Network Configuration dialog box is Encryption Settings. Notice the default choice is Require Microsoft Encrypted Authentication. Only Microsoft operating systems are capable of logging on with this setting. Therefore, if you're planning on accessing the RAS server via UNIX, a dumb terminal, or some other type of non-Microsoft client, you should select Allow Any Authentication Including Clear Text.

When you've set the encryption settings, click OK. At this point, you'll return to the Network properties sheet. Click Close to close the Network properties sheet. Windows NT will now update the bindings and ask you to reboot the server. You must reboot the server before you'll be able to use RAS.

RAS Security

Congratulations, you have enabled your RAS server and opened a huge security hole! Even with the popularity of the Internet, many attacks against corporate computer systems still take place through "back doors" or dial-up portals.

Fortunately, Windows NT tends to be more secure than other dial-up platforms. Keep in mind that when a user dials into a RAS server, they are actually logging on to your network, just as they would if they were physically connected to it. Therefore, all of the usual Windows NT permissions are still in effect. If a user doesn't have rights to a file when logged on locally, he or she won't have access to the file when logged on remotely.

Windows NT further enhances security by not enabling just anyone with a user account to dial in. Before a user may use a dial-up networking session, you must grant that user permission to do so.

To grant dial-up privileges, open User Manager For Domains, and double-click the account of a user who you wish to grant dial-in privileges. When you see the User Properties window, notice that Windows NT has added a Dialin button, as shown in Figure F.


Figure F: The Dialin button enables you to grant dial-up privileges to a user.

At this point, click Dialin. When you do, you'll see the Dialin Information dialog box shown in Figure G. Before Windows NT will enable the user to dial in, you must select the Grant Dialin Permission To User check box.


Figure G: Select the Grant Dialin Permission To User check box.

Another security feature is the Call Back section. The default setting is No Call Back. This setting enables the user to simply dial in to the server, log on, and begin working.

However, if you select Set By Caller, the server will prompt the dial-in user for the phone number that they are calling from. The server will then terminate the dial-up session and call the user back, thus billing any long distance charges to the server.

If security is a major concern, you may want to use the Preset To option. The Preset To option enables you to specify the phone number that the user should be calling from. That way, if a hacker attempts a remote log on with the user's account, the server will hang up on the hacker and attempt to call the owner of the account at a predetermined phone number, thus leaving the hacker out in the cold.

Although the Set By Caller and Preset To options are nice, you should be careful when setting them. If the server's modem lines run through certain types of switchboards, these options cause problems. You should also avoid using these options if the user requires multilink capabilities (the ability to connect simultaneously with two or more modems for higher speed than a single modem can deliver).

Managing a RAS Server

Another important topic is your ability to manage RAS. For example, for security reasons, you'll occasionally want to check to see who is logged on via remote access. There are also times when you'll need to see who is online before performing various server maintenance tasks that may affect users who are logged on. Finally, you'll need management capabilities so that you can start and stop RAS and reset hung modem ports.

The primary tool for remote access management is Remote Access Admin, found on the Administrative Tools (Common) menu. When you launch Remote Access Admin, you'll see a window similar to the one shown in Figure H.


Figure H: The primary tool for remote access management is Remote Access Admin, found on the Administrative Tools (Common) menu.

Notice in Figure H that you can easily see which server contains RAS, whether the service is running or not, how many total communications ports are configured to work with the service, and how many of those ports are currently in use.

Basic RAS functionality can be obtained through Remote Access Admin's Server menu, which enables you to start and stop RAS. You can also use this menu's Select Domain Or Server option to manage RAS on other servers.

To see this tool's capabilities in action, select Communication Ports from the Server menu. When you do, you'll see the Communication Ports dialog box, shown in Figure I.


Figure I: The Communication Ports dialog box displays the status of each communication port that's configured for use with RAS.

This dialog box shows who's logged on and also offers the capability to send a pop-up message to any or all users. You can also disconnect any dial-up user as needed. These features are very handy for those situations in which you need to perform maintenance on the server.

The Communications Port dialog box also offers diagnostic features. If you suspect a particular port is malfunctioning, select the port and click Port Status. When you do, you'll see a Port Status dialog box similar to the one shown in Figure J. This dialog box enables you to view information about the current connection such as speed, protocols, and errors. If necessary, you can reset the port by clicking Reset.


Figure J: The Port Status dialog box enables you to observe the connection statistics and reset the port.

Other RAS Tools

While I'm examining the Remote Access Admin tool, it's worth pointing out the features of the Users menu. The Users menu contains two very handy tools. When you select Permissions from the Users menu, you'll see the Remote Access Permissions dialog box, shown in Figure K. This dialog box enables you to grant everyone dial-up privileges simultaneously or to set individual dial-up permissions without going through the User Manager for domains.


Figure K: The Remote Access Permissions dialog box enables you to grant dial-up privileges simultaneously.

Selecting Active Users from the Users menu enables you to use another handy tool. When you select this command, you'll see a window similar to the one shown in Figure I. The difference in this window is that it shows all users connected to any RAS server in the entire domain. When you consider that large organizations may have dozens of RAS servers, you'll realize how this can be extremely handy.

Configuring the RAS Client on Windows NT Workstation

So far I've shown you how to install the RAS service, how to configure the service, and how to monitor the RAS server's performance. However, none of that does any good if no workstations can dial into the server. Now I'll show you how to configure Windows NT Workstation for dial-up access.

Configuring Windows NT for dial-up access is a little tricky to say the least. Therefore, you must have a general idea of how you plan to approach the problem before you begin.

When you set up Windows NT, by default it's set up as if it were a member of a workgroup. What you must do is make Windows NT Workstation a member of the domain that the RAS server resides in. Only the administrator has this ability.

Therefore, you should begin by logging on to the workstation with the administrator account. Next, select Dial-Up Networking from the Accessories menu. Follow the prompts to assign a name to the connection, and provide the phone number of your RAS server.

When you're done configuring your dial-up connection, close any open windows and select Dial-Up Networking from the Accessories menu. Select the dial-up session that you created from the Phonebook Entry To Dial drop-down list and click More. Now select Edit Entry And Modem Properties.

At this point, you'll see the Edit Phonebook Entry dialog box. Select the Server tab. Now select PPP: Windows NT, Windows 95 Plus, Internet from the Dial-Up Server Type drop-down list, as shown in Figure L. You should also select the protocol that you wish to connect with from the Network Protocols section. If you're planning to use TCP/IP, you may need to configure TCP/IP by clicking TCP/IP Settings.


Figure L: The Edit Phonebook Entry dialog box enables you to configure your connection to the RAS server.

Click OK to close any open dialog boxes, and then dial the connection that you've set up. When you connect to the network, open Control Panel and double-click Network. Next, select the Identification tab and click Change. Change from running a workgroup configuration to running the domain configuration. Supply the name of the domain that your RAS server is a member of. You'll also have to create a computer account within the domain. To do so, select the Create Computer Account For This Domain check box and provide the domain administrator's logon name and password. Click OK and you'll see a message welcoming you to the domain. Close Network Properties and reboot the workstation.

When the workstation has rebooted, you'll find that the logon screen looks a bit different. You'll have a drop-down list that contains domain names. If you select the domain name that matches the workstation's computer name, you'll be logged on to the machine using the local accounts database. However, if you want to use the network, select the domain name that contains the RAS server and select the Log On Using Dial-Up Networking check box. Follow the on-screen prompts until you're logged on.

Keep in mind that a user's desktop may appear different than he or she is used to because Windows NT treats a domain user and a local user as two completely different users, even if they have the same logon name. Remember that Windows NT uses SIDs (Security IDs) rather than logon names.

Configuring the RAS Client on Windows 98

If you're planning to log on with Windows 98, it isn't nearly as complicated as logging on with Windows NT. To log on with Windows 98, select Dial-Up Networking from the Start | Programs | Accessories | Communications menu. If you don't have a dial-up networking command, you can add it by opening Control Panel and double-clicking Add/Remove Programs.

At this point, double-click Make New Connection. Follow the prompts to assign a name and phone number to the connection. When you're done, right-click the icon that's beside the connection you've made and select Properties from the shortcut menu.

As with Windows NT, go to the Server Types tab of the connection's properties sheet and select PPP: Internet, Windows NT Server, Windows 98 from the Type of Dial-Up Server drop-down list box. You'll also have to select the Log On To Network check box and the check box that corresponds to the protocols you wish to use.

Click OK to close the Properties sheet. If you wish, you can drag a shortcut for the newly created icon to the desktop for easy access.

Before you use the dial-up connection, open Control Panel and double-click the Network icon. In the The Following Network Components Are Installed drop-down list box, you should see Client for Microsoft Networks, Dial-Up Adapter, and at least one protocol bound to the Dial-Up Adapter, as shown in Figure M.


Figure M: Client for Microsoft Networks, Dial-Up Adapter, and at least one protocol bound to the Dial-Up Adapter should be visible.

Double-click the Client for Microsoft Networks icon in the drop-down list box. When you see the Client For Microsoft Networks dialog box, select the Log On To Windows NT Domain check box and specify the domain name. Click OK twice to close the dialog boxes and reboot the computer. Your dial-up connection is now ready to use.

Brien M. Posey is an MCSE and a freelance technical writer. He is the director of information systems for a large healthcare company. Brien has also worked as a network engineer for the Department of Defense. You can contact him at Brien_Posey@xpressions.com. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)

The above article is courtesy of TechRepublic.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.