
Remote Access Setup for Windows XP

Module 11 focuses on supporting remote users by providing guidance on establishing remote access connections, configuring VPNs, and using Remote Desktop with Windows XP Professional. The module includes lessons on various connection types, hardware options, and protocols necessary for effective remote access. It also covers practical labs for configuring VPN connections and storing user credentials to facilitate remote work.

Module 11: Supporting Remote Users

Contents

Overview
Lesson: Establishing Remote Access Connections
Lesson: Connecting to Virtual Private Networks
Lesson: Configuring Authentication Protocols and Encryption
Lab A: Configuring a VPN Connection
Lesson: Using Remote Desktop
Lab B: Configuring and Using Remote Desktop
Lesson: Storing User Names and Passwords to Facilitate Remote Connections
Lab C: Storing User Names and Passwords
Course Evaluation

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links are provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Desktop, Active Directory, ActiveX, DirectX, MS-DOS, MSN, Outlook,
PowerPoint, Windows, Windows Media, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Overview

Introduction
In many organizations, employees often need to share work and resources from
different locations. Many workers perform their jobs at remote sites, including
their homes and satellite offices away from their normal work place. These
employees need the same access to resources and the ability to collaborate with
colleagues as if all of the employees were working in a central location. By
using Microsoft® Windows® XP Professional, you can provide remote users full
access to organizational resources.
Module objectives
After completing this module, you will be able to:
• Create and configure an outbound remote connection on a computer running Windows XP Professional.
• Connect a computer running Windows XP Professional to a virtual private network (VPN).
• Configure authentication protocols and encryption for remote access sessions.
• Configure computers to use Remote Desktop.
• Store user names and passwords to facilitate remote connections.

Lesson: Establishing Remote Access Connections

Introduction
To establish a remote access connection, you must first establish an outbound
connection on the remote computer. Outbound connections are dial-up,
broadband, or direct cable connections to another computer.
There are several connection options, each of which uses a different type of
hardware. Understanding the relative advantages and disadvantages of each
connection option is important to planning and implementing remote access
connections.
After the hardware and software are configured for remote access, you can
establish a remote access session. A remote access session connects the remote
client computer to the remote access server, also known as a gateway. Each
remote connection uses data transport protocols. Understanding these protocols
is important to understanding how data is protected and delivered during a
remote session.
Multilink connections enable users to combine multiple physical links, such as
modems and ISDN (Integrated Services Digital Network) lines, to increase the
communication bandwidth available to a remote computer. This is important to
remote users who may not have access to broadband or other high-bandwidth
means of communication.
Lesson objectives
After completing this lesson, you will be able to:
• Establish outbound connections.
• Explore hardware options.
• Create a direct cable connection.
• Create dial-up and broadband connections.
• Establish a remote access session.
• Examine data transport protocols.
• Configure Multilink connections.

Establishing Outbound Connections

Introduction
To establish a remote access connection, you must first configure the outbound
connection. Outbound connections are connections that are made from a remote
access client to a remote access server.
Routing and Remote Access Service
The remote access server runs the Routing and Remote Access Service, which
supports various data transport protocols and virtual private network (VPN)
protocols to enable remote connections. By being familiar with the benefits and
limitations of various types of connections and the protocols that each of them
employ, you will be able to effectively configure remote connections on
computers running Windows XP Professional.
Types of outbound connections
There are three basic types of outbound connections:
• Internet connections. Connections to an Internet service provider (ISP) can be configured as dial-up connections or broadband connections that use a cable modem, ISDN line, or DSL (digital subscriber line) modem.
• Connections to private networks. Connections to a private network can be configured as dial-up or VPN connections.
• Advanced connections. Advanced connections are used to configure a connection directly to another computer by using a cable.

You configure all outbound connections in Windows XP Professional by using
the New Connection Wizard. Much of the work of configuring protocols and
services is automated when you use the wizard. By understanding the options in
this wizard and the protocols that those options configure, you will be able to
configure connections efficiently.

Exploring Hardware Options

Introduction
You can connect remote access clients to a remote access server by using any of
several types of connections. Windows XP Professional supports connections
over the Public Switched Telephone Network (PSTN), ISDN lines, cable
modems, an X.25 network, or direct cable connections.
Connection-type considerations
When selecting a connection type to use for remote access, you should consider
the advantages and disadvantages of each type of connection, which are
explained in the following table.

| Hardware type | Advantages | Disadvantages |
|---|---|---|
| PSTN | Universal availability; inexpensive modems; higher speeds available with DSL | Toll charges; low speeds unless using DSL; DSL is not available in all locations |
| ISDN | Faster than most PSTN connections; dedicated lines; wide availability in urban areas | Low speeds compared to DSL or cable modems |
| Cable modem | Very fast connections | Shared bandwidth; not so available as other connection types |
| X.25 | Secure, dedicated network | Not widely used in the U.S. |
| Direct connection (parallel cables, serial cables, or infrared sensors) | Simple, secure, dedicated connection; inexpensive cables | Distance between computers limited to length of cable or infrared sensor range |

Creating a Direct Cable Connection

Introduction
You can use the New Connection Wizard to create a direct cable connection to
another computer. Although a direct connection is the easiest and most secure
way to connect to a computer to which you need to gain access, this option is
not feasible if the client and the server are not located at the same physical
location. The type of cable determines the maximum length for the cable before
communication degradation occurs.
Procedure to create a direct connection
To create a direct connection to a remote server or another computer from a
remote client:
1. Click Start, click Control Panel, click Network and Internet
Connections, click Network Connections, and then click Create a new
connection.
2. On the Welcome page, click Next.
3. On the Network Connection Type page, select Set up an advanced
connection, and then click Next.
4. On the Advanced Connection Options page, select Connect directly to
another computer, and then click Next.
5. On the Host or Guest? page, select Guest, and then click Next.
6. On the Connection Name page, in the Computer name box, type a name
for the connection.
7. On the Select a Device page, select Communications Port COM1, and
then click Next.
8. If you want this connection to be available to all users of this computer, on
the Connection Availability page, click Anyone’s use, and then click Next.
If you want to reserve the connection for yourself, select My use only, and
then click Next.
9. On the Completing the New Connection Wizard page, click Finish.

Creating Dial-up and Broadband Connections

Introduction
You can use the New Connection Wizard to create and configure dial-up and
broadband outbound connections to an ISP, through which you connect to a
private network. You can also create a dial-up connection directly to a private
network. A dial-up connection is one in which the remote computer uses the
PSTN phone line to dial the number of the ISP server. A broadband connection,
which can transport many times more data than an ordinary phone line, uses a
broadband device such as a cable modem, a DSL modem, or an ISDN phone
line.
Connecting through the Internet
To create an Internet connection to an ISP, start the New Connection Wizard,
and on the Network Connection Type page, select Connect to the Internet.
There are two reasons that organizations sometimes prefer to have employees
gain access to secure and nonsecure resources by using the Internet. First, using
the Internet does not require an organization to use a large pool of modems; and
second, long-distance charges are not incurred if the ISP has a local number that
the user can dial to make a connection. Using an ISP to gain access to the
organization’s network is a good solution for organizations that want to use the
Internet as a part of their network infrastructure.
Creating dial-up connections to private networks
You can create a dial-up connection directly to a computer or private network
by using the New Connection Wizard. To connect to the network by using
dial-up remote access, a remote access client uses a communications network, such
as the PSTN, to create a physical connection to a port on a remote access server
on the private network. This is typically done by using a modem or ISDN
adapter to dial in to the remote access server.

Dial-up remote access
Dial-up remote access enables an organization to keep users connected to its
network when the users are working remotely. However, if your organization
has a large number of users traveling to many locations, the expense of long-
distance telephone charges will become significant. An alternative to increasing
the size of a dial-up remote access network is to use a VPN solution for remote
connectivity.
Procedure to create a dial-up connection to a private network
To create a dial-up connection to a private network:
1. Start the New Connection Wizard, and on the Welcome page, click Next.
2. On the Network Connection Type page, select Connect to the network at
my workplace, and then click Next.
3. On the Network Connection page, select Dial-up connection and then
click Next.
4. On the Connection Name page, type a name for the connection, and then
click Next.
5. On the Phone Number to Dial page, type the applicable phone number
information, click Next, and then complete the wizard.

Note: The Connect to the network at my workplace option also enables you
to create a connection through a VPN. Creating VPN connections is covered in
the Configuring a Virtual Private Network Connection topic in this module.

Establishing a Remote Access Session

Introduction
After configuring the outbound remote access connections, you can establish a
remote access connection.
Users run remote access software and initiate a connection to the remote access
server. This connection uses a remote access protocol, such as the Point-to-
Point (PPP) Multilink Protocol.
Remote access server runs protocols
The remote access server to which a remote client connects runs the Routing
and Remote Access Service. Routing and Remote Access uses both remote
access protocols and local area network (LAN) protocols to enable clients to
connect to remote access servers. Remote access protocols control transmission
of data over wide area network (WAN) links, whereas LAN protocols control
transmission of data within the LAN.
By using this connection, the client sends data to and receives data from the
remote access server. The data is encoded by a protocol such as Transmission
Control Protocol/Internet Protocol (TCP/IP) and is then encapsulated in a
remote access protocol.
All services are enabled for remote user
All services typically available to a LAN-connected user are enabled for a
remote user through the remote access connection. These services include file
and print sharing, Web server access, and messaging.

Examining Data Transport Protocols

Introduction
Windows XP Professional uses a remote access protocol to establish a
connection between the remote access devices, which are usually modems.
Windows XP Professional then uses LAN protocols to establish communication
between the two computers. When a remote access client communicates with a
server, the client encapsulates the packet in a remote access protocol packet for
transport across the remote access connection to the server. Routing and
Remote Access strips the remote access protocol and encapsulates the data in a
LAN protocol packet for transport on the LAN.
Remote access protocols
Windows XP Professional supports several remote access protocols to provide
clients using a dial-up connection with access to a variety of remote access
servers.
PPP
PPP (Point-to-Point Protocol) enables remote access clients and servers to
operate together in a network. For example, clients running Windows XP
Professional can connect to remote networks through any server that uses PPP.
Similarly, computers running other remote access software can also use PPP to
dial in to a computer running Windows XP Professional that is configured with
an incoming connection. This is the most commonly used remote access
protocol.

Serial Line Internet Protocol
Serial Line Internet Protocol (SLIP) enables Windows XP Professional–based
computers to connect to a SLIP server. SLIP is most commonly used with
Telnet and is not suitable for most modern remote access applications.
Windows XP Professional does not include a SLIP server component.
Microsoft RAS protocol
The RAS protocol is an older protocol that is used by Microsoft. Client
computers running Windows XP Professional use the RAS protocol to connect
to remote access servers running Microsoft Windows 3.1, Microsoft Windows
for Workgroups, Microsoft MS-DOS®, or LAN Manager.
LAN protocols
When Windows XP Professional is configured for incoming connections, it
supports the following LAN protocols:
• TCP/IP
• NWLink

Configuring Multilink Connections

Introduction
Multilink enables users to combine analog modem paths, ISDN paths, and even
mixed analog and digital communications links on client and server computers.
Multilinking combines multiple physical links into a logical bundle to increase
the bandwidth available to the client computer.
Multiple communications ports
Multilink enables your computer to use two or more communications ports as if
they were a single port of greater bandwidth. Therefore, if you use two modems
to connect to the Internet, you can connect at double the speed of a single
modem. For example, a computer that has four modems operating at 56 kilobits
per second (Kbps), and a telephone line for each modem, can connect to a
remote access server that has multiple modems and maintains a sustained
transfer rate of 224 Kbps. Four 128-Kbps ISDN lines would return a throughput
rate of 512 Kbps. To dial multiple devices, your connection and your remote
access server must both have Multilink enabled.
The Multilink feature in Routing and Remote Access uses the PPP Multilink
protocol. Windows XP Professional also supports the Bandwidth Allocation
Protocol (BAP) for dynamic multilinking.
PPP Multilink protocol
The PPP Multilink protocol combines the bandwidth of two or more
communication lines to create a single virtual data connection, providing
scalable bandwidth based on the volume of data. Routing and Remote Access
can use Multilink over multiple modems, ISDN, or X.25 cards. Both the client
and remote access server must have Multilink enabled.
Bandwidth Allocation Protocol (BAP) enhances Multilink by dynamically
adding or dropping links on demand. BAP is especially valuable to operations
that have carrier charges based on bandwidth utilization. BAP is a PPP control
protocol that works with PPP to provide bandwidth on demand.

Configuring Multilink on the Remote Access client
To configure an outbound connection that uses multiple devices, you must have
selected multiple devices when you created the connection. If you did not select
multiple devices, you will need to re-create the connection and select multiple
devices. If you did select multiple communication devices, you can then add or
change devices by using the following procedure:
Procedure to add or change devices
To add or change devices:
1. Right-click the connection on which you want to enable the dialing of
multiple devices, and then click Properties.
2. On the General tab, select the check boxes for all of the devices that you
want the connection to use, and then select All devices call same numbers.
3. On the Options tab, in Multiple devices, do one of the following:
a. If you want Windows XP Professional to dial only the first available
device, click Dial only first available device.
b. If you want Windows XP Professional to use all of your devices, click
Dial all devices.
c. If you want Windows XP Professional to dynamically dial and hang up
devices as needed, click Dial devices only as needed, click Configure,
and then perform the following actions.
i. In the Automatic Dialing and Hanging Up dialog box, under
Automatic Dialing, select the Activity at least percentage and the
Duration at least time that you want to set. Another line is dialed
when connection activity reaches this level for the amount of time
that you specify.
ii. Under Automatic hangup, select the Activity no more than
percentage and the Duration at least time that you want to set. A
device is disconnected when connection activity decreases to this
level for at least the amount of time that you specify.
4. Click OK twice.

Lesson: Connecting to Virtual Private Networks

Introduction
A VPN provides a virtual network across an existing physical network, such as
the Internet. VPNs work by putting normal data packets inside PPP packets.
Most VPN connections start with a connection to an ISP.
Lesson objectives
After completing this lesson, you will be able to:
• Describe the methods that clients can use to connect to a network.
• Configure a VPN connection.
• Configure VPN protocols.
• Configure inbound connections.

Examining Client Connections

Introduction
VPN protocols encapsulate data packets inside PPP data packets. The VPN
creates a tunnel across the existing network infrastructure to send and receive
the data. In this context, a tunnel is a secure communication route within the
existing network.
Client connections to a network
There are multiple ways that a client can connect to a network by using a VPN.
Typically, users will connect to the VPN by first connecting to an ISP and then
connecting to the VPN gateway (which is the remote access server) through that
Internet connection. In this case, the virtual tunnel extends from the client
computer to the remote access server. The connection to the ISP and then the
VPN can be configured to be a single-step process for the client.
The ISP can also create the tunnel on behalf of the client. When this occurs, the
client connects to the ISP and provides a network logon. Then the ISP creates
the tunnel and forwards the logon request to the client’s network. In this case,
the tunnel extends from the ISP to the remote access server. The connection
from the client to the ISP is not part of the VPN tunnel; rather, it is a standard
dial-up connection.

Note: A VPN does not require a dial-up connection. It requires only
connectivity between the client and the server. If the client is directly attached
to a LAN that uses IP, and it can reach a server through the LAN, you can
establish a tunnel across the LAN.

Configuring a Virtual Private Network Connection

Introduction
A VPN provides a virtual network across an existing physical network, such as
the Internet. By using the Internet in this way, organizations can reduce their
long-distance telephone expenses and rely on existing infrastructure instead of
managing their own infrastructures. Traveling employees can dial the local ISP
and then make a VPN connection back to the corporate network. Dialing the
local ISP eliminates the long-distance charges or toll calls associated with a
dial-up connection.
Procedure to create a VPN connection
To create a VPN connection:
1. Start the New Connection Wizard and on the Welcome page, click Next,
select Connect to the network at my workplace, and then click Next.
2. On the Network Connection page, click Virtual Private Network
connection, and then click Next.
3. Type a name for the connection, and then click Next.
4. On the Public Network page, choose whether to have a connection
automatically started, and then click Next.
The Public Network page appears only if you have already created a
connection. If this is the first connection that you create, the page will not
appear.
5. Type the name or address of the VPN server, and then click Next.
6. If you want this connection to be made available to all users of this
computer, click Anyone’s use, and then click Next. If you want to reserve
the connection for your use only, click My use only, click Next, and then
click Finish.

Configuring Virtual Private Network Protocols

Introduction
The protocols that can be used for a VPN have different capabilities and
features. VPNs use either the Point-to-Point Tunneling Protocol (PPTP) or the
Layer Two Tunneling Protocol (L2TP) to establish connections. Windows XP
Professional enables you to specify which protocol to use when you create an
outgoing VPN connection.
PPTP and L2TP
Both PPTP and L2TP use PPP to provide an initial envelope for data and to
append additional headers for transport through an existing network. Some of
the key differences between PPTP and L2TP are listed in the following table.

| Feature | PPTP | L2TP |
|---|---|---|
| Connectivity | PPTP requires an IP-based internetwork. | Performs over a wide range of WAN connection media, such as IP, frame relay, or asynchronous transfer mode (ATM). Requires that tunnel media provide packet-oriented, point-to-point connectivity. |
| Header Compression | Does not support header compression. Operates with six-byte headers. | Supports header compression. When header compression is enabled, operates with headers of four bytes. |
| Authentication | Does not support tunnel authentication or IPSec. | Supports tunnel authentication. VPN connections using L2TP can use IPSec. |
| Encryption | Automatically uses PPP encryption. | If encryption is configured, provides a secure tunnel by using IPSec. No automatic encryption. |

Configuring the VPN Protocol on the remote client
You can configure the remote client to automatically choose which VPN
protocol to use, or to use only PPTP or L2TP.
Procedure to configure client VPN protocol
To configure the client VPN protocol:
1. Right-click the VPN connection that you want to configure, and then click
Properties.
2. On the Networking tab, under Type of VPN, select Automatic, PPTP
VPN or L2TP IPSec VPN and then click Settings.
3. In the PPP Settings dialog box, select or clear the following options:
• Enable LCP extensions. Specifies whether Link Control Protocol
(LCP) extensions are enabled. LCP extensions may cause an inability to
connect when you call servers by using older versions of PPP software.
If consistent problems occur, clear this check box. If you clear the check
box, LCP cannot send Time-Remaining and identification packets or
request callback during LCP negotiation of PPP.
• Enable software compression. Offers software data compression in
addition to support for modem compressions. Therefore, when this
option is enabled, you do not need to turn on modem compression to
benefit from faster throughput.
• Negotiate Multilink for single link connections. Specifies whether
Multilink negotiation is enabled for a single-link connection. If your
remote access server supports this feature, you may notice improved
audio quality. If you enable this option, you may not be able to connect
to remote access servers that do not support this feature.
4. Click OK twice.

Configuring Inbound Connections

Introduction
You can also use the New Connection Wizard to configure a computer running
Windows XP Professional to accept incoming dial-up or VPN connections. You
configure a computer to accept incoming connections so that users can gain
remote access to resources on that computer and the network to which it is
connected. When configuring the computer, you determine which hardware and
protocols to use and which users can use the inbound connections.
Procedure to configure an inbound connection
To configure an inbound connection on a computer running Windows XP
Professional:
1. Start the New Connection Wizard and on the Welcome page, click Next,
select Set up an advanced connection, and then click Next.
2. Select Accept incoming connections, and then click Next.

The wizard will lead you through a series of pages, described in the following
sections, which enable you to configure the computer and user permissions.
Configuring devices
You can configure the computer to accept incoming connections through the
Internet, a phone line, or a direct cable connection. On the Devices for
Incoming Connections page, you select the devices that you want to accept
incoming connections. Only those devices currently installed will appear; you
cannot add devices in this wizard.
To configure settings for the Connection device, select the check box for the
device, and then click Properties. On the Advanced tab of the Properties
dialog box, you can configure Hardware Settings and Terminal Window
settings for any device. If you are configuring a modem, on the General tab,
you can configure Call preferences (such as timeout settings) and Data
Connection Preferences (such as port speed and data protocol).

Enabling VPN connections
On the Incoming Virtual Private Network (VPN) Connection page, you can
choose whether to allow inbound VPN connections to the computer. If you
want to accept inbound VPN connections over the Internet, the computer must
have a known IP address or computer name on the Internet. If you choose to
accept inbound VPN connections, Windows XP Professional will modify the
Internet Connection Firewall (ICF) to enable your computer to send and receive
VPN packets.
Configuring user permissions
On the User Permissions page, you can specify which users or groups can
connect to the computer, and you can configure properties for each user or
group. The configurable properties are passwords and callback methods.
Choosing and configuring networking software
The Network Software page displays the default protocols, services, and
clients configured for inbound connections, which are:
• TCP/IP
• File and Printer Sharing for Microsoft Networks
• Quality of Service (QoS) Packet Scheduler
• Client for Microsoft Networks

You may want to configure the TCP/IP properties. The options include
allowing callers to gain access to the LAN in addition to resources on the
computer, and specifying TCP/IP address assignment. You can choose to have
IP addresses automatically assigned by the Dynamic Host Configuration
Protocol (DHCP), specify a range of addresses to use, or enable the calling
computer to specify its own address.
You can also add clients, services, and protocols to enable the computer to
accept inbound connections from computers that use networking software other
than the defaults listed in this section.

Lesson: Configuring Authentication Protocols and Encryption

Introduction
Remote access servers use authentication to determine the identity of users who
are attempting to connect to the network remotely. After a user is authenticated,
the user receives the appropriate access permissions and is allowed to connect
to the network.
The correct and secure authentication of user accounts is critical for the security
of a network. If your user accounts lack authentication, unauthorized users can
gain access to your network.
Running on the remote access server, Routing and Remote Access uses several
protocols to perform authentication and also allows for the use of Extensible
Authentication Protocols (EAPs), through which you can load non-Microsoft
protocols.
Data encryption can also be important when you are connected to a network.
Some data, for instance medical records, product plans, or trade secrets, are as
sensitive in nature as passwords. Windows XP Professional enables you to
encrypt the data that the authenticated user sends.
As an Information Technology (IT) professional supporting remote users, you
may need to configure the remote client computers to use the same
authentication and encryption protocols that the remote server is using.
Lesson objectives
After completing this lesson, you will be able to:
• Describe standard authentication protocols.
• Describe extensible authentication protocols.
• Configure client authentication protocols.
• Configure client data encryption.

Standard Authentication Protocols

Introduction
Windows XP Professional supports many different authentication protocols that
have varying levels of security. Only those protocols that you enable can be
used to authenticate users to the remote access server.
PAP
The Password Authentication Protocol (PAP) uses clear-text passwords, which
are unencrypted. If the passwords match, the server grants access to the remote
access client. This protocol provides little protection against unauthorized
access.
SPAP
The Shiva Password Authentication Protocol (SPAP) is a two-way reversible
encryption mechanism employed by Shiva, a hardware manufacturer. SPAP
encrypts the password data that is sent between the client and server and is,
therefore, more secure than PAP.
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response
authentication protocol that negotiates a secure form of encrypted
authentication by using Message Digest 5 (MD5). CHAP uses the industry-
standard MD5 one-way encryption scheme to encrypt the response, providing a
high level of protection against unauthorized access. By encrypting the
response, you can prove to the server that you know your password without
actually sending the password over the network. The authentication process
works as follows:
1. The remote access server sends a challenge, consisting of a session
identifier and an arbitrary challenge string, to the remote access client.
2. The remote access client sends a response that contains the user name and a
one-way encryption of the challenge string, the session identifier, and the
password.
3. The remote access server checks the response, and if the response is valid,
the server allows the connection.
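
The three steps above, as an added Python example (not part of the courseware), using the response calculation from RFC 1994: MD5 over the identifier octet, the shared secret, and the challenge. The class and function names, the 16-byte challenge length, and the account data are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier octet || secret || challenge).

    MD5 is used as a one-way hash, so the password cannot be read back
    out of the response.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Remote access server side of the three-step exchange (illustrative)."""

    def __init__(self, accounts: dict):
        self.accounts = accounts      # user name -> shared secret (password)
        self._next_id = 0
        self._pending = {}            # identifier -> outstanding challenge

    def issue_challenge(self):
        """Step 1: send a session identifier and an unpredictable challenge."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, user: str, response: bytes) -> bool:
        """Step 3: recompute the hash and compare; a challenge is single-use."""
        challenge = self._pending.pop(identifier, None)
        secret = self.accounts.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def client_reply(user: str, password: bytes, identifier: int, challenge: bytes):
    """Step 2: the client returns its user name and the hashed response."""
    return user, chap_response(identifier, password, challenge)


def demo() -> dict:
    # Constructed account data for the example.
    password = b"P@ssw0rd"
    server = ChapServer({"Jim": password})

    # Normal logon: collect every byte that crosses the network.
    ident, chal = server.issue_challenge()
    user, resp = client_reply("Jim", password, ident, chal)
    wire = bytes([ident]) + chal + user.encode() + resp
    good = server.verify(ident, user, resp)

    # Wrong password: the recomputed hash does not match.
    ident2, chal2 = server.issue_challenge()
    _, bad_resp = client_reply("Jim", b"guess", ident2, chal2)
    wrong = server.verify(ident2, "Jim", bad_resp)

    # A recorded response presented again: first against the challenge that
    # was already consumed, then against a freshly issued one.
    replay_same = server.verify(ident, user, resp)
    ident3, _ = server.issue_challenge()
    replay_fresh = server.verify(ident3, user, resp)

    return {
        "valid_logon": good,
        "wrong_password": wrong,
        "replay_same_challenge": replay_same,
        "replay_fresh_challenge": replay_fresh,
        "password_on_wire": password in wire,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the server recomputes the hash itself, it must hold each account's password in a form it can recover, which is a storage cost PAP-style hashed password databases do not have.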

MS-CHAP
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a one-way,
encrypted password authentication protocol. If the server uses MS-CHAP
as the authentication protocol, it can use Microsoft Point-to-Point Encryption
(MPPE) to encrypt data to the client or server.
MS-CHAP v2
A newer version of MS-CHAP, Microsoft Challenge Handshake Authentication
Protocol version 2 (MS-CHAP v2), is available. This new protocol provides
mutual authentication, stronger initial data encryption keys, and different
encryption keys for sending and receiving data.
For VPN connections, Microsoft Windows 2000 Server offers MS-CHAP v2
before offering MS-CHAP. Windows XP Professional dial-up and VPN
connections can use MS-CHAP v2. Computers running Microsoft
Windows NT® 4.0 or Microsoft Windows 98 can use MS-CHAP v2
authentication for VPN connections only.

Extensible Authentication Protocol

Introduction
The Extensible Authentication Protocol (EAP), an extension of PPP, allows for
customized authentication to remote access servers. The client and the remote
access server negotiate the exact authentication method to be used.
EAP authentication
EAP supports authentication by using:
• MD5-CHAP. The Message Digest 5 Challenge Handshake Authentication
Protocol (MD5-CHAP) encrypts user names and passwords by using an
MD5 algorithm.
• Additional non-Microsoft authentication methods. Vendors can use EAP to
add their own authentication methods, such as smart cards. Smart cards are
physical cards that provide passwords and may use several authentication
methods, including the use of codes that change with each use.
• Transport Layer Security. Transport Layer Security (TLS) is used for smart
cards and other intermediary security devices. Smart cards require a card
and reader. The smart card electronically stores the user certificate and
private key.

Procedure to configure EAP
To configure EAP on the client computer:
1. Right-click the network connection that you want to configure, and then
click Properties.
2. On the Security tab, under Validate my identity as follows, select Use
smart card from the drop-down list, and then click OK.

Through the use of the EAP application programming interfaces (APIs),
independent software vendors can supply new client and server authentication
methods for technologies such as smart cards, biometric hardware such as retina
or fingerprint scanners, and authentication technologies that are not yet
developed. Smart cards are the most widely adopted technology that uses the
EAP protocol.

Smart card description and features
A smart card is a credit card–sized device that you can use for storing sign-on
passwords and other personal information. Smart cards provide tamper-resistant
and portable security solutions for tasks such as securing e-mail and logging on
to a domain.
Support for smart cards is a feature of the public key infrastructure (PKI) that
Microsoft has integrated into Windows XP. Smart cards provide:
• Tamper-resistant storage for protecting passwords and other forms of
personal information.
• Isolation of security-critical computations involving authentication, digital
signatures, and key exchange.
• A way to take logon information and other private information with you for
use on computers at work, home, or on the road.

Smart card authentication methods
A smart card can be used to authenticate users in a Windows 2000 network in
two ways.
Interactive log on
Interactive log on with a smart card begins when the user inserts the smart card
into the reader, which signals the Windows XP Professional operating system to prompt
for a personal identification number (PIN) instead of a user name, domain, and
password.
Remote access
A remote log on involves two separate authentications. The first authentication
is to the remote access server and results in remote access policies being applied
to the client. The second authentication is to the network and uses
EAP-Transport Layer Security (EAP-TLS) protocols for authentication.

Configuring Client Authentication Protocols

Introduction
Client authentication protocols determine the servers with which a remote
access client can communicate. If a client and server use different
authentication protocols, they may not be able to establish a remote access
session.
Procedure to configure authentication protocols
To configure authentication protocols on a client computer running
Windows XP Professional:
1. Right-click the outbound VPN connection for which you want to configure
protocols, and then click Properties.
2. In the VPN_connection_name Properties dialog box (where
VPN_connection_name is the name of your VPN connection), click the
Security tab, select Advanced (custom settings), and then click Settings.
3. In the Advanced Security Settings dialog box, under Logon security, do
one of the following:
• To use EAP, select Use Extensible Authentication Protocols (EAP), select
a type of EAP in the drop-down list, click OK, and then click OK to close
the dialog box.
• To use other protocols, select Allow these protocols, select the protocols to
use, click OK, and then click OK to close the dialog box.

EAP protocol options
When you choose EAP protocols, you have the option of choosing to use a
smart card, an encrypted certificate, or MD5 Challenge Handshake
Authentication Protocol (MD5-CHAP). If you choose to use one of these
options, you can configure additional settings by clicking the
Properties button.

Configuring Client Data Encryption

Introduction
Data encryption provides security by encrypting, or encoding, data that is sent
between a remote access client and a remote access server. For situations that
require the highest degree of security, the administrator can set the server to
force encrypted communications. Clients attempting to connect to that server
must encrypt their data, or the server will refuse their connection.

Important: Data encryption is available only if you use MS-CHAP, MS-CHAP
v2, or TLS (an EAP protocol) as the authentication protocol.

Procedure to configure data encryption rules
To configure data encryption rules:
1. Right-click the VPN connection that you want to configure, and then click
Properties.
2. On the Security tab, select Advanced (custom settings), click Settings,
and then select a rule from the Data encryption drop-down list.
The following four data encryption rules are available:
• No encryption allowed (server will disconnect if it requires
encryption). Use this option only when you are transmitting data that
does not need to be protected.
• Optional encryption (connect even if no encryption). Use this option
when some data need encryption, but encryption is not required for all
data.
• Require encryption (disconnect if server declines). Use this option
when all communications must be encrypted.
• Maximum strength encryption (disconnect if server declines). Use
this option when you require the highest level of encryption for all
communications. The server will not accept a lower level of encryption.

Encrypting data by using MPPE
MPPE encrypts data that moves between a PPTP connection and the VPN
server. It has three levels of encryption: strongest (128-bit), strong (56-bit), and
basic (40-bit) schemes. When a remote access server uses a level of encryption
higher than the level of encryption used by the client, the two computers cannot
communicate.
Encrypting data by using IPSec
IP Security (IPSec) provides computer-level authentication, in addition to
data encryption, for L2TP-based VPN connections. IPSec negotiates a
secure connection between the remote client and the remote tunnel server
before the L2TP connection is established. This connection secures user names,
passwords, and data.
IPSec is a framework of open standards for ensuring secure private
communications over IP networks. It does so by using authentication and
encryption. IPSec provides aggressive protection against private network and
Internet attacks. IPSec is transparent to the user. Clients negotiate a security
association that functions as a private key to encrypt the data flow.
The typical IPSec policy is configured as a computer-based Group Policy.
Therefore, when the computer connects to the network, the Group Policy
setting is applied to the computer before the user logs on.

Lab A: Configuring a VPN Connection

Objectives
After completing this lab, you will be able to:
• Configure Microsoft Windows XP Professional to allow incoming VPN
connections.
• Configure and test an outgoing VPN connection by using the Network
Connection Wizard.

Prerequisites
Before working on this lab, you must have:
• A computer running Microsoft Windows XP Professional with Service
Pack 2.
• Microsoft Virtual PC 2004 installed.

Scenario
Your organization has employees who travel to remote locations. You do not
have the resources to set up a worldwide network that would allow dial-up
connections to these locations. Instead, you will need to configure a VPN server
on the Internet and allow your staff to connect to your network through the
VPN connection.
Estimated time to complete this lab: 30 minutes

Exercise
Configuring Inbound VPN Connections

Scenario
The sales staff in your organization has started traveling to remote locations. Although the traveling
sales force will have access to the Internet at all of the remote locations, they still need access to
your network for demonstration purposes. You need to enable secure remote access to your network
over the Internet for these traveling users.
Perform this exercise from the Denver and Perth virtual machines. This exercise also requires the
London virtual machine. London must be running before you start Denver and Perth.

Tasks Detailed Steps

1. From the Perth virtual machine, log on as Bob, and configure an inbound VPN
connection.
a. From Perth, log on as Bob, with a password of P@ssw0rd.
b. Click Start, and then click Control Panel.
c. In Control Panel, click Network and Internet Connections, and then
click Network Connections.
d. Under Network Tasks, click Create a new connection.
e. On the Welcome page of the Network Connections Wizard, click
Next.
f. On the Network Connection Type page, select Set up an Advanced
Connection, and then click Next.
g. On the Advanced Connection Options page, verify that Accept
incoming connections is selected, and then click Next.
h. On the Device for Incoming Connections page, click Next.
i. On the Incoming Virtual Private Network (VPN) Connection page,
select Allow virtual private connections, and then click Next.
j. On the User Permissions page, select Administrator, Bob, and Jim,
and then click Next.
k. On the Networking Software page, click Internet Protocol (TCP/IP),
and then click Properties.
l. On the Incoming TCP/IP Properties page, verify that Assign TCP/IP
addresses automatically using DHCP is selected, and then click OK.
m. On the Networking Software page, click Next.
n. On the Completing the Network Connection Wizard page, click
Finish.
o. Close Network Connections.
p. Click Start, and then click Run. In the Open box, type cmd and then
click OK.
q. In the command prompt window, type ipconfig and then press ENTER.
r. Note the IP address here: _________________________________.
s. Close the command prompt window.
t. Log off as Bob.
u. Switch to Denver.

2. From the Denver virtual machine, log on as Bob, and create an outbound VPN
connection.
a. From Denver, log on as Bob, with a password of P@ssw0rd.
b. Click Start, and then click Control Panel.
c. In Control Panel, click Network and Internet Connections, and then
click Network Connections.
d. Under Network Tasks, click Create a new connection.
e. On the Welcome to the Network Connection Wizard page, click
Next.
f. On the Network Connection Type page, click Connect to the
network at my workplace, and then click Next.
g. On the Network Connection page, click Virtual Private Network
connection, and then click Next.
h. On the Connection Name page, type NWTraders and then click Next.
i. On the VPN Server Selection page, in the Host name or IP address
box, type IP_Address_of_Perth (the IP Address noted on previous
task), and then click Next.
j. On the Completing the Network Connection Wizard page, click
Finish.
k. In the Logon window, click Cancel.
l. In the Network Connections window, right-click Virtual Private
Connection, and then click Properties.
m. On the Virtual Private Connections Properties dialog box, verify
that Show icon in notification area when connected is selected, and
then click OK.

3. From Denver, test the VPN connection.
a. From Denver, in Network Connections, double-click Virtual Private
Connection.
b. Log on as Jim, with a password of P@ssw0rd.
c. Close the Virtual Private Network is now connected message box
when it appears.
d. Open a command prompt, and type IPCONFIG /ALL and then press
ENTER.
You will have two adapters listed: the Local Area Connection,
which is the LAN adapter with the DHCP-assigned address, and a
PPP adapter VPN.
e. In the Notification Area, right-click Virtual Private Connection, and
then click Disconnect.
f. Close all open windows, and then log off.

Lesson: Using Remote Desktop

Introduction
The Remote Desktop feature of Windows XP Professional enables you to
remotely gain access to your Windows XP Professional desktop from another
computer on your network. This means that you can connect to your computer
from another location and have access to all of your applications, files, and
network resources as though you were located in front of your work computer.
While you are operating the computer remotely, no one may use your work
computer locally. However, an administrator may log on to the computer while
you are connected remotely, in which case your remote session will be
terminated.
Lesson objectives
After completing this lesson, you will be able to:
• Describe the Remote Desktop feature.
• Configure a computer to use Remote Desktop.

Examining the Remote Desktop Feature

Introduction
The Remote Desktop feature of Windows XP Professional enables you to gain
access to a Windows session that is running on your computer when you are
located at another computer.
Remote Desktop scenarios
Remote Desktop enables remote users to participate in a variety of scenarios,
including:
• Working at home or another site. Gain access to work in progress on your
office computer from your home computer, including full access to all local
and remote devices.
• Collaborating with a colleague. Gain access to your desktop from a
colleague’s office to perform a variety of tasks, such as debugging code,
updating a Microsoft Office PowerPoint® presentation, or proofreading a
document, just as if you were working on your desktop in your own office.

To use the Remote Desktop feature, you need the following:
• A computer to which you want to gain access that is running Windows XP
Professional and is connected to a LAN or the Internet.
• A second computer with access to the LAN through a network connection,
modem, or VPN connection. This computer must have the Remote Desktop
Connections program or the Terminal Services client installed.
• Proper user accounts and permissions. To gain access to a computer’s
desktop remotely, you must be either an administrator or a member of the
Remote Desktop Users group on that computer.

Configuring Computers to Use Remote Desktop

Introduction
To enable Remote Desktop, you need to configure the computer to which you
want to gain remote access, which will be the remote computer. Next, configure
the computer from which you will connect, which will be the local computer.
Procedure for configuring a computer to use Remote Desktop
To configure the local computer to enable Remote Desktop, you need the
following:
• Access to the remote computer, which is the computer running
Windows XP Professional, by way of a LAN, modem, or VPN connection.
• Remote Desktop Connections or a Terminal Services client installed on
the remote computer.

To configure the remote computer to enable Remote Desktop:
1. Click Start, right-click My Computer, and then click Properties.
2. On the Remote tab, select the Allow users to connect remotely to this
computer check box.
3. Ensure that you have the proper permissions to connect to your computer
remotely. You must be an administrator or a member of the Remote
Desktop Users group on the computer. If you are not a member of one of
those groups, add yourself to one of the groups.
4. Click OK.

Connecting to a remote desktop
If the computer that you will use to connect to your remote desktop is running
Windows XP Professional, you can configure the Remote Desktop Connection
on the Remote Desktop Connection page.

Procedure to connect to a remote desktop
To connect to the remote desktop of a computer that is running Windows XP
Professional:
1. Open the Remote Desktop Connection page, and click Start.
2. From the Start menu, click All Programs, click Accessories, click
Communications, and then click Remote Desktop Connection.

The only information that you must enter on the Remote Desktop Connection
page is the name of the computer to which you will connect. However, if you
click Options, the page will display five tabs, each of which contains
configurable settings.
Security best practices for Remote Desktop
Because Remote Desktop enables remote connection to your computer, you
should configure the computer to be as secure as possible, thus preventing your
data from being seen by others who could try to connect to your computer
remotely.
The following list contains best practices to increase security:
• To increase security, add yourself to the Remote Desktop Users group for
your computer, rather than to the Administrators group. As a member of the
Remote Desktop Users group, you do not need to log on as an administrator
to gain access to your computer remotely. Therefore, if the security of your
remote connection is compromised, the intruder will not have administrative
privileges. Moreover, you should avoid logging on as an administrator,
unless you are doing tasks that require administrator-only privileges.
• Require all Remote Desktop users to log on by using a strong password.
This password level is especially important if your computer is connected
directly to the Internet by way of a cable modem or DSL connection. Strong
passwords are at least eight characters long and must contain a capital or a
special character in position two through seven.

Lab B: Configuring and Using Remote Desktop

Objectives
After completing this lab, you will be able to:
• Configure Remote Desktop on a computer running Microsoft Windows XP
Professional.
• Connect to a computer running Remote Desktop.

Prerequisites
Before working on this lab, you must have:
• A computer running Windows XP Professional with Service Pack 2.
• Virtual PC 2004 installed.

Scenario
The organization that you support has a custom-developed application that the
users would like to be able to run from their homes. However, many of their
home computers do not have the resources, such as memory, processor, or disk
space, to be able to run the application. You need to configure the Remote
Desktop feature that is now available on their computers running Windows XP
Professional.
Estimated time to complete this lab: 15 minutes

Exercise
Configuring and Using Remote Desktop
Perform this exercise from the Denver and Perth virtual machines. This exercise also requires the
London virtual machine. London must be running before you start Denver and Perth.

Tasks Detailed steps

1. From the Denver virtual machine, log on as Bob, and configure the Allow users
to connect remotely to this computer option.
a. From Denver, log on as Bob, with a password of P@ssw0rd.
b. Click Start, right-click My Computer, and then click Properties.
c. In the System Properties sheet, click Remote.
d. On the Remote tab, select Allow users to connect remotely to this
computer.
e. If a Remote Sessions message box appears, read the information, and
then click OK.
f. On the Remote tab, click Select Remote Users.
g. In the Remote Desktop Users dialog box, click Add.
h. In the Select Users dialog box, in the Enter the object names to select
box, type Bob; Jim. Click Check Names, and then click OK.
i. In the Remote Desktop Users dialog box, verify that both users appear
in the Name box, and then click OK.
j. Click OK to close the System Properties sheet.
k. Click Start, and then click Run. In the Open box, type cmd and then
click OK.
l. In the command prompt window, type ipconfig and then press ENTER.
m. Note the IP address here: _________________________________.
n. Close the command prompt window.
o. Do not log off as Bob.
p. Switch to Perth.

2. From the Perth virtual machine, log on as Jim, and establish a remote desktop
connection to your partner’s computer.
a. From Perth, log on as Jim, with a password of P@ssw0rd.
b. Click Start, click All Programs, point to Accessories, point to
Communications, and then click Remote Desktop Connection.
c. In the Remote Desktop Connection dialog box, in the Computer box,
type IP_Address_of_Denver, and then click Connect.
d. Verify that Jim is in the User Name box, type P@ssw0rd for the
password, and then click OK.
The Remote Desktop Connection will start. Notice the taskbar on
the top of the screen. This is the taskbar for your partner’s
computer.
e. A Logon Message message box will appear, stating that Bob is
currently logged on to the computer. Click Yes.
Logon will take a minute or so to complete. When the desktop
appears, you will see your partner’s computer desktop. To view
your desktop, move the cursor to the top edge of the display, and
then click the minimize button on the taskbar.
f. Start an application on Denver. The application appears on the taskbar.


g. Move the cursor to the top edge of the display, and minimize the
remote desktop.
h. When the taskbar shows 192.168.1.x – Remote Desktop, (where x is
the last octet of the IP address of Denver) you are looking at Perth’s
desktop.
i. Restore 192.168.1.x – Remote Desktop (where x is the last octet of the
IP address of Denver).
j. Move the cursor to the top of the screen, and then close Remote
Desktop.
The Disconnect Windows session message box appears, telling
you that disconnecting the session does not close any programs
that are running.
k. Click Cancel to close the Remote Desktop Connection message box.
l. Close the application that is running.
m. Do not log off the computer.

3. From Denver, log on as Bob.
a. From Denver, log on as Bob, using P@ssw0rd for the password.
b. If a Virtual PC message box appears, click OK.
c. Restore Perth, and note that the Remote Desktop Connection has been
terminated.
Remote Desktop allows only a single interactive session. If a user
is logged on the computer, the Remote Desktop session will be
disconnected.
d. From Perth, click OK to close the Remote Desktop Disconnected
message box.
e. Click Close to close the Remote Desktop Connection dialog box.
f. From Perth log off as Jim.
g. From Denver log off as Bob.

Lesson: Storing User Names and Passwords to Facilitate Remote Connections

Introduction
When you log on to a computer running Windows XP Professional, you
provide a user name, password, and security database to be authenticated
against. On a stand-alone computer, the database is the Security Accounts
Manager (SAM). In a domain, the database is the Active Directory® directory
service. The supplied credentials become your security context for connecting
to other computers on networks or over the Internet.
In this lesson, you will learn how to use Stored User Names and Passwords.
Lesson objectives
After completing this lesson, you will be able to:
• Describe how the Stored User Names and Passwords feature is used to
facilitate remote connections.
• Add credentials to Stored User Names and Passwords.

Introduction to Stored User Names and Passwords to Facilitate Remote Connections

Introduction
When Windows XP Professional attempts to connect to a new resource on a
network, it supplies to the target resource the set of credentials used to log on. If
these credentials are not sufficient to provide the level of access requested, the
user is prompted to enter new credentials on the Logon Information
Properties dialog box that appears. The user can choose to have the credentials
that they enter apply to the current logon session only, to the user account on
the current computer only, or to the user account on any computer. If the user
applies the credentials to the user account on any computer, the credentials are
stored in that user’s profile.
Benefits of Stored User Names and Passwords
Users who need to be authenticated using various sets of credentials benefit
from Stored User Names and Passwords in the following ways:
• It requires users to log on only once, without needing to log off and on to
supply multiple credentials.
• It stores any number of credentials for later use.
• It stores credentials in the user’s profile to provide portability of the
credentials to any computer on the network.

Best practices for Stored User Names and Passwords
The following are best practices to observe when you are using the Stored User
Names and Passwords feature:
• Use different passwords for individual credentials.
Having different passwords for each resource helps to ensure that one
compromised password does not compromise all security.
• Use strong passwords for all credentials.
The Stored User Names and Passwords feature does not remove the
vulnerability of using weak passwords. Use strong passwords for all
credentials.

Important: Often, a user’s e-mail address is in the form of
user_name@organization_name, for example jon@[Link]. For this
reason, users should never use a network password as a password for an
Internet site that also requires, or reads through a “cookie,” their e-mail
addresses. A cookie is a program that is placed on the client computer and
reads information such as e-mail addresses. As a result, the site will be
supplied with their user names, passwords, and company name, which
constitutes a high security risk.

• Change passwords regularly.
Although strong passwords help to protect resources, it is possible for an
intruder to eventually determine a password given sufficient time, technical
expertise, and determination. Because of the potential for intrusion, it is
important to periodically change passwords to help minimize damage if a
password is compromised without the user’s knowledge.
• Use the This logon session only option when appropriate.
Some credentials may be used infrequently. Other credentials may be used
only for extremely sensitive resources that the user wants to protect very
carefully. In these cases, the user should store the credentials for This logon
session only by selecting that option in the Logon Information Properties
dialog box.

Adding Credentials to Stored User Names and Passwords

Introduction
There may be times when you want to use different user names and passwords
to connect to different resources. A remote user may need to log on by using
one set of credentials, and then connect to several secure remote access servers,
each of which requires a different user name and password. Windows XP
Professional enables users to store multiple sets of credentials for future use.
Stored credentials can be specific to a unique server, or generic so that they will
be supplied to all secure servers to which the user attempts to gain access.
The Stored User Names and Passwords feature enables stored credentials to be
stored as a part of a user’s profile. Therefore, these credentials will travel with
the user from computer to computer, anywhere on the network.
Procedure to add credentials
To add credentials to Stored User Names and Passwords:
1. Click Start, click Control Panel, and then click User Accounts.
2. On the Advanced tab of the User Accounts page, click Manage
Passwords, and then on the Stored User Names and Passwords page,
click Add.
3. Enter a server name or network location, user name, and password for the
resources to which you want to gain access. Select when to use these
credentials, and then click OK.

Lab C: Storing User Names and Passwords

Objectives
After completing this lab, you will be able to:
• Store user names and passwords.
• Use the Stored User Names and Passwords feature.

Prerequisites
Before working on this lab, you must have:
• A computer running Windows XP Professional with Service Pack 2.
• Virtual PC 2004 installed.

Scenario
You work on-site, providing customer support. The customer organization has
created a vendor account on its network for you to log on and be authenticated.
You have additional accounts, including one for your own organization’s
domain. You want to use the Stored User Names and Passwords feature to
simplify logging on to these different networks and resources.
Perform this lab from the Denver virtual machine. This lab also requires the
London virtual machine. London must be running before you start Denver.
Estimated time to complete this lab: 15 minutes

Exercise
Storing User Names and Passwords

Tasks and detailed steps

1. From the Denver virtual machine, log on as Bob. Attempt to gain access to
   the shared folder called Lab10 on the London virtual machine.
   a. From Denver, log on as Bob, with a password of P@ssw0rd.
   b. Click Start, right-click My Computer, and then click Map Network
      Drive.
   c. In the Map Network Drive dialog box, in the Folder box, type
      \\London\Lab10
   d. Clear the Reconnect at logon check box if selected, and then click
      Finish.
   e. When prompted for a user name and password, click Cancel.
      Because your computer is part of a workgroup and not the
      domain, you logged on by using a local account. When you tried
      to access London, the Security Accounts Manager checked share
      permissions to see if your account existed. Because it did not
      exist, it prompted you for a user name and password.
   f. In the Map Network Drive dialog box, click Cancel.

2. From User Accounts in Control Panel, configure your stored passwords.
   a. Click Start, click Control Panel, and then click User Accounts.
   b. From User Accounts, click Bob.
   c. Under Related Tasks, click Manage my network passwords.
   d. In the Stored User Names and Passwords dialog box, click Add.
   e. In the Logon Information Properties dialog box, in the Server box,
      type London

      Note: You could have also typed *.[Link] in place of London. This
      would have allowed you to connect to any computer in the [Link] domain.

   f. In the User name box, type nwtraders\RyanCal and in the Password
      box, type P@ssw0rd
   g. Click OK to close the Logon Information Properties sheet.
   h. In the Stored User Names and Passwords dialog box, click Close.
   i. Close User Accounts, and then close Control Panel.

3. Map a network drive to \\London\RA.
   a. Click Start, right-click My Computer, and then click Map Network
      Drive.
   b. In the Folder box, type \\London\Lab10 and then click Finish.

      Note: This time, you were connected without being prompted for a user
      name or password, because you had stored a user name and password for
      gaining access to the London server.

   c. In the Lab10c on London window, under Other Places, right-click My
      Network Places, click Disconnect Network Drive, select
      \\London\Lab10, and then click OK.
   d. In the Disconnect Network Drive message box, select
      Z: \\London\Lab10, and then click Yes.
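
The lesson states that a stored credential can be specific to one server or generic, and the lab note states that a *.domain entry covers any computer in that domain. The following added example (not part of the courseware, and a simplified model rather than Windows XP's own matching code) shows which stored entry would be offered to a given server and flags entries that conflict with the best practices listed earlier. The StoredCredential record, the function names, the corp.example domain and the two extra accounts are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredCredential:
    target: str         # Server box value: a host name or a "*.domain" wildcard
    user: str
    session_only: bool  # True if "This logon session only" was selected

def specificity(target: str, server: str) -> int:
    """Return 0 for no match; larger values mean a more specific match."""
    t, s = target.lower(), server.lower()
    if t == s:
        return 10_000                      # exact server entry always wins
    if t.startswith("*.") and s.endswith(t[1:]) and len(s) > len(t) - 1:
        return len(t)                      # longer wildcard suffix is narrower
    return 0

def select_credential(store, server):
    """Pick the stored entry that would be offered to `server`, or None."""
    best = max(store, key=lambda c: specificity(c.target, server), default=None)
    return best if best and specificity(best.target, server) else None

def audit(store, sensitive):
    """Flag entries that conflict with the module's best practices."""
    findings = []
    for cred in store:
        if cred.target.startswith("*."):
            findings.append((cred.target, "wildcard: offered to every host in the domain"))
        hit = [s for s in sensitive if select_credential(store, s) == cred]
        if hit and not cred.session_only:
            findings.append((cred.target, "persisted for sensitive resource: " + ", ".join(hit)))
    return findings

# Constructed sample store; corp.example is a placeholder domain (assumption).
STORE = [
    StoredCredential("London", r"nwtraders\RyanCal", session_only=False),
    StoredCredential("*.corp.example", r"corp\vendor01", session_only=False),
    StoredCredential("payroll.corp.example", r"corp\payadmin", session_only=False),
]

if __name__ == "__main__":
    for host in ("london", "files.corp.example", "payroll.corp.example", "other"):
        chosen = select_credential(STORE, host)
        print(host, "->", chosen.user if chosen else "prompt for credentials")
    for target, issue in audit(STORE, sensitive=["payroll.corp.example"]):
        print("FINDING", target, issue)
```

Storing the payroll entry with session_only=True clears its finding, which mirrors selecting This logon session only for credentials that protect sensitive resources.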
