March 27, 2005

Remote Web Workplace: So close... yet so far away

Oh man, what a disappointment this weekend.

I have been working to integrate two-factor authentication into my network for a while now, and decided it was time to actually make it drive the whole SBS experience for my remote users. Was I ever disappointed when I found out that RWW doesn't actually support RADIUS. *sigh*

For those of you that don't know, Small Business Server has one of the most amazingly simple yet powerful features I have ever seen for users. It is a web portal through which users are authenticated for access to Remote Desktop and Terminal Services behind it, Outlook Web Access, and the corporate intranet on SharePoint. An AWESOME tool for remote users.

However, it is rendered virtually useless to me, since I cannot offer it to my employees. Why? Because I do not, and cannot, trust the machines they are connecting in from. I cannot risk a keystroke logger on an Internet kiosk in a Kinkos, or a web access workstation at an airport, or a pay-as-you-go Internet system at a local coffee shop. I could reduce this risk by using OTP (one-time passwords) with two-factor authentication tokens: a logged password is only worth what its next use buys, and a one-time code has no next use. (That does nothing about what a compromised kiosk can do during the live session, but it takes the reusable credential off the table.) This is how we offer Outlook Web Access now. However, RWW doesn't offer this same latitude. According to Microsoft's webcast on Remote Web Workplace, RADIUS is NOT supported in the tool. That's really too bad.
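To make the point above concrete, here is an added example (mine, not code from the original post, from Microsoft, or from any SBS component) of what the RADIUS back end that RWW cannot talk to would do. The client half hides the User-Password the way an RFC 2865 RADIUS client such as ISA or IAS does; the server half recovers it with the shared secret, validates it as an RFC 4226 HOTP one-time code, and burns the counter so the same code, replayed from another machine, is rejected. The shared secret, the user name "alice", the token seed (the RFC 4226 test-vector seed, standing in for a hardware token), and the 5-step look-ahead window are constructed assumptions; the real token scheme in a product like SecureComputing's may differ, and the server here returns only the response code rather than a full Access-Accept packet.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

SHARED_SECRET = b"example-radius-secret"   # assumed NAS <-> RADIUS shared secret (constructed)
TOKEN_SEED = b"12345678901234567890"       # RFC 4226 test-vector seed, stands in for a hardware token
DIGITS = 6
LOOKAHEAD = 5                              # how far the server resyncs a token whose counter ran ahead
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _md5_xor(data: bytes, secret: bytes, authenticator: bytes, encrypt: bool) -> bytes:
    """RFC 2865 5.2 keystream: each 16-byte chunk is XORed with MD5(secret + previous hidden chunk)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, mask))
        out += result
        prev = result if encrypt else chunk   # chaining always runs over the hidden (ciphertext) chunk
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What a RADIUS client does to User-Password before putting it on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_xor(padded, secret, authenticator, encrypt=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recompute the keystream from the shared secret, strip the null padding."""
    return _md5_xor(hidden, secret, authenticator, encrypt=False).rstrip(b"\x00")


def access_request(username: bytes, password: bytes, secret: bytes,
                   ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Minimal Access-Request: 4-byte header, 16-byte random Request Authenticator, two attributes."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


class OtpRadiusServer:
    """Validates User-Password as an HOTP code instead of a static password."""

    def __init__(self, secret: bytes, seeds: dict):
        self.secret = secret
        self.seeds = seeds                          # user -> token seed
        self.counters = {u: 0 for u in seeds}       # lowest counter still acceptable per user

    @staticmethod
    def parse(packet: bytes):
        code, ident, length = struct.unpack(">BBH", packet[:4])
        attrs, pos = {}, 20
        while pos + 2 <= min(length, len(packet)):
            atype, alen = packet[pos], packet[pos + 1]
            if alen < 2:
                break                               # malformed attribute: stop rather than loop forever
            attrs[atype] = packet[pos + 2:pos + alen]
            pos += alen
        return code, ident, packet[4:20], attrs

    def handle(self, packet: bytes) -> int:
        """Returns the response code; a real server would also build the Access-Accept/Reject packet."""
        code, _ident, authenticator, attrs = self.parse(packet)
        if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
            return ACCESS_REJECT
        user = attrs[ATTR_USER_NAME].decode(errors="replace")
        if user not in self.seeds:
            return ACCESS_REJECT
        submitted = reveal_password(attrs[ATTR_USER_PASSWORD], self.secret, authenticator)
        start = self.counters[user]
        for c in range(start, start + LOOKAHEAD):
            if hmac.compare_digest(hotp(self.seeds[user], c).encode(), submitted):
                self.counters[user] = c + 1         # this code and every earlier one are now burned
                return ACCESS_ACCEPT
        return ACCESS_REJECT


def keylogger_scenario() -> list:
    """Kiosk login, the captured code replayed from elsewhere, then the user's next token press."""
    server = OtpRadiusServer(SHARED_SECRET, {"alice": TOKEN_SEED})
    first, second = hotp(TOKEN_SEED, 0).encode(), hotp(TOKEN_SEED, 1).encode()
    return [
        server.handle(access_request(b"alice", first, SHARED_SECRET)),    # user types the code at the kiosk
        server.handle(access_request(b"alice", first, SHARED_SECRET)),    # keylogger's owner replays it later
        server.handle(access_request(b"alice", second, SHARED_SECRET)),   # user's next code still works
    ]
```

Calling keylogger_scenario() returns [2, 3, 2]: Access-Accept for the real login, Access-Reject for the replay, Access-Accept for the next code. Note that the look-ahead window is what lets a token drift a few presses ahead without locking the user out; the counter is only ever moved forward, never back, which is exactly what makes the replay fail.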

If you know anyone who has found a way around this, PLEASE LET ME KNOW. I would love to offer this service to my employees, but do not wish to do so until I can tie two-factor auth to the logon.

In the meantime, I am going to see if there is some way I can hack RADIUS support into RWW. If you happen to be an expert in RWW and know the ins and outs, why not drop me a line and let me know. Maybe I can make a solution that can help all SBSers out there.

Posted by SilverStr at March 27, 2005 08:37 PM
Comments

You are looking at this as a technology problem, when in fact it's an HR and procurement issue.

You say "Because I do not, and cannot trust the machines they are connecting in from. I cannot risk a keystroke logger on an Internet kiosk in a Kinkos. Or a web access workstation at an airport. Or a pay-as-you-go Internet system at a local coffee shop."

And neither do I. In our remote access instructions and manual I specifically state, and I have verbally discussed this with the people at the office, that they CANNOT use any of these devices EVER to connect to the firm.

Now, mind you, I do have an office full of 'information workers' that can be taught and trained, but the reality is that when someone travels "I" give them a firm laptop that I have patched and scanned before they go on the road. "I" make sure the firewall is in place.

For home connectivity either "I" have been to their houses or I know them well enough that they too are geeks to know that they have the proper protection.

In my office "we" buy antivirus/XP operating systems and anti-spyware, install it on the systems, and state that "I" have the right to examine their machines.

While I agree that RWW 'should' have two factor authentication for reasons that a good case of paranoia teaches us, your reasons for not using it virtually are a bit flawed.

Lay down the policy first, then the technology.

Posted by: Susan at March 27, 2005 09:03 PM

Hey Susan,

Good points here. But your primary premise as to why you don't completely agree with me is actually why I think it's even MORE paramount.

Although I talk about technology in my post, I am not looking at this as a technology problem. My reasons are the fact that this is a PEOPLE problem. The weakest link in security is the human factor, and no amount of written policy will prevent a user, in dire need of access to a company resource, from surrendering to their better judgement and connecting to the server from a 'buddy's' computer that is infested with spyware catching keystrokes. Or accessing that sales forecast while in the airport talking to a customer. It can very well happen. Even with the greatest of policy and the greatest of education and training.

At least, that is what my risk management strategy includes. Although you can never actually treat the end user like this, you must expect that they will do things against the given policy. It is only then that the technical safeguards you deploy to match your corporate information security policy will actually prove to work... or not.

In the face of this risk, the mitigation strategies I weigh show it is better to use other forms of access authentication than to open RWW if I cannot control the way in which they connect. In my case it would be better to allow them in via VPN from a machine I can trust and control. (NAP/NAC will be so nice when it's finally deployed.)

Every corporation will have their own tolerance levels for risk. In my case I don't believe that RWW offers enough protection for what it opens access to. I can simply offer the level of assurance I have by only allowing them access to OWA and TS through two-factor auth. If they want to access other resources, they will have to be combined with strong access policies (through static IPs or trusted VPN tunnels) and traditional auth. Nope, it's not perfect... but it's at a tolerance level I am willing to accept.

Of course, I haven't given up on RWW just yet. Hopefully I will find a way to get RADIUS plugged in! Let your fellow MVPs know about my issue... maybe they have some suggestions on how to plug it in!

Posted by: SilverStr at March 27, 2005 09:21 PM

I can't say I am familiar with SBS or RWW.

But the problem you're talking about is a very real one, and I agree it is difficult at best to actually *enforce* any HR policy one might set in this area. And unenforceable policies are, in my view, basically a waste of everyone's time.

Can't say I know how to hack around your issue. But I've been pretty interested in VMware's new ACE product (http://www.vmware.com/products/desktop/ace_features.html) - essentially the idea is that you create virtual machines for extranet use. ACE adds features to the basic VMware idea which makes such virtual machines pretty manageable.

I haven't actually tried it out. But what I'm wondering is, could a person build an ACE virtual machine image small enough to fit on a DVD, then configure MS' Network Access Quarantine Control (http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_aosh.asp) in such a way that only the ACE images you built could access your VPN?

It's a longshot, I know. And I'm not too sure about the overall costs involved.

Posted by: Bryan at March 28, 2005 02:25 AM

Is the risk mentioned in the blog about lack of support for RADIUS only a concern for RWW, or for OWA as well?

In today's environment, we're caught in the middle. People are going to demand the ability to access their email and files from wherever and whenever. All the employee procedures and policies in the world will still not prevent someone from using a computer at a friend's or parent's home on a holiday to check email via OWA or use RWW -- especially if there's an emergency at work.

Shoot, I've done it myself.

I had not even considered that RADIUS was not available for RWW/OWA. So, now that the light has been turned on, I am concerned about exactly how safe (or unsafe) my servers may actually be.

Posted by: Kevin at March 28, 2005 02:31 AM

RADIUS is available for OWA if you use the Forms Based Auth (FBA) available in ISA 2004. (Which will come native in SBS 2003 SP1, the latest service pack I am currently beta testing.) Further to this, many two-factor auth vendors have specific OWA solutions. In my case, I am currently evaluating SecureComputing's Premier Access, and they seem to support it both ways.

There is a knowledge base article about setting it up (http://support.microsoft.com/?kbid=884560), and there is also a good post by tristank over at: http://blogs.technet.com/tristank/archive/2005/02/08/368988.aspx

So in short Kevin, yes, RADIUS can be supported for OWA indirectly. And if you didn't want to use RADIUS, you can still apply two-factor auth directly to OWA if need be. My trick is that I want to auth to RWW and seamlessly connect to OWA. (Right now RWW passes credentials directly to OWA so you don't have to log on twice.)

Posted by: SilverStr at March 28, 2005 07:44 AM