T 3.42 Insecure configuration of RAS clients

The security of the RAS system depends both on the secure configuration of the RAS server and also on the RAS client. Even if the configuration of the server is under the full control of an administrator, the RAS clients will often be outside of the organisation. This means that the computer can only loosely be included in administrative processes. Especially where mobile RAS clients are used, users can also be given certain administrative rights to enable them to resolve problems with RAS access by changing the RAS configuration parameters, either by themselves or by being guided over the telephone.

The limited ability of the system administrators to exercise control over RAS clients may result in these being insecurely configured. Examples are:

• Browsers are frequently not at all straightforward to configure, and often this results in incorrect settings. If security mechanisms are disabled (e.g. Java, JavaScript and/or ActiveX are activated), it is possible for unreliable software to get onto the client.

• Another problem is the installation of non-permitted software on the RAS client, as this may contain security loopholes or allow the introduction of computer viruses or Trojan horses.

• Often RAS users will fail to make proper use of the available security mechanisms are or else they will make the wrong settings (see also T 5.91 Disabling of RAS access security mechanisms).

• Other problems may arise if incompatible authentication mechanisms are used between RAS client and RAS server. Thus, for example, the authentication protocol MS-CHAP of a Windows 3.11 RAS client is incompatible with the MS-CHAP protocol of a Windows NT 4.0 server. The result is that the client cannot establish a connection with the server