Dial-up remote access security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can enhance dial-up remote access security through:

  • Strong authentication

  • Data encryption

Strong authentication

For authentication, use the strongest authentication scheme that is possible for your dial-up remote access configuration. The strongest authentication is the use of EAP-TLS with smart cards. For more information, see Using smart cards for remote access.

Otherwise, use MS-CHAP v2 authentication and enforce the use of strong passwords on your network. For more information, see MS-CHAP version 2.

Data encryption

For encryption, you can use either link encryption or end-to-end encryption:

  • Link encryption encrypts the data only on the link between the remote access client and the remote access server, or the two servers running Routing and Remote Access. For dial-up remote access connections, you must use Microsoft Point-to-Point Encryption (MPPE) in conjunction with either MS-CHAP or EAP-TLS authentication.

  • End-to-end encryption encrypts the data between the source host and its final destination. You can use IPSec to encrypt data from the remote access client to the destination host after the remote access connection is made.

To require encryption, clear the No Encryption option and select the appropriate encryption strengths on the Encryption tab of the remote access policy profile that is used by your dial-up remote access clients. For more information, see Configure encryption.
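The guidance above can be expressed as an audit over a policy profile. The following is an added example, not Microsoft's code or an IAS/RRAS export format: the dictionary layout, field names, function names and sample profiles are assumptions made for illustration.

```python
# Added example: audit a dial-up remote access policy profile against the
# guidance on this page. The profile layout and field names are hypothetical.

# Authentication methods MPPE can be paired with (MS-CHAP or EAP-TLS).
MPPE_CAPABLE = {"EAP-TLS", "MS-CHAP", "MS-CHAP v2"}
# Methods the page recommends, strongest first.
RECOMMENDED = ["EAP-TLS", "MS-CHAP v2"]


def audit_profile(profile):
    """Return a list of findings for one policy profile (empty means clean)."""
    findings = []
    auth = set(profile["auth_methods"])
    enc = set(profile["encryption"])

    if "No Encryption" in enc:
        findings.append("No Encryption is selected: clients may connect unencrypted")
    if not enc - {"No Encryption"}:
        findings.append("no encryption strength is selected")

    weak = sorted(auth - set(RECOMMENDED))
    if weak:
        findings.append("authentication weaker than MS-CHAP v2 is permitted: " + ", ".join(weak))
    if not auth & set(RECOMMENDED):
        findings.append("neither EAP-TLS nor MS-CHAP v2 is enabled")

    # Encryption is required but no enabled method can be paired with MPPE,
    # so no dial-up client could satisfy this profile.
    if "No Encryption" not in enc and not auth & MPPE_CAPABLE:
        findings.append("encryption is required but no enabled method supports MPPE")
    return findings


def strongest_method(profile):
    """Return the strongest recommended method the profile enables, or None."""
    for method in RECOMMENDED:
        if method in profile["auth_methods"]:
            return method
    return None


# Constructed sample profiles (encryption labels are illustrative).
WEAK = {"auth_methods": ["PAP", "MS-CHAP", "MS-CHAP v2"],
        "encryption": ["No Encryption", "Basic", "Strong", "Strongest"]}
HARDENED = {"auth_methods": ["EAP-TLS", "MS-CHAP v2"],
            "encryption": ["Strong", "Strongest"]}
BROKEN = {"auth_methods": ["PAP"], "encryption": ["Strongest"]}

if __name__ == "__main__":
    for name, p in (("weak", WEAK), ("hardened", HARDENED), ("broken", BROKEN)):
        print(name, strongest_method(p), audit_profile(p))
```

The BROKEN profile shows the interaction between the two sections: requiring encryption while permitting only a method that cannot be paired with MPPE leaves no way for a client to connect.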