VPN best practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Best practices

  • Use the virtual private network (VPN) server to allocate IP address leases to remote access clients.

    If your VPN server handles more than 20 concurrent remote access connections, then use the VPN server to allocate IP address leases to remote access clients. When you create the IP address pool on the VPN server, be certain not to allocate addresses already in use by DHCP servers on your network.

    If you did not install a DHCP server, and you have a single subnet with computers configured with static IP addresses, configure the VPN server with an IP address pool that is a subset of addresses for the subnet to which the VPN server is attached. For more information, see Create a static IP address pool.
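The overlap the text warns about can be checked before the pool is committed. The following is an added example, not code from the Windows Server 2003 documentation: given the subnet the VPN server is attached to and the ranges each DHCP server already leases (all constructed sample values here), it reports any address in a proposed static pool that falls outside the subnet, lands on the network or broadcast address, or collides with a DHCP scope.

```python
"""Check a proposed static IP address pool for a VPN server against the DHCP
scopes already in use on the subnet.

Added example, not from the Windows Server 2003 documentation. The subnet and
DHCP scope values are constructed sample data.
"""
import ipaddress

# Constructed sample data: the subnet the VPN server is attached to, and the
# address range each DHCP server on that subnet already leases out.
VPN_SUBNET = ipaddress.ip_network("192.168.10.0/24")
DHCP_SCOPES = [
    ("dhcp-a", "192.168.10.50", "192.168.10.150"),
    ("dhcp-b", "192.168.10.160", "192.168.10.180"),
]


def expand_range(start, end):
    """Return the set of addresses from start to end, inclusive."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return {first + i for i in range(int(last) - int(first) + 1)}


def check_static_pool(pool_start, pool_end, subnet=VPN_SUBNET, scopes=DHCP_SCOPES):
    """Return a list of problems with the pool; an empty list means it is safe.

    A pool is safe when every address is a usable host address of the VPN
    server's subnet and none of them lies inside a DHCP scope.
    """
    problems = []
    pool = expand_range(pool_start, pool_end)

    # Addresses that are not on the subnet the VPN server is attached to.
    outside = sorted(a for a in pool if a not in subnet)
    if outside:
        problems.append(f"{len(outside)} address(es) outside {subnet}, first {outside[0]}")

    # The network and broadcast addresses are never valid client leases.
    reserved = pool & {subnet.network_address, subnet.broadcast_address}
    if reserved:
        problems.append("pool includes the network or broadcast address: "
                        + ", ".join(str(a) for a in sorted(reserved)))

    # Any address a DHCP server may also hand out would cause a duplicate lease.
    for name, scope_start, scope_end in scopes:
        overlap = pool & expand_range(scope_start, scope_end)
        if overlap:
            problems.append(f"{len(overlap)} address(es) overlap DHCP scope {name}, "
                            f"first {min(overlap)}")
    return problems


if __name__ == "__main__":
    for start, end in [("192.168.10.200", "192.168.10.220"),
                       ("192.168.10.140", "192.168.10.165")]:
        result = check_static_pool(start, end)
        print(f"{start}-{end}: {'OK' if not result else '; '.join(result)}")
```

Run it with the actual subnet and the scope ranges exported from each DHCP server; a non-empty result means the pool must be moved or the scopes must be shrunk before the VPN server is allowed to lease from it.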

  • Use strong authentication.

    • Use strong passwords that are more than 8 characters long and that contain a mixture of uppercase and lowercase letters, numbers, and permitted punctuation. Do not use passwords based on names or words. Strong passwords are more resistant to a dictionary attack, where an unauthorized user attempts to determine a password by sending a series of commonly used names and words.

    • Although EAP-TLS works with registry-based user certificates, it is highly recommended that you use only EAP-TLS with smart cards for remote access VPN connections. Because smart cards are distributed to trusted users and require a personal identification number (PIN), they are more secure than registry-based user certificates.

    • If you are using password-based user authentication, then use MS-CHAP version 2. You can obtain the latest MS-CHAP updates for VPN clients running Windows NT 4.0, Windows 95, or Windows 98 from Microsoft. For more information, see MS-CHAP version 2.
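The password rules in the first point above (longer than 8 characters, mixed case, numbers, punctuation, not based on names or words) can be enforced before a remote access account is created. The following is an added example, not code from the Windows Server 2003 documentation; its word list is a constructed sample standing in for the full dictionary and local names a real check would use, and the substitution table is an assumption about how dictionary-attack word lists are typically expanded.

```python
"""Check a candidate password against the strong-password rules for remote
access accounts.

Added example, not from the Windows Server 2003 documentation. The word list is
a constructed sample; a real check would use a full dictionary plus the names
used in the organisation.
"""
import string

# Constructed sample of names and words a dictionary attack would try first.
COMMON_WORDS = {"password", "welcome", "summer", "contoso", "admin", "alice", "london"}

# Assumed common substitutions; undoing them means "P@ssw0rd" is still judged
# to be the word "password".
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Lowercase the password and undo the substitutions before the word check."""
    return password.lower().translate(_SUBSTITUTIONS)


def password_problems(password, words=COMMON_WORDS):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) <= 8:
        problems.append("must be more than 8 characters long")

    # Which punctuation is permitted depends on the system; string.punctuation
    # is used here as the assumed permitted set.
    classes = {
        "uppercase letters": any(c.isupper() for c in password),
        "lowercase letters": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Reject passwords built around a name or word, even with substitutions.
    base = normalize(password)
    hits = sorted(w for w in words if len(w) >= 4 and w in base)
    if hits:
        problems.append("based on a name or word: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Summer2023!", "xK7#qPm2vL9"]:
        result = password_problems(candidate)
        print(f"{candidate}: {'OK' if not result else '; '.join(result)}")
```

The word check runs on the normalized form, so a password that meets every character-class rule on paper is still rejected when it is a dictionary word with a few characters swapped, which is exactly the class of password a dictionary attack reaches quickly.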

  • Use strong encryption.

    Use the strongest level of encryption that your situation allows. The levels of encryption that are available when configuring the profile properties of a remote access policy are: Basic, Strong, and Strongest. For more information, see Configure encryption and Elements of a remote access policy.