Force VPN clients to use strongest encryption

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this example, the network administrator is managing authorization by using groups. All user accounts have the Remote Access Permission (Dial-in or VPN) option set to Control access through Remote Access Policy.

The network administrator wants all virtual private network (VPN) clients (members of the group VPNClients) to use strong encryption. For PPTP connections, 128-bit Microsoft Point-to-Point Encryption (MPPE) must be used. For L2TP over IPSec connections, Triple DES (3DES) must be used. After remote access permission is set for all user accounts, the administrator completes the following steps:

  1. Use the New Remote Access Policy Wizard to create a common VPN policy with the following settings:

    • Policy name: VPN access with strongest encryption

    • Access Method: VPN access

    • User or Group: Select Group, and then specify the VPNClients group (example).

    • Authentication methods: Select Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication.

    • Policy Encryption Level: Select the Strongest encryption (IPSec triple DES or MPPE 128-bit) check box, and then clear all other check boxes.

      For more information, see Add a remote access policy.

  2. Delete the default policies.

    For more information, see Delete a remote access policy.