Remote Access Data encryption

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Data encryption

You can use data encryption to protect the data that is sent between the remote access client and the remote access server. Data encryption is important for anyone who wants or needs secure data transfer, including financial institutions, law-enforcement and government agencies, and corporations. For installations where data confidentiality is required, the network administrator can set the remote access server to require encrypted communications. Users who connect to that server must encrypt their data or the connection attempt is denied.

For dial-up networking connections, you can protect your data by encrypting it on the communications link between the remote access client and the remote access server. You should use data encryption when there is a risk of unauthorized interception of transmissions on the communications link between the remote access client and the remote access server. For dial-up networking connections, Routing and Remote Access uses Microsoft Point-to-Point Encryption (MPPE).

For virtual private networking connections, you can protect your data by encrypting it between the ends of the virtual private network (VPN). You should always use data encryption for VPN connections when private data is sent across a public network such as the Internet, where there is always a risk of unauthorized interception. For VPN connections, Routing and Remote Access uses MPPE with the Point-to-Point Tunneling Protocol (PPTP) and IP Security (IPSec) encryption with the Layer Two Tunneling Protocol (L2TP).

Because data encryption is performed between the VPN client and VPN server, it is not necessary to use data encryption on the communication link between a dial-up client and its Internet service provider (ISP). For example, a mobile user uses a dial-up networking connection to dial in to a local ISP. Once the Internet connection is made, the user creates a VPN connection with the corporate VPN server. If the VPN connection is encrypted, there is no need to use encryption on the dial-up networking connection between the user and the ISP.

MPPE and IPSec are configured on the Encryption tab on the properties of a remote access policy to use 40-bit (the Basic setting), 56-bit (the Strong setting), or 128-bit (the Strongest setting) encryption keys. You should use 40-bit encryption keys to connect with older operating systems that do not support 56-bit or 128-bit encryption keys. Otherwise, use 56-bit encryption keys. Encryption keys are determined at the time of the connection. MPPE requires the use of the MS-CHAP (v1 or v2) or EAP-TLS authentication protocols.

Notes

  • Data encryption for PPP or PPTP connections is available only if MS-CHAP (v1 or v2) or EAP-TLS is used as the authentication protocol. Data encryption for L2TP connections relies on IPSec, which does not require any specific authentication protocol.

  • Remote access data encryption does not provide end-to-end data encryption. End-to-end encryption is data encryption between the client application and the server that hosts the resource or service being accessed by the client application. To get end-to-end data encryption, use IPSec to create a secure connection after the remote access connection has been made.
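As an added illustration (not code from the original documentation or from Routing and Remote Access itself), the following Python script models the encryption decision the text above describes: the three Encryption tab settings and their key lengths, the rule that MPPE can only derive keys when MS-CHAP (v1 or v2) or EAP-TLS authenticates the connection, the rule that L2TP relies on IPSec regardless of authentication protocol, and the server denying connections when encryption is required but cannot be negotiated. The `RemoteAccessPolicy` and `ConnectionAttempt` structures, the `require_encryption` flag and the `evaluate` and `audit` functions are assumptions of this model, not RRAS APIs; the sample attempts are constructed.

```python
"""Model of the remote access encryption decision described on this page.

This is a constructed illustration, not RRAS code: the policy and connection
structures and the evaluate()/audit() functions are assumptions of the model.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Encryption tab settings and the key lengths the page assigns to them.
ENCRYPTION_LEVELS = {"Basic": 40, "Strong": 56, "Strongest": 128}

# MPPE can only derive session keys when one of these protocols authenticates.
MPPE_AUTH_PROTOCOLS = frozenset({"MS-CHAP", "MS-CHAP v2", "EAP-TLS"})


@dataclass(frozen=True)
class RemoteAccessPolicy:
    """Server-side settings (assumed shape) taken from a remote access policy."""
    require_encryption: bool            # deny connections that cannot encrypt
    allowed_levels: FrozenSet[str]      # Encryption tab settings that are ticked


@dataclass(frozen=True)
class ConnectionAttempt:
    """What the client offers when it connects (assumed shape)."""
    tunnel: str                         # "dial-up", "PPTP" or "L2TP"
    auth_protocol: str                  # e.g. "MS-CHAP v2", "EAP-TLS", "PAP"
    supported_key_bits: FrozenSet[int]  # key lengths the client OS supports


def evaluate(policy: RemoteAccessPolicy,
             attempt: ConnectionAttempt) -> Tuple[bool, Optional[int], str]:
    """Return (accepted, negotiated key length or None, reason)."""
    if attempt.tunnel == "L2TP":
        # L2TP relies on IPSec, which does not depend on the PPP auth protocol.
        mechanism = "IPSec"
    else:
        # Dial-up and PPTP use MPPE, which needs MS-CHAP (v1/v2) or EAP-TLS keys.
        mechanism = "MPPE"
        if attempt.auth_protocol not in MPPE_AUTH_PROTOCOLS:
            if policy.require_encryption:
                return (False, None,
                        f"denied: {attempt.auth_protocol} gives MPPE no keys")
            return True, None, "accepted without encryption (not required)"

    # Key length is determined at connection time: the strongest setting
    # enabled in the policy that the client also supports.
    common = [bits for name, bits in ENCRYPTION_LEVELS.items()
              if name in policy.allowed_levels
              and bits in attempt.supported_key_bits]
    if not common:
        if policy.require_encryption:
            return False, None, "denied: no key length acceptable to both sides"
        return True, None, "accepted without encryption (not required)"
    chosen = max(common)
    return True, chosen, f"accepted: {mechanism} with {chosen}-bit keys"


def audit(policy: RemoteAccessPolicy,
          attempts: List[ConnectionAttempt]) -> List[Tuple[ConnectionAttempt, str]]:
    """Return the attempts the policy would reject, each with its reason."""
    rejected = []
    for attempt in attempts:
        accepted, _, reason = evaluate(policy, attempt)
        if not accepted:
            rejected.append((attempt, reason))
    return rejected


if __name__ == "__main__":
    # Constructed sample attempts, not captured data.
    policy = RemoteAccessPolicy(require_encryption=True,
                                allowed_levels=frozenset({"Strong", "Strongest"}))
    samples = [
        ConnectionAttempt("PPTP", "MS-CHAP v2", frozenset({40, 56, 128})),
        ConnectionAttempt("dial-up", "MS-CHAP", frozenset({40})),  # older OS
        ConnectionAttempt("PPTP", "PAP", frozenset({128})),
        ConnectionAttempt("L2TP", "PAP", frozenset({56})),
    ]
    for attempt in samples:
        print(attempt.tunnel, attempt.auth_protocol, "->", evaluate(policy, attempt)[2])
```

Running the script shows the trade-off the text describes: with only Strong and Strongest ticked, a client that supports nothing above 40-bit keys is refused, so an administrator who must still serve such clients has to tick Basic (and accept the weaker keys) or leave encryption optional, and a PAP-authenticated PPTP client is refused even though it supports 128-bit keys, because MPPE has no keys to work with.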