Enhanced security through VPN

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Virtual private network (VPN) connections that are enabled with Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) are authenticated by using Point-to-Point Protocol (PPP) user-level authentication methods. For PPTP connections, you can use only the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2 (MS-CHAP v2), or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). For L2TP connections, you can use any PPP authentication protocol because the PPP authentication message exchange is encrypted with Internet Protocol Security (IPSec); however, MS-CHAP, MS-CHAP v2, or EAP-TLS is recommended.

For the most secure PPTP VPN connections, do the following:

  • Use EAP-TLS with user certificates or smart cards.

  • Require the use of the strongest possible encryption.

  • Use a remote access policy to define who can make a PPTP connection based on group membership (if you are using the Routing and Remote Access service).

  • Configure PPTP packet filters on your firewall interfaces and VPN server interfaces.

For security reasons, use either EAP-TLS or MS-CHAP v2 for PPTP connections. If using EAP-TLS is not feasible, use MS-CHAP v2.
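The remote access policy described above can be thought of as an ordered set of conditions that a connection request must satisfy before the server accepts it. The following is an added example, not code from the Windows Server 2003 documentation or from the Routing and Remote Access service: it models the PPTP policy the page recommends (group membership, permitted authentication protocol, strongest encryption) and, as a generalization, applies the same conditions to L2TP. The group name "VPN Users", the encryption labels, and the request fields are constructed for the example and are not RRAS identifiers.

```python
"""Remote access policy check for VPN connection requests (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Authentication protocols accepted per tunnel type, following the page's
# recommendation: PPTP gets only EAP-TLS or MS-CHAP v2; L2TP also admits MS-CHAP
# because its PPP exchange is already protected by IPSec.
ALLOWED_AUTH = {
    "PPTP": frozenset({"EAP-TLS", "MS-CHAP v2"}),
    "L2TP": frozenset({"EAP-TLS", "MS-CHAP v2", "MS-CHAP"}),
}

# "Strongest possible encryption" per tunnel type. These labels are an
# assumption made for the example (MPPE 128-bit for PPTP, Triple DES for
# L2TP/IPSec); they are not configuration values from the page.
STRONGEST_ENCRYPTION = {"PPTP": "MPPE-128", "L2TP": "3DES"}


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    groups: FrozenSet[str]   # group memberships supplied by the directory
    tunnel: str              # "PPTP" or "L2TP"
    auth: str                # negotiated PPP authentication protocol
    encryption: str          # negotiated encryption level


def evaluate_policy(req: ConnectionRequest, vpn_group: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Every condition must hold. The first failing condition is reported so an
    administrator can see which requirement the client did not meet.
    """
    if req.tunnel not in ALLOWED_AUTH:
        return False, f"unsupported tunnel type {req.tunnel!r}"
    if vpn_group not in req.groups:
        return False, f"{req.user} is not a member of {vpn_group}"
    if req.auth not in ALLOWED_AUTH[req.tunnel]:
        return False, f"{req.auth} is not permitted for {req.tunnel}"
    required = STRONGEST_ENCRYPTION[req.tunnel]
    if req.encryption != required:
        return False, f"encryption {req.encryption} is weaker than required {required}"
    return True, f"{req.user}: {req.tunnel} with {req.auth}, {req.encryption}"


if __name__ == "__main__":
    # Constructed sample requests; users and groups are fictional.
    samples = [
        ConnectionRequest("alice", frozenset({"VPN Users", "Finance"}), "PPTP", "EAP-TLS", "MPPE-128"),
        ConnectionRequest("bob", frozenset({"VPN Users"}), "PPTP", "MS-CHAP", "MPPE-128"),
        ConnectionRequest("carol", frozenset({"Finance"}), "L2TP", "MS-CHAP v2", "3DES"),
        ConnectionRequest("dave", frozenset({"VPN Users"}), "L2TP", "MS-CHAP v2", "DES"),
    ]
    for request in samples:
        print(evaluate_policy(request, "VPN Users"))
```

The check order matters in practice: group membership is tested before the authentication and encryption profile, so a user outside the VPN group is rejected without the server ever evaluating how the client negotiated the session.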

For the most secure L2TP VPN connections, do the following:

  • Use EAP-TLS with user certificates or smart cards.

  • Require the use of the strongest possible encryption.

  • Use a remote access policy to define who can make an L2TP connection based on group membership (if you are using the Routing and Remote Access service).

  • Configure IPSec or L2TP packet filters on your firewall interfaces and VPN server interfaces.
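The last item of each checklist above (PPTP packet filters, and IPSec or L2TP packet filters) amounts to a default-deny allow-list on the VPN server's Internet-facing interface that admits only the traffic each tunnel type needs. The following is an added example, not code from the Windows Server 2003 documentation or from any firewall product: it encodes those allow-lists and evaluates constructed sample packets against them. The protocol numbers and ports are the standard assignments (TCP 1723 and GRE for PPTP; UDP 500, UDP 4500 and ESP for L2TP/IPSec); the addresses are constructed for the example.

```python
"""Default-deny packet-filter model for a VPN server interface (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# IP protocol numbers (standard IANA assignments).
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP tunnelled PPP data
PROTO_ESP = 50   # IPSec ESP, which carries the L2TP traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None for GRE/ESP, which have no ports


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]          # None means the protocol has no port to match
    note: str


def pptp_filters() -> List[Rule]:
    """Inbound filters for a PPTP VPN server interface."""
    return [
        Rule(PROTO_TCP, 1723, "PPTP control connection"),
        Rule(PROTO_GRE, None, "PPTP data (GRE)"),
    ]


def l2tp_ipsec_filters() -> List[Rule]:
    """Inbound filters for an L2TP/IPSec VPN server interface.

    UDP 1701 is deliberately absent: L2TP rides inside ESP, so only the IPSec
    negotiation and the ESP payload need to reach the interface.
    """
    return [
        Rule(PROTO_UDP, 500, "IKE"),
        Rule(PROTO_UDP, 4500, "IPSec NAT traversal"),
        Rule(PROTO_ESP, None, "IPSec ESP"),
    ]


def evaluate(packet: Packet, vpn_server_ip: str, rules: List[Rule]) -> Tuple[bool, str]:
    """Default deny: a packet passes only if it is addressed to the VPN server
    and matches one rule's protocol (and port, where the protocol has one)."""
    if ip_address(packet.dst) != ip_address(vpn_server_ip):
        return False, "not addressed to the VPN server"
    for rule in rules:
        if rule.proto == packet.proto and (rule.dport is None or rule.dport == packet.dport):
            return True, rule.note
    return False, "no matching filter"


if __name__ == "__main__":
    server = "198.51.100.10"   # constructed documentation address
    client = "203.0.113.5"     # constructed documentation address
    samples = [
        Packet(client, server, PROTO_TCP, 1723),   # PPTP control: allowed on PPTP
        Packet(client, server, PROTO_GRE),         # PPTP data: allowed on PPTP
        Packet(client, server, PROTO_UDP, 1701),   # bare L2TP: denied everywhere
        Packet(client, server, PROTO_TCP, 445),    # file sharing: denied everywhere
        Packet(client, "198.51.100.11", PROTO_ESP) # ESP to another host: denied
    ]
    for name, rules in (("PPTP", pptp_filters()), ("L2TP/IPSec", l2tp_ipsec_filters())):
        for p in samples:
            print(name, p.proto, p.dport, evaluate(p, server, rules))
```

Running the two rule sets against the same packets shows why the page separates the PPTP and L2TP recommendations: a server that offers only one tunnel type can drop the other type's control and data traffic outright, and unrelated services on the same interface never match.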

In some environments, data is so sensitive that it needs to be hidden from the majority of corporate users. Finance data and human resources data are examples of this type of data. Corporations can place the servers that store such data on a separate network segment that is connected to the corporate network only through a VPN server. Authorized users establish a VPN connection to the VPN server, and then they can access the protected resources. All communication across the VPN connection is encrypted in order to ensure data confidentiality. Users who are not authorized to establish a VPN connection with the VPN server cannot see the hidden server or its resources.

For information about creating a VPN connection, see Make a virtual private network (VPN) connection.