Any suggestions? Export (0) Print
Expand All

Planning Security for a VPN

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Because a dial-up networking solution provides a secure data path over a circuit-switched connection, security is not a critical issue in your design for a dial-up remote access solution. In contrast, a VPN remote access solution routes data over a packet-switched connection that does not intrinsically provide the same level of security. Therefore, security is an important part of your VPN remote access server design.

The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.

In designing security for your VPN remote access server solution, perform the following tasks:

  • Select a VPN protocol.

  • Select authentication protocols.

  • Select the scope and level of encryption.

  • If needed, plan a certificate infrastructure to support client authentication for remote access.

  • Optionally, plan for Network Access Quarantine Control.

  • Optionally, enhance security by using remote access account lockout.


  • You can increase the security and manageability of your remote access server solution by using IAS to centralize VPN or dial-up networking authentication, authorization, and accounting. In operating systems in the Windows 2000 Server family, IAS is an implementation of a RADIUS server; in Windows Server 2003, IAS is an implementation of a RADIUS server and proxy. For information about designing and deploying Internet Authentication Service (IAS), see "Deploying Internet Authentication Service (IAS)" in this book.

Community Additions

© 2015 Microsoft