Peer-to-Peer Questions #3: PPTP and Drafting Security Policy

Monday, May 10, 1999

Editor's Note: This article, culled from the TechNet Web site (https://www.microsoft.com/technet), answers the most interesting questions received on the peer-to-peer discussion groups over the past few weeks. To post your own questions, visit the TechNet discussion groups at https://www.microsoft.com/technet/community/newsgroups/default.mspx.

Greetings and welcome back to the TechNet Peer Forum column, where I answer the most frequently asked discussion group questions. I am writing to you from my office in the heart of Microsoft's campus, where I have been sipping a cup of northwest Joe and pondering network security. You may decide that this piece should be sub-titled "Devon Does Security," but I feel this has important implications on the future of Information Technology. So here goes:

Point-to-Point Tunneling Protocol (PPTP) isn't exactly a term that rolls off the tongue. So what exactly is it? And how do you get started? As telecommuting grows, so does the need for IT professionals to implement this technology. But don't fear -- Devon is here.

Q: My company wants to support PPTP for dialup connections to our network. I have never worked with PPTP before and I am wondering what resources are available to help me resolve the common difficulties I might encounter while setting it up.

A: First, a definition. Point-to-Point Tunneling Protocol (PPTP) carries PPP frames from a remote client to a private enterprise server across any TCP/IP-based data network, creating a virtual private network (VPN) over infrastructure you do not control. Because the payload is PPP, PPTP supports multiple network protocols (IP, IPX, and NetBEUI), and it works over public and private networks alike: dial-up lines, local area networks (LANs), wide area networks (WANs), or the Internet and other public TCP/IP networks. One caveat worth stating up front: the tunnel itself is only an envelope. The confidentiality and authentication of the link come from the PPP authentication method and the encryption the RAS server is configured to require, so those settings deserve as much attention as the tunnel setup itself.

If you're looking for great information on PPTP, you've come to the right place. Here are four great articles:

  • Chapter 11 - Point-To-Point Tunneling Protocol (PPTP) : An introduction to the applications, benefits and security considerations of using PPTP to create a VPN via the Internet. Also contains instructions on the setup of PPTP on a RAS server.

  • Point-to-Point Tunneling Protocol (PPTP) FAQ: Contains some valuable nuggets of information specific to PPTP and its implementation, as well as security and interoperability.

  • Q162847: Troubleshooting PPTP Connectivity Issues in Windows NT 4.0: A gem from Microsoft's exhaustive Knowledge Base (KB), this article offers tips on troubleshooting PPTP Connections on Windows NT 4.0 machines (as the name implies). In addition to providing a detailed outline of PPTP setup, it also includes links to several other PPTP-specific troubleshooting articles in the KB.

  • From Support Online check out: Install the PPTP Protocol at https://www.microsoft.com/ntserver/support/faqs/top10.asp and How to: Set up a private network (VPN) over the Internet with PPTP at https://www.microsoft.com/ntserver/support/faqs/top10.asp.
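As an added worked example (it is not part of the original column, nor code from Microsoft's RAS implementation), here is a small Python module that builds and parses the first two messages of a PPTP control connection as defined in RFC 2637: the client's Start-Control-Connection-Request and the server's Start-Control-Connection-Reply. It also records the two facts behind most "PPTP won't connect through the firewall" tickets: the control channel is TCP port 1723, and the tunnelled PPP frames ride in GRE (IP protocol 47), which a packet filter between client and server must explicitly allow. The host and vendor names used in the demo are constructed sample values.

```python
"""Encoder/decoder for the PPTP control-connection handshake (RFC 2637).

PPTP uses a TCP control channel (port 1723) to negotiate the tunnel and
then carries PPP frames in GRE (IP protocol 47).  A firewall that passes
only TCP 1723 lets the handshake succeed and then breaks the data path,
which is one of the most common PPTP setup failures.
"""
import struct

PPTP_PORT = 1723            # TCP control channel
GRE_PROTOCOL = 47           # IP protocol number carrying the tunnelled PPP frames
MAGIC_COOKIE = 0x1A2B3C4D   # every control message starts with this constant
PROTOCOL_VERSION = 0x0100   # PPTP version 1.0

MSG_TYPE_CONTROL = 1        # PPTP Message Type: control message
CTRL_SCCRQ = 1              # Start-Control-Connection-Request (client -> server)
CTRL_SCCRP = 2              # Start-Control-Connection-Reply   (server -> client)

FRAMING_ASYNC, FRAMING_SYNC = 1, 2
BEARER_ANALOG, BEARER_DIGITAL = 1, 2

# Result codes carried in an SCCRP (RFC 2637, section 2.2)
SCCRP_RESULTS = {
    1: "successful channel establishment",
    2: "general error",
    3: "command channel already exists",
    4: "requester is not authorized to establish a command channel",
    5: "protocol version not supported",
}

# Fixed 12-byte header shared by all control messages:
#   length, message type, magic cookie, control message type, reserved0
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved1, framing caps, bearer caps, max channels,
#             firmware revision, host name (64), vendor string (64)
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: same layout, but reserved1 is split into result code + error code
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")


def _fixed(text, size=64):
    """Encode a host/vendor string into a NUL-padded fixed-width field."""
    raw = text.encode("ascii")
    if len(raw) > size:
        raise ValueError("field longer than %d bytes" % size)
    return raw.ljust(size, b"\0")


def _frame(ctrl_type, body):
    """Prepend the control header, filling in the total message length."""
    return HEADER.pack(HEADER.size + len(body), MSG_TYPE_CONTROL,
                       MAGIC_COOKIE, ctrl_type, 0) + body


def build_sccrq(hostname, vendor="", framing=FRAMING_ASYNC | FRAMING_SYNC,
                bearer=BEARER_ANALOG | BEARER_DIGITAL, max_channels=1, firmware=0):
    """Client side: the request that opens a control connection."""
    body = SCCRQ_BODY.pack(PROTOCOL_VERSION, 0, framing, bearer, max_channels,
                           firmware, _fixed(hostname), _fixed(vendor))
    return _frame(CTRL_SCCRQ, body)


def build_sccrp(result, error=0, hostname="", vendor="",
                framing=FRAMING_ASYNC | FRAMING_SYNC,
                bearer=BEARER_ANALOG | BEARER_DIGITAL, max_channels=1, firmware=0):
    """Server side: the reply, with result code 1 meaning 'accepted'."""
    body = SCCRP_BODY.pack(PROTOCOL_VERSION, result, error, framing, bearer,
                           max_channels, firmware, _fixed(hostname), _fixed(vendor))
    return _frame(CTRL_SCCRP, body)


def parse_header(data):
    """Validate one complete control message's header; return its control type.

    Anything a peer should reject (bad cookie, wrong message type, length field
    that does not match the bytes received) raises ValueError.
    """
    if len(data) < HEADER.size:
        raise ValueError("short header")
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08X" % cookie)
    if msg_type != MSG_TYPE_CONTROL:
        raise ValueError("unexpected PPTP message type %d" % msg_type)
    if length != len(data):
        raise ValueError("length field %d != %d bytes received" % (length, len(data)))
    return ctrl_type


def is_valid_control_message(data):
    """Boolean wrapper around parse_header for callers that just want yes/no."""
    try:
        parse_header(data)
        return True
    except ValueError:
        return False


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply into a dict of named fields."""
    if parse_header(data) != CTRL_SCCRP:
        raise ValueError("not an SCCRP")
    (version, result, error, framing, bearer, max_channels, firmware,
     host, vendor) = SCCRP_BODY.unpack_from(data, HEADER.size)
    return {
        "version": version, "result": result, "error": error,
        "result_text": SCCRP_RESULTS.get(result, "unknown result %d" % result),
        "framing": framing, "bearer": bearer, "max_channels": max_channels,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def demo():
    """Walk both sides of the handshake with constructed sample names."""
    request = build_sccrq("telecommuter-pc", "example client")   # constructed
    assert parse_header(request) == CTRL_SCCRQ
    reply = build_sccrp(1, hostname="ras-server", vendor="example server")  # constructed
    return parse_sccrp(reply)


if __name__ == "__main__":
    print(demo())
```

The length check in parse_header is deliberately strict: it assumes the caller hands it exactly one message. A real client reading from the TCP stream would first take the two-byte length field and then read that many bytes before parsing, which is also where a server should stop trusting a peer that sends a length smaller than the 12-byte header.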

Q: I have just been assigned the task of compiling the end-user security policies and procedures for all of the users of our corporate Intranet. Are there any resources at Microsoft or somewhere on the Web that I can use to help me create this document?

A: Let me begin by suggesting The Computer Security Resource Clearinghouse (CSRC) [ https://csrc.nist.gov/publications/welcome.html ], where such resources can be downloaded.

Two recently conducted studies report that losses experienced by Fortune 100 companies as a result of computer break-ins were higher last year than ever before, despite increased spending on computer security measures. A study by the Computer Security Institute and the FBI estimates 1997 losses from computer crime at $136 million, up 36% from 1996. About half the respondents cited the Internet as a frequent point of attack; the remainder cited internal corporate networks as the favored break-in point. Given this, I would highly suggest the three guides listed below for anyone tasked with writing end-user guidance on information security. Go to https://csrc.nist.gov/nistpubs/ and look for the following:

  • Computer Users' Guide to the Protection of Information Resources (SP 500-171)

  • Management Guide to the Protection of Information Resources (SP 500-170)

  • Executive Guide to the Protection of Information Resources (SP 500-169)

Written by the National Institute of Standards and Technology (NIST), these guides address the specifics of end user policies and procedures for Federal IT users, managers and executives. NIST is responsible for developing standards, providing technical assistance, and conducting research for computers and related systems – activities that provide technical support to government and industry in the effective, safe, and economical use of computers. NIST's mission also includes the development of standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems.

The CSRC homepage (https://csrc.nist.gov/) can help you become acquainted with computer security standards as compiled by the U.S. Federal Government. Some of the information may be well known to individuals who work in the field of IT, but it still makes a handy refresher. The CSRC homepage includes links to the Federal Computer Incident Response Capability (https://www.fedcirc.gov/), the centralized coordinating facility that unites common security and incident response elements from the Federal government, law enforcement, academia and private industry to address threats to components of their critical infrastructures.

Computer system integrity and security should be a paramount concern not only for those who dwell in the world of IT, but also for those whose only connection with the world of computer security is the password(s) they use on every single system they access. A PPTP tunnel or any other VPN protects data only while it is in transit; it does nothing to ensure that the user at the far end understands the sensitivity of the data he or she is able to reach, which is why end-user policies and procedures must be clearly in place.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.