Certificates...Pre Shared or Not

Thread starter: Bryan Dearlove

Bryan Dearlove

Good Morning!

Got a (hopefully) easy one. If I set up a Windows 2003 VPN using pre-shared
keys, can more than Windows 2003 and XP clients connect to it? The website I
read said that, but it can't be the truth.

If it is, is there a way to give individuals a certificate they can install
without having to do web registration or MMC installation? I need about 300
physicians to use this VPN, but if anyone knows a doctor, they won't be able to
install through these convoluted ways. I would love to integrate it in an
install or something.

Any help regarding these two questions would be GREATLY appreciated!

Thanks All!

Bryan Dearlove
 
You could issue the certificates (with exportable private keys) and
then export them to media (e.g. floppy) and snail mail or courier them
to the remote users. (Theoretically you could email them too, but that
opens another window of compromise with which you would need to
deal.)

[I would enjoy further clarification on the following, but this is what I
currently know or believe we can presume....]

In Win2000 it was clearly documented that 'pre-shared secrets' were
only suitable for AUTHENTICATING data in IPSec (not encrypting)
but I have had difficulty finding a clear statement to confirm that this
limitation continues in Win2003 (I presume it does but there is no
technical reason why that must be true.)

From the Win2003 Server Help (search [ipsec "preshared secret"]):
"The use of preshared key authentication is not recommended because
it is a relatively weak authentication method. Preshared key authentication
creates a master key that is less secure (that might produce a weaker
form of encryption) than certificates or the Kerberos V5 protocol. "

The above implies some data encryption but they could mean the encryption
of the authentication.
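The export-and-ship approach in the reply above, worked through as an added example that is not code from either poster. It assumes the certificate was already issued from a template that marks the private key exportable, that the subject is CN=<username>, and a modern Windows with the PKI module (Export-PfxCertificate / Import-PfxCertificate); the function names, paths and the "jdoe" subject are assumptions for illustration. The client-side function is the piece Bryan could call from an installer, so the physician never touches the MMC or web enrollment.

```powershell
# Added example (not from the thread): package an already-issued
# certificate with its private key into a password-protected PFX for
# offline delivery, then import it silently on the client.
# Assumptions: template allows key export; subject is CN=<user>;
# PKI module cmdlets available. All names/paths are illustrative.

# --- Administrator side: export one physician's certificate ----------
function Export-UserVpnCert {
    param(
        [Parameter(Mandatory)] [string]       $SubjectCN,    # e.g. "jdoe"
        [Parameter(Mandatory)] [string]       $OutDir,       # e.g. removable media
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $StoreLocation = 'CurrentUser'              # 'LocalMachine' for machine certs
    )
    # Pick the newest cert for this subject that still has its private key.
    $cert = Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object { $_.Subject -like "CN=$SubjectCN*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$SubjectCN" }

    $pfxPath = Join-Path $OutDir "$SubjectCN.pfx"
    # Export-PfxCertificate errors out (rather than quietly writing a
    # public-cert-only file) when the key was issued non-exportable.
    # BuildChain includes the issuing CA chain so the client can validate it.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword `
        -ChainOption BuildChain | Out-Null
    return $pfxPath
}

# --- Client side: called from the installer, no MMC or web enrollment ----
function Install-UserVpnCert {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $StoreLocation = 'CurrentUser'  # L2TP/IPsec machine certs go to LocalMachine (needs elevation)
    )
    # Import without -Exportable: the key can be used but not copied back
    # out of the store, which limits damage if the laptop is later compromised.
    $imported = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation "Cert:\$StoreLocation\My" -Password $PfxPassword

    # Confirm the key actually arrived; a cert-only PFX "installs" without
    # error but will never authenticate to the VPN.
    $check = Get-Item "Cert:\$StoreLocation\My\$($imported.Thumbprint)"
    if (-not $check.HasPrivateKey) { throw "Private key missing after import" }

    # The PFX on disk is now a second copy of the private key; remove it.
    Remove-Item -Path $PfxPath -Force
    return $check.Thumbprint
}

# Usage (assumed values). Send the password by a different channel than
# the media itself, so one intercepted package does not yield the key.
# $pw  = Read-Host -AsSecureString -Prompt 'PFX password'
# $pfx = Export-UserVpnCert -SubjectCN 'jdoe' -OutDir 'D:\' -PfxPassword $pw
# ...courier D:\jdoe.pfx to the physician...
# Install-UserVpnCert -PfxPath 'D:\jdoe.pfx' -PfxPassword $pw
```

The reply's warning about e-mail applies equally here: the PFX is only as protected as its password, so keep the password out of the same envelope or message as the file, and do not leave the exported PFX files lying on the administrator's machine after they have been shipped.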