Force MS-CHAP V2 in XP RAS/VPN server


Incoming Connection in XP allows clients to use both MS-CHAP and MS-CHAP V2.
How can I force using MS-CHAP V2 only?
 
You do that using Remote Access Policies for your VPN server in the RRAS
Management Console where you select edit profile and select the
authentication methods you will allow. Every W2003 VPN server has at least
one Remote Access Policy enabled or no user could access the VPN. The link
below has more info on editing a Remote Access Policy. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;816522
 
Yes, in W2003 (and W2K) you can use Remote Access Policies in RRAS Management
Console. My question was about the RAS/VPN server in XP.
 
For when XP is acting as a single connection PPTP VPN server I have never
seen, heard, or read a way of doing such from MS documentation. There was a
securevpn registry key that was used in NT4.0 per the article below that you
could try to implement on a test XP computer [not there by default] and you
never know, it just may work. By default XP/2000/2003 when acting as a VPN
server will always use the strongest common authentication method supported
between client and server, and every OS from MS since I believe Windows ME is
mschapv2 capable with default install while Windows 98 requires a DUN
upgrade. --- Steve


http://www.governmentsecurity.org/archive/t6526.html

allow only MS CHAP v2.0 for VPN connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"SECUREVPN"=DWORD:00000001
 
Interesting information there. Unfortunately RAS things don't work in XP, at
least using the specified keys and values. Thanks for the info anyway. AFAIK,
the difference between MS-CHAP V1 and V2 is that V2 is better during the initial
challenge/acknowledge handshake. Then, if all clients are configured with V2
only, it doesn't matter that the server would accept V1 because an
interceptor would only see V2 anyway. Or is it worse than that?

 
Thanks for letting us know that the registry mod did not work, but too bad it
does not. I can't think of anything else to force mschapv2 only on XP as a
VPN server. Mschapv2 has a couple of advantages including mutual
authentication and a different encryption key for the user at each logon
even with the same password. The link below explains more. Like I said, the
VPN server will always use the strongest authentication method possible
based on what the server and client can support, which minimizes the risk of
mschap being used assuming you are not using old legacy operating systems.
The clients that you can control can be configured to use mschapv2 only in
the VPN connectoid properties, which is probably what you are referring to
when you say "if all clients are configured with V2 only". For PPTP it is
particularly important that the VPN user uses a very strong password. With L2TP
the encryption tunnel is built via IPsec before the user tries to
authenticate, but that is not the case for PPTP. --- Steve

http://technet2.microsoft.com/WindowsServer/en/Library/13b8cd89-4d40-4d8a-a6ab-6e193eb8f4381033.mspx
