Wireless security and VPN

I have a Windows Server 2000 domain and XP Pro clients. I have set up VPN
through RRAS (PPTP) and it works fine. My question is: Should I be
concerned about security when remote users (using their own laptops) log in
using a public wireless access point (hotspot)? My understanding of MS-CHAP
is that passwords never travel in the clear during the challenge-handshake
process and it is also my understanding that the VPN data stream is fully
encrypted. Am I missing anything? Should I be concerned about someone
"sniffing" these remote users' packets?
 
Actually you should be using MS-CHAPv2, which is the default and is a strong
authentication protocol. Just make sure the users are forced to use strong
passwords. I would suggest that you enable password complexity and have a
minimum password length of eight characters. This will make PPTP very
secure. If users balk at complex passwords, train them to think pass phrases
and to use spaces between the words. A pass phrase such as "A spoonful of
sugar!" is a very very strong password as far as the operating system is
concerned. --- Steve
 
I do enforce 8+ character alphanumeric passwords and lock out the accounts
after three unsuccessful attempts. Do I need to enable Certificate
Services? I am not clear on what exactly it does.
 
No, you do not need to issue certificates for PPTP. Another vulnerability of
VPN connections is that users will often save their password for their VPN
connectoid, which could allow an attacker who obtained/stole their laptop to
access your network as that user if the account had not been disabled for
dial-in. There is a registry entry that can prevent that and be distributed
via a Group Policy custom .adm, or smart cards are used in situations where
high security is needed. Smart cards do require a Certificate Authority,
however, and an investment in hardware for the smart cards and
readers. --- Steve

http://is-it-true.org/nt/atips/atips20.shtml --- disable VPN connectoid
password storage.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\RasMan\Parameters
Name: DisableSavePassword
Type: REG_DWORD
Value: 1
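Steve's post mentions distributing that value with a custom Group Policy .adm template. The following is an added example of such a template, not from the thread or the linked page; the key and value name are the ones listed above, while the category, policy and string names are my own choices.

```adm
; Constructed example: custom .adm template that sets the RasMan
; DisableSavePassword value on every computer the GPO is linked to.
CLASS MACHINE

CATEGORY !!Cat_RemoteAccess
    POLICY !!Pol_DisableSavePassword
        KEYNAME "SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
        EXPLAIN !!Pol_DisableSavePassword_Help
        ; Enabled writes REG_DWORD 1 (saving forbidden); Disabled writes 0;
        ; Not Configured leaves whatever the machine already has.
        VALUENAME "DisableSavePassword"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
Cat_RemoteAccess="Remote Access (custom)"
Pol_DisableSavePassword="Do not allow VPN or dial-up connections to save passwords"
Pol_DisableSavePassword_Help="Prevents users from storing the password for a RAS or VPN connectoid, so a lost or stolen laptop cannot reconnect to the VPN without the password being typed."
```

Because this key lives outside the Policies branch of the registry, the Group Policy editor treats it as a "preference" and hides it until you turn off the filter that shows only fully managed policy settings; the value also stays in place after the GPO is removed, so reverse it explicitly if you ever retire the policy.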
 
I should add that the risk of stored credentials for a VPN connectoid is
much less if the user logs onto their computer with cached domain
credentials instead of a local user account. --- Steve
 