To secure VPN connections and their data, Windows Server 2003 and Windows XP support a wide array of security features. The basic elements are authentication security (the use of MS-CHAP v2 or EAP-TLS), authorization security (the dial-in properties of a user account and remote access policies), encryption security (MPPE for PPTP and DES/3DES for L2TP/IPSec), and packet filtering (for PPTP, TCP port 1723 and GRE, IP protocol 47; for L2TP/IPSec, UDP ports 500 and 4500 and ESP, IP protocol 50). Note that MPPE derives its session keys from the MS-CHAP v2 or EAP-TLS exchange, so a PPTP tunnel is only as strong as the authentication method that set it up. Advanced security features include EAP-TLS for certificate-based authentication, Network Access Quarantine Control to verify the configuration of the remote access client computer, remote access account lockout to prevent online dictionary attacks, and remote access policy profile packet filtering to define the traffic that is allowed over the VPN connection.
There are obviously a lot of choices to make here, but the best approach is to default to the highest security level that fits your design: use MS-CHAP v2 or EAP-TLS, use L2TP/IPSec and IP filters wherever you can, and combine machine certificates (for the IPSec security association that protects L2TP) with user certificates on smart cards or other EAP devices to get two-factor authentication. Don't go overboard, though; make it secure enough to mitigate the risks your design actually faces. Every security feature you enable adds administration and user-support overhead, so weigh security against supportability to stay within your company's support resources.
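As an added worked example (not part of the original text, and not a Microsoft-supplied script), the following batch file applies the hardening just described to a Windows Server 2003 RRAS server using the built-in `netsh` and `reg` tools: it removes the weaker PPP authentication protocols so that only MS-CHAP v2 and EAP (EAP-TLS) remain, hands dial-in authorization to remote access policy, turns on remote access account lockout, and restricts the Internet-facing interface to L2TP/IPSec traffic so that PPTP is not reachable at all. The interface name `Internet`, the public address `203.0.113.10`, the user name `vpnuser` and the lockout thresholds are assumed values; the `proto=50` form of the ESP filter is an assumption about the `netsh routing ip add filter` syntax and should be checked against `netsh routing ip add filter help` on the server before running. Certificate enrollment for EAP-TLS and IPSec is done through Certificate Services, not with these commands, and is not shown.

```batch
@echo off
rem Added example: hardening a Windows Server 2003 RRAS VPN server.
rem Assumed values: interface "Internet", public address 203.0.113.10,
rem user "vpnuser". Run from an elevated command prompt on the VPN server.

set IFNAME=Internet
set PUBIP=203.0.113.10

rem --- 1. Authentication: keep only MS-CHAP v2 and EAP (EAP-TLS) ---
rem Weak state (before): PAP, SPAP, CHAP and MS-CHAP v1 may also be accepted,
rem and a client negotiating down to one of them weakens or loses MPPE keying.
echo Authentication types before hardening:
netsh ras show authtype

netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP

echo Authentication types after hardening:
netsh ras show authtype

rem --- 2. Authorization: let remote access policy decide, not the account flag ---
netsh ras set user name=vpnuser dialin=policy

rem --- 3. Remote access account lockout (defence against online dictionary attacks) ---
rem MaxDenials=0 (the default) disables lockout. With 5, the fifth failed
rem attempt locks the account until "ResetTime (mins)" elapses
rem (2880 minutes = 48 hours). This is separate from the Active Directory
rem account lockout policy; an attacker who hits it locks the VPN login only.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout" /v MaxDenials /t REG_DWORD /d 5 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout" /v "ResetTime (mins)" /t REG_DWORD /d 2880 /f

rem --- 4. Packet filtering: accept only L2TP/IPSec on the Internet interface ---
rem Permit IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) to the
rem public address; "action=drop" makes everything else inbound be discarded.
rem PPTP (TCP 1723 and GRE, protocol 47) is deliberately left closed.
netsh routing ip add filter name="%IFNAME%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=udp srcport=500 dstport=500
netsh routing ip add filter name="%IFNAME%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=udp srcport=4500 dstport=4500
netsh routing ip add filter name="%IFNAME%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=50
netsh routing ip set filter name="%IFNAME%" filtertype=input action=drop

rem Mirror the rules as output filters so the server only answers on those ports.
netsh routing ip add filter name="%IFNAME%" filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=500 dstport=500
netsh routing ip add filter name="%IFNAME%" filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=4500 dstport=4500
netsh routing ip add filter name="%IFNAME%" filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=50
netsh routing ip set filter name="%IFNAME%" filtertype=output action=drop

rem Show the resulting filter set for review.
netsh routing ip show filter name="%IFNAME%"
```

Run it from a console session, not over the VPN or an RDP session that rides the public interface, because the `action=drop` step cuts off anything that is not IKE, NAT-T or ESP. Afterwards, `netsh ras show authtype` should list only MS-CHAP v2 and EAP, a test PPTP connection from the Internet should fail to connect at all, and an L2TP/IPSec client that presents a valid machine certificate and a smart-card user certificate should still get through.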