knowplace.org

Microsoft 128-bit PPTP Upgrade Hints

(11/08/2000)

WHO? This document is for anyone who is interested in making their PPTP VPN RAS connection more secure (Notice: Due to U.S. encryption export restrictions, you have to be a U.S./Canadian citizen residing in the U.S./Canada in order to use these upgrades).

WHAT? This document gives you a few hints on making your PPTP VPN RAS connections more secure (hopefully). It is also for anyone who has read Microsoft's Q article Q244214 and wondered how on Earth one is supposed to obtain the "Microsoft Windows 98 Second Edition Dial-Up Networking 128-Bit Security Upgrade". Notice: Due to U.S. encryption export restrictions, you have to be a U.S./Canadian citizen residing in the U.S./Canada in order to use the upgrade mentioned in Q244214. This document is not meant as a detailed PPTP security howto and does not discuss (important) topics such as password strength/security/auditing, or general network security.

WHY? If you're one of the unlucky users (or admins) who has to use Microsoft's exploit-fraught PPTP RAS service for VPN, you should do everything you can to improve its security, including downloading and installing the 128-bit security DUN upgrade. If you aren't using 128-bit encryption, or the law of your country restricts you to 40-bit encryption, you may as well not bother.

WHERE? The absolute newest version of this HOWTO can always be found at http://www.knowplace.org/pptp-hints.html. Although, to be honest, I have no intention of updating this document unless it's to correct errors.

HOW? I'll give an overview first, so you'll have some idea what's going on. Even though Microsoft tried to fix the problems in their original PPTP/MS-CHAP v1 implementation by releasing MS-CHAP v2 (Q189771 & Q189595), Microsoft also kept MS-CHAP v1 around to maintain backward compatibility, and with it the old exploits/problems. It is not enough to install the latest service packs (up to NT4 SP6a): a default installation still accepts the old protocol, which leaves you open to rollback attacks, in which the connection is negotiated down to MS-CHAP v1 or weaker encryption. Therefore, if you are running a Microsoft PPTP VPN RAS server or client, follow the suggestions below to secure it.

  • Windows NT4 server: If the server doesn't support 128-bit encryption, upgrading the client won't help you much. Go to http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/128bitX86/ to download and install the high encryption service pack. After the high encryption service pack is installed, you will need to add several registry values to prevent rollback attacks against your RAS server. You can find more information about these registry values in Q189595 and Q172215.
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP - Add a DWORD: SecureVPN Value: 0x00000001. This forces your NT RAS server to use MSCHAP v2 only.
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\Chap - Add a DWORD: UseLmPassword Value: 0x00000000. This stops your NT RAS server from using LAN Manager (LM) password hashes, which are far weaker than the NT hashes, in MS-CHAP authentication.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\COMPCP - Add a DWORD: ForceStrongEncryption Value: 0x00000001. This forces the use of 128-bit encryption when the high-encryption service pack is installed.
    • You will also need to configure the RAS server (Remote Access Setup, Network settings) to require Microsoft encrypted authentication and to require data encryption.
  • Windows 98se client: This is the easier part. You basically download the "Microsoft Windows 98 Second Edition Dial-Up Networking 128-Bit Security Upgrade" by going to the "Windows Update" option in your start menu. If you are an admin and need to install this update on multiple machines, you can download it from here. Note: Please do not download this file unless you are a U.S./Canadian citizen residing in the U.S./Canada.
    • After the download has completed, unzip the files into a temp directory. After reading and agreeing to the Microsoft EULA (license.txt), right-click on the dun128.inf file and select 'Install'.
    • After the install, reboot (may not be necessary but can't hurt - you are running windows after all).
    • Check the properties of c:\windows\system\pppmac.vxd under the Version tab, 'Internal name'. If the value does not say 'PPPMAC (US/Canada Only, Not for Export)', then uninstall the upgrade (Add/Remove Programs in the Control Panel) and repeat the first step.
    • The installation should have created the appropriate (matching) registry entries for the client. Just in case, they are:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess - DWORD: SecureVPN Value: 0x00000001
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess - DWORD: UseLmPassword Value: 0x00000000
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess - DWORD: ForceStrongEncryption Value: 0x00000001
    • To test, once you're connected to a PPTP server, check the detailed connection properties. It should say:
      • Microsoft mutual challenge handshake authentication
      • Microsoft strong encryption.
  • I've neglected Win2k and Win95. Does anyone still run Win95?
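As an added example (not from the original page), here are the server and client registry values listed above collected into one batch file that writes a REGEDIT4-format .reg file, imports it silently with regedit, and then exports the key again to confirm the three values are present. The script name, the server/client arguments and the file names under %TEMP% are my own conventions; the key paths and values are the ones given in this document. It assumes cmd.exe (NT4); Win98's command.com does not understand the parenthesised blocks, so for clients generate pptp-client.reg on the NT4 box and apply it on each Win98 machine with regedit /s.

```batch
@echo off
rem harden-pptp.cmd -- push the PPTP anti-rollback registry values
rem Usage:  harden-pptp.cmd server     (run on the NT4 RAS server)
rem         harden-pptp.cmd client     (values for the Win98se DUN client)
rem Assumption: %TEMP% is writable and regedit.exe is on the path.

if /i "%1"=="server" goto server
if /i "%1"=="client" goto client
echo usage: %0 server ^| client
goto end

:server
set REGFILE=%TEMP%\pptp-server.reg
set CHECKKEY=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP
rem SecureVPN=1 requires MS-CHAP v2, UseLmPassword=0 drops LM hashes,
rem ForceStrongEncryption=1 requires 128-bit MPPE (high encryption SP needed).
(
echo REGEDIT4
echo.
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP]
echo "SecureVPN"=dword:00000001
echo.
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\Chap]
echo "UseLmPassword"=dword:00000000
echo.
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\COMPCP]
echo "ForceStrongEncryption"=dword:00000001
) > "%REGFILE%"
goto apply

:client
set REGFILE=%TEMP%\pptp-client.reg
set CHECKKEY=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess
rem Same three values, which the Win98se 128-bit DUN upgrade should already
rem have created under the RemoteAccess key.
(
echo REGEDIT4
echo.
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess]
echo "SecureVPN"=dword:00000001
echo "UseLmPassword"=dword:00000000
echo "ForceStrongEncryption"=dword:00000001
) > "%REGFILE%"
goto apply

:apply
rem /s imports without the confirmation dialog.
regedit /s "%REGFILE%"

rem Verify: export the key (and its subkeys) back out and look for each value.
set CHECK=%TEMP%\pptp-check.reg
regedit /e "%CHECK%" "%CHECKKEY%"
find /i "SecureVPN" "%CHECK%" >nul
if errorlevel 1 echo WARNING: SecureVPN not set under %CHECKKEY%
find /i "UseLmPassword" "%CHECK%" >nul
if errorlevel 1 echo WARNING: UseLmPassword not set under %CHECKKEY%
find /i "ForceStrongEncryption" "%CHECK%" >nul
if errorlevel 1 echo WARNING: ForceStrongEncryption not set under %CHECKKEY%
echo Done. Exported copy of the key is in %CHECK% for your records.

:end
```

The export step is deliberate: find only tells you the value names exist, so open the exported file and check that the data is dword:00000001 / dword:00000000 as intended before trusting the server. On Windows 2000 and later regedit writes its export as Unicode, so run `type "%CHECK%" | find /i "SecureVPN"` instead of calling find on the file directly. None of this replaces the Remote Access Setup settings (require Microsoft encrypted authentication and data encryption) from the server step above.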
 
Shane Tzen © 2008