XP PRO: Secure remote access

There are times when you want to connect to hosts or networks across the big bad Internet, where crackers and script kiddies lurk behind every corner. Luckily, Windows XP Professional offers several options to do just this, in a safe and secure manner, using encrypted tunnels.

Connecting hosts and networks to each other via encrypted tunnels is often referred to as Virtual Private Networking; Windows XP Professional can act as both a client and a server in this respect.

Easy VPN with PPTP

Point To Point Tunnelling Protocol has been around since Windows 95 and is probably the easiest way to set up secure remote access with Windows XP Professional. It encapsulates standard Point-to-Point Protocol (PPP) frames, the same protocol as used for Internet dial-up connections, and offers up to 128-bit encryption.

PPTP authenticates users with a variety of methods. They range from the weak and insecure Password Authentication Protocol (PAP), which sends usernames and passwords in clear text, to stronger methods such as CHAP (Challenge Handshake Authentication Protocol). The latter doesn't send passwords across the Internet; instead the client answers a challenge from the server with a Message Digest 5 (MD5) hash calculated from that challenge and the password.

Other RAS authentication protocols include MS-CHAP (Microsoft CHAP) versions 1 and 2 (the former is used only for connecting to older RAS servers running Windows 95), SPAP (Shiva PAP, for Shiva Remote Access Servers), and the more flexible and advanced Extensible Authentication Protocol (EAP).

EAP can be used with a great number of authentication mechanisms, including smart cards, digital certificates, public key authentication and more. Windows XP supports two types - EAP-MD5 CHAP (the same as CHAP) and EAP-TLS (Transport Layer Security), for authenticating users with certificates.
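To make the CHAP point above concrete, here is an added example (not code from the article, nor Microsoft's implementation) that models both ends of an RFC 1994 CHAP round in Python. The account name, shared secret and 16-byte challenge length are constructed for the demo; the response is computed exactly as the RFC specifies, MD5 over the one-byte identifier, the secret and the challenge. The wire log returned by run_exchange lets you confirm that the secret itself never appears in any transmitted field, and replay_rejected shows why the server must issue a fresh challenge every time.

```python
import hashlib
import hmac
import os

# Constructed demo account (username -> shared secret); not from the article.
# Both ends hold the secret, but it is never placed on the link.
SERVER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues a fresh random challenge and checks the answer."""

    def __init__(self, secrets: dict, challenge_len: int = 16):
        self.secrets = secrets
        self.challenge_len = challenge_len  # assumed length; RFC 1994 leaves it open
        self.ident = 0

    def challenge(self) -> tuple:
        # The identifier changes every round and the challenge is random, so a
        # response captured earlier does not match a later challenge.
        self.ident = (self.ident + 1) & 0xFF
        return self.ident, os.urandom(self.challenge_len)

    def verify(self, username: str, ident: int, challenge: bytes, response: bytes) -> bool:
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


class ChapClient:
    """Peer side: holds its own copy of the secret and answers challenges."""

    def __init__(self, username: str, secret: bytes):
        self.username = username
        self.secret = secret

    def answer(self, ident: int, challenge: bytes) -> tuple:
        return self.username, chap_response(ident, self.secret, challenge)


def run_exchange(server: ChapServer, client: ChapClient) -> tuple:
    """One CHAP round. Returns (authenticated, wire_log); wire_log holds every
    field an eavesdropper on the link would see."""
    ident, challenge = server.challenge()
    wire = [("Challenge", ident, challenge)]
    username, response = client.answer(ident, challenge)
    wire.append(("Response", ident, username, response))
    ok = server.verify(username, ident, challenge, response)
    wire.append(("Success" if ok else "Failure", ident))
    return ok, wire


def secret_on_wire(wire: list, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in any transmitted field."""
    return any(isinstance(field, bytes) and secret in field
               for msg in wire for field in msg)


def replay_rejected(server: ChapServer, client: ChapClient) -> bool:
    """Record a valid response, then present it against the next challenge;
    a correct server rejects it because identifier and challenge have changed."""
    ident, challenge = server.challenge()
    _, recorded = client.answer(ident, challenge)
    new_ident, new_challenge = server.challenge()
    return not server.verify(client.username, new_ident, new_challenge, recorded)


if __name__ == "__main__":
    server = ChapServer(SERVER_SECRETS)
    ok, wire = run_exchange(server, ChapClient("alice", SERVER_SECRETS["alice"]))
    print("authenticated:", ok)
    for msg in wire:
        print(msg)
    print("secret visible on link:", secret_on_wire(wire, SERVER_SECRETS["alice"]))
```

The defensive value is in the two helper checks: a scheme that leaks the secret on the wire, or accepts an old response against a new challenge, is doing something CHAP does not. The example uses MD5 only because RFC 1994 mandates it; that is also why the article's caveat about guessing attacks on challenge-response holds, since nothing about the hash slows down offline guessing of a weak password.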

Setting up a PPTP connection is easy: open My Network Places, and click View network connections in the Network Tasks pane. In the same pane, click Create a new connection and in the wizard that pops up, pick the Connect to the network at my workplace and the Virtual Private Network connection options.

Name the connection, give it the right IP address and you are ready to log in to the remote server. To pick any of the different authentication protocols mentioned above, simply click the Properties button in the Connect dialogue box, and select the Security tab. On the Security page you can tick the Advanced Security Settings radio button, and pick which protocols are allowed, including EAP. You can also select whether or not to require encryption of data for the connection - this enables (or disables) the Microsoft Point To Point Encryption (MPPE) protocol for the connection. Note that MPPE isn't available with all authentication methods, so take care to choose the right one if you wish to encrypt the data traffic.

If you are behind a firewall or a Network Address Translation (NAT) router, make sure you allow traffic through TCP port 1723, and that your equipment can pass Generic Routing Encapsulation (GRE) traffic (sometimes referred to as IP type 50).
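A PPTP session is two flows, the TCP control channel on port 1723 and the PPP data carried in GRE, and a firewall that passes only one of them leaves the connection half working. GRE is registered with IANA as IP protocol number 47 (50 is IPsec ESP), and PPTP uses the "enhanced GRE" header from RFC 2637 section 4.1: key bit set, protocol type 0x880B, the key field split into payload length and call ID, with optional sequence and acknowledgement numbers. The following added example (my code, not the article's or Microsoft's) classifies a flow against that two-rule policy and parses the enhanced GRE header, so you can check a capture from the outside of a NAT box and confirm that what arrives is PPTP data and not plain GRE or something else. The sample packets are constructed for the demo.

```python
import struct

# Protocol numbers as registered with IANA; these are not from the article.
IP_PROTO_TCP = 6
IP_PROTO_GRE = 47
IP_PROTO_ESP = 50
PPTP_CONTROL_PORT = 1723
PPTP_GRE_PROTOCOL_TYPE = 0x880B  # PPP-in-enhanced-GRE, RFC 2637

# Constructed sample: enhanced GRE header with S and A set, call ID 42,
# seq 7, ack 6, followed by a 4-byte PPP payload (HDLC address/control + LCP).
SAMPLE_PPTP_GRE = (
    bytes([0x30, 0x81])                 # K|S flags; A flag, version 1
    + struct.pack("!H", PPTP_GRE_PROTOCOL_TYPE)
    + struct.pack("!HH", 4, 42)         # payload length, call ID
    + struct.pack("!II", 7, 6)          # sequence, acknowledgement
    + bytes([0xFF, 0x03, 0xC0, 0x21])
)
# Constructed sample: a plain RFC 2784 GRE header carrying IPv4 (0x0800).
SAMPLE_PLAIN_GRE = bytes([0x00, 0x00, 0x08, 0x00]) + b"\x45" + b"\x00" * 19


def classify_flow(ip_proto: int, dst_port: int = None) -> str:
    """Apply the two-rule PPTP policy: TCP/1723 control, GRE data, else other."""
    if ip_proto == IP_PROTO_TCP and dst_port == PPTP_CONTROL_PORT:
        return "pptp-control"
    if ip_proto == IP_PROTO_GRE:
        return "pptp-data"
    return "other"


def parse_pptp_gre(buf: bytes) -> dict:
    """Decode an RFC 2637 enhanced GRE header; raise ValueError otherwise."""
    if len(buf) < 8:
        raise ValueError("short GRE header")
    b0, b1, ptype, payload_len, call_id = struct.unpack("!BBHHH", buf[:8])
    flags = {
        "C": (b0 >> 7) & 1, "R": (b0 >> 6) & 1, "K": (b0 >> 5) & 1,
        "S": (b0 >> 4) & 1, "s": (b0 >> 3) & 1, "recur": b0 & 0x7,
        "A": (b1 >> 7) & 1, "flags": (b1 >> 3) & 0xF, "ver": b1 & 0x7,
    }
    # RFC 2637 fixes every bit except S and A: K=1, Ver=1, all others zero.
    if (ptype != PPTP_GRE_PROTOCOL_TYPE or flags["K"] != 1 or flags["ver"] != 1
            or flags["C"] or flags["R"] or flags["s"] or flags["recur"] or flags["flags"]):
        raise ValueError("not a PPTP enhanced GRE header")
    offset, seq, ack = 8, None, None
    if flags["S"]:
        if len(buf) < offset + 4:
            raise ValueError("truncated sequence number")
        seq = struct.unpack("!I", buf[offset:offset + 4])[0]
        offset += 4
    if flags["A"]:
        if len(buf) < offset + 4:
            raise ValueError("truncated acknowledgement number")
        ack = struct.unpack("!I", buf[offset:offset + 4])[0]
        offset += 4
    payload = buf[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than declared length")
    return {"call_id": call_id, "payload_len": payload_len,
            "seq": seq, "ack": ack, "payload": payload}


def is_pptp_gre(buf: bytes) -> bool:
    """Convenience wrapper for filtering captured GRE packets."""
    try:
        parse_pptp_gre(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for proto, port in [(IP_PROTO_TCP, 1723), (IP_PROTO_GRE, None), (IP_PROTO_ESP, None)]:
        print(proto, port, "->", classify_flow(proto, port))
    print(parse_pptp_gre(SAMPLE_PPTP_GRE))
    print("plain GRE is PPTP data:", is_pptp_gre(SAMPLE_PLAIN_GRE))
```

The classify_flow result for protocol 50 is the practical caveat: a firewall or NAT rule written for ESP instead of GRE will let the TCP 1723 control session come up and then silently drop every data packet, which is the classic symptom of a PPTP client that authenticates but never passes traffic. Matching call IDs across the two directions of a capture is the quickest way to tie a GRE flow back to its control session.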

To set up Windows XP Professional to act as a VPN dial-in server, click Create a new connection as above but this time click Set up an advanced connection in the New Connection wizard. Pick Accept incoming connections, with your modem as the device, and, next, Allow virtual private connections.

Specify which users are allowed to connect to the computer over the incoming line, and check that the settings for TCP/IP are correct (e.g., whether or not to use DHCP to assign IP addresses to hosts connecting to your computer, and whether the dial-in server should route incoming traffic to the LAN), and you are set. A small caveat here is that the system that acts as a dial-in RAS server should have a fully-qualified domain name and IP address for VPN connections to work; as you are not allowing connections over the Internet to the dial-in server, only over the public telephone network, you could get away with not running a VPN dial-in RAS, if encrypted connections aren't paramount.

Coming up: boosting VPN security with L2TP and IPsec

Microsoft's PPTP implementation has been criticised for not being secure, despite the improved authentication and encryption methods. While PPTP will keep casual crackers at bay, determined attackers with the ability to run dictionary attacks are able to get through most challenge-response authentication schemes.

If you need it, Windows XP Professional offers two other VPN RAS protocols with stronger security than plain PPTP, namely Layer 2 Tunnelling Protocol (L2TP) and IP security (IPsec). Setting up a VPN using these is more involved than PPTP, and I'll cover it in the next instalment of this column.

Juha Saarinen

PC World