XP PRO: Secure remote access

There are times when you want to connect to hosts or networks across the big bad Internet, where crackers and script kiddies lurk behind every corner. Luckily, Windows XP Professional offers several options to do just this, in a safe and secure manner, using encrypted tunnels.

Connecting hosts and networks to each other via encrypted tunnels is often referred to as Virtual Private Networking; Windows XP Professional can act as both a client and a server in this respect.

Easy VPN with PPTP

Point To Point Tunnelling Protocol has been around since Windows 95 and is probably the easiest way to set up secure remote access with Windows XP Professional. It encapsulates standard Point-To-Point (PPP) frames, the same protocol as used for Internet dial-up connections, and offers up to 128-bit encryption.

PPTP authenticates users with a variety of methods. They range from the weak and insecure Password Authentication Protocol (PAP), which sends usernames and passwords in clear text, to stronger methods such as CHAP (Challenge Handshake Authentication Protocol). The latter doesn't send passwords across the Internet; instead, it responds to the server's challenge with a Message Digest 5 (MD5) hash calculated from the password.

Other RAS authentication protocols include MS-CHAP (Microsoft CHAP) versions 1 and 2 (the former is used only for connecting to older RAS servers running Windows 95), SPAP (Shiva PAP, for Shiva Remote Access Servers), and the more flexible and advanced Extensible Authentication Protocol (EAP).

EAP can be used with a great number of authentication mechanisms, including Smart Cards, digital certificates, public key authentication and more. Windows XP supports two types - EAP-MD5 CHAP (the same as CHAP) and EAP-TLS (Transport Layer Security), for authenticating users with certificates.

Setting up a PPTP connection is easy: open My Network Places, and click View network connections in the Network Tasks pane. In the same pane, click Create a new connection and in the wizard that pops up, pick the Connect to the network at my workplace and the Virtual Private Network connection options.

Name the connection, give it the right IP address and you are ready to log in to the remote server. To pick any of the different authentication protocols mentioned above, simply click the Properties button in the Connect dialogue box, and select the Security tab. On the Security page you can tick the Advanced Security Settings radio button, and pick which protocols are allowed, including EAP. You can also select whether or not to require encryption of data for the connection - this enables (or disables) the Microsoft Point To Point Encryption (MPPE) protocol for the connection. Note that MPPE isn't available with all authentication methods, so take care to choose the right one if you wish to encrypt the data traffic.

If you are behind a firewall or a Network Address Translation (NAT) router, make sure you allow traffic through TCP port 1723, and that your equipment can pass Generic Routing Encapsulation (GRE) traffic (sometimes referred to as IP type 50).

To set up Windows XP Professional to act as a VPN dial-in server, click Create a new connection as above but this time click Set up an advanced connection in the New Connection wizard. Pick Accept incoming connections, with your modem as the device, and, next, Allow virtual private connections.

Specify which users are allowed to connect to the computer over the incoming line, and check that the TCP/IP settings are correct (e.g., whether or not to use DHCP to assign IP addresses to hosts connecting to yours, and whether the dial-in server should route incoming traffic to the LAN), and you are set. A small caveat here is that the system that acts as a dial-in RAS server should have a fully-qualified domain name and IP address for VPN connections to work; as you are not allowing connections over the Internet to the dial-in server, only over the public telephone network, you could get away with not running a VPN dial-in RAS, if encrypted connections aren't paramount.

Coming up: boosting VPN security with L2TP and IPsec

Microsoft's PPTP implementation has been criticised for not being secure, despite the improved authentication and encryption methods. While PPTP will keep casual crackers at bay, determined attackers with the ability to run dictionary attacks are able to get through most challenge-response authentication schemes.

If you need it, Windows XP Professional offers two other VPN RAS protocols with stronger security than plain PPTP, namely Layer 2 Tunnelling Protocol (L2TP) and IP security (IPsec). Setting up a VPN using these is more involved than PPTP, and I'll cover it in the next instalment of this column.


Juha Saarinen

PC World