XP PRO: Secure remote access

There are times when you want to connect to hosts or networks across the big bad Internet, where crackers and script kiddies lurk behind every corner. Luckily, Windows XP Professional offers several options to do just this, in a safe and secure manner, using encrypted tunnels.

Connecting hosts and networks to each other via encrypted tunnels is often referred to as Virtual Private Networking; Windows XP Professional can act as both a client and a server in this respect.

Easy VPN with PPTP

Point To Point Tunnelling Protocol has been around since Windows 95 and is probably the easiest way to set up secure remote access with Windows XP Professional. It encapsulates standard Point-To-Point (PPP) frames, the same protocol as used for Internet dial-up connections, and offers up to 128-bit encryption.

PPTP authenticates users with a variety of methods. They range from the weak and insecure Password Authentication Protocol (PAP), which sends usernames and passwords in clear text, to stronger methods such as CHAP (Challenge Handshake Authentication Protocol). The latter doesn't send passwords across the Internet; instead, the client answers the server's challenge with a Message Digest 5 (MD5) hash calculated from the password.

Other RAS authentication protocols include MS-CHAP (Microsoft CHAP) versions 1 and 2 (the former is used only for connecting to older RAS servers running Windows 95), SPAP (Shiva PAP, for Shiva Remote Access Servers), and the more flexible and advanced Extensible Authentication Protocol (EAP).

EAP can be used with a great number of authentication mechanisms, including Smart Cards, digital certificates, public key authentication and more. Windows XP supports two types - EAP-MD5 CHAP (the same as CHAP) and EAP-TLS (Transport Layer Security), for authenticating users with certificates.

Setting up a PPTP connection is easy: open My Network Places, and click View network connections in the Network Tasks pane. In the same pane, click Create a new connection and in the wizard that pops up, pick the Connect to the network at my workplace and the Virtual Private Network connection options.

Name the connection, give it the right IP address and you are ready to log in to the remote server. To pick any of the different authentication protocols mentioned above, simply click the Properties button in the Connect dialogue box, and select the Security tab. On the Security page you can tick the Advanced Security Settings radio button, and pick which protocols are allowed, including EAP. You can also select whether or not to require encryption of data for the connection - this enables (or disables) the Microsoft Point To Point Encryption (MPPE) protocol for the connection. Note that MPPE isn't available with all authentication methods, so take care to choose the right one if you wish to encrypt the data traffic.

If you are behind a firewall or a Network Address Translation (NAT) router, make sure you allow traffic through TCP port 1723, and that your equipment can pass Generic Routing Encapsulation (GRE) traffic (sometimes referred to as IP type 50).

To set up Windows XP Professional to act as a VPN dial-in server, click Create a new connection as above but this time click Set up an advanced connection in the New Connection wizard. Pick Accept incoming connections, with your modem as the device, and, next, Allow virtual private connections.

Specify which users are allowed to connect to the computer over the incoming line, and check that the TCP/IP settings are correct (e.g., whether or not to use DHCP to assign IP addresses to hosts connecting to your computer, and whether the dial-in server should route incoming traffic to the LAN), and you are set. A small caveat here is that the system that acts as a dial-in RAS server should have a fully-qualified domain name and IP address for VPN connections to work. As you are not allowing connections over the Internet to the dial-in server, only over the public telephone network, you could get away with not running a VPN dial-in RAS if encrypted connections aren't paramount.

Coming up: boosting VPN security with L2TP and IPsec

Microsoft's PPTP implementation has been criticised for not being secure, despite the improved authentication and encryption methods. While PPTP will keep casual crackers at bay, determined attackers with the ability to run dictionary attacks are able to get through most challenge-response authentication schemes.

If you need it, Windows XP Professional offers two other VPN RAS protocols with stronger security than plain PPTP, namely Layer 2 Tunnelling Protocol (L2TP) and IP security (IPsec). Setting up a VPN using these is more involved than PPTP, and I'll cover it in the next instalment of this column.


Juha Saarinen

PC World