XP PRO: Secure remote access

There are times when you want to connect to hosts or networks across the big bad Internet, where crackers and script kiddies lurk behind every corner. Luckily, Windows XP Professional offers several options to do just this, in a safe and secure manner, using encrypted tunnels.

Connecting hosts and networks to each other via encrypted tunnels is often referred to as Virtual Private Networking; Windows XP Professional can act as both a client and a server in this respect.

Easy VPN with PPTP

Point To Point Tunnelling Protocol has been around since Windows 95 and is probably the easiest way to set up secure remote access with Windows XP Professional. It encapsulates standard Point-To-Point (PPP) frames, the same protocol as used for Internet dial-up connections, and offers up to 128-bit encryption.

PPTP authenticates users with a variety of methods. They range from the weak and insecure Password Authentication Protocol (PAP), which sends usernames and passwords in clear text, to stronger methods such as CHAP (Challenge Handshake Authentication Protocol). The latter doesn't send passwords across the Internet; instead, the client answers the server's challenge with a Message Digest 5 (MD5) hash calculated from the password.

Other RAS authentication protocols include MS-CHAP (Microsoft CHAP) versions 1 and 2 (the former is used only for connecting to older RAS servers running Windows 95), SPAP (Shiva PAP, for Shiva Remote Access Servers), and the more flexible and advanced Extensible Authentication Protocol (EAP).

EAP can be used with a great number of authentication mechanisms, including Smart Cards, digital certificates, public key authentication and more. Windows XP supports two types - EAP-MD5 CHAP (the same as CHAP) and EAP-TLS (Transport Layer Security), for authenticating users with certificates.

Setting up a PPTP connection is easy: open My Network Places, and click View network connections in the Network Tasks pane. In the same pane, click Create a new connection and in the wizard that pops up, pick the Connect to the network at my workplace and the Virtual Private Network connection options.

Name the connection, give it the right IP address and you are ready to log in to the remote server. To pick any of the different authentication protocols mentioned above, simply click the Properties button in the Connect dialogue box, and select the Security tab. On the Security page you can tick the Advanced Security Settings radio button, and pick which protocols are allowed, including EAP. You can also select whether or not to require encryption of data for the connection - this enables (or disables) the Microsoft Point To Point Encryption (MPPE) protocol for the connection. Note that MPPE isn't available with all authentication methods, so take care to choose the right one if you wish to encrypt the data traffic.

If you are behind a firewall or a Network Address Translation (NAT) router, make sure you allow traffic through TCP port 1723, and that your equipment can pass Generic Routing Encapsulation (GRE) traffic (sometimes referred to as IP type 50).

To set up Windows XP Professional to act as a VPN dial-in server, click Create a new connection as above but this time click Set up an advanced connection in the New Connection wizard. Pick Accept incoming connections, with your modem as the device, and, next, Allow virtual private connections.

Specify which users are allowed to connect to the computer over the incoming line, and check that the settings for TCP/IP are correct (e.g., whether or not to use DHCP to assign IP addresses to hosts connecting to yours, and whether the dial-in server should route incoming traffic to the LAN), and you are set. A small caveat here is that the system that acts as a dial-in RAS server should have a fully-qualified domain name and IP address for VPN connections to work; as you are not allowing connections over the Internet to the dial-in server, only over the public telephone network, you could get away with not running a VPN dial-in RAS, if encrypted connections aren't paramount.

Coming up: boosting VPN security with L2TP and IPsec

Microsoft's PPTP implementation has been criticised for not being secure, despite the improved authentication and encryption methods. While PPTP will keep casual crackers at bay, determined attackers with the ability to run dictionary attacks are able to get through most challenge-response authentication schemes.

If you need it, Windows XP Professional offers two other VPN RAS protocols with stronger security than plain PPTP, namely Layer 2 Tunnelling Protocol (L2TP) and IP security (IPsec). Setting up a VPN using these is more involved than PPTP, and I'll cover it in the next instalment of this column.


Juha Saarinen

PC World