Microsoft Deprecates Legacy VPN Protocols

It’s long overdue, but Microsoft has finally announced the formal deprecation of the Point-to-Point Tunnel Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP) in Windows Server Routing and Remote Access (RRAS) Servers. Both protocols have long since been replaced with more secure alternatives such as the Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEV2). However, many organizations have RRAS servers configured using these legacy protocols to support ad-hoc, on-demand access for non-managed users and devices.

Deprecated Protocols

There are a few reasons why Microsoft has deprecated these legacy protocols. Consider the following.

PPTP

It’s been widely known for many years that PPTP is broken and terribly insecure. Using this VPN protocol today is tremendously risky.

L2TP

L2TP is still considered secure, for the most part. However, it has been replaced with IKEv2, which is more secure and efficient.

Future Support

Although Microsoft made the announcement recently, the protocols will still be included in Windows Server 2025 when released later this year. However, Microsoft may remove these protocols from future Windows Server releases.

Always On VPN

Those who have deployed Microsoft Always On VPN are likely already using modern, secure VPN protocols, so this deprecation announcement won’t impact them. Although PPTP and L2TP are technically supported with Always On VPN, they are not commonly configured.

Recommendations

Administrators using Windows Server RRAS for VPN access using PPTP are encouraged to migrate to another protocol immediately. Those continuing to use L2TP should consider migrating soon.

Additional Information

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN April 2023 Security Updates

Heads up, Always On VPN administrators! This month’s patch Tuesday includes fixes for critical security vulnerabilities affecting Windows Server Routing and Remote Access Service (RRAS). Crucially there are remote code execution (RCE) vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP) (CVE-2023-28232), the Layer Two Tunneling Protocol (L2TP) (CVE-2023-28219, CVE-2023-28220), the Point-to-Point over Ethernet (PPPoE) protocol (CVE-2023-28224), and the Internet Key Exchange (IKE) protocol (CVE-2023-28238). The vulnerabilities in PPTP and L2TP are especially urgent as they allow an unauthenticated attacker to exploit them. There is also a denial-of-service (DoS) vulnerability (CVE-2023-28234) in the Secure Socket Tunneling Protocol (SSTP) protocol.

Exposure and Risk

The RCEs in PPTP, L2TP, and PPPoE should present limited risk as these protocols aren’t commonly used for Always On VPN (PPPoE and PPTP aren’t supported for Always On VPN, in fact). However, organizations may be using these protocols for other purposes. In addition, improperly configured edge firewalls could allow these connections even though administrators may not be actively using them. An attacker could also exploit these vulnerabilities with access to the RRAS server from the internal network.

Attack Surface Reduction

Always On VPN administrators are advised to ensure that only protocols and ports for VPN protocols in use are allowed through the edge firewall. Also, administrators should disable any unused protocols and services in RRAS to reduce the attack surface on their RRAS servers. To do this, open an elevated PowerShell command window on the RRAS server and run the following commands to disable support for the PPTP, L2TP, and PPPoE protocols.

netsh.exe ras set wanports device = “WAN Miniport (L2TP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

netsh.exe ras set wanports device = “WAN Miniport (PPTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 1

netsh.exe ras set wanports device = “WAN Miniport (PPPOE)” ddoutonly = disabled

Restart-Service RemoteAccess -PassThru

Additional Vulnerabilities

This month’s update also includes fixes for other vulnerabilities that may impact Always On VPN deployments. Specifically, there are RCEs in Windows Network Address Translation (NAT) (CVE-2023-28217) and Windows Network Load Balancing (NLB) (CVE-2023-28240), and a DoS vulnerability in Windows Transport Layer Security (TLS) (CVE-2023-28234).

Update Now

Administrators should patch their RRAS servers as soon as possible to avoid potential compromise of the RRAS server in their environments.

Additional Information

Always On VPN SSTP Security Configuration

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)Windows 10 Always On VPN is infrastructure independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with their own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.

RRAS VPN Protocols

Windows RRAS supports the following VPN protocols.

  • Internet Key Exchange version 2 (IKEv2) – RFC7296
  • Secure Sockets Tunneling Protocol (SSTP) – Microsoft
  • Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
  • Point-to-Point Tunneling Protocol (PPTP) – RFC2637

There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.

IKEv2

This IPsec-based VPN protocol is the preferred choice for deployments where the highest level of security is required. The latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.

Advantages: Best security options.
Disadvantages: Firewalls may block required UDP ports.

SSTP

SSTP is an excellent alternative to IKEv2 and is recommended for most deployments. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.

Advantages: Easy to configure with firewall friendly access.
Disadvantages: Fewer security options than IKEv2.

L2TP

While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.

Advantages: None.
Disadvantages: Firewalls may block required UDP ports.

PPTP

PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.

Advantages: None.
Disadvantages: Insecure.

Summary

The recommendation is to use SSTP for user-based VPN connections to ensure operational reliability and optimum performance. Use IKEv2 only when the highest level of security is required. Avoid the use of L2TP/IPsec and PPTP at all costs.

Additional Resources

Frequently Asked Questions about Microsoft’s PPTP Implementation

Always On VPN and Windows Server Routing and Remote Access Services (RRAS)

Windows 10 Always On VPN and the Future of DirectAccess 

5 Things DirectAccess Administrators Should Know about Always On VPN 

3 Important Advantages of Windows 10 Always On VPN over DirectAccess 

Windows 10 Always On VPN Hands-On Training Classes