All posts tagged PPTP

Always On VPN April 2023 Security Updates

Heads up, Always On VPN administrators! This month’s patch Tuesday includes fixes for critical security vulnerabilities affecting Windows Server Routing and Remote Access Service (RRAS). Crucially there are remote code execution (RCE) vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP) (CVE-2023-28232), the Layer Two Tunneling Protocol (L2TP) (CVE-2023-28219, CVE-2023-28220), the Point-to-Point over Ethernet (PPPoE) protocol (CVE-2023-28224), and the Internet Key Exchange (IKE) protocol (CVE-2023-28238). The vulnerabilities in PPTP and L2TP are especially urgent as they allow an unauthenticated attacker to exploit them. There is also a denial-of-service (DoS) vulnerability (CVE-2023-28234) in the Secure Socket Tunneling Protocol (SSTP) protocol.

Exposure and Risk

The RCEs in PPTP, L2TP, and PPPoE should present limited risk as these protocols aren’t commonly used for Always On VPN (PPPoE and PPTP aren’t supported for Always On VPN, in fact). However, organizations may be using these protocols for other purposes. In addition, improperly configured edge firewalls could allow these connections even though administrators may not be actively using them. An attacker could also exploit these vulnerabilities with access to the RRAS server from the internal network.

Attack Surface Reduction

Always On VPN administrators are advised to ensure that only protocols and ports for VPN protocols in use are allowed through the edge firewall. Also, administrators should disable any unused protocols and services in RRAS to reduce the attack surface on their RRAS servers. To do this, open an elevated PowerShell command window on the RRAS server and run the following commands to disable support for the PPTP, L2TP, and PPPoE protocols.

netsh.exe ras set wanports device = “WAN Miniport (L2TP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0

netsh.exe ras set wanports device = “WAN Miniport (PPTP)” rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 1

netsh.exe ras set wanports device = “WAN Miniport (PPPOE)” ddoutonly = disabled

Restart-Service RemoteAccess -PassThru

Additional Vulnerabilities

This month’s update also includes fixes for other vulnerabilities that may impact Always On VPN deployments. Specifically, there are RCEs in Windows Network Address Translation (NAT) (CVE-2023-28217) and Windows Network Load Balancing (NLB) (CVE-2023-28240), and a DoS vulnerability in Windows Transport Layer Security (TLS) (CVE-2023-28234).

Update Now

Administrators should patch their RRAS servers as soon as possible to avoid potential compromise of the RRAS server in their environments.

Additional Information

Always On VPN SSTP Security Configuration

Leave a comment
by Richard M. Hicks on April 12, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, Hotfix, Infrastructure, Microsoft, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, SSL, SSL and TLS, SSTP, TLS, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 12, 2023

https://directaccess.richardhicks.com/2023/04/12/always-on-vpn-april-2023-security-updates/

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)Windows 10 Always On VPN is infrastructure independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with their own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.

RRAS VPN Protocols

Windows RRAS supports the following VPN protocols.

  • Internet Key Exchange version 2 (IKEv2) – RFC7296
  • Secure Sockets Tunneling Protocol (SSTP) – Microsoft
  • Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
  • Point-to-Point Tunneling Protocol (PPTP) – RFC2637

There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.

IKEv2

This IPsec-based VPN protocol is the preferred choice for deployments where the highest level of security is required. The latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.

Advantages: Best security options.
Disadvantages: Firewalls may block required UDP ports.

SSTP

SSTP is an excellent alternative to IKEv2 and is recommended for most deployments. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.

Advantages: Easy to configure with firewall friendly access.
Disadvantages: Fewer security options than IKEv2.

L2TP

While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.

Advantages: None.
Disadvantages: Firewalls may block required UDP ports.

PPTP

PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.

Advantages: None.
Disadvantages: Insecure.

Summary

The recommendation is to use SSTP for user-based VPN connections to ensure operational reliability and optimum performance. Use IKEv2 only when the highest level of security is required. Avoid the use of L2TP/IPsec and PPTP at all costs.

Additional Resources

Frequently Asked Questions about Microsoft’s PPTP Implementation

Always On VPN and Windows Server Routing and Remote Access Services (RRAS)

Windows 10 Always On VPN and the Future of DirectAccess 

5 Things DirectAccess Administrators Should Know about Always On VPN 

3 Important Advantages of Windows 10 Always On VPN over DirectAccess 

Windows 10 Always On VPN Hands-On Training Classes

31 Comments
by Richard M. Hicks on January 22, 2018  •  Permalink
Posted in ADC, Always On VPN, AOVPN, application delivery controller, Encryption, Load Balancing, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 22, 2018

https://directaccess.richardhicks.com/2018/01/22/always-on-vpn-protocol-recommendations-for-windows-server-routing-and-remote-access-service-rras/

Always On VPN and Windows Routing and Remote Access Service (RRAS)

Always On VPN and Windows Routing and Remote Access Service (RRAS)

As I’ve written about in the past, Windows 10 Always On VPN has many advantages over DirectAccess. One of the most important features is that Always On VPN is completely infrastructure independent. Always On VPN is implemented entirely on the client side, so there is no reliance on Windows infrastructure servers at all. In theory, you could deploy an Always On VPN solution using an entirely third-party backend infrastructure. This is crucial because many organizations already have security infrastructure in place today. However, there are still some compelling reasons to choose Windows Server 2016 as the VPN server to support Windows 10 Always On VPN.

Considerations for Windows Server

Windows Server 2016 includes a very capable VPN server in the Routing and Remote Access Service (RRAS) role. Using Windows Server 2016 RRAS will meet the requirements for many deployment scenarios. RRAS also provides some unique advantages too. The following are some important considerations for choosing RRAS for VPN.

Easy to Deploy

The RRAS role in included in all Windows server network operating systems and can be enabled easily using the GUI or PowerShell. RRAS is mature and well-documented, making installation and configuration simpler. In fact, all of the Microsoft Windows 10 Always On VPN documentation guidance references RRAS.

Reduced Costs

No investment in proprietary hardware is required, because RRAS runs on Windows Server 2016 and can be deployed on existing virtual infrastructure. Deploying additional RRAS virtual machines enables quick and efficient scaling up of the solution without the need to deploy additional expensive hardware. Importantly, RRAS requires no additional per-client or per-device licensing. In addition, RRAS can be managed using existing Windows administration skill sets and does not require dedicated, and often expensive solution-specific expertise.

Modern Protocol Support

RRAS includes support for modern VPN protocols such as Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). IKEv2 is the protocol of choice or most deployments, and is required for supporting the device tunnel. SSTP is a firewall-friendly protocol that ensures remote Windows clients can connect from anywhere. Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) and Point-to-Point Tunneling Protocol (PPTP) are also supported for legacy client compatibility.

Summary

Although Windows 10 Always On VPN can be implemented using third-party VPN servers, it’s important not to overlook Windows server either. Windows Server 2016 RRAS has some important advantages over third-party infrastructure. RRAS is mature and well understood, with an abundance of published documentation available. Leveraging RRAS eliminates the need for costly proprietary hardware and client licensing, while at the same time reducing administrative overhead and streamlining support. RRAS also includes native support for modern VPN protocols, ensuring reliable client connectivity from any location.

Additional Resources

3 Important Advantages of Windows 10 Always On VPN over DirectAccess 

Windows 10 Always On VPN and the Future of DirectAccess 

5 Things DirectAccess Administrators Should Know About Always On VPN 

21 Comments
by Richard M. Hicks on January 2, 2018  •  Permalink
Posted in Always On VPN, AOVPN, PowerShell, Remote Access, VPN, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 2, 2018

https://directaccess.richardhicks.com/2018/01/02/always-on-vpn-and-windows-routing-and-remote-access-service-rras/

« Older Posts
%d bloggers like this: