PPTP VPN SECURITY CONCERNS


PPTP VPN Security Risks

PPTP is Microsoft’s VPN implementation and has been around since Windows NT. Users tend to like PPTP because it is typically configured on Windows desktops with a shortcut that remembers the username and password for quick access. When coupled with proper name resolution (historically WINS, now DNS), users can easily browse the network for shares and printers. On the back end, Windows Server PPTP is configured by the system administrator through the Routing and Remote Access Service (RRAS) role. While the tools used to manage and deploy PPTP systems have changed with each new version of Windows, it is universally agreed that PPTP is insecure compared to modern alternatives, and it adds indirect support costs even when upgraded to support SSTP.

The PPTP protocol itself is no longer considered secure: cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single 56-bit DES key, which current computers can brute-force in a very short time. Because the entire 56-bit keyspace can be searched within practical time constraints, a strong password is largely irrelevant to the security of PPTP.

The attacker captures the handshake (and any PPTP traffic after it), cracks the handshake offline and derives the RC4 key. Once the RC4 key is derived, the attacker can decrypt and analyze the traffic carried in the PPTP VPN. PPTP does not support forward secrecy, so cracking one PPTP session is sufficient to crack all prior PPTP sessions that used the same credentials.

PPTP provides weak protection for the integrity of the data being tunneled. The RC4 cipher provides encryption but does not verify the integrity of the data, as it is not an Authenticated Encryption with Associated Data (AEAD) cipher. PPTP also performs no additional integrity checks on its traffic and is vulnerable to bit-flipping attacks, i.e. the attacker can modify PPTP packets with little chance of detection. Various published attacks on the RC4 cipher (such as the Royal Holloway attack) make RC4 a bad choice for securing large amounts of transmitted data, and VPNs are a prime candidate for such attacks because they typically carry large amounts of sensitive data.
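As an added illustration of the integrity point above (this is not code from the original article or from MyWorkDrive), the following Go program shows why an unauthenticated RC4 stream is malleable: XORing one ciphertext byte with a mask, without any knowledge of the key, XORs the same plaintext byte on decryption and nothing detects it. Beside it is the missing piece, a MAC over the ciphertext (encrypt-then-MAC, here HMAC-SHA256), which rejects the tampered message before it is ever decrypted; an AEAD mode gives the same guarantee in one primitive. The keys and the plaintext are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rc4"
	"crypto/sha256"
	"fmt"
)

// rc4Xor applies the RC4 keystream to data. RC4 is a pure XOR stream, so the
// same call both encrypts and decrypts.
func rc4Xor(key, data []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err) // the constructed keys below are always a valid length
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// FlipByteInCiphertext returns a copy of ct with one byte XORed by mask. No
// key is needed: on an XOR stream the mask lands on the matching plaintext byte.
func FlipByteInCiphertext(ct []byte, pos int, mask byte) []byte {
	mod := append([]byte(nil), ct...)
	mod[pos] ^= mask
	return mod
}

// DecryptUnauthenticated models RC4-only tunnel encryption as the article
// describes it: whatever arrives is decrypted, tampered or not.
func DecryptUnauthenticated(key, ct []byte) []byte {
	return rc4Xor(key, ct)
}

// SealAuthenticated encrypts with RC4, then appends an HMAC-SHA256 tag over
// the ciphertext (encrypt-then-MAC). This is the integrity check PPTP lacks.
func SealAuthenticated(encKey, macKey, pt []byte) []byte {
	ct := rc4Xor(encKey, pt)
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return append(ct, m.Sum(nil)...)
}

// OpenAuthenticated verifies the tag in constant time before decrypting and
// reports false for any modified message.
func OpenAuthenticated(encKey, macKey, sealed []byte) ([]byte, bool) {
	if len(sealed) < sha256.Size {
		return nil, false
	}
	split := len(sealed) - sha256.Size
	ct, tag := sealed[:split], sealed[split:]
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, false
	}
	return rc4Xor(encKey, ct), true
}

func main() {
	// Constructed sample values; not taken from any real system.
	encKey := []byte("constructed-rc4-key")
	macKey := []byte("constructed-mac-key")
	pt := []byte("role=user;grant=0")

	// 1. RC4 alone: flip the last byte so '0' becomes '1' without the key.
	ct := rc4Xor(encKey, pt)
	tampered := FlipByteInCiphertext(ct, len(ct)-1, '0'^'1')
	fmt.Printf("RC4 only, tampered message decrypts to: %q\n", DecryptUnauthenticated(encKey, tampered))

	// 2. RC4 + HMAC: the same flip is rejected before decryption.
	sealed := SealAuthenticated(encKey, macKey, pt)
	_, ok := OpenAuthenticated(encKey, macKey, FlipByteInCiphertext(sealed, len(pt)-1, '0'^'1'))
	fmt.Printf("RC4 + HMAC, tampered message accepted: %v\n", ok)
}
```

The first case is the situation the paragraph describes: the receiver cannot tell a modified packet from a genuine one. The second case is what any modern tunnel protocol provides, either as a separate MAC or as part of an AEAD cipher.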

PPTP Vulnerabilities

Security experts have reviewed PPTP and listed numerous known vulnerabilities including:

MS-CHAP-V1 is Fundamentally Insecure

Tools exist that can easily extract the NT password hashes from MS-CHAP-V1 authentication traffic. MS-CHAP-V1 is the default setting on older Windows Servers.

MS-CHAP-V2 is Vulnerable

MS-CHAP-V2 is vulnerable to dictionary attacks on captured challenge-response packets. Tools exist to crack these exchanges rapidly.

Brute Force Attack Possibilities

It has been demonstrated that the complexity of a brute-force attack on an MS-CHAP-v2 key is equivalent to a brute-force attack on a single DES key.
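To make the DES reduction discussed above concrete, here is an added Go example (not code from the article or from MyWorkDrive) that implements the MS-CHAPv2 challenge-response computation exactly as RFC 2759 specifies it: the 8-byte challenge is the first 8 bytes of SHA-1 over the peer challenge, the authenticator challenge and the user name, and the 24-byte NT-Response is that challenge encrypted under three DES keys cut from the 16-byte NT password hash. The cut is 7 + 7 + 2 bytes, the third key being padded with five zero bytes. The same known plaintext is therefore encrypted under two independent 56-bit keys and one 16-bit key, which is why recovering the hash costs no more than a single DES key search, regardless of password length. The program checks itself against the RFC 2759 section 9.2 test vector (user "User", password "clientPass"); the NT hash is taken from that vector rather than computed, so no MD4 implementation is needed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// ChallengeHash derives the 8-byte challenge from the peer challenge, the
// authenticator challenge and the user name (RFC 2759, section 8.2).
func ChallengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// desKeyFrom7 spreads 56 key bits over 8 bytes, 7 bits per byte with the
// parity bit cleared, which is the key layout DES expects (RFC 2759, 8.6).
func desKeyFrom7(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	out := make([]byte, 8)
	for i := 0; i < 8; i++ {
		out[i] = byte((bits>>uint(49-7*i))&0x7F) << 1
	}
	return out
}

// DesKeys splits the 16-byte NT hash into the three DES keys MS-CHAPv2 uses:
// two full 7-byte keys and a third made of the last 2 hash bytes followed by
// five zero bytes (RFC 2759, section 8.5). Only 16 bits of key 3 are secret.
func DesKeys(ntHash []byte) [3][]byte {
	padded := make([]byte, 21)
	copy(padded, ntHash) // bytes 16..20 stay zero
	return [3][]byte{
		desKeyFrom7(padded[0:7]),
		desKeyFrom7(padded[7:14]),
		desKeyFrom7(padded[14:21]),
	}
}

// ChallengeResponse computes the 24-byte NT-Response: the 8-byte challenge
// encrypted under each of the three DES keys in turn (RFC 2759, section 8.5).
func ChallengeResponse(challenge, ntHash []byte) ([]byte, error) {
	resp := make([]byte, 0, 24)
	for _, k := range DesKeys(ntHash) {
		block, err := des.NewCipher(k)
		if err != nil {
			return nil, err
		}
		out := make([]byte, 8)
		block.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp, nil
}

// VerifyResponse is what an authenticator does: recompute the expected
// response from the stored NT hash and compare it with what the peer sent.
func VerifyResponse(peerChallenge, authChallenge []byte, userName string, ntHash, got []byte) bool {
	want, err := ChallengeResponse(ChallengeHash(peerChallenge, authChallenge, userName), ntHash)
	return err == nil && bytes.Equal(want, got)
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 2759 section 9.2 test vector (user "User", password "clientPass").
	authChallenge := mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChallenge := mustHex("21402324255E262A28295F2B3A337C7E")
	ntHash := mustHex("44EBBA8D5312B8D611474411F56989AE")

	challenge := ChallengeHash(peerChallenge, authChallenge, "User")
	resp, _ := ChallengeResponse(challenge, ntHash)
	fmt.Printf("challenge    %X\nNT-Response  %X\n", challenge, resp)
	// The third key visibly carries only two bytes of the hash.
	for i, k := range DesKeys(ntHash) {
		fmt.Printf("DES key %d    %X\n", i+1, k)
	}
}
```

Because the challenge and the 24-byte response both travel in the clear, anyone holding a capture has a known plaintext and three ciphertexts; the structure shown by `DesKeys` is the entire reason the work factor collapses to one DES key, and the only real fix is to stop using MS-CHAPv2 outside a protected channel.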

Additional Support Costs

Beware of the additional support costs commonly associated with PPTP and the Microsoft VPN client.

  • By default, all of an end user’s network traffic is routed through the office VPN. This leaves the internal network open to malware and slows down Internet access for all users at the office.
  • PPTP is blocked at many locations because of its known security issues, resulting in help desk calls to resolve connectivity problems.
  • Conflicts between office subnets and the subnets at remote sites can break Microsoft VPN routing, resulting in no connectivity and again leading to additional support costs.
  • Minor network fluctuations can disconnect the Microsoft VPN client while files are in use, corrupting them and leading to restores and lost work.
  • The IT department will need to maintain an additional fleet of corporate laptops with the Microsoft VPN preconfigured for each potential remote user.
  • CryptoLocker-type malware is free to encrypt files over the VPN tunnel.

MyWorkDrive as a Solution

MyWorkDrive acts as the perfect VPN alternative.

With MyWorkDrive, the security risks of supporting Microsoft PPTP or SSTP VPNs are eliminated:

  • Users get an elegant, easy-to-use Web File Manager client accessible from any browser.
  • IT support costs are eliminated – users simply log on with their existing Windows Active Directory credentials, or use ADFS or any SAML provider, to access company shares and home drives and to edit or view documents online.
  • Mobile clients for Android and iOS and the MyWorkDrive Desktop Mapped Drive client are available.
  • Unlike a VPN, MyWorkDrive can block file types and send alerts when file changes exceed set thresholds, to block ransomware.
  • For security, all MyWorkDrive clients support Duo two-factor authentication.


10 Reasons why SharePoint is not a File Server


Many companies are migrating to Office 365. SharePoint Online is included with most subscriptions for free. Often, IT professionals are asked to evaluate moving their company file servers to SharePoint Online. While SharePoint is great for collaborating on documents with teams inside or outside of the company, can it completely replace an on-premises file server for larger firms?

Here’s the list of the top 10 reasons we compiled on why SharePoint is not a file server:


  1. Speed – Nothing can beat the speed of local network file server access. While Internet speeds are measured in megabits, local network speeds are measured in megabytes. A local network connection is at least 10 times faster than any Internet connection. For example, a fast 100 Mbps home Internet connection only equates to 12.2 MB/s. In the office, networks are typically 1 Gbps – a whopping 125 MB/s! For large file access, nothing beats a local area network connection.
  2. Simplicity – Users are trained to grab their files from a mapped drive. With SharePoint, files are stored in libraries that are accessed through a web-based interface, which looks nothing like Windows File Explorer. Alternatively, users can access files using the OneDrive for Business client, which requires user training and intervention to sync and to locate the shares they need.
  3. Storage Capacities – Even the smallest companies easily have terabytes of data. SharePoint Online has a 1TB limit on each library, a 5,000-item display limit, a 15GB file size limit and a maximum 100,000-file sync limit. Even if you did store this much data, or files this large, accessing them over the Internet may be unworkable (see Reason #1).
  4. Migration – Migrating to SharePoint from legacy file shares takes careful planning. All permissions must be manually recreated on the SharePoint sites along with equivalent folder structures. File names on local shares allow special characters that are not allowed in SharePoint (#%&), and such files must all be renamed before migrating them.
  5. Backups and Disaster Recovery – Traditional file shares can easily be replicated to multiple sites, backed up and archived for compliance going back many years. With SharePoint, restoring old data involves multiple databases and entire SharePoint farms that may no longer be supported. SharePoint Online only keeps the latest 90 days of deleted files; backups require additional third-party subscription services that charge for ongoing backups and retrieval.
  6. Total Cost of Ownership (TCO) – Traditional file shares can be deployed to users in minutes or made available using VPN or SSL VPN products like MyWorkDrive.com with a simple File Explorer-style web page. With SharePoint Online, deployments are complex, data is scattered across libraries, and scripting tools and services come with high price tags. Users must also be trained on how to share and access data. This all leads to additional IT support and training costs.
  7. Ownership of Data – Many firms have compliance regulations preventing them from moving files to the cloud, or legal concerns as to who has access to their company data. Moving data to SharePoint Online requires careful compliance and legal review.
  8. Fragility – SharePoint systems are complicated and fragile. Any Windows update can take down the entire SharePoint farm. File servers and Network Attached Storage (NAS) devices are dead simple to manage, patch and restore in an emergency. Even with SharePoint Online, syncing issues on a single PC can corrupt or remove data across multiple users.
  9. File Locking – Databases, engineering CAD files and accounting applications are designed to run locally at gigabit speeds and rely on the ability to lock files in a multi-user network environment. These types of files cannot be stored or accessed using SharePoint.
  10. Archiving – Traditional file shares can be easily encrypted and stored offsite indefinitely, then restored at any time in the future regardless of technology changes. With SharePoint, entire systems must be restored, or with SharePoint Online additional archiving services that copy SharePoint into long-term archives must be purchased and paid for perpetually, leading to additional support and subscription costs.

Bottom line – SharePoint is not a file server, it’s a collaboration portal. Microsoft has a great support article on this topic, and at the 2017 Ignite Conference it released File Share Syncing to Azure (see our earlier blog article), which makes it clear Microsoft will be supporting file servers for many years into the future.

With MyWorkDrive our customers get the best of both worlds: local file access and secure remote access with cloud features.
