PPTP VPN SECURITY CONCERNS
PPTP is Microsoft’s VPN implementation that has been around since Windows NT. Users tend to like PPTP because it’s typically configured on Windows desktops with a shortcut that remembers the username and password for quick access. When coupled with proper name resolution (historically WINS, now DNS), users can easily browse the network for shares and printers. On the back-end Windows Server, PPTP is configured by the system administrator with the Routing and Remote Access role (RRAS). While the tools used to manage and deploy PPTP systems have changed with each new version of Windows, it’s universally agreed that PPTP is insecure compared to modern alternatives and adds indirect support costs even when upgraded to support SSTP.
Security experts have reviewed PPTP and listed numerous known vulnerabilities including:
- MS-CHAP-V1 is fundamentally insecure. Tools exist that can easily extract the NT password hashes from MS-CHAP-V1 authentication traffic. MS-CHAP-V1 is the default setting on older Windows Servers.
- MS-CHAP-V2 is vulnerable to dictionary attacks on captured challenge-response packets. Tools exist to crack these exchanges rapidly.
- It has been demonstrated that the complexity of a brute-force attack on an MS-CHAP-V2 key is equivalent to a brute-force attack on a single DES key.
Additional Support Costs Associated with PPTP & Microsoft VPN Client include:
- By default, an end user’s Windows network traffic is routed through the office VPN network. This leaves the internal network open to malware and slows down internet access for all users at the office.
- PPTP is typically blocked at many locations due to the known security issues resulting in calls to the help desk to resolve connectivity issues.
- Conflicts with office internal subnets at remote sites can block Microsoft VPN routing, resulting in no connectivity and again leading to additional support costs.
- Minor network fluctuations can disconnect the Microsoft VPN client while in use, corrupting files and leading to restores and lost work.
- The IT Department will need to maintain an additional fleet of corporate laptops with Microsoft VPN preconfigured for each potential remote user.
- CryptoLocker-type malware is free to encrypt files over the VPN tunnel.
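To find client profiles that still carry the weaknesses listed above (PPTP tunnels, MS-CHAP-V2 authentication, remembered credentials, all traffic routed through the VPN), the following PowerShell audit can be run against the output of Get-VpnConnection. It is an added example, not part of the original article; the function name Test-VpnProfile and the sample profiles are constructed for illustration.

```powershell
# Added example: flag Windows VPN client profiles with the issues described above.
# Test-VpnProfile is a hypothetical helper name; the property names it reads
# (TunnelType, AuthenticationMethod, RememberCredential, SplitTunneling) are the
# ones returned by the built-in Get-VpnConnection cmdlet.
function Test-VpnProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Connection
    )
    process {
        $findings = @()
        # AuthenticationMethod may hold several values; normalise to strings.
        $auth = @($Connection.AuthenticationMethod | ForEach-Object { "$_" })

        if ("$($Connection.TunnelType)" -eq 'Pptp') {
            $findings += 'PPTP tunnel'
        }
        if ($auth -contains 'MSChapv2') {
            $findings += 'MS-CHAP-V2 authentication'
        }
        if ($Connection.RememberCredential) {
            $findings += 'Credentials remembered on the client'
        }
        if (-not $Connection.SplitTunneling) {
            $findings += 'All client traffic routed through the VPN'
        }

        [pscustomobject]@{
            Name       = $Connection.Name
            TunnelType = "$($Connection.TunnelType)"
            Flagged    = ($findings.Count -gt 0)
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample profiles so the script runs without any VPN configured.
$sample = @(
    [pscustomobject]@{ Name = 'Office-Legacy'; TunnelType = 'Pptp'
        AuthenticationMethod = @('MSChapv2'); RememberCredential = $true; SplitTunneling = $false },
    [pscustomobject]@{ Name = 'Office-IKEv2'; TunnelType = 'Ikev2'
        AuthenticationMethod = @('Eap'); RememberCredential = $false; SplitTunneling = $true }
)
$sample | Test-VpnProfile | Format-Table -AutoSize -Wrap

# On a real client, audit per-user and all-user profiles:
#   Get-VpnConnection | Test-VpnProfile
#   Get-VpnConnection -AllUserConnection | Test-VpnProfile
```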
In contrast, with MyWorkDrive the security risks of supporting Microsoft PPTP or SSTP VPNs are eliminated: users get an elegant, easy-to-use Web File Manager client accessible from any browser. IT support costs are eliminated – users simply log on with their existing Windows Active Directory credentials or use ADFS SSO to access company shares and home drives and to edit/view documents online. Additionally, mobile clients for Android/iOS and MyWorkDrive Desktop Mapped Drive clients are available. For security, all MyWorkDrive clients support DUO Two Factor authentication.