Article ID: 189771
This article was previously published under Q189771
NOTE: This article is for informational use only. It does not contain any troubleshooting information. If you are searching for troubleshooting information that is not mentioned in this article, search the Microsoft Knowledge Base again by using keywords that are listed in the following Microsoft Knowledge Base article:

   How to Query the Microsoft Knowledge Base Using Keywords
   http://support.microsoft.com/kb/242450/EN-US/
This article contains a copy of the Windows 98 Dial-Up Networking Security Upgrade Release Notes from August 1998.
Microsoft(r) Windows(r) 98 Dial-Up Networking Security Upgrade Release Notes

1. INTRODUCTION
===============

This security upgrade for Windows 98 Dial-up Networking is designed to enhance the protection of both dial-up and VPN connections by strengthening several aspects of password management and data encryption.

1.1 INSTALLATION NOTES
======================

Execute the Dun40.exe file and follow the instructions it displays. At the end of the installation process you will be required to reboot your PC.

1.2 MSCHAP V2
=============

A new MSCHAP secure mode (MSCHAP V2) has been implemented, providing mutual authentication, stronger initial data encryption keys, and different encryption keys for the transmit and receive paths. To minimize the risk of password compromise during MSCHAP exchanges, MSCHAP V2 drops support for the MSCHAP password change V1, and will not transmit the LM password response.

For VPN connections, a Windows NT 4.0 server (updated as described below) will negotiate MSCHAP V2 before negotiating the original MSCHAP. An updated Windows 98 client will accept this offer and use MSCHAP V2 as the authentication method.

To ensure that no VPN clients authenticate using MSCHAP, the server can be set to require MSCHAP V2. This will prevent legacy clients from presenting their credentials in an MSCHAP or PAP or CHAP exchange, and is a likely configuration for networks that require the most secure authentication method.

1.3 SECURE VPN MODE
===================

If there are special circumstances in which you wish to ensure that your PC uses only the new MSCHAP V2 for all VPN connection attempts, a new client-side registry flag, SecureVPN, can be used to force this behavior. When this flag is set, your PC will only accept MSCHAP V2 authentication for any VPN connections. In addition, this flag will require data encryption for all VPN connections. Dial-up connections are not affected.

NOTE: Most users will not need to use the Secure VPN flag. This flag should be used with care because it will affect the behavior of all VPN connections from your machine. In general, the required use of MSCHAP V2 and data encryption can be enforced more easily on the server.

The registry setting which will force a Windows 98 client to use only the new MSCHAP V2 secure mode and require data encryption for PPTP connections is defined below. By default, this registry variable is absent, meaning "do not force secure mode on PPTP connections". The value of this variable is checked just before a connection is attempted.

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess
   DWORD: SecureVPN
      Value: 0x00000001 == Force secure mode (MSCHAP V2 plus data encryption) on all PPTP connections
      Value: 0x00000000 == Do not force secure mode on PPTP connections (default)

1.4 LM RESPONSE SUPPRESSION
===========================

This release also provides a new registry variable which prevents the client from sending the LM response to a legacy MSCHAP challenge, as defined below. By default, this variable is absent, meaning that the client should send the LM response (in order to maintain compatibility with legacy servers). This variable affects both dial-up and VPN connections; its value is checked just before a connection is attempted.

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess
   DWORD: UseLmPassword
      0x00000001 == Send LM challenge response (default)
      0x00000000 == Do not send LM challenge response (send only NT challenge response)

1.5 FORCING STRONG ENCRYPTION
=============================

Windows 98 Dial-up Networking already supports a checkbox to require encryption for a specific connection. Clients which support 128-bit encryption will accept any level of encryption (128-bit or 40-bit) offered by the server. This upgrade provides a new registry flag, ForceStrongEncryption. When set, this flag will require 128-bit encryption for any connection which has already been set to require encryption. (In other words, setting the new registry flag essentially changes the meaning of the existing checkbox from "require encryption" to "require strong encryption".)

NOTE: As originally installed, Windows 98 Dial-up Networking supports 40-bit encryption. An optional upgrade will be available to users in North America which adds the ability to support 128-bit encryption as well.

The registry flag which forces strong encryption is defined below. By default, the flag is absent. The value of this flag is checked just before a connection is attempted.

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess
   DWORD: ForceStrongEncryption
      0x00000001 == Requires 128-bit encryption for any connection which already requires encryption
      0x00000000 == No effect; does not force strong encryption (default)

1.6 SERVER UPDATES
==================

This upgrade is fully compatible with legacy Dial-up and PPTP systems. However, in order to benefit from MSCHAP V2, both the client and server must support this new mode. Server support for MSCHAP V2 is included in Windows NT 4.0 Service Pack 4. For more information, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q152734
   TITLE     : How to Obtain the Latest Windows NT 4.0 Service Pack

Servers running the Routing and Remote Access Upgrade should first apply the above, and then also apply rras30-fix from the same location.

NOTE: RAS and PPTP servers must be maintained to current Windows NT Service Pack levels. A Windows 98 client machine may not connect to a Windows NT Server that has not been updated to Service Pack 3 or above.

1.7 OTHER CHANGES
=================

The details section of the connection status display has been modified to identify the specific form of CHAP that was used in the connection.
Standard CHAP is displayed as "Challenge Authentication Protocol"; legacy MSCHAP is displayed as "Microsoft Challenge Authentication Protocol"; and MSCHAP V2 is displayed as "Microsoft Mutual Challenge Authentication Protocol".

1.8 REMOVING THIS UPDATE
========================

IMPORTANT: This section is different from the same section in the Release Notes that is available with the Windows 98 Dial-Up Networking Security Upgrade.

This security upgrade does not provide its own uninstall program. If you wish to remove the upgrade, you can accomplish this by removing and re-installing Dial-up Networking as a whole. If you installed Windows 98 as an upgrade, this process may ask for your original Windows 98 CD.

If you have defined connections in the Dial-up Networking folder, these will not be lost. However, all information regarding ISDN devices (including switch type and spid) will be lost, so you should record this information before proceeding. (ISDN information can be created or reviewed by running the ISDN Setup Wizard which can be found in the Start -> Programs -> Accessories -> Communications menu.)

Perform the following steps to uninstall Dial-Up Networking:

1. In Control Panel, double-click the Add/Remove Programs tool, click the Windows Setup tab, click Communications (do not click the check box, click the word "communications"), and then click Details.
2. Click the Dial-Up Networking check box so that it is no longer selected, click OK, and then click OK again. Please note that this removes VPN as well.
3. When prompted to restart your computer, click No.
4. Click the Start button, point to Find, click Files or Folders, and then click the Name And Location tab.
5. In the Named field, find and delete the following files from the Windows\System folder:

      Pppmac.vxd
      Rasapi32.dll
      Rnaapp.exe

6. Close the Find dialog box.
7. In Control Panel, double-click the Add/Remove Programs tool, click the Windows Setup tab, click Communications (do not click the check box, click the word "communications"), and then click Details.
8. Add Dial-Up Networking and VPN, click OK, and then click OK again.
9. Restart your computer when prompted.
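The three client-side flags defined in sections 1.3 through 1.5 (SecureVPN, UseLmPassword and ForceStrongEncryption) all live under the same RemoteAccess key, and each one falls back to the legacy-compatible behavior when the value is absent. The script below is an added example written for this article; it is not part of the release notes and not Microsoft's code. It parses a REGEDIT4-format export of that key (the format the Windows 98 Regedit produces), applies the absent-value defaults stated in sections 1.3 through 1.5, reports which flags still leave the client in its legacy posture, and emits a .reg fragment that sets all three to their strict values. The function names, the key-scoping rule and the sample export are constructed for this example.

```python
"""Audit the Windows 98 Dial-Up Networking security flags from a .reg export.

Hypothetical helper written for this article; not Microsoft code. It reads
the DWORD values under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\RemoteAccess
from a REGEDIT4 export and applies the defaults the release notes give for
an absent value.
"""
import re

REMOTE_ACCESS_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess"

# name -> (value assumed when absent, value the release notes call the strict setting)
FLAGS = {
    "SecureVPN": (0, 1),             # absent == do not force MSCHAP V2 + encryption
    "UseLmPassword": (1, 0),         # absent == LM challenge response is sent
    "ForceStrongEncryption": (0, 1), # absent == 40-bit still accepted
}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')


def parse_reg_dwords(reg_text, key=REMOTE_ACCESS_KEY):
    """Return {name: int} for DWORD values under `key` in a REGEDIT4 export.

    Values under other keys are ignored, and a value that is missing or
    deleted ("name"=-) simply does not appear in the result, so the caller
    can apply the absent-value defaults."""
    values = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry key names are case-insensitive
            continue
        if current != key.lower():
            continue
        m = _DWORD_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def effective_flags(values):
    """Apply the release-note default for every flag that is absent."""
    return {name: values.get(name, default) for name, (default, _) in FLAGS.items()}


def audit(reg_text):
    """Return (effective flag values, list of findings still in legacy posture)."""
    eff = effective_flags(parse_reg_dwords(reg_text))
    findings = []
    if eff["UseLmPassword"] != 0:
        findings.append("UseLmPassword: LM challenge response is still sent to legacy MSCHAP challenges")
    if eff["SecureVPN"] != 1:
        findings.append("SecureVPN: VPN connections may still negotiate MSCHAP, CHAP or PAP, or run unencrypted")
    if eff["ForceStrongEncryption"] != 1:
        findings.append("ForceStrongEncryption: 'require encryption' still accepts 40-bit keys")
    return eff, findings


def hardening_reg():
    """Emit a REGEDIT4 fragment that sets every flag to its strict value."""
    lines = ["REGEDIT4", "", f"[{REMOTE_ACCESS_KEY}]"]
    for name, (_, strict) in FLAGS.items():
        lines.append(f'"{name}"=dword:{strict:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export: only UseLmPassword is set explicitly (to the
# default), and a SecureVPN value under an unrelated key must be ignored.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess]
"UseLmPassword"=dword:00000001
"Unrelated"="text"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Other]
"SecureVPN"=dword:00000001
"""

if __name__ == "__main__":
    eff, findings = audit(SAMPLE_EXPORT)
    print("Effective flags:", eff)
    for f in findings:
        print("FINDING:", f)
    print("\nHardening fragment (import with Regedit):\n" + hardening_reg())
```

To audit a real machine, export the RemoteAccess key with Regedit and pass the file's text to audit(); the REGEDIT4 header is what Windows 98 writes, and the parser only looks at DWORD lines under that one key, so other keys in a larger export do not disturb the result.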