Windows 98 Dial-Up Networking Security Upgrade Release Notes (August 1998)

Article ID: 189771

Summary

This article contains a copy of the Windows 98 Dial-Up Networking Security Upgrade Release Notes from August 1998.

More information

Microsoft(r) Windows(r) 98 Dial-Up Networking Security Upgrade
Release Notes

1. INTRODUCTION
===============

This security upgrade for Windows 98 Dial-up Networking is designed to
enhance the protection of both dial-up and VPN connections by strengthening
several aspects of password management and data encryption.

1.1 INSTALLATION NOTES
======================

Execute the Dun40.exe file and follow the instructions it displays. At the
end of the installation process you will be required to reboot your PC.

1.2 MSCHAP V2
=============

A new MSCHAP secure mode (MSCHAP V2) has been implemented, providing mutual
authentication, stronger initial data encryption keys, and different
encryption keys for the transmit and receive paths.

To minimize the risk of password compromise during MSCHAP exchanges, MSCHAP
V2 drops support for the MSCHAP password change V1, and will not transmit
the LM password response.

For VPN connections, a Windows NT 4.0 server (updated as described below)
will negotiate MSCHAP V2 before negotiating the original MSCHAP. An updated
Windows 98 client will accept this offer and use MSCHAP V2 as the
authentication method. To ensure that no VPN clients authenticate using
MSCHAP, the server can be set to require MSCHAP V2. This will prevent
legacy clients from presenting their credentials in an MSCHAP or PAP or
CHAP exchange, and is a likely configuration for networks that require the
most secure authentication method.

1.3 SECURE VPN MODE
===================

If there are special circumstances in which you wish to ensure that your PC
uses only the new MSCHAP V2 for all VPN connection attempts, a new
client-side registry flag, SecureVPN, can be used to force this behavior.
When this flag is set, your PC will only accept MSCHAP V2 authentication
for any VPN connections. In addition, this flag will require data
encryption for all VPN connections. Dial-up connections are not affected.

   NOTE: Most users will not need to use the Secure VPN flag. This flag
   should be used with care because it will affect the behavior of all VPN
   connections from your machine. In general, the required use of MSCHAP V2
   and data encryption can be enforced more easily on the server.

The registry setting which will force a Windows 98 client to use only the
new MSCHAP V2 secure mode and require data encryption for PPTP connections
is defined below. By default, this registry variable is absent, meaning "do
not force secure mode on PPTP connections". The value of this variable is
checked just before a connection is attempted.

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess

      DWORD: SecureVPN
      Value: 0x00000001 == Force secure mode (MSCHAP V2 plus data
                           encryption) on all PPTP connections
      Value: 0x00000000 == Do not force secure mode on PPTP connections
                           (default)

1.4 LM RESPONSE SUPPRESSION
===========================

This release also provides a new registry variable which prevents the
client from sending the LM response to a legacy MSCHAP challenge, as
defined below. By default, this variable is absent, meaning that the client
should send the LM response (in order to maintain compatibility with legacy
servers). This variable affects both dial-up and VPN connections; its value
is checked just before a connection is attempted.

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess

      DWORD: UseLmPassword
      0x00000001 == Send LM challenge response (default)
      0x00000000 == Do not send LM challenge response (send only NT
                    challenge response)

1.5 FORCING STRONG ENCRYPTION
=============================

Windows 98 Dial-up Networking already supports a checkbox to require
encryption for a specific connection. Clients which support 128-bit
encryption will accept any level of encryption (128-bit or 40-bit) offered
by the server. This upgrade provides a new registry flag,
ForceStrongEncryption. When set, this flag will require 128-bit encryption
for any connection which has already been set to require encryption. (In
other words, setting the new registry flag essentially changes the meaning
of the existing checkbox from "require encryption" to "require strong
encryption".)

   NOTE: As originally installed, Windows 98 Dial-up Networking supports
   40-bit encryption. An optional upgrade will be available to users in
   North America which adds the ability to support 128-bit encryption as
   well.

The registry flag which forces strong encryption is defined below. By
default, the flag is absent. The value of this flag is checked just before
a connection is attempted.

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess

      DWORD: ForceStrongEncryption
      0x00000001 == Requires 128-bit encryption for any connection which
                    already requires encryption
      0x00000000 == No effect; does not force strong encryption (default)
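
The three registry flags in sections 1.3 to 1.5 interact with the connection type and the per-connection "require encryption" checkbox. The following sketch is an added example, not part of the release notes or of any Microsoft tool: it reads the flags from a REGEDIT4 text export of the RemoteAccess key, applies the documented defaults for absent values, and reports the resulting behavior for one connection. The function names, the result labels and the sample export are assumptions made for illustration.

```python
import re

# Key, value names and absent-value defaults are taken from the release notes.
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess"
DEFAULTS = {"SecureVPN": 0, "UseLmPassword": 1, "ForceStrongEncryption": 0}
NAMES = {n.lower(): n for n in DEFAULTS}  # registry names are case-insensitive

# Constructed sample export (REGEDIT4 text format), not taken from a real machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess]
"SecureVPN"=dword:00000001
"UseLmPassword"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Other]
"ForceStrongEncryption"=dword:00000001
'''

def read_flags(reg_text):
    """Return the three flags from a .reg export, filling in documented defaults."""
    flags, section = dict(DEFAULTS), None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == KEY.lower():  # values under subkeys are ignored
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m and m.group(1).lower() in NAMES:
                flags[NAMES[m.group(1).lower()]] = int(m.group(2), 16)
    return flags

def effective_policy(flags, kind, require_encryption):
    """kind is 'vpn' or 'dialup'; require_encryption is the per-connection checkbox."""
    secure_vpn = kind == "vpn" and flags["SecureVPN"] == 1
    encrypt = require_encryption or secure_vpn
    # 128-bit is reported only when the checkbox is set: the notes do not say whether
    # ForceStrongEncryption also applies to encryption that SecureVPN forces.
    if require_encryption and flags["ForceStrongEncryption"] == 1:
        level = "128-bit only"
    elif encrypt:
        level = "required (40- or 128-bit)"
    else:
        level = "optional"
    return {
        "auth": "MSCHAP V2 only" if secure_vpn else "negotiated",
        # MSCHAP V2 never sends the LM response; legacy MSCHAP does unless UseLmPassword is 0.
        "lm_response_possible": (not secure_vpn) and flags["UseLmPassword"] != 0,
        "encryption": level,
    }
```

Running `effective_policy(read_flags(SAMPLE_REG), "dialup", False)` shows that SecureVPN leaves dial-up connections untouched while UseLmPassword still applies to them.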

1.6 SERVER UPDATES
==================

This upgrade is fully compatible with legacy Dial-up and PPTP systems.
However, in order to benefit from MSCHAP V2, both the client and server
must support this new mode. Server support for MSCHAP V2 is included in
Windows NT 4.0 Service Pack 4. For more information, please see the
following article in the Microsoft Knowledge Base.

   ARTICLE-ID: Q152734
   TITLE     : How to Obtain the Latest Windows NT 4.0 Service Pack

Servers running the Routing and Remote Access Upgrade should first apply
the above, and then also apply rras30-fix from the same location.

   NOTE: RAS and PPTP servers must be maintained to current Windows NT
   Service Pack levels. A Windows 98 client machine may not connect to a
   Windows NT Server that has not been updated to Service Pack 3 or above.

1.7 OTHER CHANGES
=================

The details section of the connection status display has been modified to
identify the specific form of CHAP that was used in the connection.
Standard CHAP is displayed as "Challenge Authentication Protocol"; legacy
MSCHAP is displayed as "Microsoft Challenge Authentication Protocol"; and
MSCHAP V2 is displayed as "Microsoft Mutual Challenge Authentication
Protocol".

1.8 REMOVING THIS UPDATE
========================

IMPORTANT: This section is different from the same section in the Release
Notes that is available with the Windows 98 Dial-Up Networking Security
Upgrade.

This security upgrade does not provide its own uninstall program. If you
wish to remove the upgrade, you can accomplish this by removing and
re-installing Dial-up Networking as a whole. If you installed Windows 98 as
an upgrade, this process may ask for your original Windows 98 CD. If you
have defined connections in the Dial-up Networking folder, these will not
be lost. However, all information regarding ISDN devices (including switch
type and spid) will be lost, so you should record this information before
proceeding. (ISDN information can be created or reviewed by running the
ISDN Setup Wizard which can be found in the Start -> Programs ->
Accessories -> Communications menu.)

Perform the following steps to uninstall Dial-Up Networking:

1. In Control Panel, double-click the Add/Remove Programs tool, click the
   Windows Setup tab, click Communications (do not click the check box,
   click the word "communications"), and then click Details.

2. Click the Dial-Up Networking check box so that it is no longer selected,
   click OK, and then click OK again. Please note that this removes VPN as
   well.

3. When prompted to restart your computer, click No.

4. Click the Start button, point to Find, click Files or Folders, and then
   click the Name And Location tab.

5. In the Named field, find and delete the following files from the
   Windows\System folder:

      Pppmac.vxd
      Rasapi32.dll
      Rnaapp.exe

6. Close the Find dialog box.

7. In Control Panel, double-click the Add/Remove Programs tool, click the
   Windows Setup tab, click Communications (do not click the check box,
   click the word "communications"), and then click Details.

8. Add Dial-Up Networking and VPN, click OK, and then click OK again.

9. Restart your computer when prompted.
				

Properties

Article ID: 189771 - Last updated: January 23, 2007 - Revision: 1.3
This article applies to the following products:
  • Microsoft Windows 98 Standard Edition
Keywords:
kbinfo kbreadme kbmt KB189771 KbMtja