Applies To: Windows 7 Service Pack 1; Windows 7 Enterprise; Windows 7 Professional; Windows 7 Ultimate; Windows 7 Home Premium; Windows 7 Home Basic; Windows Server 2008 R2 Service Pack 1; Windows Server 2008 R2 Standard; Windows Server 2008 R2 Enterprise; Windows Server 2008 R2 Datacenter; Windows Server 2008 Service Pack 2; Windows Server 2008 for Itanium-Based Systems; Windows Server 2008 Datacenter; Windows Server 2008 Enterprise; Windows Server 2008 Standard; Windows Server 2008 Web Edition; Windows Vista Service Pack 2; Windows Vista Business; Windows Vista Enterprise; Windows Vista Home Basic; Windows Vista Home Premium; Windows Vista Starter; Windows Vista Ultimate; Windows Vista Enterprise 64-bit Edition; Windows Vista Home Basic 64-bit Edition; Windows Vista Home Premium 64-bit Edition; Windows Vista Ultimate 64-bit Edition; Windows Vista Business 64-bit Edition; Microsoft Windows Server 2003 Service Pack 2; Microsoft Windows XP Professional x64 Edition; Microsoft Windows XP Service Pack 3; Microsoft Windows XP Home Edition; Microsoft Windows XP Professional

INTRODUCTION

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that is widely used as the authentication method in Point-to-Point Tunneling Protocol (PPTP) VPNs. Microsoft cautions that any organization that uses MS-CHAP v2 without encapsulation together with PPTP tunnels for VPN connectivity is running in a potentially nonsecure configuration.

Recommendations

Microsoft suggests that organizations using MS-CHAP v2/PPTP implement the Protected Extensible Authentication Protocol (PEAP) in their networks. PEAP mitigates the risk by encapsulating the MS-CHAP v2 authentication traffic in a TLS tunnel, so the MS-CHAP v2 exchange is no longer exposed on the wire.

Configure PPTP to use PEAP-MS-CHAP v2 for authentication

PEAP-MS-CHAP v2

PEAP with MS-CHAP v2 as the client authentication method is one way to help secure VPN authentication. To enforce the use of PEAP on client platforms, Windows Routing and Remote Access Server (RRAS) servers should be configured to allow only connections that use PEAP authentication, and to refuse connections from clients that use MS-CHAP v2 or EAP-MS-CHAP v2. Administrators must check the corresponding authentication method options on the RRAS server and the Network Policy Server (NPS) server. Administrators must also confirm the following:

  • Server certificate validation is turned ON. (The default behavior is ON.)

  • Server Name validation is turned ON. (The default behavior is ON.) The correct server name must be specified.

  • The root certificate from which the server certificate was issued is installed correctly in the client system's certificate store and is selected as a trusted root for the connection. (Always ON.)

  • On Windows 7, Windows Vista, and Windows XP, the Do not prompt user to authorize new servers or trusted certification authorities check box in the PEAP properties window should be enabled. By default, it is disabled.

Configure the RRAS Server for the PEAP-MS-CHAP v2 authentication method

The procedure for configuring the PEAP-MS-CHAP v2 authentication method for the RRAS server and for turning off the less secure methods MS-CHAP v2 and EAP-MS-CHAP v2 is briefly described in the following steps.

Configure the authentication method for RRAS

To do this, follow these steps:

  1. In the RRAS Server Management window, open the Server Properties dialog box, and then click the Security tab.

  2. Click Authentication Methods.

  3. Make sure that the EAP check box is selected and that the MS-CHAP v2 check box is not selected.

Configure connections for NPS

Configure the Network Policy Server (NPS) to only allow connections from clients that use the PEAP-MS-CHAP v2 authentication method. To configure NPS, follow these steps:

  1. Open the NPS UI, click Policies, and then click Network Policies.

  2. Right-click Connections to Microsoft Routing and Remote Access Server, and then select Properties.

  3. On the Properties UI, click the Constraints tab.

  4. In the left Constraints pane, select Authentication Methods, and then click to clear the check boxes for the MS-CHAP and MS-CHAP-v2 methods.

  5. Remove EAP-MS-CHAP v2 from the EAP Types list.

  6. Click Add, select the PEAP authentication method, and then click OK.

     Note: A valid server certificate must be installed in the "Personal" store, and a valid root certificate must be installed in the "Trusted Root CA" store of the server before you configure the NPS connection.

  7. Click Edit, and then select EAP-MS-CHAP v2 as the authentication method used inside the PEAP tunnel.

Configure the RRAS Client for PEAP-MS-CHAP v2 authentication method

Windows VPN clients can be configured to use the PEAP-MS-CHAP v2 authentication method by selecting the corresponding method from the VPN connection properties UI and by installing the appropriate root certificate on the client system.
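The following PowerShell function is an added example, not part of the Microsoft article, that audits a client's PEAP profile against the four client checks listed earlier (server certificate validation, server name validation, a trusted root CA, and the "do not prompt user" setting) and confirms the inner method is EAP-MS-CHAP v2. It assumes the EAP host configuration XML layout that Get-VpnConnection exposes as EapConfigXmlStream on Windows 8 / Windows Server 2012 and later (element names from the MsPeapConnectionPropertiesV1 schema), and the IANA EAP method numbers 25 (PEAP) and 26 (EAP-MSCHAPv2); the sample profile is constructed for illustration.

```powershell
function Test-PeapMsChapV2Config {
    param([Parameter(Mandatory)][xml]$EapConfig)

    $findings = [System.Collections.Generic.List[string]]::new()
    # Namespace-agnostic XPath: the EAP host config spreads its elements over several namespaces.
    $outer  = $EapConfig.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    $inner  = $EapConfig.SelectSingleNode("//*[local-name()='EapType']/*[local-name()='Eap']/*[local-name()='Type']")
    $prompt = $EapConfig.SelectSingleNode("//*[local-name()='DisableUserPromptForServerValidation']")
    $names  = $EapConfig.SelectSingleNode("//*[local-name()='ServerNames']")
    $rootCa = $EapConfig.SelectSingleNode("//*[local-name()='TrustedRootCA']")

    if ($outer.InnerText -ne '25') { $findings.Add("Outer method is EAP type '$($outer.InnerText)', not PEAP (25)") }
    if ($inner.InnerText -ne '26') { $findings.Add("Inner method is EAP type '$($inner.InnerText)', not EAP-MSCHAPv2 (26)") }
    if (-not $names  -or [string]::IsNullOrWhiteSpace($names.InnerText))  { $findings.Add('Server name validation has no expected server name') }
    if (-not $rootCa -or [string]::IsNullOrWhiteSpace($rootCa.InnerText)) { $findings.Add('No trusted root CA is selected for server certificate validation') }
    if ($prompt.InnerText -ne 'true') { $findings.Add('"Do not prompt user to authorize new servers or trusted CAs" is not enabled (the default)') }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample profile: pins a root CA and server name, but still lets the
# user approve unknown servers, so the audit should report exactly one finding.
[xml]$sample = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames>vpn.example.com</ServerNames>
          <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
        </ServerValidation>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
        </Eap>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@
Test-PeapMsChapV2Config -EapConfig $sample | Format-List

# On Windows 8 / Server 2012 or later, audit every configured PPTP profile (assumed usage):
# Get-VpnConnection | Where-Object { $_.TunnelType -eq 'Pptp' } | ForEach-Object {
#     if ($_.AuthenticationMethod -notcontains 'Eap') { "$($_.Name): uses $($_.AuthenticationMethod), not EAP" }
#     else { Test-PeapMsChapV2Config -EapConfig $_.EapConfigXmlStream }
# }
```

A PPTP profile whose AuthenticationMethod is MSChapv2 rather than Eap is the unencapsulated configuration the article warns about, regardless of what the PEAP checks report.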
