1) How can I get an external PPTP client to browse the internal network in the network neighborhood?
2) What is the magic load sequence?
3) How do I prevent timeouts?
4) How do I enable strong authentication with the LMhash vulnerability?
5) How can I speed up PPTP?
1) How can I get an external PPTP client to browse the internal network in the network neighborhood?
   1) Make sure the client workgroup name is the same as the domain name you want to browse.
   2) Make sure the PPTP IP addresses given to clients have the same subnet as the PPTP server.
   3) Make sure the PPTP server has a WINS server specified on its TCP/IP control panel interface screen.
2) What is the magic load sequence?
   1) NT 4.0 standalone server or PDC: make sure it is joined to the domain.
   2) Install PPTP.
   3) Install SP3.
   4) Install Routing and Remote Access Service (RRAS).
   5) Install the RAS fix.
3) How do I prevent timeouts?
QUESTION:
How do I change the default timeout? I have searched the Registry and all other files and found nothing. Also, what do you define as idle, as I have had a 24-hour connection established, with absolutely no processing?
ANSWER:
You can change the idle timeout value in the Registry at HKEY_LOCAL_MACHINE on Local Machine\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Autodisconnect. By default this value will be 0x14 (20 minutes). Change it to something like 0x5.
Idle is defined as no significant traffic over the link. You can have a computer connected with no visible processes running, but keep in mind things like the browser, replication, etc. that run on the system without any user intervention. These processes can keep the RAS link alive.
4) How do I enable strong authentication with the LMhash vulnerability?
A new registry key, SecureVPN, has been defined to force use of MSCHAP V2. When this variable is absent it has a default value of zero. When set to one on a Windows NT server, this registry key causes the server to drop any VPN connections that do not authenticate using MSCHAP V2. This will prevent legacy VPN clients from presenting their credentials in an MSCHAP (or CHAP or PAP) exchange, and is a likely configuration for networks that require a more secure authentication method for VPN connections.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP
DWORD: SecureVPN
Value: 0x00000001 == force MSCHAP V2 for VPN connections
Value: 0x00000000 == do not force secure MSCHAP V2 (default)
When set to one on a Windows NT 4.0 client, the SecureVPN registry key forces the client to use MSCHAP V2 for all VPN (PPTP) connections. Dial-up connections are not affected by this registry setting.
Please note: Most users will not need to use the Secure VPN flag. This flag should be used with care because it will affect the behavior of all VPN connections from a client. In general, the required use of MSCHAP V2 can be enforced more easily on the server.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\Chap
DWORD: UseLmPassword
Value: 0x00000001 == send LMHash of the password (default)
Value: 0x00000000 == do not send LMHash of the password
Setting this variable to zero on a server will cause the server to drop any connection request which uses the LM response in an MSCHAP exchange. Setting this variable to zero on a client will prevent the client from using LM responses in MSCHAP exchanges. This variable affects BOTH dial-up and VPN connections.
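As an added example (editor's script, not part of the original FAQ or a Microsoft tool), the following PowerShell audits the three registry values described above from a defender's viewpoint. It assumes the paths and defaults exactly as the FAQ states them (SecureVPN absent = 0, UseLmPassword absent = 1, Autodisconnect absent = 0x14), treats an absent value as its default rather than as "unset", and the -Harden switch (my name, not a documented parameter) applies only the two authentication values; the 5-minute Autodisconnect target is the FAQ's own suggestion and is reported but not changed.

```powershell
# Added example: audit RAS/PPTP authentication and idle-timeout registry
# values discussed in the FAQ. Run from an elevated prompt.
[CmdletBinding()]
param([switch]$Harden)   # -Harden is this script's own switch (assumption)

# Defaults are the ones the FAQ documents for a missing value.
$checks = @(
    @{ Name='SecureVPN';      Path='HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP'
       Default=0;    Want=1; Fix=$true
       Note='1 = server drops VPN sessions that do not use MSCHAP V2' },
    @{ Name='UseLmPassword';  Path='HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\Chap'
       Default=1;    Want=0; Fix=$true
       Note='0 = LM response neither sent (client) nor accepted (server)' },
    @{ Name='Autodisconnect'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters'
       Default=0x14; Want=5; Fix=$false
       Note='idle minutes before RAS drops the link (FAQ suggests 0x5)' }
)

foreach ($c in $checks) {
    # A missing value is not "off": the driver falls back to the default,
    # so a box with no UseLmPassword value is still sending LM hashes.
    $prop = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $current = [int]$c.Default; $origin = 'absent (default)'
    } else {
        $current = [int]$prop.($c.Name); $origin = 'explicitly set'
    }

    $status = if ($current -eq $c.Want) { 'OK' } else { 'REVIEW' }
    '{0,-14} {1,-7} 0x{2:X8} {3,-17} {4}' -f $c.Name, $status, $current, $origin, $c.Note

    if ($Harden -and $c.Fix -and $current -ne $c.Want) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        '  -> {0} set to {1}; restart Remote Access for it to take effect' -f $c.Name, $c.Want
    }
}
```

Because UseLmPassword affects dial-up as well as VPN connections, review the audit output before running with -Harden on a server that still serves legacy dial-up clients.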
5) How can I speed up PPTP?
A new historyless mode for encryption & compression over PPTP connections has been enabled. This new mode will dramatically improve performance using PPTP in high latency networks, or networks that commonly experience significant packet loss like the Internet. This upgrade is fully compatible with legacy PPTP systems. However, in order to negotiate historyless mode, both the PPTP client and server must support the upgrade. If either client or server refuses the new mode, normal MPPE compression and encryption will be negotiated to ensure communication capabilities are not lost. To experience the full benefit of the PPTP performance update, this update must be installed on both Windows NT clients and servers. A corresponding release, Microsoft Dial-Up Networking 1.3, is available for Windows 95 clients, while the new release of Windows 98 already includes the appropriate client code.
Please note: RAS servers that terminate compulsory PPTP connections from an FEP (Front End Processor) must disable historyless compression/encryption in order for legacy Windows 95 clients to receive data properly. An FEP is a dial-up server which can create a PPTP tunnel on behalf of its dial-up clients. This feature is available from several access server vendors, including Compaq (Microcom), Ascend, and 3Com.
The value to set in the registry to enable/disable historyless encryption/compression is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters
Copyright 2006, Security Evolution, Inc.