PPTP VPN Security Concerns – MyWorkDrive
PPTP VPN Security Risks
PPTP is a Microsoft VPN application that has been around since Windows NT. Users tend to use PPTP as it is usually configured on Windows desktop computers with a shortcut that remembers username and password for quick access. When combined with proper name resolution (historically WINS) and now DNS, users can easily browse the network for shares and printers. On the back end, Windows Server PPTP is configured by the system administrator with the Routing and Remote Access (RRAS) role. While the tools used to manage and deploy PPTP systems have changed with each new version of Windows, it is universally agreed that PPTP is insecure compared to modern alternatives and adds additional indirect support costs even when upgrading to SSTP support.
PPTP itself is no longer secure because breaking MS-CHAPv2's initial authentication can be reduced to the difficulty of cracking a single 56-bit DES key, which with today's computers can be brute-forced in a very short time (making a strong password largely irrelevant to PPTP security, since the entire 56-bit keyspace can be searched within practical time constraints).
The attacker captures the handshake (and any PPTP traffic after that), cracks the handshake offline and derives the RC4 key. Once the RC4 key is derived, the attacker is able to decrypt and analyze the traffic transmitted in the PPTP VPN. PPTP does not support forward secrecy, so breaking one PPTP session is enough to decrypt all previous PPTP sessions that used the same credentials.
PPTP provides poor protection for the integrity of the data being tunneled. The RC4 cipher, while providing encryption, does not verify the integrity of the data because it is not an Authenticated Encryption with Associated Data (AEAD) cipher. PPTP also performs no additional integrity checks on its traffic and is vulnerable to bit-flipping attacks: an attacker can modify PPTP packets with little chance of detection. Many of the attacks discovered on the RC4 cipher (such as the Royal Holloway attack) make RC4 a poor choice for securing large amounts of transmitted data, and VPNs are prime candidates for such attacks because they typically transmit large amounts of sensitive data.
Security experts have reviewed PPTP and listed several known vulnerabilities, including:
MS-CHAP-V1 is fundamentally insecure
There are tools that can easily extract NT password hashes from MS-CHAP-V1 authentication traffic. MS-CHAP-V1 is the default on older Windows servers.
MS-CHAP-V2 is vulnerable to dictionary attacks on captured challenge-response packets. Tools exist to quickly break these exchanges.
Brute force attack possibilities
It has been shown that the complexity of a brute force attack on an MS-CHAP-v2 key is equivalent to a brute force attack on a single DES key.
Additional support costs
Beware of the additional support costs typically associated with PPTP and Microsoft VPN Client.
- By default, all of the end user's Windows network traffic is routed through the office VPN. This leaves the internal network open to malware and slows down Internet access for all users in the office.
- PPTP is blocked in many locations due to its known security issues, which leads to help desk calls to resolve connection problems.
- Conflicts with internal office subnets at remote locations can block Microsoft VPN routing, resulting in no connectivity and, again, additional support costs.
- Minor network fluctuations can disconnect the Microsoft VPN client while it is in use, corrupting files and resulting in restores and lost work.
- The IT department will need to maintain an additional fleet of corporate laptops with Microsoft VPN pre-configured for each potential remote user.
- CryptoLocker malware is free to encrypt files over the VPN tunnel.
MyWorkDrive as a solution
MyWorkDrive acts as the perfect alternative to a VPN
With MyWorkDrive, the security risks of supporting Microsoft PPTP or SSTP VPNs are eliminated:
- Users get a Web File Manager client that is easy to use and can be accessed from any browser.
- IT support costs are eliminated – Users simply sign in with their existing Windows Active Directory credentials or use ADFS or any SAML provider to access company shares and home drives and edit/view documents online.
- Mobile Clients are available for Android/iOS devices and MyWorkDrive Desktop Mapped Drive.
- Unlike with a VPN, you can block file types and receive alerts when file changes exceed the specified ransomware blocking limits.
- For security, all MyWorkDrive clients support DUO Two Factor Authentication.
Daniel, founder of MyWorkDrive.com, has worked in various technology management roles serving enterprise, government, and education in the San Francisco Bay Area since 1992. Daniel writes about IT, security, and strategy.