You want your RASers to be secure? Give them 128-bit encryption.
If you have the 128-bit version of Service Pack 3 or higher, your RAS server can be configured to use it:
- Control Panel / Network / Services / Remote Access Service / Properties.
- Click Network and Require Microsoft encrypted authentication.
- Click Require data encryption, OK, Continue, and Close.
- When prompted to restart, click No.
- Edit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\COMPCP and Add Value name ForceStrongEncryption as type REG_DWORD and set it to 1.
- Shut down and restart.
If a RAS client supports 128-bit encryption, the event log will contain:
Event ID: 20107
Description: The user RAS connected to port COM1 using strong encryption.
If the RAS client does not support 128-bit RAS encryption, you will see the following:
Event ID: 20077
Description: An error occurred in the Point to Point Protocol module on port COM1. The remote computer does not support the required encryption type.
The client will receive a message 629, indicating that they have been disconnected.
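One way to check the setting across many connections, as an added example that is not part of the original tip: the Python below tallies the two events described above from a text export of the event log, so you can see which ports negotiated strong encryption and which were refused. The tab-separated export layout, the sample lines, and the names SAMPLE_LOG and summarize are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample, one event per line as "EventID<TAB>Description".
# The export layout is an assumption; the first two descriptions follow the tip.
SAMPLE_LOG = "\n".join([
    "20107\tThe user RAS connected to port COM1 using strong encryption.",
    "20077\tAn error occurred in the Point to Point Protocol module on port COM2."
    " The remote computer does not support the required encryption type.",
    "20107\tThe user ALICE connected to port COM3 using strong encryption.",
    "20077\tAn error occurred in the Point to Point Protocol module on port COM2."
    " The remote computer does not support the required encryption type.",
    "20077\tAn error occurred in the Point to Point Protocol module on port COM4."
    " (constructed: some other reason)",
    "99999\t(constructed: unrelated event)",
])

STRONG_OK = re.compile(
    r"The user (.+?) connected to port (\S+) using strong encryption\.")
REJECTED = re.compile(
    r"Point to Point Protocol module on port (\S+)\. "
    r"The remote computer does not support the required encryption type\.")

def summarize(log_text):
    """Return (strong, rejected, other).

    strong:   user -> set of ports that negotiated strong encryption (20107)
    rejected: Counter of ports refused for lacking the required encryption (20077)
    other:    lines matching neither, kept so nothing is dropped silently
    """
    strong, rejected, other = {}, Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, _, desc = line.partition("\t")
        ok = STRONG_OK.search(desc) if event_id == "20107" else None
        bad = REJECTED.search(desc) if event_id == "20077" else None
        if ok:
            strong.setdefault(ok.group(1), set()).add(ok.group(2))
        elif bad:
            rejected[bad.group(1)] += 1
        else:
            other.append(line)
    return strong, rejected, other

if __name__ == "__main__":
    strong, rejected, other = summarize(SAMPLE_LOG)
    for user, ports in sorted(strong.items()):
        print(f"strong encryption: {user} on {', '.join(sorted(ports))}")
    for port, n in rejected.most_common():
        print(f"refused (client lacks 128-bit): {port} x{n}")
    print(f"unclassified lines: {len(other)}")
```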
This was first published in December 2001