
Addressing Security Issues with PPTP VPN in Forefront TMG 2010

August 22, 2012

At the recent DEFCON hacking conference, security researchers demonstrated a method to crack the MS-CHAPv2 authentication protocol with a 100% success rate. MS-CHAPv2 is the default authentication method for remote access VPN in Forefront TMG 2010.

With tools that automate the cracking process now publicly available, PPTP communication using MS-CHAPv2 should be considered unencrypted. There are two options available to mitigate this concern: disable MS-CHAPv2 and enable EAP with PPTP, or disable PPTP and switch to a more secure remote access VPN protocol such as L2TP/IPsec or SSTP. Enabling EAP requires the use of smart cards or certificates for authentication, which makes implementation more challenging. SSTP is an excellent option, as it leverages SSL/TLS to protect the MS-CHAPv2 authentication process; however, SSTP is only supported on Windows Vista SP1 and later clients. L2TP/IPsec is another good choice, and although it supports certificates it can also be configured using a pre-shared key. If a long, complex pre-shared key is used and care is taken to ensure that it is well protected, L2TP/IPsec can provide a secure remote access solution.
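The client-side counterpart of the mitigations above, as an added example that is not from the original post or from Forefront TMG: a PowerShell script that finds Windows VPN profiles still using PPTP and moves them to SSTP or L2TP/IPsec with a pre-shared key. It assumes the VpnClient cmdlets (Windows 8 / Server 2012 or later); the server name is a placeholder and the PSK is prompted for rather than stored in the script.

```powershell
# Added example (not from the original post): audit a Windows client's VPN
# profiles for PPTP tunnels and replace them with a protocol that protects
# the MS-CHAPv2 exchange from passive capture.
# Assumes the VpnClient module (Windows 8 / Server 2012 or later).
$Server = 'vpn.example.com'   # placeholder: the TMG server's external name

# 1. Locate profiles that still use PPTP, where MS-CHAPv2 runs in the clear.
$pptp = Get-VpnConnection | Where-Object { $_.TunnelType -eq 'Pptp' }
foreach ($c in $pptp) {
    Write-Warning "Profile '$($c.Name)' uses PPTP; switching it to SSTP."
    # SSTP wraps the whole PPP/MS-CHAPv2 exchange in TLS, so a capture on an
    # open wireless network no longer yields the challenge/response pair.
    Set-VpnConnection -Name $c.Name -TunnelType Sstp -EncryptionLevel Required -Force
}

# 2. For clients older than Vista SP1 (no SSTP): L2TP/IPsec with a pre-shared
#    key. The IPsec tunnel is established before MS-CHAPv2 runs inside it, so the
#    PSK must be long, random and handled like a password; it is prompted for
#    here instead of being hard-coded.
$Psk = Read-Host 'Enter the L2TP/IPsec pre-shared key'
Add-VpnConnection -Name 'Corp-L2TP' -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# 3. Verify: no profile should report TunnelType 'Pptp' afterwards.
Get-VpnConnection | Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
```

Run it in an elevated session; the same check can be scheduled to catch profiles that users recreate with PPTP later.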

  1. August 22, 2012 at 10:32 am

    Good post pointing out the potential risk in PPTP VPNs, but the fact that MS-CHAPv2 has been cracked is a scary one.
    There are so many things dependent on this technology like wireless authentication, dial-in connectivity, 802.1x implementations etc. etc.

    I guess we are going to see lots of interesting hacks over the next couple of months as a result of this.

  2. August 22, 2012 at 10:55 am

    Hi Richard,
    I think SSTP is already available with Windows Vista SP1?!
    Greets from Germany,
    Jens Mander…

  3. August 22, 2012 at 11:27 am

    Agreed. Remote access is especially troublesome here because the traffic is passed over untrusted networks. I’d say that any wireless authentication relying on MS-CHAPv2 would be next in order of importance. Certainly we’ll have to deal with other technologies that leverage MS-CHAPv2 soon enough.

  4. August 22, 2012 at 11:28 am

    You are correct. I’ve updated the article accordingly. 🙂 Thanks!

  5. August 22, 2012 at 12:17 pm

    Great post! I'm sharing at my company!

  6. Mike
    November 2, 2012 at 7:04 am

    What would be required to carry out this attack? From what I understand you would need to do a packet capture over the physical wire, or an unencrypted wireless connection, correct? You can’t just attack a server outright, you have to be able to capture a login process as it is happening?

  7. November 2, 2012 at 7:21 am

    Yes, this attack would involve the attacker capturing network traffic between the client and the VPN server during the connection setup. The most obvious scenario for this would be when a user was connected to an open wireless network, which is quite common these days unfortunately.

  8. Maximo Patino
    November 7, 2012 at 6:12 am

    Hi Richard,

    Is there a way to configure a custom L2TP port for TMG 2010, instead of using the default VPN L2TP port?

  9. November 7, 2012 at 7:27 am

    Not to my knowledge…
