Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security.
For over 20 years, the enterprise has used the PPTP and L2TP VPN protocols to provide remote access to corporate networks and Windows servers.
However, as attack techniques and the computing resources available to attackers have grown more powerful, both protocols have become less secure.
For example, PPTP is vulnerable to offline brute-force attacks against captured authentication hashes, and L2TP provides no encryption on its own unless it is paired with another protocol, such as IPsec. Even then, an incorrectly configured L2TP/IPsec deployment can introduce weaknesses that leave it susceptible to attack.
Due to this, Microsoft is now recommending users move to the newer Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) protocols, which provide better performance and security.
“The move is part of Microsoft’s strategy to enhance security and performance by transitioning users to more robust protocols like Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2),” Microsoft announced in a post this week.
“These modern protocols offer superior encryption, faster connection speeds, and better reliability, making them more suitable for today’s increasingly complex network environments.”
Microsoft shared the following benefits of each protocol:
Benefits of SSTP
- Strong encryption: SSTP uses SSL/TLS encryption, providing a secure communication channel.
- Firewall traversal: SSTP can easily pass through most firewalls and proxy servers, ensuring seamless connectivity.
- Ease of use: With native support in Windows, SSTP is simple to configure and deploy.
Benefits of IKEv2
- High security: IKEv2 supports strong encryption algorithms and robust authentication methods.
- Mobility and multihoming: IKEv2 is particularly effective for mobile users, maintaining VPN connections during network changes.
- Improved performance: With faster tunnel establishment and lower latency, IKEv2 offers superior performance compared to the legacy protocols.
Microsoft stresses that when a feature is deprecated, it does not mean it is being removed. Instead, it is no longer in active development and may be removed from future versions of Windows. This deprecation period could last months to years, giving admins time to migrate to the suggested VPN protocols.
As part of this deprecation, future versions of Windows RRAS Server (VPN Server) will no longer accept incoming connections using the PPTP and L2TP protocols. However, users can still make outgoing PPTP and L2TP connections.
To aid admins in migrating to SSTP and IKEv2, Microsoft released a support bulletin in June with steps on how to configure these protocols.
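As a starting point for the migration step described above, the following script inventories the VPN entries in a Windows phonebook file (rasphone.pbk) and flags those still configured for PPTP or L2TP. This is an added example written for this article; it is not code from BleepingComputer or from Microsoft. The VpnStrategy value mapping, the sample phonebook text, and the two default phonebook paths are assumptions made for the example and should be verified against your own Windows build.

```python
"""
Inventory Windows VPN phonebook (rasphone.pbk) entries and flag connections
that still rely on the deprecated PPTP or L2TP tunnel types.

Added example for this article; not part of Microsoft's tooling.
"""
import configparser
import os
import sys

# VpnStrategy -> (label, uses a deprecated tunnel type?).
# ASSUMPTION: this follows the commonly documented rasphone.pbk values;
# verify it against your own Windows build before relying on it.
# Values not listed here (including "automatic" selection) are sent to
# REVIEW, because an automatic strategy may still fall back to PPTP/L2TP.
VPN_STRATEGY = {
    1: ("PPTP only", True),
    2: ("PPTP first", True),
    3: ("L2TP only", True),
    4: ("L2TP first", True),
    5: ("SSTP only", False),
    6: ("SSTP first", False),
    7: ("IKEv2 only", False),
    8: ("IKEv2 first", False),
}

# ASSUMPTION: typical per-user and all-users phonebook locations.
DEFAULT_PBK_PATHS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk"),
    r"C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk",
]

# Constructed sample phonebook (not a real file) so the script runs offline.
SAMPLE_PBK = """\
[Corp-Legacy]
Encoding=1
Type=2
VpnStrategy=1
PhoneNumber=vpn.example.test

[Corp-Modern]
Encoding=1
Type=2
VpnStrategy=7
PhoneNumber=vpn.example.test

[Corp-Auto]
Encoding=1
Type=2
VpnStrategy=0
PhoneNumber=vpn.example.test
"""


def parse_pbk(text):
    """Return {connection_name: VpnStrategy as int or None} from pbk text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    entries = {}
    for name in cp.sections():
        raw = cp[name].get("VpnStrategy")
        try:
            entries[name] = int(raw) if raw is not None else None
        except ValueError:
            entries[name] = None
    return entries


def classify(strategy):
    """Map a VpnStrategy value to (label, verdict) for the migration report."""
    label, deprecated = VPN_STRATEGY.get(strategy, ("Unknown/automatic", None))
    if deprecated is True:
        return label, "MIGRATE"
    if deprecated is False:
        return label, "OK"
    return label, "REVIEW"


def audit_pbk(text):
    """Return {connection_name: (label, verdict)} for every entry in the text."""
    return {name: classify(strategy) for name, strategy in parse_pbk(text).items()}


def deprecated_entries(text):
    """Names of connections that must be migrated off PPTP/L2TP, sorted."""
    return sorted(name for name, (_, verdict) in audit_pbk(text).items()
                  if verdict == "MIGRATE")


def audit_file(path):
    """Audit a phonebook on disk; returns {} if the file does not exist."""
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return audit_pbk(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:] or DEFAULT_PBK_PATHS
    results = {}
    for p in paths:
        results.update(audit_file(p))
    if not results:  # nothing found on disk: demonstrate on the sample
        results = audit_pbk(SAMPLE_PBK)
    for name, (label, verdict) in sorted(results.items()):
        print(f"{verdict:8} {name:24} {label}")
```

Run it without arguments on a Windows host to check the default phonebook locations, or pass one or more .pbk paths explicitly; entries marked MIGRATE should be reconfigured for SSTP or IKEv2 before the RRAS server stops accepting PPTP and L2TP, and REVIEW entries need a manual check of which tunnel type they actually negotiate.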
Source: www.bleepingcomputer.com