Windows Tip: Enabling Weak Crypto in Vista
If you're planning on deploying Windows Vista on mobile computers that remotely access your company network using a virtual private network (VPN) connection, you must be aware that support for weak or non-standard cryptographic algorithms has now been removed from Windows Vista. This can result in compatibility issues with certain VPN servers and the result is that some clients may not be able to connect to your corporate network after upgrading them to Windows Vista.
Here's an explanation from the Windows Vista Resource Kit concerning why this change was implemented, plus a workaround you can use if you can't upgrade your VPN servers or don't have access to high-crypto for regulatory reasons:
This initiative is based on a desire by Microsoft to move customers toward stronger crypto algorithms to increase VPN security, based on recommendations by the National Institute of Standards and Technology (NIST) and the Internet Engineering Task Force (IETF) as well as mandates toward stronger crypto algorithms from different industry standards bodies and regulators.
The following crypto algorithms are no longer supported on either Windows Vista or Windows Server Code Name "Longhorn":
- 40- and 56-bit RC4 encryption, formerly used by the Microsoft Point-To-Point Encryption Protocol (MPPE) for PPTP-based VPN connections
- DES encryption, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
- MD5 integrity checking, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
The removal of support from the default configuration for 40- and 56-bit RC4 encryption means that PPTP-based VPN connections in Windows Vista now only support 128-bit RC4 for data encryption and integrity checking. This means that if your existing VPN server does not support 128-bit encryption and only supports incoming PPTP-based VPN connections, Windows Vista clients will not be able to connect.
And here's the tip:
If you are unable to upgrade your existing VPN servers to support 128-bit for PPTP, or if 128-bit encryption is unavailable to you because of export restrictions, you can enable weak crypto for PPTP by editing the following registry value:
HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowPPTPWeakCrypto
The default value of this DWORD registry value is 0, and by changing it to 1 you can enable 40- and 56-bit RC4 encryption on the computer for both outgoing and incoming PPTP-based VPN connections. You must restart the computer for this registry change to take effect. As an alternative to restarting the computer, you can restart the Remote Access Connection Manager service by opening a command prompt and typing net stop rasman followed by net start rasman.
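As an added example (my own script, not part of the Resource Kit excerpt), here is a PowerShell version of the same change that first audits whether weak PPTP crypto is already enabled on the machine, so you can see which clients carry the workaround before and after rolling it out. The registry path and value name are the ones quoted in the tip; the function names are mine.

```powershell
# Added example: audit and change the AllowPPTPWeakCrypto value from the tip.
# Registry path and value name come from the tip; the functions are my own.
$RasmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$ValueName = 'AllowPPTPWeakCrypto'

function Get-PptpWeakCryptoState {
    # Returns $true when 40/56-bit RC4 is enabled for PPTP, $false otherwise.
    # A missing value behaves like the documented default of 0.
    $item = Get-ItemProperty -Path $RasmanKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Set-PptpWeakCryptoState {
    param([bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    # REG_DWORD as the tip specifies; -Force creates the value if it is absent.
    New-ItemProperty -Path $RasmanKey -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null
    # RasMan reads the value at start, so restart the service instead of rebooting
    # (the equivalent of "net stop rasman" followed by "net start rasman").
    Restart-Service -Name RasMan -Force
}

# Audit: report the current state of this computer.
if (Get-PptpWeakCryptoState) {
    Write-Warning "40/56-bit RC4 is enabled for PPTP on $env:COMPUTERNAME (AllowPPTPWeakCrypto = 1)."
} else {
    Write-Output "PPTP on $env:COMPUTERNAME requires 128-bit RC4 (AllowPPTPWeakCrypto is 0 or absent)."
}
# Apply the tip's workaround:      Set-PptpWeakCryptoState -Enabled $true
# Return to the Vista default:     Set-PptpWeakCryptoState -Enabled $false
```

Run the script from an elevated PowerShell prompt, since writing under HKLM and restarting RasMan both require administrative rights. The value only affects PPTP; it does not restore DES or MD5 for L2TP/IPsec connections.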
Over the next few weeks I'll be posting some tips like this that have been excerpted (with the permission of Microsoft Press) from the Windows Vista Resource Kit in order to whet your appetite for this terrific book that is just hitting the presses and will soon be available in bookstores everywhere. Don't wait though - order it now!