How secure is the vanilla Server 2003 VPN?

 
 
Tim Wiser

 
      05-08-2007, 02:19 PM
I've got a Server 2003 Standard box running with the built-in VPN server.
I'm wondering exactly how secure IS it against unwanted visitors?
Has anyone here had much experience of using this service, or does everyone
use ISA Server instead?


 
 
 
 
 
Phillip Windell

 
      05-08-2007, 03:07 PM
"Tim Wiser" <(E-Mail Removed)> wrote in message
news:5ACD3A7B-45E6-4504-90D0-(E-Mail Removed)...
> I've got a Server 2003 Standard box running with the built-in VPN server.
> I'm wondering exactly how secure IS it against unwanted visitors?
> Has anyone here had much experience of using this service, or does everyone
> use ISA Server instead?


I have never known any instance of anyone "getting in" over RRAS/VPN by "hacking
it".

When you ask if something is "secure",...it has to be in the context of "secure
from what?". If I were to get into someone's VPN the most direct way to do
that is to gain a user's credentials,...most likely by social engineering, or
maybe by getting the cached password out of their IE on their laptop since
people tend to use the same credentials for everything.

That is simple enough,...the person leaves it unattended for a little bit in an
accessible place,...have a copy of Protected Storage PassView from Nirsoft on a
thumbdrive. Insert it, run the tool, "screenshot" the results (can't remember if
it has a means to save the results), paste into Wordpad, save to the
thumbdrive. Close everything, remove the stick.

Lessons here:
1. Don't leave laptops unattended
2. Don't use the same credentials on websites that you use on the LAN

Then I would just simply log in to the VPN in the normal way,..no hacking,..no
breaking into anything. It isn't going to matter what you use for the VPN
device whether it be RRAS/VPN, ISA/VPN, Watchguard, Cisco VPN, whatever.

I use ISA Server for VPN.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Tim Wiser

 
      05-08-2007, 03:16 PM
Yeah, sorry.. my question was just a lil' bit vague! When I refer to
"secure" I'm thinking of the technical side of things, e.g.: have there been
many cases of the service being vulnerable to DDoS, buffer underruns and so
forth.
With regard to the social engineering side of things, that's something that
should be solved by training. I have also built a customised version of the
VPN client using the connection manager tool so users can't cache their
password, etc... something that concerned me when I first saw the standard
VPN client.


"Phillip Windell" wrote:

> "Tim Wiser" <(E-Mail Removed)> wrote in message
> news:5ACD3A7B-45E6-4504-90D0-(E-Mail Removed)...
> > I've got a Server 2003 Standard box running with the built-in VPN server.
> > I'm wondering exactly how secure IS it against unwanted visitors?
> > Has anyone here had much experience of using this service, or does everyone
> > use ISA Server instead?

>
> I have never known any instance of anyone "getting in" over RRAS/VPN by "hacking
> it".
>
> When you ask if something is "secure",...it has to be in the context of "secure
> from what?". If I were to get into someone's VPN the most direct way to do
> that is to gain a user's credentials,...most likely by social engineering, or
> maybe by getting the cached password out of their IE on their laptop since
> people tend to use the same credentials for everything.


 
 
Phillip Windell

 
      05-08-2007, 09:16 PM

"Tim Wiser" <(E-Mail Removed)> wrote in message
news:E9FAD389-7FEB-421F-AD36-(E-Mail Removed)...
> Yeah, sorry.. my question was just a lil' bit vague! When I refer to
> "secure" I'm thinking of the technical sides of things, eg: have there been
> many cases of the service being vulnerable to DDoS, buffer underruns and so
> forth.


Anything can be DoS'ed. There is nothing that has been invented that can't be
DoS'ed. All you have to do is overload the bandwidth on the line connecting to
the thing to do that,..there is nothing the device can do about that for the
most part.

I don't know of anything in the other category that will "let someone
in",....generally all that type of stuff does is attempt to do damage to the OS,
install viruses, worms, etc.
Most of those are eliminated by just not having anything bound to the external
NIC that isn't needed and not running any internet facing "services" that don't
have a reason to be there. For the most part the only thing that should be
bound to the external facing NIC is TCP/IP. No File & Print Sharing, no Client
for MS Networks, and maybe not even QoS. The primary defense, other than the
above, for this stuff is to keep the machine fully patched and have quality AV
protection running on it.

> With regards the social engineering side of things, that's something that
> should be solved by training. I have also built a customised version of the
> VPN client using the connection manager tool so users can't cache their
> password, etc... something that concerned me when I first saw the standard
> VPN client.


It isn't the VPN Connectoid I am talking about there. It is the gathering of
the credentials used on web sites from IE that caches them (Hotmail, Yahoo Mail,
any site requiring a login). Since people tend to reuse the same credentials
everywhere, there is a good chance that one set of the credentials I would get
would also be their Domain credentials. That, at least in my opinion, is how
most "real", successful, productive hacking really happens. It does not
typically happen by kicking the front door down at the Firewall. Even simple
Home User firewall boxes (broadband routers) do a somewhat reasonable job of
protection.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------


 
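The "only TCP/IP bound to the external NIC" check that Phillip describes above, written out as an added example that is not part of this thread. It assumes a Windows host that ships the NetAdapter module (Windows Server 2012 / Windows 8 or later; Server 2003 itself has no PowerShell equivalent, so there the same review is done by hand in the adapter's Properties dialog), and that the internet-facing adapter is named "External", which is a placeholder. It reports every enabled binding other than IPv4/IPv6 and, only when run with -Fix, disables the three components the post names.

```powershell
# Added example, not code from the thread. Assumes the NetAdapter module
# (Windows Server 2012 / Windows 8 or later) and an adapter named "External"
# (placeholder; pass -AdapterName to change it).
param(
    [string]$AdapterName = 'External',
    [switch]$Fix   # without -Fix the script only reports; nothing is changed
)

# The only bindings that belong on an internet-facing NIC, per the post: TCP/IP.
$allowed = @('ms_tcpip', 'ms_tcpip6')

# Component IDs Windows uses for the three items the post says to remove.
$unwanted = @{
    'ms_server'   = 'File and Printer Sharing for Microsoft Networks'
    'ms_msclient' = 'Client for Microsoft Networks'
    'ms_pacer'    = 'QoS Packet Scheduler'
}

# Fail loudly if the adapter name is wrong rather than silently reporting nothing.
$bindings = Get-NetAdapterBinding -Name $AdapterName -ErrorAction Stop

foreach ($b in $bindings) {
    if (-not $b.Enabled -or $b.ComponentID -in $allowed) { continue }

    if ($unwanted.ContainsKey($b.ComponentID)) {
        Write-Warning ("{0,-14} {1} - named in the post, should be unbound" -f $b.ComponentID, $b.DisplayName)
        if ($Fix) {
            # Disable only the components the post calls out; leave others for manual review.
            Disable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID -Confirm:$false
        }
    }
    else {
        # Anything else enabled besides TCP/IP gets flagged for a human decision.
        Write-Warning ("{0,-14} {1} - not TCP/IP, review whether it is needed" -f $b.ComponentID, $b.DisplayName)
    }
}

# Show what is still bound after the check so the result can be recorded.
Get-NetAdapterBinding -Name $AdapterName |
    Where-Object Enabled |
    Select-Object ComponentID, DisplayName
```

Run it once without -Fix from an elevated prompt to see what is bound, then with -Fix if the three named components are still enabled. Other enabled bindings (link-layer discovery, third-party filter drivers) are deliberately only reported, since whether they are needed depends on the host.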
 
Ace Fekay [MVP]

 
      05-09-2007, 04:29 AM
In news:E9FAD389-7FEB-421F-AD36-(E-Mail Removed),
Tim Wiser <(E-Mail Removed)> typed:
> Yeah, sorry.. my question was just a lil' bit vague! When I refer to
> "secure" I'm thinking of the technical sides of things, eg: have
> there been many cases of the service being vulnerable to DDoS, buffer
> underruns and so forth.
> With regards the social engineering side of things, that's something
> that should be solved by training. I have also built a customised
> version of the VPN client using the connection manager tool so users
> can't cache their password, etc... something that concerned me when I
> first saw the standard VPN client.


Maybe something a little more "secure" (in your context) would be to use a
Pix, Netscreen, Watchguard, etc., that allow the use of IPSec L2TP VPNs. What
makes it more secure besides the IPSec and L2TP is the fact you need to
install the VPN client software from the vendor, and create a PCF file
(Cisco's version, others have their own) that you must provide and install
into the vendor's VPN client software on the client machine. You can also
configure it to use IAS (no ISA) for RADIUS authentication to allow users to
authenticate against AD.


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain






 