RRAS: Use authentication protocols that are considered more secure than PAP, CHAP, or MS-CHAPv2

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Storage Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2

Product/Feature

Routing and Remote Access Service (RRAS)

Severity

Warning

Category

Configuration

Issue

The RRAS server is configured to accept remote access connections that are not authenticated, or that are authenticated with an authentication protocol that is no longer considered secure.

Impact

PAP and CHAP are no longer considered secure for protecting sensitive data. MS-CHAP v2 is better than PAP or CHAP, but we recommend EAP or computer certificates.

Important

PAP and CHAP do not adequately protect the password of the account being authenticated. We recommend that you use a stronger protocol.

Resolution

Use 'Routing and Remote Access' in Server Manager to select a secure authentication method on the Routing and Remote Access Properties page.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To specify the authentication methods supported by RRAS

  1. Start Server Manager. Click Start, click Administrative Tools, and then click Server Manager.

  2. In the navigation tree, expand Roles, expand Network Policy and Access Services, right-click Routing and Remote Access, and then click Properties.

  3. On the Security tab, click Authentication Methods, and then select the authentication methods that you want to support. For maximum security, we recommend that you select only Extensible Authentication Protocol (EAP) or Allow machine certificate authentication for IKEv2.
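The same check and change can be scripted instead of clicked through. The following is an added example written for this topic, not part of the original TechNet page or the RRAS product documentation. It assumes Windows Server 2012 with the Remote Access role installed and the RemoteAccess PowerShell module, whose Get-VpnAuthProtocol and Set-VpnAuthProtocol cmdlets expose the same settings as the Authentication Methods dialog; Windows Server 2008 R2 does not ship that module, so use the dialog there. The parameter names and accepted values (Pap, Chap, MSChapv2, EAP; Certificates for IKEv2 tunnel authentication) are as documented for that module, and the $Remediate switch is a name chosen for this example; confirm them with Get-Help Set-VpnAuthProtocol -Full before running against a production server.

```powershell
# Added example (not from the TechNet page): audit, and optionally correct, the
# user-authentication protocols that the RRAS server accepts, using the
# RemoteAccess module on Windows Server 2012 (assumption: module is present).
param(
    # Hypothetical switch for this script: report only unless -Remediate is given.
    [switch]$Remediate
)

Import-Module RemoteAccess -ErrorAction Stop

# Protocols the BPA rule treats as no longer secure. MS-CHAP v2 is stronger than
# PAP or CHAP, but the topic still recommends EAP or machine certificates instead.
$weak = @('Pap', 'Chap', 'MSChapv2')

$auth     = Get-VpnAuthProtocol
$accepted = @($auth.UserAuthProtocolAccepted)
$tunnel   = @($auth.TunnelAuthProtocolsAdvertised)

Write-Host "User authentication protocols accepted : $($accepted -join ', ')"
Write-Host "IKEv2 tunnel authentication advertised  : $($tunnel -join ', ')"

# Case-insensitive match so 'MSChapv2' and 'MSCHAPv2' are both caught.
$found = $accepted | Where-Object { $weak -contains $_ }

if (-not $found) {
    Write-Host 'OK: no PAP, CHAP or MS-CHAP v2 user authentication is accepted.'
    return
}

Write-Warning "Weak user authentication protocols enabled: $($found -join ', ')"

if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to accept only EAP and advertise certificates for IKEv2.'
    return
}

# Apply the topic's recommendation: EAP only for user authentication, and
# certificates (not a pre-shared key) for IKEv2 machine authentication.
# -Force suppresses the confirmation prompt; RRAS is restarted to apply the change.
Set-VpnAuthProtocol -UserAuthProtocolAccepted 'EAP' `
                    -TunnelAuthProtocolsAdvertised 'Certificates' `
                    -Force

# Read the configuration back so the change is verified rather than assumed.
Get-VpnAuthProtocol | Format-List UserAuthProtocolAccepted, TunnelAuthProtocolsAdvertised
```

Run the script without parameters first to see what the server currently accepts; the audit branch changes nothing. Because Set-VpnAuthProtocol restarts the Routing and Remote Access service, existing VPN sessions drop when -Remediate is used, and clients still configured for PAP, CHAP or MS-CHAP v2 will fail to connect until they are switched to EAP or IKEv2 with machine certificates, which is the intended effect of the change.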

Additional references

For more about the Routing and Remote Access role service, see Routing and Remote Access (https://go.microsoft.com/fwlink/?linkid=153482) on TechNet, and Routing and Remote Access Service in the Windows Server Technical Library.