A Windows PPTP server is vulnerable to denial of service attacks via the PPTP control channel.
I have scripted PPTPOnly.bat to force the PPTP protocol to only accept calls from the client IP addresses that you specify.
The syntax for using PPTPOnly.bat is:
PPTPOnly IPAddress1 Mask1 [IPAddress2 Mask2 ... IPAddressN MaskN]
where each IPAddress(i) and Mask(i) pair specifies a valid client IP address, with mask, that is allowed to be authenticated by the PPTP server. No octet should have extraneous leading zeros.
The PPTPOnly.bat script works by locating the sub-key of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} that defines the WAN Miniport (PPTP) driver, displaying the sub-key, and setting its AuthenticateIncomingCalls Value Name, a REG_DWORD data type, to 1. It then sets the ClientIpAddresses and ClientIpMasks Value Names, both REG_MULTI_SZ data types, to the IPAddress(i) and Mask(i) values that you specify, maintaining the one-to-one mapping between IP address and mask that is required.
NOTE: If AuthenticateIncomingCalls is set to 1 and you remove all the IP addresses from ClientIpAddresses, no client will be able to connect.
NOTE: Each time that you run PPTPOnly.bat, it adds the specified parameters to the existing entries.
Running PPTPOnly IPAddress1 Mask1 and then PPTPOnly IPAddress2 Mask2 is equivalent to running PPTPOnly IPAddress1 Mask1 IPAddress2 Mask2.
PPTPOnly.bat contains:
@echo off
if {%2}=={} @echo Syntax: PPTPOnly IPAddress1 Mask1 [IPAddress2 Mask2 ... IPAddressN MaskN]&goto :EOF
setlocal
REM Refuse to run at all unless the first address/mask pair is well formed.
call :tstparm %1 %2>nul 2>&1
if "%parmok%" EQU "Y" goto doit
@echo First IP address and Mask pair is invalid. PPTPOnly will not run.
@echo PPTPOnly %*
endlocal
goto :EOF
:doit
set fnd=FINDSTR /L /I /C:
set qry=reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
set sub={4D36E972-E325-11CE-BFC1-08002bE10318}
REM Walk every sub-key of the network adapter class; :parse keeps only WAN Miniport (PPTP).
for /f "Tokens=*" %%a in ('%qry%^|%fnd%"%sub%"') do (
 set line=%%a
 call :parse %*
)
endlocal
goto :EOF
:tstparm
REM Validate an address (%1) and a mask (%2). Each set /a prefixes the octet with 1000 and
REM takes the result modulo 1000, so leading zeros and octets longer than three digits are
REM altered and the rebuilt string no longer matches. Octets above 255 are NOT rejected.
set parmok=Y
set parm=%1
for /f "Tokens=1-4 Delims=." %%i in ('@echo %parm%') do (
 set /a p1=1000%%i%%1000
 set /a p2=1000%%j%%1000
 set /a p3=1000%%k%%1000
 set /a p4=1000%%l%%1000
)
if "%parm%" NEQ "%p1%.%p2%.%p3%.%p4%" set parmok=N
set parm=%2
for /f "Tokens=1-4 Delims=." %%i in ('@echo %parm%') do (
 set /a p1=1000%%i%%1000
 set /a p2=1000%%j%%1000
 set /a p3=1000%%k%%1000
 set /a p4=1000%%l%%1000
)
if "%parm%" NEQ "%p1%.%p2%.%p3%.%p4%" set parmok=N
goto :EOF
:parse
REM Only key lines directly under the class GUID (one path component deeper) are candidates.
if "%line:~0,18%" NEQ "HKEY_LOCAL_MACHINE" goto :EOF
if "%line:~96,1%" NEQ "\" goto :EOF
if "%line:~101,1%" EQU "\" goto :EOF
set key=%line%
set skey=%key:HKEY_LOCAL_MACHINE=HKLM%
set okkey=
for /f "Tokens=1,2*" %%b in ('reg query %skey%^|%fnd%"DriverDesc"^|%fnd%"REG_SZ"^|%fnd%"WAN Miniport (PPTP)"') do (
 set okkey=%skey%
)
if not defined okkey goto :EOF
@echo The WAN Miniport (PPTP) sub-key is %key%
reg add %okkey% /V AuthenticateIncomingCalls /T REG_DWORD /D 1 /F
REM Read the existing REG_MULTI_SZ lists so new pairs are appended rather than replacing them.
for /f "Tokens=1,2*" %%x in ('reg query %okkey% /V ClientIpAddresses^|%fnd%"REG_MULTI_SZ"') do (
 set CIA=%%z
)
if defined CIA set CIA=%CIA:\0\0=%
if "%CIA%" EQU "\0" set CIA=
for /f "Tokens=1,2*" %%x in ('reg query %okkey% /V ClientIpMasks^|%fnd%"REG_MULTI_SZ"') do (
 set CIM=%%z
)
if defined CIM set CIM=%CIM:\0\0=%
if "%CIM%" EQU "\0" set CIM=
:loop
if {%2}=={} goto :loopend
call :tstparm %1 %2>nul 2>&1
if "%parmok%" EQU "Y" goto loop1
@echo The following IP address and Mask pair is invalid, and will NOT be added: %1 %2
goto loop2
:loop1
REM Address and mask are appended together, so the two lists stay in step.
if defined CIA set CIA=%CIA%\0
set CIA=%CIA%%1
if defined CIM set CIM=%CIM%\0
set CIM=%CIM%%2
:loop2
shift
shift
goto loop
:loopend
reg add %okkey% /V ClientIpAddresses /T REG_MULTI_SZ /D "%CIA%" /F
reg add %okkey% /V ClientIpMasks /T REG_MULTI_SZ /D "%CIM%" /F
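As a companion check, the following PowerShell script is an added example, not part of the original tip or of PPTPOnly.bat. It reads back the three values the batch file writes, flags the lockout condition noted above (AuthenticateIncomingCalls set to 1 with an empty ClientIpAddresses) and any break in the one-to-one address/mask mapping, and applies the same dotted-quad rule as :tstparm. It assumes the Windows PowerShell registry provider and that REG_MULTI_SZ values surface as string arrays; the function name Test-DottedQuad is the example's own.

```powershell
# Added example, not part of PPTPOnly.bat: audit the PPTP client-IP restriction.
# Run from an elevated PowerShell prompt on the PPTP server.
# Assumption: REG_MULTI_SZ values come back from Get-ItemProperty as string arrays.

$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

# Same acceptance rule as the batch file's :tstparm routine, plus an upper bound of 255:
# four decimal octets, none with extraneous leading zeros.
function Test-DottedQuad {
    param([string]$Text)
    if ($Text -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $false }
    for ($i = 1; $i -le 4; $i++) {
        $octet = $Matches[$i]
        if ([int]$octet -gt 255) { return $false }
        if ($octet.Length -gt 1 -and $octet.StartsWith('0')) { return $false }
    }
    return $true
}

# Locate the WAN Miniport (PPTP) sub-key by its DriverDesc, as the batch file does.
$pptpKey = Get-ChildItem -LiteralPath $classKey |
    Where-Object { (Get-ItemProperty -LiteralPath $_.PSPath).DriverDesc -eq 'WAN Miniport (PPTP)' } |
    Select-Object -First 1
if (-not $pptpKey) { throw 'No WAN Miniport (PPTP) sub-key found under the network adapter class key.' }
Write-Output "WAN Miniport (PPTP) sub-key: $($pptpKey.Name)"

$props = Get-ItemProperty -LiteralPath $pptpKey.PSPath
$auth  = $props.AuthenticateIncomingCalls
# A value that was never written comes back as $null; treat it as an empty list.
$addrs = @($props.ClientIpAddresses | Where-Object { $_ })
$masks = @($props.ClientIpMasks     | Where-Object { $_ })

Write-Output "AuthenticateIncomingCalls = $auth"
Write-Output ("ClientIpAddresses = {0}" -f ($addrs -join ', '))
Write-Output ("ClientIpMasks     = {0}" -f ($masks -join ', '))

$problems = 0
if ($auth -ne 1) {
    Write-Warning 'AuthenticateIncomingCalls is not 1: incoming calls are not restricted by client IP.'
    $problems++
}
if ($auth -eq 1 -and $addrs.Count -eq 0) {
    Write-Warning 'AuthenticateIncomingCalls is 1 but ClientIpAddresses is empty: no client can connect.'
    $problems++
}
if ($addrs.Count -ne $masks.Count) {
    Write-Warning "ClientIpAddresses has $($addrs.Count) entries but ClientIpMasks has $($masks.Count): the one-to-one mapping is broken."
    $problems++
}
foreach ($entry in ($addrs + $masks)) {
    if (-not (Test-DottedQuad $entry)) {
        Write-Warning "Malformed entry: '$entry'"
        $problems++
    }
}
# Show the pairs as the PPTP server will apply them.
for ($i = 0; $i -lt [Math]::Min($addrs.Count, $masks.Count); $i++) {
    Write-Output ("  allowed: {0} mask {1}" -f $addrs[$i], $masks[$i])
}
if ($problems -eq 0) { Write-Output 'PPTP client restriction looks consistent.' }
```

Running this before and after PPTPOnly.bat shows exactly which pairs were appended, which is useful given that the batch file never removes entries.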