I'm considering using the Windows 2000 dial-in server to host PPTP VPNs. How can I prevent savvy users from creating a dial-up connection on a machine at their home and connecting to the office network? Can I allow access based on a media access control (MAC) address? We're using Windows NT 4.0 domains, as we haven't yet fully migrated to Win2K.
Using MAC addresses isn't an option, because the workstation's MAC address is long gone by the time packets reach your VPN server across the Internet. Your concern is appropriate, but I don't know of any good way to address it through PPTP.
You can use Layer Two Tunneling Protocol (L2TP) to solve your problem, however. L2TP requires a workstation to have a client-side certificate before connecting to an L2TP server. Without a client certificate, users can't connect no matter how savvy they are. Support for L2TP is available on most client systems, thanks to the Microsoft L2TP/IPSec VPN Client for NT Workstation 4.0, Windows Me, and Windows 98, all of which you can download from http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp.
Because L2TP requires a Certificate Authority (CA) and certificate distribution, L2TP takes more work to set up than does PPTP, but L2TP is also much more secure. L2TP requires strong computer-to-computer authentication and sets up an IP Security (IPSec) tunnel before allowing user-level password authentication, thus protecting your VPN server from direct password-guessing attacks. PPTP leaves your internal network vulnerable to password attacks, especially if users select passwords that are easy to guess. L2TP provides significant protection for your internal network even if your users select weak passwords.
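The ordering the answer describes, with the computer-to-computer check gating the password exchange, is easiest to see as a protocol model. The following is an added example written for this page, not code from the column or from Microsoft's VPN client; it is a constructed toy in which the PPP challenge-response is a simplified HMAC stand-in (not the real MS-CHAP), the "machine certificate" is modelled as a per-machine secret key the server already trusts, and the user name, password, machine name and wordlist are all made up. It runs a remote attacker with no machine credential against both server models and counts how many guesses ever reach the password layer.

```python
"""Toy model of why L2TP/IPSec shields the PPP password exchange and PPTP does not.

Constructed example: the challenge-response below is a simplified HMAC stand-in for
MS-CHAP, and a "machine certificate" is modelled as a per-machine secret key rather
than an X.509 certificate. No real protocol bytes are produced.
"""
import hashlib
import hmac
import os


def chap_response(password: str, challenge: bytes) -> bytes:
    """User-level PPP step (MS-CHAP stand-in): prove knowledge of the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class PppAuthenticator:
    """User/password layer shared by both servers; counts every guess that reaches it."""

    def __init__(self, users):
        self.users = users                      # user name -> password
        self.password_attempts = 0

    def authenticate(self, user: str, respond) -> bool:
        self.password_attempts += 1
        challenge = os.urandom(16)
        response = respond(challenge)           # client computes its answer
        password = self.users.get(user)
        if password is None:
            return False
        return hmac.compare_digest(chap_response(password, challenge), response)


class PptpServer:
    """PPTP: the PPP password exchange is the first thing any Internet host can reach."""

    def __init__(self, users):
        self.ppp = PppAuthenticator(users)

    def connect(self, user, respond, machine_cred=None) -> bool:
        return self.ppp.authenticate(user, respond)   # machine_cred is never consulted


class L2tpIpsecServer:
    """L2TP/IPSec: computer-to-computer auth first; PPP runs only inside the tunnel."""

    def __init__(self, users, trusted_machines):
        self.ppp = PppAuthenticator(users)
        self.trusted_machines = trusted_machines      # machine name -> machine key (cert stand-in)
        self.ipsec_rejects = 0

    def connect(self, user, respond, machine_cred=None) -> bool:
        nonce = os.urandom(16)
        if machine_cred is None or not self._machine_ok(machine_cred, nonce):
            self.ipsec_rejects += 1                   # dropped before any PPP traffic
            return False
        return self.ppp.authenticate(user, respond)

    def _machine_ok(self, cred, nonce) -> bool:
        name, key = cred                              # client proves possession of its key
        trusted_key = self.trusted_machines.get(name)
        if trusted_key is None:
            return False
        proof = hmac.new(key, nonce, hashlib.sha256).digest()
        expected = hmac.new(trusted_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def guess_passwords(server, user, wordlist, machine_cred=None):
    """Online guessing from the Internet: try each word until the server accepts one."""
    for guess in wordlist:
        if server.connect(user, lambda c, g=guess: chap_response(g, c), machine_cred):
            return guess
    return None


USERS = {"alice": "summer2001"}             # constructed: a weak, guessable password
MACHINES = {"ALICE-PC": os.urandom(32)}     # constructed: the office-issued machine key
WORDLIST = ["password", "letmein", "summer2001", "welcome1"]   # constructed


def demo():
    pptp = PptpServer(USERS)
    pptp_found = guess_passwords(pptp, "alice", WORDLIST)

    l2tp = L2tpIpsecServer(USERS, MACHINES)
    l2tp_found = guess_passwords(l2tp, "alice", WORDLIST)                      # no machine cred
    forged = guess_passwords(l2tp, "alice", WORDLIST, ("ALICE-PC", os.urandom(32)))  # wrong key
    attacker_reached_ppp = l2tp.ppp.password_attempts

    # The enrolled office machine with the real key still gets through normally.
    legit_ok = l2tp.connect("alice", lambda c: chap_response("summer2001", c),
                            ("ALICE-PC", MACHINES["ALICE-PC"]))
    return {
        "pptp_found": pptp_found,
        "pptp_attempts": pptp.ppp.password_attempts,
        "l2tp_found": l2tp_found,
        "l2tp_forged_found": forged,
        "l2tp_attacker_password_attempts": attacker_reached_ppp,
        "l2tp_ipsec_rejects": l2tp.ipsec_rejects,
        "l2tp_legit_ok": legit_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against the PPTP model the third wordlist entry succeeds, so the weak password alone decides the outcome; against the L2TP/IPSec model every attempt, with no credential or with a forged key, is rejected at the computer-authentication gate and the password layer never sees a single guess, while the enrolled machine still connects. The example also makes the MAC-address point concrete by omission: nothing in either exchange carries a link-layer address the server could check.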