
JSI Tip 8890. How can I configure my Windows XP SP2 PPTP server or Windows Server 2003 SP1 PPTP server to only authenticate specified IP addresses?

A Windows PPTP server is vulnerable to denial of service attacks via the PPTP control channel.

I have scripted PPTPOnly.bat to force the PPTP protocol to accept calls only from the client IP addresses that you specify.

The syntax for using PPTPOnly.bat is:

PPTPOnly IPAddress1 Mask1 [IPAddress2 Mask2 ... IPAddressN MaskN]

where each IPAddress(i) and Mask(i) pair specifies a valid client IP address, with mask, that is allowed to be authenticated by the PPTP server. No octet should have extraneous leading zeros.

The PPTPOnly.bat script works by locating the registry sub-key of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} that defines the WAN Miniport (PPTP) driver, displaying the sub-key, and setting its AuthenticateIncomingCalls Value Name, a REG_DWORD data type, to 1. It then sets the ClientIpAddresses and ClientIpMasks Value Names, both REG_MULTI_SZ data types, with the IPAddress(i) and Mask(i) values that you specify, maintaining the one-to-one mapping between IP address and mask that is required.

NOTE: If AuthenticateIncomingCalls is set to 1 and you remove all the IP addresses from ClientIpAddresses, no client will be able to connect.

NOTE: Each time that you run PPTPOnly.bat, it adds the specified parameters to the existing entries. Running PPTPOnly IPAddress1 Mask1 and then PPTPOnly IPAddress2 Mask2 is equivalent to running PPTPOnly IPAddress1 Mask1 IPAddress2 Mask2.
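As an added example that is not part of the JSI tip, the same change can be made from an elevated PowerShell prompt on the PPTP server. The registry class key, the DriverDesc string and the three Value Names are taken from the tip; the script name, its parameter and the helper function are my own. Unlike PPTPOnly.bat it skips pairs that are already present, so re-running it does not grow the lists, and it refuses to write an empty ClientIpAddresses list, which the tip notes would lock out every client.

```powershell
# Added example, not the tip's PPTPOnly.bat. Usage (elevated PowerShell):
#   .\Set-PptpClientFilter.ps1 192.168.1.10 255.255.255.255 10.0.0.0 255.255.255.0
param(
    [Parameter(Mandatory = $true)]
    [string[]] $AddressMaskPairs   # IPAddress1 Mask1 [IPAddress2 Mask2 ...]
)

# Network adapter class key from the tip; the PPTP miniport is one of its numbered sub-keys.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

function Test-DottedQuad {
    # Canonical IPv4 dotted quad only: four octets 0-255, no extraneous leading zeros,
    # matching the tip's requirement for the values written to the registry.
    param([string] $Text)
    if ($Text -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $false }
    foreach ($i in 1..4) {
        $octet = $Matches[$i]
        if ([int]$octet -gt 255) { return $false }
        if ($octet.Length -gt 1 -and $octet.StartsWith('0')) { return $false }
    }
    return $true
}

if ($AddressMaskPairs.Count -eq 0 -or ($AddressMaskPairs.Count % 2) -ne 0) {
    throw 'Supply IP address and mask in pairs: IPAddress1 Mask1 [IPAddress2 Mask2 ...]'
}

# Locate the sub-key whose DriverDesc is "WAN Miniport (PPTP)", as PPTPOnly.bat does.
$pptpKey = Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
    Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name DriverDesc -ErrorAction SilentlyContinue).DriverDesc -eq 'WAN Miniport (PPTP)'
    } | Select-Object -First 1
if (-not $pptpKey) { throw 'WAN Miniport (PPTP) sub-key not found' }
Write-Output "The WAN Miniport (PPTP) sub-key is $($pptpKey.Name)"

# Existing REG_MULTI_SZ lists come back as string[]; treat a missing value as an empty list.
$props = Get-ItemProperty -Path $pptpKey.PSPath
[string[]] $addresses = @($props.ClientIpAddresses | Where-Object { $_ })
[string[]] $masks     = @($props.ClientIpMasks     | Where-Object { $_ })

for ($i = 0; $i -lt $AddressMaskPairs.Count; $i += 2) {
    $addr = $AddressMaskPairs[$i]
    $mask = $AddressMaskPairs[$i + 1]
    if (-not (Test-DottedQuad $addr) -or -not (Test-DottedQuad $mask)) {
        Write-Warning "Invalid IP address and Mask pair, not added: $addr $mask"
        continue
    }
    # Keep the one-to-one address/mask mapping and skip pairs already present.
    $duplicate = $false
    for ($j = 0; $j -lt $addresses.Count; $j++) {
        if ($addresses[$j] -eq $addr -and $masks[$j] -eq $mask) { $duplicate = $true; break }
    }
    if ($duplicate) { continue }
    $addresses += $addr
    $masks     += $mask
}

# With AuthenticateIncomingCalls=1 an empty ClientIpAddresses list means no client can connect.
if ($addresses.Count -eq 0) {
    throw 'No valid address/mask pairs; refusing to enable AuthenticateIncomingCalls with an empty list'
}

Set-ItemProperty -Path $pptpKey.PSPath -Name AuthenticateIncomingCalls -Value 1 -Type DWord
Set-ItemProperty -Path $pptpKey.PSPath -Name ClientIpAddresses -Value $addresses -Type MultiString
Set-ItemProperty -Path $pptpKey.PSPath -Name ClientIpMasks     -Value $masks     -Type MultiString
Write-Output "Configured $($addresses.Count) client IP address/mask pair(s)"
```

The DriverDesc lookup replaces the batch file's fixed character-offset test of the key path, so it does not depend on the key name having a particular length.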

PPTPOnly.bat contains:


@echo off
rem Require at least one IP address / mask pair.
if {%2}=={} @echo Syntax: PPTPOnly IPAddress1 Mask1 [IPAddress2 Mask2 ... IPAddressN MaskN]&goto :EOF
setlocal
call :tstparm %1 %2>nul 2>&1
if "%parmok%" EQU "Y" goto doit
@echo First IP address and Mask pair is invalid. PPTPOnly will not run.
@echo PPTPOnly %*
endlocal
goto :EOF
:doit
rem Enumerate the network adapter class key and hand each sub-key line to :parse.
set fnd=FINDSTR /L /I /C:
set qry=reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S
set sub={4D36E972-E325-11CE-BFC1-08002bE10318}
for /f "Tokens=*" %%a in ('%qry%^|%fnd%"%sub%"') do (
 set line=%%a
 call :parse %*
)
endlocal
goto :EOF
:tstparm
rem Validate an address and mask: each must rebuild identically from its four octets,
rem which rejects missing octets and extraneous leading zeros.
set parmok=Y
set parm=%1
for /f "Tokens=1-4 Delims=." %%i in ('@echo %parm%') do (
 set /a p1=1000%%i%%1000
 set /a p2=1000%%j%%1000
 set /a p3=1000%%k%%1000
 set /a p4=1000%%l%%1000
)
if "%parm%" NEQ "%p1%.%p2%.%p3%.%p4%" set parmok=N
set parm=%2
for /f "Tokens=1-4 Delims=." %%i in ('@echo %parm%') do (
 set /a p1=1000%%i%%1000
 set /a p2=1000%%j%%1000
 set /a p3=1000%%k%%1000
 set /a p4=1000%%l%%1000
)
if "%parm%" NEQ "%p1%.%p2%.%p3%.%p4%" set parmok=N
goto :EOF
:parse
rem Keep only direct sub-keys of the class key (offset 96 is the "\" after the GUID;
rem a second "\" at offset 101 means a deeper sub-key).
if "%line:~0,18%" NEQ "HKEY_LOCAL_MACHINE" goto :EOF
if "%line:~96,1%" NEQ "\" goto :EOF
if "%line:~101,1%" EQU "\" goto :EOF
set key=%line%
set skey=%key:HKEY_LOCAL_MACHINE=HKLM%
set okkey=
for /f "Tokens=1,2*" %%b in ('reg query %skey%^|%fnd%"DriverDesc"^|%fnd%"REG_SZ"^|%fnd%"WAN Miniport (PPTP)"') do (
 set okkey=%skey%
)
if not defined okkey goto :EOF
@echo The WAN Miniport (PPTP) sub-key is %key%
reg add %okkey% /V AuthenticateIncomingCalls /T REG_DWORD /D 1 /F
rem Read the existing REG_MULTI_SZ lists and strip the trailing \0\0 terminator.
for /f "Tokens=1,2*" %%x in ('reg query %okkey% /V ClientIpAddresses^|%fnd%"REG_MULTI_SZ"') do (
 set CIA=%%z
)
if defined CIA set CIA=%CIA:\0\0=%
if "%CIA%" EQU "\0" set CIA=
for /f "Tokens=1,2*" %%x in ('reg query %okkey% /V ClientIpMasks^|%fnd%"REG_MULTI_SZ"') do (
 set CIM=%%z
)
if defined CIM set CIM=%CIM:\0\0=%
if "%CIM%" EQU "\0" set CIM=
:loop
rem Append each valid address/mask pair, keeping the two lists in step.
if {%2}=={} goto :loopend
call :tstparm %1 %2>nul 2>&1
if "%parmok%" EQU "Y" goto loop1
@echo The following IP address and Mask pair is invalid, and will NOT be added: %1 %2
goto loop2
:loop1
if defined CIA set CIA=%CIA%\0
set CIA=%CIA%%1
if defined CIM set CIM=%CIM%\0
set CIM=%CIM%%2
:loop2
shift
shift
goto loop
:loopend
reg add %okkey% /V ClientIpAddresses /T REG_MULTI_SZ /D "%CIA%" /F
reg add %okkey% /V ClientIpMasks /T REG_MULTI_SZ /D "%CIM%" /F


