14.3 Authentication and Encryption Protocols

Windows Server 2003 supports a number of authentication and encryption protocols, which are designed to support a wide range of remote access clients. Selecting the strongest possible protocols that your clients support provides the best security for your remote access infrastructure.

14.3.1 Authentication Protocols

Windows Server 2003 supports several remote access authentication protocols. You can use remote access policies to determine which protocols your server will accept, as shown in Figure 14-3.

Figure 14-3. Selecting remote access authentication protocols in a remote access policy

The three basic protocols that Windows Server 2003 supports are:

Extensible Authentication Protocol (EAP)

EAP is primarily used to support advanced authentication mechanisms such as smart cards and requires additional configuration settings depending on how your environment is set up to handle those mechanisms.

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

MS-CHAP is an older authentication protocol used by client operating systems like Windows 95.

Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2)

Version 2 of the MS-CHAP protocol is native to Windows 2000 and Windows Server 2003 (and is included in Windows NT 4.0 Service Pack 4 and later) and provides more secure authentication than the older MS-CHAP.

Be sure your remote access policies will accept older authentication protocols if your remote access clients need them. However, always allow your policies to accept connections on the strongest protocols as well. Newer clients like Windows XP will attempt to use MS-CHAP v2 first, if your server permits it.
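The following PowerShell script is an added example, not part of the book, that applies the same rule from the command line with netsh on the RRAS server: it enables the strongest methods (MS-CHAP v2 and EAP), removes the weak ones, and keeps MS-CHAP v1 only while a switch says legacy clients still need it. It assumes the netsh ras authtype commands of Windows 2000/2003 and an elevated prompt on the server; these are the server-wide methods behind the RRAS Security tab, not the per-policy profile shown in Figure 14-3, which can only narrow what the server already allows.

```powershell
# Added example (not from the book): harden the RRAS server's accepted
# authentication methods. Assumes the Windows 2000/2003 "netsh ras" context
# and an elevated prompt on the RRAS server itself.
param(
    # Set to $true only while Windows 95-era clients still need MS-CHAP v1.
    [bool]$AllowLegacyMsChap = $false
)

# Methods every client population should be allowed to negotiate.
$strong = @('MSCHAPv2', 'EAP')
# Methods with no remaining legitimate use in this environment.
$weak   = @('PAP', 'SPAP', 'MD5CHAP')
if (-not $AllowLegacyMsChap) { $weak += 'MSCHAP' }

foreach ($type in $strong) {
    # Always accept the strongest methods; newer clients such as
    # Windows XP try MS-CHAP v2 first when the server permits it.
    & netsh ras add authtype "type=$type" | Out-Null
}

foreach ($type in $weak) {
    # Deleting a method that is already disabled is harmless.
    & netsh ras delete authtype "type=$type" | Out-Null
}

if ($AllowLegacyMsChap) {
    # Legacy fallback: keep MS-CHAP v1 alongside the strong methods so old
    # clients can still connect while new clients negotiate MS-CHAP v2.
    & netsh ras add authtype "type=MSCHAP" | Out-Null
}

# Show the resulting server-wide list; each remote access policy profile
# can only restrict this list further, never extend it.
& netsh ras show authtype
```

Rerun with `-AllowLegacyMsChap $false` once the last Windows 95 clients are retired, so MS-CHAP v1 is removed rather than left enabled by habit.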

Your remote access clients must be configured to use the same authentication protocols as your server. Figure 14-4 shows the dial-up configuration for a typical Windows client. Selecting the strongest authentication method will cause the client to disconnect if the server does not support that method.

Figure 14-4. Typical Windows client dial-up configuration

By selecting the Advanced configuration on the client's dial-up properties, you can manually select the protocols that the client will attempt to use. The Advanced configuration dialog box is shown in Figure 14-5.

Figure 14-5. Advanced Windows client dial-up configuration

14.3.2 Encryption Protocols

Windows Server 2003 also allows you to restrict remote access connections to those that use specific levels of data encryption. As with authentication protocols, dial-up clients must be configured to use data encryption. Figure 14-6 shows a Windows client configured to use the strongest possible data encryption and to disconnect if the server does not support that level of encryption.

Figure 14-6. Configuring encryption in a remote access policy