Initial dial-in authentication may be required by an ISP network access server. If this authentication is required, it is strictly to log on to the ISP network access server; it is not related to Windows NT-based authentication. Check with your ISP for their authentication requirements. You apply these requirements in the Dial-Up Networking configurationfor that ISP.
On the other hand, the PPTP tunnel server controls all access to your private network. That is, the PPTP server is a gateway to your private network. The PPTP server requires a standard Windows NT-based logon. All PPTP clients must supply a user name and password. Therefore, remote access logon using a computer running Windows NT Server version 4.0, Windows NT Workstation version 4.0, or Windows 95 is as secure as logging on from a Windows-based computer connected to the local LAN.
Authentication of remote PPTP clients is done by using the same PPP authentication methods used for any RAS client dialing directly to a RAS server. Microsoft’s implementation of RAS supports the Challenge Handshake Authentication Protocol (CHAP), the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and the Password Authentication Protocol (PAP) authentication schemes.
Note MS-CHAP authentication supports the MD4 hash as well as the earlier authentication scheme used in Microsoft LAN Manager.
As with all user accounts, the user accounts of remote users reside in the Windows NT Server version 4.0 directory and are administered through User Manager for Domains. This provides centralized administration that is integrated with the private network’s existing user accounts. Only accounts that have been granted specific access to the network through a trusted domain are permitted. Careful management of user accounts is necessary to reduce security risks.
Having a secure password model in place is critical to successful deployment of PPTP because Internet connections are more susceptible to speed or “demon dialer” programs, which can literally crunch through thousands of password and username combinations.
The only way to minimize this type of attack is to implement secure password policies. Passwords should be difficult to guess. For example, you can require that passwords contain uppercase letters, lowercase letters, numbers, and special characters. It is recommended that you require at least three different types of characters to ensure password uniqueness.