Remote Access Protocols

Windows 2000 Professional supports the ability to create both outgoing and incoming remote access connections. Types of connections supported include dialup, VPN, and direct cable connection (including infrared). The list below outlines the protocols supported and their associated features and limitations under Windows 2000.

Point-to-Point protocol – PPP is the de facto standard for dialup connections, and supports numerous transport protocols including TCP/IP, NetBEUI, IPX/SPX, AppleTalk and a range of others. PPP also support the assignment of client IP addresses via DHCP. Windows 2000 can act as both a PPP client and server.

Serial Line Internet Protocol – SLIP is an older dialup standard that can only be used with IP and does not allow for dynamic allocation of IP addresses. Windows 2000 can only function as a SLIP client and not as a SLIP server.

Point-to-Point Tunneling Protocol – PPTP is a virtual private networking (VPN) protocol used to create a secure connection over an untrusted network (such as the Internet) by encrypting all data sent between a PPTP client and PPTP server. PPTP is supported by a variety of operating systems, including Windows NT 4.0, Window 95, 98, etc.

Layer 2 Tunneling Protocol – L2TP is another VPN protocol that provides a similar function to PPTP. However, L2TP’s responsibility is tunnel creation and tunnel management. L2TP does not actually encrypt data. Instead, it works in conjunction with the IPSec protocol, which is actually responsible for the encryption. L2TP in an open standard developed jointly by Microsoft and Cisco to ultimately replace PPTP and Cisco’s Layer 2 Forwarding (L2F) protocol.

IPSec – In a VPN environment, IPSec is responsible for encrypted data sent between the VPN client and server, as well as negotiating encryption related parameters such as encryption level (56-bit, 128-bit, etc) and so forth.

Note that so far, the only Microsoft OS to natively support L2TP / IPSec is Windows 2000. As such, protocol choice is often based on client systems making the connection.

Windows 2000 Professional also supports a few new authentication protocols for the purposes of remote access connections. These include EAP and BAP, which are looked at below.

EAP – The Extensible Authentication Protocol is an extension to PPP that allows for a greater degree of choice in terms of the authentication mechanism used. Support is built into Windows 2000 for the use of generic token cards, the MD5-CHAP protocol, and Transport Layer Security (TLS), which is used for authentication via smart card. EAP also allows vendors to create additional authentication modules that can be used in Windows 2000, such a biometric hardware such as a thumbprint reader or retinal scanner, for example.

BAP – The Bandwidth Allocation Protocol is a protocol that enhances the capabilities of multilink in Windows 2000. Multilink is the ability to aggregate the bandwidth from multiple dialup connections (modem or ISDN) for a single user. BAP works to manage bandwidth usage more efficiently. For example, you can use BAP to automatically drop one line of a multilink connection should utilization fall below a certain level.

Windows 2000 also continues to support a variety of authentication protocols that included in NT 4.0. These include:

PAP – Password Authentication Protocol. Uses plaintext passwords.

SPAP – Shiva Password Authentication Protocol. Authentication protocol that allows Windows 2000 clients to be authenticated by Shiva servers, or Shiva clients to be authenticated by Windows 2000 Servers.

CHAP – Challenge Handshake Authentication Protocol. An MD-5 based authentication protocol that is supported in a variety of OSes.

MS-CHAP – Microsoft’s version of CHAP. When this option is chosen, you can choose to encrypt all data using MPPE (Microsoft point-to-point encryption).

MS-CHAP version 2 – supports many of the same features as MS-CHAP, but is a stronger version. For example, while MS-CHAP uses a single cryptographic key for all data sent and received, MS-CHAP v2 uses separate keys for each function. Also supports password changes during the authentication process.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.