How to permit only authorized users to connect to your PPTP server in Microsoft Windows XP Service Pack 2 (878457)



The information in this article applies to:

  • Microsoft Windows XP Home Edition Service Pack 2 (SP2)
  • Microsoft Windows XP Professional Service Pack 2 (SP2)

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

INTRODUCTION

When an unauthorized user makes multiple connections to your server through the PPTP control channel, your Microsoft Windows XP Service Pack 2 (SP2)-based Point-to-Point Tunneling Protocol (PPTP) server may stop responding to service requests.

To prevent unauthorized users from connecting to your PPTP server, you can configure three registry keys in Microsoft Windows XP SP2. By doing this, you can permit connections only from known Internet Protocol (IP) addresses.

MORE INFORMATION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To permit connections to your PPTP server only from known source addresses, follow these steps:
  1. Open Registry Editor.
  2. Expand the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\


  3. Right-click the {4D36E972-E325-11CE-BFC1-08002bE10318} entry, and then click Find.
  4. Type wan miniport in the Find what box, click to select the Keys check box, click to select the Values check box, click to select the Data check box, and then click OK.
  5. When a 000x subkey is found, where x is a numeric value, verify that the following information appears in the right pane:

    Name: DriverDesc
    Value: WAN Miniport (PPTP)

    Note The WAN Miniport (PPTP) value indicates that this 000x is where PPTP protocol entries are registered.
  6. If you have to, press F3 to repeat the find operation. Do this until you find the correct subkey.
  7. After you find the correct 000x subkey in the registry tree, right-click AuthenticateIncomingCalls in the right pane, and then click Modify.

    Note The default value for this entry is 0. This value permits connections from any client. If this value is set to 1, and no IP addresses are entered in the ClientIPAddresses entry, no clients are permitted to connect through PPTP.
  8. Type 1 in the Value data box, and then click OK.
  9. Right-click ClientIpAddresses, and then click Modify.
  10. Type a valid IP address
  11. Right-click ClientIpMasks, and then click Modify.
  12. Type a valid subnet mask that has the following format in the Value data box, and then click OK:

    xxxx.xxxx.xxxx.xxxx

  13. Restart the computer.

The PPTP server will now accept connections only from a client that has an IP address that is included in the ClientIPAddresses registry entry. The ClientIPAddresses registry entry is relevant only if the value for the AuthenticateIncomingCalls entry is set to 1.
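
To verify the result of the steps above without opening Registry Editor, the following read-only check locates the 000x subkey by its DriverDesc value and reports the three entries. It is an added example, not part of the original article, and it assumes that Windows PowerShell is installed and that it is run from an administrator account. It changes nothing in the registry.

```powershell
# Added example: read-only audit of the PPTP allow-list entries described in this article.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

# Steps 2-6: find the 000x subkey whose DriverDesc is "WAN Miniport (PPTP)".
# Subkeys that cannot be read are skipped instead of stopping the search.
$pptp = Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.DriverDesc -eq 'WAN Miniport (PPTP)' }

if (-not $pptp) {
    Write-Warning 'No subkey with DriverDesc "WAN Miniport (PPTP)" was found.'
    return
}

foreach ($entry in @($pptp)) {
    # Steps 7-12: read the three entries; empty strings are dropped from the lists.
    $auth  = $entry.AuthenticateIncomingCalls
    $addrs = @($entry.ClientIpAddresses | Where-Object { $_ })
    $masks = @($entry.ClientIpMasks     | Where-Object { $_ })

    Write-Output ('Subkey: {0}' -f $entry.PSChildName)
    Write-Output ('  AuthenticateIncomingCalls = {0}' -f $auth)
    Write-Output ('  ClientIpAddresses         = {0}' -f [string]::Join(', ', [string[]]$addrs))
    Write-Output ('  ClientIpMasks             = {0}' -f [string]::Join(', ', [string[]]$masks))

    if ($auth -ne 1) {
        # The address list is only relevant when AuthenticateIncomingCalls is 1.
        Write-Warning 'AuthenticateIncomingCalls is not set to 1, so ClientIpAddresses is not enforced.'
    }
    elseif ($addrs.Count -eq 0) {
        # The case called out in the note under step 7.
        Write-Warning 'AuthenticateIncomingCalls is 1 but ClientIpAddresses is empty: no clients can connect through PPTP.'
    }
    else {
        Write-Output '  Source-address restriction is enabled.'
    }
}
```

Because the settings take effect after the restart in step 13, run the check again after restarting to confirm that the values persisted.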

Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords:kbClient kbprb kbConfig kbadmin kbSecurity kbnetwork kbtshoot kbDownload KB878457 kbAudITPRO