Network Interfaces - Demand-dial - Security Tab - Advanced Settings

Applies To: Windows Server 2008

Dialog box element Description

Data Encryption

Lists the available levels of data encryption that you can enforce. You can prohibit encryption, allow users to connect even if their data is not encrypted, or require encryption.

Use Extensible Authentication Protocol (EAP)

Specifies that Extensible Authentication Protocol (EAP) is used with this connection. EAP authenticates remote access users in conjunction with other security devices. These devices include smart cards and certificates.

Lists the Extensible Authentication Protocol (EAP) authentication types that are installed on your computer. If the EAP type that you need is not on the list, then you must install it.

Unencrypted password (PAP)

Specifies whether to use the Password Authentication Protocol (PAP). PAP uses plaintext passwords and is the least secure authentication protocol. PAP is typically used if your connection and the server cannot negotiate a more secure form of validation. You may need to use this protocol if you are calling a server that is not running Windows.

Challenge Handshake Authentication Protocol (CHAP)

Specifies whether to use the Challenge Handshake Authentication Protocol (CHAP). CHAP negotiates a secure form of encrypted authentication. Message Digest 5 (MD5), an industry standard, transforms data (for example, a password) in such a way that the result is unique and cannot be changed back to its original form. CHAP uses challenge-response with one-way MD5 hashing on the response. In this way, you can prove to the server that you know your password without actually sending the password over the network. By supporting CHAP, Network Connections is able to securely connect to almost all other PPP servers.

Microsoft CHAP Version 2 (MS-CHAP v2)

Specifies whether to use a new version of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2). This protocol provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. To minimize the risk of password compromise during MS-CHAP exchanges, MS-CHAP v2 drops support for the MS-CHAP password change and does not transmit the encoded password.

For VPN connections, MS-CHAP v2 is offered before the legacy MS-CHAP. Updated Windows clients accept MS-CHAP v2 when it is offered. Dial-up connections are not affected.

Smart Card or other Certificate Properties

Dialog box element Description

Use my smart card

Specifies that the certificate that resides on your smart card is presented to your server for authentication.

Use a certificate on this computer

Specifies that the certificate that resides in the certificate store on your computer is presented to your server for authentication.

Use simple certificate selection

Simplifies certificate selection for the user by grouping certificates with the same subject and selecting the most recently issued certificate in each group. If only one group exists, then the most recent certificate in this group is automatically selected for authentication.

Validate server certificate

Specifies whether to verify that the server certificate presented to your computer has not expired and is still valid. In the certificate authentication process, your computer presents its certificate to the server, and the server presents its certificate to your computer.

Connect to these servers

Specifies the server or servers to which your computer will automatically connect. The server name specified must exactly match the server name on the certificate. You can specify multiple server names, but you must separate them with semicolons.

Type the name of the server as it appears in the certificate properties. This could be a short name or a fully qualified domain name (FQDN), for example,

Trusted Root Certification Authorities

Lists the available trusted root certification authorities. Trusted root certification authorities have passed through multiple layers of verification and are considered the most secure.

Use a different user name for the connection

Specifies whether to use a different user name when the user name in the smart card or certificate is not the same as the user name in the domain that you are logging on to.

Do not prompt user to authorize new servers or trusted certification authorities

Specifies whether to notify that the server certificate presented to your computer is not trusted. Untrusted certificate authentication attempts will silently fail.