Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) for future versions of Windows Server and advised administrators to adopt more secure VPN protocols.

The company recommends transitioning to Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) for better security and performance.

For over two decades, enterprises have relied on PPTP and L2TP for remote access to corporate networks. However, as cyber threats become more sophisticated, these legacy protocols are now considered vulnerable. PPTP, for example, is susceptible to offline brute-force attacks, while L2TP provides no encryption unless paired with IPsec, and that pairing can still introduce vulnerabilities if it is not configured properly.

Microsoft’s strategy to enhance security includes promoting SSTP and IKEv2, which offer stronger encryption, faster connections, and improved reliability. SSTP uses SSL/TLS encryption, making it firewall-friendly and easy to deploy, while IKEv2 supports strong encryption and excels in mobility, maintaining VPN connections during network changes.

Although PPTP and L2TP will no longer be supported for incoming connections on future versions of Windows RRAS Server, outgoing connections will still be allowed. Microsoft has also provided a support bulletin to guide admins in configuring SSTP and IKEv2 during the transition.