We are using a PPTP VPN, on Windows RAS/Server 2003.

We have users verify anti-virus patching, and then after verification grant access to the VPN. We don't use a CMAK applet, we just provide users with instructions on configuring their home device to connect to the VPN.

My question is how can we ensure that they do not save the VPN password when they save the connection? Is there any method to audit it? We can remind users, but if they've already set up VPN it's not too likely that they'll actually follow through and change the settings.

A method that works for XP is most important, but support for OS X and Windows 7/Vista would also be nice. I would be willing to switch our VPN to a new solution and distribute a connectoid if that's the only real way to do it.


Edit: I should point out two things: we can't really afford to use 2-factor authentication. Also, I understand that there's probably not a perfect way to ensure it. Our users aren't malicious, but they are lazy. If I can identify even 90% of users that are saving the password and then deny them access until they fix it, that's enough for me.

Quinten
  • My gut says, if you don't own the box they are using to connect, you cannot guarantee that. If you own the PC, you can set and control security policy. If you are that concerned, use two-factor authentication. – uSlackr Apr 25 '12 at 19:12
  • I have to agree with uSlackr - it's not your box, so you don't control anything on it. You have to accept that and either work around it using one of the ways that have been identified or accept that it's going to happen. Sorry. – Rob Moir Apr 25 '12 at 20:14
  • It might be worth mentioning your budget. You're ruling out 2-factor auth because of the assumed cost, but there are definitely low-cost solutions available without any subscription or recurring costs, for example the YubiKey. – Martijn Heemels Apr 25 '12 at 20:42
  • PhoneFactor multi-factor authentication is free for up to 25 users. http://www.phonefactor.com/solutions/ssl-vpn-authentication – joeqwerty Apr 25 '12 at 21:17
  • Pain is a good motivator. ;D – Justin Pearce Apr 25 '12 at 22:42

3 Answers

1

I also run a VPN with Windows Server and RRAS. My recommendation is to use CMAK (Connection Manager Administration Kit) to create VPN client installers. It's not a lot of work and it does what you want - lets you customize the VPN screen options and, among other things, allows you to remove the ability to save/remember the user's password. I do this myself.

CMAK covers XP, Vista, and Windows 7 (though they are separate installers based on both architecture (32/64-bit) and OS version, and must be created from the appropriate server version corresponding to each client: for XP, Server 2003; for Vista, Server 2008; for Windows 7, Server 2008 R2). It's somewhat of a pain, but once they're created they don't generally change often.

As for existing users, tell them that to maintain the ability to VPN from their home PCs, they need to start using the new VPN client.

It's not bulletproof (a user could still manually create a PPTP connection in Windows), but it's still an improvement over each user having the save password checkbox directly in front of them. It should also save you the manual work of having to walk users through configuration of a new VPN connection each time in the future. They just need the right installer, type their username and password, and connect.

This doesn't solve the OS X case, and is not a true guarantee, but it does at least improve the situation. I would consider using CMAK if you stick with Windows RRAS. If you decide to switch to another technology, please leave a comment on it - I'd be curious.

uSlackr's comment holds true - if you don't control the hardware, there is no guarantee.

Joshua McKinnon
  • This will work for the casual users. I've had more technical users set up their own VPN software such as Shrewsoft because they were experiencing problems with our Cisco IPSec VPN client. Using another client will circumvent your settings. – Martijn Heemels Apr 25 '12 at 20:48
  • This seems like the best answer, although implementation may be a little work to begin with. I'm not worried that someone will be able to get around it--they surely will for anything but the 2-factor. I'd just like to catch the bumbling users who got VPN to work and then didn't pay attention to the instructions about not saving a password and who will ignore an email message warning them about it. – Quinten Apr 26 '12 at 12:44
1

Similar to Bryan's answer, the YubiKey has a low cost per device ($25 for one, less in bulk) and the YubiRadius software is free (they only charge for support). Just set up the RADIUS server and have your VPN use that to authenticate the users.

This will work in the same way the RSA SecurID token works: the users have a physical device that generates a one-time password, and if they do not have the device with them they cannot log in.

Scott Chamberlain
  • Beat me to it. :-) I was just going to suggest using the YubiKey. It's a cheap, simple device that's easy to roll out. The YubiRadius software is free and does all the poster needs. This would definitely fix Quinten's concern, is very low-cost, and has no recurring costs. – Martijn Heemels Apr 25 '12 at 20:33
0

Strictly speaking this doesn't answer your question, however I believe this alternative approach should be a suitable solution for you.

Implement a system that requires two-factor authentication for your VPN connections, using a device such as an RSA SecurID.

The user might still leave their SecurID next to their home PC, but these devices usually require a PIN to be entered (that the user memorises and can't be cached), plus the digits displayed on the device.

There is a YouTube video that demonstrates this.

Bryan
  • That is definitely an interesting solution, but I think it's outside of our budget. – Quinten Apr 25 '12 at 19:59
  • @Quinten What is your budget, as that can affect recommendations. – Scott Chamberlain Apr 25 '12 at 20:01
  • @ScottChamberlain free would be best, even if time-consuming to implement, as our current solution works without requiring additional licenses. The value of buying a new product to fix the problem will be hard to show. – Quinten Apr 25 '12 at 20:04