Is it possible to sniff VPN traffic for a bad configuration?
I have created a VPN service using Routing And Remote Services on Windows Server 2008 (standalone). I have created a test user in Local Users & Groups and haven't added it to any group, and the permission for dial-in is granted through NPS. The credentials of this test user were somehow taken by a malicious user and I get some reports of session hijacking from other VPN users. Is it possible that the attacker somehow monitors the VPN traffic because of some bad server configuration? Thanks
July 21st, 2011 11:49am

Hi khafancoder,
Thanks for posting here.
Which tunneling protocol was used in your environment? Have you also set encryption yet? We'd suggest choosing a more secure VPN tunneling protocol in order to prevent the situation you encountered:
VPN Tunneling Protocols: http://technet.microsoft.com/en-us/library/dd469817(WS.10).aspx
VPN Security: http://technet.microsoft.com/en-us/library/cc779580(WS.10).aspx
Actually, you should disable or change the password for that account immediately if you can ensure that it had been hijacked.
Thanks.
Tiger Li
July 25th, 2011 4:04am

Thanks Li,
We are using PPTP and MS-CHAP V2. All of the configuration has been set using Network Policy Server. We have changed the testuser's password, but since it's a test account it would be available to many company members very soon again, so we expect that the malicious user would once again gain access to this test account. The problem here is why anyone who can use this VPN would be able to sniff others' communication. Does this testuser have some unwanted permissions, or are there some unwanted services which allow the malicious user to monitor the server's traffic?
July 26th, 2011 7:44am

A VPN user cannot sniff other VPN users or the VPN server traffic. It is impossible because of the nature of VPN protocols when traffic is tunneled through a virtual layer 2 protocol. The only possible place where to be able to sniff traffic for other users is the VPN server itself or beyond that in the network. What kind of session hijacking are the other users experiencing and for what protocols?
/Hasain
July 26th, 2011 8:43am

Thanks for your info Hasain,
"What kind of session hijacking are the other users experiencing and for what protocols?"
It happened on HTTP, and the attacker gained access to their session cookies (Facebook, Gmail and so on).
July 26th, 2011 4:21pm

HTTP session hijacking does not necessarily require the attacker to be on the same network segment. The attacker only needs to redirect HTTP traffic to his/her host and extract the required session cookies, and that can be done using many methods, of which network sniffing is just one; another more probable and easier attack is ARP spoofing. ARP spoofing can sometimes be used to avoid some layer 2 restrictions.
/Hasain
July 27th, 2011 5:26am

Thanks Hasain,
Is it possible to do ARP spoofing on a VPN? How could I identify and block that kind of attack?
July 27th, 2011 6:14am

PPTP uses Proxy ARP to allow PPTP-connected clients to reach each other over the PPTP server, and you do not have direct access to ARP over PPTP, making it not possible to conduct ARP poisoning over PPTP. Detecting ARP poisoning is about detecting gratuitous ARPs and not completely blocking them but setting a threshold, because gratuitous ARPs are normally used to announce layer 2 address changes, virtual/alias IPs and duplicate IP address detection.
/Hasain
July 27th, 2011 7:49am
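
The threshold approach described in the last reply, as an added example that is not part of the original thread: a monitor that counts gratuitous ARPs (sender IP equal to target IP) per address in a sliding window and also reports when an announced IP-to-MAC binding changes. The class name, threshold, window and sample addresses are assumptions, and the ARP bodies are constructed rather than captured.

```python
import struct
from collections import defaultdict, deque

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body: 28 bytes

def parse_arp(body: bytes):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(body) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa))

class GratuitousArpMonitor:
    # Hypothetical defaults: tolerate up to 3 gratuitous ARPs per IP per 10 seconds.
    def __init__(self, threshold=3, window=10.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # ip -> timestamps of recent gratuitous ARPs
        self.binding = {}               # ip -> MAC last announced gratuitously

    def observe(self, ts: float, body: bytes):
        """Feed one ARP body with its timestamp; return a list of alert strings."""
        parsed = parse_arp(body)
        if parsed is None or parsed[2] != parsed[3]:  # ignore non-gratuitous ARP
            return []
        _oper, mac, ip, _ = parsed
        alerts = []
        old = self.binding.get(ip)
        if old is not None and old != mac:
            alerts.append(f"binding-change {ip} {old} -> {mac}")
        self.binding[ip] = mac
        q = self.seen[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) > self.threshold:
            alerts.append(f"rate-exceeded {ip} {len(q)} in {self.window:g}s")
        return alerts

def make_arp(oper, mac, sender_ip, target_ip):
    """Build a constructed ARP body (sample data for the demo, not a capture)."""
    to_ip = lambda s: bytes(int(p) for p in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(mac.replace(":", "")),
                       to_ip(sender_ip), b"\xff" * 6, to_ip(target_ip))

if __name__ == "__main__":
    mon = GratuitousArpMonitor()
    for ts, mac in [(0, "00:11:22:33:44:55"), (2, "de:ad:be:ef:00:01"), (3, "de:ad:be:ef:00:01")]:
        print(ts, mon.observe(ts, make_arp(2, mac, "192.0.2.10", "192.0.2.10")))
```

A single legitimate announcement (failover, address change) stays below the threshold and raises at most a binding-change notice for review; a sustained stream of announcements for the same IP trips the rate alert.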

This topic is archived. No further replies will be accepted.
