Best Practices

  • Allow only MS-CHAPv2 or EAP-TLS for remote client authentication. Only these forms of authentication provide maximum protection of user credentials as well as mutual authentication of the remote client and the remote access server.

  • Implement RADIUS authentication for all remote access authentication. By implementing RADIUS authentication, you ensure that remote access policy is applied centrally from the IAS server, rather than by each remote access server.

  • If implementing L2TP/IPSec as your VPN protocol, use certificates to authenticate the remote access client computer and the remote access server. Using pre-shared keys for IPSec authentication of L2TP/IPSec connections is considered a security weakness and should be avoided. ...
