Is the Windows VPN secure?

Solution 1:

Like all things security, it depends on how you configure it.

It can be setup to be very secure. At one point in time (Circa Win98) it had problems. Since then MS has fixed it (Circa 1999). There's a cryptanalysis of it available here; bottom line, user passwords are the weakest link (as it should be).

Some of the user password issue can be mitigated by using client authentication certificates. If you already have a good PKI infrastructure, you probably already automatically issue client (computers) certificates. PPTP can use these to prove that the computer should be allowed to try a username and password pair. Certificates aren't required however, and PPTP will still be as secure as your passwords.

MS provides articles on how to setup PPTP (Including EAP/TLS) as well as L2TP (L2TP does require Certs/PKI). Both of these are for Win2003, but they're plenty enough to get an idea of what's required; and there are documents around for 2008. As noted in the comments, any variation of PAP and CHAP are insecure (because they can be brute forced with trivial resources).

If your IT is telling you that PPTP is insecure they either haven't kept up with the issues (since <1999) or they're using "insecure" as a cop-out for some other reason.

Solution 2:

Meanwhile, Chris' answer is outdated. PPTP is insecure as proven by Moxie Marlinspike. Therefore, only L2TP/IPSec, IPSec with IKEv2 or OpenVPN should be used.