Microsoft deprecates PPTP and L2TP VPN protocols

Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) for future versions of Windows Server. The company is advising administrators to transition to more secure alternatives for remote access to corporate networks and Windows servers.

For over two decades, PPTP and L2TP have been widely used in enterprise environments; however, as cyber threats have evolved, the vulnerabilities of these protocols have become apparent. PPTP, for instance, is susceptible to offline brute force attacks on captured authentication hashes, while L2TP provides no encryption on its own and can be compromised if not configured correctly with additional protocols like IPsec.

In response to these security concerns, Microsoft recommends migrating to the newer Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2). These protocols are designed to deliver enhanced performance and security features that are increasingly necessary in today’s complex network landscape.

“The move is part of Microsoft’s strategy to enhance security and performance by transitioning users to more robust protocols like Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2),” Microsoft stated in a recent announcement. “These modern protocols offer superior encryption, faster connection speeds, and better reliability.”

The benefits of SSTP include strong encryption via SSL/TLS, seamless firewall traversal, and ease of use with native support in Windows. IKEv2, on the other hand, offers high security through strong encryption algorithms, maintains VPN connections during network changes—making it ideal for mobile users—and provides improved performance with faster tunnel establishment and lower latency.

Microsoft clarified that deprecation does not equate to immediate removal; rather, it indicates that these protocols will no longer receive active development and may be excluded from future Windows versions. The deprecation period could extend from months to years, giving administrators ample time to migrate to the recommended protocols.

In the upcoming iterations of Windows RRAS Server (VPN Server), incoming connections using PPTP and L2TP will be disallowed, although users will still be able to initiate outgoing connections using these protocols. To assist administrators in this transition, Microsoft released a support bulletin in June featuring detailed steps for configuring SSTP and IKEv2.
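A first step in that migration is finding which client VPN profiles still use the deprecated protocols. The PowerShell below is an added example, not code from Microsoft or from the original story: it classifies objects shaped like `Get-VpnConnection` output by their `TunnelType`. The function name `Get-LegacyVpnProfile` and the sample profiles are constructed for illustration, and flagging `Automatic` profiles for review is an assumption based on that setting leaving protocol selection to negotiation.

```powershell
# Added example: flag VPN profiles that still depend on PPTP or L2TP.
# Get-LegacyVpnProfile is a hypothetical helper name, not a built-in cmdlet.
function Get-LegacyVpnProfile {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-VpnConnection output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Connection
    )
    process {
        foreach ($c in $Connection) {
            $tunnel = "$($c.TunnelType)"
            $finding = switch ($tunnel) {
                'Pptp'      { 'Deprecated protocol: PPTP' }
                'L2tp'      { 'Deprecated protocol: L2TP' }
                # Assumption: Automatic lets the client negotiate the protocol,
                # so it is reported for manual review rather than as a failure.
                'Automatic' { 'Review: protocol chosen at connect time' }
                default     { $null }   # Sstp and Ikev2 are the recommended targets
            }
            if ($finding) {
                [pscustomobject]@{
                    Name          = $c.Name
                    ServerAddress = $c.ServerAddress
                    TunnelType    = $tunnel
                    L2tpIPsecAuth = $c.L2tpIPsecAuth   # Psk or Certificate on L2TP profiles
                    Finding       = $finding
                }
            }
        }
    }
}

# Constructed sample profiles so the function can be exercised offline.
$sample = @(
    [pscustomobject]@{ Name = 'HQ-legacy';  ServerAddress = 'vpn1.example.test'; TunnelType = 'Pptp';      L2tpIPsecAuth = $null }
    [pscustomobject]@{ Name = 'Branch-psk'; ServerAddress = 'vpn2.example.test'; TunnelType = 'L2tp';      L2tpIPsecAuth = 'Psk' }
    [pscustomobject]@{ Name = 'Roaming';    ServerAddress = 'vpn3.example.test'; TunnelType = 'Automatic'; L2tpIPsecAuth = $null }
    [pscustomobject]@{ Name = 'HQ-sstp';    ServerAddress = 'vpn4.example.test'; TunnelType = 'Sstp';      L2tpIPsecAuth = $null }
    [pscustomobject]@{ Name = 'Mobile';     ServerAddress = 'vpn5.example.test'; TunnelType = 'Ikev2';     L2tpIPsecAuth = $null }
)
$sample | Get-LegacyVpnProfile | Format-Table -AutoSize

# On a Windows client, audit the real per-user and all-user profiles instead:
# (@(Get-VpnConnection) + @(Get-VpnConnection -AllUserConnection)) | Get-LegacyVpnProfile
```

With the sample data, the three profiles using `Pptp`, `L2tp` and `Automatic` are reported, and the `Sstp` and `Ikev2` profiles are not.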

As organisations continue to prioritise cybersecurity, moving towards these modern protocols will be essential for maintaining secure and efficient remote access to networks.

Original story: https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-and-l2tp-vpn-protocols-in-windows-server/