December 2007

Windows Vista’s Wireless Security

Let your users go wireless without worries

Using Group Policy to Manage Wireless Networks
Having a consistent policy for wireless connectivity in a corporate environment is important for maintaining a secure network. Using Group Policy is the easiest method for enforcing wireless and other policies. You can use Group Policy to block access to nearby wireless networks managed by different organizations, to disable the built-in support for wireless auto configuration, and to configure wireless clients to automatically connect to your organization’s protected wireless networks.

In Windows 2003 and XP, you can use a Group Policy Object (GPO) to configure wireless settings. However, Windows 2003’s GPO wireless options are limited to those available in XP. Vista greatly extends those capabilities, so the GPO now covers all the new features of wireless connections.

To use Group Policy for managing Vista wireless clients on a corporate level, you must first extend Windows 2003’s AD schema with the proper attributes. The Microsoft article “Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements” (www.microsoft.com/technet/network/wifi/vista_ad_ext.mspx) includes detailed instructions for this procedure, as well as the required script. After you extend the AD schema, you can use Vista’s Group Policy Management Console (GPMC—connected to the corporate forest) to configure wireless policies. Create a new GPO, then navigate to Computer Configuration, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies. Because Vista has a new set of wireless options, you must create separate policies for XP and Vista. Fortunately, you don’t have to create a separate GPO for each OS and deal with WMI filtering. You can simply right-click the GPO’s Wireless Network Policies item and create a new XP or Vista policy. If both types of wireless policies are configured, XP wireless clients will use only the XP policy settings, and Vista wireless clients will use only the Vista policy settings. If no Vista policy settings exist, Vista wireless clients will use the XP settings, because they’re a subset of the settings available for Vista. Note that wireless policies intended for Vista, created from Vista’s GPMC and linked somewhere in the domain, aren’t visible from Windows 2003’s GPMC (unlike XP policies). However, this doesn’t mean that the policies won’t be applied.

Wireless policies have many configuration options, such as preventing users from connecting to ad-hoc networks, preventing users from creating new wireless profiles, and enforcing only preconfigured wireless profiles. By using these options in Group Policy, administrators can create wireless profiles for some or all users that contain information about the SSID, authentication and encryption methods, and some advanced 802.1x options. For example, if you want to preconfigure a wireless network profile for a client so that the user doesn’t have to enter any settings, open a new policy window, select the General tab, click Add, and select the network type (infrastructure or ad-hoc). Then, enter all the data for the desired wireless network in the new profile properties window that opens (Figure 4 shows an example). If you want to restrict users to connecting only to networks that you explicitly specify, select the Network Permissions tab rather than the General tab.

Using Group Policy is the only method for configuring Vista’s Enterprise Single Sign-On feature. Enterprise Single Sign-On options in Group Policy let you configure when 802.1x authentication will occur in relation to user logon, as well as let you integrate user logon and 802.1x authentication credentials on the DC. You can choose between performing wireless authentication immediately before or after user logon, and you can specify the number of seconds of delay for connectivity before the process begins. You can also configure options to prompt the user to fill in additional fields if necessary, and you can specify whether your wireless networks will use a different Virtual LAN (VLAN) for computer and user authentication. To configure these options, open a new policy window, select the General tab, click Add, and select Infrastructure. In the new profile properties window that opens, select the Security tab and click Advanced.

If you’re using WPA2-Enterprise authentication, Group Policy offers a set of options for configuring the caching of 802.1x authentication results, as Figure 5 shows. In the Fast Roaming section, you can configure Pairwise Master Key (PMK) caching and preauthentication options. Wireless clients and wireless APs can both cache the results of 802.1x authentications. Caching those results makes subsequent access much faster when a wireless client roams back to a wireless AP to which the client already authenticated. You can configure a maximum time to keep an entry in the PMK cache and the maximum number of entries. With preauthentication, a wireless client can perform an 802.1x authentication with other wireless APs in its range while it’s still connected to its current wireless AP. You can also configure the maximum number of times to attempt preauthentication with a wireless AP.

Wireless Networks and NAP
Network Access Protection (NAP), which is Windows Server 2008’s and Vista’s new feature for controlling network access (from the client health aspect), can also be applied to wireless networks. Vista can declare its health state while trying to connect to 802.1x-enabled wireless networks. For NAP to work on a wireless network, the current domain environment must include Server 2008 Network Policy Server (NPS). On the client side, Vista must be configured with the proper enforcement agent for 802.1x (i.e., the EAP Quarantine Enforcement Client). To configure this enforcement agent, open the NAP Client Configuration console (napclcfg.msc) and go to the Enforcement Agents node. Start the Services applet from the Control Panel’s Administrative Tools, and configure the Network Access Protection service to start automatically.
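The two client-side prerequisites just described (the EAP Quarantine Enforcement Client enabled, and the Network Access Protection Agent service set to start automatically) can be audited from a script rather than checked by hand in napclcfg.msc and the Services applet. The following PowerShell is an added example, not code from the article; it assumes PowerShell 2.0 or later, that the NAP agent’s service name is napagent, and that `netsh nap client show configuration` lists each enforcement client as a block of `Id =`, `Name =` and `Admin =` lines.

```powershell
# Added example (not from the article). Audits the Vista NAP client prerequisites
# for 802.1x wireless enforcement: the EAP Quarantine Enforcement Client must be
# enabled and the NAP Agent service (assumed service name: napagent) must start
# automatically. The netsh line layout parsed below is an assumption.

function ConvertFrom-NapEnforcementConfig {
    # Turns the text of "netsh nap client show configuration" into one object
    # per enforcement client (Id, Name, Admin).
    param([string[]]$Lines)
    $clients = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Id\s*=\s*(\d+)') {
            if ($current) { $clients += $current }
            $current = New-Object PSObject -Property @{ Id = [int]$matches[1]; Name = ''; Admin = '' }
        }
        elseif ($current -and $line -match '^\s*Name\s*=\s*(.+?)\s*$')  { $current.Name  = $matches[1] }
        elseif ($current -and $line -match '^\s*Admin\s*=\s*(\S+)')     { $current.Admin = $matches[1] }
    }
    if ($current) { $clients += $current }
    return $clients
}

function Test-NapWirelessClientReady {
    $issues = @()

    # 1. Is the EAP enforcement client enabled? (Enable it in napclcfg.msc if not.)
    $config = ConvertFrom-NapEnforcementConfig -Lines (netsh nap client show configuration)
    $eapQec = $config | Where-Object { $_.Name -like 'EAP Quarantine Enforcement Client*' }
    if (-not $eapQec) {
        $issues += 'EAP Quarantine Enforcement Client not listed; NAP client components may be missing'
    } elseif ($eapQec.Admin -ne 'Enabled') {
        $issues += "EAP Quarantine Enforcement Client is $($eapQec.Admin); expected Enabled"
    }

    # 2. Does the NAP Agent service start automatically? WMI exposes StartMode
    #    (Auto/Manual/Disabled), which Get-Service does not on this PowerShell version.
    $svc = Get-WmiObject Win32_Service -Filter "Name='napagent'"
    if (-not $svc) {
        $issues += 'Network Access Protection Agent service (napagent) not found'
    } elseif ($svc.StartMode -ne 'Auto') {
        $issues += "napagent start mode is $($svc.StartMode); expected Auto"
    }

    New-Object PSObject -Property @{ Compliant = ($issues.Count -eq 0); Issues = $issues }
}

Test-NapWirelessClientReady | Format-List
```

Run it in an elevated PowerShell session on the Vista client; a non-empty Issues list shows which of the two prerequisites still needs the manual step the article describes.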

When a client that doesn’t comply with company security requirements (e.g., doesn’t have all updates installed) tries to connect to the corporate wireless network, NAP will deny access and will place the client in quarantine (on a separate VLAN). The client will be able to access only remediation servers (e.g., Windows Server Update Services—WSUS) that will provide the necessary updates to make the client compliant. For more information about NAP, including configuring NAP with 802.1x (which is beyond the scope of this article), go to technet.microsoft.com/en-us/network/bb545879.aspx.

Unplug Safely
Vista’s new wireless features can help enhance wireless security in both home and corporate environments. Implementing WPA2 in ad-hoc networks can improve home network security. For corporate implementations, Vista can work with the latest security technologies to boost wireless security.

Reader Comments
It would be useful if the mix-up between this article and "LDAP Authentication" were cleared up. The second page of this article is identical to the second page of "LDAP Authentication".

ts67, December 07, 2007


I think we've got this fixed now. Our apologies for the error.

Renee Munshi, Windows IT Pro senior editor

rmunshi, December 10, 2007


It's really useful information...
Thanks a lot

Kumar Abhimanyu, June 27, 2008

