November 28, 2007 12:00 AM

Windows Vista’s Wireless Security

Let your users go wireless without worries
Windows IT Pro
InstantDoc ID #97336

Using Group Policy to Manage Wireless Networks
Having a consistent policy for wireless connectivity in a corporate environment is important for maintaining a secure network. Using Group Policy is the easiest method for enforcing wireless and other policies. You can use Group Policy to block access to nearby wireless networks managed by different organizations, to disable the built-in support for wireless auto configuration, and to configure wireless clients to automatically connect to your organization’s protected wireless networks.

In Windows 2003 and XP, you can use a Group Policy Object (GPO) to configure wireless settings. However, Windows 2003’s GPO wireless options are limited to those available in XP. Vista greatly extends those capabilities, so the GPO now covers all the new features of wireless connections.

To use Group Policy for managing Vista wireless clients on a corporate level, you must first extend Windows 2003’s AD schema with the proper attributes. The Microsoft article “Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements” (www.microsoft.com/technet/network/wifi/vista_ad_ext.mspx) includes detailed instructions for this procedure, as well as the required script. After you extend the AD schema, you can use Vista’s Group Policy Management Console (GPMC), connected to the corporate forest, to configure wireless policies. Create a new GPO, then navigate to Computer Configuration, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies. Because Vista has a new set of wireless options, you must create separate policies for XP and Vista. Fortunately, you don’t have to create a separate GPO for each OS and deal with WMI filters. You can simply right-click the GPO Wireless Network Policies item and create a new XP or Vista policy. If both types of wireless policies are configured, XP wireless clients will use only their own policy settings, and Vista wireless clients will use only their own policy settings. If no Vista policy settings exist, Vista wireless clients will use the XP settings, because they’re a subset of the settings available for Vista. Note that wireless policies intended for Vista, created from Vista’s GPMC and linked somewhere in the domain, aren’t visible from Windows 2003’s GPMC (unlike XP policies). However, this doesn’t mean that the policies won’t be applied.

Wireless policies have many configuration options, such as preventing users from connecting to ad-hoc networks, preventing users from creating new wireless profiles, and enforcing only preconfigured wireless profiles. By using these options in Group Policy, administrators can create wireless profiles for some or all users that contain information about the SSID, authentication and encryption methods, and some advanced 802.1x options. For example, if you want to preconfigure a wireless network profile for a client so that the user doesn’t have to enter any settings, open a new policy window, select the General tab, click Add, and select the network type (infrastructure or ad-hoc). Then, enter all the data for the desired wireless network in the new profile properties window that opens (Figure 4 shows an example). If you want to restrict users to connecting only to networks that you explicitly specify, select the Network Permissions tab rather than the General tab.

Using Group Policy is the only method for configuring Vista’s Enterprise Single Sign-On feature. Enterprise Single Sign-On options in Group Policy let you configure when 802.1x authentication will occur in relation to user logon, as well as let you integrate user logon and 802.1x authentication credentials on the DC. You can choose between performing wireless authentication immediately before or after user logon, and you can specify the number of seconds of delay for connectivity before the process begins. You can also configure options to prompt the user to fill in additional fields if necessary, and you can specify whether your wireless networks will use a different Virtual LAN (VLAN) for computer and user authentication. To configure these options, open a new policy window, select the General tab, click Add, and select Infrastructure. In the new profile properties window that opens, select the Security tab and click Advanced.

If you’re using WPA2-Enterprise authentication, Group Policy offers a set of options for configuring the caching of 802.1x authentication results, as Figure 5 shows. In the Fast Roaming section, you can configure Pairwise Master Key (PMK) caching and preauthentication options. Wireless clients and wireless APs can both cache the results of 802.1x authentications. Caching those results makes subsequent access much faster when a wireless client roams back to a wireless AP to which the client already authenticated. You can configure a maximum time to keep an entry in the PMK cache and the maximum number of entries. With preauthentication, a wireless client can perform an 802.1x authentication with other wireless APs in its range while it’s still connected to its current wireless AP. You can also configure the maximum number of times to attempt preauthentication with a wireless AP.
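Whether a client's wireless profile actually matches the policy described in the two sections above (infrastructure only, WPA2 with AES and 802.1x, and the PMK caching and preauthentication limits) can be checked from the profile XML that Vista stores per network. The following Python audit is an added example, not code from the article or from Microsoft; the sample profile is constructed and the Fast Roaming caps are assumed policy values.

```python
import xml.etree.ElementTree as ET

# Namespace of the per-network WLAN profile XML ("netsh wlan export profile" writes it).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# Fast Roaming caps for this example policy (assumed values, not from the article):
# PMK cache lifetime in minutes, PMK cache entries, preauthentication attempts.
CAPS = {"PMKCacheTTL": 720, "PMKCacheSize": 128, "preAuthThrottle": 3}
# Constructed sample: a compliant corporate WPA2-Enterprise profile.
CORP_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <PMKCacheTTL>720</PMKCacheTTL>
    <PMKCacheSize>128</PMKCacheSize>
    <preAuthThrottle>3</preAuthThrottle>
  </security></MSM>
</WLANProfile>"""


def _text(root, path, default=""):
    """Read one element's text under the profile namespace, or a default."""
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else default


def audit_profile(xml_text):
    """Return policy findings for one profile; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    name, findings = _text(root, "w:name"), []
    sec = "w:MSM/w:security/"
    # Infrastructure (ESS) only; IBSS marks an ad-hoc profile.
    if _text(root, "w:connectionType") != "ESS":
        findings.append(f"{name}: ad-hoc (IBSS) profile, infrastructure only")
    auth = _text(root, sec + "w:authEncryption/w:authentication")
    enc = _text(root, sec + "w:authEncryption/w:encryption")
    onex = _text(root, sec + "w:authEncryption/w:useOneX", "false")
    if auth != "WPA2" or onex != "true":
        findings.append(f"{name}: auth={auth or 'unset'} useOneX={onex}, WPA2-Enterprise required")
    if enc != "AES":
        findings.append(f"{name}: encryption={enc or 'unset'}, AES required")
    # Fast Roaming values above the caps; absent elements are not checked.
    for elem, cap in CAPS.items():
        value = int(_text(root, sec + "w:" + elem, "0"))
        if value > cap:
            findings.append(f"{name}: {elem}={value} exceeds policy cap {cap}")
    return findings
```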

Wireless Networks and NAP
Network Access Protection (NAP), which is Windows Server 2008’s and Vista’s new feature for controlling network access based on client health, can also be applied to wireless networks. Vista can declare its health state while trying to connect to 802.1x-enabled wireless networks. For NAP to work on a wireless network, the current domain environment must include Server 2008 Network Policy Server (NPS). On the client side, Vista must be configured with the proper enforcement agent for 802.1x (i.e., the EAP Quarantine Enforcement Client). To configure this enforcement agent, open the NAP Client Configuration console (napclcfg.msc) and go to the Enforcement Agents node. Then start the Services applet from the Control Panel’s Administrative Tools, and configure the Network Access Protection service to start automatically.

When a client that doesn’t comply with company security requirements (e.g., doesn’t have all updates installed) tries to connect to the corporate wireless network, NAP will deny access and will place the client in quarantine (on a separate VLAN). The client will be able to access only remediation servers (e.g., Windows Server Update Services, WSUS) that will provide the necessary updates to make the client compliant. For more information about NAP, including configuring NAP with 802.1x (which is beyond the scope of this article), go to technet.microsoft.com/en-us/network/bb545879.aspx.

Unplug Safely
Vista’s new wireless features can help enhance wireless security in both home and corporate environments. Implementing WPA2 in ad-hoc networks can improve home network security. For corporate implementations, Vista can work with the latest security technologies to boost wireless security.

Comments
  • kumar
    Jun 27, 2008

    It's really useful information...
    Thanks a lot

  • Renee
    Dec 10, 2007

    I think we've got this fixed now. Our apologies for the error.

    Renee Munshi, Windows IT Pro senior editor

  • Thomas
    Dec 07, 2007

    It is useful if the mixup between this article and "LDAP Authentication" clears up. The second page of this article is identical to the second page of "LDAP Authentication".
