Skip navigation

Security UPDATE--WPA2 and WSP IE for Windows XP SP2--May 11, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority

Integrated Help Desk Services Lead to Greater IT Productivity


1. In Focus: WPA2 and WSP IE for Windows XP SP2

2. Security News and Features

- Recent Security Vulnerabilities

- SANS Reports Most Dangerous Vulnerabilities for Q1 2005

- Sobering Worm Inundates Inboxes

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Server Monitoring Service


==== Sponsor: Akonix Systems ====

Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority

With instant messaging virtually in all corporate environments, and expected to be as prevalent as email in the near future, it has rapidly become an indispensable business communication tool. Yet, IM growth within the enterprise brings an associated increase in security risks to both public and enterprise IM networks. In this free white paper, learn how you can take control of IM use on your network to ensure security and compliance. You'll learn how to protect yourself from Virus & worms attacks, Identity theft, Leakage of confidential information and more. Download now!


==== 1. In Focus: WPA2 and WSP IE for Windows XP SP2 ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

If you use wireless networking in your environment, you'll be interested to learn that Microsoft has released an update to improve wireless network security for users of Windows XP with Service Pack 2 (SP2). The update enhances the XP wireless client software with support for Wi-Fi Protected Access 2 (WPA2), which according to the Wi-Fi Alliance "is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance."

WPA2 offers much stronger security than Wireless Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). WEP has long been known to be vulnerable. I've read at least one account in which a WEP connection was cracked in only a few minutes. The successor to WEP, WPA, isn't as easy to crack as WPA, and the new WPA2 standard offers even better security. The Wi-Fi Alliance said the primary difference between WPA and WPA2 is that WPA2 uses the Advanced Encryption Standard (AES) to encrypt network traffic and WPA uses the Rivest Cipher 4 (RC-4) algorithm.

WPA2 Personal supports preshared keys, and WPA2 Enterprise uses 802.1x authentication with the Extensible Authentication Protocol (EAP). Like WPA, WPA2 facilitates roaming access between wireless Access Points (APs). Several manufacturers already make WPA2-certified APs and wireless NICs, and many provide WPA2 hardware and drivers that work with several versions of Windows. For example, Broadcom, Cisco Systems, Devicescape Software (formerly Instant802 Networks), Intel, and Realtek Semiconductor all make WPA2-enabled products that can be used on almost any Windows platform. Other vendors make products based on Atheros Communications chipsets, which are also WPA2-certified.

Wireless Provisioning Services Information Element (WPS IE) is also included in the update. Some wireless ISPs are moving from unsecured to secured networks by implementing 802.1x. As the transitions take place, ISPs can configure their APs to broadcast one Service Set Identifier (SSID) for the unsecured network and another SSID for the secure network. The SSIDs for the secured networks aren't visible on systems that don't support WPS IE because of the way some APs broadcast Beacon and Probe Request frames. WPS IE helps computers recognize both types of wireless AP SSIDs.

You can learn more about the new update at the link above. You can also learn more about creating secure wireless hotspots in the MSDN Library article "Securing Public Wi-Fi Hotspots" at

Microsoft TechNet also has a new Cable Guy column, "Wi-Fi Protected Access 2 (WPA2) Overview." The column explains WPA2 in a fair amount of detail, including key caching, fast roaming, pre-authentication, and more.

In addition, Microsoft maintains links to numerous other wireless-related articles on its Windows Server 2003 Wi-Fi Web site.

A new white paper, "Deploying Wi-Fi Protected Access (WPA) and WPA2 in the Enterprise," is available in PDF format at The Wi-Fi Alliance's Web site (first URL below). A 60-minute presentation, "Wi-Fi Protected Access: Locking Down the Link," by Michael Disabato of the Burton Group, reviews WEP, WPA, WPA2, implementation, and more and is also available at the Wi-Fi Alliance Web site (second URL below).


In the Web chat "Reality Check: What to Expect with Windows Server 2003 Service Pack 1," Michael Otey will answer your questions about Windows Firewall, Data Execution Prevention (DEP), boot-time protection, the Security Configuration Wizard (SCW), and much more. Thursday, May 12, 12:00 noon Eastern (9:00 A.M. Pacific).;15179132;6134865;j?


==== Sponsor: HP ====

Integrated Help Desk Services Lead to Greater IT Productivity

As organizations focus on aligning IT infrastructures to support business needs, IT managers must have the processes and tools to ensure that the infrastructure keeps pace with business needs and provides guaranteed levels of service at predetermined costs. This free white paper explores how to meet IT infrastructure's needs and manage crucial support and service processes by implementing Help Desk, problem, change, configuration, and service-level agreement (SLA) management into a single workflow. Improve productivity and service delivery quality while reducing costs, resources, and downtime in your organization. Download now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

SANS Reports Most Dangerous Vulnerabilities for Q1 2005

SANS released a list of what it considers the most dangerous vulnerabilities discovered in first quarter 2005. Affected products include multiple Microsoft products; Computer Associates' License software; multiple Oracle servers; media players Nullsoft Winamp, Apple Computer's iTunes Music Store, and RealNetworks' RealPlayer (and Microsoft Windows Media Player); antivirus products from Symantec, Trend Micro, and McAfee; and DNS services in Symantec security products (and Windows OSs).

Sobering Worm Inundates Inboxes

The latest incarnation of the Sober worm is inundating inboxes in some countries with an enticement to win tickets to the World Cup soccer tournament in Germany. The email message that carries the worm (known as Sober.N, Sober.O, Sober.P, Sober.S, or Sober.V, depending on which antivirus vendor database you check) could also have a different message subject and content.


==== Resources and Events ====

Improve the Availability of Your Exchange Servers

Managing storage growth, providing application resiliency, and handling small errors and problems before they grow are all important aspects of boosting your Exchange uptime. In this free Web seminar, discover how storage and application management techniques for Exchange can be used to improve the resiliency and performance of your Exchange infrastructure. Register now!

Updating Software on Windows Desktops and Servers: WSUS and Beyond

In this free Web seminar, join industry expert Dan Holme as he explores options for implementing and managing WSUS and other automated solutions in your organization. You'll learn how WSUS makes it easy to keep Windows systems and Microsoft applications up-to-date with patches, security rollups, drivers, and updates. Plus, you'll discover alternatives to manage the deployment and patching of non-Microsoft software.

Establish a Manageable Desktop Software Configuration and Control IT Costs

Managing desktop software configurations is a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free Web seminar, find out how you can meet software-package-preparation requirements and increase your desktop reliability, user satisfaction, and IT cost effectiveness. You'll learn about the new application process, issue management during package preparation, historical recording and reporting, and more.

Take the Hack IIS 6.0 challenge now!

Follow along as industry guru Roger Grimes puts IIS 6.0 to the test. The first hacker to succeed will win an Xbox.

Get Ready for SQL Server 2005 Roadshow in a U.S. City Near You--and in Europe

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

For a U.S. city

For Europe


==== Featured White Paper ====

Phishing, Viruses, Bot-Nets and More: How to Prevent the "Perfect Storm" from Devastating Your Email System

Unfortunately, fragmented appliance-based and software-based antispam solutions operating inside the email gateway can't prevent a potentially devastating impact on your email system and users. In this free white paper, learn how you can protect your email boundary and stop attacks with a multilayered approach that effectively prevents the perfect storm from ever reaching your email gateway. Download your copy now!


==== Hot Release ====

Best Practices for Establishing and Enforcing a Security Policy in Your Business

With all the viruses, Trojans, spyware, malware, and malicious attacks out there, is your company as prepared as it can be to fend off these threats? This white paper will provide you with detailed information for establishing and enforcing a security policy so that you have a safety net to fall back on and can ensure that you're making the right decisions at a demanding time. Specifically, you'll go through the process of creating a security policy and creating an incident response plan to prepare your organization for the worst-case scenario. Download this free white paper now!


==== 3. Security Toolkit ====

Security Matters Blog: 20 Security Fixes for Mac OS X

by Mark Joseph Edwards,

Got Mac? If you do, check Apple Computing's download site to see if you need to install the latest security update. The company released Security Update 2005-005 for Mac OS X 10.3.9 (client and server editions), which contains 20 security fixes.


by John Savill,

Q: How can I create a Microsoft Office 2003 installation source that has an integrated service pack and hotfixes?

Find the answer at

Security Forum Featured Thread: Guest User Password Required

A forum participant writes that he has a Windows 2000-based mixed-mode domain. He wants to know if there's a way to use Group Policy to force a password to be required for the Guest user account at the domain level. If not, how can he set the local policies on each system without having to physically visit each computer? Join the discussion at


==== Announcements ====

(from Windows IT Pro and its partners)

SQL Server Magazine Gives DBAs and Developers What They Need

With SQL Server 2005 right around the corner, it's important to note that SQL Server Magazine is on target to deliver comprehensive coverage of all betas of the new product and the final release. If you aren't already a subscriber, now is the time to subscribe. Act now and save 47% off the cover price, plus get the new Reporting Services poster.

Nominate Yourself or a Friend for the MCP Hall of Fame

Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Server Monitoring Service

TAB Computer Systems today announced the availability of PatrolDog 2.0, a monitoring and support service for small businesses' file servers. PatrolDog monitors (over the Internet) critical server items such as Windows event logs, daily backups, disk space usage, power issues, hardware failures, and virus and security issues. TAB is currently offering a trial of PatrolDog, in which it will gather and analyze your server information and then email you a server status report. Pricing is per month: $60 for the first server, $40 for the second server, and $20 for each additional server. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Converting a Microsoft Access Application to Oracle HTML DB

Convert MS Access into a Web application for multiple users. Download now!;15956147;8214395;r?


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.