Windows Vista’s Wireless Security

Almost every time I advise someoneto use a wireless rather thanwired networking solution fortheir small office/home office(SOHO) or their home, I get aquizzical look and the inevitablequestion “Is that secure?” Admittedly,security is a big concern on wireless networksbecause wireless networks are more open toanonymous access than physical networks are.However, my typical response is that althoughwireless can be nonsecure, it doesn’t have tobe—it all depends on how much you care aboutsecurity. The reality is that some people simplydon’t care about their computer security, perhapsbecause of lack of knowledge or becausethey think they have nothing to lose even ifsomeone does break into their network. But ifyou’re reading Windows IT Pro, you undoubtedly do care about security.

Windows Vista is a very wireless-friendly, as well as a very secure, OS. In this article, I explainhow to use Vista’s wireless networking features to enhance wireless security from the client side.These features let users configure more secure wireless networks and achieve better wirelessfunctionality than in previous OSs.

Wireless Administration
In previous versions of Windows, hardware vendors typically provided their own tools for managingwireless networks. This method was challenging for both users and support techniciansbecause users needed to learn how to use different vendor-specific wireless software dependingon the type of computer or network adapter they had, and support personnel had to manage thesevarious clients with different tools—mostly in a decentralized manner. Vista includes wirelessclient software by default. This software is hardware-vendor independent, and the interface foradministering wireless networks is the same for both users and administrators. This single point ofadministration offers a new level of consistency for wireless clients and makes managing wirelesssecurity easier than ever before.

For additional functionality, hardware vendors and developers can use Microsoft’s ExtensibleAuthentication Protocol (EAP) architecture, called EAPHost. EAPHost is basically a frameworkfor creating authentication mechanisms that Vista doesn’t support natively. Hardwarevendors or developers can use EAPHost to create a plug-in for an existing Vista wireless client, in order to provide additional authenticationor encryption functionality, insteadof writing a complete software package. Thisadditional authentication functionality is availableto users through the Vista wireless client(rather than in a separate application as withprevious versions of Windows).

Connecting to WirelessNetworks
One of Vista’s most significant improvementsto wireless security is that the wireless clientdiscloses much less information about configuredwireless networks. In previous versionsof Windows, such as Windows XP, the clientperiodically broadcasts the Service Set Identifier(SSID) names of all the configured wirelessnetworks. Malicious users can take advantageof this behavior by catching these broadcasts,then tricking a client into connecting to a falseAccess Point (AP), using an SSID name thatmatches the SSID name of a real wireless networkthat’s configured on the client, in order toobtain private informationsuch as a usernameand password for connectingto a real AP.

In Vista, a wireless clientdoesn’t broadcast allconfigured SSID names.Instead, the client broadcastsonly those SSIDsthat are explicitly configuredas hidden and preferrednetworks, and onlyif necessary (e.g., when auser initiates a connectionto configured wirelessnetworks). If a userdoesn’t have any hiddennetworks configured, nobroadcasts will occur fromthe client side, which greatlyenhances security. (Notethat using hidden SSIDnetworks isn’t a recommendedpractice becausedoing so provides only anillusion of security. Even ifyour AP doesn’t broadcastSSID names, your clientsdo. Because you have manymore clients than APs, andbecause clients are mobilewhereas APs are static, amalicious user will more likely discover a hiddenSSID name by sniffing client broadcast trafficrather than obtaining the name from an AP.)

Vista helps users connect to hidden networksby displaying “unnamed networks” inthe Connect to a network wizard, which Figure1 shows. To access this wizard, right-click thetaskbar’s network icon and select Connectto a network. If you select Wireless from thedrop-down list, you’ll see all the visible, hidden,and configured wireless networks on themachine. If a user attempts to connect to anunnamed (hidden) network, he or she will beprompted for an SSID name before authenticationproceeds. Having to manually enter theSSID name every time you want to connect toa hidden network prevents broadcasting SSIDsfrom the client side when you’re away fromthe network. You can automate this procedureby configuring Vista to connect automaticallyto hidden networks, although this approachrequires broadcasting SSIDs. A better alternativeit to use a semiautomatic approach:Configure the hidden network, deselect theoption for automatically connecting to thenetwork, but select the option to connect tothe network even if it doesn’t broadcast theSSID. To use this approach, select the ManageWireless Networks option from Vista’s ControlPanel Network and Sharing Center applet,then open the wireless network’s properties.This approach saves the network’s SSID andauthentication settings on the computer, butyou still have to connect manually.

If you’re wondering how Vista can discoverhidden networks, then you should know thatAP hardware actually hides SSIDs by sending aframe with the SSID set as NULL. Although XPand Windows Server 2003 can’t display thosenetworks to users, Vista can.

If a user tries to connect to an unsecurednetwork, Vista notifies the user. A networkis considered unsecured if it doesn’t use anauthentication and encryption protocol (or if ituses a weak protocol). A Vista client will neverautomatically connect to an unsecured network.You can use Group Policy to configureclients to prevent all unsecured connections.Automatic connections are possible only forsecured networks that are configured withnetwork profiles on the client side.

In Vista, creating and connecting to ad-hoc(without AP) networks is enhanced from botha security and a functionality standpoint. Amajor security feature for ad-hoc networks isimplementation of the Wi-Fi Protected Access2 (WPA2)–Personal security protocol. As Figure2 shows, this protocol is the default authenticationmethod in the wizard for creatingad-hoc networks. To access this wizard, startthe Network and Sharing Center applet andselect the Set up a connection or networkoption. Before Vista, Wi-Fi Protected Access(WPA) was available only on infrastructurewireless networks, and user-to-user networkswere left with weak security methods suchas static Wired Equivalent Privacy (WEP).

Another useful new feature for connectingVista to wireless networks is Group Policy’sEnterprise Single Sign-On service. This featurelets users authenticate to wireless networksand domain controllers (DCs) in a single logonprocedure. First, the user is authenticated byusing an 802.1x-enabled device (by using acertificate or a username and password). Ifthe logon is successful, the computer’s GroupPolicy is applied, and credentials are passed tothe domain logon procedure. Using the EnterpriseSingle Sign-On feature also lets you joina client to a domain by using only a wireless network, which isn’t possible in XP. In XP, youhave to connect the client to a physical networkfirst, and join the client to the domain—thenyou can start to work on the wireless network.

Available SecurityMethods
Vista supports many security methods forauthentication and encryption, as Figure 3 shows. WEP was the most commonly usedsecurity protocol for securing wireless networksin previous Windows versions. AlthoughWEP is simple to implement, it’s no longerconsidered a viable security method. WEP’smain weakness is that it’s based on a sharedkey for encryption of traffic (as well as for vectorinitialization). In addition, WEP uses aninferior encryption algorithm and has weakkey management. These weaknesses makeWEP an easily breakable solution that’s nolonger recommended.

The most commonly used security protocolin Vista is WPA. WPA has a better design, betterkey management, and a better encryptionalgorithm than WEP has. But WPA’s majoradvantage over WEP is the use of Temporal KeyIntegrity Protocol (TKIP), which dynamicallychanges encryption keys as traffic goes betweentwo hosts. Rather than WEP’s cyclical redundancycheck (CRC), WPA uses a better andmore secure method for maintaining messageintegrity, called Message Authentication Code.

Vista offers two WPA configuration options:personal and enterprise. WPA-Personal is easierto configure because it uses a shared passphrase.This passphrase, which must be known(and configured) to the client and AP, acts as abase for implementing encryption. AlthoughWPA-Personal is much more secure than WEP,sharing a passphrase can still pose a significant risk, so this implementation ofWPA is recommended for smalloffices or home (ad-hoc) networks.WPA-Enterprise is a much moresecure protocol, but it requires theimplementation of 802.1x devices,the Remote Authentication Dial-In User Service (RADIUS) protocol,and an authentication server.WPA-Enterprise is intended foruse in corporate environments.Both WPA-Personal and WPAEnterprisealso exist in version2 (i.e., WPA2). The most importantdifference in version 2 is theimplementation of the Advanced EncryptionStandard (AES)–based algorithm, rather thanWPA’s RC4. Although WPA2 is recommendedfor optimal security, you might experiencelimitations if your AP or client hardware doesn’tsupport it.

IEEE 802.1x authentication is designedfor medium and large wireless LANs withauthentication infrastructure consisting ofRADIUS servers and account databases suchas Active Directory (AD). This authenticationmethod prevents a wireless client from joininga wireless network until it has performeda successful authentication. For authenticationof clients, 802.1x uses EAP, with differentmethods such as those using username andpassword credentials (Protected ExtensibleAuthentication Protocol–Microsoft ChallengeHandshake Authentication Protocol version 2(PEAP-MSCHAPv2) or a digital certificate and/or a smart card (Extensible Authentication Protocol–Transport Layer Security—EAP-TLS).

Using Group Policyto Manage WirelessNetworks

Having a consistent policy for wireless connectivityin a corporate environment is importantfor maintaining a secure network. Using GroupPolicy is the easiest method for enforcing wirelessand other policies. You can use GroupPolicy to block access to nearby wireless networksmanaged by different organizations, todisable the built-in support for wireless autoconfiguration, and to configure wireless clientsto automatically connect to your organization’sprotected wireless networks.

In Windows 2003 and XP, you can use aGroup Policy Object (GPO) to configure wirelesssettings. However, Windows 2003’s GPO wireless options are limited to those availablein XP. Vista greatly extends those capabilities,so the GPO now covers all the new features ofwireless connections.

To use Group Policy for managing Vistawireless clients on a corporate level, you mustfirst extend Windows 2003’s AD schema withthe proper attributes. The Microsoft article“Active Directory Schema Extensions for WindowsVista Wireless and Wired Group PolicyEnhancements” (www.microsoft.com/technet/network/wifi/vista_ad_ext.mspx) includesdetailed instructions for this procedure, as wellas the required script. After you extend the ADschema, you can use Vista’s Group Policy ManagementConsole (GPMC—connected to thecorporate forest) to configure wireless policies.Create a new GPO, then navigate to ComputerConfiguration, Windows Settings, Security Settings,Wireless Network (IEEE 802.11) Policies.Because Vista has a new set of wireless options,you must create separate policies for XP andVista. Fortunately, you don’t have to create aseparate GPO for each OS and deal with WMI.You can simply right-click the GPO WirelessNetwork Policies item and create a new XP orVista policy. If both types of wireless policiesare configured, XP wireless clients will use onlytheir own policy settings, and Vista wirelessclients will use only their own policy settings.If no Vista policy settings exist, Vista wirelessclients will use the XP settings, becausethey’re a subset of the settings available forVista. Note that wireless policies intended forVista, created from Vista’s GPMC and linkedsomewhere in the domain, aren’t visible fromWindows 2003’s GPMC (unlike XP policies).However, this doesn’t mean that the policieswon’t be applied.

Wireless policies have many configurationoptions, such as preventing users fromconnecting to ad-hoc networks, preventingusers from creating new wireless profiles, andenforcing only preconfigured wireless profiles.By using these options in Group Policy,administrators can create wireless profilesfor some or all users that contain informationabout the SSID, authentication and encryptionmethods, and some advanced 802.1xoptions. For example, if you want to preconfigurea wireless network profile for a clientso that he doesn’t have to enter any settings,open a new policy window, select the Generaltab, click Add, and select the network type(infrastructure or ad-hoc). Then, enter all thedata for the desired wireless network in the new profile properties windowthat opens (which Figure4 shows an example of). Ifyou want to restrict users toconnect only to networks thatyou explicitly specify, selectthe Network Permissions tabrather than the General tab.

Using Group Policy is theonly method for configuringVista’s Enterprise SingleSign-On feature. EnterpriseSingle Sign-On options inGroup Policy let you configurewhen 802.1x authenticationwill occur in relation to userlogon, as well as let you integrateuser logon and 802.1xauthentication credentialson the DC. You can choosebetween performing wirelessauthentication immediatelybefore or after user logon, andyou can specify the numberof seconds of delay for connectivity before theprocess begins. You can also configure optionsto prompt the user to fill in additional fields ifnecessary, and you can specify whether yourwireless networks will use a different VirtualLAN (VLAN) for computer and user authentication.To configure these options, open anew policy window, select the General tab,click Add, and select Infrastructure. In the newprofile properties window that opens, selectthe Security tab and click Advanced.

If you’re using WPA2-Enterprise authentication,Group Policy offers a set of optionsfor configuring the caching of 802.1x authenticationresults, as Figure 5 shows. In the FastRoaming section, you can configure PairwiseMaster Key (PMK) caching and preauthenticationoptions. Wireless clients and wireless APscan both cache the results of 802.1x authentications.Caching those results makes subsequentaccess much faster when a wirelessclient roams back to a wireless AP to whichthe client already authenticated. You canconfigure a maximum time to keep an entryin the PMK cache and the maximum numberof entries. With preauthentication, a wirelessclient can perform an 802.1x authenticationwith other wireless APs in its range while it’sstill connected to its current wireless AP. Youcan also configure the maximum number oftimes to attempt preauthentication with awireless AP.

Wireless Networks andNAP

Network Access Protection (NAP), whichis Windows Server 2008’s and Vista’s newfeature for controlling network access (fromthe client health aspect), can also be applied to wireless networks. Vistacan declare its health statewhile trying to connect to802.1x-enabled wirelessnetworks. For NAP to workon a wireless network, thecurrent domain environmentmust include Server2008 Network Policy Server(NPS). On the client side,Vista must be configuredwith the proper enforcementagent for 802.1x(i.e., the EAP QuarantineEnforcement Client). Toconfigure this enforcementagent, open the NAPClient Configuration console(napclcfg.msc) and goto the Enforcement Agentsnode. Start the Servicesapplet from the ControlPanel’s AdministrativeTools, and configure theNetwork Access Protection service to startautomatically.

When a client that doesn’t comply withcompany security requirements (e.g., doesn’thave all updates installed) tries to connectto the corporate wireless network,NAP will deny access and will placethe client in quarantine (on a separateVLAN). The client will be ableto access only remediation servers(e.g., Windows Server Update Services—WSUS) that will provide thenecessary updates to make the clientcompliant. For more informationabout NAP, including configuringNAP with 802.1x (which is beyondthe scope of this article), go to technet.microsoft.com/en-us/network/bb545879.aspx.

Unplug Safely

Vista’s new wireless features can helpenhance wireless security in bothhome and corporate environments.Implementing WPA2 in ad-hoc networkscan improve home networksecurity. For corporate implementations,Vista can work with the latestsecurity technologies to boost wirelesssecurity.