Traditionally, one of the biggest problems with wireless network security is that it must be maintained individually for every client. New features in Windows Server 2003 allow you to control wireless security for Windows XP and Windows 2003 clients via group policy. Here's how it's done.
The Wireless Configuration Service
Windows Server 2003 is designed to interact with your wireless network. But in order to do so, it must have a functional Wi-Fi compatible NIC, and the Wireless Configuration Service must be started. The Wireless Configuration Service enables automatic configuration of Wi-FiNICs. By default, the Wireless Configuration Service is set to start manually.
To do so, click Start l Administrative Tools | Services. You'll then see the Services console appear. Scroll the right pane and double-click the Wireless Configuration Service to open the Wireless Configuration Properties sheet that's shown in Figure A.
|You must start the Wireless Configuration Service.|
Set the Startup type to Automatic and click the Start button to start the service. Click OK to close the properties sheet.
Wireless security and group policies
So far, I've explained that there is a Wireless Configuration Service that allows wireless connections to be automatically configured. What you might not know is that you can actually design a group policy that dictates wireless configuration. Aside from easing the administrative burden, you might want to also look at automatically configuring wireless connections for security reasons.
For example, suppose that your Finance department and your Sales department both had wireless networks. You would probably want to prevent anyone from Sales from using the access point in Finance, and vice versa. This could be easily implemented through group policies.
Remember that group policies can be applied at the local computer, site, domain, and organizational unit levels. Therefore, one way of achieving the desired results would be to create separate domains for Finance and Sales. You could then modify the Default Domain Security Policy for each domain to control the wireless configuration for the domain.
To modify the wireless network policies for a domain, go to a domain controller for the domain and select the Domain Security Policy command from the server's Administrative Tools menu. When you do, Windows will open the Default Domain Security Settings console. Navigate through the console tree to Security Settings | Wireless Network (IEEE 802.11) Policies. When you select this container, the pane on the right will display a New Wireless Network Policy. Double-click on this policy to open the New Wireless Network Policy Properties sheet, shown in Figure B.
|The New Wireless Network Policy Properties sheet allows you to configure the wireless networking portion of the domain level group policy.|
The first thing that I recommend doing is replacing the name New Wireless Network Policy with something more meaningful. For example, I'm creating a wireless network policy for a domain called test.com. Therefore, I'll use the name Wireless Network Policy For Test.Com. You can then enter a meaningful description of the policy's purpose if you want.
The next option on the Properties sheet's General tab is an option to check for policy changes at a predetermined frequency. By default, Windows checks for policy changes every three hours. There is really no reason to change this unless you expect to be making a lot of changes to the policy.
The appropriate setting for the next option, Network To Access, really depends on your environment. The available choices include Any Available Network (Access Point Preferred), Access Point (Infrastructure) Networks Only, and Computer-to-computer (Ad Hoc) Networks Only.
The default setting of Any Available Network will work in just about any situation. However, if security is what you're interested in, keep in mind that if no one in your office has a legitimate use for ad hoc networks, there's no reason to allow ad hoc connections. In such an environment your network would be more secure if you were to set the Network To Access option to Access Point (Infrastructure) Networks Only.
At the bottom of the General tab there are two check boxes that deserve some attention. The first of these check boxes is Use Windows To Configure Wireless Network Settings For Clients. This check box is selected by default and should remain selected unless you have a compelling reason to perform manual client configurations. Keep in mind, though, that only Windows XP and 2003 clients can be configured by Windows Server 2003.
The other check box is Automatically Connect To Non-preferred Networks. This check box is not selected by default. I recommend leaving this check box deselected because this is a very dangerous option. Normally, you would have some access points within your network that you have designated as preferred networks.
However, if someone installed a rogue access point on your network, or if a neighbor installed an access point on their network that was within range of your clients, the network would be recognized as a non-preferred network. If the Automatically Connect To Non-preferred Networks check box were selected, your clients could end up connecting to access points that don't even belong to your network.
The other tab on the New Wireless Network Policy Properties sheet is the Preferred Networks tab. As the name implies, this tab allows you to designate which access points represent your preferred networks. These will receive preferential treatment when clients are determining which access point to use for accessing a network.
To designate an access point, click the Add button and you'll see the New Preferred Settings Properties sheet. Begin filling in this properties sheet by entering the network name in the Network Name (SSID) field on the Network Properties tab. The network name is the SSID of the access point. Once you have entered the access point's SSID, enter a description in the space provided. Your might describe the physical location of the access point or note why the access point is being listed as a preferred network.
The next section of the Network Properties tab, shown in Figure C, contains three check boxes used to reflect the access point's WEP configuration. By default, the options Data Encryption (WEP Enabled) and This Key Is Provided Automatically are selected. Keep in mind, though, that these are not always the most appropriate choices. There are still a lot of wireless networks that use shared keys that are not automatically provided. In such a case, you would deselect the The Key Is Provided Automatically check box, and select the Network Authentication (Shared Mode) check box.
|The Network Properties tab allows you to designate the SSID and WEP settings for the preferred access point.|
The final element of the Network Properties tab is the This Is A Computer-to-computer (Ad Hoc) Network check box. Most of the time you would not select this check box. You'd only use this option if you were actually trying to configure an ad hoc network as a preferred network.
Once you have filled in the Network Properties tab, you need to fill in the IEEE 802.1X tab. This tab allows you to specify all of the parameters that are associated with 802.1X network access control.
The first element on the IEEE 802.1X tab is the Enable Network Access Control Using IEEE 802.1X. This check box is selected by default, as shown in Figure D. If you deselect this check box, all other options on the tab are disabled. Deselecting this check box tells Windows that rather than using 802.1X authentication, you'll use some other authentication method, such as smart cards, certificates, or passwords.
|The IEEE 802.1X tab allows you to configure 802.1X authentication.|
The next field that you must complete is the EAPOL-Start message. The options in the corresponding drop-down list allow you to control the EAPOL-Start message's transmission behavior. Your choices are Transmit, Do Not Transmit, and Transmit per 802.1X. The Transmit option is selected by default.
Next on the IEEE 802.1X tab is the Parameters (Seconds) section. This section allows you to configure the parameters that are used with the EAPOL start message (assuming that EAPOL start messages are being transmitted).
The first field in the Parameters section is the Max Start field. This field allows you to enter the maximum number of start messages that will be generated by a client. Normally, a client will transmit an EAPOL start message and will wait for a response. If no response is received, the client will transmit additional start messages. This parameter defines the maximum number of start messages that a client is allowed to transmit when attempting to connect to the designated network.
Next, you must fill in the Start Period, which is the number of minutes that a client will wait after transmitting a start message before transmitting another one. For example, if the maximum number of start messages is three and the start period is 60, then a client would transmit a start message and wait one minute for a response. If no response is received within a minute, then the client would transmit another message and wait another minute. The cycle would continue until either a response to the message is received or the maximum number of start messages have been used and the start period for the final transmission has expired.
Another value in the Parameters section is the Held Period. The Held Period is the amount of time that a client must wait after it has received an authentication failure error message from the authenticator. This prevents a malfunctioning client from flooding the network with authentication requests.
The final value that must be configured within the Parameters section is the Authentication Period. The Authentication Period works similarly to the Start period in that it tells the client how long to wait before taking additional action. The difference is that the Start period refers to a wait period while the client is initially trying to establish communications. The Authentication period is the amount of time that the client must wait before retransmitting any non-acknowledged 802.1X requests after the initial end-to-end authentication has been established.
The next thing that must be configured on the 802.1X tab is the EAP Type. The EAP refers to the Extensible Authentication Protocol. Your choices are Smart Card Or Other Certificate or Protected EAP (PEAP). Once you have made your selection, you must click the Settings button to specify the actual EAP configuration information.
For example, if you were to select Smart Card Or Other Certificate and click Settings, you would see the Smart Card Or Other Certificate Properties sheet, shown in Figure E. As you can see in the figure, the top portion of this properties sheet gives you a choice of using a smart card or using a certificate.
|You must choose between a smart card and a certificate.|
If you've chosen to use a certificate, you must select the Validate Server Certificate check box. You must then tell Windows which certificate authority it will use. If your company doesn't subscribe to a commercial certificate authority, then select Enterprise CA. This allows you to configure one of the servers on your network to act as a Certificate Authority.
Click OK to return to the IEEE 802.1X tab of the New Preferred Settings Properties sheet. You now have just a couple of check boxes that need to be configured. The first is the Authenticate As Guest When User Or Computer Information Is Unavailable. This option is disabled by default, and should remain disabled. Enabling this check box would allow unauthenticated computers or users to access your wireless network.
You also should take a look at the Authenticate As Computer When Computer Information Is Available check box. This check box is selected by default. It allows a computer to access the wireless network even if the user is not logged on. Doing so allows the computer to receive antivirus updates, operating system patches, and so forth.
The final option on the IEEE 802.1X tab is the Computer Authentication drop-down list. This list allows you to control how computer authentication works with user authentication. The default option is With User Re-authentication. This means that any time the user is not logged on, authentication is performed using the computer's credentials. However, when a user logs on, the user's credentials are used for authentication. When the user logs off, the system goes back to using computer credentials.
Another option is With User Authentication. When this option is used, computer credentials are used until a user logs on. The computer credentials stay in effect unless the user moves to a different access point. At that point the user credentials take over. The only other option is Computer Only. This option means that the user's credentials are never taken into account and the computer's credentials are used for authentication.
When you have finally finished filling in the New Preferred Settings Properties sheet, click OK. The network is now added to the Preferred Network tab found on the New Wireless Network Policy Properties sheet, as shown in Figure F. Click OK to create the new wireless policy.
|The preferred network is added to the list.|
The Wireless Monitor
Another handy new tool included in Windows Server 2003 is the Wireless Monitor. The Wireless Monitor allows you to keep tabs on all of the wireless network connections available near your server. In order to use the Wireless Monitor, your server must have a functional wireless NIC and also must be running the Wireless Configuration Service.
To access the Wireless Monitor, enter the MMC command at the Run prompt. When you do, Windows will open an empty Microsoft Management Console. When the console opens, select the Add/Remove Snap-in command from the console's File menu. When you do, you'll see the Add/Remove Snap-in properties sheet appear. Click the Add button found on the properties sheet's Standalone tab to see a list of all of the available snap-ins. Select Wireless Monitor from the list and click Add, Close, and OK. The Wireless Monitor is now loaded within the console.
Now that the console is loaded, navigate through the console tree to Console Root | Wireless Monitor | Your Server Name. When you expand the container with the same name as your server, there will be about a ten-second delay, and then two additional containers will appear: Access Point Information and Wireless Client Information.
If you select the Access Point Information container, you'll see information related to any wireless access points that the server can see. For example, if you look at Figure G, you can see that there is one access point in the area, named Posey.
|The Access Point Information container gives you information about any access points that the server can see.|
The console displays information related to the network type (which should always be Access Point), the MAC address of the access point, signal strength, data rate, and GUID. You can also look at this screen to see if privacy is enabled. Privacy refers to WEP or WAP encryption. You might notice that Windows provides a column for Radio Channel, as well. In the figure, the channel is blank because my access point is configured to use channel hopping.
The Wireless Client Information container contains information about wireless clients connected directly to the server through an ad hoc connection. You can view information about wireless clients such as the connection type, connection duration, local MAC address, remote MAC address, network name, and even a description of the client.
As you can see, the Wireless Monitor isn't really a security tool. However, it is a good place to get detailed information about all of the server's wireless connections.