Chapter 17: Securing Windows Vista on Wireless Networks


If ever there was a blessing bestowed upon home and small office users thinking about installing a network, it presented itself in the form of the wireless network. Gone are the days where running unsightly blue cables across floors, through walls, and into an overflowing closet was the only option for computer users with a penchant for sharing. Today, wireless networking makes it possible to share everything from printers to Internet access over nothing more than thin air.

Although there's no question that the latest and greatest wireless technologies make setting up a network easier than ever before, this is one path fraught with peril and security risks. Where wired network users seldom worried about anything more than having a good firewall in place to protect their Internet connection, wireless networks face threats from anyone within range of their signals. Compounding the issue is the fact that in their default configuration, wireless network devices offer no real security at all - any suitably equipped user within range can connect to the network and effectively do as they please.

With this in mind, taking the time to properly secure a wireless network and the Windows Vista systems connecting to it is absolutely critical. In this chapter you learn about wireless networking support in Windows Vista, along with the risks associated with leaving a wireless network unsecured. Most importantly, you learn about the specific methods and wireless networking features that you can use to secure wireless devices, up to and including using strong encryption to protect all wireless communications on your network.

Windows Vista and Wireless Networking

Windows XP was the first Microsoft operating system to include built-in support for wireless networking, and this native support is continued (and improved) in Windows Vista. When equipped with a wireless network adapter card, a Windows Vista system needs no additional client software installed to connect to wireless networks. As long as the wireless network cards support it, a Windows Vista feature known as Automatic wireless configuration handles all the details of discovering and connecting to available wireless networks within range.

The name associated with this feature is somewhat misleading. Windows Vista automatically detects and prompts you to connect to unsecured wireless networks within range, but in cases where advanced security features like encryption protect a wireless network, at least a small amount of configuration is always required.

Wireless A-B-G's

Wireless devices come in three main flavors - 802.11a, 802.11b, and 802.11g. Based on standards developed by the Institute of Electronics and Electrical Engineers (IEEE) and equipment manufactured by a variety of different companies, all wireless networking devices are not created equal. The letter that trails the 802.11 designation serves an important role in describing how a given wireless device communicates and interoperates with other wireless equipment:

  • 802.11a. These devices use the 5GHz frequency range to communicate at speeds up to 54Mbps, but cannot interoperate with 802.11b or 802.11g equipment.

  • 802.11b. The original wireless networking standard, these devices use the 2.4GHz frequency range to communicate at speeds up to 11Mbps, and can interoperate with newer 802.11g equipment.

  • 802.11g. These devices also use the 2.4GHz frequency range to communicate at speeds up to 54Mbps, and can interoperate with older 802.11b equipment.

802.11b and 802.11g wireless networking devices are much more popular than their 802.11a counterparts, and often considerably less expensive. However, these devices work in the same frequency range as a number of other wireless consumer electronics products (including cordless phones and speakers), making them more prone to interference issues.

Some manufacturers produce multimode wireless networking equipment that adheres to all three 802.11 wireless standards, a great option for users who move between different wireless networks frequently. For most home and small office users, however, choosing 802.11g devices represents the best long-term value in terms of speed, interoperability, and price.

Although Windows Vista makes it easy to detect and connect to wireless networks, this capability is almost equal parts friend and foe. If you're configuring your own wireless network, you'll be happy when Windows Vista automatically discovers it. However, you probably won't be quite as thrilled when your neighbor's computer detects your wireless access point, allowing him to connect to your network, root through your shared files, and "borrow" your high-speed Internet connection.

Although wireless networks implement little in the way of security or privacy features by default, all is not lost. You can fully secure a wireless network that includes Windows Vista systems to a level that rivals a traditional wired network. To properly secure a wireless network, however, you need to be familiar with the following:

  • How Windows Vista discovers and attempts to connect to wireless networks

  • Windows Vista wireless tools and configuration settings

  • The security risks associated with leaving wireless networks unsecured

  • How you configure security settings on wireless access points and Windows Vista wireless clients

The following sections outline Windows Vista's wireless networking processes and tools (as well as the security risks associated with unsecured wireless networks) in more detail. The techniques and steps necessary to secure wireless access points and their communications with Windows Vista systems are explored later in this chapter.

Windows Vista Wireless Settings

Windows Vista's wireless tools and configuration settings are effectively hidden from view until you install a wireless network adapter card in your computer. When your wireless network card is detected and installed, an icon for it is available through the Network Center tool in Control Panel and the Automatic wireless configuration service gets down to the business of scanning for wireless networks.

NOTIFICATIONS

Assuming that your wireless network card is installed correctly and that your wireless access point is powered on, Windows Vista almost instantly displays a notification message in your system tray stating that one or more wireless networks have been detected (see Figure 17-1).

Figure 17-1: Notification about detected wireless networks

When you click the network icon below this message, the Network Center window opens. In the Network Details section, click the Connect To link and available wireless networks within range are displayed. Depending on your proximity to other wireless networks, it is possible that more than one wireless network will appear in the window shown in Figure 17-2.

Figure 17-2: The Connect to a network window

To connect to your wireless network, select the appropriate network name from this screen, and then click Connect. When prompted with the message stating that this is an unsecured network, click Connect Anyway.

As part of the default connection process, Windows Vista acquires an IP address from your access point, and then displays the screen shown in Figure 17-3.

Figure 17-3: A connected wireless network

WIRELESS NETWORK CONNECTION PROPERTIES

The majority of the Windows Vista wireless network settings are configured using Network And Sharing Center in Control Panel. To view these settings, select Start > Network and click the Network And Sharing Center button. The Network And Sharing Center screen is shown in Figure 17-4.

Figure 17-4: The Control Panel Network and Sharing Center tool

Some key wireless-related areas that you should be familiar with in the Network and Sharing Center window include:

  • Connect to a network. As the name suggests, click this link to view (and connect to) available wireless networks within range.

  • Manage wireless networks. Click this link to manage the order in which Windows Vista will connect to available wireless networks, and change settings associated with different wireless networks manually.

  • Set up a connection or network. This link, in the left sidebar, creates different types of network connections manually. Examples include setting up ad-hoc wireless networks, normal wireless network connections, Internet connections, VPN connections, and more.

  • Manage network connections. Use this link to manage settings associated with both wired and wireless network adapter cards installed on your Windows Vista system.

  • Diagnose and repair. If you're having trouble getting a network connection to function correctly, click this link to have Windows Vista attempt to diagnose and correct the problem.

Note 

There are two main types of wireless networks that you need to be familiar with. A wireless network that does not include an access point is known as a computer-to-computer or ad-hoc network. Ad-hoc networks make wireless networking more flexible, in that they enable you to create a network between two or more computers without the need for an access point acting as an intermediary. Networks that include a wireless access point through which all wireless communications occur are known as infrastructure mode networks.

Configuration settings associated with specific wireless networks are explored later in this chapter.

Tip 

If your Windows Vista system has a wireless network card installed that you're not using, disable it as a security precaution. To do this, select Control Panel > Network And Sharing Center > Manage Network Connections, right-click your wireless network card, and select Disable.

Security Risks on Wireless Networks

In the same way that you should never leave any computer or network connected to the Internet without the protection of a firewall, you should never leave any wireless network improperly secured. Although there's no question that the Internet - and its millions of users who can potentially connect to any computer anywhere worldwide - presents a bigger security risk overall, it's equally important to think locally. When a wireless user within range connects to your unsecured network, the firewall protecting your network has no say in the matter; the front door may be locked, but the back door is wide open.

Of course, you won't have an entire Internet's worth of users within physical range of your wireless network. In fact, there may only be one or two other wireless users close enough to connect. However, the fact that these users can potentially gain access to your private network by doing nothing more than clicking a button marked Connect presents a very real risk.

Tip 

In reality, experienced users and hackers do not typically rely on the built-in wireless networking capabilities of Windows Vista to discover wireless networks within range. More commonly, they employ dedicated wireless network discovery tools that can track, map, and save details about networks as they're encountered. One great example of such a tool is Network Stumbler, available from http://www.netstumbler.com. In addition to being the network discovery tool of choice for those seeking out wireless networks, Network Stumbler is an excellent auditing tool that can help you determine what information your wireless network exposes under different security configurations.

Users within range who can connect to your unsecured wireless network can potentially:

  • Use or hijack your high-speed Internet connection

  • Gain access to your personal files and other resources on your private network

  • Make changes to the configuration of your wireless access point and its security settings

  • Capture all of your wireless network traffic, and track your communications

Not all users within range of your network are unscrupulous enough to connect to it without your permission, but temptation and curiosity get the best of many people. So, rather than gamble that others aren't using your wireless network, take the time to be sure they're not. After implementing the necessary security settings on your access point and wireless clients, other users within range should never be able to connect to your network.
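
One way to confirm that result from a client in range, as an added example that is not from the book: the Python sketch below parses text in the layout printed by the Windows Vista command netsh wlan show networks and labels each visible network by its advertised security. The sample output and SSIDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of `netsh wlan show networks` output
# (not captured from a real system; the SSIDs are made up).
SAMPLE = """\
Interface name : Wireless Network Connection

SSID 1 : HomeOffice
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 2 : OpenAP
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 3 : LaptopShare
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : WEP
"""

def parse_networks(text):
    """Return one dict per SSID block, keyed by the lowercased field names."""
    networks, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)
        if m:  # a new network block starts; BSSID lines do not match this
            current = {"ssid": m.group(1).strip()}
            networks.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return networks

def classify(net):
    """Label a parsed network: unsecured, weak (WEP), encrypted, or unknown."""
    auth = net.get("authentication", "").lower()
    enc = net.get("encryption", "").lower()
    if not auth or not enc:
        return "unknown"  # never report a network as protected on missing data
    if auth == "open" and enc == "none":
        return "unsecured"  # anyone in range can click Connect
    return "weak" if enc == "wep" else "encrypted"

def audit(text):
    return {n["ssid"]: classify(n) for n in parse_networks(text)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Your own network name should never come back as unsecured once the access point and clients are configured.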

War Driving

It may sound very spy-versus-spy, but in well-populated areas a pastime known as war driving has become popular among those with a passion for wireless networking. With a name derived from an old-school hacking technique known as war dialing - where hackers use software and modems to automatically dial phone numbers in the hope that a computer answers on the other end - war driving (or walking for that matter) is becoming more popular.

A war driver is a wireless user who roams around, looking for wireless networks to connect to. Some look for a high-speed Internet connection to temporarily borrow, while others have more malicious motives aimed at accessing files and information stored on the network's computers. It's been estimated that more than half of all wireless networks are improperly secured, so there's no shortage of networks for these users to stumble upon and through.

Unfortunately, the potential security issues associated with techniques like war driving don't end with the user who just happens upon your network. Quite to the contrary, many of the people engaged in this hobby are well equipped, using laptops, external antennas, and even portable GPS (Global Positioning System) devices to map the precise locations of unsecured wireless networks - information that often ends up being posted (complete with detailed maps) on the Internet.

This isn't to say that everyone engaged in war driving has bad intentions. However, leaving any wireless network improperly secured poses real risks, of which access by war drivers is just another to consider. For more information on the wacky world of war driving, check out http://www.wardriving.com.




PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
