Planning Wireless LAN (WLAN) Security


NOTE

Where do Windows Server 2003 WLAN Policies fit in? Although the Wireless LAN (WLAN) security functionality provided in Windows Server 2003 is in no way intended to replace a dedicated solution available from a company that specializes in WLAN technologies, it is a good start for smaller organizations and a useful addition to existing security measures in larger organizations.


Plan security for wireless networks.

It's an inescapable fact of today's computing environment that users want to be connected while on the move. For users, this means the freedom to move about an office or even an entire building without being wired to the wall. For administrators, this usually means headaches, heartaches, and visions of hackers silently sifting through the network. Fortunately, the latter doesn't have to be the case.

In Windows Server 2003, administrators can use Group Policy to design and implement security policies that secure 802.11 Wireless LANs. Both Wired Equivalent Privacy (WEP) and 802.1x authentication are supported. Group Policy options that are configured in a GPO and applied to a computer take precedence over any user-configured settings, thus ensuring that your configuration is applied. You can create policies for three types of Wireless LANs:

  • Access Point (infrastructure): The most common type of Wireless LAN, the infrastructure mode WLAN, consists of wireless clients communicating directly with wireless Access Points (APs). No direct client-to-client communications exist. This is considered to be the most secure type of WLAN.

  • Computer-to-computer (ad hoc): Ad hoc WLANs consist of wireless clients communicating directly with each other without the use of an AP in the middle. This type of communication does not provide a direct path to the wired network.

  • Any available network, Access Point preferred: This option configures the policy to attempt a connection to an Access Point first if one is available. If an AP is not available, the client attempts to create an ad hoc connection if possible. This method is least preferred and usually most problematic over time.

You can locate the Wireless LAN Group Policy options, shown in Figure 7.13, in the Computer Configuration, Windows Settings, Security Settings node. By default, no policies are defined, meaning that you must create and configure them as your network requires. We examine this process later in this section.

Figure 7.13. You can now configure Wireless LAN policies for your Windows Server 2003 and Windows XP Professional computers.

Before creating a policy, you should spend some time planning for it first. Wireless LANs are great when implemented and secured properly. Fail to plan properly for the security of your WLAN, and you might as well plan to fail. When you are preparing to implement WLAN security policies, consider the following key points regarding authentication:

  • Your Access Points must support the authentication method that you intend to use, such as 802.1x.

  • Your clients and RADIUS servers must all support the same authentication method, such as EAP-TLS or PEAP over 802.1x.

  • Computers should always be authenticated. This setting, by default, is enabled.

  • If using EAP-TLS (recommended), you should consider allowing the autoenrollment of certificates for users and computers. Autoenrollment makes the process much simpler.

When configuring and implementing WLAN security policies via Group Policy, you need to keep the following points in mind about how they behave:

  • Configurations made in Group Policy Objects take precedence over user-configured settings, with the exception of the preferred networks list. The preferred networks lists are merged together from the GPO settings and the user-configured settings to form a composite list. When the network list is merged, infrastructure networks always have higher precedence than ad hoc networks. Also, the user can change the configured Wired Equivalent Privacy (WEP) key that is assigned per Group Policy.

  • As with all GPOs, non-administrators cannot remove or disable the policy so that it does not apply to them. This also holds true for administrators.

  • When GPO-configured WLAN settings are changed, the client connection is momentarily broken (the client is disassociated) if the new policy takes precedence over the old policy.

  • When GPO-configured WLAN settings are removed (when the GPO is deleted or the link is removed), the client is disassociated while the Wireless Configuration service performs a soft reset and clears its cache. When the service restarts, the client reverts to any existing client-configured settings in place.

  • When a client is subject to multiple GPOs at various levels that assign WLAN settings, the normal Group Policy processing order applies. The GPO that is closest to the computer object takes precedence and overrides the settings that are assigned to a higher-level Active Directory container.
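The precedence and merge rules just listed, modelled in Python as an added example (this is not code from the book, nor Windows code): the GPO names, SSIDs, keys and data structures are constructed for illustration and are not Microsoft APIs. The model applies the GPO closest to the computer object, lets GPO options override user options except for the WEP key, builds the composite preferred-network list with infrastructure networks ahead of ad hoc networks, and reverts to the client's own settings when no GPO applies. Placing GPO entries ahead of user entries within each class is an assumption of this model, not something the text states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INFRASTRUCTURE = "infrastructure"
AD_HOC = "ad hoc"

# Group Policy processing order: the GPO closest to the computer object
# is processed last and takes precedence over higher-level containers.
PROCESSING_ORDER = ("local", "site", "domain", "ou", "child ou")


@dataclass(frozen=True)
class PreferredNetwork:
    ssid: str
    mode: str                      # INFRASTRUCTURE or AD_HOC
    wep_key: Optional[str] = None  # static WEP key, if one is assigned


@dataclass
class WlanSettings:
    preferred: List[PreferredNetwork] = field(default_factory=list)
    options: Dict[str, str] = field(default_factory=dict)  # other General tab options


@dataclass
class Gpo:
    name: str
    scope: str                     # one of PROCESSING_ORDER
    wlan: Optional[WlanSettings]   # None when the GPO defines no wireless policy


def winning_gpo(gpos: List[Gpo]) -> Optional[Gpo]:
    """The GPO whose wireless policy applies: the one closest to the
    computer object among those that define such a policy."""
    candidates = [g for g in gpos if g.wlan is not None]
    if not candidates:
        return None
    return max(candidates, key=lambda g: PROCESSING_ORDER.index(g.scope))


def composite_preferred(gpo_list, user_list):
    """Merge the GPO and user preferred-network lists into one composite list.
    A duplicate SSID keeps the GPO entry (GPO entries are placed first, a
    model assumption); infrastructure networks always rank above ad hoc."""
    merged, seen = [], set()
    for net in list(gpo_list) + list(user_list):
        if net.ssid not in seen:
            seen.add(net.ssid)
            merged.append(net)
    merged.sort(key=lambda n: 0 if n.mode == INFRASTRUCTURE else 1)  # stable
    return merged


def effective_settings(gpos, user, user_wep_overrides=None):
    """What the client actually uses: GPO options override user options,
    except that the user may replace a GPO-assigned WEP key. With no
    applicable GPO the client reverts to its own settings."""
    gpo = winning_gpo(gpos)
    if gpo is None:
        return user
    overrides = user_wep_overrides or {}
    gpo_nets = [PreferredNetwork(n.ssid, n.mode, overrides.get(n.ssid, n.wep_key))
                for n in gpo.wlan.preferred]
    return WlanSettings(preferred=composite_preferred(gpo_nets, user.preferred),
                        options={**user.options, **gpo.wlan.options})


def sample_scenario():
    """Constructed scenario: a site-level GPO, a closer OU-level GPO and the
    user's own list, then the same client after the GPO link is removed."""
    site = Gpo("Site-WLAN", "site", WlanSettings(
        [PreferredNetwork("CORP-LEGACY", INFRASTRUCTURE, "site-key")],
        {"network_to_access": "any available network"}))
    ou = Gpo("Laptops-WLAN", "ou", WlanSettings(
        [PreferredNetwork("CORP", INFRASTRUCTURE, "gpo-key")],
        {"network_to_access": "access point (infrastructure) networks only"}))
    user = WlanSettings(
        [PreferredNetwork("HOME-ADHOC", AD_HOC),
         PreferredNetwork("CAFE", INFRASTRUCTURE),
         PreferredNetwork("CORP", INFRASTRUCTURE, "stale-key")],
        {"network_to_access": "computer-to-computer (ad hoc) networks only",
         "auto_connect_nonpreferred": "yes"})
    with_gpo = effective_settings([site, ou], user, {"CORP": "rotated-key"})
    without_gpo = effective_settings([], user)
    return with_gpo, without_gpo


if __name__ == "__main__":
    applied, reverted = sample_scenario()
    print("with GPO:", [(n.ssid, n.mode, n.wep_key) for n in applied.preferred], applied.options)
    print("GPO removed:", [n.ssid for n in reverted.preferred], reverted.options)
```

Running the scenario shows the OU-level GPO winning over the site-level one, CORP listed first with the user's rotated key, CAFE next, and the user's ad hoc network last; once the GPO is gone, the client's own ad hoc-first list and options return.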

EXAM TIP

Authentication methods You should be aware of the various authentication methods afforded you in Windows Server 2003, both for wireless and wired networks. This topic was discussed in more detail in Chapter 4, "Planning, Implementing, and Maintaining Routing and Remote Access."


With your initial planning out of the way, you can begin the process of creating WLAN security policies using Group Policy as outlined in Step by Step 7.3.

STEP BY STEP

7.3 Configuring a Wireless Network Policy

  1. Using either the Group Policy Management Console (GPMC) or Group Policy Editor (GPE), locate the GPO in which you want to create the WLAN security policy.

  2. Expand the Computer Configuration, Windows Settings, Security Settings nodes in the GPO to locate the Wireless Network (IEEE 802.11) Policies node. Right-click it and select Create Wireless Network Policy from the context menu to start the Wireless Network Policy Wizard.

  3. Click Next to dismiss the opening page of the wizard.

  4. Enter a name and description for the new policy on the Wireless Network Policy Name dialog box. Click Next to continue.

  5. The Completing the Wireless Network Policy Wizard dialog box appears. Ensure that the Edit Properties option is selected and click Finish to exit the wizard and start configuring the policy's properties.

  6. The policy Properties dialog box opens with the options available as discussed in Table 7.1. Configure your selections as you like per the information in Table 7.1 and switch to the Preferred Networks tab.

  7. Click the Add button to open the New Preferred Setting Properties dialog box.

  8. On the Network Properties tab, shown in Figure 7.14, configure the selections as necessary per the information in Table 7.2. When you are done, switch to the IEEE 802.1x tab.

    Figure 7.14. Creating a new preferred network starts with entering basic configuration items.

  9. On the IEEE 802.1x tab, shown in Figure 7.15, configure the selections as necessary per the information in Table 7.3. When you are done, click OK to commit the preferred network to the policy.

    Figure 7.15. When using 802.1x authentication, you have several configuration options available to you.

  10. Back at the Preferred Networks tab of the policy Properties dialog box, you can add another preferred network if you want. You can also remove or edit existing preferred network entries and change their relative order by using the Move Up and Move Down buttons.

  11. Click OK to close the WLAN policy Properties dialog box.

  12. If you want to force Active Directory replication to occur, thus implementing your new WLAN policies, enter the gpupdate /target:computer command.


Table 7.1 outlines the configuration options that are available on the General tab of the Wireless LAN Properties dialog box, as discussed in step 6 of the Wireless Network Policy creation process.

Table 7.1. Options Available on the General Tab of the WLAN Properties Dialog Box

  Name
    Allows you to specify a descriptive name for the policy.

  Description
    Allows you to enter a longer description of the policy.

  Check for policy changes every
    Configures how often Active Directory should be polled to check for changes to this security policy. The default value is 180 minutes and is acceptable in most instances.

  Network to access
    Specifies the types of Wireless LANs that you want to allow clients to connect to. You have the following available options:
      • Any available network (access point preferred)
      • Access point (infrastructure) networks only
      • Computer-to-computer (ad hoc) networks only

  Use Windows to configure wireless network settings for clients
    Configures whether the Wireless Configuration service automatically configures client settings for 802.11 WLAN connections.

  Automatically connect to non-preferred networks
    Configures whether clients can connect to other 802.11 WLANs that are in range.

Table 7.2 outlines the configuration options that are available on the Network Properties tab of the New Preferred Setting Properties dialog box, as discussed in step 8 of the Wireless Network Policy creation process.

Table 7.2. Options Available on the Network Properties Tab of the New Preferred Setting Properties Dialog Box

  Network name (SSID)
    Specifies the Service Set Identifier (SSID) of the Wireless LAN. This value must exactly match the SSID value being used by your Access Points and wireless clients.

  Description
    Allows you to enter a longer description of the WLAN.

  Wireless network key (WEP)
    Specifies that a WEP key is required. The available options are:
      • Data Encryption (WEP enabled): Specifies that a WEP key is used to encrypt data sent over the WLAN.
      • Network authentication (Shared mode): Specifies that a WEP key is used to perform authentication to the WLAN.
      • The key is provided automatically: Specifies that the WEP key is provided automatically to wireless clients by a key server of some sort, typically a RADIUS server.

  This is a computer-to-computer (ad hoc) network; wireless access points are not used
    When selected, configures this network as an ad hoc network. If not selected, configures this network as an infrastructure network.

Table 7.3 outlines the configuration options that are available on the IEEE 802.1x tab of the New Preferred Setting Properties dialog box, as discussed in step 9 of the Wireless Network Policy creation process.

Table 7.3. Options Available on the IEEE 802.1x Tab of the New Preferred Setting Properties Dialog Box

  Enable network access control using IEEE 802.1X
    Specifies that 802.1x authentication is to be used when connecting to the WLAN.

  EAPOL-Start message
    Specifies how Extensible Authentication Protocol over LAN (EAPOL) start messages are to be transmitted. Options include:
      • Do not transmit
      • Transmit (default)
      • Transmit per IEEE 802.1X

  Max start
    Default Max start value is 3 seconds.

  Held period
    Default Held period is 60 seconds.

  Start period
    Default Start period is 60 seconds.

  Authentication period
    Default Authentication period is 30 seconds.

  EAP type
    Specifies which EAP type is to be used, from the following options: Smart card or other certificate, and Protected Extensible Authentication Protocol (PEAP). Clicking the Settings button allows you to configure additional options, including the following:
      • Using a smart card or certificate on the computer
      • Validating server certificates
      • Specifying which servers to connect to
      • Specifying Trusted Root Certification Authorities
      • Viewing certificates
      • Selecting and configuring an authentication method

  Authenticate as guest when user or computer information is unavailable
    Specifies that wireless clients are to attempt to authenticate to the WLAN as a guest when user or computer information is not available.

  Authenticate as computer when computer information is available
    Specifies that wireless clients must attempt to authenticate to the WLAN even if a user is not logged on.

  Computer authentication
    Specifies how the computer is to authenticate to the WLAN. The following options are available:
      • With user authentication
      • With user re-authentication (default)
      • Computer only
    The recommended setting is With user re-authentication. This setting forces the computer to authenticate before a user is logged on and then performs authentication using the user's credentials when the user logs on. When the user logs off, authentication is performed again using the computer's credentials.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
