Lesson 2:Configuring Wireless Security

Although almost anyone can set up a wireless network in a few minutes, configuring a wireless network with security features is significantly more complex. Fortunately, Windows Server 2003 provides all of the software you need to deploy a wireless infrastructure with authentication, encryption, message integrity, and dynamically changing WEP shared secrets. At a high level, you will follow these steps to configure a wireless network infrastructure:

1. Plan wireless access policies.

2. Create a structure for authorizing users and computers to access the wireless network.

3. Plan the certificate infrastructure, and optionally deploy a PKI.

4. Configure IAS servers, including assigning a certificate and creating remote access policies (RAPs).

5. Update and configure wireless clients with the SSID and security settings.

6. Configure WAPs with security settings and the IP addresses of the IAS servers.

After this lesson, you will be able to

• Design an authorization strategy to assign wireless network privileges to users and computers.

• Configure a certificate infrastructure to authenticate wireless clients.

• Configure IAS to authenticate wireless users.

• Configure wireless clients manually and by using GPOs.

• Identify the information required to configure a WAP.

Estimated lesson time: 45 minutes

Planning Wireless Access Policies

There are several aspects to planning wireless access policies. First, it is important to plan wireless access policies to help prevent WAPs from being installed in your organization with insufficient security. You should draft a policy that, at a minimum, defines the following requirements for new WAPs:

• Authentication requirements.Generally, you should require that all wireless users are authenticated and specify whether PEAP or EAP-TLS will be used. If you plan to allow guests to access your wireless network, you should make provisions for creating WAPs providing limited access to your internal network that will be used only by guests.

  Security Alert

  If you allow wireless access to guests and do not force guests to use a different IP subnet, add a policy stating that no application shall rely on the IP source address for authorization.

• Encryption.Some level of encryption should always be required. Unless you have wireless devices that do not support it, your policy should mandate the highest level of encryption available.

• Physical security.Just like any other piece of network equipment, WAPs should be protected by lock and key to prevent attackers from tampering with the hardware.

• SSID broadcast and naming conventions.Your policy should specify whether WAPs are configured to broadcast the SSID, and it should detail naming conventions for SSIDs.

• Actively maintained list of WAPs.You must maintain a list of all WAPs on your network that at a minimum includes the SSID, the security settings, the administrator’s name, and patching requirements.

• Auditing requirements.You should specify how usage information is gathered and how logs are archived.

Besides documenting requirements for the configuration of new WAPs, you should define how users can and cannot use wireless access. Consider restricting the times of day when wireless access is available and physically shutting down WAPs after business hours. To reduce the likelihood of wireless-capable computers being attacked while connected to untrusted wireless networks, consider forbidding users to connect to wireless networks other than your own or restricting access to a list of approved networks.

Another way to use policy to control the risks associated with wireless networks is to specifically state that WAPs managed by end users are not allowed in your organization’s computer usage policy. Existing employees should be notified that the computer usage agreement has been updated and that they are not allowed to connect a WAP to your organization’s network. If you decide not to use wireless networks in your organization, you need to pursue this strategy in an active rather than a passive way. You should back up this decision with a clear, published policy and ensure that all employees are aware of it and of the consequences of violating it. Consider using scanning equipment and network packet monitors to detect the use of unauthorized wireless equipment on your network.

Designing the Authorization Strategy

Although many organizations choose to allow all computers and users in the organization to access the wireless network, other organizations choose to restrict access. On Windows networks, you will restrict access to wireless networks by using domain security groups. Although it is possible to use the dial-in properties of domain user objects to allow and deny access to individuals, this is tedious to administer for more than a few users.

One method for implementing this is to create a three-tiered structure for assigning permissions. At the top level, create a universal group, and grant this universal group access by using a remote access policy in IAS. At the second level, create domain global groups for users and computers that will be granted wireless access. Add to these security groups users and groups that should be granted wireless access. An example of such a hierarchy is shown in Figure 10.2.

Figure 10.2: Sample user and group hierarchy for controlling wireless network authorization

You should strive to have all wireless computers joined to the same domain as your IAS computers. You can have wireless clients that are not members of a domain, but you will have to configure the wireless network client settings manually because GPOs are not applicable. If the user does not log on to the domain, user authentication to the wireless network will require a separate user name and password prompt.

Configuring the Certificate Infrastructure

Regardless of which authentication method you choose, you will need at least one computer certificate to use 802.1X authentication. This certificate must be installed on the IAS servers that will perform RADIUS services. For computer authentication with EAP-TLS, you must also install a computer certificate on the wireless client computers. A computer certificate installed on a wireless client computer is used to authenticate the wireless client computer so that the computer can obtain network connectivity to the enterprise intranet and download computer Group Policy settings prior to user logon. For user authentication with EAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer.

Table 10.1 summarizes the certificates that need to be installed or enrolled for the two types of supported wireless authentication.

If the certificate of the root CA that issued the IAS servers’ certificates is already installed as a root CA certificate on your wireless clients, no other configuration is necessary. If your issuing CA is a Windows 2000 Server or Windows Server 2003 online root enterprise CA, the root CA certificate is automatically installed on each domain member through computer configuration GPO settings. If it is not, you must install the root CA certificates of the issuers of the computer certificates of the IAS servers on each wireless client.

Generally, you should configure Windows Server 2003 Certificate Services to issue the IAS server certificate—even if the only reason you create the CA is to issue a single certificate for the IAS server. Alternatively, you can purchase a certificate from a public CA. Regardless of whether you deploy your own PKI or buy a certificate, the root CA certificate of the CA that issued the IAS server certificate must be installed on each wireless client.

Windows XP includes the root CA certificates of many public CAs. If you purchase your IAS server certificates from a public CA that corresponds to an included root CA certificate, no additional wireless client configuration is required. If you purchase your IAS server certificates from a public CA for which Windows XP does not include a corresponding root CA certificate, you must install the root CA certificate on each wireless client.

If you are using a Windows Server 2003 or Windows 2000 Certificate Services enterprise CA as an issuing CA, you can install a computer certificate on the IAS server by configuring a GPO for the autoenrollment of computer certificates. If you plan to use the EAP-TLS authentication method, you should also configure autoenrollment for computer and user certificates for computers and users that will be accessing the wireless network. User certificate autoenrollment is supported only by Windows XP and Windows Server 2003 wireless clients.

A client computer configured to use EAP-TLS authentication can obtain certificates for the authentication of wireless connections in three ways: autoenrollment, Web enrollment, and importing a certificate file. If you choose to import the certificates, you can either create and distribute certificates individually for each user or distribute a single certificate file to all users. A single certificate used for a group of users is known as a group certificate, which is the least secure certificate deployment, because anyone who obtains the certificate file could use it to successfully authenticate a wireless connection.

Configuring IAS

IAS is a component of Windows Server 2003 that provides RADIUS services capable of authenticating users based on information contained within Active Directory. When configuring the security of a wireless network, you must configure the IAS server to use specific authentication methods and to grant access to authorized users. This configuration is done by using two types of policies: Remote Access Policies (RAP) and Connection Request Policy (CRP).

The RAP controls how or whether a connection is authorized to the network. A RAP contains a set of policy conditions that determine whether that policy applies to a given connection request. When configuring a RAP for wireless network access, you can create policy conditions that specify the Active Directory security group that a client must be a member of, the time of day, or the connection type of the requesting client, as shown in Figure 10.3. A RAP is also configured to allow or deny the connection request. If there are multiple RAPs on an IAS server, each connection request is evaluated against them according to the priority until a matching RAP either allows or denies the request.

Figure 10.3: Configuring policy conditions to apply the policy to wireless connections

A RAP also contains a profile that applies to new connections. When creating a RAP for wireless access, the most important profile settings are the authentication methods and the session timeout. Clicking the Authentication tab on the Edit Dial-In Profile dialog box, as shown in Figure 10.4, allows you to configure the authentication method. Click the EAP Methods button to specify the EAP types that will be available: Protected EAP or Smart Card Or Other Certificate.

Figure 10.4: Configuring authentication methods for a RAP

Regardless of the EAP type you choose, you can select a computer certificate that the IAS server will present to the wireless client. If the IAS server has only one computer certificate, this certificate will automatically be selected. If you choose the PEAP authentication method, you also have the option to enable fast reconnects. Generally, you should select the Enable Fast Reconnect check box on the Protected EAP Properties dialog box to improve performance when wireless clients switch from one WAP to another.

Click the Dial-In Constraints tab to specify the session timeout, which is necessary to enable dynamic WEP. The Minutes Client Can Be Connected (Session-Timeout) value controls the frequency with which WEP encryption keys are regenerated. You should specify a value of 10 minutes for WEP, as shown in Figure 10.5. For WPA, specify a value of 8 hours (480 minutes). Exercise 2 of this lesson guides you step by step through the process of configuring a RAP.

Figure 10.5: Configuring session timeout for WEP

RAPs are not used exclusively for controlling wireless access. As a result, there are several configuration options that you can safely ignore. Specifically, the multilink settings are not useful for wireless connections, and they should always be disabled. Additionally, specifying the Called-Station-ID value is only useful when you are creating a RAP for dial-up users.

Successful and rejected authentication events generated from wireless network devices and users will be recorded in the System event log of the IAS server if you select Rejected Authentication Requests and Successful Authentication Requests in the Internet Authentication Service Properties dialog box, as shown in Figure 10.6. Authentication information is most useful for troubleshooting authentication issues, although this information might also be used for security auditing and alerting purposes.

Figure 10.6: Enabling IAS authentication auditing

Initially, you should keep event logging enabled so that you can verify that authentication is working properly. Unless your organization’s security policy requires you to maintain auditing information, you should disable auditing of successful authentication requests after the system has stabilized. IAS events have IAS as the source and an Event ID of 2. In the text of the event message, look for the remote access policy name next to the Policy-Name box.

Configuring Wireless Clients

The first step to configure a wireless client is to ensure that the computer has the software required to authenticate and connect to your wireless network. Computers running Windows 2000 require the Microsoft 802.1X Authentication Client, available from http://support.microsoft.com/?kbid=313664. Additionally, you must start the Wireless Zero Configuration service and set its startup type to Automatic. If you plan to use WPA with any Windows client, including Windows XP and Windows Server 2003, you must install the Windows WPA client update on all clients. You can download the client from http://support.microsoft.com/?kbid=815485.

Windows XP and Windows Server 2003 wireless clients have an Authentication tab in the properties dialog box for a wireless connection, as shown in Figure 10.7. On this tab, you can enable 802.1X authentication, specify and configure the EAP type, and choose the sets of credentials that the computer will use for the authentication.

Figure 10.7: Windows XP wireless network authentication configuration

Select the Enable Network Access Control Using IEEE 802.1X check box to use 802.1X authentication for the network connection. You can leave this option selected even if you have not yet configured 802.1X. If the check box is selected, the computer will attempt to perform an 802.1X authentication when the network interface is initialized. If the computer does not receive a response to its authentication requests, the computer will behave as though the connection does not require authentication. Therefore, it is always okay to leave this check box selected.

Use the EAP Type list to specify the EAP type to use for IEEE 802.1X authentication. By default, you can choose from Protected EAP (PEAP) and Smart Card Or Other Certificate. However, other options will be listed if an application has installed additional EAP libraries.

If you select Smart Card Or Other Certificate, click the Properties button to configure whether the client certificate is located on a smart card or the client’s certificate store. If there is more than one user certificate installed, the user will be prompted to choose a certificate. You can also choose whether the client will authenticate the RADIUS service by validating that the server’s certificate has not expired, and which root CAs to trust. If the RADIUS service’s root CA is not trusted when the client validates the server’s certificate, the user will automatically be prompted to trust the certificate. You do not need to select the Use A Different User Name For The Connection check box; its only effect is to cause the user to be prompted to select a certificate even if the user has only one certificate installed.

If you select Protect EAP (PEAP) from the EAP Type list, you have the same option to validate the RADIUS service’s certificate. You should also specify the authentication method that you will use—either Secured Password (EAP-MSCHAP v2) or Smart Card Or Other Certificate. If you choose to use EAP-MSCHAP v2, click the Configure button to choose whether to automatically use the current logon credentials or to prompt the user for other credentials. You should usually select the Enable Fast Reconnect check box to allow the RADIUS service to immediately authenticate the client if the computer moves from one WAP to another. If the Enable Fast Reconnect check box is cleared, the client computer will have to perform the complete PEAP authentication process each time it connects to a WAP.

To automate the configuration of wireless network settings for wireless clients running Windows XP (Service Pack 1 and later) and Windows Server 2003, Windows Server 2003 Active Directory domains support a new Wireless Network (IEEE 802.11) Policies Group Policy extension that allows you to configure wireless network settings that are part of Computer Configuration GPO settings. Wireless network settings in the Wireless Network (IEEE 802.11) Policies Group Policy extension include global wireless settings, the list of preferred networks, WEP settings, and IEEE 802.1X settings. These settings encompass all of the items on the Association and Authentication tabs in the properties dialog box for a wireless network on a Windows XP or Windows Server 2003 wireless client, and they also include some additional settings.

To configure wireless network security by using a GPO, follow this procedure:

1. Open a blank Microsoft Management Console (MMC) console, and add the Group Policy Object Editor snap-in. Open the GPO you will use to apply the wireless network configuration settings.

2. Expand the GPO, Computer Configuration, Windows Settings, and then Security Settings. Click Wireless Network (IEEE 802.11) Policies.

3. By default, there are no policies. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create Wireless Network Policy.

   The Wireless Network Policy Wizard appears.

4. Click Next.

5. Type a name for the policy, and then click Next.

6. Select the Edit Properties check box, and then click Finish.

   The properties dialog box appears.

7. Click the General tab, as shown in Figure 10.8. The security-related settings are Networks To Access, which specifies whether the client is allowed to connect to ad hoc networks, and Automatically Connect To Non-Preferred Networks, which you might want to disable to prevent clients from connecting to potentially dangerous, untrusted wireless networks.

   
   Figure 10.8: The General tab of the wireless network policy properties dialog box

8. Click the Preferred Networks tab.

   This tab lists preferred networks, which are networks that Windows XP will automatically connect to. There are no preferred networks by default.

9. Click Add.

   The New Preferred Setting Properties dialog box appears, as shown in Figure 10.9. The Network Properties tab allows you to specify whether WEP encryption will be used. Generally, you should select the Data Encryption and The Key Is Provided Automatically check boxes. Leave the Network Authentication check box cleared to use open network authentication.

   
   Figure 10.9: The Network Properties tab of the New Preferred Setting Properties dialog box

10. Click the IEEE 802.1X tab. Select the Enable Network Access Control Using IEEE 802.1X check box.

11. If you want to be able to manage the computer across a wireless network when no user is logged on, select the Authenticate As Computer When Computer Information Is Available check box.

12. Click the EAP Type list to select either Smart Card Or Other Certificate or Protected EAP. This setting must correspond to the setting specified on the IAS server.

13. Click the Settings button to configure the selected EAP type. This dialog box is exactly the same as the dialog box used to configure wireless clients locally.

14. Click OK three times to return to the MMC console.

Note that you can only create a single wireless network policy for each GPO.

To obtain detailed information about the EAP authentication process for Windows XP, you must enable tracing for the EAPOL and RASTLS components by using the following commands at a command prompt:

netsh ras set tracing eapol enabled
netsh ras set tracing rastls enabled

After these commands are issued, the information about the authentication process will be logged in the Eapol.log and Rastls.log files in the SystemRoot\Tracing folder.

Configuring WAPs

The final step of the wireless network configuration process is to configure and enable your WAPs. Unfortunately, the user interface varies for each WAP. At a minimum, you will need to configure the following settings:

• Select WEP or WPA encryption and the encryption level.

• Specify 802.1X authentication and the authentication method.

• Specify the SSID.

• Specify the IP address of the IAS RADIUS servers.

• Specify a shared key corresponding to the shared secret specified during the IAS configuration.

Figure 10.10 shows the wireless security settings of a common inexpensive WAP.

Figure 10.10: Configuring security on a WAP

Practice: Deploying WEP Encryption with PEAP Authentication

In this practice, you will configure a wireless network environment using PEAP authentication. This practice requires that Computer1 has Windows Server 2003, Enterprise Edition installed, that it has been configured as a domain controller, and that it has Certificate Services installed as an Enterprise Root CA. For more information about how to configure the computer, refer to the “Before You Begin” section of this chapter.

Exercise 1: Configure the Active Directory infrastructure

In this exercise, you will configure the cohowinery.com domain with user, computer, and group accounts that you can use to control access to the wireless network. In the first procedure, you will create groups to contain the wireless users and computers.

1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.

2. Open the Active Directory Users And Computers console.

3. In the console tree, expand cohowinery.com.

4. In the Active Directory Users And Computers console, right-click Users, click New, and then click Group.

5. In the New Object – Group dialog box, type GGWirelessUsers in the Group Name box. Click OK.

6. In the Active Directory Users And Computers console, right-click Users, click New, and then click Group.

7. In the New Object – Group dialog box, type GGWirelessComputers in the Group Name box. Click OK.

In the second procedure, you will configure a computer account for the wireless computer and allow dial-in access. The computer will not literally dial-in, but this permission is required for wireless access. You will then add the account to the GGWirelessUsers group.

1. In the Active Directory Users And Computers console, right-click Computer2, and then click Properties.

2. Click the Dial-In tab.

3. Click Allow Access.

4. Click the Member Of tab, and then click the Add button. In the Enter The Object Names To Select box, type GGWirelessComputers, and then click OK twice.

In the third procedure, you will configure a user account for the wireless user and allow dial-in access. You will then add the account to the GGWirelessComputers group.

1. In the Active Directory Users And Computers console, right-click Users, click New, and then click User.

2. In the New Object – User dialog box, type WirelessUser in the First Name box, and then type WirelessUser in the User Logon Name box.

3. Click Next. Type a password of your choice in the Password and Confirm Password boxes. Clear the User Must Change Password At Next Logon check box.

4. Click Next, and then click Finish.

5. In the Active Directory Users And Computers console, click the Users node. Right- click WirelessUser, and then click Properties.

6. Click the Dial-In tab.

7. Click Allow Access.

8. Click the Member Of tab, and then click the Add button. In the Enter The Object Names To Select box, type GGWirelessUsers, and then click OK twice.

Exercise 2: Configure IAS

In this exercise, you will install IAS and configure RADIUS for authentication of wireless users and computers.

1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.

2. Install IAS by using Add Or Remove Programs in Control Panel. Click Add/ Remove Windows Components. In the Windows Components Wizard, click Networking Services, and then click Details. Select Internet Authentication Service, click OK, and then click Next. After IAS is installed, click Finish.

3. Open the Internet Authentication Service console from the Administrative Tools program group.

4. Right-click Internet Authentication Service, and then click Register Server In Active Directory.

   This ensures that IAS has sufficient permissions to Active Directory to authenticate users.

5. Click OK twice.

6. Expand the Internet Authentication Service tree, right-click RADIUS Clients, and then click New RADIUS Client.

   The New RADIUS Client Wizard appears.

7. In the Friendly Name box, type WirelessAP. In the Client Address box, type the IP address of your WAP. Click Next.

8. On the Additional Information page, type a complex shared secret in both the Shared Secret and Confirm Shared Secret boxes. Click Finish.

9. Right-click Remote Access Policies, and then click New Remote Access Policy.

   The New Remote Access Policy Wizard appears.

10. Click Next. In the Policy Name box, type Wireless Network Access, and then click Next.

11. On the Access Method page, click Wireless, and then click Next.

12. On the User Or Group Access page, click Group, and then click Add. Add both the GGWirelessComputers and GGWirelessUsers groups, and then click OK to return to the wizard.

    Tip

    In the Select Groups dialog box, just type GGWireless. The Multiple Names Found dialog box will appear, and you can select both groups by using the Ctrl key and the mouse button.

13. Click Next. On the Authentication Methods page, notice that Protected EAP is selected by default. Click Configure, and then select the Enable Fast Reconnect check box. Notice that the EAP Types list contains the Secured Password (EAP- MSCHAP v2) EAP type by default, as shown in Figure 10.11. Click OK.

    
    Figure 10.11: Default IAS PEAP properties

14. Click Next. On the Completing The New Remote Access Policy Wizard page, review the conditions that the wizard generated. It should read

    Conditions: NAS-Port-Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND WindowsGroups matches "COHOWINERY\GGWirelessComputers;COHOWINERY \GGWirelessUsers"

    You should understand this syntax so that you can manually update the remote access policy to make changes in the future.

15. Click Finish.

16. Right-click Wireless Network Access, and then click Properties.

17. Click Edit Profile.

18. Select the Minutes Client Can Be Connected (Session-Timeout) check box, and then set the value to 8 minutes.

19. Click the Authentication tab, and then click the EAP Methods button.

20. Click Protected EAP, and then click Edit.

    The Protected EAP Properties dialog box appears. Notice that the Certificate Issued list already has a computer certificate registered because Computer1 is an enterprise CA. Also notice that Secured Password (EAP-MSCHAP v2) is selected in the EAP Types list.

21. Click OK four times to return to the Internet Authentication Service console.

Exercise 3: Configure the WAP

In this exercise, you will configure your WAP to use 802.1X authentication by sending requests to the IAS service on Computer1. Unfortunately, each vendor’s WAP has a different interface for configuring it. Refer to the documentation of the WAPs.

Configure the WAP with the following settings:

• WEP/RADIUS security mode

• An SSID of WEP_TEST

• A RADIUS service address corresponding to Computer1’s IP address

• A shared key corresponding to the shared secret specified during the IAS configuration

• The highest available form of WEP encryption

Exercise 4: Configure the client computer

In this exercise, you will configure the client computer to connect to the wireless network.

1. Log on to the cohowinery.com domain on Computer2 using the WirelessUser account.

2. Open the Network Connections window.

3. Right-click Wireless Network Connection, and then click Properties.

4. Click the Wireless Networks tab. In the Available Networks box, click WEP_TEST, and then click Configure.

5. Click the Association tab. Click the Data Encryption (WEP Enabled) option. Verify that The Key Is Provided For Me Automatically check box is selected.

6. Click the Authentication tab. Select the Enable IEEE 802.1X Authentication For This Network check box. In the EAP Type list, click Protected EAP.

7. Verify that the Authenticate As Computer When Computer Information Is Available check box is selected. This ensures the computer can be managed while connected to the wireless network when a user is not logged on.

8. Click Properties. In the Protected EAP Properties dialog box, select the Connect To These Servers check box, and then select the Enable Fast Reconnect check box, as shown in Figure 10.12.

   Notice that Secure Password (EAP-MSCHAP v2) is the selected authentication method by default.

   
   Figure 10.12: The Protected EAP Properties dialog box

9. Click OK three times.

   Computer2 should now authenticate to the wireless network.

10. Start Internet Explorer. In the Address box, type http://computer1/certsrv/, and then click Go.

    The Microsoft Certificate Services Web page should appear, verifying that Computer2 is connected to the wireless network.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. Which of the following can be configured by using a GPO?

   1. A Windows XP Service Pack 1 wireless client with WEP encryption

   2. A Windows XP Service Pack 1 wireless client with WPA encryption

   3. A Windows 98 wireless client with WEP encryption

   4. A Microsoft Windows Mobile 2003 wireless client with WEP encryption

2. Which setting must be enabled to initiate dynamically rekeyed WEP?

   1. Minutes Server Can Remain Idle Before It Is Disconnected

   2. Minutes Client Can Be Connected

   3. Allow Access Only On These Days And At These Times

   4. Allow Access Only To This Number

   5. Allow Access Only Through These Media

3. Which of the following pieces of information is not required when configuring the WPA?

   1. The IP addresses of the wireless clients

   2. The IP address of the RADIUS server

   3. The SSID

   4. The shared key

   5. The encryption level

   6. The authentication method

Lesson Summary

• You should publish policies defining how wireless networks can be used and should be configured in your organization.

• The most efficient way to assign authorization rights for wireless clients is to create groups specifically for wireless users and computers in Active Directory.

• You can use Certificate Services to enroll certificates for the IAS server and, if you use EAP-TLS authentication, for the wireless clients.

• If you use WEP encryption, you can configure Windows XP and Windows Server 2003 wireless clients by using a GPO.