Taking Advantage of Windows Server 2003 Security Features


Windows Server 2003 gives you a great deal of security and flexibility in managing wireless networks and the clients that access them. By using Active Directory, DHCP, DNS, and Internet Authentication Services you can secure and audit remote computers as well as wireless users.

Group Policies are probably the primary tools for wireless network administrators. The ability to control most, if not all, of the wireless client's settings is a great way to ensure security compliance.

Configuring the Wireless Network (IEEE 802.11) Policy

Windows Server 2003 Active Directory domains support a new Wireless Network (IEEE 802.11) Policies Group Policy extension. This extension enables you to configure the wireless network settings that are part of the Computer Configuration Group Policy.

Wireless network settings in the Wireless Network (IEEE 802.11) Policies Group Policy extension include the global wireless settings, the list of preferred networks, WEP settings, and IEEE 802.1x settings. All the settings available on the Association and Authentication tabs of the Properties dialog box for a wireless network on a Windows XP (SP1 and later) or Windows Server 2003 wireless client are included in this configuration tool.

Wireless Network (IEEE 802.11) Policies

The Wireless Network (IEEE 802.11) Policies do not apply to Windows XP clients prior to Service Pack 1. They also do not apply to wireless clients running the Microsoft 802.1X Authentication Client.


Wireless Network (802.11) Policies Node

The Wireless Network (802.11) Policies node is not available from the Windows Server 2003 Administrators Pack. You must configure it directly on the server or via Terminal Services.


Single Wireless Network Policy

Only a single wireless network policy can be created for each Group Policy object.


You can configure wireless policies from the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node in the Group Policy MMC snap-in. Figure 2.1 shows the location of the Wireless Network (IEEE 802.11) Policies node.

Figure 2.1. Wireless network (802.11) policies node.


There are no Wireless Network (802.11) policies by default. To create a new policy, right-click Wireless Network (IEEE 802.11) Policies in the console tree of the Group Policy Object Editor and then click Create Wireless Network Policy. The Create Wireless Network Policy Wizard starts and enables you to configure the name and description of the new wireless network policy.

After creating the new wireless policy, double-click the name of the new policy in the Details pane to make the modifications needed to implement the desired settings.

Choosing the Proper Wireless Network Policy Properties

Now that the new wireless network policy has been created, you need to go through each of the options on the General and Preferred Networks tabs and choose the appropriate settings for the wireless network. Figure 2.2 shows the options available on the General tab.

Figure 2.2. Wireless network policy General Properties tab.


Within the General tab you can configure the following properties:

  • Name. Enables you to specify a friendly name for the wireless network policy.

  • Description. Gives a description for the wireless network policy.

  • Check for Policy Changes Every. This setting specifies the interval, in minutes, after which clients check for changes to the wireless network policy.

  • Networks to Access. Enables you to choose which of the following kinds of network the wireless client is allowed to connect to:

    Any Available Network (Access Point Preferred)

    Access Point (Infrastructure) Networks Only

    Computer-to-Computer (Ad Hoc) Networks Only

  • Use Windows to Configure Wireless Network Settings for Clients. This check box enables the Wireless Zero Configuration (WZC) service.

  • Automatically Connect to Non-preferred Networks. This check box enables the client to connect to wireless networks that are not configured in the Preferred Networks tab.

Within the Preferred Networks tab, shown in Figure 2.3, you can configure the following properties:

Figure 2.3. Wireless network policy Preferred Networks properties tab.


  • Networks. This box displays the list of preferred wireless networks.

  • Add/Edit/Remove. These buttons enable you to create, delete, or modify the settings of a new or selected preferred wireless network.

  • Move Up/Move Down. These buttons enable you to move the selected preferred wireless network up or down in the Networks list.

By double-clicking any of the preferred wireless networks listed in the Networks list you can edit the properties of that network. Figure 2.4 shows the options that are available for modification.

Figure 2.4. Wireless Network Policy preferred networks options.


WPA

As of the writing of this book, configuration for Wi-Fi Protected Access (WPA) was not available. Microsoft is considering including WPA authentication and encryption settings in future Service Packs for Windows Server 2003 and Windows XP clients.


The first tab at the top of the dialog box is Network Properties. This tab has the following options:

  • Network name (SSID). This field specifies the wireless LAN network name, also known as the Service Set Identifier (SSID).

  • Description. This box enables you to give a short description of this wireless network.

  • Data Encryption (WEP Enabled). This check box specifies whether WEP is enabled for this wireless network.

  • Network Authentication (Shared Mode). This check box specifies whether 802.11 shared key authentication is used to authenticate the wireless client. If disabled, open system authentication is used.

  • The Key Is Provided Automatically. This check box specifies whether a WEP key is provided by some means other than manual configuration. When checked, the key is provided either by the wireless network adapter or through 802.1x authentication against an IAS server.

  • This Is a Computer-to-Computer (Ad Hoc) Network. This check box specifies whether the client's wireless LAN network is operating in ad hoc mode.

The other tab available for the settings of a preferred wireless network is the IEEE 802.1x tab. Figure 2.5 shows the available configuration options.

Figure 2.5. IEEE 802.1X properties options.


On the IEEE 802.1x tab you can configure the following settings:

  • Enable Network Access Control Using IEEE 802.1x. This check box specifies whether you want to use IEEE 802.1x to perform authentication for this wireless network. This box also enables all the other settings on this tab.

  • EAPOL-Start Message. This pull-down box enables you to select the transmission behavior of the EAPOL-Start message when authenticating. The following options are available:

    Do Not Transmit. This option specifies that EAPOL-Start messages are not sent.

    Transmit. This option sends an EAPOL-Start message if needed.

    Transmit per 802.1x. This option sends an EAPOL-Start message, upon association, to initiate the 802.1x authentication process.

  • Max Start. This box specifies the number of successive EAPOL-Start messages that are transmitted when no response is received from the initial EAPOL-Start message.

  • Start Period. This box specifies, in seconds, the interval between the retransmission of EAPOL-Start messages when no response to the previously sent message is received.

  • Held Period. This box specifies, in seconds, the period that the authenticating client will not perform any 802.1x authentication activity after it has received an authentication failure indication from the authenticator.

  • Authentication Period. This box specifies, in seconds, the interval for which the authenticating client waits before retransmitting any 802.1x requests after authentication has been initiated.

  • EAP Type. This pull-down box lists the EAP types, corresponding to the EAP DLLs installed on the client computer, that are suitable for wireless access. The two main choices are Smart Card or Other Certificate, and Protected EAP (PEAP).

  • Settings. This button enables you to configure the properties of the selected EAP type.

  • Authenticate as Guest When User or Computer Information Is Unavailable. This check box specifies whether the computer will attempt to authenticate as a guest when either user or computer credentials are unavailable.

  • Computer Authentication. This pull-down box enables you to specify the way in which computer authentication works with user authentication.

Under Computer Authentication, the three possible settings are as follows:

  • With User Authentication. When no user is logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the client computer, authentication is maintained with the computer credentials. When the wireless client travels to a new wireless access point, authentication is performed using the user's credentials.

  • With User Re-authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the client computer, authentication is performed using the user credentials. When a user logs off the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).

  • Computer Only. Authentication is always performed by using the computer credentials. User authentication is never performed.
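To make the difference between the three settings concrete, here is an added model (not from the book, and not Windows code) that replays a logon, roam, logoff sequence under each mode and reports the points at which the 802.1X session credentials stop matching who is actually logged on. The event names are assumptions, as is the handling of logoff under With User Authentication, which the text does not describe.

```python
from dataclasses import dataclass
from typing import List, Optional

# Setting names as they appear in the Computer Authentication pull-down
WITH_USER_AUTH = "With User Authentication"
WITH_USER_REAUTH = "With User Re-authentication"
COMPUTER_ONLY = "Computer Only"

@dataclass
class Supplicant:
    mode: str
    user: Optional[str] = None    # logged-on user, None when nobody is logged on
    credential: str = "computer"  # credentials the current 802.1X session was built with

    def expected(self) -> str:
        """Credentials that match the computer's current security context."""
        return "user" if self.user else "computer"

    def handle(self, event: str) -> None:
        """Events are 'logon <name>', 'logoff' or 'roam' (association with a new AP)."""
        kind, _, name = event.partition(" ")
        if kind == "logon":
            self.user = name
            if self.mode == WITH_USER_REAUTH:
                self.credential = "user"  # re-authenticate as the user right away
            # WITH_USER_AUTH and COMPUTER_ONLY keep the computer-credential session
        elif kind == "logoff":
            self.user = None
            if self.mode == WITH_USER_REAUTH:
                self.credential = "computer"
            # WITH_USER_AUTH: logoff is not described in the text; assumed here to
            # keep the existing session until the next roam. COMPUTER_ONLY: no change.
        elif kind == "roam":  # a new association always triggers a fresh 802.1X exchange
            self.credential = "computer" if self.mode == COMPUTER_ONLY else self.expected()
        else:
            raise ValueError(f"unknown event {event!r}")

def context_mismatches(mode: str, events: List[str]) -> List[str]:
    """Return the events after which the session credentials no longer match who is
    logged on. An empty list is what makes With User Re-authentication recommended."""
    s = Supplicant(mode)
    mismatched = []
    for ev in events:
        s.handle(ev)
        if s.credential != s.expected():
            mismatched.append(ev)
    return mismatched

# Constructed session: nobody logged on at boot, Alice logs on, roams, logs off, roams
SESSION = ["logon alice", "roam", "logoff", "roam"]
```

Running `context_mismatches` over `SESSION` for each mode shows With User Re-authentication with no mismatches, while the other two modes leave the connection authenticated under the wrong context after a logon.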

Incorporating Certificates into Wireless Security

One of the best ways to protect not only the WLAN but also the whole network is a Public Key Infrastructure (PKI). On Windows Server 2003 this solution is also known as Certificate Services. Certificate Services can be managed internally or outsourced to a trusted third party.

Computer and user certificates can be issued through Group Policies. This is best done at the Organizational Unit (OU) level, and it is recommended that an OU be created for the WLAN users.

Computer certificates can also be allocated automatically. This is desirable when a large number of users will be using your PKI.

Automatic Computer and User Certificate Allocation

Windows Server 2003 Enterprise or Datacenter Edition acting as the enterprise CA server is required for automatic computer and user certificate allocation.


Configuring Certificate Services

Administrators of medium to large Windows 2000 or Windows Server 2003 environments will probably have already deployed a PKI. Several roles are involved in a well-managed PKI architecture; they include the Enterprise root Certificate Authority (CA), Issuing CA, and Subordinate CA.

If this is the first instance of PKI in the Windows Server 2003 environment, perform the following steps:

  1. In the Control Panel, open Add or Remove Programs, and then click Add/Remove Windows Components.

  2. In the Windows Components Wizard page, select Certificate Services, and then click Next.

  3. On the next Windows Components Wizard page, select Enterprise root CA.

  4. Click Next and then type the desired name in the Common Name for This CA field, and then click Next.

  5. Accept the default Certificate Database Settings, and then click Next and finally Finish.

This creates the base of the PKI architecture. In a truly secure environment the Enterprise root CA server is removed from the network and physically protected, which guards the integrity of its private key.

Configuring Internet Authentication Services (IAS)

The network's remote and wireless clients need to be authenticated to access the domain. This service is provided by the Remote Authentication Dial-In User Service (RADIUS), the IAS role in your network. The IAS server is registered in Active Directory; because the two services are aware of each other, a single sign-on environment can be maintained.

The Microsoft IAS-based RADIUS server provides centralized authentication, authorization, and accounting (AAA). IAS is also a RADIUS proxy, because it can forward RADIUS requests to other RADIUS servers for AAA. IAS can also be used to authenticate VPN clients, and wireless access points and Ethernet switches that support 802.1x.

BEST PRACTICE: Plan Ahead

Plan ahead when choosing the version of Windows Server 2003 to build your IAS server. You need to know how many clients and outside RADIUS server groups you are going to be supporting.

Windows Server 2003 Standard Edition only supports up to 50 RADIUS clients and two remote RADIUS server groups. Each RADIUS client must resolve to a single IP address. If the RADIUS client's fully qualified domain name resolves to multiple IP addresses, only the first address is used.

Windows Server 2003 Enterprise and Datacenter Editions can support unlimited RADIUS clients and remote RADIUS server groups. You can also configure RADIUS clients by specifying an IP address range.
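As an added pre-deployment check (not from the book), the following script tests a planned IAS configuration against the limits stated above and flags RADIUS client names that resolve to more than one address, since only the first would be used. The edition table comes from the text; the host names and DNS table are constructed so the check runs offline, and the live-DNS fallback is an assumption about how it would be run for real.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# IAS capacity per Windows Server 2003 edition, as given in the text (None = unlimited)
LIMITS = {
    "Standard":   {"clients": 50,   "server_groups": 2,    "ranges": False},
    "Enterprise": {"clients": None, "server_groups": None, "ranges": True},
    "Datacenter": {"clients": None, "server_groups": None, "ranges": True},
}

def dns_resolve(name: str) -> List[str]:
    """Live lookup of every IPv4 address behind a name (used when no table is given)."""
    return socket.gethostbyname_ex(name)[2]

# Constructed DNS table so the check runs offline; the names and addresses are made up
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "ap1.corp.example": ["192.0.2.10"],
    "ap-pool.corp.example": ["192.0.2.20", "192.0.2.21", "192.0.2.22"],
}

def table_resolve(name: str) -> List[str]:
    return CONSTRUCTED_DNS[name]

def check_ias_plan(edition: str, clients: List[str], server_groups: int,
                   resolve: Callable[[str], List[str]] = dns_resolve) -> List[str]:
    """Return findings for a planned IAS deployment; an empty list means it fits."""
    lim = LIMITS[edition]
    findings = []
    if lim["clients"] is not None and len(clients) > lim["clients"]:
        findings.append(f"{edition}: {len(clients)} RADIUS clients exceeds the limit of {lim['clients']}")
    if lim["server_groups"] is not None and server_groups > lim["server_groups"]:
        findings.append(f"{edition}: {server_groups} remote RADIUS server groups exceeds the limit of {lim['server_groups']}")
    for client in clients:
        if "/" in client:                                 # an address range such as 192.0.2.0/24
            ipaddress.ip_network(client, strict=False)    # raises ValueError on a malformed range
            if not lim["ranges"]:
                findings.append(f"{client}: address ranges need Enterprise or Datacenter Edition")
            continue
        try:
            ipaddress.ip_address(client)                  # a literal address needs no resolution
            continue
        except ValueError:
            pass
        addrs = resolve(client)                           # an FQDN: IAS uses only the first address
        if len(addrs) > 1:
            findings.append(f"{client}: resolves to {len(addrs)} addresses; IAS would use only {addrs[0]}")
    return findings
```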


Configuring EAP-TLS Authentication

EAP-TLS is the method by which the wireless client and the IAS server authenticate each other by exchanging and validating certificates.

On your IAS server perform the following steps:

  1. Open the Internet Authentication Service snap-in.

  2. In the console tree, click Remote Access Policies.

  3. In the details pane, double-click Wireless Access to Intranet. The Wireless Access to Intranet Properties dialog box is displayed.

  4. Click Edit Profile, and then click the Authentication tab.

  5. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box will be displayed.

  6. Click Add. The Add EAP dialog box will be displayed.

  7. Click Smart Card or Other Certificate, and then click OK. The Smart Card or Other Certificate type is added to the list of EAP providers.

  8. Click Edit. The Smart Card or Other Certificate Properties dialog box will be displayed.

  9. The properties of the computer certificate issued to the IAS computer are displayed. Click OK.

  10. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.

  11. Click OK to save changes to the remote access policy.

Acceptable Computer Certificate

This dialog box verifies that IAS has an acceptable computer certificate installed for performing EAP-TLS authentication.




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
