Using Windows Vista on a Corporate Mobile Network

Expert Reference Series of White Papers
1-800-COURSES www.globalknowledge.com

Introduction

Can you remember the frustration you felt the last time you needed to work on a document but couldn’t connect to the network to use it? What about the last time you wanted to write an email or get some work done on the Internet, but you had to go to a different location where you could use a networked system? Multiply these problems and frustrations by every employee who has ever experienced them and you will understand, if you don’t already, why wireless networking is becoming a requirement in many offices. When properly implemented and used, wireless networking acts not only as a nice convenience, but as a valid tool for increasing productivity and efficiency.

Those who resist the idea of creating a Wi-Fi network will normally acknowledge its advantages, but express valid concerns about expanding the network infrastructure and preventing the security problems inherent in the technology. Can you implement this kind of change without unduly impacting the security of the existing network infrastructure? Can you enforce security procedures created just for the wireless network on end-users working with laptops? Some of your users might be allowed to use their laptops on public Wi-Fi networks where you have no control. Can you run system checks and prevent computers with security problems from rejoining your network?

If you are using an Active Directory domain with Windows Vista clients, the answer to all of these questions is yes. As you will see, this does not have to be a complicated process. Having a basic understanding of the encryption and authentication choices available, related group policy settings, and Windows Vista features will help you narrow down your choices and make the decisions that are best for your environment.
We will start off by walking through the process of configuring a wireless connection on a Windows Vista system manually. This will allow us to view the different features and options available during setup. We will then discuss how to implement configuration changes automatically through Active Directory by using 802.11 group policy settings or script files. Of course, a discussion about wireless networking would not be complete without taking time to discuss the security issues it will raise and how to deal with them, so we will look at that as well. First, let’s connect a Windows Vista laptop to a wireless network.

Connecting to a Wireless Network

Configuring the client connection can easily be done from the Connect to a Network window (Figure 1.1). You can get to it by clicking on the Connect to option from the Start menu or open it from the shortcut available in the Network and Sharing Center. The list of networks shown will include all available connections, including Dial-up and VPN. To limit the list to only wireless networks, choose “Wireless” from the “Show” drop down box.

Neil Tucker, Global Knowledge Instructor, MCT, MCITP, MCTS, MCDBA, MCSE, MCDST
Copyright ©2007 Global Knowledge Training LLC. All rights reserved.

Figure 1.1: Connect to a Network Window

One interesting option you might notice in the list of available networks is the ability to connect to networks that have the name “Unnamed Network.” These are wireless access points (APs) that do not advertise their name or Service Set Identifier (SSID). Sometimes called a non-broadcast or hidden network, many take advantage of this feature on their APs in an effort to make the network more secure by “hiding it” from older operating systems like Windows 2000 or XP. Obviously, they are not hidden from Vista systems, but this feature has proved to be a very ineffective security option in any case.
If you decide to use it, don’t let it give you a false sense of security. It really shouldn’t be seen as a security feature, especially on a corporate network.

There is also an option showing whether the connection to the AP will be secure or not. If security is enabled, Vista will automatically use the strongest encryption protocol it supports on the access point. If security is not enabled, a warning message will alert you to the dangers of connecting to such a network. You will also have the option to connect to the AP automatically, making it your preferred network. You will also be able to disconnect from a network or modify your preferred network settings when necessary.

If you need to manually configure your network connection settings, from the Connect to a Network window use the Set up a connection or network option in the lower left hand corner and choose to open the Manually connect to a wireless network window (Figure 1.2). From here, you can configure a network name and security protocols. You may also choose to start the connection automatically and to connect to the AP even if it is not broadcasting.

Figure 1.2: Manually Connect to a Wireless Network Window

Which security protocol should you use? You should try to use Wi-Fi Protected Access 2 (WPA2) with Advanced Encryption Standard (AES) encryption as your first choice. Wired Equivalent Privacy (WEP) is a last resort because of its known security issues. WPA does a good job of dealing with the weaknesses inherent in WEP but might be vulnerable to some of the same security issues because it was designed to be compatible with it. WPA2 was redesigned from the ground up with both eyes on security and little concern for compatibility with WEP hardware. If you are unable to upgrade your APs to support it, your next best bet is, of course, WPA.

What do the Personal and Enterprise designations mean for WPA and WPA2?
Personal connections fall back on using a password or preshared key for authentication, while Enterprise uses 802.1X. This allows an Enterprise connection to use Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) for stronger security and mutual authentication. After clicking Next, you will be able to modify other options like the use of other preferred networks, server certificates and smart cards by using the “Change Connection Settings” option. Once you have verified that all your options are correct, you accept the configuration and start using the wireless network.

Now, unless you have just a few laptops, you probably want to use Active Directory to apply and maintain these settings centrally. How can that be done?

Leveraging Active Directory

One issue that often comes up when connecting domain laptops through wireless networks is the problem of having to authenticate twice. A secure wireless network will require some form of authentication before connecting, after which you will need to provide your Active Directory credentials for connecting to the domain. Although not required, it’s a good idea to simplify this process for users by allowing them to connect to the network and domain in a single logon process using a bootstrap wireless profile. You do this by modifying the properties of a wireless profile to disable the validation of the RADIUS server certificate when using PEAP-MS-CHAPv2 authentication and enabling Single Sign On. The network administrator might make the laptop a member of the domain by using a wired connection and configure a new wireless profile with these settings. If the laptop is already a member of the domain, a configuration file can be used to apply the new settings using netsh. When users want to connect, they simply log in with their domain credentials.
Normally, without cached credentials or an existing network connection, this logon process would fail. Enabling Single Sign On will allow the client to connect to the network and domain in a single step using the domain credentials they provided at logon.

A network administrator would normally want to maintain these settings by using group policies to push any configuration changes to laptops. However, a domain running Windows Server 2003 with SP1 does not support some of the new security features available for 802.11 networks on Vista, such as using WPA2. This can be overcome by performing schema modifications that add these features. If you are unable or unwilling to risk such a change to your Active Directory forest, a simpler solution would be to use script files. Netsh now has a new WLAN parameter that can be used to export and import wireless configuration settings using XML files. It takes three parameters when exporting the configuration:

• First, the name of the XML file to export the configuration to
• Second, the name of the wireless profile being exported
• Third, the name of the wireless adapter used by the profile

The command might look like this: netsh wlan export profile configuration.xml secure_profile secure_adapter. Once you have the file, you can import it to another system using the command: netsh wlan add profile configuration.xml local_adapter. A startup script can then be created in a group policy to apply the changes to mobile systems running the same operating system.

The unique security issues raised by these systems might also move you to separate them in their own Organizational Unit (OU). This would make it easier to apply group policy settings different from those of other systems and also to administer them separately. A separate domain would not be necessary unless it were decided that wireless users should have different account policy requirements.
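As an added illustration (not code from the white paper or from Microsoft), here is a small Python audit that reads the XML files netsh wlan exports and checks each profile against the preference order given above: WPA2 with AES first, WPA next, WEP as a last resort, Enterprise (802.1X) over Personal, and no reliance on a non-broadcast SSID. The element names follow the WLAN profile schema netsh writes; the two profiles embedded in the script are constructed samples.

```python
"""Audit exported 'netsh wlan' profile XML against the paper's recommendations.
Added example, not part of the white paper; the profiles below are constructed."""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Preference order from the paper: WPA2 first, then WPA, WEP (open/shared) last.
AUTH_RANK = {"WPA2": 3, "WPA2PSK": 3, "WPA": 2, "WPAPSK": 2, "shared": 1, "open": 0}


def audit_profile(xml_text):
    """Return (profile name, list of findings); an empty list means the profile
    matches the first-choice configuration (WPA2, AES, 802.1X, broadcast SSID)."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/w:authEncryption/"
    name = root.findtext("w:name", default="?", namespaces=NS)
    auth = root.findtext(sec + "w:authentication", default="open", namespaces=NS)
    enc = root.findtext(sec + "w:encryption", default="none", namespaces=NS)
    onex = root.findtext(sec + "w:useOneX", default="false", namespaces=NS)
    hidden = root.findtext("w:SSIDConfig/w:nonBroadcast", default="false", namespaces=NS)

    findings = []
    if AUTH_RANK.get(auth, 0) < 3:
        findings.append(f"authentication is {auth}; WPA2 is the first choice")
    if enc == "WEP":
        findings.append("WEP is a last resort because of its known security issues")
    elif enc != "AES":
        findings.append(f"encryption is {enc}; AES is the first choice")
    if onex.lower() != "true":
        findings.append("Personal (preshared key) profile; Enterprise 802.1X preferred")
    if hidden.lower() == "true":
        findings.append("non-broadcast SSID is not a security feature; do not rely on it")
    return name, findings


# Constructed sample: the first-choice configuration (WPA2, AES, 802.1X, broadcast SSID).
GOOD_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpSecure</name>
  <SSIDConfig><SSID><name>CorpSecure</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample: a hidden, open-authentication WEP network that should be flagged.
WEAK_PROFILE = GOOD_PROFILE.replace("CorpSecure", "GuestLegacy") \
    .replace("<nonBroadcast>false", "<nonBroadcast>true") \
    .replace("WPA2", "open").replace("AES", "WEP").replace("useOneX>true", "useOneX>false")
```

Run audit_profile over the output of netsh wlan export profile for each laptop profile; the weak sample above yields four findings and the first-choice sample yields none.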
Smart Card authentication can be enabled or disabled for individual users in the same domain.

Securing the Network

It is always a good idea to treat the wireless part of your network with the same scrutiny you apply to incoming Internet connections. Make sure that due consideration is given to choosing who will be able to use wireless connections, what encryption and authentication protocols will be required, and how each AP will be secured and accessed. Here are a few other suggestions that should help to prevent security breaches.

Create a written security policy. This part of the process is often overlooked in the rush to get the network up and working. When everyone knows exactly who should or shouldn’t be able to connect, the minimum security requirements for clients and APs, what information they will be permitted to access, as well as whom to notify and what actions to take in case of a breach, things will go a lot more smoothly in the long run. Also, never forget to have a proper audit policy. This should include what events will be recorded and how often and by whom the information must be reviewed.

Use a RADIUS Server. Different RADIUS implementations are mostly compatible with one another, so a UNIX-based RADIUS configuration should work with Microsoft’s IAS, which is their implementation of RADIUS services. Having this layer of authentication to centrally manage all wireless connections, regardless of which AP they connect from, might increase the cost of your implementation, but will make security and administration much easier.

Limit the Access Point’s broadcast area. If the AP is broadcasting beyond the range where you need it to operate, reduce its signal strength and/or redirect the signal to avoid problems with any casual wardrivers.

Use a Honeypot.
Some administrators have found it useful to configure less secure APs specifically to catch attempts to breach their network security. You would use audit logs to track not only who is trying to connect, but also how they are doing it.

Limit Subnet Access. Do the wireless users really need access to all parts of your network, or only to certain applications? If the services they are using can be put on a screened subnet or limited to just a few of them, then access should not be allowed to other parts of the network.

Use a Firewall. In line with the idea of treating Wi-Fi connections the same as Internet ones, why not screen and limit their connections through the firewall and audit their network use the way you do for other remote users? Having a single point through which all wireless users must connect to your wired network will help prevent security breaches and give you a good starting point for tracking down how they happened in the first place.

Limit and Control the use of IPs. Limiting the number of IP addresses available to wireless clients is a no-brainer. You should also make sure that these clients have a distinct group of IP addresses that only they use. You might also be able to map a specific IP to each laptop by using the MAC address as a further way of tracking down a rogue connection more easily.

Network Access Protection. This feature will require the new “Longhorn” server, but the idea behind it might move you to upgrade parts of your server infrastructure more quickly than you originally planned. How would you like the ability to automatically remove computers, wired or wireless, that do not meet minimum “health” requirements that you configure? NAP allows you to set these standards (e.g., having the latest antivirus updates), prevent computers that don’t comply from connecting to the network, or redirect them to a network where they can be quarantined or updated to make them compliant.
This would be of special concern for wireless systems that might be taken off-site, where your security rules cannot be enforced. Until you are able to implement “Longhorn” on your network, you might want to look into different VPN server solutions that provide this functionality.

Conclusion

Regardless of how you configure your Windows Vista systems to connect to your wireless network, a systematic approach will save you time and money, and lead to a more secure configuration. Understanding the operating system features and group policy options available to you should lead to a configuration that network administrators and end-users will be comfortable working with.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

Migrating to Windows Vista
Implementing and Maintaining Windows Vista

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Neil Tucker has been working in the IT field for more than 14 years and as an instructor for the last seven. As a network administrator, he has supported Active Directory domains and worked with enterprise applications such as SQL Server, Exchange and SMS. As a Microsoft Certified Trainer, he has also been able to participate in some beta programs, including the one for Windows Vista.