The following excerpt is from Chapter 4 of the free e-book "The tips and tricks guide to securing Windows Server 2003" written by Roberta Bragg and available at Realtimepublishers.com. Click for the complete book
Windows .NET Server wireless network (IEEE 802.11) policies
Windows .NET Group Policy provides an opportunity to centrally control configuration of authorized wireless networks. Although it does not and cannot prevent the existence of unauthorized WAPs, use of a policy provides more than and administrative convenience. First, the policy provides a mechanism to present a list of preferred WAPs. The client will seek to connect to these access points first, in the order listed. A user would have to specifically configure his or her system to attempt connection to other systems. For most people, transparent connectivity is desired. The ordinary user just wants to be able to do his or her job, not figure out how to connect to the network. If there is no benefit to independently configuring their systems (users have wireless connectivity that they don't have to mess with), they won't. The determined individual will always find a way around policy. Second, although the attacker will be perfectly capable of configuring his or her computer, the policies that control authorized access points add technology to reduce that threat. By using Group Policy to set them, you can avoid the possibility that misconfiguration will produce a vulnerability.
Wireless policy can be set in the Computer Settings, Windows Settings, Security settings, Wireless Network Access Policy. First, create the wireless policy. In the GPO, right-click Wireless Network (IEEE 80.11) Policies, and select Create wireless network policy. Click Next on the welcome page, then enter a name and description for the policy, and click Next. Click Finish to complete the policy wizard and proceed to editing the policy settings. On the general properties page, the default is to Use windows to configure wireless settings for clients (see Figure 4.18), though you can select the Automatically connect to non-preferred networks. Important to consider are the choices that require client connections to either:
- Any available network (access point preferred)
- Access point (infrastructure networks) only
- Computer-to-computer (ad-hoc networks only)
You allow ad-hoc as well as infrastructure networks with the first choice; otherwise, set restrictions. You might need different policies if you allow a select group of users access to more than one kind of wireless network. Remember that you can create different policies and implement them at either the domain or OU level. What you cannot do is create multiple polices in a single Group Policy Object (GPO) and assign them to specific users or computers.
Figure 4.18: Identify the policy and the type of wireless network authorized.
The Preferred Networks tab, which Figure 4.19 shows, is used to identify configuration for each authorized access point. For each, click Add, then add the network information.
Figure 4.19: Identify and add network information.
On the Network Properties tab (see Figure 4.20), enter the network name, or SSID and a description.
Figure 4.20: Configure WEP.
Choose the WEP key and authentication modes, or ad-hoc designation if appropriate. If IEEE 802.1x is supported, use the IEEE 802.1x tab (see Figure 4.21). Your first choice is to select between the use of EAP or PEAP.
Figure 4.21: Configure 802.1x.
Use the Settings button to configure authentication behavior. You can select whether smart card or computer resident certificates are required and identify which CA(s) are to be trusted. If a Microsoft Enterprise CA is online, it will appear as on option (see Figure 4.22).
Figure 4.22: Select smart card or computer certificate and identify Trusted Root Certification Authorities.
Click for the book excerpt series or visit Realtimepublishers.com to obtain the complete book.