Securing corporate wireless laptops

"lldan" <ll***@discussions.microsoft.com> wrote in message news:FB7558A9-DC20-47BD-B354-4A775156CE54@microsoft.com...

We are currently running Windows XP SP2 on all of our laptops. Now, of course, laptops travel around connecting to various wireless networks and broadcasting their preferred network list. I would like to stop that, but in a way that is easy to manage. I have looked at this patch:

http://support.microsoft.com/default.aspx/kb/917021

This patch looks good and it sounds like setting up a non-broadcast wireless network is the way to go on this. The only problem I see is that for each wireless network you connect to, the user would have to do this setting. We are using Windows 2003 servers and we have 0 Vista machines.

I'm looking for a way to best secure our laptops from broadcasting their own preferred network list while traveling. Also looking for a tool to shut off wireless networking when connected through an ethernet (patch cable) connection. Any help would be greatly appreciated.

Thanks

"Steve Riley [MSFT]" wrote:

There is, unfortunately, some misleading wording in that KB article.

Consider this sentence: "The Wireless Client Update lets you configure wireless networks as broadcast networks or as nonbroadcast networks." It could be interpreted to mean that if you configure all your clients not to broadcast their network names, then there will be no broadcasts at all. This is not entirely true. Remember, access points also broadcast their names. This setting in XP and Vista makes it easier for your computers to operate in an environment where the access points are not broadcasting.

However, it is actually a mistake to assume that hiding your network name (the "SSID," as it's called) offers security. SSIDs are names, not passwords, and you can't keep them completely hidden. I explain in full detail here:

http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx

There is actually very little risk when XP/Vista clients broadcast their configured networks. Here's the statement from the KB:

"An observer may monitor these probe requests [of its preferred networks] and configure a wireless network by using a name that matches a preferred wireless network. If the wireless network is not secured, this network could enable unauthorized connections to the computer."

Say you have a secured (WPA or WPA2) network in your company and you call it FRAMISTAN. Furthermore, you've left the default enabled, so all the FRAMISTAN access points are happily broadcasting their SSIDs. This is all well and good. Now a client computer is sitting in an airport lounge and the user powers it up. The computer will probe for FRAMISTAN but, of course, won't find it in the lounge. But there's a bad guy there, scanning the air, looking for probes. He sees a probe for FRAMISTAN and quickly sets up an access point.

This bad guy won't, of course, be able to configure his access point with the security settings that your computer requires for FRAMISTAN (he can't know your authentication passphrase for WPA(2)-Personal, he can't set up a RADIUS server that authenticates against your domain for WPA(2)-Enterprise). Therefore, your computer won't connect to this other version of FRAMISTAN because your computer has certain security requirements not met by the bad guy in the lounge.

So my advice: leave your SSID broadcasts switched on, use WPA or WPA2, and don't worry about your wireless security any more.

--
Steve Riley
steve.ri***@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"lldan" wrote:

Thanks for the explanations. This is a great help and answers my questions.
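To make the matching logic in Steve Riley's reply concrete, here is an added Python model that is not part of the thread or of any Microsoft code: a simplified preferred-network list with constructed SSIDs and security settings, a constructed lounge beacon that copies the FRAMISTAN name, and an audit helper that flags the only entries a name-copying access point could satisfy, which is exactly the "if the wireless network is not secured" case the KB warns about.

```python
from dataclasses import dataclass

# Constructed, simplified model of the client-side matching in the reply above:
# the laptop joins an AP only when the SSID AND the stored security settings match.

@dataclass(frozen=True)
class Profile:          # one preferred-network entry on the laptop (hypothetical)
    ssid: str
    auth: str           # "open", "WPA2-PSK", "WPA2-Enterprise"
    cipher: str         # "none", "AES"

@dataclass(frozen=True)
class Beacon:           # what an access point advertises, genuine or impersonated
    ssid: str
    auth: str
    cipher: str

# Constructed sample data: the corporate network from the thread plus two hotspots
# a travelling user once joined; list order is the preferred-network priority.
PREFERRED = [
    Profile("FRAMISTAN", "WPA2-Enterprise", "AES"),
    Profile("HotelGuest", "WPA2-PSK", "AES"),
    Profile("AirportFreeWifi", "open", "none"),
]

def will_associate(profile: Profile, beacon: Beacon) -> bool:
    # The name alone is never enough. This compares advertised settings only; in the
    # real handshake the passphrase or RADIUS authentication is what an impostor lacks.
    return (profile.ssid, profile.auth, profile.cipher) == (beacon.ssid, beacon.auth, beacon.cipher)

def choose_network(profiles, beacons):
    """Return the SSID of the first preferred profile some visible beacon satisfies, or None."""
    for p in profiles:
        for b in beacons:
            if will_associate(p, b):
                return p.ssid
    return None

def impersonable_profiles(profiles):
    """Audit helper: entries a stranger can satisfy just by copying the name (open, no secret)."""
    return [p.ssid for p in profiles if p.auth == "open"]

# Lounge scenario from the reply: an AP copies the FRAMISTAN name but cannot offer
# WPA2-Enterprise, so choose_network() returns None and the laptop stays off it.
LOUNGE_ROGUE = [Beacon("FRAMISTAN", "open", "none")]

if __name__ == "__main__":
    print(choose_network(PREFERRED, LOUNGE_ROGUE))     # None
    print(impersonable_profiles(PREFERRED))            # ['AirportFreeWifi']
```

The audit helper is the practical takeaway for a fleet like the one described: the risk in the preferred list is not the corporate WPA2 entry but any open hotspot profile left behind by travel, which is what should be pruned or managed centrally.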