Dec 19, 2011

Wi-fi Show Characters


The customer reports that when the wireless network is configured for end users, the "Show characters" option is available to display the password, and some end users are using it to share the password with unauthorized people.

The customer would like to know how to disable this option.


This assumes the customer is talking about "Show characters" on the Security tab of the wireless profile. The feature exists so that administrators can recover a forgotten wireless network key. The customer must either configure users as non-admin or use a more robust enterprise authentication method for wireless authentication.

Windows 7 adds the ability to recover a forgotten wireless network key. To accomplish this, open the properties of the wireless network, and from the Security tab check the box next to Show characters. This will show a previously entered wireless network key, so that it can be recovered without resetting the router back to factory defaults. Viewing the wireless network key in this manner requires administrative rights. This feature is protected by a UAC prompt.

Problem:

How to prevent users from viewing the WEP key in plaintext.

Resolution:

Usually the key will be masked in the UI if it is provisioned in the profile. For example, the steps below provision the profile with the shared WEP key.

1. On a Windows 7 machine, create a new wireless profile, set the WEP authentication method along with the WEP key, and save the change.

2. Open a command window with Run as administrator and run the command netsh wlan export profile. All of the wireless network profiles will be exported to files in the current directory.

3. Copy the file for the newly defined profile to a new Windows 7 machine.

4. Log in to the new Windows 7 machine with local admin credentials, open a command window with Run as administrator, then run the command netsh wlan add profile <profile file path>

5. Then log in to the new Windows 7 machine as a non-admin user; the password will be hidden for this user.

NOTE: A local admin user, or a user with equivalent rights, will still be able to toggle the Show characters option to view/hide the WEP key.
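An added example, not part of the original post: a Python check to run on a file produced by step 2 before it is copied in step 3. It reports the profile's authentication settings and whether the file carries the key in cleartext, without echoing the key; the sample profile, SSID and key are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample in the shape written by "netsh wlan export profile".
# The SSID and key are made up for this example.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleCorpWiFi</name>
  <SSIDConfig><SSID><name>ExampleCorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>open</authentication>
      <encryption>WEP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>networkKey</keyType>
      <protected>false</protected>
      <keyMaterial>0123456789</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""


def audit_profile(xml_text):
    """Return (summary, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()
    sec = "w:MSM/w:security/"
    summary = {
        "name": text("w:name"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "use_8021x": text(sec + "w:authEncryption/w:useOneX").lower() == "true",
        "has_shared_key": root.find(sec + "w:sharedKey", NS) is not None,
        "key_protected": text(sec + "w:sharedKey/w:protected").lower() == "true",
    }
    findings = []
    if summary["encryption"].upper() == "WEP":
        findings.append("WEP encryption: key is recoverable by passive eavesdropping")
    if summary["has_shared_key"] and not summary["key_protected"]:
        findings.append("keyMaterial is stored in cleartext in this file")
    if summary["has_shared_key"] and not summary["use_8021x"]:
        findings.append("shared key: any local admin can reveal it with Show characters")
    return summary, findings
```

A profile that uses 802.1X and carries no sharedKey element returns no findings, which is the state the post recommends for enterprise deployments.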




More analysis:


On Windows 7, however, the WEP key UI was overhauled compared with Windows XP for users with local administrator rights. Those admin users will always be able to view the keys. The thinking behind this change is that many SOHO/home users tend to forget the shared WEP key, and it is somewhat difficult to recover because there is no obvious UI for it on XP. So it was decided to introduce the ability for users with admin rights to view the key on Windows 7, and this behavior cannot be turned off.

Furthermore, OPEN/WEP wireless authentication is often intended for personal/home users, and it has been proven to be less secure than other authentication options. A cryptanalysis of WEP has been published that exploits the way the RC4 cipher and IV are used in WEP, resulting in a passive attack that can recover the RC4 key after eavesdropping on the network. Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute. As a result, it is recommended to use a stronger and more secure authentication method such as 802.1X/WPA2 in enterprise environments. For more wireless deployment options, please refer to:


• Foundation Network Companion Guide: Deploying 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2

Get instructions on how to deploy 802.1X authenticated wireless access by using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).

• 802.1X Authenticated Wireless Access Design Guide

Learn how to plan and design a new end-to-end 802.1X authenticated wireless infrastructure deployment, using features in Windows Server 2008 and 802.1X-capable wireless access points that you deploy on your network.

• IEEE 802.11 Wireless LAN Security with Microsoft Windows

Understand the security issues with 802.11 wireless networks and how Microsoft Windows can be used to make 802.11 wireless networks as secure as the 802.11 standards allow.

• The Advantages of PEAP

Learn about the efforts of the IEEE and the Internet Engineering Task Force (IETF) to address secure wireless access and see how the Protected Extensible Authentication Protocol (PEAP) compares to other standards-based and proprietary schemes.

• July 2010 - Connecting to Wireless Networks with Windows 7

This article describes how to connect to 802.11 wireless networks and manage wireless network profiles with Windows 7.

• May 2005 - Wi-Fi Protected Access 2 (WPA2) Overview

The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update for Windows XP with Service Pack 2 is a free download that updates the wireless client components in Windows XP with Service Pack 2 to support WPA2. This article describes the features of WPA2 security and WPA2 support included with the update.

There are more resources on the wireless portal http://technet.microsoft.com/en-us/network/bb530679.aspx.

