The customer reported that when a wireless network is configured for end users, the "Show characters" option is available to display the password, and some end users are using it to share the password with unauthorized people.
The customer would like to know how to disable this option.
Assuming the customer is talking about "Show characters" on the
Security tab of the wireless profile: this feature exists so that
administrators can recover a forgotten wireless network key.
The customer must configure users as non-admin, or use a more robust
enterprise authentication method for wireless authentication.
Windows 7 adds the ability to recover a forgotten
wireless network key. To accomplish this, open the properties of the wireless
network, and from the Security tab check the box next to Show characters. This
will show a previously entered wireless network key, so that it can be
recovered without resetting the router back to factory defaults. Viewing the
wireless network key in this manner requires administrative rights. This
feature is protected by a UAC prompt.
Problem:
How to prevent users from viewing the WEP key in
plaintext.
Resolution:
Usually the key will be masked in the UI if it is
provisioned in the profile. For example, the steps below provision the profile
with the shared WEP key.
1. On a Windows 7 machine, create a new wireless
profile, set the WEP authentication method along with the WEP key, and save the
change.
2. Open a command window with Run as administrator
and run the command netsh wlan export profile. All of the wireless network
profiles will be exported to files in the current directory.
3. Copy the file for the newly defined profile to a
new Windows 7 machine.
4. Log in to the new Windows 7 machine with local admin
credentials, open a command window with Run as administrator, then run the command
netsh wlan add profile <profile file path>
5. Then log in to the new Windows 7 machine as a
non-admin user; the password will be hidden for this user.
NOTE: The local admin user, or a user with
equivalent rights, will still be able to toggle the Show characters option to
view/hide the WEP key.
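An added example, not part of the original post: a PowerShell check to run on a profile file exported in step 2 before it is copied in step 3. It reports WEP, the presence of a shared key, and key material stored unencrypted in the file; the sample profile, its SSID and key value are constructed, and Test-WlanProfile is a hypothetical helper name.

```powershell
# Added example: inspect an exported WLAN profile before copying it (step 3).
# Constructed sample; the SSID and key value are placeholders, not real data.
$sample = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleNet</name>
  <SSIDConfig><SSID><name>ExampleNet</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>open</authentication>
      <encryption>WEP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>networkKey</keyType>
      <protected>false</protected>
      <keyMaterial>CONSTRUCTED-PLACEHOLDER</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
'@

# Test-WlanProfile is a hypothetical helper name (PowerShell 2.0 compatible).
function Test-WlanProfile([string]$Xml) {
    $doc = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $sec = $doc.SelectSingleNode('/w:WLANProfile/w:MSM/w:security', $ns)
    if ($null -eq $sec) { throw 'Not a WLAN profile: no MSM/security element' }
    # Return the text of a node, or nothing if the node is absent.
    $text = { param($path) $n = $sec.SelectSingleNode($path, $ns); if ($n) { $n.InnerText } }
    $enc    = & $text 'w:authEncryption/w:encryption'
    $prot   = & $text 'w:sharedKey/w:protected'
    $hasKey = $null -ne $sec.SelectSingleNode('w:sharedKey', $ns)
    $findings = @()
    if ($enc -eq 'WEP')    { $findings += 'WEP in use: plan a move to 802.1X/WPA2' }
    if ($enc -eq 'none')   { $findings += 'No encryption configured' }
    if ($hasKey)           { $findings += 'Shared key: local admins can reveal it with Show characters' }
    if ($prot -eq 'false') { $findings += 'keyMaterial is stored unencrypted in this file' }
    New-Object PSObject -Property @{
        Profile  = & $text '/w:WLANProfile/w:name'
        Auth     = & $text 'w:authEncryption/w:authentication'
        Cipher   = $enc
        Findings = $findings
    }
}

Test-WlanProfile $sample | Format-List
# For real exports from step 2 (run in the export directory):
# Get-ChildItem *.xml | ForEach-Object { Test-WlanProfile ([IO.File]::ReadAllText($_.FullName)) }
```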
More analysis:
On Windows 7, the WEP key UI has been overhauled
compared with Windows XP for users with local administrator
rights. Those admin users will always be able to view the keys. The
thought behind this change is that many SOHO/home users tend to forget the shared
WEP key, and it is a bit difficult to recover because there is no obvious UI for it
on XP. So it was decided to introduce the ability for users with admin
rights to view the key on Windows 7, and this behavior cannot be turned off.
Furthermore, OPEN/WEP wireless authentication is
often intended for personal/home users and it is proven to be less secure
compared with other authentication options. A cryptanalysis of WEP has
been published that exploits the way the RC4 cipher and IV are used in WEP,
resulting in a passive attack that can recover the RC4 key after eavesdropping
on the network. Depending on the amount of network traffic, and thus the number
of packets available for inspection, a successful key recovery could take as
little as one minute. As a result, it is recommended to use a stronger and more
secure authentication method such as 802.1X/WPA2 in enterprise environments.
For more wireless deployment options, please refer to:
• Foundation Network Companion Guide: Deploying
802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2
Get instructions on how to deploy 802.1X
authenticated wireless access by using Protected Extensible Authentication
Protocol-Microsoft Challenge Handshake Authentication Protocol version 2
(PEAP-MS-CHAP v2).
• 802.1X Authenticated Wireless Access Design Guide
Learn how to plan and design a new end-to-end 802.1X
authenticated wireless infrastructure deployment, using features in Windows
Server 2008 and 802.1X-capable wireless access points that you deploy on your
network.
• IEEE 802.11 Wireless LAN Security with Microsoft
Windows
Understand the security issues with 802.11 wireless
networks and how Microsoft Windows can be used to make 802.11 wireless networks
as secure as the 802.11 standards allow.
• The Advantages of PEAP
Learn about the efforts of the IEEE and the Internet
Engineering Task Force (IETF) to address secure wireless access and see how the
Protected Extensible Authentication Protocol (PEAP) compares to other
standards-based and proprietary schemes.
• July 2010 - Connecting to Wireless Networks with
Windows 7
This article describes how to connect to 802.11 wireless
networks and manage wireless network profiles with Windows 7.
• May 2005 - Wi-Fi Protected Access 2 (WPA2) Overview
The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information
Element (WPS IE) Update for Windows XP with Service Pack 2 is a free download
that updates the wireless client components in Windows XP with Service Pack 2
to support WPA2. This article describes the features of WPA2 security and WPA2
support included with the update.
There are more resources on the wireless
portal http://technet.microsoft.com/en-us/network/bb530679.aspx.