Planning for Recommended Security Configurations
Updated: December 19, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2
IEEE 802.11 wireless LANs have a historical reputation of being unsafe. While that may have been true for the original 802.11 standard, the latest developments in wireless standards such as IEEE 802.1X, Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access 2 (WPA2) provide strong protection for wireless traffic in the most rigorous security environments. If you deploy the latest set of wireless standards with a strong authentication method, there are substantial cryptographic barriers to unauthorized wireless clients and passive attackers.
Microsoft recommends that you use one of the following combinations of security technologies. These security technologies are listed in order of most secure to least secure.
- WPA2 with Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) authentication and both user and computer certificates.
PEAP-TLS is the strongest 802.1X authentication method supported by Windows-based wireless clients.
- WPA2 with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication and both user and computer certificates.
EAP-TLS uses digital certificates to provide mutual authentication, in which the wireless client authenticates itself to the authentication server and vice versa. EAP-TLS authentication requires a public key infrastructure (PKI) to issue certificates and keep them current. For the highest security, configure your PKI to issue both user and computer certificates for wireless access.
- WPA2 with PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) authentication and require strong user passwords.
EAP-TLS is a stronger 802.1X authentication method than PEAP-MS-CHAP v2 and is also supported by Windows-based wireless clients. If a PKI deployment is not possible or feasible, you can use PEAP-MS-CHAP v2. PEAP is a one-way authentication scheme. MS-CHAP v2 is an authentication protocol that was originally developed for dial-up and VPN remote access connections and like EAP-TLS performs mutual authentication. PEAP-MS-CHAP v2 can be used to provide strong password-based authentication of wireless clients, but only when used in conjunction with strong user password requirements on your network.
Note: If you are deploying PEAP-MS-CHAP v2 authentication, require the use of strong passwords on your network. Strong passwords are longer than 8 characters and contain a mixture of upper and lower case letters, numbers, and punctuation. In an Active Directory domain, use Group Policy settings in Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy to enforce strong user password requirements.
- WPA with PEAP-TLS authentication and both user and computer certificates.
If your wireless equipment does not yet support WPA2, use WPA with PEAP-TLS.
- WPA with EAP-TLS authentication and both user and computer certificates.
- WPA with PEAP-MS-CHAP v2 authentication and require strong user passwords.
If your wireless equipment does not yet support WPA2 and a PKI deployment is not possible or feasible, use WPA with PEAP-MS-CHAP v2.
This section describes additional recommendations for security on Microsoft Windows-based 802.11 wireless networks.
Microsoft recommends that you do not use the following:
- Beacon Service Set Identifier (SSID) suppression.
The SSID (also known as a wireless network name) is by default included in the Beacon frames sent by wireless access points (APs). Configuring your wireless APs to suppress the advertising of the SSID information element in Beacon frames does prevent the casual wireless client from discovering your wireless network. However, SSID suppression does not prevent even an unsophisticated malicious user from capturing other types of wireless management frames sent by your wireless AP and determining your SSID.
If you want to use SSID suppression, remember that Windows XP Wireless Auto Configuration connects to the first preferred wireless network that is advertising its SSID, even though it is lower in the preferred networks list than a wireless network that is present but is not advertising its SSID. This behavior can produce confusing results when you introduce a Windows-based wireless client using Wireless Auto Configuration into a wireless environment in which some wireless networks are advertising their SSID and some are not.
- Media access control (MAC) address filtering.
MAC address filtering allows you to configure your wireless APs with the set of MAC addresses for allowed wireless clients. MAC address filtering adds administrative overhead to keep the list of allowed MAC addresses current and does not prevent a malicious user from spoofing an allowed MAC address.
- Static WEP or shared key authentication.
Static Wired Equivalent Privacy (WEP)—in which the WEP key is manually configured and does not change on a per-client or per-authentication basis—is strongly discouraged due to well-documented security weaknesses. The use of shared key authentication is strongly discouraged because it makes a static WEP encryption key much easier to determine.
- VPN connections.
To overcome the weaknesses of WEP, some industry sources recommend the use of a virtual private network (VPN) connection to secure wireless frames sent over a private wireless network. With the proper use of modern 802.11 security standards such as WPA or WPA2, VPN connections are not needed to secure wireless frames. Using VPN connections to secure wireless networks adds complexity and can cause problems for roving wireless users.
Microsoft recommends that you do not use the following, except if used temporarily when transitioning to a WPA2 or WPA-based security configuration:
- WEP with 802.1X authentication, PEAP-TLS or EAP-TLS with both user and computer certificates, and periodic reauthentication.
If your wireless equipment does not support WPA2 or WPA, you can use the combination of dynamic WEP (WEP with 802.1X authentication) and either PEAP-TLS or EAP-TLS with both user and computer certificates. To change the per-client WEP encryption key for a wireless client session, force your wireless clients to periodically reauthenticate by configuring your wireless APs or Remote Authentication Dial-In User Service (RADIUS)-based authentication servers.
- WEP with 802.1X authentication, PEAP-MS-CHAP v2, periodic reauthentication, and require strong user passwords.
If your wireless equipment does not support WPA2 or WPA and you are not deploying a PKI, you can use the combination of dynamic WEP and PEAP-MS-CHAP v2. However, you must also require strong user passwords and force your wireless clients to periodically reauthenticate.
The deployment of a secure wireless infrastructure only prevents unauthorized access to your wireless network through managed wireless APs. A secure wireless infrastructure does not prevent an employee from plugging an unmanaged or rogue wireless AP with an unsecured configuration into your intranet. After it is plugged into your intranet, any wireless client that can connect to the rogue wireless AP can connect to your intranet.
To combat this problem, inform your employees of the security risks and consequences of plugging rogue wireless APs into an intranet network port. To detect rogue wireless APs, some types of network switches allow you to scan for the manufacturer ID portion of the six-byte MAC addresses of known wireless AP vendors. When the switch detects a rogue wireless AP, it can shut down the switch port and send a notification. Alternatively, you can install wireless LAN scanning equipment to listen for rogue wireless APs.
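As an added illustration of the switch-based rogue AP detection described above (example code written for this page, not from the original article or from any switch vendor), the following Python scans a switch MAC-address table for addresses whose manufacturer ID (the first three bytes of the six-byte MAC address) matches a wireless AP vendor and that were learned on a port not assigned to a managed AP. The vendor prefixes, port names and table rows are constructed placeholders.

```python
import re

# Constructed placeholder OUIs standing in for the manufacturer-ID prefixes
# (first three bytes of a six-byte MAC) of known wireless AP vendors; a real
# deployment would load this list from the IEEE OUI registry.
AP_VENDOR_OUIS = {"00:11:22": "ExampleAP Inc", "AA:BB:CC": "DemoWireless Ltd"}

# Switch ports where managed wireless APs are legitimately connected (constructed).
MANAGED_AP_PORTS = {"Gi1/0/24"}


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55 and
    return upper-case colon form; raise ValueError on anything else."""
    digits = re.sub(r"[.:-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_rogue_aps(mac_table: str) -> list[tuple[str, str, str]]:
    """Scan a switch MAC-address table (one 'VLAN MAC TYPE PORT' row per line)
    and return (port, mac, vendor) for each MAC whose OUI belongs to a wireless
    AP vendor and that was learned on a port not reserved for managed APs."""
    rogues = []
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header, separator or blank line
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue  # malformed row: skip rather than crash the scan
        port, vendor = fields[-1], AP_VENDOR_OUIS.get(mac[:8])
        if vendor and port not in MANAGED_AP_PORTS:
            rogues.append((port, mac, vendor))
    return rogues


# Constructed sample in the style of a Cisco 'show mac address-table' listing.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    aabb.cc01.0203    DYNAMIC     Gi1/0/24
  20    0050.5612.3456    DYNAMIC     Gi1/0/3
"""

if __name__ == "__main__":
    for port, mac, vendor in find_rogue_aps(SAMPLE_MAC_TABLE):
        print(f"possible rogue AP {mac} ({vendor}) on {port}")
```

A hit on a port outside the managed set is the condition on which a switch would shut the port and raise a notification; the AP on the managed port is deliberately not reported.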