Recommendations for Small Office or Home Office Wireless Networks

Writer: Joe Davies

On This Page

Abstract
Recommendations
Use Authentication and Data Encryption
Change the Wireless AP’s Default Wireless Network Name
Do Not Use Non-broadcast Wireless Networks
Do Not Use MAC Address Filtering
Do Not Use Shared Key Authentication
For More Information

Abstract

This article provides recommendations for configuring a protected wireless network in a small office or home office that does not use a Microsoft® Windows® domain.

Recommendations

The following are the recommendations from Microsoft to protect small office and home office IEEE 802.11 wireless networks:

  • Use authentication and data encryption

  • Change the wireless access point’s default wireless network name

  • Do not use non-broadcast wireless networks

  • Do not use media access control (MAC) address filtering

  • Do not use shared key authentication

The following sections describe these recommendations in detail.

Use Authentication and Data Encryption

Protection for IEEE 802.11 wireless networks consists of encryption and authentication. Encryption scrambles the data in wireless frames before they are sent on the wireless network, preventing eavesdroppers from interpreting the contents of wireless data frames. Authentication requires wireless clients to provide security credentials before they are allowed to join the wireless network, preventing unauthorized and possibly malicious users from using the wireless network. A wireless network that does not use authentication and data encryption is vulnerable to malicious users that can attack the computers on your wireless network or use your Internet connection for malicious or illegal activities.

For a small office or home office wireless network that does not use a Windows domain, you should use one of the following combinations of authentication and encryption (in order of most to least protected):

  • Wi-Fi Protected Access 2 (WPA2)-Personal authentication (also known as Preshared Key [WPA2-PSK]) with Advanced Encryption Standard (AES) encryption

  • Wi-Fi Protected Access (WPA)-Personal (also known as WPA-PSK authentication) with Temporal Key Integrity Protocol (TKIP) encryption

  • Open system authentication with Wired Equivalent Privacy (WEP) encryption

You will also need to configure your wireless access point (AP) for the same combination of authentication method, encryption method, authentication key, and encryption key as your wireless clients.

For information about how the different wireless security technologies are supported by different versions of Windows, see Wireless LAN Technologies and Microsoft Windows. For more information about wireless security authentication and encryption methods, see IEEE 802.11 Wireless LAN Security with Microsoft Windows.

WPA2-Personal Authentication with AES Encryption

To configure Windows Vista™-based wireless clients, do the following:

  • On the Manually connect to a wireless network page of the Connect to a network wizard, select WPA2-Personal in Security type and AES in Encryption type. Then, type the WPA2 preshared key in Security Key/Passphrase.

  • Alternatively, you can use the Setup a wireless router or access point option of the Connect to a network wizard to automate the configuration of a WPA2 preshared key.

To configure Windows XP-based wireless clients for WPA2-Personal authentication and AES encryption, do the following:

  • On the Association tab of the properties of the wireless network, select WPA2-PSK in Network Authentication and AES in Data encryption. Then, type the WPA2 preshared key in Network key and Confirm network key.

If you are manually typing the WPA2 preshared key, you should create a random sequence of either keyboard characters (upper and lowercase letters, numbers, and punctuation) at least 20 characters long or hexadecimal digits (numbers 0-9 and letters A-F) at least 24 hexadecimal digits long. If you use the Setup a wireless router or access point option of the Connect to a network wizard, Windows Vista automatically creates a random 63-character WPA2 preshared key.

WPA-Personal Authentication with TKIP Encryption

To configure Windows Vista-based wireless clients, do the following:

  • In the Connect to a network wizard, select WPA-Personal in Security type and TKIP in Encryption type. Then, type the WPA preshared key in Security Key/Passphrase.

  • Alternatively, you can use the Setup a wireless router or access point option of the Connect to a network wizard to automate the configuration of a WPA preshared key.

To configure Windows XP-based wireless clients, do the following:

  • On the Association tab of the properties of the wireless network, select WPA-PSK in Network Authentication and TKIP in Data encryption. Then, type the WPA preshared key in Network key and Confirm network key.

  • Alternatively, you can use the Wireless Network Setup wizard in Windows XP with Service Pack 2 to automate the configuration of a WPA preshared key. For more information, see The New Wireless Network Setup Wizard in Windows XP Service Pack 2.

If you are manually typing the WPA preshared key, you should create a random sequence of either keyboard characters (upper and lowercase letters, numbers, and punctuation) at least 20 characters long or hexadecimal digits (numbers 0-9 and letters A-F) at least 24 hexadecimal digits long.
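As an added example (not part of the original article), the following Python script applies the preshared key guidance given for both WPA2-Personal and WPA-Personal above: it generates a random key that meets the length rules, checks a manually typed key against them, and derives the 256-bit PSK from the passphrase and SSID the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt). The 8-63 character passphrase limit and the 64-hex-digit raw PSK form are taken from 802.11i, not from this article.

```python
"""Generate, check and derive a WPA/WPA2 preshared key (added example)."""
import hashlib
import secrets
import string

# "Keyboard characters" as the article defines them: letters, digits, punctuation.
KEYBOARD_CHARS = string.ascii_letters + string.digits + string.punctuation
HEX_CHARS = "0123456789ABCDEFabcdef"


def generate_key(length: int = 63, hex_digits: bool = False) -> str:
    """Random key from the OS CSPRNG. The 63-character default matches what the
    Windows Vista wizard produces; the article's floor is 20 keyboard characters
    or 24 hex digits."""
    alphabet = "0123456789ABCDEF" if hex_digits else KEYBOARD_CHARS
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_key(key: str) -> list[str]:
    """Return the reasons a manually typed key falls short (empty list = passes)."""
    problems = []
    is_hex = bool(key) and all(c in HEX_CHARS for c in key)
    if is_hex:
        if len(key) < 24:
            problems.append("hex key shorter than 24 digits")
    else:
        if any(c not in KEYBOARD_CHARS for c in key):
            problems.append("contains characters outside letters/digits/punctuation")
        if len(key) < 20:
            problems.append("keyboard-character key shorter than 20 characters")
        if not 8 <= len(key) <= 63:
            problems.append("passphrase must be 8-63 characters (802.11i)")
    return problems


def derive_psk(key: str, ssid: str) -> bytes:
    """Pairwise master key as 802.11i computes it. Exactly 64 hex digits is the
    raw 256-bit PSK; anything else (including shorter hex keys) is a passphrase
    run through PBKDF2-HMAC-SHA1 with the SSID as salt, so the same passphrase
    yields a different PSK on a differently named network."""
    if len(key) == 64 and all(c in HEX_CHARS for c in key):
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("ascii"), 4096, 32)


if __name__ == "__main__":
    key = generate_key()  # constructed at run time, never reuse a printed sample
    print("key:", key, "problems:", check_key(key))
    print("psk:", derive_psk(key, "HomeOfficeNet").hex())  # hypothetical SSID
```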

Open System Authentication with WEP Encryption

The open system authentication with WEP encryption security configuration is only recommended for temporary use while you are upgrading your wireless hardware to support WPA or replacing it with wireless hardware that supports WPA2. WPA support for wireless hardware has been available since February 2002. If your wireless hardware does not support at least WPA, contact your wireless hardware vendors for the appropriate updates for your wireless AP and wireless network adapters.

Note

Open system authentication is not really authentication. It is included here because without WPA or WPA2, WEP is the only encryption option and using shared key authentication makes WEP encryption more vulnerable to attack. See the "Do Not Use Shared Key Authentication" section of this article for more information. Static WEP—in which the WEP key is manually configured and does not change unless manually reconfigured—is discouraged due to well-documented security weaknesses. However, open system authentication with WEP encryption is better than configuring your wireless network with open system authentication and no encryption. Therefore, Microsoft discourages the use of open system authentication with WEP encryption except as an interim configuration while you are upgrading your wireless hardware to support WPA or WPA2.

Change the Wireless AP’s Default Wireless Network Name

Wireless APs are preconfigured with a wireless network name, also known as a Service Set Identifier (SSID). Microsoft strongly recommends that you change the default wireless network name to a unique name for your small office or home office location. In other words, the name of your wireless network should not be duplicated by other wireless networks that are visible from your small office or home office. If you do not change the default wireless network name and there is another wireless network near your location with the same default name, then it is possible for your wireless clients to connect to the neighboring wireless network, causing wireless connectivity confusion.

Do Not Use Non-broadcast Wireless Networks

Many wireless APs can be configured to not broadcast their wireless network name. A wireless network that does not broadcast its wireless network name is known as a non-broadcast or hidden wireless network. This feature of wireless APs has the goal of preventing unauthorized wireless clients from being able to detect a wireless network. However, a non-broadcast network is not undetectable. Non-broadcast network names are advertised in various messages sent by wireless clients and wireless APs.

Configuring your wireless APs for non-broadcast mode does prevent the casual wireless client from discovering your wireless network. However, even the most unsophisticated malicious user can capture the messages containing the wireless network name sent by wireless clients or your wireless AP and determine your wireless network name.

Besides being a weak form of wireless network name privacy, non-broadcast wireless networks also create problems for authorized wireless clients that want to automatically connect to the non-broadcast wireless network. For example, because the wireless network name is not being advertised, the wireless client must send messages containing the wireless network name in an attempt to locate a wireless AP for the wireless network. These messages advertise the name of the wireless network, reducing the privacy of the wireless configuration of the wireless client. For more information, see Non-broadcast Wireless Networks with Microsoft Windows.

For these reasons, Microsoft strongly recommends that rather than trying to hide your wireless network, you should advertise its presence but protect your wireless network with the strongest possible authentication and encryption option as described in the "Use Authentication and Data Encryption" section of this article.

Do Not Use MAC Address Filtering

Some wireless APs allow you to configure a list of media access control (MAC) addresses of allowed wireless clients. The MAC address is a unique number assigned to your wireless network adapter by its manufacturer. This feature, known as MAC address filtering, has the goal of providing protection by only allowing communication with wireless clients using known MAC addresses.

However, MAC address filtering requires that you configure the wireless AP with the list of allowed MAC addresses and maintain that list for new wireless clients and devices. Additionally, MAC address filtering is a weak form of protection. An unsophisticated malicious user can easily capture data traffic sent to or from allowed wireless clients on your wireless network, determine an allowed MAC address, and then configure their own wireless adapter to use the allowed MAC address.

For these reasons, Microsoft strongly recommends that, rather than trying to keep unauthorized wireless users off your wireless network with MAC address filtering, you prevent unauthorized access by using the strongest possible authentication and encryption option as described in the "Use Authentication and Data Encryption" section of this article.

Do Not Use Shared Key Authentication

Shared key authentication is the other authentication method available with static WEP encryption (the first is open system authentication). For most wireless clients and wireless APs, the shared key authentication key is the same as the static WEP encryption key. A malicious user that captures the messages of a successful shared key authentication can use analysis tools to determine the shared key authentication key, and therefore the static WEP encryption key. After the WEP encryption key has been determined, the malicious user has full access to your network, as if WEP encryption were not enabled.

Although shared key authentication sounds like a stronger authentication method than open system, Microsoft strongly discourages the use of shared key authentication because it makes a static WEP encryption key much easier to determine.

For More Information

For more information about configuring Windows-based wireless clients for a small office or home office wireless network, see the following: