Microsoft Press: Transitioning Your MCSA/MCSE to Windows Server 2008 (2009), part 3

166 CHAPTER 4 Network Access Security
Before You Begin
To complete the lessons in this chapter, you must have done the following:
• Installed and configured the evaluation edition of Windows Server 2008 Enterprise Edition in accordance with the instructions listed in the Introduction.
REAL WORLD
Orin Thomas
One of the biggest shifts in thinking that has gone on since I became an IT professional is the shift in thinking about the LAN as a protected network environment. When I started out, firewalls were placed only at the border between a protected network environment and the Internet. Today’s thinking is different in that it recognizes that the LAN is also potentially hostile to the health of systems. This shift of thinking is evident in the features shipped with Windows Vista and Windows Server 2008, namely the improved firewall and technologies such as Network Access Protection (NAP). Despite our best intentions, not every host that connects to the network we are responsible for managing is entirely under our control. Nothing is stopping a member of the sales team who has been overseas at trade shows for the past three months from connecting his or her laptop computer to the company network upon return. This is not problematic if the member of the sales team has ensured that antivirus protection, antispyware, and Windows Updates have been applied to that computer while he or she was away from the network. But what if, when the laptop computer was away from an environment in which harmful Web content is automatically filtered by Microsoft Internet Security and Acceleration (ISA) Server 2006, that laptop became infected? Without the technologies in Windows Server 2008, the act of connecting that computer to the LAN might activate a virulent worm. As IT professionals, we always need to be able to shift our thinking. Today, if we want to remain secure, we must consider the local area network as potentially hostile as we consider the Internet.
Lesson 1: Wireless Access
In the past decade, wireless network speeds have grown from painfully slow to fast enough that wireless technology is an acceptable replacement for traditional cabling. As wireless networking technology has matured, so have the methods through which administrators manage wireless clients in Windows Server network environments. Windows Server 2008 Group Policy gives you a way to automate the configuration of wireless network connections, ensuring that the people who use mobile computers within your organization can do so in a seamless and secure manner. In this lesson, you learn about the wireless technologies Windows clients and servers support, how you can configure secure authentication and encryption for wireless network connections, and how to deploy connection information automatically to clients through Group Policy.
After this lesson, you will be able to:
• Understand wireless network concepts.
• Understand the difference between ad hoc and infrastructure modes.
• Configure Group Policy related to wireless networks.
• Understand the difference between wireless authentication methods.
• Configure wireless local area network (WLAN) authentication, using 802.1X.
Estimated lesson time: 40 minutes
Wireless Network Components
The first part of this lesson covers the basic concepts behind WLANs. If you are an experienced administrator and already know the most commonly used IEEE 802.11 standards, what a service set identifier (SSID) does, the difference between ad hoc and infrastructure modes, and what a wireless access point (WAP) is, you can skip ahead to the section titled “WLAN Authentication.”
IEEE 802.11 Standards
IEEE 802.11 is a collection of standards for WLANs developed by the Institute of Electrical and Electronics Engineers (IEEE), a professional organization that develops industry standards related to information technology, electricity, and electronics. The standards you are most likely to encounter in a modern network environment are as follows:
• 802.11b  This is an older wireless networking standard that has a maximum theoretical network throughput of 11 megabits per second (Mbps) and an approximate indoor range of 35 meters (about 100 feet).
• 802.11g  This is a newer standard than 802.11b and has a maximum theoretical network throughput of 54 Mbps and an approximate range of 35 meters. WAPs that use this standard can be configured to work in mixed mode, which supports both 802.11b and 802.11g clients at the cost of reduced network throughput.
• 802.11n  Although at the time of writing this standard was still awaiting formal approval, vendors sell products that use a draft version of it. It has a maximum theoretical network throughput of 300 Mbps and an approximate range of 70 meters (about 200 feet) and is backward compatible with 802.11b and 802.11g. This means that clients that support the older standards can connect to an 802.11n wireless network.
When considering the purchase of WAPs, remember that access points that support the 802.11n standard can accept connections from clients that use 802.11b and 802.11g as well as 802.11n. Purchasing a WAP that is not compatible with existing wireless client hardware means that you have to replace that hardware for it to work with the new WLAN.

WAPs
WAPs are hardware devices that allow wireless clients, such as laptop computers, to access wireless networks directly and, through routing and switching, to access traditional physical networks, as shown in Figure 4-1. In many small businesses, a single hardware device functions as external firewall, internal switch, and wireless access point. In most larger organizations, WAPs function as a bridge that allows wireless computers, such as laptops and Tablet PCs, to access resources such as servers that are connected to traditional wired networks.
FIGURE 4-1 A basic WLAN. Laptop and Tablet PC wireless clients connect through a wireless access point to the traditional clients and servers on the wired network.
Lesson 1: Wireless Access CHAPTER 4 169
NOTE 802.11 WIRELESS TO 3G/HSDPA
Although WAPs have been defined earlier as connecting to traditional wired networks, some new-model mobile phones have software that can function as a WAP connecting to 3G/HSDPA data networks. This technology enables multiple 802.11 wireless clients to connect to a mobile phone WAP and to share the mobile phone’s data connection.
SSID
An SSID (service set identifier) is a wireless network name that can be up to 32 characters in length. You assign SSIDs to WAPs when you run a WAP’s configuration utility. Some WAPs enable you to configure multiple SSIDs, with each SSID assigned to a different wireless network. It is customary to configure access points to broadcast SSIDs so that wireless clients can detect which wireless networks are available in a particular location. As with creating names for servers and client workstations, in large organizations it is essential to have a coherent and meaningful naming scheme for SSIDs. It is far easier for staff to locate a malfunctioning WAP named “CONTOSO-RM435-WAVERLEY” than it is to locate “ORINS-NEW-WIRELESS-ROUTER.” With 32 characters, you can be descriptive, so there is no need to be cryptic when deploying SSIDs in your organization.
Although it is possible to configure WAPs not to broadcast SSIDs, Microsoft does not recommend this as a form of security. Even when an SSID is not broadcast, it is trivial to detect with an appropriate set of tools, because the SSID still appears in the frames clients send when they connect. Worse, a client configured to connect to a nonbroadcast network has to send probe requests containing that SSID wherever it goes, so every laptop that leaves the building advertises the “hidden” network name and becomes easier to lure onto a rogue access point. Secure wireless networks by configuring strong authentication methods, not by hiding the network name and hoping that an attacker is not proficient enough to figure it out.
MORE INFO MORE ON NONBROADCAST WIRELESS NETWORKS
To learn more about why Microsoft recommends broadcasting SSIDs, consult the following
article on TechNet:
Ad Hoc Mode vs. Infrastructure Mode
Wireless networks in most Windows Server 2008 network environments function in what is known as infrastructure mode as opposed to what is termed ad hoc mode. An infrastructure mode network has a wireless access point that manages communication between wireless clients. Ad hoc networks are created directly between wireless clients and do not pass through a WAP. Infrastructure mode WLANs are more prevalent in business environments and typically connect wireless clients to traditional wired networks. Because the 70-648 and 70-649 exams concentrate on the server rather than on client operating systems, the focus of this lesson is on infrastructure mode rather than on ad hoc mode wireless networks.
NOTE WIRELESS NETWORKING ON WINDOWS SERVER 2008
By default, the Wireless LAN Service is not installed on Windows Server 2008. You can add it through the Features node of the Server Manager console.
WLAN Authentication
You can restrict access to a wireless network by configuring WAPs to authenticate clients before allowing connections. It is also possible to protect wireless network traffic through encryption. The strength of WLAN encryption depends on the wireless security standard used, although you can layer other network traffic encryption technologies, such as IPsec, on top of WLAN encryption. Always encrypt wireless traffic: anyone within radio range of the WAP can capture all network communication between the access point and the client without ever connecting to the network. Windows clients support the following wireless security standards:
• Unsecured  Unsecured wireless access points allow connections from any client with compatible hardware. When connecting to an unsecured wireless network, Windows Vista and Windows Server 2008 warn users that third parties can read transmissions sent between the client and the WAP. SSL/TLS- and IPsec-encrypted traffic transmitted across a network with no wireless security remains encrypted because that encryption occurs at a higher layer of the Open Systems Interconnection (OSI) model; everything else, including DNS queries, plaintext HTTP and file-sharing traffic, is exposed.
• Wired Equivalent Privacy (WEP)  WEP is an older wireless security standard with serious flaws in its cryptographic design: it uses the RC4 stream cipher with a 24-bit initialization vector that repeats quickly on a busy network. WEP can be configured with a 40-bit or 104-bit key, usually marketed as 64-bit or 128-bit encryption because the initialization vector is counted. Freely available tools recover a WAP’s WEP key in minutes by capturing and analyzing ordinary wireless traffic, and the longer key does not materially change this. WEP deters people from casually connecting to an access point without authorization but will not stop anyone who is determined to get access; treat a WEP network as an open network. The WAP performs authentication when WEP is in use.
• Wi-Fi Protected Access with Preshared Key (WPA-PSK/WPA2-PSK, WPA-Personal/WPA2-Personal)  This standard uses a preshared key, as WEP does. Although the cryptography behind WPA-PSK is far more sophisticated than WEP, making it much harder to compromise, an attacker who captures the four-way handshake of a single client connection can run an offline dictionary or brute-force attack against the passphrase, given enough time. The only defense is passphrase entropy: a long random passphrase is impractical to guess; a short dictionary word is not. With WPA-PSK, the access point performs authentication. WPA2-PSK (802.11i) replaces TKIP with AES-CCMP and is more secure than WPA-PSK, but a weak preshared key can still be recovered in the same way, given enough time and data.
• Wi-Fi Protected Access with Extensible Authentication Protocol (WPA-EAP/WPA2-EAP, WPA-Enterprise/WPA2-Enterprise)  When this standard is used, the WAP forwards authentication requests to a RADIUS server over 802.1X; the WAP itself holds no user credential. On computers running the Windows Server 2008 operating system, the Network Policy Server (NPS) role provides RADIUS authentication functionality. You can learn more about RADIUS by reviewing Chapter 3, “Network Access Configuration.” WPA2-Enterprise supports smart-card, certificate-based, and password-based authentication, and each client receives its own session keys, so one compromised client cannot decrypt another client’s traffic. WPA2-Enterprise (802.11i) is more cryptographically secure than WPA-Enterprise; deploy WPA2-Enterprise if all clients in your network environment support it. Note also that 802.11n devices drop back to 802.11g data rates when TKIP or WEP is in use, so choosing WPA2 with AES is a throughput decision as well as a security one.
When comparing these protocols from a security standpoint, Microsoft recommends deploying WPA2-Enterprise or WPA-Enterprise ahead of the other available methods. These standards are much more difficult to compromise than standards that use preshared keys, and they give you per-user accountability: access can be granted or revoked for an individual Active Directory account, and every authentication attempt is logged on the NPS server. If a preshared key is compromised, you must update every client and every access point with a new preshared key to re-secure the network, and you have no way of knowing who leaked it. If you deploy WPA2-Enterprise or WPA-Enterprise in a Windows Server 2008 environment, the NPS server needs a server certificate that all wireless clients trust; if you also authenticate clients with certificates or smart cards, the clients need certificates as well, which is most easily handled by deploying a Public Key Infrastructure (PKI) and enabling auto-enrollment within Group Policy. Chapter 7, “Active Directory Certificate Services,” covers these topics in detail.
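To make the cost model behind the preshared-key warnings above concrete, here is an added example (it is not code from this book and not a Windows component). It derives the WPA/WPA2 Pairwise Master Key exactly as IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID for 4096 iterations, and then runs a constructed wordlist against a constructed PMK to show what one offline guess costs. A real attack verifies each guess against the MIC of a captured four-way handshake rather than against the PMK itself; the per-guess cost is the same PBKDF2 call, so the direct comparison here stands in for that step without any handshake parsing. The SSID WAP-ONE, the passphrases and the wordlist are made up; the "password"/"IEEE" vector used in the test is the one published in the 802.11i standard.

```python
import hashlib
import hmac
import time

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
# Client and WAP each compute it locally; only keys derived from it are used on the air.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for a WPA/WPA2-Personal network (passphrase 8..63 ASCII chars)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def guess_passphrase(target_pmk: bytes, ssid: str, candidates):
    """Offline guessing loop. A real attack checks each guess against the MIC of a
    captured four-way handshake; comparing against the PMK directly costs the same
    per guess and keeps this example free of handshake parsing.
    Returns (recovered passphrase or None, number of PBKDF2 evaluations spent)."""
    spent = 0
    for candidate in candidates:
        spent += 1
        if hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk):
            return candidate, spent
    return None, spent


def guesses_per_second(ssid: str = "WAP-ONE", sample: int = 25) -> float:
    """Measure the cost of one guess on this machine (single core, pure Python)."""
    start = time.perf_counter()
    for i in range(sample):
        derive_pmk("benchmark-%03d" % i, ssid)
    return sample / (time.perf_counter() - start)


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every passphrase of the given shape at the given guess rate."""
    return alphabet_size ** length / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    ssid = "WAP-ONE"                      # constructed network name
    pmk = derive_pmk("sunshine1", ssid)   # constructed: a passphrase found in common wordlists
    wordlist = ["password", "letmein1", "sunshine1", "Tr0ub4dor&3"]  # constructed
    found, spent = guess_passphrase(pmk, ssid, wordlist)
    rate = guesses_per_second(ssid)
    print(f"recovered {found!r} after {spent} guesses at ~{rate:.0f} guesses/s on this host")
    # The PMK is 256 bits for everyone; only the passphrase's entropy differs between networks.
    print(f"8 lowercase letters at 1e9 guesses/s: "
          f"{years_to_exhaust(26, 8, 1e9) * 365 * 24 * 3600:.0f} seconds")
    print(f"12 random printable characters at 1e9 guesses/s: "
          f"{years_to_exhaust(94, 12, 1e9):.0f} years")
```

The point of the two printed estimates is that WPA2-PSK's strength is not a property of the algorithm but of the passphrase: a dedicated cracking rig is far faster than this script, so size the passphrase for the adversary, or move to WPA2-Enterprise and remove the shared secret altogether.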
MORE INFO WIRELESS NETWORKING TECHCENTER
To find out more about wireless networking in Microsoft operating systems, consult the wireless networking TechCenter on TechNet at: /network/bb530679.aspx.
Quick Check
1. Which wireless authentication protocol is the most secure out of the following:
WPA2-EAP, WPA-EAP, WPA2-PSK, WPA-PSK, and WEP?
2. Which wireless authentication protocols do not use a preshared key to authenti-
cate the client to the WAP?
Quick Check Answers
1. WPA2-EAP is more cryptographically secure than WPA-EAP, WPA2-PSK, WPA-
PSK, and WEP.
2. WPA2-Enterprise (WPA2-EAP) and WPA-Enterprise (WPA-EAP) do not use pre-
shared keys to authenticate the client to the access point.
Wireless Group Policy
Wireless Network (IEEE 802.11) policies enable clients within your organization to connect to wireless networks with a minimum of end-user intervention and enable you to configure properties for specific access point identifiers, called SSIDs, in your organization. A wireless network policy consists of a collection of profiles. A profile defines how the client should treat specific SSIDs in your organization. A single profile can address multiple SSIDs and specifies the authentication methods and encryption technologies each access point supports. For example, you might create one profile for the WAP1, WAP2, and WAP3 SSIDs, specifying the WPA2-Enterprise authentication method, the Microsoft PEAP network
authentication method, and the AES encryption algorithm. You might create another profile for SSID WAP4 that specifies the WPA2-Personal authentication method and the TKIP encryption algorithm. Prefer AES wherever the hardware supports it; TKIP exists for compatibility with older WPA equipment and is not permitted at 802.11n data rates.
When you select the WPA/WPA2-Enterprise authentication method, you must also specify a network authentication method, as shown in Figure 4-2. The network authentication method is required because authentication occurs against an NPS/RADIUS server rather than against the WAP. Four authentication modes are available: Computer Authentication, User Re-authentication, User Authentication, and Guest Authentication. When the computer-only authentication mode is selected, the computer account authenticates the WAP connection before logon, so the computer can reach domain controllers to apply Group Policy and process domain logons, and users get transparent access to the network, similar to using a wired network. When the User Authentication mode is selected, authentication occurs only after a user logs on to the computer, so the computer has no network connection until then. You should not select this option unless the Single Sign On option is enabled in Advanced Properties, because a domain logon on a computer with no network connection succeeds only when that user’s credentials have been cached locally, and computer Group Policy and logon scripts cannot be processed at startup.
FIGURE 4-2 Wireless authentication policy.
When you select the User Re-authentication option, authentication is performed using computer credentials when no user is logged on and user credentials once a user logs on. You can configure this method so that a computer has limited access to the network until user credentials are provided. No network authentication method needs to be specified when the WPA/WPA2-Personal method is selected, because the preshared key is the only credential. The advanced security settings, shown in Figure 4-3, enable you to enforce advanced cryptography settings, enable Single Sign On, enable Fast Roaming (Pairwise Master Key caching and pre-authentication, which avoid a full 802.1X exchange every time a client moves between access points), and restrict the client to cryptography from FIPS 140-2 certified modules. Enable Single Sign On if you have chosen to implement the User Authentication mode, because it performs the 802.1X authentication as part of the Windows logon, before the user’s credentials need to reach a domain controller, so logon works even when the user’s credentials have not been cached.
FIGURE 4-3 Advanced Security Settings.
Wireless network policies are configured per client operating system: you create a policy for Windows Vista or a separate policy for Windows XP. Computers running Windows XP are not affected by the Windows Vista policy and vice versa. Although you can apply policies for both client operating systems in the same GPO, many network administrators find it simpler to separate client computers into different organizational units (OUs) and to apply separate policies if the settings for one operating system differ significantly from the settings for the other.
Wireless network policies also enable you to prevent wireless clients from connecting to infrastructure networks or to ad hoc networks. It is also possible to configure policies that allow users to view networks to which they are denied access, to use Group Policy profiles only for allowed networks, and to allow any user to create a wireless network profile. Blocking ad hoc networks is worth doing on domain laptops, because an ad hoc connection links an unmanaged peer directly to a computer that also holds credentials for your wired network. You configure some of these settings in the practice at the end of this lesson.
If you need to troubleshoot wireless network policies, the commands available when netsh is in the wlan context are useful. You can also use the netsh wlan commands to examine the currently applied Group Policy settings, and to configure wireless clients through commands or scripts rather than through Group Policy. The command that provides the most information is netsh wlan show all, which lists the adapter’s capabilities, the networks currently visible, and every configured profile; it is the best starting point for debugging problems with wireless access policies. netsh wlan show profiles lists the profiles on the computer and marks those delivered by Group Policy, and netsh wlan export profile writes a profile, including its authentication, encryption and EAP settings, to an XML file that you can review or import on another computer with netsh wlan add profile.
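As an added example (not from this book and not part of netsh), the following script audits profiles in the XML layout that netsh wlan export profile writes, flagging the settings this lesson warns about: open or WEP security, TKIP, preshared keys, hidden SSIDs, ad hoc profiles, and 802.1X profiles whose PEAP settings do not validate the NPS server certificate or do not pin the server name. The five profiles are constructed inline so the script runs offline: the Microsoft namespaces and element names are the real ones, but only the subset the audit reads is included and the key material is omitted. The PEAP check assumes the profile carries the PerformServerValidation and ServerNames elements as Windows Vista and Windows Server 2008 export them, and reports a profile without them as not validating. To audit real clients, run netsh wlan export profile folder=C:\profiles and pass each file's contents to audit_profile.

```python
import xml.etree.ElementTree as ET

WEAK_ENCRYPTION = {"none", "WEP", "TKIP"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, *path):
    """Follow a chain of child element names, ignoring namespaces; text or None if absent."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return (elem.text or "").strip()


def _first(root, name):
    """Text of the first descendant with this local name, or None if absent."""
    elem = next((e for e in root.iter() if _local(e.tag) == name), None)
    return None if elem is None else (elem.text or "").strip()


def audit_profile(xml_text):
    """Findings for one exported WLAN profile; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    name = _text(root, "name") or "<unnamed>"
    auth = _text(root, "MSM", "security", "authEncryption", "authentication")
    enc = _text(root, "MSM", "security", "authEncryption", "encryption")
    onex = _text(root, "MSM", "security", "authEncryption", "useOneX") == "true"
    findings = []
    if auth in ("open", "shared"):
        findings.append(f"{name}: no authentication ({auth}); anyone in range can join")
    elif auth in ("WPA", "WPAPSK"):
        findings.append(f"{name}: pre-802.11i WPA ({auth}); move to WPA2")
    if auth and auth.endswith("PSK"):
        findings.append(f"{name}: preshared key; prefer WPA2-Enterprise (802.1X) on domain members")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{name}: encryption {enc}; use AES")
    if _text(root, "SSIDConfig", "nonBroadcast") == "true":
        findings.append(f"{name}: nonBroadcast SSID; the client probes for it wherever it goes")
    if _text(root, "connectionType") == "IBSS":
        findings.append(f"{name}: ad hoc (IBSS) profile on a managed computer")
    if onex:
        # Assumption: PEAP profiles carry PerformServerValidation and ServerNames as Vista and
        # Windows Server 2008 export them; a profile without them is reported as not validating.
        if _first(root, "PerformServerValidation") != "true":
            findings.append(f"{name}: PEAP does not validate the NPS certificate; a rogue AP can harvest credentials")
        elif not _first(root, "ServerNames"):
            findings.append(f"{name}: PEAP accepts any certificate from a trusted CA; pin the NPS server name")
    return findings


def _profile(name, auth, enc, peap=None, hidden=False, ctype="ESS"):
    """Constructed profile in the layout netsh wlan export produces (key material omitted)."""
    onex_xml = "" if peap is None else (
        '<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>'
        '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>'
        '<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>'
        f'<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">{peap}</EapType>'
        '</Eap></Config></EapHostConfig></EAPConfig></OneX>')
    return (
        '<?xml version="1.0"?>'
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
        f'<name>{name}</name>'
        f'<SSIDConfig><SSID><name>{name}</name></SSID><nonBroadcast>{str(hidden).lower()}</nonBroadcast></SSIDConfig>'
        f'<connectionType>{ctype}</connectionType>'
        '<MSM><security><authEncryption>'
        f'<authentication>{auth}</authentication><encryption>{enc}</encryption>'
        f'<useOneX>{str(peap is not None).lower()}</useOneX></authEncryption>'
        f'{onex_xml}</security></MSM></WLANProfile>')


PEAP_V2 = 'xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"'
PEAP_STRICT = ("<ServerValidation><ServerNames>nps.contoso.internal</ServerNames>"
               "<TrustedRootCA>00 11 22 33</TrustedRootCA></ServerValidation>"
               f"<PeapExtensions><PerformServerValidation {PEAP_V2}>true</PerformServerValidation></PeapExtensions>")
PEAP_LAX = ("<ServerValidation><ServerNames></ServerNames></ServerValidation>"
            f"<PeapExtensions><PerformServerValidation {PEAP_V2}>false</PerformServerValidation></PeapExtensions>")

SAMPLES = [  # constructed; names follow the examples used in this lesson
    _profile("WAP-ONE", "WPA2", "AES", peap=PEAP_STRICT),
    _profile("WAP-TWO", "WPA2", "AES", peap=PEAP_LAX),
    _profile("WAP-FOUR", "WPA2PSK", "TKIP"),
    _profile("ORINS-NEW-WIRELESS-ROUTER", "open", "WEP", hidden=True),
    _profile("LAPTOP-SHARE", "open", "none", ctype="IBSS"),
]


def audit_all(profiles=SAMPLES):
    """Map each profile name to its findings."""
    return {_text(ET.fromstring(p), "name"): audit_profile(p) for p in profiles}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The server-validation checks matter most on a domain: a PEAP client that does not validate the NPS certificate, or that accepts any certificate from any trusted CA, will complete MS-CHAP v2 with whatever access point answers to the SSID, which hands the user's domain credential exchange to the attacker.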
MORE INFO MORE ON NETSH WLAN
To find more detailed information on using netsh wlan to configure wireless connectivity and security settings, consult the following TechNet document: http://technet2.microsoft.com/windowsserver2008/en/library/f435edbe-1d50-4774-bae2-0dda33eaeb2f1033.mspx?mfr=true.
Configuring Network Policy and Access Services for Wireless Authentication
You can configure the Network Policy and Access Services role in Windows Server 2008 as a RADIUS server to authenticate WPA2-Enterprise and WPA-Enterprise connections to WAPs. Although NPS as a RADIUS server for remote access connections is covered in Chapter 3, this lesson focuses specifically on using NPS to support the WPA/WPA2-Enterprise protocols on WAPs.
You must add each access point as a RADIUS client. Configuring an access point as a RADIUS client involves setting up a shared secret that you configure on both the access point and the RADIUS server. This shared secret can be generated automatically, as shown in Figure 4-4. The shared secret is what proves to NPS that a request really came from your access point and what protects the integrity of the EAP exchange carried inside RADIUS (the Message-Authenticator attribute is an HMAC keyed with it), so use a long, randomly generated secret and give each WAP its own. RADIUS does not otherwise encrypt the traffic between the WAP and NPS, so keep that path on a management network. The practice at the end of this lesson involves setting up a hypothetical access point as a RADIUS client.
FIGURE 4-4 Configuring an access point as a RADIUS client.
After you add each WAP in your organization as a RADIUS client, you can select from the following authentication methods:
• Microsoft: Smart Card Or Other Certificate  This method (EAP-TLS) requires the user or computer to authenticate with a certificate, either on a smart card or in the local certificate store. The user is prompted to insert the smart card when he or she attempts to connect to the wireless network. The RADIUS/NPS server must trust the CA that issued the client certificates, and clients must trust the CA that issued the NPS server’s certificate.
• Microsoft: Protected EAP (PEAP)  PEAP wraps an inner authentication method inside a TLS tunnel that the client establishes with the RADIUS/NPS server. It requires a computer certificate on the RADIUS/NPS server, issued by a certification authority (CA) that all wireless clients trust. If the inner method is Smart Card Or Other Certificate, a computer or user certificate is also required on every wireless client and the RADIUS/NPS server must trust the CA that issued those client certificates; if the inner method is EAP-MSCHAP v2, no client certificate is needed. You accomplish this most easily by deploying certificates issued by Active Directory Certificate Services (AD CS). Configure clients to validate the server certificate and to accept only your NPS server names; a client that skips server validation will start its authentication with any rogue access point that presents a certificate.
• Microsoft: Secured Password (EAP-MSCHAP v2)  This method requires a computer certificate on the RADIUS/NPS server and the issuing CA to be trusted by all wireless clients; the server certificate is needed because the MS-CHAP v2 exchange must be protected by a TLS tunnel (PEAP) on the air. Clients authenticate by using their domain logon name and password. Bare MS-CHAP v2 is vulnerable to offline attack on a captured exchange, so never expose it on a wireless network without that tunnel.
These authentication methods should be the same as those you specified in the profiles for each access point’s SSID when configuring 802.11 wireless access Group Policy. Check the WAP documentation for details on how to configure the device to forward authentication information to a RADIUS server; you will normally enter the NPS server’s address, the RADIUS authentication port (1812 by default) and the shared secret.
MORE INFO WINDOWS SERVER 2008 AND 802.1X
To learn more about Windows Server 2008 and 802.1X wireless authentication, consult the following article on TechNet: /library/710a912a-0377-414a-91d1-47698e4629361033.mspx?mfr=true.
EXAM TIP
Remember that if an authentication method relies on a preshared key, you will not need a
RADIUS server, but if you are pairing an access point with a RADIUS server, you will need a
shared secret.
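To show what that shared secret actually does on the wire, here is an added example (it is not the book's code and not the NPS implementation). It builds the RADIUS Access-Request a WAP sends when it relays a client's EAP identity, and the check NPS performs on it: the Message-Authenticator attribute is an HMAC-MD5 over the whole packet keyed with the shared secret (RFC 2869), computed with the attribute's own value zeroed. The secret, the client MAC address, the user name and the NAS address 10.50.0.1 (the wap1 address used in the practice) are constructed. A wrong secret and a single flipped bit in the packet both fail the check, which is why the secret must match exactly on both sides and why NPS discards requests from a client whose secret does not match.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865, RFC 2869, RFC 3580)
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 4, 31
ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (counting the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity (RFC 3748): code 2, identifier, length, type 1, identity."""
    data = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(data)) + data


def build_access_request(secret, ident, user, nas_ip, client_mac, eap, authenticator=None):
    """WAP side: wrap the client's EAP message in an Access-Request signed with the secret."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, fresh per request
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + _attr(ATTR_CALLING_STATION_ID, client_mac.encode())
             + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute, so its value is the tail


def parse_attributes(packet: bytes):
    """Yield (type, offset of value, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def verify_access_request(secret: bytes, packet: bytes):
    """NPS side: accept only if the Message-Authenticator verifies under this client's secret."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False, "not an Access-Request"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "length field does not match packet"
    try:
        attrs = list(parse_attributes(packet))
    except ValueError as exc:
        return False, str(exc)
    macs = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False, "Message-Authenticator missing or malformed (required with EAP-Message)"
    off, received = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad Message-Authenticator: wrong shared secret or altered packet"
    return True, "ok"


def demo():
    """Constructed exchange between wap1 (10.50.0.1) and NPS; returns the three verdicts."""
    secret = b"x9Q!mT4-generated-by-NPS-not-a-real-secret"  # constructed
    user = "CONTOSO\\kim_akers"                               # constructed
    request = build_access_request(secret, 7, user, "10.50.0.1", "00-1A-2B-3C-4D-5E",
                                   eap_identity_response(1, user))
    genuine = verify_access_request(secret, request)[0]
    wrong_secret = verify_access_request(b"typo-on-the-access-point", request)[0]
    altered = bytearray(request)
    altered[22] ^= 0x01  # flip one bit in the first byte of the User-Name value
    tampered = verify_access_request(secret, bytes(altered))[0]
    return genuine, wrong_secret, tampered


if __name__ == "__main__":
    print("genuine, wrong secret, tampered:", demo())
```

Note what the secret does not do: nothing in the packet other than User-Password (absent in an 802.1X exchange) is encrypted, so the user name, the client MAC and the EAP messages are readable by anyone on the WAP-to-NPS path. The TLS tunnel of PEAP or EAP-TLS protects the credential itself; the shared secret protects the integrity and origin of the request.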
PRACTICE Configuring Wireless Access
In this practice, you perform tasks similar to those you would perform when configuring a Windows Server 2008 network environment to support wireless access by client computers running Windows Vista. The first exercise configures NPS for wireless access; the second exercise configures Group Policy to support wireless access.
EXERCISE 1 Configure NPS for Wireless Access
In this exercise, you configure server Glasgow to function as a Network Policy/RADIUS server so that it is able to process WPA2-Enterprise authentication traffic. You also configure a hypothetical access point named wap1.contoso.internal with a shared secret that will pair it with the RADIUS server.
1. Log on to server Glasgow with the Kim_Akers user account.
2. Open the Server Manager console, right-click the Roles node. If you have already
installed the Network Policy and Access Services role in a prior practice, proceed to
step 8; otherwise, select Add Roles.
This starts the Add Roles Wizard.
3. Click Next on the Before You Begin page.
4. Select the Network Policy And Access Services check box and click Next.
5. Click Next on the Introduction To Network Policy And Access Services page.
6. On the Role Services page, ensure that the Network Policy Server and Routing And
Remote Access Services check boxes are selected, as shown in Figure 4-5, and then
click Next.
7. On the Confirm Installation Selections page, click Install. When the installation process
finishes, click Close.
FIGURE 4-5 Selecting roles.
8. Open a command prompt and issue the command:
dnscmd /recordadd contoso.internal wap1 A 10.50.0.1
9. Close the command prompt.
10. Open the Network Policy Server console from the Administrative Tools menu.
11. Select the NPS (Local) node. Use the drop-down menu in the Standard Configuration section of the Getting Started pane to select RADIUS Server For 802.1X Wireless Or Wired Connections, as shown in Figure 4-6, and then click Configure 802.1X. This opens the Configure 802.1X Wizard.

FIGURE 4-6

Getting started on configuring wireless authentication.
12. On the Select 802.1X Connections Type page, select Secure Wireless Connections, as
shown in Figure 4-7, and then click Next.
FIGURE 4-7 Configuring NPS wireless authentication.
13. On the Specify 802.1X Switches Or Wireless Access Points (RADIUS Clients) page, click
Add.
This opens the New RADIUS Client dialog box.
14. In the New RADIUS Client dialog box, enter a friendly name for the access point, such
as WAP-ONE. In the Address (IP or DNS) area, enter wap1.contoso.internal.
15. Select Generate, and then click the Generate button.
This generates the shared secret that is entered on the WAP to bind it to the RADIUS
server.
16. Click OK to close the dialog box. Click Next.
17. On the Configure An Authentication Method page, select Microsoft: Secured password
(EAP-MSCHAP v2) from the drop-down list, and then click Next.
18. On the Specify User Groups page, click Next. On the Configure A Virtual LAN (VLAN)
page, click Next.
19. Click Finish to close the Configure 802.1X Wizard.
20. Expand the RADIUS Clients And Servers node, and then select RADIUS Clients. Verify
that WAP-ONE appears, as shown in Figure 4-8, and then close the Network Policy
Server console.
FIGURE 4-8 Wireless access point configured as RADIUS client.
EXERCISE 2 Configure Wireless Access Policies
In this exercise, you configure Wireless Access Group Policy and apply it to an OU in which
you could then place the computer accounts of computers that have wireless cards.
1. Log on to server Glasgow, using the Kim_Akers user account.
2. From the Administrative Tools menu, open the Group Policy Management console.
Expand the Forest: contoso.internal node and the domain node. Right-click the contoso.internal domain, and then select New Organizational Unit. Enter the organizational unit name as Wireless_Computers, and then click OK.
3. Right-click the new Wireless_Computers OU, and then select Create A GPO In This
Domain And Link It Here. In the New GPO dialog box, enter the GPO name as
Wireless_Computer_Policy, and then click OK.
4. Select the Wireless_Computers OU, right-click the Wireless_Computer_Policy GPO, and
then select Edit.
This opens the Group Policy Management Editor.
5. Right-click the Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies node, and then select Create A New Windows Vista Policy.
This opens the New Windows Vista Network Policy Properties dialog box, shown in
Figure 4-9.
FIGURE 4-9 Vista wireless policy.
6. Click Add, and then select Infrastructure.
This opens the New Profile properties dialog box.
7. In the Profile Name area, enter WAP-ONE. In the Network Name(s) (SSID) text box,
enter WAP-ONE, and then click Add.
8. Click the Security tab. Verify that the settings on the Security tab match those of Figure
4-10, and then click OK.
FIGURE 4-10 Authentication and encryption settings.
9. Click the Network Permissions tab. Ensure that the settings on the Network Permis-
sions tab match those in Figure 4-11, and then click OK.
FIGURE 4-11 Wireless network permissions.
10. Close the Group Policy Management Editor, and then close the Group Policy Manage-
ment console.
Lesson Summary
• Access points that support the 802.11n standard can support connections from clients that use 802.11b and 802.11g as well as 802.11n.
• An SSID (service set identifier) is a wireless network name that can be up to 32 characters in length.
• An infrastructure mode network has a WAP that manages communication between wireless clients. Ad hoc networks are created directly between wireless clients.
• WEP is an older wireless security standard that uses a preshared key but is vulnerable to attack. WPA-Personal/WPA2-Personal uses preshared keys. WPA-Enterprise/WPA2-Enterprise forwards authentication requests to RADIUS servers and supports smart card-, certificate-, and password-based authentication.
• Wireless Network (IEEE 802.11) Group Policy allows clients within your organization to connect to wireless networks with a minimum of end-user intervention. Wireless network policies enable you to configure properties for specific access point identifiers. A single profile can address multiple SSIDs and specifies the authentication methods and encryption technologies each access point supports.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Wireless Access.” The questions are also available on the companion DVD if you prefer to
review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong
are located in the “Answers” section at the end of the book.
1. Which of the following authentication protocols enables you to deny access to wireless networks based on an Active Directory user or computer account?
A. WPA2-Enterprise
B. WEP
C. WPA-PSK
D. WPA2-Personal
2. You are configuring Network Policy and Access Services on a computer running Windows Server 2008 so that it responds to authentication traffic forwarded from WAPs in your organization. Which of the following must you do as part of this process?
A. Configure WAPs as RADIUS servers.
B. Configure wireless clients as RADIUS clients.
C. Configure WAPs as RADIUS clients.
D. Configure wireless clients as RADIUS proxies.
3. Which of the following must you ensure when configuring a wireless access policy that uses EAP-MSCHAP v2 as an authentication method?
A. That the CA that issued the computer certificate to the NPS server is trusted by the RADIUS server
B. That the CA that issued the computer certificates to the clients is trusted by the NPS server
C. That the CA that issued the computer certificate to the NPS server is trusted by the clients
D. That the CA that issued the computer certificates to the WAPs is trusted by the clients
4. All the clients at your organization use the Windows Vista Enterprise edition operating system. The Wireless_Clients OU hosts the computer accounts of those computers that have wireless network adapters. A group of executives is planning to have a weekly morning informal strategy meeting in the basement, where there is currently no WAP. The executives want to use the Windows Meeting Space application, included with Windows Vista, to set up a temporary network so that they can share documents. They are currently unable to do this. Which of the following configuration changes should you make to the GPO applied to the Wireless_Clients OU to enable them to meet their goals?
A. Configure the policy to allow users to view denied networks.
B. Configure the policy to allow connections to infrastructure networks.
C. Configure the policy to allow everyone to create wireless profiles.
D. Configure the policy to allow connections to ad hoc networks.
5. When configuring wireless network Group Policy profiles for specific SSIDs, which of
the following WAP authentication protocols require you also to specify a network
authentication method?
A. WEP
B. WPA2-Personal
C. Open
D. WPA2-Enterprise
Lesson 2: Windows Firewall with Advanced Security
Windows Server 2008 ships with a firewall enabled by default. In this lesson, you learn about Windows Firewall with Advanced Security and the features it includes that differentiate it from earlier firewall software included with Microsoft Windows operating systems such as Microsoft Windows Server 2003. You learn how to create inbound and outbound firewall rules, configure rule scope, and configure connection security rules, a technology that is new to Windows Vista and Windows Server 2008.
After this lesson, you will be able to:
• Configure incoming and outgoing traffic filtering.
• Configure Active Directory account integration.
• Identify common ports and protocols.
• Understand the difference between Microsoft Windows Firewall and Windows Firewall with Advanced Security.
• Configure firewalls by using Group Policy.
• Manage isolation policies.
Estimated lesson time: 40 minutes
Windows Firewall and Windows Firewall with Advanced
Security
Windows Server 2008 exposes its host firewall through two management interfaces that work in concert, Windows Firewall and Windows Firewall with Advanced Security. Both administer the same underlying firewall service; the primary difference between them is the complexity of the rules you can apply. Windows Firewall, accessible through Control Panel and shown in Figure 4-12, allows the application of only basic rules. When creating a rule, you can specify an exception based on program or port, but you cannot create advanced exceptions that work based on network location awareness, individual network interfaces, or specific incoming or outgoing addresses. With its limited ability to allow for the refinement of exceptions, Windows Firewall is a blunt instrument when compared to Windows Firewall with Advanced Security. As a server administrator, you are more likely to be interested in the expanded functionality of Windows Firewall with Advanced Security, and the rest of this lesson concentrates on this more complicated technology.
FIGURE 4-12 The Exceptions tab of Windows Firewall.
Network Location Awareness
Before covering Windows Firewall with Advanced Security, it is important to come to terms with the concept of network location awareness. Network location awareness, also known as network profiles, is a technology included in Windows Vista and Windows Server 2008 that enables network-aware applications and services to alter behavior, depending on how a computer is connected to the network. Whenever you connect a computer running Windows Server 2008 to a new network, you are queried as to whether the network is public or private; the domain category is not offered as a choice but is detected automatically. Depending on how the network is classified, Windows Server 2008 assigns one of the following network location categories:
• Public The public network category is set by default. When it is active, all unsolicited inbound traffic (anything that does not match an allow rule) is dropped, and outgoing connections are allowed. Any untrusted network, including the Internet, should be classified as a public network.
• Private A user can select the private network category manually and use it for a network that is not directly accessible to public networks such as the Internet. Private networks are segmented from public networks by firewall or NAT devices. This does not include Windows Firewall or Windows Firewall with Advanced Security on the host itself. If a computer running Windows Server 2008 is configured as a standalone server on a protected network, assign the network connection the private network designation.
• Domain The domain network category applies when a computer has authenticated to an Active Directory domain. This category is selected automatically after domain authentication through a network interface has occurred and a domain controller is available.
When multiple interfaces are connected to network locations that have different categories, the least secure category is assigned to the computer, because Windows Server 2008 applies a single active profile to the whole computer rather than one profile per interface. Hence, if one network interface is connected to the Internet and another connects to a protected network with a domain controller, the Public category is set, and the firewall blocks unsolicited incoming network connections on both interfaces.
MORE INFO NETWORK LOCATION AWARENESS
For more information about network location awareness, consult the following TechNet
Article.
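The profile behaviour described above can be checked and set from the command line rather than through the console. The following is an added example, not code from the book, run from an elevated PowerShell prompt on Windows Server 2008 and using netsh in the advfirewall context (the only scriptable interface to WFAS on this release); the log file path, its size and the export path are assumptions chosen for the example.

```powershell
# Added example (not from the book). Elevated PowerShell on Windows Server 2008.

# 1. Which network location profile WFAS is enforcing right now. One profile
#    applies to the whole computer on this release, so an Internet-facing
#    adapter drags a domain-joined server down to the Public profile.
netsh advfirewall show currentprofile

# 2. Make the per-profile defaults explicit: firewall on, unsolicited inbound
#    dropped, outbound allowed. Rules you add later are matched before these.
#    The comma-separated value is quoted; PowerShell would otherwise split it
#    into two arguments before netsh sees it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 3. Log dropped packets while the Public profile is active, so that an
#    application failing on an untrusted network can be attributed to the
#    firewall rather than to the application. Path and size are assumptions.
$log = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall-public.log"
netsh advfirewall set publicprofile logging droppedconnections enable
netsh advfirewall set publicprofile logging filename "$log"
netsh advfirewall set publicprofile logging maxfilesize 4096

# 4. Confirm the result for all three profiles, then snapshot it. The export
#    can be applied to another standalone server with 'netsh advfirewall
#    import', which is how the text suggests replicating a WFAS configuration.
netsh advfirewall show allprofiles
New-Item -ItemType Directory -Path C:\Config -Force | Out-Null
netsh advfirewall export "C:\Config\wfas-baseline.wfw"
```

Run the first command again after plugging the server into a second network: if the output changes from Domain to Public, every inbound rule that was scoped to the Domain profile has silently stopped applying, which is the situation the paragraph above warns about.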
Configuring WFAS Rules
Windows Firewall with Advanced Security (WFAS) enables you to configure firewall rules that are applied based on which network location-awareness profile is active (Domain, Public, or Private), on the type of network interface a connection uses (LAN, wireless, or remote access), and on whether the connection has been authenticated by IPsec. You can also configure firewall rules based on a protocol, port, source, and destination IP address as well as apply rules based on specific user and computer accounts. The WFAS console can import and export firewall configurations. This is very useful if you are responsible for managing a large number of standalone computers running Windows Server 2008 and need to replicate the same WFAS configuration quickly.
Configuring Inbound Rules
Inbound rules allow or block a specific type of traffic specified by the rule. When the firewall intercepts an incoming packet, it evaluates the packet against the list of inbound rules. If the packet matches any one of those inbound rules, it is processed according to that rule. If it matches no inbound rules, the packet is dropped. Windows Server 2008 automatically enables appropriate inbound rules when you install or enable a role or feature that requires incoming connections. For example, if you enable the Web Server (IIS) role, WFAS is automatically configured to allow inbound HTTP traffic on port 80 and inbound HTTPS traffic on port 443. Windows Server 2008 ships with a set of preconfigured inbound rules, or you can use the Inbound Rules Wizard to create your own.
The first page of the Inbound Rules Wizard, shown in Figure 4-13, enables you to select which type of rule you create. Your options are Program, Port, Predefined, and Custom. The list of predefined rules is extensive and covers almost every type of feature or role service you can install on a computer running Windows Server 2008. Custom rules enable you to define all aspects of a rule, and you can add both programs and ports as well as scope. If you want to block connections on a specific port to a specific program from a particular range of IP addresses, you configure a custom rule. In general, it is not necessary to specify both a program and a port because a listening port is normally owned by a single program or service; specifying both does, however, narrow the rule so that the port is reachable only while that program is the one listening on it. If you want to create a rule for a specific service, rather than for a program, you must create a custom rule. Configuring scope for firewall rules is covered later in this lesson.
FIGURE 4-13 Inbound Rules Wizard.
If you decide to create a rule for a program, you must specify the path of the program on the server. If multiple versions of the program are installed on the server, you must create a separate program rule for each location. If you create a port rule, you must specify whether the rule applies to TCP or UDP connections and the specific ports the rule covers. You can specify multiple ports, separating each port by a comma. You create an inbound rule in one of the exercises at the end of this lesson.
Port Numbers
As a holder of the MCSA certification, MCSE certification, or both, it is likely that you are already familiar with the port numbers of the most common networking protocols. In case you have forgotten some, remember that FTP uses ports 20 and 21, SSH uses port 22, Telnet uses port 23, SMTP uses port 25, DNS uses port 53, HTTP uses port 80, Kerberos uses port 88, POP3 uses port 110, IMAP uses port 143, LDAP uses port 389, and HTTPS uses port 443. Note that DNS and Kerberos use UDP as well as TCP on those ports, so a rule that names only TCP does not cover them. You can find a list of all registered port numbers in the IANA port number registry.
The Action page of the New Inbound Rule Wizard enables you to configure how WFAS responds after a traffic match is found. As Figure 4-14 shows, the options are to allow the connection, to allow the connection if it is secure, and to block the connection. Allowing the connection is straightforward. If the traffic matches the rule, the traffic passes across WFAS. When you select the Allow The Connection If It Is Secure option, an extra page is added to the wizard, on which you can specify users and computers using Active Directory. It is also
possible to require that the connection be encrypted using IPsec and to override any existing block rules. By default, block rules have precedence over allow rules. Enabling the Override Block Rules option is the only way to bypass an existing block rule.
FIGURE 4-14 Configuring a rule action.
Although you can configure an inbound rule to block a specific sort of traffic, this is generally not necessary because Windows Firewall with Advanced Security automatically blocks any inbound traffic that does not match an allow rule by default anyway. The main reason to implement block rules is to allow a certain type of traffic from specific hosts but block it from all other hosts. You can accomplish the same thing by configuring the scope of a rule. Configuring rule scope is covered later in this lesson.
After you have specified a rule action, you must specify to which profiles the rule will apply. You can apply the rule to one, two, or all three network location profiles (Domain, Private, and Public). The last step in the New Inbound Rule Wizard is to provide a rule name and description. The information that you enter here should be meaningful because another administrator might need to inspect your configuration in the future; that administrator should not have to examine each custom rule’s properties to figure out exactly what the rule is supposed to do.
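The rule types and actions the wizard walks through (program, port, service, and the Allow The Connection If It Is Secure action with Override Block Rules) can all be created with netsh in the advfirewall firewall context. The block below is an added example, not code from the book; the management subnet 10.10.10.0/24, the group CONTOSO\MgmtHosts and the path C:\Apps\Collector\collector.exe are placeholders for this example.

```powershell
# Added example (not from the book). Elevated PowerShell on Windows Server 2008.
# Values containing commas or spaces are quoted so PowerShell hands them to
# netsh as one argument.

# Port rule, Domain profile only: RDP, but only from the management subnet.
# The scope (remoteip) does the work a separate block rule would otherwise do.
netsh advfirewall firewall add rule name="RDP from management subnet" dir=in action=allow protocol=TCP localport=3389 remoteip=10.10.10.0/24 profile=domain

# Program rule: the path identifies the listener, so no port is needed.
# (Placeholder path; one rule per installed copy of the program.)
netsh advfirewall firewall add rule name="Collector agent" dir=in action=allow program="C:\Apps\Collector\collector.exe" "profile=domain,private"

# Custom rule for a service rather than a program: the service short name
# restricts the rule to the Print Spooler's dynamic RPC endpoints.
netsh advfirewall firewall add rule name="Print Spooler RPC" dir=in action=allow service=spooler protocol=TCP localport=RPC profile=domain

# "Allow the connection if it is secure" + "Override block rules":
# action=bypass requires IPsec authentication and an authorized computer group
# given as SDDL. Resolve the group to its SID rather than pasting one in.
$grp  = New-Object System.Security.Principal.NTAccount("CONTOSO\MgmtHosts")
$sid  = $grp.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "D:(A;;CC;;;$sid)"
netsh advfirewall firewall add rule name="Admin shares for management hosts" dir=in action=bypass protocol=TCP localport=445 security=authenticate rmtcomputergrp="$sddl" profile=domain

# Review what was created; the Profiles, RemoteIP and Security lines confirm
# that scope and authentication were applied as intended.
netsh advfirewall firewall show rule name="Admin shares for management hosts" verbose
```

The bypass rule is only half of the configuration: the computers in CONTOSO\MgmtHosts can satisfy it only if a connection security rule (covered later in this lesson) authenticates them with Kerberos or a certificate. Without one, the rule matches nothing, which is the safe failure mode.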
Quick Check
1. How is Windows Firewall limited compared to Windows Firewall with Advanced Security?
2. Under what conditions is the domain network location awareness profile set?
Quick Check Answers
1. Windows Firewall enables you to specify exceptions based on program or port, but you cannot specify exceptions based on network location awareness, individual network interfaces, specific incoming or outgoing addresses, or protocol.
2. The domain network location profile is set when a computer’s network interface is connected to an Active Directory domain and a domain controller is accessible.
Configuring Outbound Rules
Outbound rules apply to traffic leaving the computer for a remote host. The default configuration of WFAS allows all outbound traffic. Blocking all outbound traffic will stop many built-in Windows features and applications from communicating with other hosts on the network. This can have unintended side effects; for example, a computer cannot retrieve updates from a local WSUS server when all outbound communication is blocked unless a rule related to this type of traffic is enabled. If you do decide to block all outbound traffic and then create exceptions for approved programs and services, you must carefully test your deployment prior to putting the server into a production environment because you might miss one or more vital services and applications you should allow.
Outbound Rules and Viruses
A common argument for applying outbound rules is that it can stop worms and viruses from replicating out from an infected computer. Unfortunately, if a virus or worm has infected a computer, it most likely has enough privileges in the operating system to configure its own firewall rules, hence bypassing any outbound filters. If firewalls are properly implemented on other computers in your environment, malicious worm traffic from an infected host will have minimal impact anyway. Where outbound rules can be useful is in specifically blocking unapproved programs that users might install on their computers, such as instant messaging clients or peer-to-peer programs. In a controlled desktop environment, ordinary users would not be able to install these programs in the first place.
To create an outbound rule, perform the following steps:
1. Open the Windows Firewall With Advanced Security console, and then select and
right-click the Outbound Rules node. Select New Rule.
The New Outbound Rule Wizard starts.
2. Select the rule type from Program, Port, Predefined, or Custom, and then click Next.
3. If you select Program, browse to the program’s path. If you select Port, select the protocol type (TCP/UDP) and type the appropriate port or port range.
4. On the Action page, choose between Allow The Connection, Allow The Connection If It Is Secure, and Block The Connection.
5. On the Profile page, select the network profile or profiles to which the rule should apply.
6. Finish the wizard by entering a name for the rule.
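The procedure above, together with the default-deny outbound configuration the section warns must be tested carefully, as netsh commands. This is an added example, not code from the book; the domain controller addresses 10.10.10.10 and 10.10.10.11, the WSUS server at 10.10.10.20 on port 80, and the path of the unapproved peer-to-peer client are assumptions, and the exception list is illustrative rather than complete.

```powershell
# Added example (not from the book). Elevated PowerShell on Windows Server 2008.

# Keep a way back before changing the default outbound action.
New-Item -ItemType Directory -Path C:\Config -Force | Out-Null
netsh advfirewall export "C:\Config\wfas-before-outbound-deny.wfw"

# Default-deny outbound on every profile (the WFAS default is allow). The
# value is quoted so PowerShell passes the comma through to netsh intact.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# Exceptions for what the server cannot function without, each scoped to the
# hosts it really needs. remoteip=dns means the configured DNS servers.
netsh advfirewall firewall add rule name="Out: DNS" dir=out action=allow protocol=UDP remoteport=53 remoteip=dns
netsh advfirewall firewall add rule name="Out: Kerberos, LDAP, SMB to DCs" dir=out action=allow protocol=TCP "remoteport=88,389,445" "remoteip=10.10.10.10,10.10.10.11"
netsh advfirewall firewall add rule name="Out: Kerberos, CLDAP to DCs" dir=out action=allow protocol=UDP "remoteport=88,389" "remoteip=10.10.10.10,10.10.10.11"

# The WSUS case from the text. Windows Update runs inside svchost.exe, so the
# rule names the service as well; a rule on the program alone would open the
# exception to every other svchost-hosted service.
netsh advfirewall firewall add rule name="Out: WSUS" dir=out action=allow program="%SystemRoot%\system32\svchost.exe" service=wuauserv protocol=TCP remoteport=80 remoteip=10.10.10.20

# The case the sidebar calls useful: a block rule for one unapproved program.
# It keeps working even if the default outbound action is later set back to allow.
netsh advfirewall firewall add rule name="Block P2P client" dir=out action=block program="C:\Program Files\P2PClient\p2pclient.exe" profile=any

# Test before production: force an update detection cycle, then confirm in
# %SystemRoot%\WindowsUpdate.log that the WSUS server was reached and review
# the dropped-packet log for anything else the exception list missed.
netsh advfirewall firewall show rule name="Out: WSUS" verbose
wuauclt.exe /detectnow
```

Expect to extend the exception list: time synchronization, monitoring agents and anything the server's roles talk to will surface as dropped outbound packets in the firewall log during testing, which is exactly why the text insists on testing before the server goes into production.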
Rule Scope
When you configure an inbound or an outbound firewall rule, you are able to configure the scope of the rule. The scope of the rule enables you to apply a rule based on the IP address of the source or destination host. For example, in Figure 4-15, a firewall rule is given the scope of 10.0.0.1–10.10.10.254. Scope can enable you to fine-tune a rule. For example, you might use the scope option to configure a rule to block outbound SMTP traffic except to a specific SMTP server’s IP address. When applying multiple rules to the same type of traffic, remember that a block rule always overrides an allow rule (unless the allow rule is an authenticated rule with Override Block Rules enabled). Hence, if you wanted to block access to all Web servers except those on subnet 10.10.10.0/24, you would need to configure the scope of the block rule to apply to remote IP addresses 0.0.0.1-10.10.9.255 and 10.10.11.0-255.255.255.255 rather than configuring a block of all port 80 traffic and another rule allowing it for subnet 10.10.10.0/24.
FIGURE 4-15 Configure Rule Scope.
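Working out the "everything except this subnet" address ranges by hand is error-prone, and an off-by-one in the range either lets a host through or blocks the trusted subnet. The following added example, not code from the book, computes the two ranges for any IPv4 CIDR block (it generalizes the single /24 case in the text) and applies them as the scope of an outbound block rule; the function and rule names are this example's own, and the code avoids PowerShell 3.0-only operators because Windows Server 2008 ships with PowerShell 1.0/2.0.

```powershell
# Added example (not from the book). Elevated PowerShell on Windows Server 2008.

# Dotted IPv4 string -> integer (Int64 so that 255.255.255.255 fits).
function ConvertTo-IPv4Int ([string]$ip) {
    $o = $ip -split '\.' | ForEach-Object { [int64]$_ }
    $o[0] * 16777216 + $o[1] * 65536 + $o[2] * 256 + $o[3]
}

# Integer -> dotted IPv4 string. Floor is used deliberately: casting a double
# to an integer in PowerShell rounds instead of truncating.
function ConvertFrom-IPv4Int ([int64]$n) {
    $octets = foreach ($shift in 24, 16, 8, 0) {
        [int64]([math]::Floor($n / [math]::Pow(2, $shift))) % 256
    }
    $octets -join '.'
}

# The ranges that cover every IPv4 address except the given CIDR block, in the
# comma-separated form netsh accepts for remoteip.
function Get-ScopeExcluding ([string]$cidr) {
    $net, $bits = $cidr -split '/'
    $bits = [int]$bits
    if ($bits -lt 1 -or $bits -gt 32) { throw "prefix length must be 1-32: $cidr" }
    $size  = [int64][math]::Pow(2, 32 - $bits)
    # Align to the block boundary so 10.10.10.7/24 still means 10.10.10.0/24.
    $first = [int64]([math]::Floor((ConvertTo-IPv4Int $net) / $size)) * $size
    $last  = $first + $size - 1
    $ranges = @()
    if ($first -gt 1)         { $ranges += '0.0.0.1-' + (ConvertFrom-IPv4Int ($first - 1)) }
    if ($last -lt 4294967295) { $ranges += (ConvertFrom-IPv4Int ($last + 1)) + '-255.255.255.255' }
    $ranges -join ','
}

# For 10.10.10.0/24 this yields the two ranges given in the text:
# 0.0.0.1-10.10.9.255,10.10.11.0-255.255.255.255
$scope = Get-ScopeExcluding '10.10.10.0/24'
Write-Host "Scope: $scope"

# One block rule whose scope omits the trusted subnet. Because block beats
# allow, a separate allow rule for 10.10.10.0/24 would not have worked.
netsh advfirewall firewall add rule name="Block HTTP except intranet subnet" dir=out action=block protocol=TCP remoteport=80 "remoteip=$scope" profile=any
netsh advfirewall firewall show rule name="Block HTTP except intranet subnet" verbose
```

The same function produces the scope for the SMTP case mentioned in the text by passing the relay server as a /32, and for a trusted range that is not CIDR-aligned you would call it once per block and join the results.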
Connection Security Rules
Connection security rules define how and under what conditions computers are able to communicate with each other. Connection security rules generally involve a list of computers, whether the connection will request or require authentication, and the methods of authentication the connection can use. Each category of connection security rule is appropriate to a specific type of scenario. As with inbound and outbound rules, you can apply connection security rules by using the WFAS console, netsh in the advfirewall consec context, or Group Policy. The next few pages cover the different types of connection security rules.
Isolation Policies
Through isolation policies, you can partition sets of computers on the network by using network authentication and encryption policies. Only computers that meet a specific set of criteria are able to communicate with computers subject to isolation policies. Although it is possible to configure isolation policies on a computer-by-computer basis, using either the WFAS console or netsh in the advfirewall consec context, isolation policies usually apply to multiple computers, so it is best to configure and enforce them through Group Policy.
The simplest form of isolation policy is the server isolation policy, which requires all communication with a server to be authenticated and encrypted. As shown in Figure 4-16, authentication can use Kerberos V5 for computer and user accounts if the server is a member of a domain, or a computer certificate or a system health certificate issued by a trusted certificate authority (CA). By selecting Advanced Authentication, it is also possible to enable authentication by using the NTLMv2 protocol or a preshared key. A preshared key is suitable only for testing: it is stored in clear text in the policy and is shared by every computer the policy reaches, so it identifies no individual computer.
FIGURE 4-16 Isolation rule authentication options.
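The isolation rule in Figure 4-16 has a direct netsh equivalent in the advfirewall consec context, which is what you would use on a standalone server or to check what Group Policy has delivered. The block below is an added example, not code from the book; it assumes a domain-joined server, domain controllers at 10.10.10.10 and 10.10.10.11, and rule names of its own choosing.

```powershell
# Added example (not from the book). Elevated PowerShell on Windows Server 2008.

# Server isolation: require IPsec authentication in both directions for every
# peer. Kerberos for the computer account (auth1) plus the user account (auth2)
# needs no certificate deployment but works only between domain members.
netsh advfirewall consec add rule name="Server isolation: require authentication" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb auth2=userkerb profile=domain

# Authentication exemption for the domain controllers. Without it the Kerberos
# exchange the first rule depends on would itself be subject to the first rule,
# and the server would be unable to authenticate anyone. (Assumed DC addresses.)
netsh advfirewall consec add rule name="Exempt domain controllers" endpoint1=any "endpoint2=10.10.10.10,10.10.10.11" action=noauthentication profile=domain

# Check the rules took effect, then watch main mode security associations form
# as domain members connect. A peer that cannot authenticate (a non-domain
# laptop, for example) never appears here and is refused, which is the point.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Two cautions when testing: apply the rule to the Domain profile only, as above, or a server that drops to the Public profile on a multi-homed link will require authentication from hosts that cannot provide it; and remember that these rules authenticate but do not by themselves encrypt, so the "and encrypted" half of a server isolation policy comes from the IPsec data protection settings of the profile (or an inbound rule that requires encryption), not from the connection security rule alone.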
