Using Windows Vista on a Corporate Mobile Network
Expert Reference Series of White Papers
www.globalknowledge.com
Introduction
Can you remember the frustration you felt the last time you needed to work on a document but couldn't connect to the network to use it? What about the last time you wanted to write an email or get some work done on the Internet, but had to go to a different location where you could use a networked system? Multiply these problems and frustrations by every employee who has ever experienced them and you will understand, if you don't already, why wireless networking is becoming a requirement in many offices. When properly implemented and used, wireless networking is not only a nice convenience but a valid tool for increasing productivity and efficiency.
Those who resist the idea of creating a Wi-Fi network will normally acknowledge its advantages, but express valid concerns about expanding the network infrastructure and preventing the security problems inherent in the technology. Can you implement this kind of change without unduly impacting the security of the existing network infrastructure? Can you enforce security procedures created just for the wireless network on end users working with laptops? Some of your users might be allowed to use their laptops on public Wi-Fi networks where you have no control. Can you run system checks and prevent computers with security problems from rejoining your network? If you are using an Active Directory domain with Windows Vista clients, the answer to all of these questions is yes.
As you will see, this does not have to be a complicated process. Having a basic understanding of the encryption and authentication choices available, the related group policy settings, and Windows Vista features will help you narrow down your choices and make the decisions that are best for your environment.
We will start off by walking through the process of configuring a wireless connection on a Windows Vista system manually. This will allow us to view the different features and options available during setup. We will then discuss how to implement configuration changes automatically through Active Directory by using 802.11 group policy settings or script files. Of course, a discussion about wireless networking would not be complete without taking time to discuss the security issues it raises and how to deal with them, so we will look at that as well. First, let's connect a Windows Vista laptop to a wireless network.
Connecting to a Wireless Network
Configuring the client connection can easily be done from the Connect to a Network window (Figure 1.1). You can get to it by clicking the Connect to option on the Start menu or from the shortcut available in the Network and Sharing Center. The list of networks shown will include all available connections, including dial-up and VPN. To limit the list to wireless networks only, choose "Wireless" from the "Show" drop-down box.
Neil Tucker, Global Knowledge Instructor, MCT, MCIPT, MCTS, MCDBA, MCSE, MCDST
Copyright ©2007 Global Knowledge Training LLC. All rights reserved.
Figure 1.1: Connect to a Network Window
One interesting option you might notice in the list of available networks is the ability to connect to networks shown as "Unnamed Network." These are wireless access points (APs) that do not advertise their name, or Service Set Identifier (SSID). Sometimes called a non-broadcast or hidden network, many enable this feature on their APs in an effort to make the network more secure by "hiding" it from older operating systems such as Windows 2000 or XP. Obviously, they are not hidden from Vista systems, and the feature has proved to be a very ineffective security measure in any case: the SSID still travels in the clear in every probe and association request, and a client configured for a hidden network has to probe for it by name wherever it goes, so every laptop you own ends up announcing your network's name in airports and coffee shops. If you decide to use it, don't let it give you a false sense of security. It should not be seen as a security feature, especially on a corporate network.
There is also an indicator showing whether the connection to the AP will be secured or not. If security is enabled, Vista will automatically negotiate the strongest encryption protocol that it and the access point both support. If security is not enabled, a warning message will alert you to the dangers of connecting to such a network. You will also have the option to connect to the AP automatically, making it your preferred network, and you can disconnect from a network or modify your preferred network settings when necessary.
If you need to configure your network connection settings manually, choose the Set up a connection or network option in the lower left corner of the Connect to a network window and open the Manually connect to a wireless network window (Figure 1.2). From here you can configure the network name and security protocols. You may also choose to start the connection automatically and to connect to the AP even if it is not broadcasting.
Figure 1.2: Manually Connect to a Wireless Network Window
Which security protocol should you use? Wi-Fi Protected Access 2 (WPA2) with Advanced Encryption Standard (AES) encryption should be your first choice. Wired Equivalent Privacy (WEP) is a last resort because of its well-known weaknesses; a WEP key can be recovered from captured traffic in minutes, so treat a WEP network much as you would an open one. WPA corrects the worst of WEP's flaws, but because it was designed to run on existing WEP hardware it kept the RC4 cipher (wrapped in TKIP) and inherits some of the same design limitations. WPA2 was redesigned from the ground up with both eyes on security and little concern for compatibility with WEP hardware. If you are unable to upgrade your APs to support it, your next best bet is, of course, WPA. What do the Personal and Enterprise designations mean for WPA and WPA2? Personal mode authenticates with a password, or pre-shared key (PSK), that every client shares, so a lost laptop or a departing employee means re-keying every AP and every client. Enterprise mode uses 802.1X against a RADIUS server, so each user or computer authenticates with its own credentials and can be revoked individually. This also allows an Enterprise connection to use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for certificate-based, mutual authentication. After clicking Next, you will be able to modify other options such as the use of other preferred networks, server certificates and smart cards through the "Change connection settings" option.
Once you have verified that all your options are correct, you accept the configuration and start using the wire-
less network. Now, unless you have just a few laptops, you probably want to use Active Directory to apply and
maintain these settings centrally. How can that be done?
Leveraging Active Directory
One issue that often comes up when connecting domain laptops through wireless networks is having to authenticate twice. A secure wireless network requires some form of authentication before connecting, after which the user must provide Active Directory credentials to log on to the domain. Although not required, it is a good idea to simplify this for users by letting them connect to the network and the domain in a single logon using a bootstrap wireless profile. You do this by modifying the properties of a wireless profile to disable validation of the RADIUS server certificate when using PEAP-MS-CHAPv2 authentication and enabling Single Sign On. The network administrator might join the laptop to the domain over a wired connection and configure a new wireless profile with these settings. If the laptop is already a domain member, a configuration file can be used to apply the new settings with netsh. When users want to connect, they simply log in with their domain credentials. Normally, without cached credentials or an existing network connection, this logon would fail. Enabling Single Sign On lets the client connect to the network and the domain in one step using the domain credentials provided at logon.

Be clear about what disabling server certificate validation costs you. With validation off, the client will build its PEAP tunnel to any RADIUS server that answers for your SSID, so a rogue AP can collect the MS-CHAPv2 challenge and response, which can be attacked offline to recover the user's password. Use the bootstrap profile only to get the machine onto the domain, then push a replacement profile that validates the RADIUS certificate and pins the server names, and, where your APs and hardware allow it, moves to EAP-TLS with computer certificates or smart cards.
A network administrator would normally want to maintain these settings by using group policies to push configuration changes to laptops. However, a domain running Windows Server 2003 with SP1 does not support some of the new security features available for 802.11 networks on Vista, such as WPA2. This can be overcome by performing schema modifications that add these features. If you are unable or unwilling to risk such a change to your Active Directory forest, a simpler solution is to use script files. Netsh now has a wlan context that can export and import wireless configuration settings as XML files. Exporting a profile takes three parameters:

• name: the name of the wireless profile being exported
• folder: the folder to write the XML file to (netsh names the file after the interface and the profile, so you do not choose the file name yourself)
• interface: the name of the wireless adapter the profile belongs to

The command might look like this (secure_profile and the adapter name are placeholders; "Wireless Network Connection" is Vista's default adapter name):

netsh wlan export profile name="secure_profile" folder="C:\wlan" interface="Wireless Network Connection"

Once you have the file, you can import it on another system with:

netsh wlan add profile filename="C:\wlan\Wireless Network Connection-secure_profile.xml" interface="Wireless Network Connection"

A startup script can then be created in a group policy to apply the changes to mobile systems running the same operating system. Keep the exported XML files somewhere only administrators can write to: whatever profile the script imports is what every laptop will trust, so a writable share is an easy way for someone to hand your users a profile that points at their RADIUS server instead of yours.
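The following is an added example, not code from this white paper or from Microsoft's tooling. It audits exported profile XML of the kind netsh wlan export profile produces for the weak settings discussed above: open or WEP networks, WPA/TKIP, pre-shared keys, hidden SSIDs, and PEAP profiles still carrying the bootstrap setting of disabled RADIUS server certificate validation or no pinned server name. The two embedded profiles are constructed samples; their element names and namespaces are modelled on exported files and should be treated as assumptions to check against a real export from one of your own laptops, and the profile, SSID and server names (Corp-Bootstrap, Corp-Secure, CorpWiFi, radius.corp.example) are placeholders.

```python
"""Audit exported Windows WLAN profiles (netsh wlan export profile) for weak settings.
Added example, not code from the white paper. The two profiles are constructed samples
modelled on exported profile files; element names and namespaces are assumptions to be
checked against a real export, and all profile, SSID and host names are placeholders."""
import xml.etree.ElementTree as ET

EAP_TLS, EAP_PEAP = "13", "25"  # IANA EAP method type numbers as written in <Type>

# Constructed sample 1: a bootstrap profile as described above, PEAP-MSCHAPv2 with RADIUS
# server certificate validation switched off, Single Sign On enabled and a hidden SSID.
BOOTSTRAP_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-Bootstrap</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode><singleSignOn><type>preLogon</type><maxDelay>10</maxDelay></singleSignOn>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation><ServerNames></ServerNames></ServerValidation>
            <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
          </EapType></Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# Constructed sample 2: what the bootstrap profile should be replaced with after domain join:
# WPA2/AES, EAP-TLS with a smart card, RADIUS server name pinned, SSID broadcast normally.
HARDENED_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-Secure</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <CredentialsSource><SmartCard/></CredentialsSource>
            <ServerValidation><ServerNames>radius.corp.example</ServerNames></ServerValidation>
          </EapType></Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _text(root, name):
    """Text of the first element with this local name in document order, '' if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return ""


def audit_profile(xml_text):
    """Return the list of findings for one profile; an empty list means nothing weak was found."""
    root = ET.fromstring(xml_text)
    findings = []
    auth, enc = _text(root, "authentication"), _text(root, "encryption")
    if auth in ("open", "shared") or enc in ("none", "WEP"):
        findings.append(f"{auth}/{enc}: open or WEP network, WEP is a last resort only")
    elif auth in ("WPA", "WPAPSK") or enc == "TKIP":
        findings.append(f"{auth}/{enc}: WPA/TKIP in use, prefer WPA2 with AES")
    if auth in ("WPAPSK", "WPA2PSK"):
        findings.append("Personal mode (pre-shared key), Enterprise 802.1X preferred on a corporate network")
    if _text(root, "nonBroadcast") == "true":
        findings.append("nonBroadcast=true: hidden SSID adds no security and the client probes for it by name")
    if _text(root, "useOneX") == "true":
        eap = _text(root, "Type")  # first <Type> in document order is the outer EAP method
        if eap == EAP_PEAP and _text(root, "PerformServerValidation") == "false":
            findings.append("PEAP with RADIUS server certificate validation disabled (bootstrap setting), "
                            "replace with a validating profile once the machine is domain-joined")
        elif not _text(root, "ServerNames"):
            findings.append("server certificate validated but no ServerNames pinned, "
                            "any certificate from a trusted root CA is accepted")
    return findings


if __name__ == "__main__":
    for profile in (BOOTSTRAP_PROFILE, HARDENED_PROFILE):
        name = _text(ET.fromstring(profile), "name")
        print(f"{name}: {'; '.join(audit_profile(profile)) or 'OK'}")
```

To run it over real exports, read each XML file from the export folder and pass its text to audit_profile; an empty list means the profile matches the recommendations in this paper. The lookups match on local element names and ignore namespaces, so the checks keep working if the namespace versions in your exports differ from the samples, at the cost of reading the first matching element wherever it appears, which is why the outer EAP <Type> is read before the inner one.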
The unique security issues raised by these systems might also move you to place them in their own Organizational Unit (OU). This makes it easier to apply different group policy settings than those used for other systems and to administer the laptops separately. A separate domain would not be necessary unless it were decided that wireless users should have different account policy requirements. Smart card authentication can be enabled or disabled for individual users within the same domain.
Securing the Network
It is alw
ays a good idea to treat the wireless part of your network with the same scrutiny you apply to incom-
ing Internet connections. Make sure that due consideration is given to choosing who will be able to use wire-
less connections
,
what encryption and authentication protocols will be required,
and how each
AP will be
secured and accessed. Here are a few other suggestions that should help to prevent security breaches.
Cr
eate a written security policy
.
T
his part of the process is often overlook
ed in the rush to get the net-
work up and working. When everyone knows exactly who should or shouldn’t be able to connect, the mini-
mum security requirements for clients and APs, what information they will be permitted to access, as well as
whom to notify and what actions to tak
e in case of a breach,
things will go a lot more smoothly in the long
run. Also, never forget to have a proper audit policy. This should include what events will be recorded and how
often and by whom the information must be reviewed.