Securing Wireless Networks in Windows Server

Most companies now have some sort of wireless access implemented within their networks. It is easy to see why: adding a few wireless access points can be extremely useful and save expensive cabling costs. You can add extra clients and locations to a network for literally a few pounds, compared with the drilling through walls, laying of cables and digging up of roads that connecting traditional Ethernet access can involve.

Yet the security implications are often ignored; too often well-developed and secure networks are compromised by ad-hoc wireless access points installed with little or no thought given to security. Often companies simply buy off-the-shelf WAPs and add them to their network. The reality is that every access point added is an additional gateway into that network, and it is essential that it conforms to the same level of security as any other device.

There are various methods to secure these access points, but the key is to keep to a consistent standard and ensure that it can be enforced. One common method, particularly in Windows environments, is to use Group Policy Objects (GPOs) to enforce the wireless network settings on access points and the clients that authenticate to them. For example, you can use GPOs to ensure that wireless network settings are configured correctly for EAP-TLS authentication, which is used for most 802.1X authentication.

You should assign the GPO to computer accounts, linked either to the domain or to a specific OU configured for wireless access. The latter is the better option, as it restricts and controls access to the wireless network so that only specifically allowed clients can use it. Within the group policy you can configure a specific wireless network policy with settings such as the following:

  • Enforce 802.1X authentication
  • Restrict access to WAPs only; no ad-hoc connections allowed.
  • Ensure Windows clients can configure wireless network settings automatically
  • Provide preferred and allowed SSIDs (plus block other networks)
  • Enforce encryption – either WEP or WPA as a minimum (although stronger encryption should be used)
  • Define EAP authentication methods and levels
  • Enforce mutual authentication by validating the certificates issued to RADIUS servers.

This list is a long way from complete, but it does illustrate some of the minimum configuration issues that should be covered for wireless access. Obviously requirements will vary depending on the network, the applications used and the sort of access required over wireless connections. However, most best-practice guides for securing wireless access are fairly sensible. For example, there is little reason not to implement the strongest form of wireless encryption available. Encryption adds very little overhead, and it is unlikely that there would be any issues running remote applications or client access across it.
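As an added example (not code from the original article), the PowerShell below audits a client's wireless profile against the policy points listed above. It assumes the profile was exported with netsh wlan export profile; the SSID, RADIUS host name and CA thumbprint in the constructed sample are placeholders.

```powershell
# Added example, not from the original article: audit an exported Windows WLAN
# profile against the policy points listed above. Export a real profile with
#   netsh wlan export profile name="CorpWiFi" folder=C:\temp
# The SSID, RADIUS name and CA thumbprint below are assumed placeholder values.
function Test-WlanProfilePolicy {
    param([Parameter(Mandatory)][xml]$Profile)
    $ns = @{
        w = 'http://www.microsoft.com/networking/WLAN/profile/v1'
        b = 'http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1'
        t = 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1'
    }
    # Text of the first node matching an XPath, or $null when the element is absent.
    $val = { param($xp) (Select-Xml -Xml $Profile -XPath $xp -Namespace $ns | Select-Object -First 1).Node.InnerText }
    $findings = @()
    if ((& $val '/w:WLANProfile/w:connectionType') -ne 'ESS') { $findings += 'not infrastructure-only (ad-hoc/IBSS)' }
    if ((& $val '//w:authentication') -notin @('WPA2', 'WPA3ENT', 'WPA3ENT192')) { $findings += 'authentication weaker than WPA2-Enterprise' }
    if ((& $val '//w:encryption') -ne 'AES') { $findings += 'cipher is not AES (TKIP/WEP)' }
    if ((& $val '//w:useOneX') -ne 'true') { $findings += '802.1X not enabled' }
    if ((& $val '//b:Eap/b:Type') -ne '13') { $findings += 'EAP method is not EAP-TLS (type 13)' }
    if ((& $val '//t:DisableUserPromptForServerValidation') -ne 'true') { $findings += 'user can accept an untrusted RADIUS certificate' }
    if (-not (& $val '//t:TrustedRootCA')) { $findings += 'no trusted root CA pinned for server validation' }
    if (-not (& $val '//t:ServerNames')) { $findings += 'RADIUS server name not restricted' }
    [pscustomobject]@{ Name = (& $val '/w:WLANProfile/w:name'); Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: a compliant EAP-TLS profile trimmed to the elements checked above.
$sample = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name><connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>radius.corp.example</ServerNames>
              <TrustedRootCA>0011223344556677889900aabbccddeeff001122</TrustedRootCA>
            </ServerValidation>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@
Test-WlanProfilePolicy -Profile $sample
# For a real client: Test-WlanProfilePolicy -Profile ([xml](Get-Content C:\temp\Wi-Fi-CorpWiFi.xml -Raw))
```

Any entry in Findings corresponds to one of the bullet points above not being enforced on that client, so running this across a wireless OU is a quick way to confirm the GPO has actually landed.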

Even additional layers such as a secured VPN can operate over an encrypted wireless connection. However, remember that these can affect external access; even sites like the BBC block some VPN access in order to enforce their region locks. Even so, external access and applications should not be allowed to control or dictate the levels of security of your clients and internal networks. Furthermore, through group policy you can enforce minimum levels of authentication, deploy certificates and even define more specific wireless settings. Any client accessing the network through a Wi-Fi access point would have these settings applied in order to access network resources.

Further Reading:
BBC Deutschland – A Quick Guide