Windows 2003 Server SP1 a big plus for wireless LAN security

Microsoft?today released its first major service pack for its flagship server product Windows 2003 Server.? Aside from other security enhancements to the operating system, SP1 for Windows 2003 Server is a huge boost for enterprise-grade wireless LANs.? With the recent leaps in cryptanalysis tools that can even crack enterprise-grade wireless LANs that use dynamically rotating WEP keys, the encryption bar has been raised to a minimum of TKIP or preferably AES.? In order to run these newer encryption algorithms, hardware and software must be certified to a minimum of WPA or the newest WPA2 standard.? Unfortunately, performing the upgrade is easier said than done especially if firmwares, drivers, and configuration changes have to be replicated across hundreds or even thousands of clients.? While it doesn't address all of these issues, Windows 2003 Service Pack 1 at least makes the last piece (configuration changes) relatively simple and is a huge step forward for any business grade wireless LAN.

While the original version of Windows 2003 Server already made substantial strides in easing the pain of a large secure wireless LAN deployment, its major weakness was that it couldn't deal with WPA capable networks.? SP1 addresses these weaknesses and really makes it easy to deploy a large secure? wireless LAN.? The following summarizes the original feature set of Windows 2003 server and the enhancements of SP1.

Windows 2003 Server wireless LAN capability

• Windows 2003 added PEAP authentication capability to its IAS (Internet Authentication Service) RADIUS component.? This meant that client side certificates were no longer needed for TLS encrypted authentication, which made it possible to only use a server side digital certificate to support thousands of clients without digital certificates.? By using the TLS tunnel to secure the password exchange, dictionary attacks on the popular LEAP authentication protocol could be avoided altogether.

• The built-in Windows XP WZC (Wireless Zero Configuration) client could now be centrally managed via Windows 2003 Server using Active Directory Group Policy configuration.? This meant that every single client computer on a corporate network could be centrally configured to connect to a secure wireless LAN in minutes.? Since WPA was only starting to appear at the time that Windows 2003 was being released, the policy configuration could only work for 802.1x/PEAP dynamic WEP-based wireless LANs.? WPA using TKIP or AES encryption was not supported and had to be manually configured from the client side, which made it very difficult to deploy.

• Fast reconnect for EAP authentication support was added to IAS.? Note that this can cause problems with some access point manufacturers that don't deal well with fast reconnect.

Windows 2003 Server SP1 enhancements for wireless LANs

• Active Directory Group Policy can now configure WPA TKIP or AES encryption settings.? Any Windows XP SP1 (with WPA patch) or Windows XP SP2 client machine could now be centrally configured to connect to a TKIP- or AES-encrypted wireless LAN.
• Clients (Windows XP SP2 only) can now also be locked down to a narrow set of administrator-approved digital certificates and certificate signing authorities.? In the past, there was a potential for unsuspecting users to fall victim to man-in-the-middle attacks if an attacker could coax a user into trusting a rogue access point?that used a fake RADIUS Authentication Server with an alternate digital certificate and signing authority.

The importance of central management cannot be overstressed.? This isn't just a convenience issue but a security issue as well.? Centrally managed and locked down client-side configuration enforces a uniform standard without any effort from end-users or desktop support.? This makes it?very unlikely?that end-users?will accidentally configure their wireless client in an insecure way that can open them up to Evil Twin networks.? If you run a Windows-based network as most organizations do, Windows 2003 Server Service Pack 1 will definitely make life much easier for you when it comes to deploying a large secure wireless LAN.