
70-299 : 10 Planning and Implementing Security for Wireless Networks

To configure wireless network security by using a GPO, follow this procedure:

1. Open a blank Microsoft Management Console (MMC) console, and add the Group Policy Object Editor snap-in. Open the GPO you will use to apply the wireless network configuration settings.
2. Expand the GPO, Computer Configuration, Windows Settings, and then Security Settings. Click Wireless Network (IEEE 802.11) Policies.
3. By default, there are no policies. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create Wireless Network Policy. The Wireless Network Policy Wizard appears.
4. Click Next.
5. Type a name for the policy, and then click Next.
6. Select the Edit Properties check box, and then click Finish. The properties dialog box appears.
7. Click the General tab, as shown in Figure 10.8. The security-related settings are Networks To Access, which specifies whether the client is allowed to connect to ad hoc networks, and Automatically Connect To Non-Preferred Networks, which you should clear to prevent clients from connecting to untrusted, potentially hostile wireless networks.
8. Click the Preferred Networks tab. This tab lists preferred networks, which are networks that Windows XP will connect to automatically. There are no preferred networks by default.
9. Click Add. The New Preferred Setting Properties dialog box appears, as shown in Figure 10.9. The Network Properties tab allows you to specify whether WEP encryption will be used. Generally, you should select the Data Encryption and The Key Is Provided Automatically check boxes, so that the WEP keys are delivered to the client by the 802.1X exchange rather than typed as a static key on every client. Leave the Network Authentication check box cleared to use open network authentication; the client is authenticated by 802.1X, not by WEP shared-key authentication. Keep in mind that WEP is cryptographically weak; use WPA wherever the WAPs and clients support it.
10. Click the IEEE 802.1X tab. Select the Enable Network Access Control Using IEEE 802.1X check box.
11. If you want to be able to manage the computer across a wireless network when no user is logged on, select the Authenticate As Computer When Computer Information Is Available check box.
12. Click the EAP Type list to select either Smart Card Or Other Certificate or Protected EAP. This setting must match the EAP type configured in the remote access policy on the IAS server.
13. Click the Settings button to configure the selected EAP type. This dialog box is the same one used to configure wireless clients locally.
14. Click OK three times to return to the MMC console.
Note that you can create only one wireless network policy per GPO.
Configuring WAPs :
The final step of the wireless network configuration process is to configure and enable your WAPs. Unfortunately, the user interface varies for each WAP. At a minimum, you will need to configure the following settings:
■ Select WEP or WPA encryption and the encryption level.
■ Specify 802.1X authentication and the authentication method.
■ Specify the SSID.
■ Specify the IP address of the IAS RADIUS servers.
■ Specify the RADIUS shared secret, which must match the shared secret entered for this WAP as a RADIUS client during the IAS configuration.

70-299 : 10 Planning and Implementing Security for Wireless Networks

Designing the Authorization Strategy :

Although many organizations choose to allow all computers and users in the organization to access the wireless network, other organizations choose to restrict access. On Windows networks, you restrict access to wireless networks by using domain security groups. Although it is possible to use the dial-in properties of individual domain user objects to allow or deny access, this is tedious to administer for more than a few users.

One method for implementing this is to create a three-tiered structure for assigning permissions. At the top level, create a universal group, and grant this universal group access by using a remote access policy in IAS. At the second level, create domain global groups for the users and computers that will be granted wireless access, and make these global groups members of the universal group. At the third level, add to the global groups the user and computer accounts (or existing groups) that should be granted wireless access. The IAS policy then never changes; access is managed entirely through group membership.
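The three-tier group structure above, built with the ActiveDirectory PowerShell module. This is an added example, not code from the training material: the module requires Windows Server 2008 R2 or later RSAT (the 70-299-era tooling would be dsadd/dsmod or Active Directory Users and Computers), and the group names, OU path and account names are assumptions chosen for illustration.

```powershell
# Added example: three-tier wireless authorization groups (ActiveDirectory module).
# Group names, the OU and the account names below are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=Wireless,OU=Groups,DC=contoso,DC=com'   # assumed OU for the groups

# Tier 1: the universal group that the IAS remote access policy condition
# (Windows-Groups) references. It is the only group IAS needs to know about.
$top = New-ADGroup -Name 'Wireless-Access' -GroupScope Universal `
                   -GroupCategory Security -Path $ou -PassThru

# Tier 2: domain global groups, one for users and one for computers, so that
# membership is managed per domain without ever touching the IAS policy.
$users     = New-ADGroup -Name 'Wireless-Users' -GroupScope Global `
                         -GroupCategory Security -Path $ou -PassThru
$computers = New-ADGroup -Name 'Wireless-Computers' -GroupScope Global `
                         -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $top -Members $users, $computers

# Tier 3: the accounts. Computer accounts are needed for machine authentication
# ("Authenticate As Computer When Computer Information Is Available").
Add-ADGroupMember -Identity $users     -Members 'alice', 'bob'           # assumed users
Add-ADGroupMember -Identity $computers -Members 'LAPTOP01$', 'LAPTOP02$'  # computer accounts end in $

# Check: the flattened membership is what IAS sees in the client's token.
Get-ADGroupMember -Identity $top -Recursive |
    Select-Object objectClass, SamAccountName
```

Removing a laptop or a user from wireless access is then a single Remove-ADGroupMember on the tier-2 group; the universal group and the IAS policy stay untouched.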

Configuring the Certificate Infrastructure :
Regardless of which authentication method you choose, you will need at least one computer certificate to use 802.1X authentication. This certificate must be installed on the IAS servers that will perform RADIUS services. For computer authentication with EAP-TLS, you must also install a computer certificate on the wireless client computers. A computer certificate installed on a wireless client computer is used to authenticate the wireless client computer so that the computer can obtain network connectivity to the enterprise intranet and download computer Group Policy settings prior to user logon. For user authentication with EAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer.

If the certificate of the root CA that issued the IAS servers’ certificates is already installed as a root CA certificate on your wireless clients, no other configuration is necessary. If your issuing CA is a Windows 2000 Server or Windows Server 2003 online root enterprise CA, the root CA certificate is automatically installed on each domain member through computer configuration GPO settings. If it is not, you must install the root CA certificates of the issuers of the computer certificates of the IAS servers on each wireless client.
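A check for the certificate prerequisites just described, run on a wireless client (or, with the Server Authentication EKU, on an IAS server). This is an added example, not code from the training material. It uses only the standard LocalMachine certificate stores and the standard EKU OIDs; the root CA thumbprint at the end is a placeholder to replace with your own, and the script assumes it runs elevated so that private-key presence can be read.

```powershell
# Added example: verify the EAP-TLS/PEAP certificate prerequisites on this machine.
# The EKU OIDs are the standard values; the root thumbprint below is an assumption.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # required on a client computer certificate (EAP-TLS)
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # required on the IAS server certificate

function Test-EapComputerCertificate {
    param([string]$RequiredEku = $ClientAuthEku)

    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Only certificates carrying the required Enhanced Key Usage qualify.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEku })
        if (-not $hasEku) { continue }

        # Build the chain against the machine's Root store, as the EAP code will.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; IAS itself checks CRLs
        $chainsToRoot = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            ChainsToRoot  = $chainsToRoot
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            RootSubject   = $root.Subject
        }
    }
}

# A usable EAP-TLS computer certificate needs all four: EKU, private key, validity, trusted root.
Test-EapComputerCertificate |
    Where-Object { $_.HasPrivateKey -and $_.Valid -and $_.ChainsToRoot }

# Is the root CA that issued the IAS servers' certificates trusted on this client?
$iasRootThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed; use your root CA's
Test-Path "Cert:\LocalMachine\Root\$iasRootThumbprint"
```

Run with -RequiredEku $ServerAuthEku on an IAS server to apply the same test to the RADIUS server certificate. A certificate that fails only ChainsToRoot is the "root CA certificate not installed on the client" case from the paragraph above.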

Configuring IAS :
IAS is a component of Windows Server 2003 that provides RADIUS services capable of authenticating users based on information contained within Active Directory. When configuring the security of a wireless network, you must configure the IAS server to use specific authentication methods and to grant access to authorized users. This configuration is done by using two types of policies: remote access policies (RAP) and connection request policies (CRP).

The RAP controls how or whether a connection is authorized to the network. A RAP contains a set of policy conditions that determine whether that policy applies to a given connection request. When configuring a RAP for wireless network access, you can create policy conditions that specify the Active Directory security group that a client must be a member of, the time of day, or the connection type of the requesting client, as shown in Figure 10.3. A RAP is also configured to allow or deny the connection request. If there are multiple RAPs on an IAS server, each connection request is evaluated against them according to the priority until a matching RAP either allows or denies the request.

Regardless of the EAP type you choose, you can select a computer certificate that the IAS server will present to the wireless client. If the IAS server has only one computer certificate, this certificate will automatically be selected. If you choose the PEAP authentication method, you also have the option to enable fast reconnects. Generally, you should select the Enable Fast Reconnect check box on the Protected EAP Properties dialog box to improve performance when wireless clients switch from one WAP to another.

Configuring Wireless Clients :
The first step to configure a wireless client is to ensure that the computer has the software required to authenticate and connect to your wireless network. Computers running Windows 2000 require the Microsoft 802.1X Authentication Client, available from http://support.microsoft.com/?kbid=313664. Additionally, you must start the Wireless Zero Configuration service and set its startup type to Automatic. If you plan to use WPA with any Windows client, including Windows XP and Windows Server 2003, you must install the Windows WPA client update on all clients. You can download the client from http://support.microsoft.com/?kbid=815485.

Windows XP and Windows Server 2003 wireless clients have an Authentication tab in the properties dialog box for a wireless connection, as shown in Figure 10.7. On this tab, you can enable 802.1X authentication, specify and configure the EAP type, and choose the sets of credentials that the computer will use for the authentication.

Select the Enable Network Access Control Using IEEE 802.1X check box to use 802.1X authentication for the network connection. You can leave this option selected even if you have not yet configured 802.1X. If the check box is selected, the computer will attempt to perform an 802.1X authentication when the network interface is initialized. If the computer does not receive a response to its authentication requests, the computer behaves as though the connection does not require authentication. Leaving this check box selected therefore does no harm on networks that do not use 802.1X.

Use the EAP Type list to specify the EAP type to use for IEEE 802.1X authentication. By default, you can choose from Protected EAP (PEAP) and Smart Card Or Other Certificate. However, other options will be listed if an application has installed additional EAP libraries.

Module 8: Implementing Group Policy (70-290)

Procedure 1: creating and linking a Group Policy object:

To link a Group Policy object (GPO) at the time you create it, proceed as follows:

1. In the Group Policy Management console tree, expand the forest containing the domain in which you want to create and link a GPO, expand Domains, and then do one of the following:
• To create a GPO and link it to a domain, right-click the domain, and then click Create and Link a GPO Here.
• To create a GPO and link it to an organizational unit, expand the domain containing the organizational unit, right-click the organizational unit, and then click Create and Link a GPO Here.
2. In the New GPO dialog box, type the name of the new GPO, and then click OK.


Procedure 2: linking an existing Group Policy object:

To link an existing GPO to a site, a domain, or an organizational unit, proceed as follows:

1. In the Group Policy Management console tree, expand the forest containing the domain in which you want to link an existing GPO, and then expand Domains and the domain.
2. Right-click the domain, site, or organizational unit, and then click Link an Existing GPO.
3. In the Select GPO dialog box, click the GPO to link, and then click OK.

Procedure 3: filtering the scope of a Group Policy object:

To filter the scope of a GPO by using security groups, proceed as follows:

1. In the Group Policy Management console tree, expand the forest and the domain containing the GPO, expand Group Policy Objects, and then click the GPO.
2. In the details pane, click the Scope tab, and then, under Security Filtering, click Add.
3. In the Select User, Computer, or Group dialog box, type the name of the security principal in the Enter the object name to select box, and then click OK.
4. Click the Delegation tab, and then click Advanced.
5. In the Security Settings dialog box, configure the following advanced security setting:
- Set the Apply Group Policy permission to Deny for the security principal.
A Deny on Apply Group Policy takes precedence over any Allow the principal receives through other group memberships, so use it only for the exclusion case; to restrict a GPO to a group, it is cleaner to remove Authenticated Users from Security Filtering and add the group with Allow.
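The three procedures above expressed with the GroupPolicy PowerShell module. This is an added example, not code from the course material: the module exists only on Windows Server 2008 R2 or later (or the corresponding RSAT), not on the Windows Server 2003 GPMC the module describes, and the GPO name, domain and distinguished names are assumptions.

```powershell
# Added example: create/link a GPO and apply security filtering with the GroupPolicy module.
# GPO name, domain and DNs are assumptions.
Import-Module GroupPolicy

$domain   = 'contoso.com'
$targetOu = 'OU=Workstations,DC=contoso,DC=com'
$gpoName  = 'Wireless Network Policy'

# Procedure 1: create the GPO and link it to the OU in one step (link enabled).
$gpo = New-GPO -Name $gpoName -Domain $domain
New-GPLink -Name $gpo.DisplayName -Target $targetOu -LinkEnabled Yes -Domain $domain

# Procedure 2: link the existing GPO to another container, here the domain root.
New-GPLink -Name $gpoName -Target 'DC=contoso,DC=com' -Enforced No -Domain $domain

# Procedure 3 (allow-list form): restrict the GPO to one group by dropping Apply from
# Authenticated Users and granting Apply to the group. -Replace removes the existing
# permission level before setting the new one. Authenticated Users keeps Read: since
# the MS16-072 update the computer account must be able to read user-side GPOs.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace -Domain $domain
Set-GPPermission -Name $gpoName -TargetName 'Wireless-Computers' `
                 -TargetType Group -PermissionLevel GpoApply -Domain $domain   # assumed group

# The Deny on "Apply Group Policy" from step 5 cannot be expressed with Set-GPPermission
# (its levels are GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity, None); set it
# from Delegation > Advanced in GPMC, which writes the Deny ACE to both the AD object and
# the SYSVOL folder. Verify the resulting filter, including any Deny entries:
Get-GPPermission -Name $gpoName -All -Domain $domain |
    Select-Object Trustee, Permission, Denied
```

Get-GPPermission shows Denied as True for an entry created through Delegation > Advanced, which is how to confirm that a group excluded by step 5 really is excluded.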

