Securing your SBS 2003 network - Wireless access points

This article describes in detail how to secure your wireless access point with certificates and Microsoft's implementation of a RADIUS server, the Internet Authentication Service (IAS). Based on 'Configuring the IAS server and wireless access points for wireless access' I have written a manual that is customized for use on SBS 2003 Standard and Premium servers. The end result is 802.1X with EAP-TLS (Windows calls it 'Smart Card or other certificate'): every domain workstation gets a computer certificate from your own CA through Group Policy, the access point hands each association to IAS over RADIUS, and only a client that presents a certificate issued by your CA, and trusts the server's certificate in return, gets on the network.

In this document we use a Linksys WAP54G with firmware revision 3.04.


Configure your wireless access point to use a RADIUS server

  1. Configure your WAP to use a static IP address and set the default gateway to the SBS server's IP address.
  2. Set the SSID for the wireless network; in this example it is 'linksys'. I also set the mode to Wireless-G only because I don't have any old Wireless-B devices.
  3. The RADIUS server's IP address is the IP address your SBS runs on. In my case that is 192.168.16.2. Set the port to 1812 (RADIUS authentication) and create a shared secret that is at least 20 characters long. The easiest way is to use a password generator like the one at http://www.winguides.com/security/password.php. Keep the secret where you can copy it from later, because we need it again when we configure the Internet Authentication Service (the Microsoft RADIUS server); if you park it in a text file on your desktop, delete that file once IAS is configured. The shared secret is the only thing that authenticates the WAP to IAS and IAS to the WAP, so treat it like a password.

    Note: In this example we set encryption to TKIP, but if your hardware allows it you should use AES because it is more secure and probably quicker. After you have finished the configuration you can always change this setting in your WAP and in the wireless policy in the GPO. It is better to start with a lower setting and test it before you set it to a higher level; change it in both places, because a client whose policy says TKIP will not associate with a WAP that only offers AES. Below you will find an explanation of the differences between TKIP and AES encryption.
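The exchange that the WAP and IAS perform with the shared secret configured in step 3, as an added example that is not part of the original article. It implements the RFC 2865/2869 authenticator computations in Python; the server address 192.168.16.2 and port 1812 come from the article, while the secret, the WAP address 192.168.16.50, the packet identifier and the client identity host/laptop01.concentrix.local are constructed for the example.

```python
"""RADIUS authenticator maths between a wireless AP (NAS) and IAS (RFC 2865/2869).

Added example, not the article's own code. Constructed values: the shared
secret, identifier 7, WAP address 192.168.16.50 and the client identity.
"""
import hashlib
import hmac
import os
import secrets
import struct

RADIUS_AUTH_PORT = 1812                      # the port set on the WAP in step 3
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def generate_shared_secret(nbytes: int = 24) -> str:
    """Random secret from the OS CSPRNG: 24 bytes give 32 URL-safe characters,
    comfortably above the article's 20-character minimum."""
    return secrets.token_urlsafe(nbytes)


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Header Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attributes(pkt: bytes) -> list:
    """Return (type, offset, value) per attribute; reject inconsistent lengths."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((atype, pos, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(secret: str, ident: int, user_name: str, nas_ip: str) -> bytes:
    """WAP side. 802.1X/EAP requests must carry Message-Authenticator: HMAC-MD5
    over the whole packet (attribute zeroed) keyed with the shared secret."""
    request_auth = os.urandom(16)             # fresh random Request Authenticator
    attrs = [
        _attr(ATTR_USER_NAME, user_name.encode()),
        _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),   # placeholder, last attribute
    ]
    pkt = _packet(ACCESS_REQUEST, ident, request_auth, attrs)
    mac = hmac.new(secret.encode(), pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                    # overwrite the zeroed placeholder


def verify_message_authenticator(secret: str, pkt: bytes) -> bool:
    """IAS side: recompute the HMAC with its copy of the secret. A malformed packet
    or one without the attribute is unverified, as an EAP server must treat it."""
    try:
        attrs = parse_attributes(pkt)
    except ValueError:
        return False
    for atype, pos, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def build_response(secret: str, code: int, request: bytes, attrs: tuple = ()) -> bytes:
    """IAS side: Access-Accept/Reject with Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret.encode()).digest()
    return header + response_auth + body


def verify_response(secret: str, request: bytes, response: bytes) -> bool:
    """WAP side: trust the verdict only if the identifier matches the outstanding
    request and the Response Authenticator proves the sender knows the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = generate_shared_secret()
    req = build_access_request(secret, 7, "host/laptop01.concentrix.local", "192.168.16.50")
    print("IAS verifies request:", verify_message_authenticator(secret, req))
    accept = build_response(secret, ACCESS_ACCEPT, req)
    print("WAP verifies Access-Accept:", verify_response(secret, req, accept))
    forged = build_response("guessed-secret", ACCESS_ACCEPT, req)
    print("forged Access-Accept accepted:", verify_response(secret, req, forged))
```

Run it and the three lines show IAS accepting a well-formed request, the WAP accepting a genuine Access-Accept, and an Access-Accept forged with a guessed secret being refused. That last check is why the secret has to be long and random: everything the WAP trusts about the server's verdict rests on an MD5 of the packet plus the secret, so a short or guessable secret lets anyone on the LAN answer Access-Accept on the server's behalf.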

TKIP (Temporal Key Integrity Protocol) is an encryption protocol included as part of the IEEE 802.11i standard for wireless LANs (WLANs). It was designed to provide more secure encryption than the notoriously weak Wired Equivalent Privacy (WEP), the original WLAN security protocol. TKIP is the encryption method used in Wi-Fi Protected Access (WPA), which replaced WEP in WLAN products.

TKIP is a suite of algorithms that works as a "wrapper" around WEP, which allows users of legacy WLAN equipment to upgrade to TKIP without replacing hardware. TKIP uses the original WEP code but "wraps" additional code around it at the beginning and end to encapsulate and modify it. Like WEP, TKIP uses the RC4 stream cipher as its basis. The new protocol, however, encrypts each data packet with a unique key, and the keys are much stronger than those of its predecessor. To increase key strength, TKIP includes four additional algorithms:

  • A cryptographic message integrity check to protect packets
  • An initialization-vector sequencing mechanism that includes hashing, as opposed to WEP's plain text transmission
  • A per-packet key-mixing function to increase cryptographic strength
  • A re-keying mechanism to provide key generation every 10,000 packets.

While TKIP is useful for upgrading security on devices originally equipped with WEP, it does not address all of the security issues facing WLANs and may not be reliable or efficient enough for sensitive corporate and government data transmission. The 802.11i standard specifies the Advanced Encryption Standard (AES) in addition to TKIP. AES offers a higher level of security and is approved for government use, but requires a hardware upgrade for implementation. As organizations replace older wireless equipment, AES is expected to become the accepted encryption standard for WLAN security. Since this article was written, TKIP has been deprecated by the IEEE and the Wi-Fi Alliance because of published attacks on it; treat TKIP as a stop-gap until every client supports AES (WPA2), not as a final state.


Install certificate services and Internet Authentication Services

Before you can deploy WPA settings in a GPO (we do this later) you need to install hotfix 811233, 'Wi-Fi Protected Access (WPA) support for Wireless Network (IEEE 802.11) Policies is available for Windows Server 2003', or SBS 2003 SP1, which includes it.

  1. Open Add/Remove Programs and click 'Add/Remove Windows Components'.
  2. Check 'Certificate Services'. You will receive a warning that, once Certificate Services is installed, the computer name and domain membership of the server can no longer be changed; click 'Yes'.
  3. Scroll down, highlight 'Network Services' and click 'Details'.
  4. Check 'Internet Authentication Service' and click 'OK'.
  5. Back in the main Windows Components window, click 'Next'.
  6. We need to tell the Certificate Services installer what kind of CA to create. Choose 'Enterprise root CA' and leave the rest at the defaults; an enterprise CA is required because certificate templates and autoenrollment, which we rely on later, need Active Directory. Click 'Next'.
  7. Fill in the common name that identifies the CA. I use the domain name for this. You will see this name again when you select the trusted root CA in the wireless policy, so pick something you will recognise.
  8. Accept the default locations for the database and log as in figure 8 and click 'Next'. You will be warned that IIS will be stopped temporarily; click 'Yes'.
  9. Click 'Finish' to complete the installation of the Windows components we just added.

Enable authentication between the server and the wireless devices

For this we need to install a certificate on the server that IAS can present to the wireless clients during EAP-TLS. The Domain Controller template works for this because it includes the Server Authentication purpose.

  1. Start Menu -> Run, type 'mmc'. This starts an empty console. From the File menu choose 'Add/Remove Snap-in...'.
  2. Click 'Add'.
  3. Add the snap-in 'Certificates'.
  4. Check 'Computer account' and click 'Next'.
  5. Select 'Local computer' and click 'Next'.
  6. Click 'Close'.
  7. The Certificates snap-in has been loaded; click 'OK'.
  8. In the console expand 'Certificates (Local Computer)', right-click the 'Personal' store and choose 'All Tasks' -> 'Request New Certificate...'.
  9. The Certificate Request Wizard welcome page appears; click 'Next'.
  10. Choose the 'Domain Controller' certificate type and click 'Next'.
  11. Give the certificate a friendly name and a description. We will select this certificate by its friendly name in IAS later, so make it distinctive.
  12. The wizard shows a summary of the settings; click 'Finish'.
  13. Last but not least the system confirms that the certificate request succeeded. Click 'OK' and get some coffee for the next steps...

Configure Internet Authentication Service for a Wireless Access Point (WAP)

  1. From the Start menu choose Administrative Tools -> Internet Authentication Service. In IAS right-click 'RADIUS Clients' and choose 'New RADIUS Client'.
  2. Fill in a friendly name for the new RADIUS client and the static IP address of the wireless access point. IAS only answers requests from registered client addresses, so this must match the address you gave the WAP.
  3. Choose 'RADIUS Standard' from the 'Client-Vendor' list and fill in the shared secret you entered in the WAP earlier in this document. A mismatch here is the most common cause of silent failures: 802.1X requests always carry a Message-Authenticator, and a RADIUS server discards requests whose Message-Authenticator does not verify with the secret without answering them.
  4. The new RADIUS client is now listed.
  5. Create a new remote access policy that uses the domain controller certificate we requested earlier. Right-click 'Remote Access Policies' and choose 'New Remote Access Policy'.
  6. The wizard starts; click 'Next'.
  7. Keep the default 'Use the wizard to set up a typical policy' and give the policy a meaningful name.
  8. Choose 'Wireless' as the access method. This adds a condition on NAS-Port-Type (Wireless - IEEE 802.11 and Wireless - Other), so the policy only matches requests coming from access points.
  9. Grant access by group and add the group 'Domain Computers': with computer authentication it is the workstation's computer account that is authenticated, not the user.
  10. Select 'Smart Card or other certificate' (EAP-TLS) from the EAP type list and click 'Configure'.
  11. Be careful to choose the right certificate. You can identify it by the friendly name you gave it.
  12. Once the correct certificate has been chosen you are back in the previous window; click 'Next'.
  13. A summary of the settings we chose is shown; click 'Finish'.

Most of the work on the server is now done. What remains is a GPO that pushes the wireless settings to the workstations and has them request their computer certificates automatically. That is done in the next chapter.


Create a GPO that will set wireless settings and install certificates on the workstations

  1. From the Start menu choose 'Administrative Tools' -> 'Group Policy Management'. Right-click 'Group Policy Objects' and choose 'New'.
  2. Fill in a meaningful name for the new policy and click 'OK'.
  3. Right-click the new policy and choose 'Edit'.
  4. Browse to Computer Configuration -> Windows Settings -> Security Settings -> 'Wireless Network (IEEE 802.11) Policies', right-click in the right pane and choose 'Create Wireless Network Policy...'.
  5. The 'Wireless Network Policy Wizard' starts; click 'Next'.
  6. Set your 'Wireless Network Policy Name'.
  7. Select 'Edit properties' and click 'Next'.
  8. On the 'General' tab check the settings.
  9. On the 'Preferred Networks' tab click 'Add'.
  10. On the 'Network Properties' tab fill in the SSID, set 'Network Authentication' to 'WPA' and 'Data encryption' to 'TKIP'.

    Note: In this example we set encryption to TKIP, but if your hardware allows it you should use AES because it is more secure and probably quicker. After you have finished the configuration you can always change this setting in your WAP and in this wireless policy; change both, because the client only associates when the policy and the WAP agree. It is better to start with a lower setting and test it before you set it to a higher level.

  11. On the 'IEEE 802.1x' tab set 'EAPOL-Start message' to 'Transmit', 'EAP type' to 'Smart Card or other certificate' and, at the bottom, 'Computer authentication' to 'Computer only'. Then click the 'Settings' button below the EAP type list to continue.
  12. In the 'Smart Card or other Certificate Properties' window make sure 'Validate server certificate' is checked and fill in at 'Connect to these servers' the fully qualified name of the IAS server. My server's name is 'srv-ctrx' and my local domain is 'concentrix.local', so I enter 'srv-ctrx.concentrix.local'. Together with the trusted root CA selection below, this is what stops a client from completing EAP-TLS against a rogue access point backed by somebody else's RADIUS server. Now there is something strange in the 'Trusted Root Certification Authorities' list: I have the authority 'Concentrix' listed twice. Click 'View Certificate' to see the date each certificate was issued and check only the one made on the day you installed Certificate Services. The names in this list are the common names used when Certificate Services was installed. Click 'OK' when you are done.
  13. Click 'OK'.
  14. You are now back in the Group Policy Object Editor. Under 'Public Key Policies', right-click 'Autoenrollment Settings' and choose 'Properties'.
  15. On 'Autoenrollment Settings' select 'Enroll certificates automatically' and check both checkboxes ('Renew expired certificates, update pending certificates, and remove revoked certificates' and 'Update certificates that use certificate templates'). Click 'Apply' and 'OK'.
  16. Still under 'Public Key Policies', right-click 'Automatic Certificate Request Settings' and choose 'New' -> 'Automatic Certificate Request...'.
  17. The 'Automatic Certificate Request Setup Wizard' starts; click 'Next'.
  18. For the certificate template choose 'Computer' and click 'Next'. This is what gives every workstation the client certificate it presents to IAS.
  19. Click 'Finish' to close the wizard.
  20. Back in the main Group Policy Management console we need to decide where to link the new policy. In my opinion you should never link such a policy at domain level, but rather on the Computers OU under the MyBusiness OU, so that only the workstations receive the wireless settings and the certificate request. Right-click the 'Computers' OU and choose 'Link an Existing GPO...'.
  21. Choose the 'Small Business Server Wireless Lan Policy' (the name given in step 2) and click 'OK'.

Change ISA 2004 configuration to allow certificate request

I had configured everything for a secure wireless LAN just fine, and without ISA it worked, but as soon as I tried this with ISA 2004 installed it stopped working for new workstations. I could not understand why until I found the knowledge base article "The certificate request failed because of one of the following conditions" error message when you request a certificate in ISA Server 2004. The cause is that a certificate request talks to the CA over DCOM, and ISA's strict RPC compliance filter blocks DCOM traffic. The article describes what we need to do, but not very precisely for an SBS 2003 server. Here are the steps in detail:

  1. Open the ISA 2004 console, browse to 'Firewall Policy' and in the task pane on the right, under 'Tasks', choose 'Edit System Policy'.
  2. In the left pane choose 'Authentication Services' -> 'Active Directory'. Uncheck 'Enforce strict RPC compliance' and click 'OK'.
  3. Select the 'SBS Protected Networks Access Rule', right-click it and choose 'Configure RPC Protocol'.
  4. Uncheck 'Enforce strict RPC compliance'.
  5. Click 'Apply' to save the changes and update the configuration.

    Note: Both rules concern traffic between the internal network and the server itself. Before you loosen them, check that no rule on the external interface allows RPC, so that the relaxed filter is only reachable from inside.

Configure and test your wireless Lan on Windows XP clients

On the Windows XP clients make sure you use the native Windows XP wireless client, the 'Wireless Zero Configuration' service, because the wireless settings in the GPO only apply to it. Any third-party wireless utility should be uninstalled.

  1. Open Control Panel, double-click 'Administrative Tools' and choose 'Computer Management'.
  2. Open 'Services' and scroll down to 'Wireless Zero Configuration'. If it is not set to start automatically, change that and start the service. If all is OK, close the window.
  3. Connect your laptop to the server with a cable and run gpupdate /force from a command prompt. Answer 'Y' to log off, then log on to your laptop again. The wired connection is needed the first time because the computer certificate has to be enrolled before the laptop can authenticate over wireless at all.
  4. Check the Application event log for a successful 'AutoEnrollment' event. If you don't have one, something is wrong; you can also confirm the result by looking for the new Computer certificate in the local computer's 'Personal' store with the Certificates snap-in. If you have other policy-related errors in the event log, fix those first; that is out of the scope of this article.
  5. From Control Panel open 'Network Connections', right-click 'Wireless Network Connection' and choose 'Properties'.
  6. On the 'Wireless Networks' tab check that the network you added in the GPO on the server appears under 'Preferred networks'.

Troubleshooting the Wireless connection

If something does not work we need information about why. The first thing to do is to enable logging in IAS.

  1. From the Start menu on the server choose 'Administrative Tools' -> 'Internet Authentication Service'. Choose 'Remote Access Logging' and in the right pane right-click 'Local File' and choose 'Properties'.
  2. On the 'Settings' tab check all three options (accounting requests, authentication requests and periodic status). The settings on the 'Log File' tab can remain at their defaults, but if you want to store the logging in a SQL database you change that here. Click 'OK'. The IAS log files are stored in C:\WINDOWS\system32\LogFiles. Also look at the System event log on the server: IAS writes an event for every accepted and rejected request there, including the policy name and the reason.
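A way to read the log you just enabled, as an added example that is not part of the original article. It summarises an IAS log written in the 'Database-compatible' format (chosen on the 'Log File' tab) per client MAC address, so you can see at a glance which wireless clients were rejected and with which reason code. The column positions are my assumption about the database-compatible layout (packet type in column 5, user name in 6, Calling-Station-Id in 9, client friendly name in 17, NAS-Port-Type in 20, policy name in 25, reason code in 26, counting from 1) and the partial reason-code table is likewise an assumption; verify both against your own file before relying on the output. The log records are constructed for the example.

```python
"""Summarise IAS database-compatible log records per wireless client.

Added example, not the article's own code. Column numbers and the reason-code
table are assumptions about the IAS format; the sample records are constructed.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# RADIUS packet codes written in the Packet-Type column (RFC 2865).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# Partial table of IAS reason codes (assumption). Unknown codes are shown as numbers.
REASON = {0: "success",
          16: "authentication failure",
          48: "no remote access policy matched",
          66: "authentication type not allowed by policy",
          70: "NAS-Port-Type not allowed by policy"}

# 1-based column numbers in the database-compatible format (assumption, see lead-in).
COL_PACKET_TYPE, COL_USER_NAME, COL_CALLING_STATION = 5, 6, 9
COL_CLIENT_NAME, COL_NAS_PORT_TYPE, COL_POLICY, COL_REASON = 17, 20, 25, 26
WIRELESS_PORT_TYPES = {"18", "19"}   # RFC 2865: Wireless - Other, Wireless - IEEE 802.11


def make_record(packet_type, user, mac, nas_port_type="19", client="Linksys WAP",
                policy="", reason=""):
    """Build one 32-column database-compatible line (constructed test data)."""
    cols = [""] * 32
    cols[0], cols[1], cols[2], cols[3] = "SRV-CTRX", "IAS", "03/12/2005", "21:14:02"
    cols[COL_PACKET_TYPE - 1] = str(packet_type)
    cols[COL_USER_NAME - 1] = user
    cols[COL_CALLING_STATION - 1] = mac
    cols[COL_CLIENT_NAME - 1] = client
    cols[COL_NAS_PORT_TYPE - 1] = nas_port_type
    cols[COL_POLICY - 1] = policy
    cols[COL_REASON - 1] = reason
    buf = StringIO()
    csv.writer(buf, lineterminator="\n").writerow(cols)
    return buf.getvalue()


# Constructed sample: one laptop accepted, one rejected on its certificate, an
# unknown device matching no policy, and a non-wireless request that is ignored.
SAMPLE_LOG = "".join([
    make_record(1, "host/laptop01.concentrix.local", "00-0E-35-11-22-33"),
    make_record(2, "host/laptop01.concentrix.local", "00-0E-35-11-22-33",
                policy="Concentrix Wireless Lan", reason="0"),
    make_record(1, "host/laptop02.concentrix.local", "00-0E-35-44-55-66"),
    make_record(3, "host/laptop02.concentrix.local", "00-0E-35-44-55-66",
                policy="Concentrix Wireless Lan", reason="16"),
    make_record(1, "visitor", "00-1B-77-88-99-AA"),
    make_record(3, "visitor", "00-1B-77-88-99-AA", reason="48"),
    make_record(3, "vpnuser", "", nas_port_type="5", client="RRAS", reason="16"),
])


def summarize(log_text):
    """Per Calling-Station-Id (client MAC): accept/reject counts and reason codes,
    for wireless NAS-Port-Types only. Requests and accounting records are skipped."""
    result = defaultdict(lambda: {"user": "", "accept": 0, "reject": 0, "reasons": Counter()})
    for cols in csv.reader(StringIO(log_text)):
        if len(cols) < COL_REASON:
            continue                                   # short or garbled line
        if cols[COL_NAS_PORT_TYPE - 1] not in WIRELESS_PORT_TYPES:
            continue                                   # VPN/dial-up, not our concern here
        ptype = int(cols[COL_PACKET_TYPE - 1] or 0)
        if ptype not in (ACCESS_ACCEPT, ACCESS_REJECT):
            continue                                   # only verdicts
        mac = cols[COL_CALLING_STATION - 1] or "(no Calling-Station-Id)"
        entry = result[mac]
        entry["user"] = cols[COL_USER_NAME - 1]
        if ptype == ACCESS_ACCEPT:
            entry["accept"] += 1
        else:
            entry["reject"] += 1
            entry["reasons"][int(cols[COL_REASON - 1] or -1)] += 1
    return dict(result)


def rejected_clients(summary):
    """MACs that were rejected and never accepted: the ones to look at first."""
    return sorted(m for m, e in summary.items() if e["reject"] and not e["accept"])


def report(summary):
    """Human-readable lines, one per client, with reason codes translated."""
    lines = []
    for mac, e in sorted(summary.items()):
        reasons = ", ".join(f"{REASON.get(code, 'reason ' + str(code))} x{n}"
                            for code, n in e["reasons"].items())
        line = f"{mac} {e['user']}: accepted {e['accept']}, rejected {e['reject']}"
        lines.append(line + (f" [{reasons}]" if reasons else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    # For a real run, read the log file from C:\WINDOWS\system32\LogFiles instead.
    s = summarize(SAMPLE_LOG)
    print(report(s))
    print("investigate:", rejected_clients(s))
```

Reason 16 on a domain laptop usually means the certificate side is wrong (no computer certificate yet, or the server certificate not trusted), whereas reason 48 for an unknown identity means no policy matched, which is exactly what you want to see for a device that is not a member of the domain.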

Final lockdown of your Wireless network

The default encryption settings in the profile of the remote access policy allow any encryption level and even no encryption at all. This is something we want to change.

  1. Open Internet Authentication Service from Administrative Tools. Right-click the remote access policy you created, in our case the 'Concentrix Wireless Lan' policy, and choose 'Properties'.
  2. Click 'Edit Profile'.
  3. On the 'Encryption' tab uncheck everything except 'Strongest encryption (MPPE 128 bit)'.

    Note: If any of your wireless devices can no longer connect you will probably need to upgrade the firmware or buy more capable hardware. Another option is to lower the requirement to 56 bit. Just try it and find out what works best for you.

    Caveat: these settings reach the access point as the MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types RADIUS attributes, which Microsoft's own remote access server honours; whether a third-party WAP enforces them is up to its firmware. The encryption of the wireless link itself (TKIP or AES) is decided by the WAP and the wireless GPO, so treat this step as an extra check on top of WPA rather than as the setting that protects the traffic, and verify the outcome in the IAS log.

About www.server-essentials.com 

www.server-essentials.com was founded by Mariette Knap, a Dutch Microsoft MVP. It is a community for IT consultants, business owners who take care of their own IT infrastructure, and employees who do that little extra in the company to keep things running. Our forum is for discussing all things 'IT' and more. Our documentation is written by and for the community.
