Using Wireless Security & Configuring Wireless on Windows 7

One of the great strengths of mobile computers is their ability to connect to wireless networks. Today, most mobile computers come with built-in wireless capabilities, and you can connect to wireless networks within the company and in public places.
Windows 7 supports all the standard wireless protocols. If your wireless devices and wireless NICs support it, so does Windows 7. This includes 802.11a, 802.11b, 802.11g, and 802.11n. Windows 7 also supports the newer WPA2 authentication options that significantly improve wireless network security. In this section, you'll learn about
  • Using wireless security
  • Configuring wireless on Windows 7
  • Connecting to a wireless network
  • Troubleshooting wireless connections

1. Using Wireless Security

When wireless networks were first designed, the primary goal was ease of use. The designers wanted to make it easy to discover, connect to, and use wireless networks. They did a great job. However, security was more of an afterthought.
They came up with Wired Equivalent Privacy (WEP) to provide the same level of privacy for a wireless network as you'd have in a wired network. Unfortunately, WEP had significant problems and was later cracked. Attackers could download software from the Internet and easily crack WEP-protected networks.
Wi-Fi Protected Access (WPA) is the first improvement over WEP. One of the primary benefits of WPA is that it is compatible with most of the same hardware that used WEP. WPA was intended to be an interim fix for WEP until a more permanent solution was identified. Although WPA is more secure than WEP, attackers have cracked it.
Wi-Fi Protected Access 2 (WPA2) is the permanent fix for WEP. It is also known as 802.11i. If you have a choice among WEP, WPA, and WPA2, use WPA2. WPA2 provides the strongest security.
WEP is not recommended for use today. You should use at least WPA, but use WPA2 whenever possible. WEP is easy to crack. Even though WPA has vulnerabilities, it isn't as vulnerable as WEP.

When configuring Windows 7 to connect to a wireless network, you should have an understanding of the security types and encryption types available. First, it's important to understand what each of these is doing:

Security type
The security type identifies the type of authentication used. Authentication is used to verify a client prior to allowing access.

Encryption type
After the client connects, the data can be encrypted. This provides confidentiality by preventing others from being able to read the data. Advanced Encryption Standard (AES) is a strong, efficient encryption algorithm. WEP can also be selected as an encryption type for some security types. However, WEP is the weakest.
Consider Figure 1. It shows the security settings for a wireless profile named WileyNetwork. As you can see, it is using the WPA2-Enterprise security type and AES as the encryption type. These are the strongest settings available.
Figure 1. Wireless profile security settings

This figure also shows the Choose A Network Authentication Method drop-down box. These selections are available only for the WPA-Enterprise and WPA2-Enterprise security types. The Microsoft: Smart Card Or Other Certificate option (selected in the figure) is the strongest authentication method available. You can also choose the Microsoft: Protected EAP (PEAP) authentication method.
It's important to realize that you must match these settings to the wireless network. In other words, if your network is using a wireless access point with WPA2-Personal, you must configure Windows 7 to use WPA2-Personal. Otherwise, the Windows 7 system won't connect.
Windows 7 supports the following security types:
No Authentication (Open)
This uses no authentication. It is not recommended for use in a production environment but can be used for testing.
You can select either WEP or None for encryption. If you select WEP, you also need to enter a pre-shared key (PSK). This is also known as a password or passphrase. You need to enter the same PSK on the Windows 7 system as is used on the wireless device.
Shared
Shared uses a PSK for authentication and WEP for encryption. WEP uses the same PSK that you enter for authentication. Shared is not recommended for use in a production environment but can be used for testing. It is marginally better than No Authentication (Open) but can be easily cracked.
WPA-Personal
WPA-Personal uses a pre-shared key for authentication. This PSK provides limited authentication.
You can select either Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) for encryption. TKIP is compatible with older hardware, but AES is preferred if your hardware supports it.
WPA-Enterprise
WPA-Enterprise is similar to WPA-Personal except that it uses an 802.1x server for authentication. The 802.1x server distributes the keys to each client instead of the clients using a PSK. It can use either smart cards or Protected Extensible Authentication Protocol (PEAP) for authentication. Smart cards provide better security, but they also require more resources on your network. For example, you must have a Public Key Infrastructure (PKI) to issue certificates for the smart cards.
You can select either AES or TKIP for encryption. AES is preferred.
WPA2-Personal
WPA2-Personal is similar to WPA-Personal except it uses the stronger WPA2 authentication instead of WPA. WPA2-Personal uses a PSK. You enter the same PSK on the Windows 7 system and the wireless devices.
You can select either AES or TKIP for encryption. AES is preferred.
WPA2-Enterprise
WPA2-Enterprise is the strongest security type available with Windows 7. It uses an 802.1x server for authentication just as WPA-Enterprise does. It can use either smart cards or PEAP for authentication. Smart cards provide the best authentication.
You can select either AES or TKIP for encryption. AES is preferred.
802.1x
The 802.1x security type was intended to provide better protection for WEP by providing a better authentication mechanism when WEP was used. With WEP no longer recommended, this is also not recommended.
802.1x uses WEP for encryption.
There's an important distinction when using 802.1x servers. The 802.1x security type is not recommended because it uses WEP, and WEP is not secure. However, WPA-Enterprise and WPA2-Enterprise both use 802.1x servers. WPA2-Enterprise provides the best security, and it is recommended for use in enterprise environments.

Both WPA and WPA2 can use either Personal or Enterprise mode. When Personal is used (as in WPA-Personal or WPA2-Personal), it uses a pre-shared key (PSK). This PSK can be a password or passphrase. When Enterprise is used (as in WPA-Enterprise or WPA2-Enterprise), an 802.1x server is used.
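The following PowerShell script is an added example, not part of the original page. It maps the authentication and encryption values found in WLAN profile XML (the format written by netsh wlan export profile) to the security types listed above and rates each profile by the page's advice. The sample profiles are constructed, the names New-SampleProfile and Get-WlanProfileRating are hypothetical, and the rating labels are the example's own.

```powershell
# Added example. Written for PowerShell 2.0, which ships with Windows 7.
# Rates WLAN profile XML in the format written by:
#   netsh wlan export profile folder=<directory>
function Get-WlanProfileRating {
    param([Parameter(Mandatory = $true)][string]$ProfileXml)

    $p    = ([xml]$ProfileXml).WLANProfile
    $ae   = $p.MSM.security.authEncryption
    $auth = [string]$ae.authentication    # open, shared, WPA, WPAPSK, WPA2, WPA2PSK
    $enc  = [string]$ae.encryption        # none, WEP, TKIP, AES
    $oneX = ([string]$ae.useOneX -eq 'true')
    # SelectSingleNode avoids confusion with the XmlElement.Name property.
    $name = $p.SelectSingleNode("*[local-name()='name']").InnerText

    # Map schema values to the security-type names used in the Windows 7 dialog.
    switch ($auth) {
        'open'    { if ($oneX) { $type = '802.1x' } else { $type = 'No Authentication (Open)' } }
        'shared'  { $type = 'Shared' }
        'WPAPSK'  { $type = 'WPA-Personal' }
        'WPA'     { $type = 'WPA-Enterprise' }
        'WPA2PSK' { $type = 'WPA2-Personal' }
        'WPA2'    { $type = 'WPA2-Enterprise' }
        default   { $type = "Unknown ($auth)" }
    }

    # Rating labels are this example's own, following the advice in the text.
    if ($type -like 'Unknown*') {
        $rating = 'Review manually'
    } elseif ($enc -eq 'none' -or $enc -eq 'WEP') {
        $rating = 'Weak: no encryption or WEP'
    } elseif ($enc -eq 'TKIP') {
        $rating = 'Acceptable: switch to AES if the hardware supports it'
    } elseif ($type -like 'WPA2-*') {
        $rating = 'Preferred'
    } else {
        $rating = 'Acceptable: move to WPA2 if the hardware supports it'
    }

    New-Object PSObject -Property @{
        Name = $name; SecurityType = $type; Encryption = $enc; Rating = $rating
    }
}

# Constructed sample profiles (minimal XML, only the elements the audit reads).
function New-SampleProfile($name, $auth, $enc, $oneX) {
    "<WLANProfile xmlns='http://www.microsoft.com/networking/WLAN/profile/v1'>" +
    "<name>$name</name><SSIDConfig><SSID><name>$name</name></SSID></SSIDConfig>" +
    "<connectionType>ESS</connectionType><MSM><security><authEncryption>" +
    "<authentication>$auth</authentication><encryption>$enc</encryption>" +
    "<useOneX>$oneX</useOneX></authEncryption></security></MSM></WLANProfile>"
}

$samples = @(
    (New-SampleProfile 'WileyNetwork'  'WPA2'    'AES'  'true'),
    (New-SampleProfile 'HomeSweetHome' 'WPA2PSK' 'AES'  'false'),
    (New-SampleProfile 'OldPrinter'    'WPAPSK'  'TKIP' 'false'),
    (New-SampleProfile 'LegacyLab'     'open'    'WEP'  'true'),
    (New-SampleProfile 'GuestOpen'     'open'    'none' 'false')
)

$samples | ForEach-Object { Get-WlanProfileRating $_ } |
    Select-Object Name, SecurityType, Encryption, Rating | Format-Table -AutoSize
```

To audit a real system, export the saved profiles to a folder and pass the text of each XML file to Get-WlanProfileRating, for example with [IO.File]::ReadAllText.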

2. Configuring Wireless on Windows 7

You can configure a Windows 7 computer to work with three different wireless configurations. You can connect to a wireless access point or a wireless router in a network. You can also configure a Windows 7 system to connect to an ad hoc network.
2.1. Wireless Access Point
A wireless access point (WAP) can be used to provide access from a wireless device to a wired network. WAPs are commonly used in larger networks to provide this access.
Figure 2 shows how a Windows 7 system can connect to a WAP in a network. Once the Windows 7 system is connected, it can access resources in the network just as if it were a wired computer.
Figure 2. Wireless access point in a network

The wireless client will be able to connect to servers in the network. If other clients have Internet access, the wireless client will also have Internet access.
2.2. Wireless Routers
A wireless router is a WAP with additional capabilities. Many small offices, home offices (SOHOs) and home users commonly use a wireless router. Figure 3 shows how a wireless router can be used to provide connectivity for users in a network.
Figure 3. Wireless router in a network

The wireless client is able to connect to the wireless router and have access to the same resources as the wired user. Notice how the router has connectivity with the Internet. On the Internet side, it would have a public IP address issued from the Internet service provider. On the internal network side, it would have a private IP address. In addition to being a router, it would also have network address translation (NAT) capabilities to translate the internal private IP addresses to external public IP addresses.
Most wireless routers also have DHCP capabilities. DHCP is used to issue TCP/IP configuration to internal clients. This includes IP addresses, subnet masks, default gateway addresses, DNS addresses, and more.
2.3. Ad Hoc Network
Ad hoc is a Latin phrase that essentially means "as needed." An ad hoc network is a wireless network without a wireless access point or wireless router. Imagine that you and a friend or two want to connect your computers to share some data or even play a game. If all three of your computers have wireless capabilities, you can create an ad hoc network.
Figure 4 shows three wireless users configured in an ad hoc wireless network. One of the computers creates the ad hoc network, and the other two computers connect to it.
An ad hoc network is created for a specific purpose but is usually destroyed when users disconnect. However, it is possible to save the network profile for later use.
Figure 5 shows the screen used to create the ad hoc network. You need to give the network a name. In the figure, I've called it TempAdHoc. You also need to identify the security type and the security key that will be used. The security key is a pre-shared key such as a password or passphrase. All participants in the ad hoc network need to use the same security type and PSK.
Figure 4. A wireless ad hoc network

Figure 5. Creating a wireless ad hoc network

You can get to the screen shown in Figure 5 by clicking Control Panel => Network And Internet => Network And Sharing Center. You can also get to the Network and Sharing Center by entering Network in the Control Panel Search box and selecting Network And Sharing Center. From there, click Manage Wireless Networks. Click Add and select Create An Ad Hoc Network.
The Manage Wireless Networks screen will appear only on clients that have wireless NICs. If your system doesn't have a wireless NIC installed, you will not see this choice.

Ad hoc networks support three security types:
No Authentication (Open)
Data is sent in the clear. Generally, this is not recommended. However, gamers may choose this for better performance over a wireless network.
WEP
If older computers support only WEP, you can use this. It has known vulnerabilities but is better than nothing to secure the connection.
WPA2-Personal
WPA2-Personal provides the best security. An ad hoc network does not support WPA2-Enterprise.
NOTE
WPA-Personal is not available as a choice for ad hoc networks. WPA Enterprise and WPA2 Enterprise aren't available as choices either, because you are connected only between peers. Enterprise choices require a separate 802.1x server to be used for authentication.
The security key is a shared secret. Each user will need to enter the same security key in their wireless profile to connect to the ad hoc network.
Last, if you want to save the ad hoc network for later use, you can check the Save This Network box, as shown in Figure 5 earlier. It will save this as an ad hoc profile that can be used later.
Only the first computer needs to create the ad hoc network. Once it's created, other computers can connect to it as if it was a wireless network connection.

3. Connecting to a Wireless Network

If you're running Windows 7 and want to connect to a wireless network, you'll need to create a wireless profile. First, ensure you have the correct information on the wireless network. You'll need to know the following:
  • The name of the wireless network
  • The security type used by the wireless network
  • The encryption type used by the wireless network
  • The security key if one is used
The name of the wireless network is also called the Service Set Identifier (SSID). Wireless devices come with default names such as Linksys. However, it's common for administrators to rename the SSID.

Figure 6 shows the screen used to create a wireless profile. For this figure, the network name is WileyNetwork. It is using WPA2-Personal and AES. The PSK is IL0veWindows7.
Figure 6. Creating a wireless profile

Notice in the figure that the Start This Connection Automatically box is checked. This will ensure that Windows 7 will connect to this wireless network when it is in range. If WileyNetwork is configured to broadcast the SSID, the Windows 7 system will detect the broadcast and automatically connect.
You can get to the screen shown in Figure 6 by clicking Control Panel => Network And Internet => Network And Sharing Center. Click Manage Wireless Networks. Click Add and select Manually Create A Network Profile.
Once you have created the wireless profile, you can access it from the Network and Sharing Center. Figure 7 shows the Network and Sharing Center with a computer named DRG connected to a wireless network named HomeSweetHome.
Figure 7. Network and Sharing Center

You can click the Connect Or Disconnect link to connect to another wireless network. If the system wasn't connected, this link would be labeled Connect To A Network. You can also click the Connect To A Network link in the Change Your Networking Settings section.
As a reminder, the extra menu item in the left pane, Manage Wireless Networks, will appear only if the computer has a wireless adapter installed. If your computer doesn't have a wireless adapter, you won't see it. 

Exercise: Creating a Network Profile

  1. Launch the Network and Sharing Center. Click Start => Control Panel => Network And Internet => Network And Sharing Center.
  2. Click Manage Wireless Networks.
  3. Click Add. Click Manually Create A Network Profile.
  4. Enter the name of the wireless network (SSID) in the Network Name text box.
  5. Select the security type used by the wireless network. This can be WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, or 802.1x.
  6. Select the encryption type. This is also dependent on the wireless network settings.
  7. If the security type requires a security key, enter it in the Security Key text box. This is also known as the pre-shared key, or PSK.
  8. If you want to connect to this network whenever it is in range, ensure that Start This Connection Automatically is checked.
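
The same profile can be created from the command line. The following PowerShell script is an added example, not part of the original page: it builds the profile XML for the WPA2-Personal/AES settings shown in Figure 6 and imports it with netsh wlan add profile. The function names are hypothetical, and the network name and PSK are the ones the page uses for Figure 6.

```powershell
# Added example. Written for PowerShell 2.0, which ships with Windows 7.
function New-Wpa2PersonalProfileXml {
    param(
        [Parameter(Mandatory = $true)][string]$Ssid,
        [Parameter(Mandatory = $true)][string]$Passphrase,
        [bool]$AutoConnect = $true    # same as Start This Connection Automatically
    )
    # A WPA2-Personal passphrase is 8 to 63 characters; an SSID is at most 32 bytes.
    if ($Passphrase.Length -lt 8 -or $Passphrase.Length -gt 63) {
        throw 'Passphrase must be 8 to 63 characters.'
    }
    $ssidBytes = [Text.Encoding]::UTF8.GetByteCount($Ssid)
    if ($ssidBytes -lt 1 -or $ssidBytes -gt 32) { throw 'SSID must be 1 to 32 bytes.' }

    $mode = 'manual'
    if ($AutoConnect) { $mode = 'auto' }
    # Escape &, <, > and quotes so the values cannot break the XML.
    $n = [Security.SecurityElement]::Escape($Ssid)
    $k = [Security.SecurityElement]::Escape($Passphrase)
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$n</name>
  <SSIDConfig><SSID><name>$n</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>$mode</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>$k</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"@
}

function Add-WlanProfileFromXml {
    param([Parameter(Mandatory = $true)][string]$ProfileXml)
    $file = Join-Path $env:TEMP ('wlan-' + [Guid]::NewGuid().ToString() + '.xml')
    try {
        [IO.File]::WriteAllText($file, $ProfileXml)
        netsh wlan add profile filename="$file" user=current
    } finally {
        # The file holds the passphrase in clear text, so always delete it.
        if (Test-Path $file) { Remove-Item $file -Force }
    }
}

# Build the Figure 6 profile and confirm the settings by parsing the XML back.
$xml = New-Wpa2PersonalProfileXml -Ssid 'WileyNetwork' -Passphrase 'IL0veWindows7'
$ae  = ([xml]$xml).WLANProfile.MSM.security.authEncryption
'{0} / {1}' -f $ae.authentication, $ae.encryption

# On a computer with a wireless NIC, import the profile:
# Add-WlanProfileFromXml $xml
```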

4. Setting Up Connections

The Network and Sharing Center includes other tools to make the setup and connection of wireless networks easy. You can click Set Up A New Connection Or Network in the Change Your Networking Settings section.
Figure 8 shows this screen. You can use this to launch several different wizards for different types of connectivity. Some of these wizards are for wireless connections. Some are for remote access connections.
This screen gives the following choices:
Connect To The Internet
You would use this to set up a broadband or dial-up connection. Broadband includes digital subscriber line (DSL) or cable connections. Dial-up includes traditional phone lines and the faster Integrated Services Digital Network (ISDN) connections.
Set Up A New Network
You can use this to configure some wireless routers or access points. While this may work, you'll probably have better luck following the directions of the manufacturer for the wireless device.
Manually Connect To A Wireless Network
You can use this to connect to a hidden network, connect to an ad hoc network, or create a new wireless profile. A hidden network is one where the SSID is not broadcasting. You saw this screen earlier in Figure 6. This is just a different path to get to the same place. After you enter the network name, the security type, encryption type, and security key (if used), you'll be able to connect.
Connect To A Workplace
You can use this to create a connection to a remote access server. It allows you to create either a dial-up connection to your workplace or a VPN connection.
Set Up A Dial-up Connection
You can use this to create a dial-up connection to your Internet service provider. You'll need to have the phone number and credentials provided by the ISP. Although most urban areas have high-speed Internet access, many rural areas are still using dial-up.
Set Up A Wireless Ad Hoc (Computer-To-Computer) Network
You can use this option to create the ad hoc network from this wizard, and then other users can connect using the Manually Connect To A Wireless Network option. This choice is not shown in the figure but can be viewed by scrolling down.
Figure 8. Creating connections


5. Troubleshooting Wireless Connections

Occasionally, things don't work as planned. There are a few things you can check to troubleshoot the connection:
  • Signal strength
  • Security settings
  • Network diagnostics
5.1. Signal Strength
If the signal strength of the wireless network is low, your computer may not be able to connect to it. If you're unable to connect, you can easily check the signal strength.
As background, wireless technologies often advertise specific speeds. For example, 802.11g advertises speeds of 54 Mbps. However, this is not the guaranteed speed. Instead, this is the fastest speed it can achieve without errors.
When a wireless system connects with the wireless device, it attempts to connect at the fastest speed without errors. If the WAP and the wireless client are close, they may use the maximum speed. However, if distance and barriers such as walls separate the two devices, the speed may be substantially slower.
NOTE
Hobbyists and attackers have played around with methods to increase the range of wireless networks for a long time. One well-known method uses a directional Pringles potato chip can. A wire is attached to the base of an empty Pringles can and then to the wireless NIC. The Pringles can is then pointed to the wireless network. Some people have reported getting a signal from more than a mile away using this method.
At some point, the devices will determine that the signal is just not strong enough and they can't connect. You can check the signal strength by clicking Connect To A Network from the Network and Sharing Center. You can hover your mouse over any of the connections to see additional details. Figure 9 shows the display.
Figure 9. Checking signal strength

Although not apparent in a black-and-white picture, the strength is shown by colored bars. The more colored bars, the better the signal strength. If the signal is not readable, it will be listed as No Signal.
In the figure, I've hovered over the HomeSweetHome connection. It shows Signal Strength as Excellent. Notice that it also shows Security Type, Radio Type, and SSID.
5.2. Security Settings
In addition to checking the signal, you can also verify the security settings of the wireless profile. The simplest thing to do is double-check the settings.
You can access the settings for a wireless profile after clicking Manage Wireless Networks from the Network and Sharing Center. You can also access these profiles by launching Control Panel, entering Wireless in the Control Panel Search box, and selecting Manage Wireless Networks. Right-click any profile and select Properties.
Double-check the following settings:
  • Network Name
  • Security Type
  • Encryption Type
  • Security Key
A common problem you may see with mobile computers is that the wireless capability is turned off. Some mobile computers do this automatically to save power. You can usually turn it on from a switch somewhere on the laptop. For example, my HP Pavilion laptop has a touch switch. When I touch it, it turns orange indicating it's off. If I touch it again, it turns blue indicating it's on.

5.3. Network Diagnostics
Network Diagnostics in Windows 7 can identify and resolve many problems with network connections. This includes both wired and wireless connectivity issues.
Some of the troubleshooting wizards in earlier Windows versions didn't always provide real help for professional administrators. They may have been useful for basic users but not for the professionals. However, the Network Diagnostics tool is clearly valuable to both basic users and advanced troubleshooters.
Microsoft mentions that the Network Diagnostics tool can diagnose more than 180 different issues. I'm stressing this because you may think of the older wizards and overlook this tool. This and other troubleshooting wizards are truly valuable.
You can also launch Network Diagnostics from the Network and Sharing Center. Click the Troubleshoot Problems link in the Change Your Network Settings section.

Network Diagnostics works best with native Wi-Fi drivers. You can check to ensure that your system is using native drivers with the following command prompt command: netsh wlan show drivers. The type should be listed as Native Wi-Fi Driver. If it is listed as Legacy Wi-Fi Driver, you should update the driver to get the best performance from the diagnostics.

Exercise: Running Network Diagnostics on a Wireless Connector

  1. Launch the Network and Sharing Center. Click Start => Control Panel => Network And Internet => Network And Sharing Center.
  2. Click Change Adapter Settings. Select your wireless connection. Your display will look something like the following graphic. Note that the commands available on the toolbar change based on the connection you select.


  3. Select Diagnose This Connection. This will run a wide range of diagnostics and lead you through the steps needed to resolve the problem.
  4. If you're unable to resolve the problem with the diagnostics, check the System log in Event Viewer. The Network Diagnostics Wizard logs events with a source of Diagnostics Networking.


