Wireless Login help please

Guest

Archived from groups: microsoft.public.windowsxp.security_admin

My domain has 8000 laptops we give to our high school kids. I hear you! To
further complicate our lives, they are all wireless. If there is a way for
them to download and share music or surf porn on campus, they'll find it.
My shop's challenge is to stop them and help direct them to more educational
subjects while trying to stop them from crashing the domain controllers /
NAS boxes. We have several fine products to help us but where there is a
kid, there is a way. Our recent trouble is kids have figured out to just
close their lids at home where they have a home wireless network. When they
open their laptops they get a new IP address and are able to bypass all the
stops we have in place.

Now our challenge is to have the kids, when they get a new school IP
address, force them to log in to our network so they get the updates and
GPOs. We're toying with Microsoft Certificates but we have issues. Namely,
we have no experience with certificates or whether this is the right path to
achieve what we want.

Anyone want to weigh in?

Thanks!

Fred
 
Guest

A) Why are your DCs and whatnot on the same subnet as your wireless kids?
B) Why don't you have firewalls between the DCs and whatnot in place?

If all it takes to get round your security measures is getting an IP
address, then you've got some pretty big problems.

Matt Gibson - GSEC


"Fred T" <fredt2@mail.com> wrote in message
news:%23g6C%23HHRFHA.3496@TK2MSFTNGP12.phx.gbl...
> My domain has 8000 laptops we give to our high school kids. I hear you!
> To further complicate our lives, they are all wireless. If there is a way
> for them to download and share music or surf porn on campus, they'll find
> it. My shop's challenge is to stop them and help direct them to more
> educational subjects while trying to stop them from crashing the domain
> controllers / NAS boxes. We have several fine products to help us but
> where there is a kid, there is a way. Our recent trouble is kids have
> figured out to just close their lids at home where they have a home
> wireless network. When they open their laptops they get a new IP address
> and are able to bypass all the stops we have in place.
>
> Now our challenge is to have the kids, when they get a new school IP
> address, force them to log in to our network so they get the updates and
> GPOs. We're toying with Microsoft Certificates but we have issues.
> Namely, we have no experience with certificates or whether this is the
> right path to achieve what we want.
>
> Anyone want to weigh in?
>
> Thanks!
>
> Fred
>
 

galen

In news:uP3dPaHRFHA.3988@tk2msftngp13.phx.gbl,
Matt Gibson <mattg@blueedgetech.ca> had this to say:

My reply is at the bottom of your sent message:

> A) Why are your DCs and whatnot on the same subnet as your wireless
> kids? B) Why don't you have firewalls between the DCs and whatnot in
> place?
> If all it takes to get round your security measures is getting an IP
> address, then you've got some pretty big problems.
>
> Matt Gibson - GSEC

Alright. I flagged this for a day to let the real experts weigh in and all
we got was Matt. <g> Actually that's about as good as you're going to get.

I'm going to make this one short I hope. You're obviously at some sort of
school. My advice to you is to hire a professional. Really. A short-term
security consultant with a decent contract would be your best answer.
However many schools can't afford this today. Your options are then to
contact your local technical college and see if they want to help for the
low price of giving their students some real world experience. Believe it or
not in similar circumstances I've recommended this in the past and inside of
a few months they had everything worked out. Most tech colleges will jump at
a chance like that. Another option is simply to log the actions and
discipline the offending students or to ask a student (or group of students)
who are smarter than we are to fix it for you. That option is probably your
second best option before trying the professionals but after trying the
local tech college. Promise the tech students free food and a "party" when
the project is complete. What you have at said party is up to you...

Galen
--
Signature changed for a moment of silence.
Rest well Alex and we'll see you on the other side.
 
Guest

Truly up a tree without a paddle!

Thanks for your suggestions.

Fred

"Galen" <galennews@gmail.com> wrote in message
news:O9T19RURFHA.688@TK2MSFTNGP10.phx.gbl...
> In news:uP3dPaHRFHA.3988@tk2msftngp13.phx.gbl,
> Matt Gibson <mattg@blueedgetech.ca> had this to say:
>
> My reply is at the bottom of your sent message:
>
>> A) Why are your DCs and whatnot on the same subnet as your wireless
>> kids? B) Why don't you have firewalls between the DCs and whatnot in
>> place?
>> If all it takes to get round your security measures is getting an IP
>> address, then you've got some pretty big problems.
>>
>> Matt Gibson - GSEC
>
> Alright. I flagged this for a day to let the real experts weigh in and all
> we got was Matt. <g> Actually that's about as good as you're going to get.
>
> I'm going to make this one short I hope. You're obviously at some sort of
> school. My advice to you is to hire a professional. Really. A short-term
> security consultant with a decent contract would be your best answer.
> However many schools can't afford this today. Your options are then to
> contact your local technical college and see if they want to help for the
> low price of giving their students some real world experience. Believe it
> or not in similar circumstances I've recommended this in the past and
> inside of a few months they had everything worked out. Most tech colleges
> will jump at a chance like that. Another option is simply to log the
> actions and discipline the offending students or to ask a student (or
> group of students) who are smarter than we are to fix it for you. That
> option is probably your second best option before trying the professionals
> but after trying the local tech college. Promise the tech students free
> food and a "party" when the project is complete. What you have at said
> party is up to you...
>
> Galen
> --
> Signature changed for a moment of silence.
> Rest well Alex and we'll see you on the other side.
>
 
Guest

You have a tough nut to crack with wireless connections and a group that
will have a fairly large percentage of undisciplined users. You don't give
much info either as to type of domain controllers. I assume all the laptops
are XP Pro hopefully since this is an XP newsgroup.

Since the students can take the computers home, that also gives them plenty
of time to hack the computer, gain administrator access to do whatever they
want and then logon to the computer locally [instead of the domain] to
bypass domain user configuration Group Policy. I am not saying they are all
doing that but it is something you should be aware of. Most school
organizations have an acceptable computer use policy with stated
consequences. It may be a good idea to have such a policy, with a copy
signed by both student and parents. If the school does not have the backbone
to enforce such a policy consistently it will be a waste however.

As far as restricting internet access, that needs to be done at the gateway
or firewall. There are plenty of devices that will interface with content
management subscription services that will help you restrict access to
undesired websites. These services work full time updating their database
with website info. ISA 2004 is a very powerful application filtering
firewall that can be used to help control what users are accessing and
attempting to download. The link below explains this capability in more
detail.

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx

It can be difficult to force a user to use a domain computer. A couple of
things may help. Users may try to unjoin their computers from the domain to
bypass restrictions. If there are domain computers [other than domain
controllers] that they must access then you can create an IPsec policy for
some of those computers with a "require" IPsec policy that will allow only
domain computers access with the default Kerberos computer authentication.
IPsec is something that needs a lot of testing and domain controllers must
be exempted from IPsec negotiation traffic between them and domain
computers. In Domain Controller Security Policy you should also remove
Authenticated Users from the user right to add workstations to the domain to
prevent users from removing and adding their workstations to the domain [up
to ten times] at their convenience.

Group Policy is a challenge in your environment. Your users can unplug their
wireless card, logon with cached credentials, then plug their network card
in to access the network but in doing so bypassing startup/logon scripts and
Group Policy refresh. I don't know of a way to prevent that as long as
cached logons are allowed which they probably are if the user can take
"your" computers home. What may help somewhat though is to shorten the Group
Policy refresh interval. By default it is 90 minutes for domain
workstations/users. You might try shortening that to 20 minutes or maybe
less for computer and user. If you go to computer
configuration/administrative templates/system/Group Policy you will see some
options for "policy processing" such as registry policy processing which
would be a good one at least to enable and then select the option "process
even if Group Policy objects have not changed". This would help in
reversing changes students have made possibly by modifying the registry on
their [yours actually!] computers.

As for Windows Updates, you can configure them via Group Policy to download
and install updates automatically by schedule and the user does not need to
be a local administrator. Many larger organizations are using Software
Update Services to manage their updates along with client Group Policy for
Windows Updates.

http://www.bris.ac.uk/is/services/computers/operatingsystems/sus/configuring.html
-- Group Policy Automatic Updates

To answer your main question, certificates may help. If you can enable
802.1X authentication with EAP-TLS for the wireless connections that may
force users to logon to the domain to access the networks. EAP-TLS requires
certificates for the user AND computer to both authenticate to the network
to access it. The problem is you will need wireless access points and
wireless network adapters that support 802.1X AND work well with it as they
all do not. Some have a problem with a user booting their computer in that
the wireless card does not initialize fast enough to do the computer
authentication. So if you would consider 802.1X be sure to test it out and
buy products that work well in a domain environment for EAP-TLS. The link
below explains 802.1X more. PEAP can be used but is not as secure a
solution, though you could try it to see if it helps your situation. PEAP
requires a certificate only on the IAS server.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
-- general wifi link

Something else you need to be aware of is that students may install "rogue"
wireless access points to bypass your wireless access security. This is a
big problem. If you are using Windows 2003 domain controllers and use
Service Pack 1 you can implement a wireless access policy that allows access
to only approved wireless access points with the authentication methods you
specify such as 802.1X. You should periodically scan your network for rogue
wireless access points. They will usually show only ports 80 TCP and maybe
23 TCP for telnet. It may also help to occasionally war drive or war walk
your school with a wireless laptop looking for wireless devices. There are
free programs [NetStumbler?] that can search for wireless access points
that have their SSID broadcasts disabled.

PKI [public key infrastructure] can be implemented fairly easily, particularly
if you have a Windows 2003 Enterprise Server on the network that can
become a CA to issue certificates, which can even be done automatically via
autoenrollment to domain users and computers. Windows 2000 can issue
computer certificates automatically but not user certificates. There is a
LOT of documentation on PKI at Microsoft but if you are seriously considering
it just buy Windows Server 2003 PKI and Certificate Security by Brian Komar.

http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx ---
Windows 2003 PKI.

The ultimate solution would be a quarantine. Right now Microsoft supports
quarantine network access but only for VPN access. Quarantine runs scripts on
the computer attempting network access to do things like check for security
updates and anti-virus software. If the computer does not comply there are
servers on the quarantine network that users can use to update their
computer to comply in order to gain access. The scripts can be very complex
but there are a lot of them available for use that can be used as is or as a
template to create your own. Hopefully in the near future MS will develop
quarantine for regular network access.

Anyhow I wish you luck and certainly 802.1X would be something to look into
for your network. --- Steve

"Fred T" <fredt2@mail.com> wrote in message
news:%23g6C%23HHRFHA.3496@TK2MSFTNGP12.phx.gbl...
> My domain has 8000 laptops we give to our high school kids. I hear you!
> To further complicate our lives, they are all wireless. If there is a way
> for them to download and share music or surf porn on campus, they'll find
> it. My shop's challenge is to stop them and help direct them to more
> educational subjects while trying to stop them from crashing the domain
> controllers / NAS boxes. We have several fine products to help us but
> where there is a kid, there is a way. Our recent trouble is kids have
> figured out to just close their lids at home where they have a home
> wireless network. When they open their laptops they get a new IP address
> and are able to bypass all the stops we have in place.
>
> Now our challenge is to have the kids, when they get a new school IP
> address, force them to log in to our network so they get the updates and
> GPOs. We're toying with Microsoft Certificates but we have issues.
> Namely, we have no experience with certificates or whether this is the
> right path to achieve what we want.
>
> Anyone want to weigh in?
>
> Thanks!
>
> Fred
>
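Steve's Group Policy advice (shorten the 90-minute refresh interval, and enable registry policy processing with "process even if the Group Policy objects have not changed") ends up as a handful of registry values on each XP client. The script below is an added example, not code from the thread or from Microsoft: it parses a regedit-style .reg export of those keys and reports settings weaker than the target. The key paths and value names are where those two policies are stored on an XP/2003 client; the .reg contents, the 20-minute target and the function names are constructed for this example.

```python
"""Audit Group Policy refresh settings from a .reg export of an XP client.

Added example (not from the thread). Reads the two registry locations where
"Group Policy refresh interval for computers" and "Registry policy processing"
are stored and reports anything weaker than the target the thread recommends.
"""
import re
from typing import Dict, List

SYSTEM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"
REGISTRY_CSE_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy"
    r"\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
)
DEFAULT_REFRESH_MINUTES = 90  # what a client uses when the value is absent

# Constructed export: refresh left at 90 minutes, registry CSE skips unchanged GPOs.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyRefreshTime"=dword:0000005a
"GroupPolicyRefreshTimeOffset"=dword:0000001e

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
"NoGPOListChanges"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"""

# Constructed export after the recommended settings have been applied.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyRefreshTime"=dword:00000014
"GroupPolicyRefreshTimeOffset"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"""

_SECTION = re.compile(r"^\[(?P<key>.+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')
_STRING = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: value}} (dword and string values)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        if current is None:
            continue
        m = _DWORD.match(line)
        if m:
            current[m.group("name")] = int(m.group("data"), 16)
            continue
        m = _STRING.match(line)
        if m:
            current[m.group("name")] = m.group("data")
    return keys


def audit_group_policy(keys: Dict[str, Dict[str, object]], max_refresh_minutes: int = 20) -> List[str]:
    """Return human-readable findings; an empty list means the client meets the target."""
    findings: List[str] = []
    system = keys.get(SYSTEM_KEY, {})
    refresh = int(system.get("GroupPolicyRefreshTime", DEFAULT_REFRESH_MINUTES))
    if refresh > max_refresh_minutes:
        findings.append(
            f"computer policy refresh interval is {refresh} min; target is {max_refresh_minutes} min or less"
        )
    cse = keys.get(REGISTRY_CSE_KEY, {})
    # "Process even if the GPOs have not changed" writes NoGPOListChanges=0. When the
    # value is absent the client skips unchanged GPOs, so a student's local registry
    # edits survive until some GPO is modified.
    if cse.get("NoGPOListChanges", 1) != 0:
        findings.append("registry policy is only reapplied when a GPO changes; local registry tampering persists")
    if cse.get("NoBackgroundPolicy", 0) != 0:
        findings.append("registry policy is excluded from background refresh")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{label}: {audit_group_policy(parse_reg(export)) or 'meets target'}")
```

A client whose export contains neither key is reported the same way as the weak export, because an absent value means the built-in default (90 minutes, skip unchanged GPOs), which is exactly the state Steve suggests moving away from.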
 
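Steve's observation that a rogue access point usually shows only TCP 80 and maybe TCP 23 can be turned into a triage step over the results of the periodic scan he recommends. The script below is an added example, not code from the thread: it applies that port signature to a scan summary and cross-checks matches against an inventory of the school's own access points. The summary line format, the sample hosts and the approved-AP inventory are constructed for this example.

```python
"""Triage wired-scan results for rogue wireless access point candidates.

Added example (not from the thread). Applies the heuristic that a consumer
access point plugged into a classroom jack typically exposes only TCP 80
(web admin page) and sometimes TCP 23 (telnet) on its LAN side, then drops
any host whose MAC is in the approved access point inventory.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Constructed scan summary, one host per line: "ip mac open_tcp_ports"
# (ports comma-separated, "-" when nothing is open). Not real scan output.
SAMPLE_SCAN = """\
# ip          mac                open tcp ports
10.20.1.1     00:11:22:AA:BB:01  22,80,443
10.20.1.17    00:11:22:AA:BB:17  80
10.20.1.42    00:11:22:AA:BB:42  23,80
10.20.1.55    00:11:22:AA:BB:55  80,139,445
10.20.1.99    00:11:22:AA:BB:99  -
10.20.1.120   00:11:22:AA:BB:C0  80
"""

# Constructed inventory of the school's own access points, keyed by MAC.
APPROVED_AP_MACS: Set[str] = {"00:11:22:aa:bb:17"}

# Ports a bare consumer access point usually exposes on its LAN side.
AP_SIGNATURE_PORTS: Set[int] = {80, 23}


@dataclass
class Host:
    ip: str
    mac: str
    open_ports: Set[int] = field(default_factory=set)


def parse_scan(text: str) -> List[Host]:
    """Parse the constructed summary format; MACs are normalised to lower case."""
    hosts: List[Host] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, ports = line.split()
        open_ports = set() if ports == "-" else {int(p) for p in ports.split(",")}
        hosts.append(Host(ip, mac.lower(), open_ports))
    return hosts


def looks_like_access_point(host: Host) -> bool:
    """True when the host answers on 80 and on nothing outside the AP signature set."""
    return 80 in host.open_ports and host.open_ports <= AP_SIGNATURE_PORTS


def rogue_ap_candidates(hosts: Iterable[Host], approved_macs: Set[str]) -> List[Host]:
    """Hosts matching the AP signature whose MAC is not in the approved inventory."""
    return [
        h for h in hosts
        if looks_like_access_point(h) and h.mac.lower() not in approved_macs
    ]


if __name__ == "__main__":
    for host in rogue_ap_candidates(parse_scan(SAMPLE_SCAN), APPROVED_AP_MACS):
        print(f"investigate {host.ip} ({host.mac}): open tcp {sorted(host.open_ports)}")
```

The output is a list to investigate, not proof: printers and IP cameras also tend to expose only a web interface, so each candidate still needs to be traced to a switch port and looked at. An approved-AP inventory keyed by MAC is also only as good as the process that keeps it current.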

galen

In news:u5tYqHmRFHA.1208@TK2MSFTNGP10.phx.gbl,
Fred T <fredt2@mail.com> had this to say:

My reply is at the bottom of your sent message:

> Truly up a tree without a paddle!
>
> Thanks for your suggestions.
>
> Fred

I'm not kidding, give the nearest technical college a call. You might be
very happy with the results you get though you may have to do some searching
to find out who to ask and then ask them properly.

Galen
--
Signature changed for a moment of silence.
Rest well Alex and we'll see you on the other side.
 

galen

In news:kb-dnfS7QMviefrfRVn-gg@comcast.com,
Steven L Umbach <n9rou@n0-spam-for-me-comcast.net> had this to say:

My reply is at the bottom of your sent message:

> You have a tough nut to crack with wireless connections and a group
> that will have a fairly large percentage of undisciplined users. You
> don't give much info either as to type of domain controllers. I
> assume all the laptops are XP Pro hopefully since this is an XP
> newsgroup.
<snip>

I just wanted to say thank you in public though you've one coming in private
when I've a bit more time. I appreciate you weighing in on this as I'd asked
and to be frank you're as good as myself and probably better in this sort of
arena and perhaps many others. *winks* That's negotiable though, more so
after reading your email as you were honest enough to admit your weaknesses.
We all have some... I'd further like to thank you for slumming in an XP
group. A large number of the questions in this group *might* interest you
though I consider you to be among the 2k gurus...

Once again, I personally thank you though I don't know if anyone else will
notice at this point. (I'll ping a few people and see that they do. Who
knows, they might have other ideas?) But thanks again for giving your valued
opinion. I like how you kicked the answer in the teeth and didn't disagree
with my solution though mine's a long shot that I've seen work in the past.
(To be honest we're talking 8k users on a limited budget or they're not
going to be posting to the NG are they???? That could be wrong but that's
always going to be my assumption.) With those figures and the colleges
looking to keep it in-house I can't think of a better option other than your
additions which might be beyond the level of the in-house support as it
doesn't seem that there's an IT department specifically for this. If there
was then they failed and it's time to look elsewhere for new employees. But
that's my opinion though I think all those who weighed in on this would
agree.

Galen
--
Signature changed for a moment of silence.
Rest well Alex and we'll see you on the other side.