When the IEEE ratified the 802.11i Wireless LAN security standard and the Wi-Fi Alliance subsequently began certifying a subset of 802.11i called WPA2, it seemed that enterprises with relatively current hardware would be able to quickly leverage the upgraded authentication, encryption and roaming capabilities afforded by the standard. Yet Microsoft has remained a stick in the mud, slow to fully adopt the standard for the Windows XP client and positively glacial for server-side management and configuration.
Microsoft has now dragged itself to the gate, finally acknowledging future support for Wi-Fi Protected Access 2 both in the forthcoming Longhorn Server and in Service Pack 2 for Windows 2003 Server.
But, when all is said and done, companies will have waited almost three years to be able to adopt the strongest levels of wireless security for Microsoft wares without needing to investigate a third-party supplicant.
On the client side, Microsoft started supporting WPA2 last summer with the release of its WPA2/WPSIE (Wireless Provisioning Services Information Element) update for Windows XP Service Pack 2.
This optional patch allows XP SP2 users to connect to wireless networks using strong AES (Advanced Encryption Standard) and 802.1x port-based authentication, as defined in the 802.11i standard.
Unfortunately, enterprise administrators could not manage these new settings via Microsofts Group Policy. Although the latest iterations of Group Policy allowed administrators to configure and deploy wireless network settings to XP-based workstations, it was not possible to configure WPA2 authentication settings. Administrators had to settle for the weaker WPA or WEP (Wired Equivalent Privacy) alternatives.
By making the XP WPA2 patch an optional add-on last year (it is not even offered on the Microsoft Update site), Microsoft showed a lack of interest in helping consumers reap the benefits of the new standard. And because Microsoft does not tend to release new server features outside of large releases, such as a service pack, some organizations have fallen victim to Microsofts inattention.
eWeek Labs recently took a look at the latest beta of Longhorn Server to bear witness to Microsofts WPA2 implementation. While long overdue, it appears that the implementation may still leave some wanting.
From the Group Policy Management Console, we needed to create and enforce separate wireless policies for XP and for Windows Vista. Within the policies, we could configure WPA2 settings using 802.1x with either PEAP/MS-CHAPv2 or EAP-TLS.
For the first time, PEAP is now the default transport mechanism, although its a little hard to tell because a bug in the implementation shows the relevant DLL location, rather than the expository label. We were disappointed to see that Microsoft still does not support other EAP flavors that are certified by the Wi-Fi Alliance, such as EAP-TTLS, PEAP/EAP-GTC and EAP-SIM.
And, as is the case with Windows Server 2003-based Group Policy, we could not distribute PSK (pre-shared key)-based wireless security (for either WPA or WPA2) via Group Policy. Although Microsoft has chosen to list PSK as a selectable alternative in Group Policy, there remains no way to set the shared key.
We ultimately agree with Microsofts rationalization that PSK is not a recommended or scalable security solution for large enterprises that are using Group Policy, yet the same could be said for WEP—which is neither secure nor scalable. In any case, Microsoft should remove the selection from the security selection drop-down box in Group Policy rather than advertise a tantalizing yet nonexistent feature.
While were happy to see the progress shown in Longhorn Server, lets face it: The release of the next-generation Windows server—let alone its adoption en masse—is still a distant speck on the horizon. But customers can take heart that Microsoft recently announced that WPA2 in Group Policy will also be supported in the next service pack for Windows Server 2003.
Technical Analyst Andrew Garcia can be reached at [email protected].