I read that SP2 supposedly includes support for WPA2 wireless security. However, on our SP2-equipped SBS2K3 I still only see Open, Shared, WPA and WPA-PSK in group policy. Is there a group policy template update that can be downloaded to add WPA2 support? If yes, why wasn't this included in SP2, I wonder? Thanks in advance.
-- Regards, Steve.
|
|
IMO this new group policy thing for wireless is a little less compelling than it could have been. For starters, you need to configure the GPO from a Vista client PC or a longhorn server. I haven't done it yet, so I don't have a lot of information. If you check out the group policy section of this FAQ, there's a link to an article.
Wireless LAN Support in Windows: Frequently Asked Questions http://www.microsoft.com/technet/network/wifi/wififaq.mspx#E3HAC
Personally, as much as I'm a paranoid tin-foil-hat-wearer when it comes to wireless security, this is how I configured mine. IMO this way is good enough, at least until I get enough Vista clients to justify starting to configure them with group policy. To me, any benefit from using AES over TKIP is negated by the extra work involved (at least for now).
Configuring Secure Wireless Network Access with Microsoft® Windows® Small Business Server 2003 http://home.comcast.net/~clearviewtc/
|
|
Dave Nickason [SBS MVP] wrote:
> IMO this new group policy thing for wireless is a little less compelling than it could have been. For starters, you need to configure the GPO from a Vista client PC or a longhorn server. I haven't done it yet, so I don't have a lot of information. If you check out the group policy section of this FAQ, there's a link to an article.
> Wireless LAN Support in Windows: Frequently Asked Questions http://www.microsoft.com/technet/network/wifi/wififaq.mspx#E3HAC
Ah, thanks for that Dave. I am completely underwhelmed by this revelation (of needing to configure the GPO on a Vista client). Mmm.
> Personally, as much as I'm a paranoid tin-foil-hat-wearer when it comes to wireless security, this is how I configured mine. IMO this way is good enough, at least until I get enough Vista clients to justify starting to configure them with group policy. To me, any benefit from using AES over TKIP is negated by the extra work involved (at least for now).
> Configuring Secure Wireless Network Access with Microsoft® Windows® Small Business Server 2003 http://home.comcast.net/~clearviewtc/
Yes, we already use Owen Williams' excellent procedure, and this works well. My passing thought of enhancing this with WPA2 has, um, passed by now.
-- Regards, Steve.
|
|
Owen's schedule has been pretty hectic recently, but I believe it's somewhere on his to-do list to add the WPA2 steps to his document. I'd like to try and help out with this, but I won't have any Vista client PCs on the office LAN until at least fall. If you do put any time into this, I'm sure Owen would love to hear about your experience.
|
|
Dave Nickason [SBS MVP] wrote:
> Owen's schedule has been pretty hectic recently, but I believe it's somewhere on his to-do list to add the WPA2 steps to his document. I'd like to try and help out with this, but I won't have any Vista client PCs on the office LAN until at least fall. If you do put any time into this, I'm sure Owen would love to hear about your experience.
OK, I've had a very brief look...
1. Using a test Vista client I ran the Group Policy Management Console, thus:
runas /user:user@domain "mmc gpmc.msc"
(where user@domain is a domain admin), and entered the password when prompted.
2. In GPMC I opened the existing (WPA) WLAN GPO for editing and drilled down to the existing wireless policy.
3. In the preferred network's properties, the WPA2 and WPA2-PSK authentication schemes are available for selection. I have to admit, though, that I haven't tried pushing out such a WPA2 policy, being worried that the policy will only function correctly on Vista clients. I might be mistaken here, but I don't have a suitable test SBS + Vista + XP clients to test with at the mo'.
*However* ... once any changes are made to the GPO from the Vista client, the GPO can no longer be edited in the SBS GPMC. Any future changes then need also to be made on a Vista client. The only way I can find to restore access to the GPO in SBS is to delete the object and recreate it there (in which case the policy needs to revert to WPA, as WPA2 is not available via the SBS GPO editor). Yuk.
If Owen is able to make some use of all this then I'll be pleased, but I for one will stay away from WPA2 on SBS2003 for now.
-- Regards, Steve.
|
|
Thanks, I'll forward this on to Owen in case he doesn't see it here.
I guess the answer would be to create separate GPOs for anything that has to be edited from Vista. So you could un-link your current GPO, then link the Vista one to the appropriate OU. If something goes wrong, you can switch them - I'm assuming you can at least disable the Vista GPO from the SBS's GPMC, even if you can't edit it there. IMO this is still far from an ideal situation, though.
My understanding from what documentation I've seen so far is that the Vista/SP2 GPO will apply to XP and WS03 boxes. I'm assuming that they need to be at some service pack level or have that WPA2 patch from a couple of years ago applied, which would be easy enough to check by just verifying that WPA2 is an option in the wireless settings.
|
|
Dave Nickason [SBS MVP] wrote:
> Thanks, I'll forward this on to Owen in case he doesn't see it here.
> I guess the answer would be to create separate GPOs for anything that has to be edited from Vista. So you could un-link your current GPO, then link the Vista one to the appropriate OU. If something goes wrong, you can switch them - I'm assuming you can at least disable the Vista GPO from the SBS's GPMC, even if you can't edit it there. IMO this is still far from an ideal situation, though.
> My understanding from what documentation I've seen so far is that the Vista/SP2 GPO will apply to XP and WS03 boxes. I'm assuming that they need to be at some service pack level or have that WPA2 patch from a couple of years ago applied, which would be easy enough to check by just verifying that WPA2 is an option in the wireless settings.
I don't think this update has been out in WSUS or Microsoft Update, etc. (If it is I missed it.) Plus there's some good info on the subject...
http://support.microsoft.com:80/kb/917021/en-us
WiFi Devices and drivers of course all have to be up to the task as well.
-- /kj
|
|
kj wrote:
Ah, thanks for that - I wasn't aware of it. The WPA2 patch for XP that Dave was referring to is, I believe, KB893357 which dates from April 2005, and that added WPA2 support to XP. KB917021 (dating from October 2006) adds the group policy support and would, I presume, require KB893357, but there's no mention in either KB article of any such dependency.
None of our XP machines had 917021 installed, so I also assume it hasn't been delivered through WSUS or MU. Shouldn't all this be tied together somewhere in a MS KB article? I'm not aware of one.
-- Regards, Steve.
|
|
spm wrote:
> kj wrote:
>> I don't think this update has been out in WSUS or Microsoft Update, etc. (If it is I missed it.) Plus there's some good info on the subject...
>> http://support.microsoft.com:80/kb/917021/en-us
> Ah, thanks for that - I wasn't aware of it. The WPA2 patch for XP that Dave was referring to is, I believe, KB893357 which dates from April 2005, and that added WPA2 support to XP. KB917021 (dating from October 2006) adds the group policy support and would, I presume, require KB893357, but there's no mention in either KB article of any such dependency.
> None of our XP machines had 917021 installed, so I also assume it hasn't been delivered through WSUS or MU. Shouldn't all this be tied together somewhere in a MS KB article? I'm not aware of one.
I don't find it on a sampling of available machines either. It might be there under drivers or something that I don't do.
Yep, should have those ends tied together somewhere. Probably Owen will have it all neatly gathered for us someday.
-- /kj
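Added example, not part of the thread: one way to audit which clients list the two updates named above (KB893357 and KB917021) instead of sampling machines by hand. It assumes a management workstation with Windows PowerShell 3.0 or later and remote WMI access to the clients; the computer names and the function name are constructed placeholders.

```powershell
# Constructed placeholder names; replace with the clients to audit.
$computers = 'XP-CLIENT-01', 'XP-CLIENT-02'

# KB numbers as given in the thread:
#   KB893357 - WPA2 support for XP (April 2005)
#   KB917021 - group policy support for WPA2 (October 2006)
$required = 'KB893357', 'KB917021'

# Hypothetical helper: reports, per computer, which of the given hotfix IDs
# are not listed in Win32_QuickFixEngineering.
function Get-Wpa2UpdateStatus {
    param(
        [string[]]$ComputerName,
        [string[]]$HotFixId
    )
    foreach ($computer in $ComputerName) {
        try {
            $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # Unreachable host, firewall, or access denied: report it rather than skip it.
            [pscustomobject]@{
                Computer = $computer; OS = $null; ServicePack = $null
                Missing  = $null; Status = "Query failed: $($_.Exception.Message)"
            }
            continue
        }
        $installed = @($qfe | ForEach-Object { $_.HotFixID })
        $missing   = @($HotFixId | Where-Object { $installed -notcontains $_ })
        # An update rolled into a service pack is not listed as a separate
        # entry, so "missing" means "verify on the machine", for instance by
        # checking whether WPA2 is offered in the wireless settings.
        [pscustomobject]@{
            Computer    = $computer
            OS          = $os.Caption
            ServicePack = $os.ServicePackMajorVersion
            Missing     = $missing -join ', '
            Status      = if ($missing.Count -eq 0) { 'Both updates listed' } else { 'Check manually' }
        }
    }
}

Get-Wpa2UpdateStatus -ComputerName $computers -HotFixId $required | Format-Table -AutoSize
```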