Windows IT Security, APRIL 2006, $14.95

IN THIS ISSUE

3 Ways to Rein in Your Wireless Signals . . . 1
Access Denied . . . 1
Configuring SSL/TLS . . . 3
Core Concepts: Embrace the IT Audit . . . 7
Toolbox: Avoid Risky Rules with Netsh . . . 9
Audit Your Passwords . . . 11
Security FAQ . . . 14
Patch This! . . . 15
Reader to Reader . . . 15

On the Web
To read articles online, participate in the Security forum, or subscribe to Security UPDATE (a free weekly email newsletter), visit the Windows IT Security Web site at http://www.windowsitpro.com/windowssecurity. To access an article online, enter the article's InstantDoc number (which appears at the end of the print article) in the Web site's InstantDoc ID box. To download any code mentioned in an article, open the article online and click the .zip file link at the beginning of the article.

Instant Poll
Which of these methods have you used or will you use to contain your wireless network radio signals?
• Reducing the AP output power
• Covering your walls and windows with special materials
• Using directional antennas or adding signal reflectors on your APs
• Two or more of the above methods
• None of the methods
Take the poll online at http://www.windowsitpro.com/windowssecurity

Access Denied
Randy Franklin Smith answers your Windows security questions

AT A GLANCE
Locating the user causing failures on a folder . . . 1
Determining who enabled an account . . . 13
Distinguishing user account reenablements from creations . . . 13
Viewing the security settings on a computer . . . 13
The two Generate Resultant Set of Policy permissions . . . 13

Q: We have auditing enabled on a certain folder, and we're seeing frequent access failures (event ID 560, object open) for a certain user account. But we don't know what system this user is logged on to or what he or she is doing to create the access failures. How can we find out?

A: The best way to determine what the user is actually doing to cause the access failure is to find out what program she's using to try to open the object. Event ID 560 provides both the ID of the user's logon session (Logon ID) and the ID of the process attempting to access the file (Process ID). Find the corresponding logon event to find out the type of logon session (e.g., interactive, Terminal Services, network share, service). The logon event on Windows Server 2003 also provides the IP address of the [Continued on page 12]

3 Ways to Rein in Your Wireless Signals

Foil intruders by containing your radio waves
by Mark Joseph Edwards

Wireless networks have an inherent security threat: They transmit radio signals nonstop. However, by limiting the direction and range of those signals, you can improve the security of your network. The logic is simple: If an intruder can't pick up a useful signal, he or she won't be able to successfully connect to your network. You can use three basic methods to limit wireless network radio signals: adjust the output power of your wireless Access Points (APs), cover your walls and windows with specially made signal-confining coverings, and limit the direction in which your wireless antennas transmit signals. You can also use a combination of these methods. Here's how they work.

Adjust Your Power

First, let's talk about adjusting your wireless AP's output power. The FCC regulates the radio spectrum that wireless network equipment uses, including how much power a device can output during radio transmissions. A given output power level produces different signal strengths at different distances: The farther the receiver is from the transmitter, the weaker the signal will be. Some, but not all, wireless-equipment manufacturers include adjustable settings in their firmware that let you set the radio transmitter's output power level. For example, a typical AP might output 20 milliwatts (mW) of power, and the firmware interface might let you turn up that power level to as much as 200mW. The AP might also let you turn down the output power to a setting as low as 1mW. By adjusting this setting, you're effectively adjusting the distance the signal will cover. In many environments you can reduce the output power considerably without causing problems with authorized connectivity; verify coverage for legitimate clients after each change.

If your AP firmware doesn't let you adjust output power levels, you can install third-party firmware. Several third-party firmware solutions are available for various types of APs, including APs from ASUS, Buffalo Technology, Cisco Systems, Linksys, Motorola, NETGEAR, Siemens, and USRobotics. In particular, take a close look at OpenWrt (http://openwrt.org), DD-WRT (http://ddwrt.gruftie.com), or Sveasoft's Alchemy and Talisman (http://sveasoft.com) AP firmware. Each of these options is a reasonable choice (although OpenWrt is a bit tedious to use because it's modular in design, requiring you to add modules to gain various types of functionality). Keep in mind that not all firmware will work on all APs. You must review the associated Hardware Compatibility Lists (HCLs) to make sure the firmware has been tested successfully on your particular APs. Also, don't overlook the need to verify compatibility with different hardware revisions of the same AP model.

Third-party AP firmware is generally easy to install. Each product provides a simple Web-based configuration interface and gives you many extra features that your AP might not support with its original firmware. Keep in mind that, in some cases, using third-party firmware can void a hardware warranty or support package. If someday you need to return the hardware to the vendor, you might be out of luck.

Regardless of which firmware you use, when you adjust AP output power levels, remember that many factors affect overall signal reception. For example, a wireless workstation that's using a high-gain antenna could pick up a very weak AP signal and successfully connect to that network. A high-gain antenna doesn't amplify in the electronic sense; it concentrates the antenna's sensitivity in one direction, which makes a weak signal usable, and it concentrates the workstation's transmitted signal the same way on the return path to the AP. Malicious users can use workstations with high-gain antennas to intrude on your network even when those workstations are far from your APs. Many demonstrations have proved that such antennas can span distances of several miles. To combat this scenario, the second method of limiting wireless signals can come in quite handy.

[Figure 1: Parabolic Reflector output pattern]
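To put numbers on the power-versus-range trade-off and on the high-gain antenna caveat above, here is a free-space link-budget calculator. It is an added example, not code from the original article. The AP antenna gain (2 dBi), client sensitivity (-80 dBm), attacker dish gain (24 dBi) and channel 6 centre frequency (2.437 GHz) are assumed illustrative values, and free-space loss ignores walls and floors, so real indoor ranges will be shorter than the numbers it prints. What it shows is the shape of the problem: dropping the AP from 200 mW to 1 mW cuts the range for an ordinary laptop to a fraction, but an attacker with a 24 dBi dish gets back roughly sixteen times the distance of that laptop at the same setting.

```python
import math

C = 299_792_458.0          # speed of light, m/s
CHANNEL_6_HZ = 2.437e9     # 802.11b/g channel 6 centre frequency (assumed for the example)


def mw_to_dbm(milliwatts: float) -> float:
    """Convert transmit power in mW to dBm (1 mW = 0 dBm, 100 mW = 20 dBm)."""
    return 10.0 * math.log10(milliwatts)


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis), in dB, between isotropic antennas."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C)


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz=CHANNEL_6_HZ):
    """Signal level at the receiver: transmit power plus both antenna gains, minus path loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm, freq_hz=CHANNEL_6_HZ):
    """Distance at which the received level just equals the receiver's sensitivity.

    Solves fspl_db(d) = tx_dbm + tx_gain + rx_gain - sensitivity for d:
    d = C / (4*pi*f) * 10 ** (budget_db / 20).
    """
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    return C / (4.0 * math.pi * freq_hz) * 10.0 ** (budget_db / 20.0)


# Assumed, illustrative figures (not from the article):
AP_ANTENNA_DBI = 2.0             # typical rubber-duck omni supplied with an AP
LAPTOP_ANTENNA_DBI = 0.0         # built-in client antenna
DISH_ANTENNA_DBI = 24.0          # attacker's parabolic grid antenna
CLIENT_SENSITIVITY_DBM = -80.0   # level needed to hold a usable 802.11g link


def scenarios():
    """Free-space range for the power settings the article mentions (200, 20 and 1 mW),
    once for an ordinary laptop and once for an attacker using a high-gain dish."""
    result = {}
    for mw in (200, 20, 1):
        tx = mw_to_dbm(mw)
        result[mw] = {
            "laptop_m": max_range_m(tx, AP_ANTENNA_DBI, LAPTOP_ANTENNA_DBI, CLIENT_SENSITIVITY_DBM),
            "dish_m": max_range_m(tx, AP_ANTENNA_DBI, DISH_ANTENNA_DBI, CLIENT_SENSITIVITY_DBM),
        }
    return result


if __name__ == "__main__":
    for mw, r in scenarios().items():
        print(f"{mw:>4} mW: laptop reaches {r['laptop_m']:7.0f} m, "
              f"24 dBi dish reaches {r['dish_m']:8.0f} m (free space)")
```

Every 6 dB removed from the link budget halves the free-space range, and every 6 dB an attacker adds with a better antenna doubles it again; that symmetry is why power reduction alone is a weak control and why the article pairs it with reflectors and coverings.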

Cover Your Walls


You can use special wall and window coverings to confine radio signals. Such surface coverings attenuate radio signals heavily enough that little usable signal passes through the surface to which you apply them. So, for example, you could confine a wireless network to one room or one department area. Likewise, you can prevent outside intruders from sending their signals in. These surface coverings come in two primary types: a specialized type of paint that contains materials designed to reflect radio signals, or sheets of material designed for application either behind or on top of existing wall coverings. Coverage has to be complete to be effective; an untreated window, door, or duct leaks signal around an otherwise shielded wall. Both types of coverings can be expensive, and they require a considerable amount of work to install. Therefore, they might not be cost effective for your needs and budget constraints.

Narrow the Field

The third method of limiting wireless signals is limiting the direction in which your wireless antennas transmit signals. Nearly every AP sold today comes with omnidirectional antennas. An omnidirectional antenna broadcasts signals in a 360-degree pattern; the signal pattern is a toroid, the shape of a donut. To modify an AP so that it broadcasts its signal in a specific direction (instead of every direction), you can either buy directional antennas or modify existing antennas by adding signal reflectors. Adding signal reflectors is undoubtedly the cheaper way to go, as you'll soon learn.

Reflectors cause a signal to travel primarily in the direction the reflector faces. So, for example, if you place an AP in the corner of a room and place reflectors behind the AP antennas, the radio signal will propagate out into the room and very little of the signal will propagate through the wall behind the antenna. To capture information, a potential intruder needs to be within the path of the radio signal; by using a reflector, you can limit the area where the intruder must be to pick up your AP signals. Using reflectors not only helps keep rogue intruders on the streets from accessing your data but can also be useful in buildings shared by many companies. You can use reflectors to limit your signal's propagation into neighboring office suites, thereby reducing potential security problems.

Designing efficient reflectors involves antenna-design engineering, a complicated process that requires considerable knowledge. It's safe to say that most network administrators don't have the right skills to design an efficient reflector. Fortunately, some network administrators who are well versed in radio and antenna design have made their reflector templates available online for anybody to use. One such person is Michael Erskine, who offers reflector designs that users can retrofit to the omnidirectional antennas that are standard equipment on most APs. Erskine's three designs, the Corner Reflector (http://www.freeantennas.com/projects/Ez-10), the Parabolic Reflector (http://www.freeantennas.com/projects/template2), and the Deep Dish Cylindrical Parabolic Reflector (http://www.freeantennas.com/projects/template), throw an AP's output signal in a specific direction. All three reflectors both increase power in the direction of the signal and severely limit signal power behind the reflectors. Each reflector is easy to use: You simply construct the reflector and position it on your antenna.

A wonderful benefit of Erskine's designs is that you can make the reflectors yourself by using readily accessible parts that you probably have on hand or that you can obtain from your local grocery store or convenience store. You can make both the Corner Reflector and the Parabolic Reflector from a thin piece of cardboard, a thick piece of paper, or acetate (typically used for printing transparencies). You'll also need some household aluminum foil and glue, such as rubber cement. You can make the Deep Dish Cylindrical Parabolic Reflector (a variation of the Parabolic Reflector) from those same components, or you might consider using a Pringles potato chip can (which is already lined with foil), some wire screen, or a thin piece of flat flexible metal. If your AP has dual antennas, you can simply construct two reflectors and place one on each antenna. Templates are available at Erskine's Web site, so you can print them out to make sure you construct the designs in the proper proportions, which is crucial for optimum performance.

You might wonder what your signal patterns will look like if you use these reflector designs. Radio signals are invisible to the unaided eye, but an antenna-design software package can produce facsimile images that provide a good representation of the signal pattern. In Figures 1 and 2, the mesh is the reflector, the black line is the antenna, and the donut-shaped area is the signal pattern. Figure 1 shows the signal pattern for both the Parabolic Reflector and the Deep Dish Cylindrical Parabolic Reflector, both of which produce very little signal behind the antenna. Figure 2 shows that the Corner Reflector produces a bit more signal behind the antenna than the other two reflector designs, but it's still an effective design.

[Figure 2: Corner Reflector output pattern]

These solutions are extremely cost effective. Commercial directional antennas can cost hundreds of dollars each, whereas these reflectors will cost you only pennies, plus a minimal amount of time to build. Your best bet for limiting your wireless exposure is probably to combine reduced AP output power with the use of antenna reflectors to confine the signals to a limited area. Remember that a reflector concentrates energy rather than removing it, so the forward lobe reaches farther than the original omnidirectional pattern did; turn the output power down to match the area you actually need to cover. Of course, none of these solutions eliminates the need for the usual wireless network security measures.

InstantDoc ID 49501

Mark Joseph Edwards (mark@ntshop.net) is a senior contributing editor for Windows IT Pro and writes the weekly email newsletter Security UPDATE (http://www.windowsitpro.com/email). He is a network engineer and the author of Internet Security with Windows NT (29th Street Press).

Configuring SSL/TLS
Securing your Web traffic isnt a trivial task
by Jan De Clercq

Today, online shopping is about as popular as driving to the mall was a few years ago, and registering for a class or seminar is much easier to do online than by telephone. But honestly, don't you always hesitate for a second before you enter your credit card number and personal information? So what's behind that HTTP Secure (HTTPS) connection between your browser and the online site's server? Most likely, the site is using either the Secure Sockets Layer (SSL) protocol or the Transport Layer Security (TLS) protocol. SSL was initially developed by Netscape; in 1999 the Internet Engineering Task Force (IETF) standardized its successor in Request for Comments (RFC) 2246 and named it Transport Layer Security (TLS). Today, SSL/TLS support comes bundled with many Web servers, such as Microsoft Internet Information Services (IIS). Let's look at some of the hidden traps you might encounter when you configure SSL/TLS for secure Web communications.

How It Works
SSL/TLS sits between the application and transport layers of the TCP/IP networking stack and provides security services to a wide range of application-level protocols, such as HTTP for secure Web communications, SMTP for secure mail transfer, and Network News Transfer Protocol (NNTP) for secure news operations. SSL/TLS can provide the following security services:

• Data confidentiality and integrity: SSL/TLS provides channel encryption (also known as secure channel services) that protects traffic exchanged between an SSL-enabled client and server. Integrity is a separate service from confidentiality: a message authentication code (MAC) on each record detects tampering, which encryption by itself does not.
• Server authentication: SSL-enabled applications use an X.509 server certificate to authenticate the server to the client.
• Client authentication: SSL/TLS can use an X.509 client certificate to authenticate the client. Client authentication is an optional SSL service and isn't used often because it requires each user to obtain a client certificate.

SSL and TLS are built on symmetric cryptography, asymmetric (public key) cryptography, and X.509 certificates. From an operations viewpoint,
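The first service above bundles confidentiality and integrity, but TLS provides them separately for a reason: the record layer carries a MAC over every record (or uses an AEAD cipher in TLS 1.2 and later) instead of relying on encryption to keep data intact. The following added example, not code from the article, shows why, using only Python's standard library. A toy stream cipher (SHA-256 in counter mode, standing in for the real cipher suite) gives confidentiality alone; an attacker who knows the plaintext layout can then rewrite a field in the ciphertext without the key, and the receiver decrypts the forged value without noticing. Adding an HMAC over the ciphertext (encrypt-then-MAC; TLS 1.0 applies the MAC before encrypting, but the order doesn't matter for this demonstration) makes the same edit fail verification. The message format and keys are made up for the demonstration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, counter-mode style.
    Stands in for the record-layer cipher; it is not a real TLS cipher suite."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR the data with the keystream."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


decrypt_only = encrypt_only  # XOR with the same keystream undoes itself


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC record: ciphertext followed by HMAC-SHA256(nonce || ciphertext)."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unprotect(enc_key: bytes, mac_key: bytes, nonce: bytes, record: bytes) -> bytes:
    """Verify the MAC in constant time before decrypting; reject any modified record."""
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record MAC check failed")
    return decrypt_only(enc_key, nonce, ct)


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's edit: XOR (old ^ new) into the ciphertext at a known offset.
    Because c = p ^ k, the receiver decrypts `new` in place of `old`; no key is needed."""
    edited = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[offset + i] ^= o ^ n
    return bytes(edited)


def demo():
    """Return (forged plaintext accepted with encryption alone, whether encrypt-then-MAC caught the edit)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"PAY amount=0100 to=alice"          # constructed sample message
    off = msg.index(b"0100")

    # 1. Encryption alone: the amount is rewritten and the receiver accepts it.
    ct = encrypt_only(enc_key, nonce, msg)
    forged = decrypt_only(enc_key, nonce, flip_field(ct, off, b"0100", b"9900"))

    # 2. Encrypt-then-MAC: the identical edit is rejected before decryption.
    record = protect(enc_key, mac_key, nonce, msg)
    try:
        unprotect(enc_key, mac_key, nonce, flip_field(record, off, b"0100", b"9900"))
        detected = False
    except ValueError:
        detected = True
    return forged, detected


if __name__ == "__main__":
    forged, detected = demo()
    print("encryption only, receiver sees:", forged)
    print("encrypt-then-MAC detected tampering:", detected)
```

The same malleability applies to any stream cipher and to block ciphers in CTR mode, which is why a TLS cipher suite is always a cipher plus a MAC (or an AEAD mode that combines the two) and never encryption alone.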

