APRIL 2006
$14.95
On the Web
To read articles online, participate in the Security forum, or subscribe to Security UPDATE (a free weekly email newsletter), visit the Windows IT Security Web site at http://www.windowsitpro.com/windowssecurity. To access an article online, enter the article's InstantDoc number (which appears at the end of the print article) in the Web site's InstantDoc ID box. To download any code mentioned in an article, open the article online and click the .zip file link at the beginning of the article.
Toolbox: Avoid Risky Rules with Netsh
Audit Your Passwords
Security FAQ
Patch This!
Reader to Reader
Access Denied
Randy Franklin Smith answers your Windows security questions
AT A GLANCE
Locating the user causing failures on a folder
Determining who enabled an account
Distinguishing user account reenablements from creations
Viewing the security settings on a computer
The two Generate Resultant Set of Policy permissions
Instant Poll
Which of these methods have you used or will you use to contain your wireless network radio signals?
Reducing the AP output power
Covering your walls and windows with special materials
Using directional antennas or adding signal reflectors on your APs
Two or more of the above methods
None of the methods
Take the poll online at http://www.windowsitpro.com/windowssecurity
OpenWrt is a bit tedious to use because it's modular in design, requiring you to add modules to gain various types of functionality. Keep in mind that not all firmware will work on all APs. You must review the associated Hardware Compatibility Lists (HCLs) to make sure the firmware has been tested successfully on your particular APs. Also, don't overlook the need to verify compatibility with different hardware revisions of the same AP model. Third-party AP firmware is generally easy to install. Each product provides a simple Web-based configuration interface and gives you many extra features that your AP might not support with its original firmware. Keep in mind that, in some cases, using third-party firmware can void a hardware warranty or support package. If someday you need to return the hardware to the vendor, you might be out of luck.
Regardless of which firmware you use, when you adjust AP output power levels, remember that many factors affect overall signal reception. For example, a wireless workstation that's using a high-gain antenna could pick up a very weak AP signal and successfully connect to that network. This scenario is possible because a high-gain antenna concentrates the energy arriving from one direction, turning a signal that an ordinary antenna would lose in the noise into a usable one. The same antenna concentrates the workstation's own transmissions back toward the AP. Malicious users can therefore use workstations with high-gain antennas to intrude on your network even when those workstations are far from your APs; many demonstrations have proved that such antennas can span distances of several miles. Turning down AP output power alone does not defeat such an attacker, because the attacker's antenna gain buys back much of what you took away. To combat this scenario, the second method of limiting wireless signals, the antenna reflector, can come in quite handy.
Figure 1: Parabolic Reflector output pattern
of the radio signal; by using a reflector, you can limit the area where an intruder must be to pick up your AP's signals. Using reflectors not only prevents rogue intruders on the street from accessing your data but can also be useful in buildings shared by many companies. You can use reflectors to limit your signal's propagation into neighboring office suites, thereby reducing potential security problems.
Designing efficient reflectors involves antenna-design engineering, a complicated process that requires considerable knowledge. It's safe to say that most network administrators don't have the right skills to design an efficient reflector. Fortunately, some network administrators who are well versed in radio and antenna design have made their reflector templates available online for anybody to use. One such person is Michael Erskine, who offers reflector designs that users can retrofit to the omnidirectional antennas that are standard equipment on most APs. Erskine's three designs, the Corner Reflector (http://www.freeantennas.com/projects/Ez-10), the Parabolic Reflector (http://www.freeantennas.com/projects/template2), and the Deep Dish Cylindrical Parabolic Reflector (http://www.freeantennas.com/projects/template), throw an AP's output signal in a specific direction. All three reflectors both increase power in the direction of the signal and severely limit signal power behind the reflector. Each reflector is easy to use: You simply construct the reflector and position it on your antenna.
A wonderful benefit of Erskine's designs is that you can make the reflectors yourself from readily accessible parts that you probably have on hand or can obtain from your local grocery or convenience store. You can make both the Corner Reflector and the Parabolic Reflector from a thin piece of cardboard, a thick piece of paper, or acetate (typically used for printing transparencies). You'll also need some household aluminum foil and glue, such as rubber cement. You can make the Deep Dish Cylindrical Parabolic Reflector (a variation of the Parabolic Reflector) from those same components, or you might consider using a Pringles potato chip can (which is already lined with foil), some wire screen, or a thin piece of flat, flexible metal. If your AP has dual antennas, you can simply construct two reflectors and place one on each antenna. Templates are available at Erskine's Web site, so you can print them out to make sure you construct the designs in the proper proportions, which is crucial for optimum performance.
You might wonder what your signal patterns will look like if you use these reflector designs. Radio signals are invisible to the unaided eye, but an antenna-design software package can produce facsimile images that give a good representation of the signal pattern. In Figures 1 and 2, the mesh is the reflector, the black line is the antenna, and the donut-shaped area is the signal pattern. Figure 1 shows the signal pattern for both the Parabolic Reflector and the Deep Dish Cylindrical Parabolic Reflector, both of which produce very little signal behind the antenna. Figure 2 shows that the Corner Reflector produces a bit more signal behind the antenna than the other two designs, but it's still effective.
These solutions are extremely cost effective. Commercial directional antennas can cost hundreds of dollars each, whereas these reflectors cost only pennies, plus a minimal amount of time to build. Your best bet for limiting your wireless exposure is probably to combine reduced AP output power with antenna reflectors to confine the signals to a limited area. Of course, none of these solutions eliminates the need for the usual wireless network security measures: a reflector only shrinks the area in which the AP can be heard, and it provides neither encryption nor authentication, so the WLAN still needs both.
Figure 2: Corner Reflector output pattern
InstantDoc ID 49501
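To put numbers on the high-gain-antenna scenario and on the closing advice to combine reduced output power with a reflector, here is an added link-budget calculation; it is not from the article, and it uses the free-space path loss (Friis) formula, which is an optimistic model that ignores walls, people and interference. The transmit powers, antenna gains, receiver sensitivity and the reflector's rear-facing gain are assumed, illustrative figures, not measurements.

```python
import math

# 802.11b/g channel 6 centre frequency in MHz (assumed for the worked numbers).
FREQ_MHZ = 2437.0


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss in dB for a distance in metres and a frequency in MHz:
    FSPL = 32.44 + 20*log10(d_km) + 20*log10(f_MHz).  About 100 dB at 1 km on 2.4 GHz."""
    return 32.44 + 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz)


def received_power_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Link budget: received power = Ptx + Gtx + Grx - path loss (all in dB units).
    Antenna gain simply adds to the budget, which is why a big dish on the
    attacker's side cancels out a reduction of AP output power."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def max_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                rx_sensitivity_dbm: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Invert the link budget: the largest distance at which the received power
    still meets the receiver's sensitivity, i.e. solve FSPL(d) = Ptx + Gtx + Grx - Psens."""
    allowed_loss_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    d_km = 10 ** ((allowed_loss_db - 32.44 - 20 * math.log10(freq_mhz)) / 20)
    return d_km * 1000.0


# Assumed, illustrative figures (not values measured or quoted in the article):
STOCK_OMNI_DBI = 2.0            # typical AP rubber-duck antenna
CLIENT_OMNI_DBI = 2.0           # typical laptop / PC-card antenna
ATTACKER_DISH_DBI = 24.0        # parabolic grid antenna sold for 2.4 GHz point-to-point links
CLIENT_SENSITIVITY_DBM = -80.0  # weakest signal the client radio can still decode
REFLECTOR_BACKLOBE_DBI = -10.0  # assumed effective AP gain *behind* a reflector


def scenarios() -> dict:
    """Maximum free-space range in metres for four configurations."""
    return {
        # AP at 20 dBm (100 mW) with its stock omni, ordinary client.
        "full_power_ordinary_client":
            max_range_m(20, STOCK_OMNI_DBI, CLIENT_OMNI_DBI, CLIENT_SENSITIVITY_DBM),
        # AP turned down 10 dB to 10 dBm, ordinary client: range falls by sqrt(10).
        "reduced_power_ordinary_client":
            max_range_m(10, STOCK_OMNI_DBI, CLIENT_OMNI_DBI, CLIENT_SENSITIVITY_DBM),
        # Same reduced-power AP, but the attacker brings a 24 dBi dish.
        "reduced_power_attacker_dish":
            max_range_m(10, STOCK_OMNI_DBI, ATTACKER_DISH_DBI, CLIENT_SENSITIVITY_DBM),
        # Same attacker, but located behind a reflector fitted to the AP antenna.
        "reduced_power_attacker_behind_reflector":
            max_range_m(10, REFLECTOR_BACKLOBE_DBI, ATTACKER_DISH_DBI, CLIENT_SENSITIVITY_DBM),
    }


if __name__ == "__main__":
    for name, metres in scenarios().items():
        print(f"{name:42s} {metres:8.0f} m")
```

With these assumptions the ordinary client loses about two thirds of its range when the AP drops from 20 dBm to 10 dBm, yet the attacker's dish still closes the link from roughly 6 km away, which is the "several miles" the article warns about. Putting the attacker behind a reflector takes that back down to the range an ordinary client had at full power, which is why the article recommends both measures together and why neither replaces encryption and authentication on the WLAN.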
Mark Joseph Edwards (mark@ntshop.net) is a senior contributing editor for Windows IT Pro and writes the weekly email newsletter Security UPDATE (http://www.windowsitpro.com/email). He is a network engineer and the author of Internet Security with Windows NT (29th Street Press).
Configuring SSL/TLS
Securing your Web traffic isn't a trivial task
by Jan De Clercq
Today, online shopping is about as popular as driving to the mall was a few years ago, and registering for a class or seminar is much easier to do online than by telephone. But honestly, don't you always hesitate for a second before you enter your credit card number and personal information? So what's behind that HTTP Secure (HTTPS) connection between your browser and the online site's server? Most likely, the site is using either the Secure Sockets Layer (SSL) protocol or the Transport Layer Security (TLS) protocol. SSL was initially developed by Netscape; in 1999 the Internet Engineering Task Force (IETF) standardized its successor, TLS 1.0, in Request for Comments (RFC) 2246. Today, SSL/TLS support comes bundled with many Web servers, such as Microsoft Internet Information Services (IIS). Note that the original SSL versions have since been formally deprecated by the IETF, so a current deployment should refuse them and offer TLS 1.2 or later. Let's look at some of the hidden traps you might encounter when you configure SSL/TLS for secure Web communications.
How It Works
SSL sits between the application and transport layers of the TCP/IP networking stack and provides security services to a wide range of application-level protocols, such as HTTP for secure Web communications, SMTP for secure mail transfer operations, and Network News Transfer Protocol (NNTP) for secure news operations. SSL/TLS can provide the following security services:
Data confidentiality and integrity services. SSL provides channel encryption services (also known as secure channel services) that protect the traffic exchanged between an SSL-enabled client and server from eavesdropping and from undetected modification.
Server authentication. SSL-enabled applications use an X.509 server certificate to authenticate a server.
Client authentication. SSL can use an X.509 client certificate to authenticate a client. Client authentication is an optional SSL service and isn't used often because it requires each user to obtain a client certificate.
SSL and TLS combine asymmetric (public key) cryptography, used together with X.509 certificates to authenticate the peers and to establish a session key, with symmetric cryptography, used to encrypt and integrity-protect the bulk data once that key has been agreed. From an operations viewpoint,
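The three services listed under How It Works map directly onto the knobs of a TLS implementation. The following is an added example, not code from the article or from IIS, that uses Python's standard ssl module to build a weak client (encryption with no server authentication, the configuration an interception proxy hopes for), a hardened client (server authentication, modern protocol versions only, optional client certificate), and a server that enforces the rarely used client-authentication service. The certificate and key file paths are assumptions; the functions accept None so the policy objects can be inspected without any key material.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """'Encrypted but unauthenticated': the channel is encrypted, but the server's
    X.509 certificate is never checked, so anyone in the path can pose as the site.
    This is the weak setting, kept only for contrast with the hardened one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, or none at all
    return ctx


def hardened_client_context(client_cert=None, client_key=None) -> ssl.SSLContext:
    """Server authentication on, legacy protocol versions and weak suites off, and an
    optional client certificate so the server can authenticate us in turn."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuses SSL 2/3 and TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED              # server must present a chain we trust
    ctx.check_hostname = True                        # and its name must match the URL host
    ctx.load_default_certs()                         # platform trust store as root of trust
    # Forward-secret AEAD suites only; TLS 1.3 suites are always enabled in addition.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    if client_cert is not None:
        # Assumed file paths; needed only when the server demands client authentication.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def mutual_tls_server_context(server_cert=None, server_key=None, client_ca=None) -> ssl.SSLContext:
    """Server side of client authentication: the handshake fails unless the client
    presents an X.509 certificate chaining to the CA in client_ca. Paths are
    assumptions; pass None to build the policy object without key material."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED              # require, not merely request, a client cert
    if server_cert is not None:
        ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    if client_ca is not None:
        ctx.load_verify_locations(cafile=client_ca)  # which CAs may vouch for clients
    return ctx


def audit_context(ctx: ssl.SSLContext, role: str) -> dict:
    """Map a context's settings onto the three SSL/TLS services from the text,
    returning plain Python values so the result can be logged or asserted on."""
    peer_checked = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        "min_version": ctx.minimum_version.name,
        # weakest symmetric key the enabled suites allow; 0 would mean a NULL cipher
        "min_strength_bits": min(c["strength_bits"] for c in ctx.get_ciphers()),
        "server_auth": (peer_checked and ctx.check_hostname) if role == "client" else None,
        "client_auth": peer_checked if role == "server" else None,
    }


if __name__ == "__main__":
    for label, ctx, role in (("weak client", weak_client_context(), "client"),
                             ("hardened client", hardened_client_context(), "client"),
                             ("mTLS server", mutual_tls_server_context(), "server")):
        print(label, audit_context(ctx, role))
```

Note the ordering trap in weak_client_context: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a hint that the library considers an unauthenticated channel a deliberate choice rather than a default. The audit function is the kind of check to run in a deployment test, since a context that merely encrypts satisfies the first service but none of the other two.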