Page 1: Wireless Networking in Windows Vista

Wireless Networking in Windows Vista
Security, usability, and manageability improvements for wireless clients

Published: December 2006
For the latest information, please see http://www.microsoft.com/windowsvista


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft, Active Directory, Windows, Windows Vista, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.


Contents

Introduction
Core Wireless Improvements
Security Improvements
    Passive and Active Countermeasures
    Connecting to Unprotected Networks
    More Secure Ad Hoc Networking
    Enterprise Single Sign On
    Network Location Types
    Security Protocols
    Extensibility Through EAPHost
Improvements to the End-User Experience
    Connecting to a Wireless Network
    Network and Sharing Center
    Networking System Tray Icon
    Ad Hoc Networking
Troubleshooting Improvements
    Wireless Diagnostics Event Logging
    Wireless Diagnostics Tracing
Manageability Improvements
    Group Policy
    Netsh
Summary


Introduction

Computing has changed in many ways since Microsoft® released Windows® XP. Some of the most significant changes have been in the area of mobile computing and wireless networking. In 2001, when Windows XP was released, most computers used wired network connections. Today, mobile users constantly connect to wireless networks at the office, at home, in airports, in coffee shops, and in hotels.

When using wireless networks, people can be more productive and can stay in touch when traveling, but these networks have also introduced some challenges. Unfortunately, malicious users have created tools to exploit vulnerabilities in wireless communications, putting confidential information at risk. Additionally, as the number of wireless users increased, so did the number of support center calls related to connecting and troubleshooting wireless connections. Finally, information technology (IT) departments discovered they needed better tools to manage the growing number of wireless clients and connections.

When designing Windows Vista™, Microsoft focused on addressing these problems so that users could take advantage of wireless networks in the most secure and user-friendly way possible, while minimizing the burden on IT departments. Windows Vista makes wireless networking more secure, easier to use, and simpler to manage and troubleshoot. Naturally, wireless connections also benefit from the many improvements made to the Windows Vista core networking components. The sections that follow describe these improvements in more detail.

Core Wireless Improvements

Windows Vista was designed from the ground up to provide support for wireless networking that is as closely integrated with the operating system as wired networking. This integration also offers improved stability and reliability, which should result in fewer support calls and more productive users.

In the past, some hardware vendors provided their own tools for managing wireless networks. This was a challenge for both users and IT: users needed to learn how to use different vendor-specific wireless software depending on the type of computer or network adapter they had, and IT had to manage these different clients with different tools, mostly in a decentralized manner. Windows Vista provides a single wireless network client that all computers in your organization can use, regardless of the hardware vendor. As you will learn in the “Manageability Improvements” section, the Windows Vista wireless software is easy to use and manage.

Windows Vista wireless networking does not provide this consistency by locking out third-party vendors. On the contrary, wireless networking includes much improved extensibility that will permit third parties to take advantage of future wireless networking improvements. Additionally, developers can use the wireless networking application programming interfaces (APIs) to manage wireless networking connections, adapters, and profiles. As discussed in the “Extensibility Through EAPHost” section, third parties can use EAPHost to develop custom authentication mechanisms that support wireless networks.

Windows Vista also includes numerous networking improvements that benefit both wired and wireless networks. For example, Windows Vista has a significantly improved ability to dynamically tune network performance for different connections. This automatic tuning will benefit users who travel the most, because it can greatly improve performance over wide area network (WAN) and satellite links.


Security Improvements

Windows Vista shows Microsoft’s commitment to security through support for numerous security protocols, as well as extensions to those protocols that improve the user experience and the manageability of the wireless networking infrastructure. This section examines some aspects of wireless network security in Windows Vista.

Passive and Active Countermeasures

In recent years, attackers have discovered several ways to exploit wireless clients before they connect to a network. Wireless clients must transmit information to discover and connect to some networks, particularly non-broadcast or hidden networks that have been configured not to broadcast a Service Set Identifier (SSID): the only way to find a hidden network is to send probe requests that carry its SSID, and a client that does this does it wherever it happens to be. An attacker can answer those probes with a malicious access point that presents the requested SSID and trick the client into connecting. Once the client has connected to a malicious access point, the attacker can record unencrypted network communications and attack the wireless client across the wireless connection.

Windows Vista has been designed to be as passive as possible, to reduce the amount of private information that is transmitted before connecting to a network. For example, Windows Vista probes for the names of only those preferred networks that are specifically marked as non-broadcast. If you configure your internal wireless networks not to hide the SSID, this passive behavior prevents attackers from learning a client’s preferred networks. In other words, not hiding the SSID actually improves security, because it does not require the Windows Vista client to transmit the network name when searching for available networks.

Note   In the past, some network administrators configured wireless networks to be hidden by not broadcasting their SSID. Broadcasting the SSID is the security best practice because, among other reasons, it enables Windows Vista and some earlier versions of Windows to keep your network names private when away from your internal network. Additionally, hiding the SSID was never an effective security technique, because the SSID is easily discovered by attackers: it travels in the clear in every probe request and association request that a legitimate client sends to the network. For more information, read “Non-broadcast Wireless Networks with Microsoft Windows” at http://www.microsoft.com/technet/itsolutions/network/evaluate/hiddennet.mspx.

If you do continue to use non-broadcast networks, Windows Vista will follow the order of the preferred networks regardless of whether they are broadcast or non-broadcast, which is different behavior than Windows XP. Additionally, when resuming from sleep, Windows Vista clients do not transmit the wireless network name unless absolutely necessary. Users can avoid transmitting the network name when away from the non-broadcast network by connecting to the network manually and typing the non-broadcast SSID each time, as described later in the “Connecting to a Wireless Network” section.

Another common wireless exploit takes advantage of the fact that some wireless clients (Windows XP among them) generate a temporary ad hoc network with a random name when no preferred network is available, and keep scanning for newly available wireless networks while that temporary network exists. To exploit this, an attacker could join the temporary network and then send network requests to the wireless client. Windows Vista reduces the risk of this type of attack in two different ways:

- If a native Windows Vista wireless driver is installed, the wireless adapter is parked without generating a temporary network name that could be exploited, eliminating the vulnerability.

- If a legacy wireless driver is installed, Windows Vista protects the temporary network with a randomly generated network key. Before an attacker could connect, he or she would need to guess that key, which is computationally infeasible.

Connecting to Unprotected Networks

Many wireless networks are unprotected (often called unsecured or unencrypted networks). Connecting to an unprotected network is a significant security risk, too great for most organizations to tolerate. Anyone in the area near the wireless network can capture and view all unprotected network traffic, which might include user names and passwords, e-mail messages, instant messages, and Web sites. Most public wireless hot spots are unprotected. To make sure users can take advantage of these hot spots, Windows Vista does allow users to connect to unprotected networks. However, the Windows Vista user interface (UI), as shown in Figure 1, alerts users to the risks associated with unprotected networks so that they can better choose the applications to use while connected. Additionally, Windows Vista will never automatically connect to an unprotected or ad hoc network, reducing the risk of automatically connecting to a malicious wireless access point.

Figure 1. Windows Vista warns users about the risks of unprotected networks

Windows Vista uses wireless network profiles to determine which preferred, protected networks to automatically connect to. These wireless network profiles consist of an SSID, security settings (such as authentication and encryption methods and network key), and whether the network is an infrastructure or ad hoc wireless network. Windows Vista will only automatically connect to a network if all aspects of the profile match. This prevents an attacker from creating an unprotected or ad hoc network with the same SSID (an “evil twin”) and tricking the Windows Vista client into automatically connecting to it.

More Secure Ad Hoc Networking

With ad hoc wireless networks, two or more wireless clients can communicate without a wireless access point or any network infrastructure. Ad hoc networks are frequently used for collaboration when two or more employees are away from the office. Unfortunately, if users are not careful about how they set up and connect to ad hoc networks, they might create an unprotected network or connect to a malicious network.

Windows Vista attempts to make ad hoc networks as secure as possible by default. Windows Vista supports Wi-Fi Protected Access 2 (WPA2)-Personal for the highest level of standards-based security for ad hoc wireless networking. With a WPA2-Personal ad hoc network created in Windows Vista, users are better protected from common attacks and vulnerabilities found in an open, unprotected ad hoc network.

After creating an ad hoc network, Windows Vista will automatically delete the network after all users disconnect or leave the range of the network unless the user specifically creates it as a permanent network. If you share your Internet connection across an ad hoc network, Windows Vista will automatically disable Internet Connection Sharing (ICS) if you disconnect from the ad hoc network, create a new ad hoc network, or log off and log back on to your computer.

Enterprise Single Sign On

To permit users to connect to protected wireless networks before domain logon (and thus allow wireless users to authenticate to a domain and the network in a single step), administrators can use Group Policy settings or the new Netsh wireless commands to configure Single Sign On (SSO) profiles on wireless client computers. This means that users do not have to authenticate through the Windows logon process and then again, separately, to a wireless network.

After an SSO profile is configured, 802.1X authentication precedes the computer logon to the domain, and users are prompted for wireless credentials only if needed. This feature ensures that the wireless connection is in place before the domain logon. With the wireless connection in place before logon, Windows Vista can apply Group Policy updates, run logon scripts, download software updates, and perform wireless client domain joins.

SSO is supported by both standard Extensible Authentication Protocol (EAP) methods—such as Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), which relies on an account name and password, and EAP-Transport Layer Security (EAP-TLS), which uses a smart card or digital certificate for authentication—and third-party EAPHost methods.

Network Location Types

Different types of networks require different levels of protection. For example, when connected to your organization’s Microsoft Active Directory® directory service network, you might want Windows Vista computers to allow network management tools to establish incoming connections. However, you would not want to allow incoming network management connections if a user connects to a wireless hot spot at an airport or coffee shop.

Windows Vista provides three different network location types, each of which can have its own Windows Firewall configuration and can be set by the IT administrator via Group Policy:

- Public. All unidentified networks, including wired or wireless hot spots, are created as public networks to best protect the computer from network attacks. Windows Firewall blocks all unsolicited incoming traffic unless you specifically create exceptions. To further improve security, Network Discovery (a tool used to find network resources and announce the computer to peers) is disabled.

- Private. Administrators can define home or small-office networks as private to enable users to share resources with other computers on the local area network (LAN). The Private location is intended for trusted networks that have no Active Directory domain controller (DC). Windows Firewall exceptions and Network Discovery are enabled by default on private networks.

- Domain. Any time the Windows Vista computer can connect to and authenticate with an Active Directory DC of the domain for which it is a member, the network is considered a domain network. Windows Firewall exceptions and Network Discovery are enabled by default on domain networks, unless overridden by domain Group Policy settings. Administrators can use Group Policy settings to create Windows Firewall exceptions for internal monitoring and management software on the domain network.

With network location types, wireless clients can have a higher level of security when connected to public networks without sacrificing capabilities when connected to private networks. As a result, users can use their portable computers to share files and printers on their home networks (with a Private network location type), while automatically being protected by Windows Firewall when connected to Public wireless networks.

Security Protocols

Today's wireless infrastructure is a mix of differing standards and vendor-proprietary extensions to wireless standards and protocols. Connecting to the varied wireless networks that a user may encounter can become difficult. Windows Vista supports the major security initiatives and standards for wireless networking. These standards ensure interoperability between Windows Vista and commonly deployed network infrastructure.

In addition to Wired Equivalent Privacy (WEP), which no longer meets many organizations’ security requirements, the security protocols and initiatives supported by Windows Vista include:

- WPA and WPA2. These security standards are for wireless networks that use dynamic keys and either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES, used in CCMP mode) to provide much stronger encryption than WEP. TKIP was designed as a stopgap that WEP-era hardware could run; AES-CCMP is the stronger of the two and should be preferred wherever the infrastructure supports it.

- PEAP. Protected EAP carries an inner EAP authentication inside a server-authenticated TLS tunnel, so that user credentials are never sent in the clear over the wireless link. It is published as an IETF Internet draft rather than a standards-track RFC, but it is widely implemented.

- PEAP-MS-CHAP v2. With this wireless authentication protocol, clients can use their Active Directory account name and password credentials to authenticate to the wireless network. PEAP-MS-CHAP v2 is natively supported by the Internet Authentication Service (IAS) in Windows Server® 2003 and Network Policy Server (NPS) in Windows Server Code Name “Longhorn” (released as Windows Server 2008), and it is the default protocol for wireless authentication in Windows Vista. Earlier versions of Windows also support PEAP-MS-CHAP v2. Because MS-CHAP v2 is only as strong as the TLS tunnel around it, the client profile should be configured to validate the server certificate and to trust only your own authentication servers; otherwise a rogue access point with its own RADIUS server can collect the MS-CHAP v2 challenge and response.

- EAP-TLS. With this wireless authentication protocol, clients authenticate to the wireless network by using certificates or smart cards, and the client in turn validates the authentication server’s certificate. Earlier versions of Windows also support EAP-TLS.

All of these security protocols and initiatives can be centrally configured by using Group Policy in Active Directory domains to provide simplified management. Each security protocol supported by Windows Vista is helpful for connecting to a variety of wireless networks and helps make the connection more secure. By supporting such a wide range of protocols, Windows Vista can use the most secure method available for a given network.

Windows Vista can use the highest level of standards-based security. Support for WPA2 out of the box in both WPA2-Enterprise and WPA2-Personal mode means that users are protected in both enterprise and home environments, whether connecting at the office or creating a network on the road. WPA2 provides AES encryption, the same algorithm (FIPS 197) that the U.S. government has approved for protecting its own information.
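The checks in the three preceding sections (probing for non-broadcast SSIDs, never auto-connecting to open or ad hoc networks, and preferring WPA2/AES with 802.1X and SSO) can be applied mechanically to the profiles a Vista client actually holds. The following script is an added example, not part of this white paper and not Microsoft's code. It assumes profiles were exported with `netsh wlan export profile` and therefore follow the WLAN_profile v1 schema, that the `singleSignOn` element sits inside the `OneX` element as the Vista OneX schema places it, and it uses three constructed sample profiles (the `<EAPConfig/>` stub stands in for the real PEAP configuration that netsh would export). The finding codes and the `would_auto_connect` rule are this example's own model of the behavior the paper describes, not an interface of the Windows client:

```python
"""Audit exported Windows WLAN profiles for the weak settings discussed above.
Added example, not Microsoft's code. Assumes profiles exported with
"netsh wlan export profile" (WLAN_profile v1 schema); samples are constructed."""
import xml.etree.ElementTree as ET

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "o": "http://www.microsoft.com/networking/OneX/v1"}

# 802.1X block with pre-logon Single Sign On; <EAPConfig/> stands in for the
# real PEAP configuration that netsh would export (constructed sample).
ONEX_SSO = f"""<OneX xmlns="{NS['o']}">
      <authMode>machineOrUser</authMode>
      <singleSignOn><type>preLogon</type><maxDelay>10</maxDelay></singleSignOn>
      <EAPConfig/>
    </OneX>"""


def build_profile(name, non_broadcast, conn_type, mode, auth, enc, onex=""):
    """Return a constructed WLAN_profile document shaped like a netsh export."""
    use_onex = "true" if onex else "false"
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['p']}">
  <name>{name}</name>
  <SSIDConfig>
    <SSID><hex>{name.encode().hex().upper()}</hex><name>{name}</name></SSID>
    <nonBroadcast>{non_broadcast}</nonBroadcast>
  </SSIDConfig>
  <connectionType>{conn_type}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
      <useOneX>{use_onex}</useOneX>
    </authEncryption>
    {onex}
  </security></MSM>
</WLANProfile>"""


# Constructed samples: a well-configured corporate SSID, a hidden open guest
# SSID, and a legacy WPA/TKIP pre-shared-key SSID.
SAMPLE_PROFILES = {
    "ContosoWLAN": build_profile("ContosoWLAN", "false", "ESS", "auto", "WPA2", "AES", ONEX_SSO),
    "ContosoGuest": build_profile("ContosoGuest", "true", "ESS", "auto", "open", "none"),
    "Warehouse": build_profile("Warehouse", "false", "ESS", "auto", "WPAPSK", "TKIP"),
}


def audit_profile(xml_text):
    """Parse one profile; return its settings plus a list of (code, message) findings."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    sec = "p:MSM/p:security/"
    p = {
        "ssid": text("p:SSIDConfig/p:SSID/p:name"),
        "non_broadcast": text("p:SSIDConfig/p:nonBroadcast") == "true",
        "type": text("p:connectionType"),  # ESS = infrastructure, IBSS = ad hoc
        "mode": text("p:connectionMode"),  # auto or manual
        "auth": text(sec + "p:authEncryption/p:authentication"),
        "enc": text(sec + "p:authEncryption/p:encryption"),
        "onex": text(sec + "p:authEncryption/p:useOneX") == "true",
        "sso": root.find(sec + "o:OneX/o:singleSignOn", NS) is not None,
    }
    is_open = p["auth"] == "open" and p["enc"] == "none"
    checks = [
        (p["non_broadcast"], "NON_BROADCAST", "client probes for this SSID wherever it roams"),
        (is_open, "OPEN", "no encryption; all traffic is exposed to nearby listeners"),
        (p["enc"] == "WEP" or p["auth"] == "shared", "WEP", "WEP no longer meets security requirements"),
        (p["enc"] == "TKIP", "TKIP", "TKIP is a WEP-era stopgap; prefer AES (CCMP)"),
        (p["mode"] == "auto" and (is_open or p["type"] == "IBSS"), "AUTO_ON_OPEN_OR_ADHOC",
         "Vista never auto-connects to open or ad hoc networks; users must connect manually"),
        (p["onex"] and not p["sso"], "ONEX_WITHOUT_SSO",
         "no pre-logon connectivity, so Group Policy and logon scripts wait for the user"),
    ]
    p["findings"] = [(code, msg) for hit, code, msg in checks if hit]
    return p


def audit_all(profiles=SAMPLE_PROFILES):
    return {name: audit_profile(xml) for name, xml in profiles.items()}


def would_auto_connect(profile, observed):
    """The paper's auto-connect rule: every aspect of the profile must match the
    observed network, and open or ad hoc networks are never joined automatically.
    `observed` holds ssid, type, auth and enc as a scan would report them."""
    if profile["mode"] != "auto":
        return False
    if observed["type"] == "IBSS" or (observed["auth"] == "open" and observed["enc"] == "none"):
        return False
    return all(observed[k] == profile[k] for k in ("ssid", "type", "auth", "enc"))
```

Run `audit_all()` against the samples and ContosoWLAN comes back clean, ContosoGuest is flagged NON_BROADCAST, OPEN and AUTO_ON_OPEN_OR_ADHOC, and Warehouse is flagged TKIP; feeding `would_auto_connect` an open network that merely reuses the ContosoWLAN SSID returns False, which is the evil-twin defense described in “Connecting to Unprotected Networks”. To audit real clients, export with `netsh wlan export profile` and pass each file's contents to `audit_profile`.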

Extensibility Through EAPHost

For easier development of EAP authentication methods for wireless connections, Windows Vista supports a new EAP architecture called EAPHost. The EAPHost platform provides a framework for the creation of authentication schemes that are not provided natively as part of Windows Vista. By using this extensibility, administrators can use third-party plug-ins for wireless authentication.


EAPHost provides the following features that are not supported by the EAP implementation in earlier versions of Windows:

- EAP method coexistence. EAPHost allows multiple implementations of the same EAP method to coexist simultaneously. For example, the Microsoft version of PEAP and a version of PEAP from another vendor can be installed and selected.

- Support for new standards. EAPHost supports network discovery as defined in the “Identity selection hints for EAP” Internet draft, it conforms to the EAP state machine (RFC 4137), and it addresses a number of security vulnerabilities described in the security considerations of Request for Comments (RFC) 3748 (available at http://www.ietf.org/rfc/rfc3748.txt).

For EAP method vendors, EAPHost provides support for EAP methods already developed for Windows Server 2003 and Windows XP, and an easier method of developing new EAP methods for Windows Vista. EAPHost also allows better classification of EAP types so that the built-in 802.1X and Point-to-Point Protocol (PPP)-based Windows supplicants can use them.

Because EAPHost is integrated with Network Access Protection (NAP), a feature of Windows Server “Longhorn” that checks the health of clients before they connect to a network, new supplicants do not have to be NAP-aware. To participate in NAP, new supplicants just need to register a connection identifier and a callback function that informs the supplicant to reauthenticate.

Improvements to the End-User Experience

Windows Vista makes wireless networking easier to use, which means users will spend less time connecting to networks and troubleshooting connection problems. The sections that follow describe the Windows Vista wireless networking UI.

Connecting to a Wireless Network

Windows Vista computers can automatically connect to your internal wireless networks. Using Group Policy or scripts, as discussed in the “Manageability Improvements” section, you can configure computers to automatically connect to specific protected networks whenever they are available. Thanks to SSO, users can connect to wireless networks before they log on to their computers. Therefore, users may never need to manually configure a wireless network.

However, some users will also want to connect to wireless networks that are not managed by an enterprise IT department, such as their home networks and hot spots at coffee shops or airports. Naturally, you can also use Group Policy settings to restrict users to only approved networks. However, if you choose to allow users to connect to other networks, the friendly Windows Vista UI will make it easy enough that most users will not require any training, and they will not need to make a support call for assistance.

The process of connecting to a wireless network is the same as connecting to a VPN or a dial-up connection. From the Start menu, users can click Connect To and start the Connect to a network wizard, as shown in Figure 2. This wizard shows all available VPN, dial-up, and wireless connections. Networks that do not broadcast an SSID appear as Unnamed Network. The user can also right-click the networking icon in the System Tray and select “Connect To.”


Figure 2. The Connect To a Network wizard

Most of the time, users simply need to select a network and click Connect. Windows Vista then gathers security information (if not already configured) or warns users about the risks of connecting to an unprotected network. The first time the user connects to a network that does not broadcast an SSID, the user must type the Network Name.

After connecting, the Connect to a network wizard can detect wireless hot spots that do not provide Internet access until the user has registered and possibly paid for the service. As shown in Figure 3, if the wizard can connect to the wireless network but cannot reach the Internet, it instructs the user to open a Web browser to finish connecting, a process that is required by most wireless hot spots and that is often not clear to users.


Figure 3. The Connect To a Network wizard detects a hot spot that requires registration

However, wireless users know that connecting to wireless networks does not always go smoothly. If a problem occurs, Windows Vista will detect it and give the user the option of using Windows Network Diagnostics to try to solve the problem, as Figure 4 shows.


Figure 4. The Connect To a Network wizard helps the user diagnose a problem

Windows Network Diagnostics cannot solve all problems. However, it can provide guidance to the user to solve many problems, and each problem it solves means fewer calls to your support center. Figure 5 shows an example of how Windows Network Diagnostics provides guidance to users. The choices given to the users are unique for each situation and are presented to users only after gathering diagnostic information about the network environment.

Figure 5. Windows Network Diagnostics provides scenario-specific troubleshooting guidance

Some common wireless networking problems for which Windows Network Diagnostics can suggest solutions include:

- Receiving a weak wireless signal.
- Having a disabled wireless radio.
- Successfully connecting to the wireless network but not receiving an IP address assignment.
- Typing the incorrect security key.
- Using invalid digital certificates for EAP-TLS authentication.
- Experiencing hardware or driver incompatibilities.
- Having authentication failures because of infrastructure failure, such as an offline authentication server.

The raw information gathered by Windows Network Diagnostics, the repair options provided to the user, and the choices made by the user are all recorded in the System Event Log to assist administrators in troubleshooting if users are unable to resolve the problem themselves. For more information, see the “Wireless Diagnostics Event Logging” section.

Network and Sharing Center

The Windows Vista Network and Sharing Center, as shown in Figure 6, provides a clear view of both wired and wireless network connections; a network map to show how the computer is connected to the Internet; and links for managing, joining, creating, or troubleshooting wireless networks. Users can also browse network resources by starting the new Network window, which is available by clicking View computers and devices.

Figure 6. The Network and Sharing Center

The Network and Sharing Center is especially useful for traveling users who connect to wireless networks and use VPN connections. With previous versions of Windows, connecting remotely could be complicated. Without direct access to IT support, users could have trouble troubleshooting these connection problems. As a result, the Network and Sharing Center should reduce the number of IT support calls related to remote connectivity.

If a network connection is not available, such as a failed Internet connection (even if the wireless connection is functioning), the Network and Sharing Center detects this failure and displays it graphically on the abbreviated version of the network map, as shown in Figure 7. Users can troubleshoot the problem simply by clicking the failed portion of the network map to launch Windows Network Diagnostics.


Figure 7. The Network and Sharing Center can help diagnose network problems

To open the Network and Sharing Center, click Start, click Network, and then click Network and Sharing Center on the toolbar. Alternately, click Start, right-click Network, and then click Properties.

Networking System Tray Icon

In Windows Vista, a single icon in the system tray represents connectivity through all network adapters, allowing users with both wired and wireless network adapters to quickly determine whether they are connected to a local network or the Internet. By creating a single icon for all connection types, users no longer need to examine multiple network adapters to determine whether they have network access.

The networking icon has four states, which Table 1 shows.

Table 1. Four States of the Networking Icon

- No connectivity (icon with a red X). No network adapter is connected to a local network.

- Connectivity problem (icon with an exclamation point on a yellow triangle). A connectivity problem exists. When this icon is displayed, users can use Windows Network Diagnostics to help them troubleshoot the problem.

- Local connectivity only (icon without an X, a triangle, or a globe). At least one network adapter is connected to the local network but cannot reach the Internet. When a user is using a hot spot, this icon often means that the user has connected to the wireless network but needs to use browser-based registration or authentication to gain Internet access.

- Internet connectivity (icon with a globe). At least one network adapter is connected to the local network and Windows Vista can reach the Internet.

If the computer has multiple network connections that have different levels of connectivity (for example, both wired and wireless network adapters), the tray icon communicates only the greatest level of connectivity. To display the status of individual network adapters, users can hover over or click the icon, as shown in Figure 8.

Figure 8. Hover over the networking system tray icon to view the network adapter status

Ad Hoc Networking

Ad hoc networks let users collaborate when no wireless access point is available. Windows Vista makes it possible for users to create ad hoc networks by using the same Connect to a network wizard they use to connect to infrastructure wireless networks, as shown in Figure 9.

Figure 9. Creating an ad hoc network


Troubleshooting Improvements

Windows Vista includes the Network Diagnostics Framework, a new set of diagnostics tools that helps resolve connectivity issues quickly without the user having to call the support center. It also provides richer root cause information to the Windows event logs when a support center call is necessary. As shown earlier, Windows Network Diagnostics leverages this framework to guide users through the process of troubleshooting common problems without calling their support center.

In circumstances when Windows Network Diagnostics cannot solve a problem, users might still ask the support center for assistance. Windows Network Diagnostics and the wireless client simplify this part of the troubleshooting process by recording extremely detailed information in the System Event Log both when problems occur and when wireless connections are successful. Additionally, administrators can use Wireless Diagnostics tracing to capture and analyze diagnostic information by using graphical tools.

Wireless Diagnostics Event Logging

When Windows Network Diagnostics runs, it creates events containing the following information:

- The name of the wireless network adapter and whether it is a native Windows Vista driver or a legacy driver.
- A list of visible wireless networks with the signal strength, channel, and protocol (such as 802.11b or 802.11g) for each. Additionally, the event shows whether each network is infrastructure or ad hoc.
- The list of preferred wireless networks and each network's configuration settings.
- The diagnostic conclusions, such as, "The wireless connection on this computer appears to be working correctly," "The Internet connection on the wireless router or access point might not be working correctly," and "The computer has a low signal strength from ContosoWLAN."
- The repair options offered to the user, such as, "Try moving the computer to a different location, eliminating any sources of possible interference, and then try connecting to ContosoWLAN again."
- The repair options chosen by the user and whether the repair solved the problem.

Windows Vista also logs all wireless connections in the Event Log, not just when diagnostics have been invoked. Later, you can view these events by using the Event Viewer tool, as shown in Figure 10. You can use the Event Viewer tool to help you understand the network environment at the time the problem occurred, without needing to recreate the scenario (a situation that is often impossible when users are traveling). Additionally, you no longer have to rely on users to explain the symptoms of the problem.


Figure 10. The Event Viewer tool

Occasionally, you might need to escalate a wireless networking problem to Microsoft or another support specialist. To ensure these specialists have as much information as possible about the problem and the diagnostics process, Windows Vista creates detailed debug logs separate from the System events. As Figure 11 shows, you can access these events in Event Viewer by expanding Applications and Services Logs, expanding Microsoft, expanding Windows, expanding Diagnostics-Networking, and then selecting Operational. These detailed debugging logs are not required to troubleshoot most networking problems, however.


Figure 11. Debug logs in Event Viewer
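The following PowerShell script is an added example, not part of the white paper, that collects the two sources described above (wireless connection events in the System log and the Diagnostics-Networking operational log) for a help desk to review without reproducing the problem. It assumes PowerShell 2.0 or later (for Get-WinEvent), and the output folder and time window are illustrative choices.

```powershell
# Added example (not from the white paper): gather wireless diagnostics events
# from the logs described in the "Wireless Diagnostics Event Logging" section.
# Assumes PowerShell 2.0+ (Get-WinEvent). $Hours and $OutDir are illustrative.
param([int]$Hours = 24, [string]$OutDir = "$env:USERPROFILE\wlan-events")

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddHours(-$Hours)

# Connection events the wireless client writes to the System log.
$wlan = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WLAN-AutoConfig'
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Detailed debug log shown in Figure 11: Applications and Services Logs >
# Microsoft > Windows > Diagnostics-Networking > Operational.
$diag = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Diagnostics-Networking/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $wlan -and -not $diag) {
    Write-Warning "No wireless events found in the last $Hours hours."
    return
}

# Quick on-screen summary: how often each event ID occurred (failures stand out).
$wlan | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Export both sets as CSV so they can be attached to a support ticket.
# Only the first line of each message is kept for the connection log; the
# diagnostics log keeps the full text because it carries the conclusions
# and repair options listed above.
$wlan | Select-Object TimeCreated, Id,
    @{n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] }} |
    Export-Csv -Path (Join-Path $OutDir 'wlan-autoconfig.csv') -NoTypeInformation
$diag | Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path (Join-Path $OutDir 'diagnostics-networking.csv') -NoTypeInformation

Write-Host "Exported $(@($wlan).Count) connection events and $(@($diag).Count) diagnostics events to $OutDir"
```

Run it from an elevated prompt if the operational log is restricted on your build; the CSV files contain the SSIDs and adapter details listed above, so store them with the same care as any other support data.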

Wireless Diagnostics Tracing

You can use Event Viewer to examine information about wireless problems after the problem has occurred. If you have a recurring wireless problem, you can also use tracing to capture and analyze even more detailed wireless diagnostics information. Tracing provides extremely in-depth troubleshooting data, including extensive detail about the system's state and events that occurred while tracing was active. While Event Viewer reveals enough information to troubleshoot most common problems, tracing provides sufficient information for even the most complex problems and can be useful to system administrators, driver developers, hardware manufacturers, and Microsoft.

As shown in Figure 12, administrators can start wireless diagnostics tracing by using the Computer Management tool. Additionally, administrators can use the Netsh tool to start tracing from the command line or from a script.


Figure 12. Administrators can start tracing interactively

Starting wireless diagnostics tracing causes Windows Vista to collect detailed information about wireless adapters, Group Policy settings, Windows Network Diagnostics, and overall operating system performance. After tracing has completed (or when an administrator stops tracing), administrators can view the collected information in a report, as shown in Figure 13.


Figure 13. Tracing reports show detailed information gathered while Wireless Diagnostics tracing was enabled

The report includes the following information:

- Wireless configuration, including allowed and blocked wireless networks
- Current IP configuration (including data provided by the ipconfig /all command)
- A list of all connection attempts, and detailed information about each step of the connection process
- A detailed list of all Windows Network Diagnostics events
- Wireless certificate information
- Wireless profiles and their locations
- Wireless network adapter driver information
- Wireless networking system files and versions
- Raw network tracing information
- Computer make and model
- Operating system version
- A list of all services, their current states, and their process IDs

Manageability Improvements

Centralized management of network settings on client computers is important in any size deployment. Management includes not only the initial configuration but also changes and ongoing maintenance of security and configuration settings. Even small deployments of wireless clients benefit from centralized management. Windows Vista includes two methods for managing wireless settings on client computers: Group Policy and the Netsh command-line tool.

Group Policy

Group Policy is a powerful tool to centrally manage users and computers across an organization, regardless of location. Administrators can use Group Policy to configure many aspects of Windows Vista, including Windows Firewall, Internet Protocol security (IPsec), and user security settings. Administrators can also use Group Policy to configure wireless network settings so that they can rapidly deploy wireless network profiles and minimize ongoing maintenance.

Many environments have an Active Directory domain based on Windows Server 2003 (or Windows Server "Longhorn," which is currently in beta testing). When Windows Vista computers are joined to a domain, administrators can automatically distribute Group Policy settings to member computers. Group Policy provides very granular control, including applying different settings to computers in different locations or to users who are members of different security groups.

You can use Group Policy to:

- Configure wireless clients to automatically connect to your organization's protected wireless networks.
- Configure wireless clients to connect to specific networks when multiple networks are available, such as connecting to your most protected wireless network. Configuring preferred networks from a Windows Server 2003 domain controller (DC) is illustrated in Figure 14.
- Block access to nearby wireless networks managed by different organizations.
- Disable the built-in support for wireless auto configuration.

Figure 14. Configuring preferred wireless networks


Netsh

You can also configure and troubleshoot wireless settings by using the Netsh command-line tool. This tool is useful for:

- Managing computers that are not joined to a domain.
- Deploying new computers and automatically connecting them to a trusted and protected wireless network.
- Quickly viewing available wireless networks and wireless configuration settings.
- Copying wireless settings between Windows Vista computers.
- Deleting or updating outdated wireless profiles by using a logon script.

Using Netsh to view and configure wireless settings is extremely easy. For example, to list available wireless networks, run the netsh wlan show networks command. The following is an example output:

    Interface Name : Wireless Network Connection
    There are 2 networks currently visible

    SSID 1 : Contoso1
        Network Type   : Infrastructure
        Authentication : Open
        Encryption     : None

    SSID 2 : Contoso2
        Network Type   : Infrastructure
        Authentication : Open
        Encryption     : WEP

To ease configuration of wireless networks in enterprises, Netsh uses profiles to connect to networks. The easiest way to create a wireless profile is to manually connect to a wireless network from a computer and save the profile to a file by using the netsh wlan export profile command. The following is an example:

    C:\>netsh wlan export profile name="Contoso1"
    Interface profile "Contoso1" is saved in file ".\Wireless Network Connection-Contoso1.xml" successfully.

Then, you can distribute the profile to computers in your enterprise, add the profile by using the netsh wlan add profile command, and connect to the network by using the netsh wlan connect command. The following is an example:

    C:\>netsh wlan add profile filename="C:\profiles\contoso1.xml"
    Profile contoso1 is added on interface Wireless Network Connection

    C:\>netsh wlan connect Contoso1
    Connection request is received successfully

You can use Netsh to perform almost any wireless task from a script or a command prompt. Besides viewing and connecting to networks, you can:

- View existing wireless connection properties.
- Disconnect from wireless networks.
- Allow or block access to wireless networks based on SSID.
- Enable or disable wireless autoconfiguration.
- Specify an order for connecting to different preferred wireless networks.


Besides wireless networking, Netsh includes commands for configuring almost every aspect of networking. As a result, you can create scripts that intelligently configure computers in your enterprise for every network environment in your organization, as well as network environments users might encounter while traveling.
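As an added example (not from the white paper), the following PowerShell logon script strings the netsh wlan commands above into the "deleting or updating outdated wireless profiles" task: it removes profiles that should no longer exist, imports the current exported profile, puts it first in the preferred order, and connects. The profile name, the share path, the interface name, and the list of stale profiles are assumptions for illustration.

```powershell
# Added example (not from the white paper): logon script that replaces outdated
# wireless profiles with the current one using netsh wlan. All names below are
# illustrative assumptions; adjust them for your deployment.
$ProfileName = 'Contoso1'
$ProfileFile = '\\fileserver\profiles\contoso1.xml'   # produced by: netsh wlan export profile name="Contoso1"
$Interface   = 'Wireless Network Connection'
$StaleNames  = @('Contoso-Old', 'Contoso-Guest')      # profiles to remove if present

function Get-WlanProfileNames {
    # Parse the "All User Profile : <name>" / "Current User Profile : <name>"
    # lines printed by netsh wlan show profiles into a list of names.
    netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(All User|Current User) Profile\s*:\s*(.+)$') {
            $Matches[2].Trim()
        }
    }
}

function Invoke-Netsh([string[]]$NetshArgs) {
    # Run netsh and stop the script on a non-zero exit code so a failed
    # delete/add is visible in the logon script output instead of silently ignored.
    $output = & netsh @NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $output" }
    $output
}

$existing = @(Get-WlanProfileNames)

# Remove profiles that are no longer approved.
foreach ($stale in $StaleNames) {
    if ($existing -contains $stale) {
        Invoke-Netsh @('wlan', 'delete', 'profile', "name=$stale") | Out-Null
        Write-Host "Removed outdated profile '$stale'"
    }
}

# (Re)import the current profile. The exported XML can carry key material for
# PSK networks, so the share it is read from should be readable only by the
# computers that need it.
if (-not (Test-Path $ProfileFile)) { throw "Profile file not found: $ProfileFile" }
Invoke-Netsh @('wlan', 'add', 'profile', "filename=$ProfileFile") | Out-Null

# Make it the first preferred network on the wireless interface, then connect.
Invoke-Netsh @('wlan', 'set', 'profileorder', "name=$ProfileName",
               "interface=$Interface", 'priority=1') | Out-Null
Invoke-Netsh @('wlan', 'connect', "name=$ProfileName")
```

Adding a profile that already exists simply overwrites it, so the script is safe to run at every logon.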

Summary

The wireless networking experience in Windows Vista reflects the increased importance of wireless networks as a means of connecting users with their applications, data, and each other. Wireless networks are treated as the equivalent of wired networks in Windows Vista and can be managed through the same tools as their wired counterparts. Security is central to the design of wireless networking in Windows Vista. Windows Vista uses the highest levels of security for wireless networks and also uses a more secure-by-default design that helps prevent common vulnerabilities. The end-user experience has also been enhanced in Windows Vista, helping users configure protected wireless networks and get connected, whether at home, in the office, or on the road. If problems do arise, Windows Vista helps the user diagnose and attempt to solve the problem.

IT departments might appreciate the wireless networking improvements more than anyone. When using the command line, administrators can set, view, and change all configuration settings for wireless clients. With Group Policy, wireless clients can be centrally managed. If users have problems that Windows Network Diagnostics cannot automatically fix, administrators can view detailed troubleshooting information in the System Event Log and quickly isolate the symptoms of the problem.

Combined, these improvements make Windows Vista an excellent value for organizations that rely on wireless networking so that employees can stay productive—whether the employees are in a meeting room down the hall or a hotel on a different continent.
