Using Windows Vista on a Corporate Mobile Network
Expert Reference Series of White Papers
www.globalknowledge.com
1-800-COURSES
Introduction
Can you remember the frustration you felt the last time you needed to work on a document but couldn’t connect to the network to use it? What about the last time you wanted to write an email or get some work done on the Internet, but you had to go to a different location where you could use a networked system? Multiply these problems and frustrations by every employee who has ever experienced them and you will understand, if you don’t already, why wireless networking is becoming a requirement in many offices. When properly implemented and used, wireless networking acts not only as a nice convenience, but as a valid tool for increasing productivity and efficiency.
Those who resist the idea of creating a Wi-Fi network will normally acknowledge its advantages, but express valid concerns about expanding the network infrastructure and preventing security problems inherent in the technology. Can you implement this kind of change without unduly impacting the security of the existing network infrastructure? Can you enforce security procedures created just for the wireless network on end-users working with laptops? Some of your users might be allowed to use their laptops on public Wi-Fi networks where you have no control. Can you run system checks and prevent computers with security problems from rejoining your network? If you are using an Active Directory domain with Windows Vista clients, the answer to all of these questions is yes.
As you will see, this does not have to be a complicated process. Having a basic understanding of the encryption and authentication choices available, related group policy settings, and Windows Vista features will help you narrow down your choices and make the decisions that are best for your environment.
We will start off by walking through the process of configuring a wireless connection on a Windows Vista system manually. This will allow us to view the different features and options available during setup. We will then discuss how to implement configuration changes automatically through
or Service Set Identifier (SSID). Sometimes called a non-broadcast or hidden network, many take advantage of this feature on their APs in an effort to make the network more secure by “hiding it” from older operating systems like Windows 2000 or XP. Obviously, they are not hidden from Vista systems, but this feature has proved to be a very ineffective security option in any case. If you decide to use it, don’t let it give you a false sense of security. It really shouldn’t be seen as a security feature, especially on a corporate network.
There is also an option showing whether the connection to the AP will be secure or not. If security is enabled, Vista will automatically use the strongest encryption protocol it supports on the access point. If security is not enabled, a warning message will alert you to the dangers of connecting to such a network. You will also have the option to connect to the AP automatically, making it your preferred network. You will also be able to disconnect from a network or modify your preferred network settings when necessary.
If you need to manually configure your network connection settings, from the Connect to a network window use the Set up a connection or network option in the lower left hand corner and choose to open the Manually connect to a wireless network window (Figure 1.2). From here, you can configure a network name and security protocols.
One issue that often comes up when connecting domain laptops through wireless networks is the problem of having to authenticate twice. A secure wireless network will require some form of authentication before connecting, after which you will need to provide your Active Directory credentials for connecting to the domain. Although not required, it’s a good idea to simplify this process for users by allowing them to connect to the network and domain in a single logon process using a bootstrap wireless profile. You do this by modifying the properties of a wireless profile to disable the validation of the RADIUS Server certificate when using PEAP-MS-CHAPv2 authentication and enabling Single Sign On. Because such a profile does not validate the RADIUS server certificate, the client cannot distinguish the corporate server from a rogue one while that profile is in use, so treat it as a temporary bootstrap profile rather than a permanent one. The network administrator might make the laptop a member of the domain by using a wired connection and configure a new wireless profile with these settings. If the laptop is already a member of the domain, a configuration file can be used to apply the new settings using netsh. When users want to connect, they simply log in with their domain credentials. Normally, without cached credentials or an existing network connection, this logon process would fail. Enabling Single Sign On will allow the client to connect to the network and domain in a single step using the domain credentials they provided at logon.
A network administrator would normally want to maintain these settings by using group policies to push any configuration changes to laptops. However, a domain running Windows Server 2003 with SP1 does not support some of the new security features available for 802.11 networks on Vista, such as using WPA2. This can be overcome by performing schema modifications that add these features. If you are unable or unwilling to risk such a change to your Active Directory forest, a simpler solution would be to use script files. Netsh now has a new WLAN parameter that can be used to export and import wireless configuration settings using XML files. It takes three parameters when exporting the configuration:
• First, the name of the XML file to export the configuration to
• Second, the name of the wireless profile being exported
• Third, the name of the wireless adapter used by the profile.
The command might look like this:
netsh wlan export profile name="secure_profile" folder="C:\profiles" interface="Wireless Network Connection"
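As an added example (not from the white paper), here is a small Python audit that reads a profile in the form that netsh wlan export profile writes it and flags the bootstrap-profile settings discussed above: PEAP-MS-CHAPv2 with RADIUS server certificate validation turned off and Single Sign On enabled. The element names and namespaces are assumed from the Windows WLAN profile schema, and the embedded profile is constructed for the example rather than taken from a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a bootstrap-style profile in the shape netsh exports:
# PEAP (EAP type 25), server validation disabled, single sign-on enabled.
# Element and namespace names are assumed from the Windows WLAN profile
# schema; they are not taken from the white paper.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>secure_profile</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <singleSignOn><type>preLogon</type></singleSignOn>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation><ServerNames></ServerNames></ServerValidation>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
          </EapType>
        </Eap></Config></EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    # Strip the XML namespace so the audit does not depend on schema versions.
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    # Returns (profile_name, findings); an empty findings list means nothing
    # risky was spotted in this profile.
    values = {}
    for el in ET.fromstring(xml_text).iter():
        # First occurrence wins: the profile <name> precedes the SSID <name>.
        values.setdefault(_local(el.tag), (el.text or "").strip())
    findings = []
    if values.get("useOneX") == "true" and values.get("Type") == "25":
        validated = values.get("PerformServerValidation", "true").lower() != "false"
        if not validated:
            findings.append("RADIUS server certificate validation disabled")
        if not values.get("ServerNames"):
            findings.append("no RADIUS server name pinned")
        if "singleSignOn" in values and not validated:
            findings.append("single sign-on sends domain credentials to an unvalidated server")
    return values.get("name"), findings
```

To run it against a real machine, export each profile with the netsh command above and pass the file contents to audit_profile(); a profile that is still flagged after the bootstrap phase is one that should be replaced.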
e in case of a breach, things will go a lot more smoothly in the long run. Also, never forget to have a proper audit policy. This should include what events will be recorded and how often and by whom the information must be reviewed.
Copyright ©2007 Global Knowledge Training LLC. All rights reserved.