There is, unfortunately, some misleading wording in that KB article.
Consider this sentence: "The Wireless Client Update lets you configure
wireless networks as broadcast networks or as nonbroadcast networks." It
could be interpreted to mean that if you configure all your clients not to
broadcast their network names, then there will be no broadcasts at all. This
is not entirely true. Remember, access points also broadcast their names.
This setting in XP and Vista makes it easier for your computers to operate
in environments where the access points are not broadcasting.
However, it is actually a mistake to assume that hiding your network name
(the "SSID," as it's called) offers security. SSIDs are names, not
passwords, and you can't keep them completely hidden. I explain in full
detail here:
http://blogs.technet.com/steriley/ar...ess-ssids.aspx
There is actually very little risk when XP/Vista clients broadcast their
configured networks. Here's the statement from the KB:
"An observer may monitor these probe requests [of its preferred networks]
and configure a wireless network by using a name that matches a preferred
wireless network. If the wireless network is not secured, this network could
enable unauthorized connections to the computer."
Say you have a secured (WPA or WPA2) network in your company and you call it
FRAMISTAN. Furthermore, you've left the default enabled, so all the
FRAMISTAN access points are happily broadcasting their SSIDs. This is all
well and good. Now a client computer is sitting in an airport lounge and the
user powers it up. The computer will probe for FRAMISTAN but, of course,
won't find it in the lounge. But there's a bad guy there, scanning the air,
looking for probes. He sees a probe for FRAMISTAN and quickly sets up an
access point. This bad guy won't, of course, be able to configure his access
point with the security settings that your computer requires for FRAMISTAN
(he can't know your authentication passphrase for WPA(2)-Personal, he can't
set up a RADIUS server that authenticates against your domain for
WPA(2)-Enterprise). Therefore, your computer won't connect to this other
version of FRAMISTAN because your computer has certain security requirements
not met by the bad guy in the lounge.
So my advice: leave your SSID broadcasts switched on, use WPA or WPA2, and
don't worry about your wireless security any more.
--
Steve Riley
(E-Mail Removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"lldan" <(E-Mail Removed)> wrote in message
news:FB7558A9-DC20-47BD-B354-(E-Mail Removed)...
> We are currently running Windows XP SP2 on all of our laptops. Now, of
> course laptops travel around connecting to various wireless networks and
> broadcasting their preferred network list. I would like to stop that, but
> a way to easily manage this. I have looked at this patch.
>
> http://support.microsoft.com/default.aspx/kb/917021
>
> This patch looks good and it sounds like setting up a non-broadcast
> wireless network is the way to go on this. The only problem I see is that
> each wireless network you connect to the user would have to do this
> setting. We are using Windows 2003 servers and we have 0 Vista machines.
>
> I'm looking for a way to best secure our laptops from broadcasting their
> own preferred network list while traveling. Also looking for a tool to shut
> off wireless networking when connected through an ethernet, patch cable,
> connection. Any help would be greatly appreciated.
>
> Thanks
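The airport-lounge scenario from the reply above, as an added illustration that is not part of Steve Riley's post and not Microsoft's client code: a small Python model of a preferred-network profile, of which SSIDs a client has to name in its probe requests once a network is flagged non-broadcast, and of the checks that keep a WPA2 client off a look-alike FRAMISTAN. The Profile/AccessPoint fields, the `nonbroadcast` flag name and the single-nonce stand-in for the 4-way handshake are assumptions of this example; the PMK derivation is the real WPA2-Personal one (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds, 32 bytes), which is why the SSID alone buys an impostor nothing.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """A preferred-network entry on the client (field names are this example's assumptions)."""
    ssid: str
    auth: str                 # "open" or "WPA2PSK"
    cipher: str               # "none" or "AES"
    passphrase: str = ""
    nonbroadcast: bool = False  # assumed stand-in for the KB's "non-broadcast network" setting


@dataclass(frozen=True)
class AccessPoint:
    """What an AP advertises in beacons/probe responses, plus the secret it really holds."""
    ssid: str
    auth: str
    cipher: str
    passphrase: str = ""


def directed_probe_ssids(profiles):
    """SSIDs the client must spell out in probe requests wherever it goes.

    Simplified model: a profile flagged non-broadcast cannot be found from beacons,
    so the client probes for it by name; broadcast profiles are matched against
    beacons and need no directed probe. Hiding an SSID therefore makes the client
    announce it in every airport lounge.
    """
    return sorted(p.ssid for p in profiles if p.nonbroadcast)


def pmk(passphrase, ssid):
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def handshake_succeeds(profile, ap, anonce=b"constructed-anonce"):
    """Toy stand-in for the 4-way handshake (one MIC over one nonce, not the real EAPOL
    exchange): it succeeds only if both sides derived the same PMK, i.e. the same
    passphrase for the same SSID."""
    client_mic = hmac.new(pmk(profile.passphrase, profile.ssid), anonce, "sha1").digest()
    ap_mic = hmac.new(pmk(ap.passphrase, ap.ssid), anonce, "sha1").digest()
    return hmac.compare_digest(client_mic, ap_mic)


def connection_outcome(profile, ap):
    """Why the client will or will not end up associated with a given AP."""
    if ap.ssid != profile.ssid:
        return "ignored: SSID does not match"
    if (ap.auth, ap.cipher) != (profile.auth, profile.cipher):
        return (f"refused: profile requires {profile.auth}/{profile.cipher}, "
                f"AP offers {ap.auth}/{ap.cipher}")
    if profile.auth == "open":
        return "connected: open network, no protection either way"
    if not handshake_succeeds(profile, ap):
        return "failed: 4-way handshake MIC mismatch (different passphrase)"
    return "connected"


if __name__ == "__main__":
    # Constructed scenario: a WPA2-Personal corporate profile, one hidden network,
    # and the three access points the laptop might meet.
    corp = Profile("FRAMISTAN", "WPA2PSK", "AES", passphrase="correct horse battery")
    hidden = Profile("HIDDENNET", "WPA2PSK", "AES", passphrase="x", nonbroadcast=True)
    print("SSIDs leaked by directed probes:", directed_probe_ssids([corp, hidden]))

    aps = {
        "lounge AP, open":           AccessPoint("FRAMISTAN", "open", "none"),
        "lounge AP, guessed key":    AccessPoint("FRAMISTAN", "WPA2PSK", "AES", "guess"),
        "real office AP":            AccessPoint("FRAMISTAN", "WPA2PSK", "AES", "correct horse battery"),
    }
    for label, ap in aps.items():
        print(f"{label:26} -> {connection_outcome(corp, ap)}")
```

Run it as a script to see the lounge AP refused on security settings, the guessed-key AP fail the handshake, and only the office AP connect; `directed_probe_ssids` shows that only the profile marked non-broadcast forces its name into the air.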