With the recent leaps in cryptanalysis tools that can crack even enterprise-grade wireless LANs that use dynamically rotating WEP keys, the encryption bar has been raised to a minimum of TKIP, and preferably AES. To run these newer encryption algorithms, hardware and software must be certified to at least WPA, or to the newer WPA2 standard. Unfortunately, performing the upgrade is easier said than done, especially when firmware, drivers, and configuration changes have to be replicated across hundreds or even thousands of clients. While it doesn’t address all of these issues, Windows 2003 Service Pack 1 at least makes the last piece (configuration changes) relatively simple, and that is a huge step forward for any business-grade wireless LAN.
While the original version of Windows 2003 Server already made substantial strides in easing the pain of a large secure wireless LAN deployment, its major weakness was that it couldn’t deal with WPA-capable networks. SP1 addresses this weakness and really makes it easy to deploy a large, secure wireless LAN. The following summarizes the original feature set of Windows 2003 Server and then the enhancements that SP1 adds.
Windows 2003 added PEAP authentication capability to its IAS (Internet Authentication Service) RADIUS component. This meant that client-side certificates were no longer needed for TLS-protected authentication: a single server-side Digital Certificate on the IAS server can support thousands of clients that have no Digital Certificates of their own. Because the password exchange (the inner MS-CHAPv2 method) runs inside the TLS tunnel, an eavesdropper never sees the challenge/response pair, so the offline dictionary attacks that plague the popular LEAP authentication protocol are avoided altogether.
The built-in Windows XP WZC (Wireless Zero Configuration) client could now be centrally managed from Windows 2003 Server through Active Directory Group Policy. This meant that every client computer on a corporate network could be centrally configured to connect to a secure wireless LAN in minutes. Since WPA was only starting to appear when Windows 2003 was released, the policy configuration could only describe 802.1x/PEAP dynamic-WEP wireless LANs. WPA with TKIP or AES encryption was not supported and had to be configured manually on each client, which made it very difficult to deploy at scale.
With SP1, IAS gains fast reconnect support for EAP authentication, so a roaming client can resume its existing session instead of performing a full PEAP/TLS handshake at every Access Point. Note that this can cause problems with some Access Point manufacturers whose firmware doesn’t deal well with fast reconnect; test it on your own hardware before enabling it across the board.
With SP1, Active Directory Group Policy can now configure WPA with TKIP or AES encryption. Any Windows XP SP1 (with the WPA patch) or Windows XP SP2 client machine can be centrally configured to connect to a TKIP- or AES-encrypted wireless LAN.
Clients (Windows XP SP2 only) can now also be locked down to a narrow set of administrator-approved Digital Certificates and Certificate Signing Authorities, with no prompting of the user. In the past, there was a real potential for unsuspecting users to fall victim to man-in-the-middle attacks: an attacker sets up a rogue Access Point backed by a fake RADIUS Authentication Server presenting a certificate from a different Signing Authority, and if the user can be coaxed into clicking through the trust prompt, the PEAP tunnel terminates at the attacker, who then sees the inner password exchange that the tunnel was supposed to protect. The importance of central management cannot be overstressed. This isn’t just a convenience issue but a security issue as well.
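The server-validation logic described above, written out as an added example (this is not code from the original post, nor Microsoft’s implementation). It models the three checks a locked-down PEAP client performs before it will send credentials into the tunnel: the RADIUS server’s certificate must be signed by a CA on the administrator’s trusted-root list, the server name must be on the approved list, and the user must not be asked to decide either question. To keep the example runnable on the standard library alone, the CA signs certificates with a hash-based Lamport one-time signature instead of RSA or ECDSA; the CA names, host names and the two-field certificate are hypothetical.

```python
import hashlib
import os
from dataclasses import dataclass

# ---- Lamport one-time signature: a stand-in for the CA's RSA/ECDSA key ----
# Each CA key signs exactly one certificate in this example, because a
# Lamport key must never be reused.

def lamport_keygen(rng=os.urandom):
    """256 pairs of secrets; the public key is the SHA-256 of each secret."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _message_bits(message: bytes):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, message: bytes):
    """Reveal one secret of each pair, chosen by the message's hash bits."""
    return tuple(sk[i][bit] for i, bit in enumerate(_message_bits(message)))

def lamport_verify(pk, message: bytes, sig):
    """Every revealed secret must hash to the matching public-key entry."""
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][bit]
        for i, bit in enumerate(_message_bits(message)))

# ---- A minimal "certificate": who it names, who signed it, the signature ----

@dataclass(frozen=True)
class Cert:
    subject: str      # name the RADIUS server presents (hypothetical)
    issuer: str       # name of the signing CA (hypothetical)
    signature: tuple  # CA's Lamport signature over to_be_signed()

    def to_be_signed(self) -> bytes:
        return f"{self.subject}|{self.issuer}".encode()

def issue_cert(ca_name: str, ca_sk, subject: str) -> Cert:
    unsigned = Cert(subject, ca_name, ())
    return Cert(subject, ca_name, lamport_sign(ca_sk, unsigned.to_be_signed()))

# ---- The client-side PEAP policy the XP SP2 Group Policy settings control ----

@dataclass
class PeapPolicy:
    trusted_roots: dict      # CA name -> public key ("Trusted Root CAs" list)
    connect_to_servers: set  # approved RADIUS server names
    prompt_user: bool        # pre-lockdown behaviour: ask the user about unknowns

def validate_server(policy: PeapPolicy, cert: Cert, user_clicks_yes=False):
    """Return (accepted, reason). Credentials go into the tunnel only if accepted."""
    root_pk = policy.trusted_roots.get(cert.issuer)
    chain_ok = root_pk is not None and lamport_verify(root_pk, cert.to_be_signed(), cert.signature)
    name_ok = cert.subject in policy.connect_to_servers
    if chain_ok and name_ok:
        return True, "certificate chains to an approved CA and names an approved server"
    if policy.prompt_user and user_clicks_yes:
        # This is the man-in-the-middle path: the decision was left to the user.
        return True, "accepted only because the user trusted an unknown server or CA"
    if not chain_ok:
        return False, "issuer not in trusted roots, or signature does not verify"
    return False, "server name not on the approved list"

def demo():
    """Constructed scenario: one corporate CA, one rogue CA, locked vs. lenient policy."""
    corp_sk, corp_pk = lamport_keygen()
    web_sk, web_pk = lamport_keygen()      # a second trusted corporate CA
    rogue_sk, rogue_pk = lamport_keygen()  # the attacker's own CA
    legit = issue_cert("CorpRootCA", corp_sk, "radius.corp.example")
    rogue = issue_cert("EvilCA", rogue_sk, "radius.corp.example")  # same name, wrong CA
    wrong_host = issue_cert("CorpWebCA", web_sk, "www.corp.example")  # trusted CA, wrong name
    tampered = Cert("radius.corp.example", "CorpRootCA", wrong_host.signature)
    roots = {"CorpRootCA": corp_pk, "CorpWebCA": web_pk}
    locked = PeapPolicy(roots, {"radius.corp.example"}, prompt_user=False)
    lenient = PeapPolicy(roots, {"radius.corp.example"}, prompt_user=True)
    return {
        "legit_locked": validate_server(locked, legit)[0],
        "rogue_locked": validate_server(locked, rogue, user_clicks_yes=True)[0],
        "rogue_lenient": validate_server(lenient, rogue, user_clicks_yes=True)[0],
        "wrong_host_locked": validate_server(locked, wrong_host)[0],
        "tampered_locked": validate_server(locked, tampered)[0],
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The interesting row is `rogue_lenient`: with prompting left on, a certificate from a CA the administrator never approved still gets through as soon as the user clicks yes, which is exactly the hole the SP2 lockdown closes. The `wrong_host` case shows why the approved-server-name list matters on its own: a certificate legitimately issued by a trusted corporate CA to some other machine must not be enough to impersonate the RADIUS server.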
http://blogs.zdnet.com/Ou/index.php?p=47