Windows Vista : Build Your Network (part 5) - Lock Out Unauthorized PCs, Connect to a Public Wireless Network

11/13/2012 3:26:32 AM

6. Lock Out Unauthorized PCs

You've got encryption. You've got a hidden SSID. You've set up a password on all your shared folders. You're probably thinking that your biggest problem is that nobody seems capable of remembering any of their passwords, but it may be quite the opposite.

All of these security schemes rely on preshared information: anyone with your WPA2 passphrase, your SSID, and your Windows password can connect to your wireless network and possibly even read the files on your hard disk. The system is built upon secrecy, and all it takes is a breach of that secrecy for the whole system to break down.

For example, say you've got a small business with 20 employees, and someone gets fired. Or, perhaps you live in an apartment building with shared wireless, and someone moves out. Either way, the person who has left the system may still have the wireless passphrase (and, in the case of the small business, a common Windows password), and may still be able to get into your network.

What do you do? For one, you can change the password and then have everyone remaining on the network update their PCs and try to remember the new password. But the ex-employee might sneak a peek at the new password when he comes back to clean out his desk. Or, that ex-tenant might have a friend who still lives in the building and is willing to share the new password. In short, a network that relies only on passwords to keep out intruders is still vulnerable.

The solution for home networks and small businesses—any outfit without the means to install an authentication server typically available only to large companies—is to use MAC address filtering.

A MAC (Media Access Control) address is a (more or less) unique ID for each network adapter on your PC, or—from the point of view of your router—a unique ID for each connection on your network. You can configure your router to allow only specific MAC addresses to connect to your network, and in so doing, turn away anyone else whether he or she knows your WPA2 passphrase or not.

A typical Wireless MAC Filter page is shown in Figure 13. Here, turn on the "Permit only PCs listed to access the wireless network" option, and then type or paste the MAC address of your PCs' wireless adapters into the boxes. Click Save Settings when you're done.

Figure 13. Use your router's wireless MAC address filtering to keep out unauthorized PCs


To get your PC's MAC address—which has nothing to do with Macintosh computers, by the way—open the Network and Sharing Center in Control Panel, and then click the View status link next to the Connection area in the middle of the window. Finally, click the Details button to show the Network Connection Details window shown in Figure 14; the six-segment Physical Address is the MAC address for this adapter.

Figure 14. The MAC address of your wireless adapter is the "Physical Address" listed in the Network Connection Details window


To show the MAC addresses for all the network adapters on your PC at once, open a Command Prompt window and type ipconfig /all. Or, for a more abbreviated view, type getmac at the prompt. (Note that only the MAC address of your wireless adapter matters here.)


You'll need to enter the MAC address of each and every PC that connects to your network wirelessly; leave one off, and it won't be able to connect (and the person using the PC won't know why). Don't worry about any PCs connected to your network with cables; they won't be affected.

Now, MAC address filtering is a useful solution, but it's not foolproof. For one, anyone with access to your router setup page can make changes to the approved list, so you'll want to change your router's administrative password if you haven't done so already; you're asking for trouble if you leave the default password in place (e.g., "admin" for Linksys routers). Next, turn off your router's Remote Administration option to ensure that only those connected to your private network have access. Finally, consider the potential weakness in MAC address filtering explained in the upcoming "Why MAC Address Filtering Is Not Perfect" sidebar.

Why MAC Address Filtering Is Not Perfect

MAC addresses—which are different for each device on your network—may seem to be the perfect way to keep out intruders, but there's a catch. Since you can change the MAC address on most modern hardware, someone could theoretically connect to a filtered network by spoofing the MAC address.

This makes the MAC address somewhat like a password, right?

Not exactly. First, no two devices on a network can have the same MAC address, so if your PC is connected, and someone else tries to break in by spoofing your MAC address, the attempt will fail. Second, each PC has its own MAC address and its own entry on your router's MAC address filter page; this means that an administrator can remove a compromised entry without affecting any other PCs. (This is in contrast to the single WPA-Personal passphrase or WEP encryption key that everyone on the network shares.)

Think it's difficult to change the MAC address? Think again. You can use Mac Makeup, available for free from http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp, or MadMACs, free from http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer, to change your wireless adapter's MAC address in a few moments.

You can also change your MAC address—without any special software—by editing the Registry. Open Registry Editor and expand the branches to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}. Press Ctrl-F, type DriverDesc in the box, and click Find Next. Press F3 to cycle through the subkeys here (e.g., 0001, 0002, etc.) until you hit the one where the DriverDesc value matches the name of your wireless adapter. Once you stumble upon the correct key, select Edit → New → String Value, and name the value NetworkAddress. Double-click the new value, type the MAC address you want to use in the Value data field (without any hyphens, like this: 040815162342), and click OK. To put the new address into effect, use the Network Connections window to disable and then re-enable your network adapter (or restart Windows).

Of course, there are plenty of legitimate reasons to change one's MAC address, such as troubleshooting or conflict management. Even your router probably has a way to change its MAC address—via the MAC Address Clone feature—to match your PC's address so remote servers that have been configured to permit access from your PC won't reject your router.

All this means that there's no such thing as an impenetrable wireless network. If you really care about security, abandon wireless and stick with cables.


With MAC address filtering in place, all you have to do is create a new entry for each new PC you want to allow to connect wirelessly. And of course, you'll need to remove entries for PCs you want to de-authorize. For this reason, it's useful to keep a record of the MAC addresses of all the PCs on your network in say, a text file, somewhere safe.
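As an added example (not part of the original article), the following Python script turns the text that ipconfig /all prints into the MAC record the preceding paragraph suggests keeping. The host name and addresses in the embedded sample are constructed, not captured from real hardware. It keeps only the wireless adapter (the only address that matters for the filter), normalizes the address to the hyphenated form the filter page uses, and flags any entry whose IEEE locally-administered bit is set: a vendor's burned-in address never has that bit, so a set bit means the address was assigned in software, as with the NetworkAddress override described in the sidebar.

```python
import re

# Constructed sample of 'ipconfig /all' output for one PC (not captured from real hardware).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-01

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-1C-23-4D-5E-6F

Wireless LAN adapter Wireless Network Connection:

   Physical Address. . . . . . . . . : 02-08-15-16-23-42
"""

ADAPTER_HEADER = re.compile(r"^(?P<kind>\S.*?) adapter (?P<name>.+):\s*$")
MAC_LINE = re.compile(r"^\s*Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s*$")


def normalize_mac(mac):
    """Six upper-case hyphenated octets; accepts colons, hyphens or the bare 12-digit form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the IEEE U/L bit (0x02 of the first octet) is set, i.e. not a burned-in address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_adapters(text):
    """Return (kind, name, mac) for each adapter section that reports a Physical Address."""
    adapters, current = [], None
    for line in text.splitlines():
        header = ADAPTER_HEADER.match(line)
        if header:
            current = (header.group("kind"), header.group("name"))
            continue
        found = MAC_LINE.match(line)
        if found and current:
            adapters.append((current[0], current[1], normalize_mac(found.group(1))))
    return adapters


def build_allow_list(host, text):
    """Allow-list lines for wireless adapters only; a U/L-bit entry gets a note to double-check it."""
    lines = []
    for kind, name, mac in parse_adapters(text):
        if kind.lower().startswith("wireless"):
            note = "  # U/L bit set: confirm this is the adapter's real address" if is_locally_administered(mac) else ""
            lines.append(f"{host}\t{name}\t{mac}{note}")
    return lines
```

A spoofed address can of course be chosen to look burned-in, so the U/L check catches careless overrides, not determined ones.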

7. Connect to a Public Wireless Network

The point of wireless networking is not necessarily to do away with a few feet of cables, but to make a network do things it could never do before. For instance, if you have a portable computer equipped with wireless, you should be able to walk into any airport, coffee shop, hotel, or college dormitory and connect to the Internet in a matter of seconds. In more populated areas, it's not uncommon to walk down the street and have your pick of WiFi networks. (See the sidebar "The Ethics of WiFi," next, for an extra consideration.)

The Ethics of WiFi

Once you get the technical details out of the way, the one remaining hurdle when considering using someone else's Internet connection is a question of ethics. There are countless personal wireless networks around the globe and most of them, you'll find, are unsecured. This means that you can literally walk down the street in a populated area and probably find a working wireless Internet connection before you reach the end of the block. 

Now, just because you can connect to these networks, does it mean you should? Are you taking advantage of someone else's ignorance by breaking into his private network, or are you simply making use of a public resource that you'd be equally eager to share?

I'm not about to try to solve this dilemma in these short pages; I only wish to raise the question, and to suggest that if you do ever decide to utilize someone else's wireless network, that you not do any harm. Think about your impact, both on the bandwidth of the foreign network and the privacy of those who operate it. And then tread lightly.


You can connect to any unsecured wireless network that Vista's built-in WiFi sniffer is able to detect. (The exceptions, of course, are those networks requiring a paid subscription or account access, but that's a different story.) This applies to networks you'll encounter while you're on the road, as well as those that are in range of your home or office.

The problem is that by connecting to these networks, you're exposing your computer to the full array of viruses, hackers, and other dangers present on any network. The solution is to take steps to protect your computer (or workgroup), and the steps necessary depend on the scenario.


7.1. Scenario 1: Single-serving Internet

Say you've just sat yourself down at a sidewalk cafe and pulled out your laptop. (This scenario also applies to hotel rooms, airports, and coffee shops.) You boot up Windows, open the "Connect to a network" window, find a local network, and connect for 20-or-so minutes to check your email. When you're done, you'll likely never use this network again.

Now, if you typically use your laptop when connected to your own private network, protected by your wireless router's firewall, you'll want to take some extra steps to secure your PC before you connect elsewhere. Since you won't have your router with you on the road, and thus won't have any dedicated firewall hardware, you'll want to employ the built-in Windows Firewall software (or a third-party firewall solution). This will provide minimal protection, but certainly nothing you'd want to live with for the long haul.

7.2. Scenario 2: The long haul

Say you just moved into an apartment complex (or have a small business in an office building) that provides free wireless Internet. Naturally, you would never want to connect your computer or workgroup to this wireless free-for-all without some sort of reliable, long-term firewall protecting you from the rest of the riff-raff. Now, since this is not your own, private Internet connection, you can't just plug in a router to facilitate your firewall. But you can add another device, a wireless bridge, in order to build an "island" of sorts, in a sea otherwise filled with peril.

A bridge connects two networks; in this case, you're bridging the public network to your private, secure network, as shown in Figure 15. Between them is the wireless bridge and your router (which protects your private network with its built-in firewall). The two dotted areas represent the scope of the two different WiFi networks in effect: your own private, encrypted wireless network is shown on the left, and the public network is illustrated on the right. (Your bridge and router actually form a tiny, third network, complete with its own IP space separate from those in either of the two wireless networks.)

Figure 15. Use a wireless bridge in conjunction with a wireless router to protect your workgroup when connecting to a public Internet connection


Here's how you set it up:

  1. Use the "Connect to a network" window as described earlier in "Section 7.1.4" to find the name (SSID) of the public wireless network to which you'd like to connect. Connect to the network temporarily to confirm that it actually works.

  2. Obtain a wireless bridge, and follow the procedure laid out in its documentation to set it up with the public wireless network you want to use, a process that typically involves plugging the bridge directly into your PC with an Ethernet cable.

  3. While the bridge is still connected to your PC, obtain the local IP address of your bridge; it'll be something like 192.168.1.1 or 192.168.0.1. (You won't need the bridge's remote IP address assigned to it by the public network.)

  4. When you're done setting up the bridge, unplug it from your PC and connect it directly to the WAN port of your wireless router. (This is the port into which you'd normally plug a DSL or cable modem.)

  5. Connect your PC to your router and use a web browser to open up your router's setup page.

  6. Configure your wireless router so that it has a Connection Type of Static IP. (Refer to your router's documentation for the specific details on this and the next few settings.)

  7. In the router setup, set the Gateway address to the IP address of your bridge that you obtained in step 3.

  8. Then, still on the router setup page, set the static IP address of the Internet connection (as the router sees it) to a fictitious IP address in the same subnet as your bridge. This means that the first three numbers of both IP addresses should be the same, but the fourth should be different. That is, if your bridge's address is 192.168.1.1, then you could set the IP address of your Internet connection to something like 192.168.1.2 or 192.168.1.73.

    Don't confuse these addresses with the IP addresses used on your private network. The local IP address of your bridge and the IP address for your Internet connection that you enter here form the tiny, third network mentioned at the beginning of this section. Alternatively, you could set your router to obtain its IP address automatically (back in step 6), a strategy that may or may not work depending on how cooperative your bridge is.


  9. Finally, set the DNS server addresses in your router setup to the IP addresses of your Internet Service Provider's DNS servers.

    If you don't know which ISP is responsible for the public network you're trying to connect to, try connecting directly with your PC once more. Open a web browser, type http://www.annoyances.org/ip in the address bar, and press Enter; this will show the true IP address of your Internet connection. Then, open a Command Prompt window and type nslookup ip_address, where ip_address is the set of four numbers reported by Annoyances.org. This gives you the name of your ISP, plus some extra stuff. So, you might see something like dsl456.eastcoast.superisp.net, which means your ISP is superisp.net. Then, it's only a matter of visiting the ISP's web site (e.g., http://www.superisp.net/) and determining its DNS server addresses from its online documentation.

  10. Complete the setup of your router, and make sure to enable wireless encryption and any other security settings at your disposal.

This should do it. The bridge will funnel the public Internet connection into your router, and your router will funnel it to the computers in your workgroup. The router acts like a firewall, provided that you connect all your computers directly to your own, personal WiFi network, and not the public, unsecured one.

Among other things, your bridge/router combination will serve as a repeater (a.k.a. range extender), and should boost the signal strength and might even improve performance over connecting your PCs directly to the public network.
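The following Python script is an added example (not part of the original article) that checks the router's static WAN settings from steps 6 through 9 before you commit them: the WAN address lies in the bridge's subnet but is not the bridge's own, network, or broadcast address (step 8), the gateway is the bridge (step 7), and the router's private LAN subnet does not overlap the bridge subnet, since a router cannot route between two interfaces on the same subnet. The /24 mask and the 192.168.2.0/24 LAN subnet are assumptions; the bridge and WAN addresses are the ones the steps use.

```python
import ipaddress


def suggest_wan_ip(bridge_ip, prefixlen=24):
    """Pick the first usable host in the bridge's subnet that is not the bridge itself (step 8)."""
    bridge = ipaddress.ip_address(bridge_ip)
    net = ipaddress.ip_network(f"{bridge}/{prefixlen}", strict=False)
    for host in net.hosts():
        if host != bridge:
            return str(host)
    raise ValueError("no free address in the bridge subnet")


def check_wan_settings(bridge_ip, wan_ip, gateway_ip, lan_network, prefixlen=24):
    """Return a list of problems with the router's static WAN settings; empty means consistent."""
    bridge = ipaddress.ip_address(bridge_ip)
    wan = ipaddress.ip_address(wan_ip)
    gateway = ipaddress.ip_address(gateway_ip)
    bridge_net = ipaddress.ip_network(f"{bridge}/{prefixlen}", strict=False)
    lan = ipaddress.ip_network(lan_network, strict=False)
    problems = []
    # Step 8: same subnet as the bridge, but a different, usable host address.
    if wan not in bridge_net:
        problems.append(f"WAN address {wan} is not in the bridge subnet {bridge_net}")
    elif wan == bridge:
        problems.append(f"WAN address {wan} is the bridge's own address; pick another host")
    elif wan in (bridge_net.network_address, bridge_net.broadcast_address):
        problems.append(f"WAN address {wan} is the network or broadcast address")
    # Step 7: the bridge is the router's gateway on the tiny third network.
    if gateway != bridge:
        problems.append(f"gateway {gateway} should be the bridge address {bridge}")
    # The private LAN must be a different subnet, or the router cannot route between the two.
    if lan.overlaps(bridge_net):
        problems.append(f"LAN subnet {lan} overlaps the bridge subnet {bridge_net}")
    return problems


if __name__ == "__main__":
    # Bridge 192.168.1.1 and WAN 192.168.1.73 come from step 8; the LAN subnet is an assumption.
    print(suggest_wan_ip("192.168.1.1"))
    print(check_wan_settings("192.168.1.1", "192.168.1.73", "192.168.1.1", "192.168.2.0/24"))
    print(check_wan_settings("192.168.1.1", "192.168.1.73", "192.168.1.1", "192.168.1.0/24"))
```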
