In the past three parts of this series, I already gave you some tips and tricks to tackle the problems you might encounter when introducing Windows 7 in your existing environment. We’ve already covered a schema update, when we looked at storing BitLocker and TPM recovery information in Active Directory. This post features another schema update scenario and resembles the previous scenario greatly.
In this part of the series we dive deeper into security in Windows 7 (and Windows Vista) and look at 802.1X.
This IEEE standard allows for authentication-based access control at the network level. It can be used with both wireless and wired networks. Unless a computer authenticates to the switch or wireless access point using 802.1X, it is not granted access to the network. More information here.
Since Windows 2000 Service Pack 4, 802.1X is part of the Operating System, but in Windows Vista and Windows 7, administrators are assisted in configuring 802.1X through Group Policy. These enhancements are:
- Wired LAN settings
Windows XP Service Pack 3 and up now support the configuration of IEEE 802.1X-authenticated wired connections through Group Policy.
- Mixed security mode
You can now configure several profiles with the same SSID but different security methods, so that clients with different security capabilities can all connect to the same wireless network.
- Allow and deny lists for wireless networks
You can configure a list of wireless networks to which the Windows Vista wireless client can connect and a list of wireless networks to which the Windows Vista wireless client cannot connect.
You can import profiles carrying wireless vendors' specific connectivity and security settings, such as different EAP types.
Getting Active Directory ready
To store these wired and wireless policy settings, Active Directory uses new schema attributes. Before the settings can be stored in Active Directory, your Active Directory environment will need to meet certain requirements:
Windows 2000 Server-based Domain Controllers
For environments with Windows 2000 Server-based Domain Controllers, all Domain Controllers need to be upgraded or migrated to Windows Server 2003 with at least Service Pack 1. Domain Controllers prior to Windows Server 2003 SP1 are incapable of storing this information securely, since they lack the Active Directory confidential flag.
Windows Server 2003 (R2)-based Domain Controllers
For environments with Windows Server 2003 and Windows Server 2003 R2-based Domain Controllers, all Domain Controllers need to be running at least Service Pack 1. The Active Directory schema needs to be extended using 802.11Schema.ldf and/or 802.3Schema.ldf. More information here.
Windows Server 2008 (R2)-based Domain Controllers
For environments with Windows Server 2008 and Windows Server 2008 R2-based Domain Controllers, the 802.1X enhancements can be used out of the box.
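The readiness checks described above, as an added PowerShell example that is not part of the original post: it lists each Domain Controller's OS and service pack, looks up whether the 802.1X policy classes are already in the schema, and verifies that the policy-data attributes carry the confidential flag (searchFlags bit 0x80). It assumes the ActiveDirectory RSAT module can reach the domain; the class and attribute names are assumed from the contents of 802.11Schema.ldf and 802.3Schema.ldf and should be compared against your copies of those files.

```powershell
# Added readiness check for the 802.1X Group Policy schema extension
# (example code, not from the original post or from Microsoft).
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Every Domain Controller must be Windows Server 2003 SP1 or later.
#    Windows 2000 DCs, and 2003 DCs without a service pack, must be upgraded.
foreach ($dc in Get-ADDomainController -Filter *) {
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN `
                -Properties OperatingSystem, OperatingSystemServicePack
    $ok = -not ($comp.OperatingSystem -like '*2000*' -or
                ($comp.OperatingSystem -like '*2003*' -and
                 [string]::IsNullOrEmpty($comp.OperatingSystemServicePack)))
    $verdict = if ($ok) { 'OK' } else { 'UPGRADE REQUIRED' }
    Write-Host ("{0,-16} {1} {2} -> {3}" -f $comp.Name, $comp.OperatingSystem,
                $comp.OperatingSystemServicePack, $verdict)
}

# 2. Are the wireless (802.11) and wired (802.3) policy classes in the schema?
#    Present out of the box on Windows Server 2008 (R2); on 2003 SP1/R2 they
#    must be imported from 802.11Schema.ldf / 802.3Schema.ldf with ldifde.
#    Class names assumed from the .ldf files:
$classes = 'ms-net-ieee-80211-GroupPolicy', 'ms-net-ieee-8023-GroupPolicy'
foreach ($c in $classes) {
    $obj = Get-ADObject -SearchBase $schemaNC `
               -LDAPFilter "(&(objectClass=classSchema)(cn=$c))"
    if ($obj) { Write-Host "$c : present" }
    else      { Write-Host "$c : MISSING - import the schema .ldf file" }
}

# 3. The policy-data attributes should be marked confidential (searchFlags
#    bit 0x80), the flag that pre-SP1 Windows Server 2003 DCs do not support.
#    Attribute names assumed from the .ldf files:
$attrs = 'ms-net-ieee-80211-GP-PolicyData', 'ms-net-ieee-8023-GP-PolicyData'
foreach ($a in $attrs) {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties searchFlags `
               -LDAPFilter "(&(objectClass=attributeSchema)(cn=$a))"
    if (-not $obj) { continue }
    $confidential = ($obj.searchFlags -band 0x80) -ne 0
    Write-Host "$a : confidential=$confidential"
}
```

If step 2 reports a class as missing, the import is done as Schema Admin with ldifde, for example `ldifde -i -v -k -f 802.11Schema.ldf -c DC=X "DC=contoso,DC=com"` (the `DC=X` placeholder and the domain name are assumptions; check the header of your .ldf file for the placeholder it actually uses), then re-run the script.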