Author Archive

WPA Cracked! Not really.

Wednesday, November 19th, 2008

Much has been made on Tech news sites about the cracking of WPA, which was thought to be fully secure.

My recommendation for understanding the actual facts on this is to have a listen to the Security Now podcast, in which Steve Gibson explains it in patronising but accessible words, which is useful.

Now that it’s been revealed how it’s done, you have to wonder why it took so long to find this flaw. It’ll be interesting to see where it goes from here, but as it stands WPA is not what I’d call ‘cracked’.

Applying WPA2 via Group Policy in Windows Server 2003

Wednesday, October 15th, 2008

One of the things I get involved with at work is sorting auto-deployment of wireless profiles via Group Policy. In the past this has been great for configuring WPA/TKIP wireless profiles, which are fine for most situations. However, most implementations of 802.11n require either no encryption or WPA2 before the advanced features of ‘n’ (e.g. high speeds) are available.

Microsoft Server 2003 doesn’t support WPA2 in Group Policy, despite the fact that it’s in XP Service Pack 3 and Windows Server 2008. It is also supported in Windows XP Service Pack 2 with update KB893357. After a lot of faffing around various forums, it turns out there is a workaround to implement WPA2 in GPO on Server 2003.

WPA2 Option in Server 2003

Updating Active Directory for Group Policy Enhancements

Described in http://technet.microsoft.com/en-gb/library/bb727029.aspx. This is just a howto so I won’t go into detail, just how to get it done.

Copy the file 802.11Schema.ldf onto the Active Directory server (the content of this file is listed at the end of this post in plain text, which you can cut and paste into a file if the link fails). Open a command prompt and run the following command on the AD server. The -c option replaces the DC=X placeholder used throughout the file with the distinguished name of your domain:

C:\> ldifde -i -v -k -f 802.11Schema.ldf -c DC=X [Distinguished_Name_of_domain]

It should respond that 6 items have been updated. That’s it for the Server.

Group Policy Update from Vista PC or Server 2008

Join the PC to the domain if not already on it. Log onto the PC as Domain Admin if possible.

Start, Run ‘gpmc.msc’ – If it’s not installed you need to install Microsoft Remote Server Administration Tools for Windows Vista (KB941314)

After the MRSAT have been installed you need to enable them: Go to Control Panel, Programs and Features, Turn Windows features on and off, Enable Tools.

From Group Policy Management you should now be able to select the Wireless Policy under:
Computer Config, Policies, Windows Settings, Security Settings, Wireless Network Policies, edit ‘XP’ policy, select Preferred Networks, and enter or edit the network profile. Change the authentication type to WPA2 and encryption to AES.

The following is the content of the ldf file; you should just be able to download the file above, though.

# -----------------------------------------------------------------------
# Copyright (c) 2006 Microsoft Corporation
#
# MODULE: 802.11Schema.ldf
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
# define schemas for these attributes:
#ms-net-ieee-80211-GP-PolicyGUID
#ms-net-ieee-80211-GP-PolicyData
#ms-net-ieee-80211-GP-PolicyReserved
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1951
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
attributeId: 1.2.840.113556.1.4.1952
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: LsZpD44I9U+lOukjzsB8Cg==
showInAdvancedViewOnly: TRUE
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
# define schemas for the parent class:
#ms-net-ieee-80211-GroupPolicy
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
adminDisplayName: ms-net-ieee-80211-GroupPolicy
adminDescription: This class represents an 802.11 wireless network group policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network.
governsId: 1.2.840.113556.1.5.251
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
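
Since the listing above is meant to be cut and pasted, and schema additions to Active Directory cannot be deleted afterwards (only deactivated), it is worth linting the pasted file before running ldifde. The Python below is an added example, not part of the original post or of Microsoft's file; SAMPLE is a constructed two-record abridgement of the listing and the function names are hypothetical.

```python
import base64
import re

# Constructed sample: two records abridged from the listing above.
SAMPLE = """\
dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
attributeId: 1.2.840.113556.1.4.1951
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
governsId: 1.2.840.113556.1.5.251
systemMayContain: 1.2.840.113556.1.4.1951
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
"""

def parse_records(text):
    """Split LDIF into records, each a list of (attribute, value) pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        pairs = [line.partition(":") for line in block.splitlines()
                 if line.strip() not in ("", "-") and not line.startswith("#")]
        if pairs:
            records.append([(a.strip().lower(), v.lstrip(":").strip()) for a, _, v in pairs])
    return records

def lint(text):
    """Return a list of problems found in a pasted copy of the schema file."""
    problems = [f"line {n}: non-ASCII character" for n, line in
                enumerate(text.splitlines(), 1) if not line.isascii()]
    adds = [r for r in parse_records(text) if ("changetype", "ntdsSchemaAdd") in r]
    defined = {v for r in adds for a, v in r if a == "attributeid"}
    for rec in adds:
        dn = dict(rec).get("dn", "")
        if not dn.endswith(",CN=Schema,CN=Configuration,DC=X"):
            problems.append(f"{dn}: dn does not end in the DC=X placeholder")
        for attr, value in rec:
            if attr == "schemaidguid":
                try:  # '::' values are base64; a GUID must decode to 16 bytes
                    ok = len(base64.b64decode(value, validate=True)) == 16
                except ValueError:
                    ok = False
                if not ok:
                    problems.append(f"{dn}: schemaIdGuid is not a 16-byte GUID")
            if attr == "systemmaycontain" and value not in defined:
                problems.append(f"{dn}: systemMayContain {value} is not defined")
    return problems
```

Run `lint(open("802.11Schema.ldf", encoding="utf-8").read())` on the saved file; an empty list means the checks passed, and typographic dashes or quotes introduced by a web page show up as non-ASCII lines.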

Sale - Novatech Laptop

Wednesday, September 24th, 2008

This is an attempt to drum up a bit more interest in my old but still perfectly good laptop. It’s for sale on eBay here and is currently going for a pitiful £0.99 to my mate, which is annoying. Please can someone else outbid him. It’s actually a great laptop dammit. Bid now! No? How about now!?

Brilliant!

Edit: It’s actually ok, there are 10 people watching who will no doubt have their snipes at the ready.

Games are expensive to make…

Monday, September 1st, 2008

So they say. Just the other day I read an article on how difficult it is to claw back investment into making games because everyone’s gone piracy crazy (mainly China possibly).

Found that EA have re-released Red Alert 1 for free! - Great plan but rubbish for income.

Red Alert 3 trailer then contains more famous people than you would think for a game trailer, paid for presumably with the money they found down the back of the sofa?

But is the game any good? Not sure, will probably be busy playing original Red Alert…

Excellent, with these 5 million tanks I will surprise the enemy..