The wireless components in Windows Vista have been extensively reworked. In this section, you’ll look at the changes to these components and how they are used to improve flexibility and security. You’ll learn about:
Wireless networking changes.
New ways of connecting to wireless networks.
Fast roaming and auto configuration.
Wireless connections in earlier versions of Windows are designed to emulate Ethernet connections and can be extended only when using additional Extensible Authentication Protocol (EAP) types for IEEE 802.1X authentication. Wireless connections in Windows Vista use a software infrastructure for 802.11 wireless connections called the Native Wireless Fidelity (Wi-Fi) architecture.
Native Wi-Fi architecture has many benefits. It allows:
Windows Vista to represent wireless (IEEE 802.11) as a media type separate from Ethernet (IEEE 802.3). This increases flexibility by allowing hardware vendors to support advanced features specific to IEEE 802.11 networks, such as larger frame sizes than Ethernet.
Windows Vista to include the authentication, authorization, and management components necessary for 802.11 connections. This streamlines the development of miniport drivers that expose a native 802.11 interface and makes it easier for hardware vendors to develop wireless network adapter drivers.
Hardware vendors to extend the built-in wireless client for additional wireless services and custom capabilities. This allows vendors to create extensible components and also makes it possible for vendors to provide customized configuration dialog boxes and wizards.
You can configure wireless networking by using the Wireless Network Setup Wizard. The wizard retrieves the security capabilities of the wireless network adapter and proposes the strongest setting the adapter supports as the default configuration. For example, if an adapter supports both Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), the wizard configures WPA by default. Do not accept WEP when anything stronger is available: WEP keys can be recovered from captured traffic, so a WEP network should be treated as unsecured.
Wireless clients can connect to three different types of networks:
Secure. Secure wireless networks protect passwords and data in transit. Typically they use some form of encryption, and the stronger the encryption, the more protection offered.
Unsecured. Unsecured wireless networks do not protect passwords or data in transit. They may require a password to establish a connection, but they typically transmit all data without encryption or integrity protection.
Hidden. Hidden wireless networks do not advertise their network names and can be either secured or unsecured. You can connect to a hidden network only if you know its network name.
Windows Vista works with hidden and unsecured networks in different ways than earlier versions of Windows. Because of the many changes, keep the following information in mind:
Wireless access points used by hidden wireless networks can be configured to use nonbroadcast Service Set Identifiers (SSIDs). In this configuration, the access points either do not send Beacon frames, which announce the network name, or send Beacon frames with the SSID set to NULL. Earlier versions of Windows do not let you mark a preferred wireless network as hidden; Windows Vista does, by configuring it as a nonbroadcast network. Hiding the SSID is not a security control: a client configured for a nonbroadcast network has to send probe requests containing the network name in order to find it, so the name is disclosed to anyone listening, and the network still needs WPA or WPA2 encryption to be secure.
Unsecured networks expose connected clients: anyone within radio range can read, and potentially modify, the traffic. To improve awareness of this risk, Windows Vista displays a prompt when you connect to an unsecured wireless network and lets you confirm or cancel the connection attempt.
When connecting to wireless networks, if no preferred wireless network is found or connections to detected preferred networks fail, the wireless client in earlier versions of Windows prompts you to connect to any detected wireless network. Those clients cannot be configured to prompt only for specific wireless networks, or never to prompt for specific wireless networks.
Group Policy settings in Windows Vista allow administrators to configure lists of allowed and denied wireless network names. With an allow list, administrators can specify by name the set of wireless networks to which wireless clients are allowed to connect, thereby limiting wireless connections to a specific set of wireless networks. With a deny list, administrators can specify by name the set of wireless networks to which wireless clients are not allowed to connect and in this way prevent connections to known unsecured wireless networks as well as to any other wireless networks that might be available but should not be used.
Through Group Policy settings, administrators can also configure fast roaming and automatic connections on preferred wireless networks. With fast roaming, wireless clients move from one wireless access point to another more quickly by using preauthentication and Pairwise Master Key (PMK) caching. Both are defined in IEEE 802.11i and are therefore available only on WPA2 networks: the client authenticates to a neighboring access point, through the access point it is currently using, before it roams, and when it returns to an access point it has already authenticated to it reuses the cached PMK instead of repeating a full 802.1X exchange. With automatic connections, wireless clients establish connections automatically when preferred networks are detected. If you don't want automatic connections, you can specify that manual connections should be used instead.
Wireless Auto Configuration is a service that dynamically selects the wireless network to which the computer will automatically connect, based either on your preferences or on default settings. This includes automatically selecting and connecting to a more preferred wireless network when it becomes available.
Wireless Auto Configuration in Windows Vista helps to protect computers running Windows Vista from attackers. As with earlier versions of Windows, a computer running Windows Vista configures the adapter with a randomly named wireless network if no preferred network is available and periodically scans for a preferred network to become available. Unlike earlier versions of Windows, Windows Vista refuses to connect to any wireless network whose name matches that random name, so an attacker who learns the name from the client's probe requests cannot lure the client onto a rogue access point of the same name. Further, because Windows Vista attempts to connect to preferred networks in the order specified, a hidden network is tried before a nonhidden network if the hidden network is higher in the preferred network list.
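The allow and deny lists, the automatic-connection setting, and the preferred-network order described above can all be set locally on a Windows Vista computer with the netsh wlan context, which is the per-machine counterpart of the Group Policy settings under Computer Configuration, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies. The following is an added example, not text or code from the original page; the SSIDs CorpNet, CorpGuest and FreePublicWiFi and the adapter name "Wireless Network Connection" are assumed values. Run it from an elevated command prompt or PowerShell session.

```powershell
# Added example: local netsh equivalents of the Vista wireless allow/deny lists
# and Wireless Auto Configuration settings. SSIDs and the interface name are
# assumed; substitute your own.

# Allow list: only these infrastructure networks may be joined ...
netsh wlan add filter permission=allow ssid="CorpNet" networktype=infrastructure
netsh wlan add filter permission=allow ssid="CorpGuest" networktype=infrastructure

# ... and every network not on the allow list is denied. Deny ad hoc networks too,
# so a peer cannot stand up a look-alike ad hoc network and attract clients.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc

# A deny-list entry for one known unsecured network (useful on its own, without denyall)
netsh wlan add filter permission=block ssid="FreePublicWiFi" networktype=infrastructure

# Hide denied networks from the "Connect to a network" list so users are not tempted
netsh wlan set blockednetworks display=hide

# Automatic connections: keep the WLAN AutoConfig service managing this adapter ...
netsh wlan set autoconfig enabled=yes interface="Wireless Network Connection"

# ... and make the hidden corporate network the most preferred profile so that it is
# tried before any broadcast network (see the preferred-network order above).
netsh wlan set profileorder name="CorpNet" interface="Wireless Network Connection" priority=1

# Verify what is now in effect
netsh wlan show filters
netsh wlan show settings
netsh wlan show profiles interface="Wireless Network Connection"
```

With an allow list in place and denyall set, networks that are not listed do not appear as connectable even if the user knows the name; use `netsh wlan delete filter` with the same parameters to back an entry out.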
Wireless connections also support integration with Network Access Protection (NAP) when using 802.1X authentication and Single Sign-On profiles. Using Network Access Protection with 802.1X authentication, administrators can prevent wireless clients that do not comply with system health requirements from gaining unrestricted access to a private network. With Single Sign-On profiles, administrators can ensure that only an appropriate user or device is allowed on the protected network and that its data is protected both while the connection is being established and after it is established.
When a Single Sign-On profile is configured, 802.1X authentication is performed before the computer logs on to the domain, and users are prompted for credentials only if they are needed. This ensures that the wireless connection exists before the domain logon, which enables scenarios that require network connectivity before user logon, such as Group Policy updates, wireless client domain joins, and execution of logon scripts.