Securing my wireless network

This content is 18 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Last week I wrote about upgrading my wireless network. It’s been running well since then, so this afternoon I decided to go ahead with stage 3 – configuring wifi protected access (WPA). As I haven’t set up a RADIUS server here, and to be honest, it would be overkill for a small network like mine, I decided to implement WPA-PSK (pre-shared key), as detailed in Steve Lamb’s post (and blogcast) on the subject.

Initially, it all went well, simply setting the access point to use WPA-PSK and defining a passphrase. Within a few minutes, I had entered the passphrase on two of my notebook PCs and all was working well (one using a Compaq WLAN MultiPort W200 and one using an Intel PRO/Wireless 2200BG network connection) but then I hit some real problems. My wife’s PC (the whole reason for us having a wireless network) and my server refused to connect to the access point, displaying the following message when I selected the wireless network and entered the network key:

Wireless configuration

The network password needs to be 40 bits or 104 bits depending on your network configuration.

This can be entered as 5 or 13 ASCII characters or 10 or 26 hexadecimal characters.

This seemed strange to me – there was no mention of any such restrictions when I set up the WPA-PSK passphrase (the network key). With one machine running Windows XP SP2 and the other running Windows Server 2003 SP1, WPA support shouldn’t have been a problem (I double-checked the server with the D-Link AirPlus DWL-520+ wireless PCI adapter and once I’d manually switched the properties to WPA-PSK using TKIP, I was able to enter the network key and connect as normal).

It seems that for some reason, the D-Link card had defaulted to using WEP, and sure enough, once I set it to use WPA-PSK, the network description changed from security-enabled wireless network to security-enabled wireless network (WPA).
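The error message above is the WEP key dialog, not a WPA one: WEP keys are fixed at 40 or 104 bits (5 or 13 ASCII characters, or 10 or 26 hex digits), whereas a WPA-PSK passphrase is 8 to 63 printable ASCII characters that the client runs through PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID) to produce a 256-bit pre-shared key. The following Python is an added example written for this page, not code from the post or from any of the vendors mentioned; it classifies a network key the way a WEP-only adapter would and derives the WPA PSK as IEEE 802.11i specifies. The key strings passed to it are made-up inputs, apart from the IEEE "IEEE"/"password" test vector.

```python
import hashlib
import re

# WEP key sizes as the Windows XP dialog describes them. The "64-bit" and
# "128-bit" marketing names include the 24-bit IV, so the user-entered part
# is 40 or 104 bits.
WEP_ASCII_LENGTHS = {5: 40, 13: 104}   # characters -> key bits
WEP_HEX_LENGTHS = {10: 40, 26: 104}    # hex digits -> key bits


def classify_network_key(key: str) -> str:
    """Describe how an adapter that still expects WEP will treat this key.

    Returns 'wep-40', 'wep-104', 'wpa-passphrase' or 'invalid'. A WEP-shaped
    key is reported as WEP first, because a driver left in WEP mode will try
    to use it that way; anything else of 8-63 printable ASCII characters is
    only usable once the adapter is switched to WPA-PSK.
    """
    if len(key) in WEP_HEX_LENGTHS and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return f"wep-{WEP_HEX_LENGTHS[len(key)]}"
    if len(key) in WEP_ASCII_LENGTHS and key.isascii() and key.isprintable():
        return f"wep-{WEP_ASCII_LENGTHS[len(key)]}"
    # IEEE 802.11i: a WPA/WPA2 passphrase is 8-63 printable ASCII characters.
    if 8 <= len(key) <= 63 and key.isascii() and key.isprintable():
        return "wpa-passphrase"
    return "invalid"


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
    256 bits). Both the access point and every client compute this; the
    passphrase itself never goes over the air.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def explain(key: str) -> str:
    """One-line explanation of why a WEP-mode adapter does or does not accept a key."""
    kind = classify_network_key(key)
    if kind.startswith("wep"):
        return f"{kind}: accepted by a WEP-mode adapter"
    if kind == "wpa-passphrase":
        return "wpa-passphrase: rejected unless the adapter is set to WPA-PSK"
    return "invalid: not a WEP key length and not a valid WPA passphrase"


if __name__ == "__main__":
    # Made-up keys, plus the IEEE 802.11i Annex H test vector for wpa_psk().
    for candidate in ["abcde", "0123456789abcdef0123456789", "correct horse battery", "tiny"]:
        print(f"{candidate!r}: {explain(candidate)}")
    print("PSK for SSID 'IEEE', passphrase 'password':", wpa_psk("IEEE", "password").hex())
```

The post's 13-character example is worth noting: a 13-character WPA passphrase is also a valid WEP-104 ASCII key, so a WEP-mode adapter would accept it silently and then fail to associate, which is a more confusing failure than the dialog shown above.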

So, three machines working, one to go.

I read in Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article that WPA is “both more secure and easier to configure than WEP, but most network cards made before mid-2003 won’t support it unless the manufacturer has produced a firmware update”. The problem machine was using a Compaq WL110 Wireless PC Card, which I was given around 2002/3 (when we first put in the 802.11b network) so it sounded plausible that I might need a firmware update. A little more googling turned up the does/can the WL110 support WPA? thread on the HP IT Resource Center which gave me the answer. No, there is no firmware upgrade (card support was dropped before the WPA specification was finalised), but if you download the Agere version of the drivers, and tell Windows XP that the WL110 is a 2Wire Wireless PC Card, WPA is available and it works (even inside the WL210 PCI adapter)!

So, that’s all done – a working, (hopefully) secure, wireless network, all for the price of a new access point.

Didn’t get far with Linux so trying Solaris 10 now

Last year, I blogged about how I was starting to look at Linux… well, I installed SUSE Linux but never really got much further. I didn’t like the interface, I didn’t like that all the tools had weird or mis-spelt names, and it all felt a bit amateur (Linux zealots, please don’t flame me).

Still wanting to have a play with a Unix-based system and rebuild some long-lost skills, I had another go a few nights back and installed the x86 version of Sun Solaris 10 (the idea being that I’ll get used to a real Unix system and then maybe take another look at Linux later). It took an age to install, but I do now have a running system. I’m sure I’ve missed some essential configuration somewhere, but I’ll find my way through! First impressions are good, and I’m very proud of myself for managing to successfully install the Macromedia flash plug-in for Mozilla just by following the readme file (believe me, extracting files from an archive, finding out where Mozilla is installed, and then successfully running the installer is a big deal for a Unix newbie, even if it does sound trivial).

I still need to use Windows on my everyday systems, but maybe I’ll move my e-mail and browsing at home over onto the Solaris box once I feel comfortable with it all (after a couple of weeks’ use I’m not over-impressed with Mozilla Thunderbird on Windows XP so changing e-mail clients again won’t really upset me). In the meantime, if anyone out there has any Solaris hints and tips, good ‘net resources, etc., I’d be pleased to hear from you.

Dealing with winmail.dat files

A few days back, a business contact e-mailed me a copy of a presentation as a .PDF file. No problems there, except that when it got to me (using the Mozilla Thunderbird e-mail client), it was called winmail.dat. I tried saving the file as a .PDF but Acrobat Reader didn’t like it so I had to do some googling to find out what to do with this strange file (I remember having problems with this during a migration from Pegasus mail to Microsoft Exchange and Outlook a few years back and we had to resort to using plain text e-mails until everyone had been migrated).

I found an article on the PC Hell website that not only explained the purpose of the winmail.dat file (used by Outlook Rich Text e-mails to carry the formatting information in transport-neutral encapsulation format), but also gave links to various programs that can process the winmail.dat file. One of these is Steve Beadle’s WMDecode utility, which successfully extracted my .PDF from the winmail.dat file.

Infrastructure essentials

Anyone who reads this blog regularly will know that I keep a close eye on what the Microsoft UK IT professional technical evangelist team is up to and John Howard’s blog is one of many that I tend to watch. Since August, John has been posting a series of infrastructure essentials blogcasts to help administrators set up a well-managed infrastructure using Active Directory along with common Microsoft products like ISA Server 2004 and Exchange Server 2003. At the time of writing, John has reached 25 infrastructure essentials blogcasts – watch out for more. John covers Windows (client and server), Virtual Server, Virtual PC and Identity Integration Server, but Steve Lamb’s blog (security) and Eileen Brown’s blog (management, messaging, mobility and real time collaboration) are also worth checking out.

Securing your Windows computer with syskey

At an event a few weeks back, Steve Lamb mentioned using the syskey utility to secure a Windows system. Even though it’s a standard Windows utility, I’d never heard of it before and Steve has now written about syskey on his blog, along with a follow up post on storing the keys on a USB token (think of it as a kind of ignition key for a Windows computer).

Handy KVM solution

A few months ago I sold my KVM switch on eBay. Now I’m running out of desk-space again…

To be honest, the old one was too big, too noisy, and had 12-foot KVM leads, making it a bit over the top for a desktop solution, but yesterday I picked up a Linksys integrated KVM 2-port switch at RL Supplies.

With built-in cables, drawing power from the PS/2 port on one of the PCs, and no software required, this is an ideal solution for letting the port replicator for my work laptop and my desktop PC share the same keyboard, mouse and monitor (at resolutions up to 1920×1440). I just hit the Scroll Lock key twice to switch between PCs and my USB mouse even works with it (using a USB to PS/2 converter). Definitely worth considering by anyone who needs to find some extra desktop real estate.

Upgrading my wireless network

As I blogged previously, I experienced problems with my wireless network after I attempted to secure it using wired equivalent privacy (WEP). My 802.11b access point didn’t support WiFi protected access (WPA), so I turned off all the security (except MAC address filtering), thinking that there’s nothing here worth stealing anyway (except my bandwidth, and I don’t mind if my neighbours share my connection from time to time). Then, last week I attended Steve Lamb’s presentation on Wireless security and remote access and one point he made really worried me – what if someone was using my connection for something illegal? How could I prove that it wasn’t me (my ISP’s logs would show the IP address of my ADSL router and my account details)… unfortunately the answer is “with great difficulty”.

Whilst I live on a pleasant housing estate on the edge of a rural market town and I like my neighbours, I don’t know what their Internet interests are, and I didn’t want to run that risk. That meant only one thing – the wireless security must come back on – and ideally using WPA or WPA2.

Stage 1 was to buy a new access point (for not too much money). My budget of £40 (+VAT) meant that choices were somewhat limited. I had considered the Linksys WRT54G and WRT54GC until the friendly people at broadbandstuff highlighted that these devices don’t include a modem – I hadn’t realised that there is a difference between a broadband router (which is for cable) and an ADSL wireless gateway (which includes an ADSL modem). After that, I considered the Linksys WAG54G and its replacement, the WAG354G, but both were slightly over my budget and some articles I read suggested that the firewall wouldn’t let me configure my own rules. Thinking about it, I realised that I don’t need a new router – my Solwise SAR 110 has been working well since I stealthed it (I’ve since opened up a few ports and occasionally have to reboot, which I suspect is due to a denial of service attack, but thankfully not too often). After deciding that I only need an access point, I considered models from Linksys, NetGear and D-Link. The Linksys WAP54G looked good, until I read an (admittedly quite old) Tom’s Networking review that suggested it’s not too great on a mixed 802.11b and 802.11g network. I don’t like the styling on the consumer-focused NetGear equipment, and the business-focused WG102 looked good and had a great specification, but was too expensive for me this time around, so I decided to go for the D-Link DWL-2000AP+ instead, because:

  • It’s cheap (£35.99+VAT).
  • They had stock at RL Supplies (so I could pick one up on my way home).
  • I can’t follow the guideline of going for a one-brand WiFi infrastructure but I already have a D-Link DWL-520+ wireless PCI adapter in my server and using D-Link equipment (supporting AirPlus) would enable 22Mbps running (whilst my mixture of Compaq and HP-branded 802.11b kit would still run at 11Mbps and the Intel card in my Fujitsu-Siemens notebook would run at the full 54Mbps).
  • It supports WPA (although not WPA2).

Stage 2 was to migrate from the old to the new access point. This was remarkably painless (D-Link DWL-2000AP+ firmware version 2.11 6 April 2005):

  1. Note the details of the old access point configuration before switching it off.
  2. Set the IP address on a client PC (wired connection) to use the 192.168.0.0/24 subnet.
  3. Browse to http://192.168.0.50/ and log on with the username admin and a blank password.
  4. Run the setup wizard from the access point Home/Wizard page to set the admin password, SSID and channel (I left this at 6 as I already know that my neighbours are using 1 and 11) and encryption level (none at this stage). Restart the access point when prompted.
  5. From the Home/LAN settings page, change the IP address of the access point to something suitable on the correct subnet (this will automatically change the settings for the DHCP server on the access point, but this is disabled by default in any case) and restart the access point when prompted. At this point you can reset the client PC to use the original IP settings (DHCP in my case).
  6. From the Advanced/Filters page, enter the MAC addresses for any devices which need to connect to the access point and select the option to only allow the defined addresses to connect. Annoyingly, the access point needs to restart after each address is added, but it does have a handy clone feature to read the MAC address of each connected device and add it to the list of allowed addresses. If the MAC addresses are unfamiliar, use the client PC to ping known devices and then read the ARP cache (arp -a) to match MAC address to IP address.
  7. From the Home/Wireless page, change the access point name (from the default of DWL-2000AP+ to something which matches your naming standards). I used the name I had assigned to the existing access point, and which was already in my DNS. Restart the access point when prompted.
  8. Finally, from the Tools/System page, save all settings to the local hard drive (default filename is config.bin).
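Step 6 builds the MAC allow-list from the client's ARP cache. The following Python is an added example for this page, not code from the post or from D-Link: it parses the Windows-style `arp -a` output into an IP-to-MAC map, drops the broadcast and multicast entries that `arp -a` also lists (those must not go into the filter), normalises the MAC format, and reports any host on the LAN whose MAC is not on the allow-list. The `arp -a` text below is a constructed sample with made-up addresses, not a capture from the author's network. Bear in mind what this check can and cannot do: MAC addresses travel in the clear in every 802.11 frame and are trivial to spoof, so the filter keeps honest devices off the network but is no substitute for WPA.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of "arp -a" output from a Windows XP client (made-up addresses).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0f-3d-01-02-03     dynamic
  192.168.1.20          00-02-2d-aa-bb-cc     dynamic
  192.168.1.21          00-0c-f1-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP entry: IPv4 address, MAC with '-' or ':' separators, entry type.
ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+"
    r"(?P<type>dynamic|static)\s*$",
    re.MULTILINE,
)


def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so comparisons are reliable."""
    return mac.lower().replace("-", ":")


def is_unicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) is clear for a real host's address."""
    return int(mac.split(":")[0], 16) & 1 == 0


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC for real hosts, ignoring broadcast and multicast entries."""
    table: Dict[str, str] = {}
    for match in ARP_LINE.finditer(text):
        mac = normalise_mac(match.group("mac"))
        if is_unicast(mac):
            table[match.group("ip")] = mac
    return table


def allow_list(table: Dict[str, str]) -> List[str]:
    """Sorted, de-duplicated MACs to enter on the access point's filter page."""
    return sorted(set(table.values()))


def unlisted_hosts(table: Dict[str, str], allowed: Iterable[str]) -> Dict[str, str]:
    """Hosts seen in the ARP cache whose MAC is not on the allow-list."""
    allowed_set = {normalise_mac(mac) for mac in allowed}
    return {ip: mac for ip, mac in table.items() if mac not in allowed_set}


if __name__ == "__main__":
    hosts = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("Allow-list for the access point:")
    for mac in allow_list(hosts):
        print(" ", mac)
    # Pretend only two of the three hosts were entered on the access point.
    known = ["00-0F-3D-01-02-03", "00:02:2d:aa:bb:cc"]
    for ip, mac in unlisted_hosts(hosts, known).items():
        print(f"not on allow-list: {ip} ({mac})")
```

Run `arp -a > arp.txt` on the client after pinging each device, then feed the file to `parse_arp_table()`; the same `unlisted_hosts()` check, re-run later, is a cheap way to notice a device that has joined the LAN that you did not put on the list.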

Stage 3 is to configure WPA; however I want to leave the network running unsecured for a while longer, just to check that the mix of 11, 22 and 54Mbps 802.11b and 802.11g clients is working well. Once I’m happy with that, I’ll lock down the network. In the meantime, check out Steve Lamb’s post (and blogcast) on the subject.

Blog updates now available via e-mail

Readers of the HTML version of this blog may have noticed the FeedBlitz details which appeared yesterday under the syndication header on the left side of the screen. FeedBlitz is a service which I’m trying out to provide a daily digest of blog updates via e-mail. Hardline bloggers may not see a need for this (after all, isn’t RSS the transport of choice for bloggers?) but e-mail is one of the Internet’s killer applications and I quite like the idea of getting a single daily e-mail which details the updates to the blogs that I read – and it’s a great idea for people who might be interested in hearing when a site is updated, but who don’t have a feed reader, don’t understand what RSS is, or are just generally confused by anything other than basic e-mail and web browsing services.

If you would like to receive updates in this way, enter your e-mail address below and click the subscribe button for a daily digest of new posts to this blog:

Will Windows Vista bring clarity to your world?

Several months ago I installed Windows Vista Beta 1 (build 5112) on a spare laptop (slowly… as Vista installations tend to be…) but then didn’t get much time to use it (I’m still using XP on my everyday PCs). There are many good information sources on Vista out there (like Paul Thurrott’s Windows Vista Activity Center) – that’s hardly surprising with 10,000 users testing Beta 1, but I thought I’d write a quick post about how Microsoft is positioning Windows Vista.

From an initial glimpse, I couldn’t see much (apart from the Microsoft support lifecycle) to compel corporations to upgrade from XP. Many of the new features seem to be aimed at consumers and I recently heard that a Gartner briefing note entitled “ten reasons you should and shouldn’t care about Microsoft’s Windows Vista client” recommended that there is little reason to move (and that even the security improvements can be plugged with third party products, or will be back-ported to XP); however on reflection, there may be some advantages for corporate users.

At a recent event, Microsoft were stressing that Beta 1 might look dull (from a visual perspective), but the focus was to establish robustness, reliability and security and then finish off the look and feel later (sounds very unlike Microsoft to me!). Also, there are no ROI/TCO/business value metrics yet as these will be produced after the product is feature complete (otherwise they could become redundant before release to manufacturing, e.g. if components are added or removed between builds).

According to the Microsoft marketing machine, the main benefits of Windows Vista are clustered around three areas, which I’ll expand upon in the following paragraphs:

  • Confident.
  • Clear.
  • Connected.

Confidence is about four areas:

  • Security and privacy:
    • User account protection (not using administrative rights and prompting users when an extra level of access is required).
    • Data protection (trusted platform module v1.2).
    • Secure browsing (anti-phishing filter in Internet Explorer 7 scans URLs for unusual patterns and compares them against a database of known phishing sites).
  • Performance and reliability:
    • Fewer reboots and crashes (50% fewer than Windows XP; Vista and Office 12 patches save state before restarting).
    • Greater responsiveness (fast start combining the benefits of hibernation and standby).
  • Deployment and servicing:
    • Single image format (XML-based WIM imaging with single instance storage and support for direct patching).
    • Improved application compatibility.
  • Management:
    • Built-in diagnostics.
    • Power saving via group policy (allowing power savings of up to $40 per PC).
    • Unified event log (XML-based, which can be fed to a database for proactive monitoring).

Clarity is concerned with:

  • Instant search:
    • Enterprise-ready integrated desktop search (in a form which is easier to manage in a corporate environment than the current offerings from MSN, Google and others).
  • Smart organisation:
    • New virtual folders and views.
    • Filter-based column controls.
    • Robust metadata support.
  • Visualisation:
    • Live icons and enhanced document previews.
    • Efficient window management (taskbar thumbnails, flip and flip 3D task switching, on which I’ll expand more below).
  • User experience:
    • Scales with hardware (performance scaling to enable operating system features according to the installed hardware).
    • Stable desktop experience.
    • Familiar, but updated, streamlined experience (Microsoft claims to be aiming for users to be up and running with the new interface in less than 20 minutes).

Being connected is about:

  • Networking:
    • Discover and join networks more easily.
    • Secure and reliable wireless networking.
    • Access to corporate applications without requirement for a VPN.
  • Mobility:
    • Windows mobility centre.
    • Seamless wireless connection to external displays and projectors.
    • Hybrid hard drive support (“super-fetch” capabilities to pre-load common applications).
    • Tablet PC enhancements.
  • Collaboration:
    • Face-to-face collaboration on shared networks.
    • Broadcast presentation and text files (e.g. across secure private encrypted networks).
    • Easy sharing of files and folders.
  • Synchronisation:
    • Integrated synchronisation centre (allowing multiple vendors to synchronise devices through a common API).
    • Platform for mobile development.
    • More efficient data synchronisation.

From my own first experiences, and the product demonstration that I saw (using capable hardware), the much-hyped “glass” effect within the Aero interface is uninspiring but Microsoft are keen to emphasise that it will allow third parties to create software which can take advantage of this for a richer user experience; however business users may also benefit from the flip (Alt-Tab replacement) which shows a preview of each running application as it switches between them instead of just an icon and some text details (something similar is available for Windows XP as a PowerToy). This feature also works by presenting taskbar thumbnails within Vista as the user hovers over minimised applications. There is also the Flip 3D task switching, with overlapping windows in a 3-dimensional form. Many of these user interface items are reliant on the Windows graphics foundation (formerly codenamed Avalon) and a graphics card with around 64-128MB RAM.

Overall, the Aero interface seems to be a mix of the Windows XP Luna interface with hints of Apple OS X and KDE. It’s a fine line to tread between plagiarism and a familiar user interface but personally I don’t like any of those big icons. The new control panel is an improvement over the Luna version but I still prefer the classic control panel.

Other interface changes include adding blue (XML query-based) virtual folders alongside the traditional yellow folders. Document preview is enhanced, clearly exposing metadata and displaying the first page of a document in a similar manner to the current treatment of graphics files within Windows XP’s document preview features. Although these are all positive improvements, my general feeling was that the new interface was going to take some time to get used to.

Microsoft claim that search is also greatly enhanced, with desktop search across the file system, e-mail and offline server files and the ability to share filters (i.e. views on document searches). Maybe it is this desktop search capability that means there are some major changes to the file system layout – with some familiar folders and others less so (my machine still had a Documents and Settings folder structure with common application data, but also featured a new Users folder structure), meanwhile some of the old favourites are still there (namely autoexec.bat and config.sys). My brief experience with build 5112 searching was actually quite disappointing as the search only seemed to include user folders whereas shelling out to a command prompt and using an old-fashioned dir filename /s produced a different set of results.

When I installed build 5112, I thought it felt fast (even on a 1.4GHz Pentium 4 Mobile with 256MB of RAM) but that could have been down to a fresh Windows installation (rather than more efficient code). Other observations (made after just a few minutes looking at Windows Vista) were that:

  • As widely predicted, there is no more My prefix on documents, pictures, etc (good).
  • Fast user switching is available in domain mode (very good).
  • Desktop icons are huge (bad).
  • There is a new Control-Alt-Delete dialog, without a domain selection field – possibly encouraging a move to UPNs, but entering the username as domainname\username also worked for me (okay).
  • Checkboxes have a naff Windows 9x feel about them (bad).

So, when can we (finally) expect to see Windows Vista released? Microsoft is sticking to its 2006 release prediction, but is now saying that release to manufacturing (RTM) will be around Christmas 2006 (so that pushes general customer availability out into 2007). We’ve already seen pre-beta releases for the professional developers conference (PDC) in September 2003 and the Windows hardware engineering conference (WinHEC) in April 2004, before Beta 1 was finally released in July 2005.

Despite industry predictions to the contrary, the Microsoft representative that I spoke to insisted that there will be a second, more widely-available, Beta in January 2006, but there will also be community technical previews (CTPs) in December 2005, February 2006 and April 2006, as well as release candidates. Personally, I think this sounds like a lot of releases to manage and from which to solicit feedback – I’ll be surprised if some aren’t dropped from the schedule in order to hit that 2006 RTM date.

Probably the most embarrassing device that I’ve ever been told to fit to a car

Last night, as is normal on a Sunday evening in my house, I had a relaxing evening watching BBC Top Gear. During the news section, Jeremy Clarkson smashed up an extremely annoying device with a light-sensor to detect when a car’s fuel filler cap is opened and warn you to use only diesel fuel.

I thought it was funny and that no-one would actually buy one, until this morning I received one in the post from the lease company that owns my company car along with a letter mandating that I fit it to the car and warning that I will be personally liable for any damage caused by any future misfuelling (I have, of course, told them that I will install the thing but have refused to comply with the liability part).

I understand why they are doing this – the AA motoring trust has produced a report which details the problem along with some interesting statistics about misfuelling call-outs. I also admit that I did previously (many years ago) accidentally put half a tank of petrol into a diesel car as well as nearly filling the tank of this car with petrol when it was new (on both occasions, I had been using a petrol car for the previous few weeks), but the lease company waited 6 weeks to send this to me and I definitely know to use diesel now!

Misfuelling may be expensive and embarrassing, but this thing is a) loud b) American c) tacky d) noise-polluting e) extremely embarrassing! If you don’t believe me, then listen to how it sounds yourself.

Add to that, I’ve had to fit this horrible thing to a car about which Clarkson wrote:

    “You’ve deliberately gone your own way, deliberately bought something that isn’t a BMW or a Merc or an Audi. And in the process you’ve ended up with something that’s not only a little bit different, but also rather good.”

[Jeremy Clarkson, Sunday Times, 13 November 2005]

I’m dreading my next visit to a filling station forecourt. As my wife said, at least it will be a talking point – let’s see if she still thinks that as she cowers down in the passenger seat pretending she’s not there.