WEP security is mere clicks away, in Windows

Ah, the joys of aging: seeing friends who haven't laid eyes on you in a few months or even years and hearing, "Geez, you've certainly got a lot of gray hair." That's always a mood booster. Then I spent 45 minutes watching the end of a Keira Knightley movie, the whole time thinking that Winona Ryder sure had gotten thin. But that's the way. Things become increasingly decrepit with age. Such as WEP, for instance.

Now, most of us IT managers swore off WEP some time ago. The only problem is that swearing off WEP for our personal geek machines and swearing it off for a whole fleet of disparate desktops and laptops are two different things. WEP just happens to be a convenient common denominator, and when the user is breathing down your neck for a fast resolution, it's often easy to rationalize its use. After all, installing a 128-bit WEP key should be enough to keep the average war drivers at bay. And you'll get back to the WPA (Wi-Fi Protected Access) deal as soon as you clear the other 99 highly urgent things on your list.

That may have been the case for the last couple of years, but InfoWorld just ran a story on how WEP security has had even more holes shot through it in the last 12 to 18 months. The piece concerned a bunch of German mathematicians who showed that a 1.7GHz Pentium M CPU took only 3 seconds to crack a 104-bit WEP key. See, that sends chills down my spine. If it sends a shudder or two down yours, then take a shot of something strong and read on.

I griped about these worries to a buddy, and he verbally slapped me about the ears and face: "How can you write a Microsoft column every week and not know that you've got everything you need to fix that problem sitting on your Active Directory server?" I asked him to explain, but at first he'd only compare my intellect to that of various dinner vegetables. Some back and forth on that, a little violence, and we got down to explanations.

All you need to do is disable the preshared key portion of the WEP equation. You can replace this with 802.1x on any post-Windows XP Pro SP2 PC, especially anything running Vista. It does require a little router fiddling, but just enough to cause the router to manage user authentication via RADIUS. Yeah, that means installing IAS (Internet Authentication Service) somewhere on the Windows network, but that's mostly a matter of check boxes. Get that done, and your Wi-Fi users can authenticate using their AD credentials.

He showed me how he did it: Just enabled IAS on the Domain Controller and sent a memo to the user community. I asked how he'd handle something such as the guest credentials I can configure on my SonicWall router for outside users -- easy enough to do by simply ignoring the problem on the router side and creating one or two AD accounts provisioned with only guest access. He liked that approach better anyway, he said, because it allowed him to add things such as guest printer and storage access in addition to wireless Internet access. He also found it easier to manage from an event log basis.

There are other ways to handle your WEP troubles, of course. Jumping to a full WPA2 implementation is preferred, but because most of us have bumped into troubles with that across different notebooks' wireless implementations, dropping that complexity onto the back end is definitely easier for now. And it's one less thing to worry about.