Microsoft on disabling wireless cards

I think it is important to disable wireless cards in laptops when a wired connection is present. Microsoft doesn’t. Steve Riley wrote about this back in October 2008. I blogged about that then. Now in a post signed by David Pracht but posted under MichaelPlatts’ userid, the Microsoft Enterprise Networking Team argues that it is no big deal to be connected to the internal corporate network in a wired fashion while you are connected to EVILROGUE hotspot in the parking lot. They say this because Windows 7 has “strong host” routing. Also you could disable the ability to connect to unapproved wireless. They don’t really spell out how “strong host” routing helps.

Disabling the ability to connect to unapproved wireless is not something I see happening in most organizations.   “To improve mobility, here is your laptop.   To improve security, you may not connect this to any wireless network except the one here at work.   And maybe Starbucks”.   Sounds like a recent Dilbert strip.

There is no valid reason for users to have multihomed computers.   While personal firewalls when configured correctly should prevent intrusion by a parking lot pentest access point, why take the risk?   It looks like you have a bad security posture.

Actually the Microsoft article left me wondering what happens if my wired connection is 100 Mb, but the wireless is 802.11n and is identified as having 300 Mb. If both interfaces have default gateways, does the wireless connection then “win”? As I understand that article, fastest speed wins. Worth testing.
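
One way to run that test, as an added example that is not part of the original post or the Microsoft article: the script lists every IPv4 default route and ranks them by route metric plus interface metric, the sum Windows uses to pick the preferred route. It assumes the `Get-NetRoute`, `Get-NetIPInterface` and `Get-NetAdapter` cmdlets, which ship with Windows 8 / Server 2012 and later, so it does not run on Windows 7 itself.

```powershell
# Added example: show which interface "wins" when wired and wireless both
# have a default gateway. Read-only; changes no settings.
$routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 `
                       -ErrorAction SilentlyContinue

$ranked = foreach ($r in $routes) {
    $ipIf = Get-NetIPInterface -InterfaceIndex $r.InterfaceIndex -AddressFamily IPv4
    $nic  = Get-NetAdapter -InterfaceIndex $r.InterfaceIndex -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Alias           = $r.InterfaceAlias
        Media           = $nic.PhysicalMediaType   # e.g. '802.3' or 'Native 802.11'
        LinkSpeed       = $nic.LinkSpeed           # speed the adapter reports
        NextHop         = $r.NextHop
        AutomaticMetric = $ipIf.AutomaticMetric    # Enabled = metric derived by Windows
        InterfaceMetric = $ipIf.InterfaceMetric
        RouteMetric     = $r.RouteMetric
        # Lowest combined value is the preferred route.
        EffectiveMetric = [int]$r.RouteMetric + [int]$ipIf.InterfaceMetric
    }
}
$ranked = @($ranked | Sort-Object EffectiveMetric)

if ($ranked.Count -eq 0) {
    Write-Output 'No IPv4 default route found.'
    return
}

$ranked | Format-Table -AutoSize

# Flag the situation the post is about: more than one default gateway,
# at least one of them on a wireless adapter.
$wireless = @($ranked | Where-Object { $_.Media -like '*802.11*' })
if ($ranked.Count -gt 1 -and $wireless.Count -gt 0) {
    Write-Output "Multihomed: $($ranked.Count) default routes, $($wireless.Count) on wireless."
}

Write-Output "Preferred default route: $($ranked[0].Alias) via $($ranked[0].NextHop)"
```

Run it once on wired only, then again with the wireless adapter associated, and compare the `LinkSpeed`, `InterfaceMetric` and `EffectiveMetric` columns.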


  1. Hey, Roger!

    So you tear down some arguments, arguments that are actually rather well formed. And then you make this assertion: “There is no valid reason for users to have multihomed computers” but fail to defend it. It sounds more or less like an opinion. Have you really polled the entire universe of users and determined that not a single person might actually need multihomed computers? You know, I’m not really seeing a lot of attack analysis that demonstrates multihoming to be the cause. So what’s the big deal? 🙂

    • Hey Steve. Thanks for the comment. I really enjoyed your and Jesper’s book “Protect Your Windows Network”.

      Rather than taking a “prove something bad could happen” approach (and haven’t pentesters already proven this) I’d rather prevent it from occurring in the first place.

      I’m open to correction. I ran the Microsoft article by some people I respect. They concur with my opinion. Microsoft should be providing this frequently requested feature rather than insisting it isn’t a problem.
