TechNet Home > TechNet Security > Security Advisories

Microsoft Security Advisory (917021)

Description of the Wi-Fi Protected Access 2 support for Wireless Group Policy in Windows XP Service Pack 2

Published: October 17, 2006

Microsoft is releasing this security advisory to inform customers about an update that enables Wi-Fi Protected Access 2 (WPA2) support for Wireless network Group Policy settings in Windows XP Service Pack 2. This update is being released to provide parity between Windows XP Service Pack 2 (before a broad release vehicle, like a service pack, is released) and the upcoming release of Windows Server 2003 Service Pack 2. With this update, customers can create Wireless network Group Policy settings to simultaneously manage WPA2 on systems running Windows XP Service Pack 2 and for any versions of Windows targeted by the upcoming Windows Server 2003 Service Pack 2.

Also included in this update are Wireless client behavior changes for non-broadcast and ad-hoc networks. These defense-in-depth changes are intended to help prevent systems from connecting to networks other than those a user intends to connect to.

The reason these defense-in-depth changes are included in this update in addition to the WPA2 support for Wireless network Group Policy is to provide parity between the two Windows versions. This makes it possible to manage WPA2 settings for wireless clients on different Windows versions using the same Wireless Group Policy.

These defense-in-depth changes will be included in Windows 2003 Service Pack 2 as part of the same WPA2 support for Wireless network Group Policy settings. For more information about the upcoming Windows 2003 Service Pack 2 see the Windows Service Pack Road Map. The broad release vehicle is still considered to be a service pack for Windows XP for the defense-in-depth changes included in update 917021.

General Information

Overview

Purpose of Advisory: Notification of the availability of an update that enables Wi-Fi Protected Access 2 (WPA2) support for Wireless network Group Policy settings in Windows XP Service Pack 2. Clarification that this update also includes defense-in-depth changes that helps prevent systems from connecting with wireless networks other than those a user intends to connect to.

Advisory Status: Microsoft Knowledge Base Article and associated update were released.

Recommendation: Review the suggested actions and configure as appropriate.

ReferencesIdentification

Microsoft Knowledge Base Article

917021

This advisory discusses the following software.

Related Software

Microsoft Windows XP Service Pack 2

Top of sectionTop of section

Frequently Asked Questions

What is the scope of the advisory?
This advisory is being released to call out the fact that update 917021 also includes the same defense-in-depth changes made to Wi-Fi Protected Access 2 (WPA2) in the upcoming Windows 2003 Service Pack 2. For more information about this update, see Microsoft Knowledge Base Article 917021. For more information about the upcoming Windows 2003 Service Pack 2, see the Windows Service Pack Road Map.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. This is an update that enables Wi-Fi Protected Access 2 (WPA2) support for Wireless network Group Policy settings in Windows XP Service Pack 2. The type of defense-in-depth changes also carried in the update would typically not be made outside of service packs.

What is Wi-Fi Protected Access 2?
Wi-Fi Protected Access (WPA) is an interim standard adopted by the Wi-Fi Alliance to provide more secure encryption and data integrity while the IEEE 802.11i standard was being ratified. WPA supports authentication through 802.1X (known as WPA Enterprise) or with a preshared key (known as WPA Personal), a new encryption algorithm known as the Temporal Key Integrity Protocol (TKIP), and a new integrity algorithm known as Michael. WPA is a subset of the 802.11i specification.

Wi-Fi Protected Access 2 (WPA2) is a product certification that is available through the Wi-Fi Alliance. WPA2 certifies that wireless equipment is compatible with the IEEE 802.11i standard. The WPA2 product certification formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA.

For more information about WPA2, see this TechNet Web page.

What defense-in-depth improvements are included in this update?
The defense-in-depth changes included in this update help prevent systems from connecting to networks other than those a user intends to connect to. There are changes made to how clients behave in non-broadcast networks and in Ad Hoc networks. In addition, changes are made to the default “parking behavior”. These changes are discussed in more detail in Microsoft Knowledge Base Article 917021.

Why are defense-in-depth improvements included in this update?
This update is being released to provide parity between Windows XP Service Pack 2 and the upcoming release of Windows Server 2003 Service Pack 2. With this update, customers can create Wireless network Group Policy settings to simultaneously manage WPA2 on systems running Windows XP Service Pack 2 and for any versions of Windows targeted by the upcoming Windows Server 2003 Service Pack 2. In addition to Windows Server 2003 versions, this also includes Windows XP Professional x64 Edition. By also including these defense-in-depth changes in this update, we make it possible to manage WPA2 settings for wireless clients on different Windows versions using the same Wireless network Group Policy.

Top of sectionTop of section

Suggested Actions

Review the Microsoft Knowledge Base Article that is associated with this advisory

Customers who are interested in learning more about this feature should review Microsoft Knowledge Base Article 917021.

Update Windows XP Service Pack 2

Windows XP Service Pack 2 users can install the update from Microsoft Knowledge Base Article 917021.

Keep Your System Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Top of sectionTop of section

Resources:

You can provide feedback by completing the form by visiting the following Web site.

Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.

The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions: 

October 17, 2006: Advisory published


Top of pageTop of page