Read: Class 14 Group Policy - VascoLucas01/networking-reading-notes GitHub Wiki

Introduction

This Read covers Group Policy Objects (GPOs) and some standard wireless networking concepts.

What is Group Policy and what role does it play in data security?

Group Policy is a Windows feature that gives network administrators a large set of advanced settings for controlling the working environment of user and computer accounts in Active Directory (AD). It essentially provides a centralized place for administrators to manage and configure operating system, application and user settings. Used correctly, it lets you harden users' computers and helps defend against both insider threats and external attacks.

What is a Group Policy Object (GPO)?

A Group Policy Object is a collection of settings created with the Group Policy Management Editor, a Microsoft Management Console (MMC) snap-in. GPOs can be linked to one or more Active Directory containers: sites, domains or organizational units (OUs). The editor lets you create GPOs that define registry-based policies, security options, software installation and much more.

How are Group Policy Objects processed?

The order in which GPOs are processed determines which settings end up applied to the computer and user. GPOs are processed in LSDOU order: Local, Site, Domain, and then Organizational Unit (parent OU before child OU). When two GPOs set the same value, the one processed later wins, so by default an OU-linked GPO overrides a domain-linked one. Two link options change this: Block Inheritance on a domain or OU discards the non-enforced GPOs linked above it, and an Enforced link is applied regardless of blocking and cannot be overridden by GPOs linked below it.
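The precedence rule above is easier to reason about with a small model. The following is an added example written for this Read, not code from the page or from Microsoft; the GPO names, container names and setting names are hypothetical, and security filtering, WMI filters and loopback processing are not modelled.

```python
# Added example: a model of LSDOU processing and conflict resolution.
# GPO, container and setting names are hypothetical; security filtering,
# WMI filters and loopback processing are not modelled.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, object]
    enforced: bool = False          # the "Enforced" option on the GPO link


@dataclass
class Container:
    """A site, the domain or an OU with its linked GPOs in link order
    (link order 1 first). Windows applies the links from the highest link
    order number down to 1, so link order 1 wins inside a container."""
    name: str
    links: List[Gpo] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(local: Gpo, chain: List[Container]) -> List[Gpo]:
    """GPOs in the order they are applied. `chain` runs Site -> Domain ->
    parent OU -> ... -> the OU holding the account (the S, D, OU of LSDOU);
    the local GPO is always applied first and is not subject to blocking."""
    normal: List[Gpo] = []
    enforced: List[Gpo] = []
    for container in chain:
        if container.block_inheritance:
            normal = []                 # drop non-enforced links from above
        for gpo in reversed(container.links):
            (enforced if gpo.enforced else normal).append(gpo)
    # Enforced links are applied after all others; a higher-level enforced
    # link beats a lower-level one, so apply them lowest level first.
    return [local] + normal + list(reversed(enforced))


def resultant_set_of_policy(local: Gpo, chain: List[Container]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Last writer wins: return the effective settings and which GPO set each."""
    effective: Dict[str, object] = {}
    winner: Dict[str, str] = {}
    for gpo in processing_order(local, chain):
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = gpo.name
    return effective, winner


def example(block_inheritance: bool) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Hypothetical hierarchy: HQ site -> corp.example domain -> Workstations OU."""
    local = Gpo("Local Computer Policy", {"ScreenSaverTimeoutSec": 900})
    site = Container("HQ", [Gpo("Site Proxy", {"ProxyServer": "proxy.hq.example"})])
    domain = Container("corp.example", [
        Gpo("Security Baseline", {"AllowLocalAdmin": False}, enforced=True),   # link order 1
        Gpo("Default Domain Policy", {"SmbV1Enabled": False, "ScreenSaverTimeoutSec": 600}),
    ])
    workstations = Container("Workstations", [
        Gpo("Workstation Config", {"ScreenSaverTimeoutSec": 300, "AllowLocalAdmin": True}),
    ], block_inheritance=block_inheritance)
    return resultant_set_of_policy(local, [site, domain, workstations])


if __name__ == "__main__":
    for block in (False, True):
        effective, winner = example(block)
        print(f"Block Inheritance on Workstations = {block}")
        for key in sorted(effective):
            print(f"  {key} = {effective[key]!r}  (from {winner[key]})")
```

With Block Inheritance on the Workstations OU the domain's SMBv1 setting and the site proxy disappear, but the enforced Security Baseline still wins over the OU's attempt to allow local admin. On a real machine, compare against `gpresult /r` or the Group Policy Results wizard, which report the resultant set of policy actually applied.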

Should you use Group Policy?

GPOs, for example, can help you implement a policy of least privilege, where users only have the permissions they require to do their job. You can do this by removing standing Local Administrator rights across the network and granting admin privileges to individuals or groups based on their roles.

Group Policies can be used in numerous ways to bolster security, including disabling outdated protocols, preventing users from making certain changes and more.

The benefits of Group Policy for data security

  • Password Policy. Many organizations operate with relaxed password policies, often with user passwords set to never expire. Passwords that are too short, too simple or built from common phrases are at risk of being cracked by brute force or guessed by password spraying. GPOs can enforce password length, complexity, history and account lockout requirements. Two caveats: for domain accounts only the policy linked at the domain level (or a fine-grained password policy) takes effect, and current guidance favours long passwords screened against breached-password lists over forced periodic rotation.

  • Systems Management. GPOs can be used to simplify tasks that are at best mundane and at worst critically time-consuming. You can save yourself hours and hours of time configuring the environment of new users and computers joining your domain by using GPOs to apply a standardized, universal one.

  • Health Checking. GPOs can configure Windows Update (for example pointing clients at a WSUS server) and deploy software packages, so that the environment stays patched against the latest security threats.

Wireless Standards

When we talk about a wireless network, we usually mean one that follows the IEEE 802.11 standard, maintained by the 802.11 working group of the IEEE LAN/MAN Standards Committee. That group maintains the standards for wireless communication on local area networks and regularly publishes new amendments. The Wi-Fi trademark refers specifically to these 802.11 standards, and the Wi-Fi Alliance is the industry group that handles interoperability testing (certification) for devices that connect to an 802.11 network.

The 802.11 amendments (often written generically as 802.11x) are the specifications that give wireless networks their full functionality, including roaming between different manufacturers' equipment. Do not confuse this shorthand with IEEE 802.1X, the port-based network access control standard used for enterprise Wi-Fi authentication.

History of 802.11

  • 802.11 (1997) supported 1 Mbps and 2 Mbps data rates; output power limited to 1 Watt in the USA; used the 2.4 GHz band.
  • 802.11b (1999) added 5.5 and 11 Mbps rates; backwards compatible with the original standard.
  • Equipment that supports only these original standards is now very rare.

Variations of 802.11

  • 802.11a (1999). Operates at up to 54 Mbps in the 5 GHz band (other frequencies can be used in special situations).
  • 802.11b (1999). Operates at 2.4 GHz at up to 11 Mbps, as noted above; much slower than the 54 Mbps of 802.11a, but 2.4 GHz signals tend to bounce off surrounding objects, whereas objects tend to absorb the higher 5 GHz frequencies used by 802.11a, so 802.11b reaches further indoors.
  • 802.11g (2003). Update to 802.11b; operates in the 2.4 GHz band like 802.11b but at up to 54 Mbps; backwards compatible with 802.11b.
  • 802.11n - Wi-Fi 4 (2009). Update to 802.11g, 802.11b and 802.11a; unlike the previous standards it can run in either the 2.4 GHz or the 5 GHz band; larger channel widths (40 MHz) carry more data at once, giving a maximum throughput of around 600 Mbps; it also introduced MIMO (Multiple Input, Multiple Output), which adds transmit and receive antennas so that more data can be sent over the air at the same time.
  • 802.11ac - Wi-Fi 5 (2013). Added a number of improvements over 802.11n: it operates exclusively in the 5 GHz band, with design targets of at least 500 Mbps for a single link and at least 1 Gbps aggregate; the band offers much wider channels, and 802.11ac can use channel widths up to 160 MHz by bonding channels, so far more data crosses the wireless network; denser signal modulation (256-QAM) sends more information in less time; and it introduced multi-user MIMO (MU-MIMO) on the downlink, with up to eight spatial streams.
  • 802.11ax - Wi-Fi 6 (2021). Operates in both the 5 GHz and 2.4 GHz bands with channel widths from 20 MHz up to 160 MHz; about 1.2 Gbps per spatial stream, which looks like a small increase until you realise it is a bidirectional figure, with up to eight bidirectional MU-MIMO streams; it sends high-density information efficiently to a large number of clients at the same time using OFDMA (Orthogonal Frequency Division Multiple Access).

[image]

Other variations of the 802.11 standard

  • 802.11c. Bridge operation procedures (MAC bridging), later folded into IEEE 802.1D
  • 802.11d. Extends the use of IEEE 802.11 to countries where it was not yet permitted, regulating the variants according to each regulatory domain
  • 802.11e. Quality of Service (QoS) enhancements for the MAC layer
  • 802.11f. Inter-Access Point Protocol (IAPP), to allow roaming between different manufacturers' equipment (later withdrawn)
  • 802.11h. Spectrum management at 5 GHz (dynamic frequency selection and transmit power control) to avoid interfering with radar and satellite systems
  • 802.11i. Authentication and security in WLANs (ratified 2004; the basis of WPA2)
  • 802.11j. Compatibility with the Japanese market's 4.9-5 GHz band
  • 802.11p. Vehicle communication at 5.9 GHz
  • 802.11ad. Communication in the 60 GHz band (WiGig)

802.11 technologies

You commonly see 802.11 networks operating at either 2.4 GHz or 5 GHz or sometimes both.

However, instead of using the specific frequency we usually refer to these sections of frequencies as channels. The channel numbers are assigned by the IEEE, so if you are on a 2.4 GHz network and refer to channel 6, it is the same channel 6 on every IEEE 802.11 2.4 GHz device. Some of these channels overlap with each other, which is why neighbouring access points should be put on channels that do not overlap or conflict with each other.

The range of frequencies a channel occupies depends on the channel width, sometimes referred to as the bandwidth. On 802.11 networks you commonly see 20 MHz, 40 MHz, 80 MHz and 160 MHz channel widths.

Band selection and bandwidth

Here's what we mean when we talk about the bandwidths and the number of frequencies available in the 2.4 GHz and 5 GHz range.

[image]

In the 2.4 GHz band the channels are spaced only 5 MHz apart but each is 20 MHz wide (about 22 MHz for 802.11b), so adjacent channel numbers overlap and only three channels, 1, 6 and 11, can be used together without overlapping.

When we introduced the 5 GHz range, we also introduced a large number of available frequencies. Not only are we using these 20 MHz channels, but some of the wireless standards allow larger bandwidths, such as 40 MHz, 80 MHz and 160 MHz, by bonding adjacent 20 MHz channels together.
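The channel arithmetic behind the "1, 6 and 11" rule and behind channel bonding, as an added example for this Read (not code from the page or its sources). It assumes the IEEE centre-frequency numbering (2.4 GHz channel n at 2407 + 5n MHz, channel 14 at 2484 MHz; 5 GHz channel n at 5000 + 5n MHz); regulatory limits on which channels are legal in which country are not modelled, and the channel lists are constructed inputs.

```python
# Added example: 802.11 channel arithmetic. Centre frequencies follow IEEE
# numbering: 2.4 GHz channel n sits at 2407 + 5*n MHz (channel 14 at 2484 MHz)
# and 5 GHz channel n at 5000 + 5*n MHz. Regulatory limits (which channels are
# legal in which country) are not modelled; the channel lists are constructed.
from typing import Iterable, List


def center_mhz(channel: int, band: str = "2.4") -> int:
    """Centre frequency in MHz of a 2.4 GHz or 5 GHz channel number."""
    if band == "2.4":
        return 2484 if channel == 14 else 2407 + 5 * channel
    if band == "5":
        return 5000 + 5 * channel
    raise ValueError(f"unknown band {band!r}")


def overlap(ch_a: int, ch_b: int, width_mhz: int = 20, band: str = "2.4") -> bool:
    """Two channels of the same width overlap when their centres are closer than
    one channel width. 802.11b DSSS occupies about 22 MHz, OFDM (g/n/ac/ax) 20 MHz."""
    return abs(center_mhz(ch_a, band) - center_mhz(ch_b, band)) < width_mhz


def non_overlapping_plan(channels: Iterable[int], width_mhz: int = 20, band: str = "2.4") -> List[int]:
    """Greedy lowest-first choice of mutually non-overlapping channels: the set
    to spread across neighbouring access points."""
    plan: List[int] = []
    for ch in sorted(channels):
        if all(not overlap(ch, chosen, width_mhz, band) for chosen in plan):
            plan.append(ch)
    return plan


def bonded_center(channels_20mhz: Iterable[int]) -> int:
    """Centre channel number of a 40/80/160 MHz 5 GHz channel formed by bonding
    2/4/8 contiguous 20 MHz channels, e.g. [36, 40] -> 38, [36, 40, 44, 48] -> 42."""
    chans = sorted(channels_20mhz)
    if len(chans) not in (2, 4, 8) or any(b - a != 4 for a, b in zip(chans, chans[1:])):
        raise ValueError("need 2, 4 or 8 contiguous 20 MHz channels (spacing 4)")
    return (chans[0] + chans[-1]) // 2


def bonded_width_mhz(channels_20mhz: Iterable[int]) -> int:
    """Width of the bonded channel: 20 MHz per member channel."""
    return 20 * len(list(channels_20mhz))


if __name__ == "__main__":
    print("2.4 GHz, 22 MHz DSSS footprint, US channels 1-11:", non_overlapping_plan(range(1, 12), 22))
    print("2.4 GHz, 20 MHz OFDM footprint, channels 1-13:  ", non_overlapping_plan(range(1, 14), 20))
    print("5 GHz UNII-1 at 20 MHz:", non_overlapping_plan([36, 40, 44, 48], 20, "5"))
    print("5 GHz 40 MHz centres 38/46/54/62:", non_overlapping_plan([38, 46, 54, 62], 40, "5"))
    for group in ([36, 40], [36, 40, 44, 48], list(range(36, 65, 4))):
        print(f"bond {group} -> channel {bonded_center(group)}, {bonded_width_mhz(group)} MHz wide")
```

With the 22 MHz 802.11b footprint the greedy plan gives 1, 6 and 11, the classic answer; with a strict 20 MHz OFDM footprint and 13 channels available (Europe, for instance) the arithmetic allows 1, 5, 9 and 13, but real spectral masks leak past 20 MHz, so 1/6/11 remains the safer choice for a site survey.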

Independent basic service set (IBSS)

802.11 supports the ability for two stations to communicate directly with each other without using any access point; this is called an independent basic service set.

Ad hoc. A network created for a particular purpose without any previous planning and without an AP.

SSID and BSSID

When you're connecting to a wireless network, you'll notice there's usually a name that's listed in the OS. The wireless name is referred to as an SSID or Service Set Identifier.

BSSID, or Basic Service Set Identifier, is the physical (MAC) address of the access point's radio for that network, so each AP (and each SSID on a multi-SSID AP) has its own BSSID.

ESSID (Extended Service Set Identifier). The network name shared across several access points that together form one extended service set, so that clients can roam between them.

Counting antennas

New technologies were added to 802.11n, 802.11ac, and 802.11ax.

  • Send multiple streams of information over the same frequency at the same time
  • 802.11n - MIMO
  • 802.11ac - Downstream MU-MIMO
  • 802.11ax - Downstream and upstream MU-MIMO

To send and receive information simultaneously, we need the proper number of antennas (radio chains) and support for the proper number of streams. A wireless device may be described as 2x2:2, 3x3:3 or 4x4:4. The number before the 'x' is the number of transmit chains, the number after it is the number of receive chains, and the number after the colon is the number of spatial streams the device supports. The streams actually used on a link are limited by the weaker side: a 4x4:4 access point talking to a 2x2:2 laptop runs two streams.

Securing a wireless network

If you're using a wireless network in your company, then you're probably sending sensitive information over that network all the time. This means that we need to limit the people who might have access to that wireless network to provide the confidentiality we need to secure all of our data. This means that we’ll need to authenticate users before granting them access to the wireless network.

Wireless networks also need a mechanism that ensures the data received is exactly what was sent, so that a frame modified or forged in transit is detected and dropped. This is commonly referred to as a Message Integrity Check, or MIC.

WPA (Wi-Fi Protected Access)

One type of encryption you might find on a legacy wireless device is WPA with no number after it: the original Wi-Fi Protected Access, introduced in 2002 as a replacement for WEP, or Wired Equivalent Privacy. Significant cryptographic vulnerabilities were found in WEP, so it was removed from networks and replaced with WPA. WPA was an interim fix that kept WEP's RC4 cipher but wrapped it in TKIP (per-packet keys and a MIC); it has since been deprecated in favour of WPA2 and WPA3.

Wireless encryption

The problem with wireless networks, of course, is that this is information that’s going over the air. If you happen to know what frequencies are in use and you have the proper equipment, you can grab that information from the air and look at it.

This means that if you want to send something that’s private or personal over this wireless network, you need to encrypt the data so that if someone does intercept that information going over the air, they wouldn’t be able to read anything that they’ve received. You have to have the right encryption key to be able to send and receive information over this wireless network. And we commonly see this implemented on today’s wireless networks using WPA2 and WPA3.

WPA2 and CCMP

WPA2 is Wi-Fi Protected Access version 2. It uses CCMP, the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, built on the AES block cipher in CCM mode. CCMP uses AES in counter mode for data confidentiality and CBC-MAC as the Message Integrity Check (MIC); in CCMP-128 the MIC is truncated to 8 bytes and covers both the payload and parts of the frame header, so a forged or modified frame fails verification and is discarded.

WPA3 and GCMP

Wi-Fi Protected Access 3, or WPA3, adds GCMP, the Galois/Counter Mode Protocol, alongside CCMP. GCMP also encrypts with AES but in Galois/Counter Mode, which produces its message integrity check as a Galois Message Authentication Code (GMAC) and can be computed in parallel, so it keeps up with the much higher data rates of newer standards. The caveat is that WPA3-Personal still mandates CCMP-128 (its main change is the SAE handshake replacing the PSK handshake); GCMP-256 is required in the WPA3-Enterprise 192-bit mode.
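The confidentiality-plus-MIC service described in the two sections above, as an added example for this Read rather than code from the page, the Wi-Fi Alliance or any vendor. It uses the `cryptography` package's AES-CCM (8-byte tag, as in CCMP-128) and AES-GCM (16-byte tag, as in GCMP-128). The temporal key, transmitter address, packet numbers and payload are constructed, and the additional authenticated data is a constructed stand-in for the masked 802.11 MAC header that the real protocols authenticate; the nonce layouts (priority, A2, PN for CCMP; A2, PN for GCMP) follow the standard.

```python
# Added example: the confidentiality + MIC service of WPA2 CCMP (AES-CCM,
# 8-byte MIC) and WPA3 GCMP (AES-GCM, 16-byte MIC) with the `cryptography`
# package. Key, MAC address, packet numbers and the AAD are constructed;
# the real AAD is the masked 802.11 MAC header, not reproduced here.
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM, AESGCM

CCMP_MIC_LEN = 8     # CCMP-128 truncates the CBC-MAC to 8 bytes
GCMP_MIC_LEN = 16    # GCMP-128 keeps the full 16-byte GMAC tag


def ccmp_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """CCMP nonce, 13 bytes: priority field, transmitter address A2, 48-bit PN."""
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


def gcmp_nonce(a2: bytes, pn: int) -> bytes:
    """GCMP nonce, 12 bytes: transmitter address A2 followed by the 48-bit PN."""
    return a2 + pn.to_bytes(6, "big")


def ccmp_protect(tk: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Returns ciphertext || 8-byte MIC; the MIC also covers the AAD."""
    return AESCCM(tk, tag_length=CCMP_MIC_LEN).encrypt(nonce, plaintext, aad)


def ccmp_unprotect(tk: bytes, nonce: bytes, aad: bytes, protected: bytes) -> bytes:
    """Raises InvalidTag if the MIC does not verify."""
    return AESCCM(tk, tag_length=CCMP_MIC_LEN).decrypt(nonce, protected, aad)


def gcmp_protect(tk: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Returns ciphertext || 16-byte GMAC tag."""
    return AESGCM(tk).encrypt(nonce, plaintext, aad)


def gcmp_unprotect(tk: bytes, nonce: bytes, aad: bytes, protected: bytes) -> bytes:
    """Raises InvalidTag if the GMAC tag does not verify."""
    return AESGCM(tk).decrypt(nonce, protected, aad)


def mic_verifies(unprotect, tk: bytes, nonce: bytes, aad: bytes, protected: bytes) -> bool:
    """True if the frame decrypts and its MIC checks out, False if it would be dropped."""
    try:
        unprotect(tk, nonce, aad, protected)
        return True
    except InvalidTag:
        return False


class ReplayCounter:
    """Receiver-side packet number check used with both ciphers: a frame whose
    PN is not greater than the last accepted PN is discarded."""

    def __init__(self) -> None:
        self.last_pn = -1

    def accept(self, pn: int) -> bool:
        if pn <= self.last_pn:
            return False
        self.last_pn = pn
        return True


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate an attacker (or noise) changing one bit of a captured frame."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> dict:
    tk = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed 128-bit temporal key
    a2 = bytes.fromhex("02a1b2c3d4e5")                      # constructed transmitter MAC
    aad = bytes.fromhex("8841") + a2 * 3 + bytes(2)          # constructed header stand-in
    payload = b"GET /payroll HTTP/1.1\r\nHost: intranet\r\n\r\n"
    r = {}

    n = ccmp_nonce(0, a2, 1)
    c = ccmp_protect(tk, n, aad, payload)
    r["ccmp_mic_bytes"] = len(c) - len(payload)
    r["ccmp_roundtrip"] = ccmp_unprotect(tk, n, aad, c) == payload
    r["ccmp_payload_tamper_detected"] = not mic_verifies(ccmp_unprotect, tk, n, aad, flip_bit(c, 4))
    r["ccmp_header_tamper_detected"] = not mic_verifies(ccmp_unprotect, tk, n, flip_bit(aad, 0), c)

    n = gcmp_nonce(a2, 1)
    g = gcmp_protect(tk, n, aad, payload)
    r["gcmp_mic_bytes"] = len(g) - len(payload)
    r["gcmp_roundtrip"] = gcmp_unprotect(tk, n, aad, g) == payload
    r["gcmp_payload_tamper_detected"] = not mic_verifies(gcmp_unprotect, tk, n, aad, flip_bit(g, 4))

    rc = ReplayCounter()
    r["replay_rejected"] = rc.accept(1) and rc.accept(2) and not rc.accept(2)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Flipping a single bit in either the encrypted payload or the authenticated header makes the MIC fail, which is what lets a receiver drop a forged frame rather than act on it; the packet number in the nonce is what makes replaying a captured frame fail too, so a nonce must never repeat under the same temporal key.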

References

1 - https://www.professormesser.com/network-plus/n10-008/n10-008-video/wireless-standards-n10-008/

2 - https://pplware.sapo.pt/tutoriais/networking/mu-mimo-o-seu-router-ja-suporta-esta-tecnologia/