Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Ethernet and WiFi and Bluetooth, oh my!


Customers have long requested a way to configure a computer to automatically disable its wireless NIC when its Ethernet is in use. Many third-party utilities can do this for you, but neither XP nor Vista has a built-in way to accomplish this, nor will Windows 7. Although having both NICs enabled at first appears to cause a security issue, in reality that would be true only if both of the following were also true:

  • The user is logged on as a local administrator
  • The user, or some code the user runs, enables IP routing

By default, all forms of IP routing (including NIC bridging) are disabled. Only local administrators (or group policy) can enable them. So the risk that a dual-homed client silently forwards traffic between the two networks is, in practice, minimal.

If you take a stroll through group policy, you'll discover this setting: "Prohibit installation and configuration of Network Bridge on your DNS domain network". Network Bridge is the feature that turns a computer into a router bridging two networks. The bridging works only when one of the interfaces is in the same DNS namespace it was in when the bridge setting was enabled, and it works only when the Windows firewall is disabled on both interfaces (never a good idea). Additionally, regardless of the group policy setting, the function doesn't even appear as an option when the user is logged in as a non-admin. The group policy setting simply removes the option from people who are local admins of their computers. So here's a way you can remove the ability to bridge even for local admins.
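The two switches the preceding paragraphs rest on can be audited from PowerShell. The script below is an added example, not code from the original post or from Microsoft: it reads the IPEnableRouter value that turns a Windows host into an IP router, reads the registry value (NC_AllowNetBridge_NLA) that the "Prohibit installation and configuration of Network Bridge" policy writes, looks for a bridge adapter that already exists, and counts physical adapters with a live link. The driver-name patterns used to spot a bridge adapter are my assumption about what the bridge miniport is called on a given build; everything else uses the registry paths and the Win32_NetworkAdapter WMI class, so it runs on PowerShell 2.0 and is read-only.

```powershell
# Added audit script (not part of the original post). Read-only; run it in an
# elevated PowerShell on Vista/Windows 7 or later.

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ncPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Global IP forwarding. 1 = the host routes packets between its NICs.
#    The value is absent or 0 on a default client install.
$ipRouter = Get-RegValue $tcpipParams 'IPEnableRouter'
if ($ipRouter -eq 1) {
    Write-Warning 'IPEnableRouter=1: this host forwards IP traffic between its interfaces.'
} else {
    $shown = if ($null -eq $ipRouter) { 'absent' } else { $ipRouter }
    Write-Output "IPEnableRouter is off (value: $shown)."
}

# 2. The Group Policy setting "Prohibit installation and configuration of
#    Network Bridge on your DNS domain network" is stored as
#    NC_AllowNetBridge_NLA under the Network Connections policy key;
#    0 removes the bridge option even for local administrators.
$bridgePolicy = Get-RegValue $ncPolicyKey 'NC_AllowNetBridge_NLA'
if ($bridgePolicy -eq 0) {
    Write-Output 'Network Bridge is prohibited by policy (NC_AllowNetBridge_NLA=0).'
} elseif ($null -eq $bridgePolicy) {
    Write-Warning 'No Network Bridge policy is set: a local admin can still bridge two NICs.'
} else {
    Write-Warning "NC_AllowNetBridge_NLA=$bridgePolicy: Network Bridge is explicitly allowed."
}

# 3. Is a bridge already in place? A Network Bridge shows up as an extra
#    adapter. The driver names matched here ("MAC Bridge Miniport" on XP/Vista/7,
#    "Network Adapter Multiplexor" on later builds) are an assumption; adjust
#    the pattern if your build names it differently.
$bridges = Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.Name -match 'MAC Bridge Miniport|Network Adapter Multiplexor' }
if ($bridges) {
    foreach ($b in $bridges) {
        Write-Warning "Bridge adapter present: '$($b.NetConnectionID)' ($($b.Name))"
    }
} else {
    Write-Output 'No bridge adapter found.'
}

# 4. Physical adapters that currently have a link (NetConnectionStatus 2).
#    Two or more is the "docked laptop with WiFi still on" case from the post.
$up = @(Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter=TRUE AND NetConnectionStatus=2')
Write-Output ("Physical adapters with link up: {0}" -f $up.Count)
foreach ($a in $up) { Write-Output "  $($a.NetConnectionID): $($a.Name)" }
```

A clean result is IPEnableRouter absent or 0, NC_AllowNetBridge_NLA=0 on domain members where you have deployed the policy, and no bridge adapter. Note that step 4 will routinely report two adapters on a docked laptop; that on its own is the address-consumption problem the post goes on to describe, not a forwarding problem.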

However, let me admit that I wish we did have a way to implement your request, but for an entirely different reason: IP address preservation. Consider what happens when I'm on my own corpnet in my office. I put my laptop in its dock, which is connected to the Ethernet. I never bother disabling my wireless (I'm lazy). So whenever I'm in my office I'm taking up two IP addresses: one on the Ethernet and one on the wireless. Such wasteful profligacy, I know! (Note this isn’t a problem for any Bluetooth adapter, which always uses APIPA in its default configuration; I can’t imagine a scenario where you’d want Bluetooth to use DHCP.)

If you agree with me that this is something we should address post Windows 7, not for "security" reasons but as a good general networking practice of being conservative with address allocation, please speak up. Now's the time for your input.
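Since no version of Windows discussed above ships the requested behaviour, here is how the same thing can be scripted. This is an added example of mine, not the author's or Microsoft's code: when the Ethernet connection has a link, it disables the wireless connection; when the Ethernet link goes away, it re-enables it. It ends by listing interface metrics so you can confirm that the wired interface is preferred while both are up. The default connection names are assumptions taken from the XP/Vista/7 defaults; pass your own if Network Connections shows something else. It uses only the Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration WMI classes, so it runs on PowerShell 2.0.

```powershell
# Added example (not from the original post). Run elevated: the Disable()/
# Enable() WMI methods need administrator rights. -WhatIf only reports.
param(
    [string]$EthernetName = 'Local Area Connection',        # assumption: default wired name
    [string]$WirelessName = 'Wireless Network Connection',  # assumption: default WLAN name
    [switch]$WhatIf
)

function Get-ConnectionAdapter([string]$ConnectionName) {
    # NetConnectionID is the name shown in Network Connections (ncpa.cpl).
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
}

function Test-LinkUp($Adapter) {
    # NetConnectionStatus: 2 = Connected, 7 = Media disconnected,
    # 0 = Disconnected (also what a disabled adapter reports).
    return ($null -ne $Adapter -and $Adapter.NetConnectionStatus -eq 2)
}

function Set-AdapterEnabled($Adapter, [bool]$Enabled) {
    # Enable()/Disable() return an object whose ReturnValue is 0 on success.
    if ($Enabled) { $r = $Adapter.Enable() } else { $r = $Adapter.Disable() }
    if ($r.ReturnValue -ne 0) {
        throw "Changing '$($Adapter.NetConnectionID)' failed with code $($r.ReturnValue)"
    }
}

$eth  = Get-ConnectionAdapter $EthernetName
$wlan = Get-ConnectionAdapter $WirelessName
if ($null -eq $eth -or $null -eq $wlan) {
    throw "Adapter not found. Ethernet='$EthernetName' Wireless='$WirelessName'. Check ncpa.cpl for the names."
}

if (Test-LinkUp $eth) {
    if ($wlan.NetEnabled) {
        Write-Output "Ethernet link up: disabling '$WirelessName'."
        if (-not $WhatIf) { Set-AdapterEnabled $wlan $false }
    }
} elseif (-not $wlan.NetEnabled) {
    # No wired link: give the wireless NIC back so an undocked user can roam.
    Write-Output "Ethernet link down: re-enabling '$WirelessName'."
    if (-not $WhatIf) { Set-AdapterEnabled $wlan $true }
}

# Route preference check. While both interfaces are up, the wired one should
# carry the lower IPConnectionMetric; otherwise outbound traffic may leave
# over WiFi even though the cable is plugged in.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description,
                  @{ n = 'IP';     e = { $_.IPAddress -join ',' } },
                  @{ n = 'Metric'; e = { $_.IPConnectionMetric } } |
    Sort-Object Metric |
    Format-Table -AutoSize
```

To make it automatic, register it in Task Scheduler to run as SYSTEM with highest privileges, triggered on events 10000 (network connected) and 10001 (network disconnected) in the Microsoft-Windows-NetworkProfile/Operational log; both fire on link changes for either interface, so the script sees every dock and undock. Because the wireless NIC is disabled rather than merely disconnected, it also stops holding a DHCP lease, which is the address-preservation point above; the cost is that a user who undocks has to wait for the re-enable to run before WiFi is available.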

Comments
  • I'd like to have the option to configure my clients to turn off wifi when plugged into Ethernet.

    Not for security, and not for address allocation, but because of applications that get confused and fail or perform suboptimally when there are two active network connections available.

    Luckily our standard HP hardware has a BIOS setting which, when enabled, will automatically turn off the wifi radio if an Ethernet cable is connected. That works just fine functionally, but BIOS settings are a PITA to manage in an enterprise environment. It would be much easier to manage this as a Windows setting.

    Ultimate fix will be for applications to be able to handle multiple network connections without failing. I wonder whether that will happen before Windows 8 ships?

  • Are you really that naive? Do you honestly think that Windows routing is the only way to siphon data through an exposed endpoint.... There are these things called user processes, that can talk to the network and will happily, if asked, move data between two network interfaces regardless of the user's admin status, UAC prompts etc...

    I think that the fact that many AV/security vendors are doing something in this space screams out that there is a need that is not being filled by Windows.

  • I would love to see this feature implemented in a future version of Windows. Our organization has purchased a 3rd party application for IP address preservation and, as Dan mentioned, for application optimization. The maintenance costs are pretty minor but in this economy every penny saved helps.

  • I think it'll be hard to convince that it would be necessary to be conservative with IP address allocation at the office.

    Company networks mostly operate within the reserved private address space (RFC1918) containing IPv4 prefixes: 10/8, 172.16/12 and 192.168/16, which represents roughly over 17 million available IP addresses, locally.

    Regarding security, people most likely use a computer's Ethernet within a trusted environment, like at the office. This means that the wireless NIC would only get disabled automatically in trusted environments (if this option were included in Windows 7). However, when leaving a trusted environment, I assume the wireless NIC automatically re-enables again. This means that people using a computer in untrusted environments, like in public places and underway while traveling, have their wireless NIC enabled while they are theoretically more at risk. Therefore automatically disabling a computer's wireless NIC when its Ethernet is in use most likely doesn't significantly improve security.

    Applications that get confused and fail or perform suboptimally when multiple network connections are available, as Dan Becker stated earlier, sounds like a problem of another nature. I could not reproduce this particular situation as I do not use Windows, but maybe Dan is willing to share his experiences in more detail.

  • That's very sad news. I remember during the Vista TAP-RD program that this was a high demand by most participants. The program manager said they would look at it for post Vista. So, I was expecting this for Windows 7 and now it seems skipped again. It's not only about security, we've seen software behave very weirdly when multiple connections are active. I believe this is a mistake.

  • I would like to see this feature for a totally different reason. I had a laptop configured to connect to the wireless of a local cafe. However, when doing work for a company that shared the building with the cafe I found the networks would randomly take precedence, so I would one minute be connected to the company's resources and the next I would get a login page for the cafe. Easy solution: turn off the wireless, but I forget at times.

  • We would like to have this for Win7. Got about 19K workstations and a variable degree of local admins.

    I'll agree with Daniel that it can be a usability issue, and if they got malware on their boxes it can be a security/relations issue too. If the traffic is forced through the corp net it probably will be detected. But if the box at the same time can connect to an open WiFi net you can't be sure which way the traffic takes.

    Currently we have an ugly solution to this which simply disables any NIC besides the LAN adapter when the LAN adapter changes status to up.

  • I use hardware profiles to automatically disable my wireless when I'm docked, so I get around the problem of having to manually disable wireless when docked.

  • Fred and Daniel both make excellent points. I find leaving wireless enabled when mobile (and I don't need network connectivity) significantly shortens my battery life as well. I simply have two batch files (wlanon.bat and wlanoff.bat) in my path that use devcon to disable/enable my wireless interface. Takes about two seconds to click Start | Run and toggle the radio.

  • Notebooks I know of are equipped with a power switch for the built-in wireless adapter. Turning off the wireless hardware does indeed lower power consumption and minimize its security risk.

  • Dan-- That applications still get confused is a bit surprising to me. Can you give me some examples? Typically, client applications don't reach that far down into the stack to know that multiple connections are active. When my PC is on the wired and wireless networks, the wired interface always has a lower metric (meaning more preferred), so the stack directs outbound traffic through that NIC.

    Fred-- once the computer is infected with malware, the game is already lost. Controlling what the malware can do by limiting the computer's available interfaces is the least of your worries.

    Sebastian-- some organizations use publicly routable IPs on client PCs, so address preservation is important to them.

    Daniel and Mats-- wireless interfaces should always have a higher metric than Ethernet interfaces. Therefore, traffic will use the Ethernet interface if it's active. You might want to check that your computers haven't been changed from the default behavior.

  • I agree with you Steve that some organizations use publicly routable IPs on client PCs.

    These workstations on the organization's internal private network don't need to be globally available to every individual on the public internet. In most cases unrestricted or direct external access to such workstations (provided via public IP connectivity) is unnecessary and even undesirable for privacy/security reasons.

    Such workstations had better use private IP addresses (RFC1918) that are unambiguous within an organization, but aren't publicly routable.

    Using publicly routable IPs for such workstations on the private network of an organization is more or less spoiling globally unique public IPv4 address space that is nearly exhausted.

    On the other hand I understand that older private TCP/IP networks could only exist by using publicly routable IP addresses for all their hosts and that it would take some effort to switch them over to addresses in the later reserved private IPv4 space, specifically meant for private networks.

    However, change may already be inevitable when people feel the urge to depend on an option they hope will be provided by a given computer operating system, automatically disabling a computer's wireless when its Ethernet is in use, for security reasons, reasons of address preservation, reasons of confused applications that fail or perform suboptimally when multiple network connections are available, and other problems of another nature that need solutions of another nature. For example private IPv4 address space and IPv6 in answer to the shortage of available globally unique public IPv4 addresses.

    Though, it actually makes sense (automatically) turning off a computer's built-in wireless adapter while its Ethernet adapter is in use: to save power, to lower power consumption. A notebook's battery lasts longer without it, and attached to a power cable a computer consumes less power without it. For one computer the power saving by turning off an unused device will be relatively small, but multiplied by hundreds, thousands or even millions of computers, power saving could be very interesting to people concerned about climate change and those concerned with the organization's power bill.

    Within the 'current climate' an operating system could not only help systems to be more power efficient; power saving is an argument that sells too.

  • I too would like to see this be a feature in Windows (and manageable by GPO) - I've been tasked with finding a way of doing just this. You mentioned in your initial post that there are third party utilities that will automatically detect when the machine is connected to a hard-wired Ethernet port and drop the WiFi connection - would it be possible to point me in the direction of where I could find those third parties? Even a good Google search argument that would lead me there would be nice, as the best I've come up with just led me here.

    The reason we need to do it is we are running out of WiFi connections and it is primarily because people are docking their laptops but not turning off their wireless.

  • Can anyone comment on the effect on a relatively small wireless network if all laptops have their wireless NICs active, even if they have a wired connection? What kind of overhead does this have on access points?

  • Can't understand Microsoft: why do they ignore feature requests that customers have been asking for for years?
