Non-broadcast Wireless Networks with Microsoft Windows
Published: November 02, 2005 | Updated: April 19, 2007
Writer: Joe Davies
On This Page
Abstract
Introduction
Why Non-broadcast Networks are not a Security Feature
Non-broadcast Network Behavior with Windows XP and Windows Server 2003
Non-broadcast Network Behavior with Windows Vista and Windows Server 2008
Connecting to Non-broadcast Wireless Networks from the Connect to a Network Wizard in Windows Vista
Abstract
Wireless access points (APs) of a non-broadcast or hidden wireless network do not broadcast their Service Set Identifier (SSID). Because non-broadcast wireless networks are not visible during an active scan, users need to know the SSID and configure a preferred wireless network before they can connect. This article describes non-broadcast networks, why Microsoft® recommends against their use, and the support for non-broadcast networks in Microsoft Windows®.
Introduction
Many wireless hardware vendors design wireless APs that can be configured to not broadcast their SSID (also known as their wireless network name). This feature is enabled with the goal of preventing unauthorized users from being able to detect the wireless network from their wireless clients. Wireless APs can conceal their SSIDs by sending out a Beacon frame with the SSID set to NULL.
Because the wireless APs of non-broadcast networks do not broadcast their SSID, they do not appear in the list of available wireless networks by default on Windows-based wireless clients. Therefore, users need to know the SSID and create a preferred wireless network with the SSID of the non-broadcast network. After the preferred wireless network has been created with the correct SSID, the Wireless Auto Configuration facility in Windows will be able to connect to it.
Why Non-broadcast Networks are not a Security Feature
Wireless security consists of two main elements: authentication and encryption. Authentication controls access to the network and encryption ensures that malicious users cannot determine the contents of wireless data frames. Although having users manually configure the SSID of a wireless network in order to connect to it creates the illusion of providing an additional layer of security, it does not substitute for either authentication or encryption.
A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.
Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks. When non-broadcast networks are used to hide a vulnerable wireless network—such as one that uses open authentication and Wired Equivalent Privacy—a Windows XP or Windows Server 2003-based wireless client can inadvertently aid malicious users, who can detect the wireless network SSID from the wireless client that is attempting to connect. Software that can be downloaded for free from the Internet leverages these information disclosures and targets non-broadcast networks.
This behavior is worse for enterprise wireless networks because of the number of wireless clients that are periodically advertising the non-broadcast network name. For example, an enterprise wireless network consists of 20 wireless APs and 500 wireless laptops. If the wireless APs are configured to broadcast, each wireless AP would periodically advertise the enterprise’s wireless network name, but only within the range of the wireless APs. If the wireless APs are configured as non-broadcast, each of the 500 Windows XP or Windows Server 2003-based laptops would periodically advertise the enterprise’s wireless network name, regardless of their location (in the office, at a wireless hotspot, or at home).
For these reasons, it is highly recommended that you do not use non-broadcast wireless networks. Instead, configure your wireless networks as broadcast and use the authentication and encryption security features of your wireless network hardware and Windows to protect your wireless network, rather than relying on non-broadcast behavior.
Non-broadcast Network Behavior with Windows XP and Windows Server 2003
You can use Windows XP and Windows Server 2003-based wireless clients to connect to non-broadcast networks. In Windows XP or Windows Server 2003, users can connect to non-broadcast networks by configuring a preferred wireless network (either manually or through Group Policy) and specifying the non-broadcast network SSID. Wireless Auto Configuration then uses the configuration to connect to the non-broadcast network. The following figure shows an example of manually configuring a preferred wireless network.
Wireless Auto Configuration goes through the available networks list and attempts to match them to the wireless networks in the preferred networks list in descending order. If there is a match and the preferred wireless network is configured for an automatic connection (from the Connect when this network is in range checkbox on the Connection tab), Wireless Auto Connection will try to connect to it. If there is no match, Wireless Auto Configuration will actively probe for the networks in the preferred networks list in descending order. It is during the active probes that Wireless Auto Configuration will attempt to connect to a non-broadcast network if it is in range.
This behavior of Wireless Auto Configuration means that broadcast networks will be connected to before non-broadcast networks. Therefore, even if a non-broadcast network is higher in the preferred list than a broadcast network, if they are both in range and configured to automatically connect, Wireless Auto Configuration will connect to the broadcast network first. For more information, see Wireless Auto Configuration.
Another consequence of this behavior is that users must configure the preferred wireless networks corresponding to non-broadcast networks to automatically connect. If not, Wireless Auto Configuration will not automatically try to connect, and the user will have no way of manually connecting to the non-broadcast network because it does not appear in the Choose a wireless network dialog box.
For computers running Windows XP with SP2 and the Wireless Client Update for Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 2, you can now configure wireless networks as broadcast networks or as non-broadcast networks. Additionally, Wireless Auto Configuration sends probe requests only for non-broadcast networks. You can specify a wireless network as non-broadcast on the Connections tab for the properties of the wireless network. You can also configure this new setting through Group Policy from a computer that is running Windows Vista™.
Non-broadcast Network Behavior with Windows Vista and Windows Server 2008
In Windows Vista and Windows Server 2008 (now in beta testing), an additional wireless network configuration setting has been added that indicates whether a wireless network is broadcast or non-broadcast. This setting can be configured locally through the Manually connect to a wireless network dialog box, the properties of the wireless network, at the command line with commands in the netsh wlan context, or through Group Policy. The following figure shows an example of the Connection tab for the default properties of a wireless network in Windows Vista.
The Connect even if the network is not broadcasting check box determines whether the wireless network broadcasts (cleared, the default value) or does not broadcast (selected) its SSID. When selected, Wireless Auto Configuration sends probe requests to discover if the non-broadcast network is in range.
Because configured wireless networks are now explicitly marked as broadcast or non-broadcast, Windows Vista and Windows Server 2008-based wireless clients only send probe requests for wireless networks that are configured for automatic connection (the Connect automatically when this wireless network is in range check box on the Connection tab) and as non-broadcast. This behavior allows Windows Vista and Windows Server 2008-based wireless clients to detect non-broadcast networks when they are in range. Therefore, even though the wireless APs are not broadcasting the name of their wireless network, they will appear in the list of available wireless networks when they are in range. Because the wireless client detects whether the automatically-connected, non-broadcast networks are in range based on responses to the probe request, Wireless Auto Configuration now attempts to connect to the wireless networks in the preferred networks list order, regardless of whether they are configured as broadcast or non-broadcast. By only sending probe requests for automatically-connected, non-broadcast networks, Windows Vista and Windows Server 2008-based wireless clients reduce the number of situations in which they disclose their wireless network configuration.
Additionally, users can configure manually-connected, non-broadcast wireless networks and control exactly when to send probe requests. Manually-connected, non-broadcast wireless networks are always displayed in the list of available networks, allowing users to initiate connections as needed.
Despite the improvements in non-broadcast network support in Windows Vista and Windows Server 2008, Microsoft recommends against using non-broadcast wireless networks due to the security and privacy concerns described in the “Why Non-broadcast Networks are not a Security Feature” section of this article.
Connecting to Non-broadcast Wireless Networks from the Connect to a Network Wizard in Windows Vista
Windows Vista allows users to connect to non-broadcast networks from the Connect to a network wizard. When the wireless client receives a Beacon message with a NULL SSID, Windows Vista adds the wireless network to the available network list with the title “Unnamed Network.”
If a user attempts to connect to the “Unnamed Network,” they are prompted to type the name of the non-broadcast network. After the user enters the network name, Wireless Auto Configuration sends a probe request for the wireless network with the provided name. If the provided network name matches the SSID of the non-broadcast network, the wireless AP sends a probe response and the wireless client and the wireless AP continue the wireless connection process.