Executive Summary

Title : Description of the Wi-Fi Protected Access 2 support for Wireless Group Policy in Windows XP Service Pack 2
Name : KB917021
Vendor : Microsoft
First vendor Publication : 2006-10-17
Last vendor Modification : 2006-10-17
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : N/A
Base Score : N/A
Environmental Score : N/A
Impact Sub Score : N/A
Temporal Score : N/A
Exploitability Sub Score : N/A
 

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score : N/A
Cvss Impact Score : N/A
Cvss Exploit Score : N/A
Attack Range : N/A
Attack Complexity : N/A
Authentication : N/A

Detail

Microsoft is releasing this security advisory to inform customers about an update that enables Wi-Fi Protected Access 2 (WPA2) support for Wireless network Group Policy settings in Windows XP Service Pack 2. This update is being released to provide parity between Windows XP Service Pack 2 (before a broad release vehicle, like a service pack, is released) and the upcoming release of Windows Server 2003 Service Pack 2. With this update, customers can create Wireless network Group Policy settings to simultaneously manage WPA2 on systems running Windows XP Service Pack 2 and for any versions of Windows targeted by the upcoming Windows Server 2003 Service Pack 2.

Also included in this update are Wireless client behavior changes for non-broadcast and ad-hoc networks. These defense-in-depth changes are intended to help prevent systems from connecting to networks other than those a user intends to connect to.

The reason these defense-in-depth changes are included in this update in addition to the WPA2 support for Wireless network Group Policy is to provide parity between the two Windows versions. This makes it possible to manage WPA2 settings for wireless clients on different Windows versions using the same Wireless Group Policy.

These defense-in-depth changes will be included in Windows 2003 Service Pack 2 as part of the same WPA2 support for Wireless network Group Policy settings. For more information about the upcoming Windows 2003 Service Pack 2 see the Windows Service Pack Road Map. The broad release vehicle is still considered to be a service pack for Windows XP for the defense-in-depth changes included in update 917021.

What is the scope of the advisory?
This advisory is being released to call out the fact that update 917021 also includes the same defense-in-depth changes made to Wi-Fi Protected Access 2 (WPA2) in the upcoming Windows 2003 Service Pack 2. For more information about this update, see Microsoft Knowledge Base Article 917021. For more information about the upcoming Windows 2003 Service Pack 2, see the Windows Service Pack Road Map.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. This is an update that enables Wi-Fi Protected Access 2 (WPA2) support for Wireless network Group Policy settings in Windows XP Service Pack 2. The type of defense-in-depth changes also carried in the update would typically not be made outside of service packs.

What is Wi-Fi Protected Access 2?
Wi-Fi Protected Access (WPA) is an interim standard adopted by the Wi-Fi Alliance to provide more secure encryption and data integrity while the IEEE 802.11i standard was being ratified. WPA supports authentication through 802.1X (known as WPA Enterprise) or with a preshared key (known as WPA Personal), a new encryption algorithm known as the Temporal Key Integrity Protocol (TKIP), and a new integrity algorithm known as Michael. WPA is a subset of the 802.11i specification.

Wi-Fi Protected Access 2 (WPA2) is a product certification that is available through the Wi-Fi Alliance. WPA2 certifies that wireless equipment is compatible with the IEEE 802.11i standard. The WPA2 product certification formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA.

For more information about WPA2, see this TechNet Web page.

What defense-in-depth improvements are included in this update?
The defense-in-depth changes included in this update help prevent systems from connecting to networks other than those a user intends to connect to. There are changes made to how clients behave in non-broadcast networks and in Ad Hoc networks. In addition, changes are made to the default “parking behavior”. These changes are discussed in more detail in Microsoft Knowledge Base Article 917021.

Why are defense-in-depth improvements included in this update?
This update is being released to provide parity between Windows XP Service Pack 2 and the upcoming release of Windows Server 2003 Service Pack 2. With this update, customers can create Wireless network Group Policy settings to simultaneously manage WPA2 on systems running Windows XP Service Pack 2 and for any versions of Windows targeted by the upcoming Windows Server 2003 Service Pack 2. In addition to Windows Server 2003 versions, this also includes Windows XP Professional x64 Edition. By also including these defense-in-depth changes in this update, we make it possible to manage WPA2 settings for wireless clients on different Windows versions using the same Wireless network Group Policy.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/917021.mspx