Windows 7 Wireless Network Security Key easily shown with a click of the mouse
Dear All,

Our company is now thinking of implementing Windows 7, however I encountered a BIG security issue with this O/S. (I thought Win7 was supposed to be tight in security.)

Wireless Network Security Key Flaw

When the Wireless LAN Network Keys have already been entered into the system, a normal user with administrative rights (to the local machine) can in fact go into the Wireless network properties and view the entered Network Security Key. (See Picture 1 and 2)

This is due to a checkbox located conveniently below the Network Security Key, named Show Characters. By clicking on this checkbox, the user actually can have the network security key displayed in clear text! Now, isn't that convenient?

Links to pictures as below (pics slightly small):
http://i68.servimg.com/u/f68/13/98/44/65/networ14.jpg
http://i68.servimg.com/u/f68/13/98/44/65/networ15.jpg

Anyone got advice on how to remove the checkbox? Thank you in advance.

Adam
March 20th, 2010 6:57am

Hi,

Janata is correct. The feature is by design and the "Show Characters" box cannot be disabled. Please understand that the feature is designed for users who may forget the password, so that it can be easily recovered. However, it can only be configured by an administrator. A Standard user does not have the privilege to access it.

By the way, for product design questions, you can share your opinions in Microsoft Feedback & Idea Center.

Thanks,
Novak
March 22nd, 2010 10:34pm

Dear Novak,

I do understand that this is by "Design". However, as IT Administrator of the company's notebooks, I do not require this feature as I do not think that I'd ever forget the WPA key. And yet, our users require administrator rights because we are a solution provider company, and our users tend to travel so often that they will require the rights to their local administrator for software installation, and such.

If the MS Feedback & Idea Center is the only option, then I'd proceed that way.

Thank you.
March 24th, 2010 5:33am

Hi Adamis, I fully understand the inconvenience this issue has caused. If there is any feedback or suggestion, please feel free to share the opinions in Microsoft Feedback and I'm sure that your concerns will be addressed. Regards, Novak
March 26th, 2010 2:31am

Hi, Janata is correct. The feature is by design and the "Show Characters" box cannot be disabled. Please understand that the feature is designed for users who may forget the password, so that it can be easily recovered. However, it can only be configured by an administrator. A Standard user does not have the privilege to access it. By the way, for product design questions, you can share your opinions in Microsoft Feedback & Idea Center. Thanks, Novak

Dear Novak,

The links in the MS Feedback & Idea Center are invalid. Any other links?
April 7th, 2010 4:31am

Hello there! I have the same problem here. I am the network admin here in our university. As part of our security, we require our students to register their device. We are the ones who type the passkey so that no unregistered device can access our wifi. Ever since Windows 7 came out, we noticed that there are a lot of unregistered devices in our network already. We found out about this issue recently. Now, we are no longer accepting PCs with the Windows 7 OS. Some of the students went back to Vista and XP just to be able to access the school resources.

I do hope that you would try to fix this issue. And if you say that "the feature is by design", well, you better redesign this feature. Please let me know if there is a service pack for this. Email me please! (richter.robin.vecina@hotmail.com)

By the way, a security flaw can't be fixed through additional security in the network! And Adamis is right! The links in the MS Feedback & Idea Center are invalid.
June 25th, 2010 12:08am

In general, pre-shared keys are not very secure. Microsoft is sending you the message. WEP and WPA are very susceptible to attack. WPA uses SSID as salt, but that means you can easily create rainbow tables for a given SSID. They are also vulnerable to dictionary attacks / weak passphrases. If you can capture an authentication session, you can crack the network. There is code out there to brute-force WPA2-PSK, also code for NVIDIA graphics cards, so 100 times faster than current Intel CPUs. Switch to something secure. WPA2 enterprise mode is way better.
July 1st, 2010 4:42am

This is just a cop-out. I have users with their own PCs on our wireless network - they can access the Administrator account (as it is their own PC...) and therefore the Wireless Network Key - in Windows 7 - which was never available to them before in previous operating system versions. We, as network administrators, must be given a way of turning this "feature" off. Excuses as to why WPA keys are vulnerable anyway just do not cut it.
December 21st, 2010 7:08pm

Same issue/problem here and I can't agree with you more that this is a cop-out. Why don't we have a checkbox or method that allows a user to see their local or domain password? Or even other users' passwords (if you are Admin) just in case they forget them?

We use WPA2 PSK with a complex 31-character passkey. Creating rainbow tables or brute forcing a passphrase like that is not possible at this time as far as we know. I think this is a very poor "design decision" in the first place but it is even worse that there is no way, even with a GPO, to disable it. Yes, it could be disabled if we do not make our users local Admins but I don't have a year to figure out how to make the multitude of applications that we run at our organization work with user privileges. This issue is so critical to us that it has totally halted our Windows 7 deployment.

I found this link for Windows 7 feedback http://mymfe.microsoft.com/Windows%207/Feedback.aspx?formID=195 and posted my concerns there. I also sent an email to secure@microsoft.com. If there is a better way to let MS know about this egregious security breach please post.

TekMason
January 24th, 2011 9:55pm

I got a reply in response to my email to secure@microsoft.com this morning. They are hiding behind the "design feature" argument as well.

Thank you for your message. This is a by design feature of the Windows 7 operating system and is not something we consider to be a vulnerability. If this is a significant issue my best recommendation is to upgrade to an enterprise level wireless solution.

I responded back with:

Because of the Windows 7 "design feature" our passkey has been revealed and we have all kinds of rogue devices connecting to our wireless network. I've heard that "by design" argument before. Surely this would be a very easy issue for Microsoft to address. Please see the link that I sent you which explains in more detail as to why this is a very bad/insecure "design feature". If it is acceptable "by design" to reveal passwords then... Why do we not have that ability to show a user's domain or local machine password?

We have an Enterprise class Wireless network with about 50 lightweight, centrally managed APs across 12 sites. It was perfectly secure prior to connecting Windows 7 PCs up to it. From a financial and manageability perspective it is not feasible to set up servers at each site that will provide 802.11x authentication for WPA2-Ent. This issue has halted our deployment of Windows 7 as it has with other organizations.

I hope I can get some attention to this issue from Microsoft before it gets the attention of the security community. I have filed a vulnerability report to Secunia and asked them what their opinion is on this issue. I'll continue to communicate with other security organizations if we don't get an acceptable solution. I would urge others to do the same.

TekMason
Network and Security Architect
January 25th, 2011 11:13am

Still quiet?

"When you hit a wrong note it's the next note that makes it good or bad". Miles Davis
July 2nd, 2011 11:41am

Sorry about the above post, I hit the wrong key while moving the keyboards. I believe I have come across a registry change that solves this issue. Quoted from Bernard:

"I have found a solution, which is not very elegant but it works. The way is to find the key in the registry where you can unlock the viewing of the WIFI Key. For that, you have to find a Key where the value is "CElevateWlanUi". In my case, it was in HKEY_CLASSES_ROOT\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}.

Under this key you have 3 values:
The first one (default) with the value "CElevateWlanUi"
The second one, AccessPermission, of type Reg_Binary with a binary value (doesn't matter to understand what it means)
The third one is called DllSurrogate with a null value.

The way I solved the problem is to set up the authorizations of the main Key {86F80216-5DD6-4F43-953B-35EF40A35AEE} by a right-click, then "authorizations". After that you have to take possession of this key. I set up the owner as our domain administrator. For that, click on the button "Advanced", then on the tab "owner", and replace TrustedInstaller by the administrator of my domain. Then, I came back to the main panel of authorizations of the main key. I deleted the entry LAP505\administrators and the entry LAP505\domain users, and added the entry for my domain administrator with all rights. (LAP505 is the computer name.) I applied all the modifications.

I repeated the operation for the second occurrence of the key: HKEY_LOCAL_MACHINE\Software\classid\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}

And when I logged on with a user with local admin privileges, I could connect to the WIFI network, I could access the network center but I couldn't unmark the "Hide characters". It works!

Second point: As my users also want to connect their laptop at home on their box, I checked the possibility to add a WIFI connection and it worked also! The only restriction is that they can't see the key once it is entered (for modification, they have to delete the connection and re-create it).

I hope it will help you!"
July 8th, 2011 5:45pm
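
An added example, not part of any post in this thread: a read-only PowerShell audit of the AppID key named in the quoted workaround, reporting its owner and whether the local Administrators or Users groups still hold an Allow entry. It assumes the post's second path refers to `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID`, and it only inspects the ACL; the function name, the watched groups and the status labels are choices made for this example, and it does not confirm what the "Show characters" box does.

```powershell
# Added example (read-only): audit the AppID key named in the post above.
$AppId = '{86F80216-5DD6-4F43-953B-35EF40A35AEE}'      # GUID quoted in the post
$Paths = @(
    "Registry::HKEY_CLASSES_ROOT\AppID\$AppId",
    # Assumption: the post's second path means the machine-wide Classes\AppID key
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$AppId"
)
# Well-known SIDs, so the check does not depend on the display language
$Watch = @{ 'S-1-5-32-544' = 'BUILTIN\Administrators'; 'S-1-5-32-545' = 'BUILTIN\Users' }
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-WlanUiKeyAudit {
    foreach ($path in $Paths) {
        $row = @{ Path = $path; Owner = ''; WatchedAllowAces = ''; Status = '' }
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
            $row.Owner = $acl.Owner
            # Collect Allow entries (explicit and inherited) held by the watched groups
            $hits = @(foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -eq 'Allow' -and $Watch.ContainsKey($sid)) {
                    '{0}: {1}' -f $Watch[$sid], $rule.RegistryRights
                }
            })
            $row.WatchedAllowAces = $hits -join '; '
            # 'Restricted' = owner changed and watched groups removed, as the post describes
            $row.Status = if ($acl.Owner -eq 'NT SERVICE\TrustedInstaller' -or $hits.Count -gt 0) {
                'NotRestricted'
            } else { 'Restricted' }
        } catch {
            # Missing key, or the ACL already denies this account read access
            $row.Status = 'Unreadable: ' + $_.Exception.Message
        }
        New-Object psobject -Property $row
    }
}

Get-WlanUiKeyAudit | Format-List Path, Owner, WatchedAllowAces, Status
```

Run on a schedule from an account that can read the key, a machine that moves from `Restricted` back to `NotRestricted` shows the permissions were changed again, which is the situation later replies in this thread describe.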

An easier solution is to use Group Policy to disable looking at the connection of a LAN Connection. If they cannot get to the page, they cannot see the password or the checkmark. You can also disable the Network and Sharing Center in the control panel. Users can still add wireless networks, but they cannot go back and update a network key if it changes for some reason. Still though, this isn't a solution for universities where students are admins and can undo any security settings that you set on their machines. Even the above solution can be undone if you have an ambitious student and it only takes 1.
July 11th, 2011 3:22pm

True, but once the changes are done we will use Deepfreeze to maintain the settings and registries. It is a temp solution at the moment for this deployment.
July 18th, 2011 11:42am

Has MS come any closer to fixing this? Will they even admit it is a security risk?
December 8th, 2011 12:19pm

This just makes no sense to me whatsoever. Instead of leaving it like it was in previous versions they change it and then the fix is to create more management overhead with group policies or third party software that could also add additional costs. I have been a MS guy forever but it's stuff like this that has me starting to look at other options for my client computers. MS REALLY dropped the ball here in my opinion. I just can't believe their "developers" thought this was a good idea.
December 28th, 2011 3:45pm

I totally agree with the criticism. My home WIFI network used to be secure, and it was possible to grant my kids' visiting friends WiFi access without compromising access control to the network. Suggesting enterprise solutions is totally irrelevant in this context, and the current situation with Win7 WiFi setup is equivalent to posting the password on the bulletin board at the local mall. You'd think somebody with half a brain could figure out the downsides of the new solution prior to releasing it. A fix is overdue, and hiding behind "by design" and "use enterprise solutions" does definitely not cut it!
January 6th, 2012 10:19am

This is great, however... we tried it but then try this: go and lower the UAC to the minimum, restart, and you are back to square one... Any other suggestions, anyone?
January 26th, 2012 9:43am

There is NO solution whatsoever. We spent hours trying proposed solutions. The registry hack does not work either. Setting people to power users is not an option with our team as well. The only viable option is to stick with XP, or buy an enterprise solution.
February 24th, 2012 4:28pm

I also have the same problem, and I tried this registry editor idea but I failed... But afterwards I thought: this wireless password can be seen by everyone because I am logged on to the computer as administrator. After that I made one user account and always use the computer with this user login. If I am using this user account, then in network properties the wireless network password is really not displayed... This is the simple idea to hide the wireless network password in Windows 7. Thanks
June 10th, 2012 8:54am

Even logged in as a Domain Admin, it says I don't have write access to the [DllSurrogate] REG entry. I need to perform this task via a batch command similar to the following:

START REGEDIT /S "\\192.168.6.20\NETLOGON\REGFILES\HIDEPASSWORD.REG"
July 17th, 2012 1:58pm

This topic is archived. No further replies will be accepted.
