Windows 7 Wireless Network Security Key easily shown with a click of the mouse
Dear All, Our company is now thinking of implementing Windows 7; however, I have encountered a BIG security issue with this O/S. (I thought Win7 was supposed to be tight in security.)

Wireless Network Security Key Flaw

When the wireless LAN network keys have already been entered into the system, a normal user with administrative rights (to the local machine) can in fact go into the wireless network properties and view the entered Network Security Key. (See Picture 1 and 2.) This is due to a checkbox located conveniently below the Network Security Key, named Show Characters. By clicking on this checkbox, the user can actually have the network security key displayed in clear text! Now, isn't that convenient?

Links to pictures as below (pics slightly small):
http://i68.servimg.com/u/f68/13/98/44/65/networ14.jpg
http://i68.servimg.com/u/f68/13/98/44/65/networ15.jpg

Anyone got advice on how to remove the checkbox? Thank you in advance. Adam
March 20th, 2010 1:57pm

Hi, it is a built-in function. I think that a good way is to implement additional security on your network (MAC addresses and/or 802.XX security).
March 22nd, 2010 11:24am

Hi, Janata is correct. The feature is by design and the "Show Characters" box cannot be disabled. Please understand that the feature is designed for users who may forget the password, so that it can be easily recovered. However, it can only be configured by an administrator. The Standard user does not have the privilege to access it. By the way, for product design questions, you can share your opinions in Microsoft Feedback & Idea Center. Thanks, Novak
March 23rd, 2010 5:35am

Dear Novak, I do understand that this is by "Design". However, as IT Administrator of the company's notebooks, I do not require this feature as I do not think that I'd ever forget the WPA key. And yet, our users require administrator rights because we are a solution provider company, and our users tend to travel so often that they will require the rights to their local administrator for software installation, and such. If the MS Feedback & Idea Center is the only option, then I'd proceed that way. Thank you.
March 24th, 2010 12:33pm

Hi Adamis, I fully understand the inconvenience this issue has caused. If there is any feedback or suggestion, please feel free to share the opinions in Microsoft Feedback and I'm sure that your concerns will be addressed. Regards, Novak
March 26th, 2010 9:31am

"Hi, Janata is correct. The feature is by design and the "Show Characters" box cannot be disabled. Please understand that the feature is designed for users who may forget the password, so that it can be easily recovered. However, it can only be configured by an administrator. The Standard user does not have the privilege to access it. By the way, for product design questions, you can share your opinions in Microsoft Feedback & Idea Center. Thanks, Novak"

Dear Novak, The links in the MS Feedback & Idea Center are invalid. Any other links?
April 7th, 2010 11:31am

Hello there! I have the same problem here. I am the network admin here in our university. As part of our security, we require our students to register their devices. We are the ones who type the passkey so that no unregistered device can access our wifi. Ever since Windows 7 came out, we noticed that there are a lot of unregistered devices in our network already. We found out about this issue recently. Now, we are no longer accepting PCs with the Windows 7 OS. Some of the students went back to Vista and XP just to be able to access the school resources. I do hope that you would try to fix this issue. And if you say that "the feature is by design", well, you better redesign this feature. Please let me know if there is a service pack for this. Email me please! (richter.robin.vecina@hotmail.com) By the way, a security flaw can't be fixed through additional security in the network! And Adamis is right! The links in the MS Feedback & Idea Center are invalid.
June 25th, 2010 7:08am

In general, pre-shared keys are not very secure. Microsoft is sending you the message. WEP and WPA are very susceptible to attack. WPA uses SSID as salt, but that means you can easily create rainbow tables for a given SSID. They are also vulnerable to dictionary attacks / weak passphrases. If you can capture an authentication session, you can crack the network. There is code out there to brute-force WPA2-PSK, also code for NVIDIA graphics cards, so 100 times faster than current Intel CPUs. Switch to something secure. WPA2 enterprise mode is way better.
July 1st, 2010 11:42am

This is just a cop-out. I have users with their own PCs on our wireless network - they can access the Administrator account (as it is their own PC...) and therefore the Wireless Network Key - in Windows 7 - which was never available to them before in previous operating system versions. We, as network administrators, must be given a way of turning this "feature" off. Excuses as to why WPA keys are vulnerable anyway just do not cut it.
December 21st, 2010 7:12pm

Same issue/problem here and I can't agree with you more that it is a cop-out. Why don't we have a checkbox or method that allows a user to see their local or domain password? Or even other users' passwords (if you are Admin) just in case they forget them? We use WPA2 PSK with a complex 31 character passkey. Creating rainbow tables or brute forcing a pass phrase like that is not possible at this time as far as we know. I think this is a very poor "design decision" in the first place but it is even worse that there is no way, even with a GPO, to disable it. Yes it could be disabled if we do not make our users local Admins but I don't have a year to figure out how to make the multitude of applications that we run at our organization with user privileges. This issue is so critical to us that it has totally halted our Windows 7 deployment. I found this link for Windows7 feedback http://mymfe.microsoft.com/Windows%207/Feedback.aspx?formID=195 and posted my concerns there. I also sent an email to secure@microsoft.com. If there is a better way to let MS know about this egregious security breach please post. TekMason
January 24th, 2011 9:59pm

Same issue/problem here and I can't agree with you more that it is a cop-out. Why don't we have a checkbox or method that allows a user to see their local or domain password? Or even other users' passwords (if you are Admin) just in case they forget them? We use WPA2 PSK with a complex 31 character passkey. Creating rainbow tables or brute forcing a pass phrase like that is not possible at this time as far as we know. I think this is a very poor "design decision" in the first place but it is even worse that there is no way, even with a GPO, to disable it. Yes it could be disabled if we do not make our users local Admins but I don't have a year to figure out how to make the multitude of applications that we run at our organization with user privileges. This issue is so critical to us that it has totally halted our Windows 7 deployment. I found this link for Windows7 feedback http://mymfe.microsoft.com/Windows%207/Feedback.aspx?formID=195 If there is a better way to let MS know about this egregious security breach please post. TekMason
January 24th, 2011 10:00pm
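
Two points raised in the posts above, the SSID acting as the salt for the WPA/WPA2 pre-shared key and the strength of a 31-character passkey, worked through as an added example that is not part of any post in this thread. The SSIDs, both passphrases and the guess rate are constructed assumptions; the derivation itself is the standard PBKDF2-HMAC-SHA1 used for WPA-PSK.

```python
import hashlib
import math
import string

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes."""
    pw = passphrase.encode("ascii")   # non-ASCII raises UnicodeEncodeError (a ValueError)
    salt = ssid.encode("utf-8")
    if not 8 <= len(pw) <= 63 or any(b < 32 or b > 126 for b in pw):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32)

def max_entropy_bits(passphrase: str) -> float:
    """Upper bound: holds only if each character was drawn at random from the
    character classes present. Words and patterns are worth far less."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate of the given entropy at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

# Constructed sample values, not taken from the thread.
WEAK = "password"
STRONG_31 = "k7#Vq2!mZx9@Lp4$Rt8&Wn3^Hb6*Yc5"
ASSUMED_RATE = 1e5   # guesses per second; an assumption for illustration only

if __name__ == "__main__":
    # Same passphrase, different SSID: a different key, so a precomputed
    # table is only reusable against networks sharing that exact SSID.
    print(derive_pmk(WEAK, "linksys").hex())
    print(derive_pmk(WEAK, "corp-wlan-7f3a").hex())
    for p in (WEAK, STRONG_31):
        bits = max_entropy_bits(p)
        print(f"{len(p):2d} chars  <= {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, ASSUMED_RATE):.3g} years at assumed rate")
```

A long random passkey protects against guessing only; it does nothing once the stored key can be read on a client, which is the complaint in this thread.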

I got a reply in response to my email to secure@microsoft.com this morning. They are hiding behind the "design feature" argument as well.

"Thank you for your message. This is a by design feature of the Windows 7 operating system and is not something we consider to be a vulnerability. If this is a significant issue my best recommendation is to upgrade to an enterprise level wireless solution."

I responded back with:

Because of the Windows7 "design feature" our passkey has been revealed and we have all kinds of rogue devices connecting to our wireless network. I've heard that "by design" argument before. Surely this would be a very easy issue for Microsoft to address. Please see the link that I sent you which explains in more detail as to why this is a very bad/insecure "design feature". If it is acceptable "by design" to reveal passwords then... Why do we not have that ability to show a user's domain or local machine password?

We have an Enterprise class Wireless network with about 50 lightweight, centrally managed APs across 12 sites. It was perfectly secure prior to connecting Windows7 PCs up to it. From a financial and manageability perspective it is not feasible to set up servers at each site that will provide 802.11x authentication for WPA2-Ent. This issue has halted our deployment of Windows7 as it has with other organizations.

I hope I can get some attention to this issue from Microsoft before it gets the attention of the security community. I have filed a vulnerability report to Secunia and asked them what their opinion is on this issue. I'll continue to communicate with other security organizations if we don't get an acceptable solution. I would urge others to do the same.

TekMason
Network and Security Architect
January 25th, 2011 11:19am

Still quiet?

"When you hit a wrong note it's the next note that makes it good or bad". Miles Davis
July 2nd, 2011 11:48am

Has any resolution been developed to eliminate this problem? I have been searching the internet and have been unable to find a solution. Thanks
July 7th, 2011 4:01pm

Sorry about the above post, I hit the wrong key while moving the keyboards. I believe I have come across a registry change that solves this issue. Quoted from Bernard:

"I have found a solution, which is not very elegant but it works. The way is to find the key in the registry where you can unlock the viewing of the WIFI Key. For that, you have to find a Key where the value is "CElevateWlanUi". In my case, it was in HKEY_CLASSES_ROOT\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}.

Under this key you have 3 values:
The first one (default) with the value "CElevateWlanUi"
The second one AccessPermission of type Reg_Binary with a binary value (doesn't matter to understand what it means)
The third one is called DllSurrogate with a null value.

The way I solved the problem is to set up the authorizations of the main Key {86F80216-5DD6-4F43-953B-35EF40A35AEE} by a right-click, then "authorizations". After that you have to take possession of this key. I set up the owner as our domain administrator. For that click on the button "Advanced" then on the tab "owner" and replace TrustedInstaller by the administrator of my domain. Then, I came back to the main panel of authorizations of the main key. I deleted the entry LAP505\administrators and the entry LAP505\domain users, and added the entry for my domain administrator with all rights. (LAP505 is the computer name.) I applied all the modifications.

I repeated the operation for the second occurrence of the key: HKEY_LOCAL_MACHINE\Software\classid\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}

And when I logged on with a user with local admin privileges, I could connect to the WIFI network, I could access the network center but I couldn't unmark the "Hide characters". It works!

Second point: As my users also want to connect their laptop at home on their box, I checked the possibility to add a WIFI connection and it worked also! The only restriction is that they can't see the key once it is entered (for modification, they have to delete the connection and re-create it). I hope it will help you!"
July 8th, 2011 5:51pm

An easier solution is to use Group Policy to disable looking at the connection of a LAN Connection. If they cannot get to the page, they cannot see the password or the checkmark. You can also disable the Network and Sharing Center in the Control Panel. Users can still add wireless networks, but they cannot go back and update a network key if it changes for some reason. Still though, this isn't a solution for universities where students are admins and can undo any security settings that you set on their machines. Even the above solution can be undone if you have an ambitious student and it only takes 1.
July 11th, 2011 3:28pm

This topic is archived. No further replies will be accepted.
