Planning for Recommended Wired Security Configurations
Applies To: Windows Server 2008, Windows Server 2008 R2
Microsoft recommends that you use one of the following combinations of security technologies. These security technologies are listed in order of most secure to least secure.
Extensible Authentication Protocol
Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) authentication and both user and computer certificates.
PEAP uses TLS to create an encrypted channel between an authentication PEAP access client, such as a wired or wireless computer, and a PEAP authentication server, such as a server running Network Policy Server (NPS). PEAP-TLS uses digital certificates to provide mutual authentication, in which the access client authenticates itself to the authentication server and vice versa. PEAP-TLS authentication requires a public key infrastructure (PKI) to issue certificates and keep them current. For the highest security, configure your PKI to issue both user and computer certificates for wired access.
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication and both user and computer certificates.
EAP-TLS also uses digital certificates to provide mutual authentication. EAP-TLS authentication requires a public key infrastructure (PKI) to issue certificates and keep them current.
PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) authentication and require strong user passwords.
EAP-TLS and PEAP-TLS provide stronger 802.1X authentication than PEAP-MS-CHAP v2. If a PKI deployment is not possible or feasible, however, you can use PEAP-MS-CHAP v2. PEAP-MS-CHAP v2 is a password-based authentication method in which the exchange of authentication messages is protected by using an encrypted TLS session, making it much more difficult for a malicious user to determine the password of a captured authentication exchange. You can use PEAP-MS-CHAP v2 to provide strong password-based authentication for your wired clients, but only when used in conjunction with strong user password requirements on your network.
If you are deploying PEAP-MS-CHAP v2 authentication, require the use of strong passwords on your network. Strong passwords are longer than 8 characters and contain a mixture of upper and lower case letters, numbers, and punctuation. In an Active Directory domain, use Group Policy settings in Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy to enforce strong user passwords requirements.
If you are planning to deploy Network Access Protection (NAP) on your network, you must deploy either PEAP-TLS or PEAP-MS-CHAP v2.
Wired authentication modes
Wired access clients can perform authentication using the following modes:
User re-authentication. (Recommended)
An 802.1X always uses security credentials based on the current state of the computer. Authentication is performed by using the computer credentials when no users are logged on to the computer. When a user logs on to the computer, authentication is always performed by using the user credentials.
Authentication is always performed by using only the computer credentials.
Specifies that when users are not logged on to the computer, authentication is performed by using the computer credentials. After a user logs on to the computer, authentication is still based on the computer credentials. If the user has a portable computer and travels to a new location on the wired network, then authentication is performed based on the user credentials.
Allows connection to the network that are regulated by the restrictions and permissions that are set for the guest account.
Media access control (MAC) address filtering
Microsoft recommends that you do not use media access control (MAC) address filtering. Some switches provide MAC address filtering, which allows you to configure a set of MAC addresses for allowed access clients. MAC address filtering adds administrative overhead to keep the list of allowed MAC addresses current and does not prevent a malicious user from spoofing an allowed MAC address.