NET-103 (Chapter 7)
802.1X
802.1X authentication uses usernames and passwords, certificates, or devices such as smart cards to authenticate wireless clients. Originally designed for Ethernet networks, the 802.1X standard has been adapted for wireless networks (WPA/WPA2-Enterprise) to provide per-user authentication. 802.1X authentication requires the following components:
A RADIUS server to centralize user account and authentication information. RADIUS is used because it carries the EAP exchange between the access point and the server; TACACS+ is a device-administration protocol and does not fill this role. A centralized database for user authentication allows wireless clients to roam between cells while authenticating with the same account information.
A PKI for issuing certificates. At a minimum, the RADIUS server must have a server certificate, and clients should be configured to validate it so they cannot be lured into authenticating to a rogue access point. To support mutual authentication (for example EAP-TLS), each client must also have a certificate.
Use 802.1X authentication on large, private networks. Users authenticate with unique usernames and passwords, so access can be revoked for one user without changing a shared key on every device.
Network Address Translation (NAT)
A method for remapping one IP address space into another by modifying network address information in packets' IP headers while they are in transit.
Dual-band access point
An access point with radios for both the 2.4 GHz and 5 GHz bands, so clients can be spread across the two. The 5 GHz band offers more non-overlapping channels and less interference but shorter range.
Wi-Fi protected setup (WPS)
A setup-convenience standard for wireless home networks that lets a device join by entering a PIN or pressing a button instead of typing the passphrase. It has known weaknesses (see Configure Wi-Fi Protected Setup below).
Home network
A profile designed for networks in which you know and trust every device.
Public Network
A profile designed for use on unknown networks.
Work network
A profile designed to be used in a SOHO.
Secure Desktop
A UAC security mode in Windows that switches to a dimmed, isolated desktop whenever an elevation prompt appears. No other task can be performed, and no other program can draw over or answer the prompt, until the user responds.
Small home/home office network (SOHO)
A small office/home office network: typically one consumer-grade router providing Wi-Fi, NAT, DHCP, and a basic firewall for a small number of devices.
Door Lock
A smart lock is an electromechanical lock that can be locked and unlocked using a smart phone. It uses a wireless protocol and a cryptographic key to execute the authorization process. It can also monitor access and send alerts related to the status of the device.
Digital Assistant
A smart speaker that controls your smart appliances and performs other actions through voice commands.
Switch
A smart switch is a device that allows you to control hardwired lights, ceiling fans, certain fireplaces, small appliances, and even the garbage disposal with an app on your phone or with your voice using a virtual assistant. Smart switches give smart home features to anything you turn on or off with the flip of a switch.
Ad hoc
A temporary peer-to-peer wireless mode (IBSS) in which clients communicate directly with each other and no access point is involved.
Open authentication
The 802.11 null authentication method: any client that requests to associate is accepted, the only identifier it presents being its MAC address. It provides no security by itself.
Access Token
A kernel object created at logon that holds the user's SID, group memberships, and privileges. The system compares it against an object's access control list to determine what the user is allowed to do.
Shared key authentication
An 802.11 authentication method in which the client proves it holds the WEP key by encrypting a challenge sent by the access point. Because both the plaintext challenge and the encrypted response are transmitted, an eavesdropper recovers keystream, so it is weaker than open authentication combined with WEP.
Wi-Fi Protected Access (WPA)
The Wi-Fi Alliance's interim security certification based on a draft of the 802.11i specification. It introduced TKIP (RC4 with per-packet keys and a message integrity check) as a firmware-upgradable replacement for WEP.
Wi-Fi Protected Access II (WPA2)
The Wi-Fi Alliance certification for the ratified 802.11i specification. It requires CCMP (AES-based) encryption and supports both pre-shared key (Personal) and 802.1X (Enterprise) authentication.
Configure Encryption and Authentication
Add authentication to allow only authorized devices to connect. Use encryption to protect wireless communications from eavesdropping.
Always use WPA2 when possible (or WPA3 where every device supports it). If WPA2 isn't available, use WPA.
For a SOHO network without a domain, use pre-shared key (PSK) authentication with AES (more secure) rather than TKIP (less secure) encryption.
Configure the shared secret (passphrase) used with WPA2 or WPA. Each client must be configured with the same secret value. The passphrase must be 8 to 63 printable ASCII characters; a long, random one resists offline guessing against a captured handshake.
Because WEP has several known security vulnerabilities and can be cracked in minutes, it should be used only as a last resort. When using WEP, never use shared key authentication; use only open authentication.
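As an added example (not part of the original notes), the following Python code validates a WPA/WPA2 passphrase against the 8-63 printable ASCII rule and derives the 256-bit Pairwise Master Key the way a client or access point does: PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations. It shows why every device must hold the identical passphrase and why the SSID is part of the key. The "password"/"IEEE" pair is the test vector published in the 802.11i specification; the other passphrases and SSIDs are constructed sample values.

```python
import hashlib
import string

# Printable ASCII minus whitespace control characters; WPA/WPA2-PSK
# passphrases must be 8-63 characters drawn from this set.
PRINTABLE_ASCII = frozenset(string.printable) - frozenset("\t\n\r\x0b\x0c")


def validate_passphrase(passphrase: str) -> list:
    """Return the list of rule violations for a WPA/WPA2 passphrase (empty if OK)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(ch not in PRINTABLE_ASCII for ch in passphrase):
        problems.append("only printable ASCII characters are allowed")
    return problems


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte Pairwise Master Key from passphrase and SSID.

    WPA/WPA2-Personal run PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096
    iterations).  The AP and every client compute this independently, so a
    single character of difference in the configured passphrase yields a
    completely different key and the 4-way handshake fails.
    """
    problems = validate_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def same_key(ssid: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True only if two devices configured with these passphrases agree on the PMK."""
    return derive_pmk(passphrase_a, ssid) == derive_pmk(passphrase_b, ssid)


if __name__ == "__main__":
    # "password"/"IEEE" is the 802.11i test vector; the rest are constructed values.
    print(derive_pmk("password", "IEEE").hex())
    print(validate_passphrase("short"))
    print(same_key("HomeNet", "Correct-Horse-Battery", "correct-horse-battery"))
```

The SSID acting as salt is also why an attacker who captures a handshake must precompute a dictionary per SSID; a default SSID such as the router's model name makes that precomputation reusable across every network that kept it.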
How UAC Works
An access token is created for each user at logon. This access token controls what actions that user can perform on the system.
Admin Approval Mode
When a standard user logs on, a single standard user token is created. When an administrator logs on, two access tokens are created: a standard user token, which is used by default, and a full administrator token. Admin Approval Mode is triggered when the standard user token is not sufficient to perform a task. The system, through UAC, requests privilege elevation with a prompt for consent; you must click Yes for the action to run with the administrator token. After the task completes, the process runs at the standard user privilege level again.
Prompting for Credentials
If no administrator token exists for the logged-on user, the system knows the user is only a standard user. Before the task can be performed, the user is prompted to enter an administrator's username and password.
Key User Account Control Concepts
The Application Information service (Appinfo) must be running for UAC to work correctly. If you disable this service, you will receive Access Denied errors, because applications will be unable to request administrator-level approval.
Secure desktop makes the normal desktop unavailable whenever a UAC prompt is triggered. This ensures that malicious software cannot alter the display of the UAC prompt or automatically answer it to consent to elevation on your behalf. This is the default behavior of UAC.
Many aspects of UAC can be customized. Use the User Account Control settings in Control Panel to set the sensitivity of UAC. The options are:
Always notify me
The most secure option. A UAC prompt appears when programs try to install software, make changes to your computer, or change Windows settings, and the secure desktop is enabled for 150 seconds. No task can be performed until you respond; if you do not respond within 150 seconds, UAC automatically denies the request.
Notify me only when applications try to make changes to my computer
A prompt appears only when an application (not a change to Windows settings) tries to make changes to the computer. The secure desktop is enabled, and you have 150 seconds to respond; with no response, the request is denied. This is the Windows default.
Notify me only when applications try to make changes to my computer (do not dim my desktop)
The same as the previous setting, except that the secure desktop is not enabled. This is slightly more convenient but less secure, because software running as the user can interact with the prompt.
Never notify me
UAC prompting is disabled. If you are logged on as an administrator, all actions execute without confirmation and you never see the secure desktop. If you are logged on as a standard user, every action that requires elevation is automatically denied.
Zigbee
A low-power mesh networking protocol for IoT devices, built on IEEE 802.15.4 and operating mainly in the 2.4 GHz band, so it competes with Wi-Fi and Bluetooth for spectrum.
802.1X authentication
An authentication standard that uses usernames/passwords, certificates, or devices such as smart cards to authenticate clients. The access point or switch relays the client's EAP exchange to a RADIUS server and only opens the port once the server accepts.
Multiple-input multiple-output (MIMO)
An enhancement that uses multiple transmit and receive antennas so a single radio link carries several spatial streams on the same channel at the same time, increasing throughput and resilience to multipath.
Multi-user multiple-input multiple-output (MU-MIMO)
An enhancement to MIMO (802.11ac and later) that lets an access point transmit to several client devices simultaneously by directing separate spatial streams at each, instead of serving one client at a time.
Infrastructure wireless network
An infrastructure wireless network employs an access point that functions like a hub on an Ethernet network.
Wired Equivalent Privacy (WEP)
The original, optional encryption component of the 802.11 specification. It uses RC4 with a static 40- or 104-bit key and a 24-bit initialization vector; key-recovery attacks take minutes, so WEP is deprecated and should not be used.
Bluetooth
Bluetooth uses radio waves in the 2.4 GHz frequency range for communication. Bluetooth uses ad hoc connections between devices to create personal area networks called piconets. A piconet has one master and up to seven active slave devices, and a device can participate in multiple piconets at the same time. Using adaptive frequency hopping (AFH), Bluetooth detects channels that are busy (for example with Wi-Fi traffic) and removes them from its hopping sequence; classic Bluetooth hops among 79 channels to avoid interference. Link-layer encryption uses a 128-bit key (the E0 stream cipher on older devices, AES-CCM with Secure Connections on newer ones). Pairing without a PIN or numeric comparison ("Just Works") gives no protection against an active attacker.
Transmission speed depends on the version, and maximum distance on the device class:
Version 1.2: 1 Mbps
Version 2.0: 3 Mbps
Version 3.0: 24 Mbps
Version 4.0: 24 Mbps
Class 1: 100 m
Class 2: 10 m
Class 3: 1 m
Common applications for Bluetooth include the following:
Connecting peripheral devices (e.g., keyboard and mouse)
Wireless headphones and smart phone headsets
Peer-to-peer communications (e.g., sharing data between a smart phone, notebook, and tablet)
Bluetooth is also able to transmit audio and video data signals.
Enable MAC Address Filtering
By specifying which MAC addresses are allowed to connect to your network, you can prevent unauthorized devices from connecting to the access point. MAC address filtering can be implemented in one of two ways: All MAC addresses are allowed to connect to the network, except for those specified in the deny list. All MAC addresses are denied access, except for those specified in the allow list. MAC address filtering is considered a cumbersome and weak form of security. Permitted MAC addresses can be very easily captured and spoofed by even casual attackers.
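An added example (not from the original notes) of the two filtering modes described above, including the address normalisation a real allow list needs, followed by what a casual attacker does about it: note one permitted address seen on the air and reuse it. All MAC addresses and the list of captured frame sources are constructed sample data.

```python
import re


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lower-case 'aa:bb:cc:dd:ee:ff'.

    Devices print MACs as AA-BB-..., aa:bb:... or aabb.ccdd.eeff; comparing
    raw strings would let an allowed device be rejected, or a denied one
    through, on a formatting difference alone.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


class MacFilter:
    """Access-point MAC filter in 'allow' (default-deny) or 'deny' (default-allow) mode."""

    def __init__(self, mode: str, entries):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.entries = {normalize_mac(m) for m in entries}

    def permits(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.entries
        return listed if self.mode == "allow" else not listed


def clone_permitted_mac(observed_sources, ap_filter: MacFilter):
    """Return the first source MAC seen on the air that the filter would accept.

    802.11 frame headers are never encrypted, so an attacker with a
    monitor-mode card sees every client's address; setting their own
    interface to a permitted one defeats the filter without touching the
    Wi-Fi encryption at all.
    """
    for src in observed_sources:
        if ap_filter.permits(src):
            return normalize_mac(src)
    return None


if __name__ == "__main__":
    # Constructed sample data: two permitted laptops, a few frames seen on the air.
    ap = MacFilter("allow", ["AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:02"])
    frames = ["de:ad:be:ef:00:01", "AA:BB:CC:DD:EE:02", "aa:bb:cc:dd:ee:01"]
    print(ap.permits("aa:bb:cc:dd:ee:99"))   # False: not on the allow list
    print(clone_permitted_mac(frames, ap))   # aa:bb:cc:dd:ee:02
```

The filter is worth keeping only as a way to stop accidental connections; anything that actually needs to be kept out must be kept out by WPA2 authentication.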
Channel bonding
Combining two adjacent channels into one wider channel (e.g., two 20 MHz channels into a 40 MHz channel in 802.11n) to increase bandwidth. In the crowded 2.4 GHz band it also increases the chance of interfering with neighboring networks.
Near-field communication (NFC)
Communication technology that enables communication between two devices in close proximity.
Infrared (IR)
Communication technology that uses invisible light waves.
Bluetooth
Communication technology that uses radio waves in the 2.4 GHz range.
SOHO Router Configuration
The following steps describe how to configure a SOHO router and set up the network:
Configure the Internet Connection
Begin by connecting the router to the internet connection using the device's WAN port. For a DSL or ISDN router, connect the device directly to the DSL/ISDN line. For a cable, fiber optic, or satellite connection, connect the router to the Ethernet port on the modem or connection device. Many routers will automatically detect and configure the internet connection. If not, follow the ISP's instructions for setting up the connection. This could include:
Configuring the internet connection with a static IP address assigned by the ISP, or configuring the device to use DHCP for addressing
Configuring the protocol used for the connection. This will often be PPPoE for an always-on internet connection
Configuring logon information (username and password) to access the internet
Configuring the default gateway and DNS server addresses the router uses to reach the internet
Configure the Router
Before setting up the network, some basic settings on the router need to be configured. Most important is to change the default administrator username and password. Default credentials are easily guessed or looked up in the device documentation; changing them protects the device from unauthorized configuration changes. Also disable administration from the WAN (internet) side unless you specifically need it, and apply the manufacturer's firmware updates.
Enable NAT
Small networks use a single public IP address to connect to the internet. This IP address is shared by all devices on the private network. Network address translation (NAT) is a technique that allows multiple computers to share a single public IP address on the internet. The internet is classified as a public network, and every device on it must have a registered IP address, assigned by the ISP. The SOHO network is classified as a private network: devices use private IP addresses internally but share the public IP address when accessing the internet. A NAT router does this by associating a port number on the public address with each private host's connection.
When a private host opens a connection to the internet, the router rewrites the packet's source address to the public IP and its source port to a port it allocates, and records the mapping. Replies arriving at the public IP on that port are translated back to the private host's address and port. Port assignments are made automatically by the NAT router, and inbound packets that match no mapping are dropped, which is why hosts behind NAT are not directly reachable from the internet unless port forwarding is configured. The private network can use addresses in the following ranges, which are reserved for private use (i.e., they are not routed on the internet):
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Secure the SOHO Network
Although the router should now connect hosts to the private network and provide internet access, take the following steps to secure the network from external threats:
Configure the firewall on the device. Enabling the basic firewall on the router provides an additional level of security for the private network. If necessary, configure exceptions to allow specific traffic through.
Configure content filtering and parental controls. Most SOHO routers provide content filtering and parental controls that prevent hosts from accessing specific websites or using specific internet services, such as chat, torrent, or gaming applications.
Physically secure the router. Anyone with physical access to the router can make configuration changes (including a factory reset back to default credentials) and gain access to the network. Limit physical access, for example by placing the router and other networking equipment in a locked closet.
Create a Whitelist and Blacklist
When controlling which devices or destinations may pass the firewall, there are two ways to build the list:
Whitelisting (allow listing) means that only the entries on the list are allowed; everything else is blocked. This is the default-deny approach and the more secure of the two.
Blacklisting (deny listing) means everything is allowed except the entries on the list. It is the opposite of whitelisting and only stops what you have already thought to block.
Configure for a Network Environment
Depending on the implementation, it may be necessary to take the following steps to configure the SOHO router for a particular network environment:
Enable and configure a DMZ (demilitarized zone) host. Configuring a DMZ host on a SOHO router forwards all unsolicited incoming traffic, on every port, to the specified host. That host is then as exposed as if it were directly on the internet, so configure a DMZ host only if you understand the implications, and prefer forwarding just the specific ports you need.
Configure quality of service (QoS) settings. Most SOHO routers provide basic QoS functionality. When enabled, QoS prioritizes certain network communications over others. For example, VoIP traffic would be given higher priority and more bandwidth than HTTP (web browser) traffic.
Enable the Universal Plug and Play (UPnP) networking protocol. UPnP allows UPnP-enabled devices to discover each other on the network and share data and media content. It also lets any device on the LAN ask the router to open inbound port forwards without authentication, so malware on one device can expose others; leave UPnP disabled unless a device requires it.
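An added example (not part of the original notes) that models what the router does for the Enable NAT step and the DMZ-host option above: outbound connections from RFC 1918 addresses are given a public port, replies are mapped back to the originating host, and unsolicited inbound packets are dropped unless a DMZ host is configured, in which case every one of them lands on it. The addresses are constructed from the documentation ranges (192.168.1.0/24 on the LAN, 203.0.113.0/24 and 198.51.100.0/24 on the internet side).

```python
import ipaddress

# The three address blocks reserved for private use (RFC 1918).
PRIVATE_RANGES = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 ranges listed above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class NatRouter:
    """Port-based NAT (PAT) as done by a SOHO router, with an optional DMZ host."""

    def __init__(self, public_ip: str, dmz_host: str = None, first_port: int = 40000):
        self.public_ip = public_ip
        self.dmz_host = dmz_host
        self.next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN-originated packet; returns the (public_ip, public_port) it leaves with."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not private; the LAN side must use RFC 1918 space")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            # First packet of a new flow: allocate a public port, remember both directions.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Deliver a packet that arrived from the internet.

        Returns (private_ip, private_port) for a reply to a known flow, the
        DMZ host for anything else if one is configured, or None (dropped).
        """
        mapping = self.inbound.get((dst_port, src_ip, src_port))
        if mapping:
            return mapping
        if self.dmz_host:
            # A DMZ host receives every unsolicited port: convenient, and fully exposed.
            return self.dmz_host, dst_port
        return None


if __name__ == "__main__":
    router = NatRouter("203.0.113.5")
    print(router.translate_outbound("192.168.1.10", 51000, "198.51.100.7", 443))
    print(router.translate_inbound("198.51.100.7", 443, 40000))  # reply -> LAN host
    print(router.translate_inbound("198.51.100.9", 12345, 22))   # unsolicited -> dropped
```

The last call is the whole of NAT's accidental security: a probe to port 22 finds no mapping and is discarded. Set `dmz_host` and the same probe is delivered to that machine on port 22, along with every other port anyone scans.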
Disable DHCP for Wireless Clients
Disabling DHCP on the wireless access point means only a client manually configured with a valid IP address, subnet mask, and default gateway for the range can communicate. An attacker would have to discover that addressing information first, but anyone who can capture a single frame from a legitimate client, or glance at a connected device's network settings, has it immediately. Treat this as a minor obstacle rather than a security control; it does nothing to stop a client from associating with the access point.
Antenna Orientation
For radio frequency wireless devices, antenna orientation can affect signal strength. Two types of antennas are commonly used in wireless networks:
Directional antenna: creates a narrow, focused signal in a particular direction, which increases signal strength and transmission distance. It provides a stronger point-to-point connection and is better equipped to handle obstacles.
Omnidirectional antenna: disperses the RF wave in an equal 360-degree pattern, providing access to many clients within a radius.
For other technologies, such as infrared or satellite, the orientation of the receiving device is critical. Make sure the receivers have a line-of-sight path to communicate.
Configure the Wireless Protocol
If your access point supports multiple wireless protocols, select the protocols to support, such as 802.11n only or mixed mode (both 802.11n and 802.11g). Be aware that mixed mode costs throughput: to stay compatible with an 802.11g client, the access point must send management frames at legacy rates and wrap 802.11n transmissions in protection mechanisms, so all clients, including 802.11n ones, see lower speeds whenever a legacy client is associated. Enabling only the newest protocol your devices support avoids this and also keeps older, weaker clients off the network.
Obstructions
In situations where there is no clear line-of-sight between transmitter and receiver due to obstructions (e.g., concrete or metal studs), the wireless signal is reflected along multiple paths before finally being received. This can cause phase shifts, time delays, and attenuation. To address this, implement antenna diversity, which uses two or more radio antennas to increase the quality and reliability of a wireless link. There are two common antenna diversity implementations: Spatial diversity uses multiple antennas that are physically separated from one another. Pattern diversity uses two or more co-located antennas with different radiation patterns.
Infrared (IR)
Infrared uses invisible light waves for communication. Infrared:
Is a line-of-sight medium. Objects cannot be in the path of communication.
Communicates at 9600 bps up to 4 Mbps (IrDA) and uses the resources of a COM port.
Works best for devices within 1 meter, but can operate up to 30 meters in areas without ambient light interference.
Offers no security for transmissions beyond the fact that an eavesdropper must be in the beam's path.
Infrared is typically used for remote control devices or for sending data between two devices. Some smart phones include an IR emitter for use as a remote control.
Airplane Mode
Instead of a physical switch, some portable devices have a software-controlled switch called Airplane Mode. When in Airplane Mode, all wireless functionality is disabled. When in Airplane Mode, some wireless functionality (e.g., Wi-Fi or Bluetooth) can be manually enabled individually without needing to disable Airplane Mode.
Atmospheric and EMI Conditions
Interference from weather or EMI can degrade the signal and cause service interruptions.
Z-Wave
A low-power IoT mesh protocol that operates in the sub-1 GHz band (908.42 MHz in North America, 868.42 MHz in Europe), so it does not compete with 2.4 GHz Wi-Fi. It is simpler and less expensive than Zigbee.
Smart Speaker
A centralized source of information as well as a home assistant device. Depending on its model and brand, it can control the smart appliances and systems in your home, such as the thermostat, lighting, door locks, window shades, and security monitoring. Most companies in the industry agree that a smart speaker should offer compact size, music playback and streaming, internet access, Bluetooth, voice control, and a home assistant. Not every brand includes all of these features, but the best include several. One concern people have raised about smart speakers is data security. Voice hacking is a real possibility: a user's voice could be recorded or mimicked to hijack their accounts, and everything recorded after the wake word (including accidental triggers) is sent to the vendor's cloud service. Researchers are developing systems that distinguish genuine live speech from recordings or imitation, so this part of the technology is expected to improve.
Smart Switch
Is a device that allows you to control hardwired lights, ceiling fans, electric fireplaces, small appliances, and even the garbage disposal with an app on your phone or a voice-controlled virtual assistant. Smart switches give smart home features to anything you turn on or off with the flip of a switch. Each brand and model offers different features, so you have to check the specifications to find the one that meets your needs.
Smart Lock
An electromechanical lock that can be locked and unlocked using a smart phone. It uses a wireless protocol and a cryptographic key to execute the authorization process, and can also monitor access and send alerts about the status of the device. Two types of smart locks are most popular: one is installed over a simple mechanical lock and upgrades the ordinary lock; the other replaces an ordinary lock. Both have the same basic functions. Smart locks need two main parts to work: the lock and the key. Here the key is a smart phone that wirelessly authenticates to unlock the door. You can also set up locks to grant third-party access through a virtual key sent by email or SMS; once received, the third party can unlock the smart lock during the time window the owner specifies. Because such a key is only as secret as the email or SMS that carries it, keep the window short and revoke the key when it is no longer needed. Smart locks also let you manage access remotely through a phone app, and many have a built-in Wi-Fi connection for remote access and management. They use Bluetooth SMART (Bluetooth Low Energy) and TLS to communicate, encrypting communications with 128- or 256-bit AES. Some work with Z-Wave as well.
Line of Sight (LOS)
LOS mode uses a very narrow beam of infrared light. Because of this, LOS mode requires devices to have a direct line of sight with each other. There can't be any obstructions in between. Because the beam is so narrow, devices have to be lined up appropriately. LOS mode has a range of just under one meter.
Latency
Latency on wireless networks can be affected by several factors. Wireless communication operates in half-duplex (shared, two-way communication). Devices can both send and receive, but not at the same time. Therefore, devices must take turns using the transmission channel. Typically, once a device begins receiving a signal, it must wait for the transmitter to stop transmitting before replying. An unstable wireless network signal can increase the processing that is performed on the signal by both the hardware and software.
Change the Default SSID
Many manufacturers use a default SSID that contains identifying information (such as device manufacturer and model number), so it is important to change the device's SSID from the default. In addition to changing the default SSID, it is also possible to disable the SSID broadcast. This is known as SSID suppression or cloaking. With broadcasting disabled, the SSID needs to be manually entered into devices for them to connect to the network (the SSID will not show up in the list of available networks). Even with the broadcast disabled, it's relatively easy to identify the SSID of a network by using readily available applications. Because of this, SSID suppression should not be the only form of protection.
Desktop Application Management Installed applications are most commonly managed through the Apps link found on the home page of the Windows Setting app. When an application has been selected using this method, you'll have one or more of the following options available. Applications can also be managed through Programs and Features found in Control Panel.
Modify/Change/Repair
You might run into a situation in which an application is crashing, behaves erratically, or freezes. If this happens, one or more of its files may have been corrupted or accidentally deleted. In this type of situation, you can attempt to fix the application. Some application installers include a repair feature. If selected, the repair feature searches the files used by the application for any that are missing or corrupt and replaces them with the original files from the installer. Depending on the application and whether you accessed it through Settings > Apps or Control Panel, you will see the option to modify, change, or repair the application. In most cases these options are interchangeable, meaning that any of the three performs the same task on the selected application. For example, when you use the Apps options in the Settings app for Adobe Acrobat Reader, selecting Modify gives you the same options you get when you open Adobe Acrobat Reader through Control Panel and select Change. With some applications, the Change option lets you customize the installation by re-launching the installer and making whatever changes are needed during a reinstallation.
Uninstall
At times you may need to delete an application, for example because you no longer use it and want to reclaim the disk space, or because the installer has no repair option or the repair did not solve the issue. The next best choice may be to uninstall the application and reinstall it. To uninstall an application, open the Settings app and navigate to Apps > Apps & features. Select the desired application and click Uninstall.
Advanced options
When working in the Settings app, some applications include an Advanced options link. Selecting this link lets you view more details about the application and perform other tasks, such as:
Setting the default app
Terminating the app
Resetting the app
Uninstalling the app
Some applications and programs are built into Windows 10 and can't be uninstalled.
Near Field Communication (NFC)
NFC enables communication between two devices that are in very close proximity. NFC operates at 13.56 MHz and has a maximum transmission speed of 424 Kbps. Special chips called NFC chips (tags) are used to send, receive, and store data. Devices using NFC operate in one of three modes:
Reader/writer mode is used to read information stored on an NFC chip.
Peer-to-peer mode enables two devices to communicate and exchange information.
Card emulation mode emulates the functionality of a smart card in order to perform contactless payment or ticketing (this mode is typically used by smart phones).
To communicate, devices must be within about 2 inches (4 cm) of each other. NFC itself provides no encryption; the short range limits casual eavesdropping, but an application that needs confidentiality or authentication (payment, passports) must provide it at a higher layer. NFC is widely used for:
Contactless payment (e.g., using a smart phone as a payment method)
Identification (e.g., passports that contain an NFC chip)
Video gaming
Even though NFC has slower transmission speeds than Bluetooth, it consumes much less power and sets up connections much faster.
Open
Open authentication requires that clients provide a MAC address in order to connect to the wireless network. You can use open authentication to allow any wireless client to connect to the AP. Open authentication is typically used on public networks. You can implement MAC address filtering to restrict access to the AP to only known (or allowed) MAC addresses. Because MAC addresses are easily spoofed, this provides little practical security.
Z-Wave SoCs
Z-Wave SoCs (systems on a chip) can also be placed into furniture and other hard-to-reach places, such as inside walls, to strengthen the mesh network. Z-Wave is also backwards-compatible, so new 700 series devices work with devices from years ago, and should work with devices launched in the future as well.
Electromagnetic Interference (EMI)
Poor connectivity can also be caused by EMI. Many types of equipment in the work environment can generate enough EMI to disrupt your wireless network radio signals. Some examples include electric motors, electronic equipment, microwave ovens, power tools, and overhead power lines. Shielding can be used to absorb the EMI emissions of some types of equipment. However, the EMI in some environments is so strong that the only solution is to implement a wired network instead of a wireless network.
Bulb
Smart bulbs normally work with conventional lighting fixtures and bulb holders. That makes them easy to implement. They also come with wireless communication capabilities packed inside. Some of them use built-in Wi-Fi or Bluetooth which lets them communicate directly with your phone or tablet, eliminating the need for a hub or control device. There are even some higher-end bulbs that change colors, track motion, stream audio over Bluetooth, or double as connected cameras. On a small scale, that kind of plug-and-play simplicity is very convenient, but smart bulbs tend to be expensive so scaling up could be difficult depending on your budget. Also, smart bulbs won't work if the light is switched off; they're only smart when they're turned on.
Plug
Smart plugs automate anything with a plug on it. You can remotely turn on and off anything that's plugged into them using an app. They are an easy solution to making small appliances such as lamps, coffee makers, and toasters smart.
Speaker/Digital Assistant
Smart speakers/digital assistants work in the following way: Smart speakers use voice recognition software. Once they're on, smart speakers listen to all speech, waiting for what is known as a 'wake word' or 'hot word'. When they recognize this word, they begin to record your speech and send it over the internet. The speech file is sent to a voice recognition service in the cloud. The voice recognition service deciphers the speech and sends a response back to the smart speaker. The voice recognition service uses algorithms to familiarize itself with your way of speaking and choice of words. You can also send feedback to the voice recognition service about the accuracy of the responses that the smart speaker provides. When first setting up a smart speaker you are required to do a 'voice training' in which you read 20 to 30 key commands to your device and the voice recognition service starts to learn your speech patterns. Machines' ability to recognize speech is a complex process, especially when considering the huge variety of different speech patterns. But the simplified explanation of the process is recognizing sections of words known as 'phones'. Those phones build into 'phonemes' which can then be recognized as individual words.
Thermostat
Smart thermostats learn from your habits and schedule, give you the freedom to control the climate in your home remotely, show you energy consumption in real-time, and can even adjust themselves depending on ambient conditions like humidity.
Wireless On/Off Switch
Some portable devices have a physical wireless switch on the outside of the device. The wireless switch turns the device's integrated wireless network adapter on and off. When in the off position, no wireless networks are displayed as available.
Windows User Accounts There are two levels of privileges for Windows accounts: standard users and administrators.
Standard
Standard users have rights to perform only basic tasks, such as adding a printer, changing the time zone, and modifying display settings. It is safest to use a standard user account for all day-to-day activities, even for administrators. This keeps the impact low if your system is attacked, because malware runs with the privileges of the user who launched it.
Administrator
Administrators can perform any action on the system. For example, they can turn off firewalls, configure Group Policy settings, and install drivers and software. The first user of a Windows system is made an administrator by default. When additional users are created, you decide whether to set them up as a standard user or an administrator. For better protection against exploits, give users only standard-level accounts. Best practice is to create a standard user account for administrators to use for their day-to-day activities; they should log into their admin accounts only when they need to perform administrative tasks. Windows 10 lets you use User Account Control to elevate privileges when necessary to complete an administrative-level task, so you do not have to log off and log back on as an administrative user, or manually use the Run as administrator option. UAC takes care of that for you.
Channel Interference
In North America the 2.4 GHz band is divided into 11 channels (13 in most of Europe, 14 in Japan). Channel centers are 5 MHz apart but each channel is 22 MHz wide, so every channel overlaps the several on either side of it. You might experience problems with your wireless network when other devices use the same or adjacent channels. Numerous devices operate in the 2.4 GHz and 5 GHz ranges and create background noise and additional interference:
Cordless telephones that operate in the 2.4 GHz range (900 MHz cordless phones do not cause interference)
Other APs in the area (for example, each of your neighbors might have a wireless network configured to use a similar channel)
Microwave ovens
Bluetooth devices
Wireless game controllers
To avoid interference, try changing the channel used on the AP. If the area has several wireless networks, configure each on a channel that does not overlap the others; in the 2.4 GHz band that means channels at least five apart, which is why 1, 6, and 11 are the standard choice. The strength of your Wi-Fi signal compared to the level of background noise is known as the signal-to-noise ratio (SNR). If the SNR is low, your wireless network will have problems with interference.
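An added example (not from the original notes) that does the arithmetic behind the channel advice above: 2.4 GHz channel centers are 5 MHz apart but 802.11b/g channels are 22 MHz wide, so two channels overlap unless they are at least five apart, which is why 1, 6, and 11 are the non-overlapping set in an 11-channel region. It also picks the least-congested of those three from a site survey and computes SNR. The scan data at the bottom is constructed sample input.

```python
CHANNEL_WIDTH_MHZ = 22  # 802.11b/g channel width in the 2.4 GHz band


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel: 2412 MHz for channel 1, then 5 MHz steps.

    Channel 14 (Japan only) is the exception at 2484 MHz.
    """
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two channels interfere when their centers are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels(available) -> list:
    """Greedily pick a set of mutually non-overlapping channels from `available`, lowest first."""
    chosen = []
    for ch in available:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def snr_db(signal_dbm: float, noise_dbm: float) -> float:
    """Signal-to-noise ratio; both inputs in dBm, so the ratio is a simple difference in dB."""
    return signal_dbm - noise_dbm


def quietest_channel(scan: dict, candidates=(1, 6, 11)) -> int:
    """Choose the candidate whose loudest overlapping neighbour AP is weakest.

    `scan` maps channel -> list of neighbour signal strengths (dBm) heard on it.
    A neighbour on channel 3 interferes with both 1 and 6, so each candidate is
    scored by the strongest AP on any channel that overlaps it.
    """
    def worst_interferer(ch):
        levels = [lvl for other, lvls in scan.items() if channels_overlap(ch, other) for lvl in lvls]
        return max(levels, default=-100.0)  # -100 dBm: effectively nothing heard
    return min(candidates, key=worst_interferer)


if __name__ == "__main__":
    print(non_overlapping_channels(range(1, 12)))        # [1, 6, 11]
    # Constructed scan: neighbours on 1 (loud), 3, 6 (faint) and 11.
    scan = {1: [-40, -60], 3: [-55], 6: [-80], 11: [-50]}
    print(quietest_channel(scan))                         # 6
    print(snr_db(-65, -90))                               # 25 dB
```

The scan shows why "pick the channel with the fewest networks on it" is not enough: channel 6 has a neighbour of its own at -80 dBm, but it is still the best choice because the -55 dBm network on channel 3 bleeds into it less than the -40 dBm one on channel 1.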
Amazon Echo
The Echo is a smart speaker that is controlled by voice. It responds to voice commands when you use a "wake word," which is normally Alexa. The device is capable of doing things such as playing music, making a to-do list, setting alarms, providing weather info, along with all sorts of other things. It can also be used in conjunction with other smart devices to control devices such as lights, security cameras, and so on. One of my favorite things to do at home is to use Bluetooth to pair Alexa with my surround sound system and stream music.
Home Network
The Home network location is designed for use on networks where you know and trust each device on the network. With the Home network location: Network discovery is enabled. This means other computers and devices on the network are able to see and connect to each other. Connected devices are able to join the network homegroup. The Windows firewall configuration is changed to allow certain types of network communication through. Because this network location is the least secure, select this location only if you know all the devices and people that are connected to the network.
Public Network
The Public network location is designed for use on unknown or public networks (e.g., a coffee shop or other public Wi-Fi network). With the Public network location: Network discovery is disabled. This means other computers on the network cannot see you and you cannot see them. Network sharing, such as printers and scanners, is disabled. The Windows firewall configuration is changed to block almost all inbound and most outbound communications. For applications to be able to communicate, they need to be manually allowed through the firewall. The Public network profile should be used when connecting to any unknown network location, such as a hotel's Wi-Fi network.
Configure Wi-Fi Protected Setup (WPS)
The WPS security protocol makes it easier for WPS-enabled devices (e.g., a wireless printer) to connect to the wireless network. WPS can use several methods for connecting devices, including the PIN method and the push button method. The method used to connect devices must be supported by both the access point and the wireless device. Because of the inherent security vulnerabilities with WPS, it is best to disable this feature on the access point.
Work Network
The Work network location is designed to be used in a SOHO environment or other small business network. With the Work network location: Network discovery is enabled; however, the computer is unable to create or join a homegroup. The Windows firewall configuration is changed to allow certain types of network communication.
Configure the Channel
The channel identifies the portion of the wireless frequency used by the access point and connected devices. You should use a channel that does not overlap or conflict with other access points in the area. A simple rule to minimize conflicts is to remember that the frequencies used by channels 2-5 compete with the frequencies used by channels 1 and 6, while the frequencies used by channels 7-10 compete with the frequencies used by channels 6 and 11. Many access points have an automatic channel feature that detects other access points and automatically selects the channel with the least amount of traffic.
/f command
The f stands for fix. You can use the question mark option here to view all the available options. If you scroll down, you can see that /f starts a repair.
IoT
The internet of things.
AP Placement
The location of the AP can affect signal strength and network access. Keep in mind the following: With omnidirectional antennas, radio waves are broadcast in each direction, so the AP should be located in the middle of the area that needs network access. Devices often get better reception from APs that are above or below. In general, placing APs higher up prevents interference problems caused by going through building foundations. For security reasons, APs should not be placed near outside walls. The signal will emanate beyond the walls. Placing the AP in the center of the building decreases the range of the signals available outside of the building.
Determine Best Access Point Placement
The location of the access point can affect signal strength and network access. Keep in mind the following recommendations: Place access points in central locations. Radio waves are broadcast in each direction, so the access point should be located in the middle of the area that needs network access. Place access point to take advantage of the fact that devices often get better reception from access points that are above or below. In general, place access points higher up to avoid interference problems caused by going through building foundations. For security reasons, do not place access points near outside walls. The signal will extend outside beyond the walls. Placing the access point in the center of the building decreases the range of the signals available outside of the building. Do not place the access point next to sources of interference, such as other wireless transmitting devices (cordless phones or microwaves) or other sources of interference (motors or generators).
Incorrect Configuration
The most common source of problems with wireless networking is incorrect configuration. Before considering other problems, verify that the correct SSID and WEP/WPA keys have been configured. Remember that WEP/WPA keys are not case sensitive, but passphrases are case sensitive. In the case of a standalone (or thick) configuration, make sure each individual AP is properly configured. With a controller-based (or thin) configuration, make sure each AP can communicate with the wireless controller. A similar form of an incorrect configuration is trying to access a wireless network that uses one standard (e.g., 802.11a) with a wireless card that supports a different standard (802.11b or 802.11g).
Service set identifier (SSID)
The network name.
msiexec command
This can be useful in situations where you need to repair an application on a remote system over a network connection.
UAC Group Policy Settings
The following UAC Group Policy settings can be configured:

User Account Control: Admin Approval Mode for the built-in Administrator account
This policy setting configures how Admin Approval Mode functions for the built-in Administrator account. You can configure the following options:
- When set to Enabled, the built-in Administrator account uses Admin Approval Mode. In this mode, the user will be prompted to approve any operation that requires privilege elevation.
- When set to Disabled, the built-in Administrator user runs applications with full administrative privileges.

User Account Control: Allow User Interface Accessibility (UIA) applications to prompt for elevation without using the secure desktop
This policy setting controls whether UIA applications (e.g., Remote Assistance) can automatically disable Secure Desktop. You can configure the following options:
- When set to Enabled, UIA applications are allowed to automatically disable Secure Desktop when prompting for privilege elevation.
- When set to Disabled, Secure Desktop can be disabled only by the end user.
Even if this policy is enabled, a UIA program must be digitally signed before it will be allowed to respond to the UAC elevation prompt. By default, UIA programs can be run only from the following protected folders:
- C:\Program Files (including all subfolders)
- C:\Program Files (x86) (including all subfolders)
- C:\Windows\System32
You can use the User Account Control: Only elevate UIAccess applications that are installed in secure locations policy setting to allow UIA applications to be run from any folder, not just from protected folders.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators. You can configure the following options:
- Elevate without prompting allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
- Prompt for credentials on the secure desktop causes the user to be prompted to enter an administrative user name and password on the secure desktop when an operation requires privilege elevation.
- Prompt for consent on the secure desktop causes the user to be prompted on the secure desktop to select either Permit or Deny when an operation requires elevation of privilege.
- Prompt for credentials causes the user to be prompted to enter an administrative user name and password when an operation requires privilege elevation.
- Prompt for consent causes the user to be prompted to select either Permit or Deny when an operation requires privilege elevation.
- Prompt for consent for non-Windows binaries causes the user to be prompted to select either Permit or Deny on the secure desktop when an operation for a non-Microsoft application requires privilege elevation.

User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users. You can configure the following options:
- Automatically deny elevation requests causes an Access Denied error message to be displayed when an operation requests privilege elevation.
- Prompt for credentials on the secure desktop causes the user to be prompted to enter an administrative user name and password on the secure desktop when an operation requires privilege elevation.
- Prompt for credentials causes the user to be prompted to enter an administrative user name and password when an operation requires privilege elevation.

User Account Control: Detect application installations and prompt for elevation
This policy setting configures the system to detect new application installations. You can configure the following options:
- When set to Enabled, the user is prompted to enter an administrative user name and password when an application installation is detected that requires privilege elevation.
- When set to Disabled, application installations are not detected, and no elevation prompt is displayed for them.

User Account Control: Only elevate executables that are signed and validated
This policy setting enforces PKI signature checks for applications that request elevation of privilege. You can control the applications that are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. You can configure the following options:
- When set to Enabled, PKI validation must occur for a given executable file before it is permitted to run.
- When set to Disabled, PKI validation is not required for a given executable file before it is permitted to run.

User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a UIAccess integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
- ...\Program Files\, including subfolders
- ...\Windows\system32\
- ...\Program Files (x86)\, including subfolders for 64-bit versions of Windows
You can configure the following options:
- When set to Enabled (Default), if an application resides in a secure location in the file system, it runs only with UIAccess integrity.
- When set to Disabled, an application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

User Account Control: Run all administrators in Admin Approval Mode
This policy setting controls the behavior of all UAC policy settings. You can configure the following options:
- When set to Enabled, Admin Approval Mode is enabled. In this configuration, all related UAC policy settings must also be configured to allow the built-in Administrator account and all other administrative users (who are members of the Administrators group) to run in Admin Approval Mode.
- When set to Disabled, Admin Approval Mode is disabled, along with all other UAC policy settings.
If you change this policy setting, you must restart the computer.

User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the user's standard desktop or the secure desktop. You can configure the following options:
- When set to Enabled, all elevation requests are displayed on the secure desktop regardless of other policy settings that may have been configured for administrative and standard users.
- When set to Disabled, all elevation requests are displayed on the user's standard desktop. In this configuration, the policy settings configured for UAC prompt behavior for both administrative and standard users are used.
When this policy setting is enabled, it overrides the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting.

User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. You can configure the following options:
- When set to Enabled (Default), application write failures are redirected at run time to defined user locations for both the file system and registry.
- When set to Disabled, applications that write data to protected locations fail.
Desktop Application Installation Process
The process for installing desktop applications in Windows 10 has four basic steps:
1. Verify compatibility
Before starting the installation process, verify that the application is compatible with the version, edition, and architecture of the Windows operating system you're using. For example, if you're using a 32-bit version of Windows, you must install a 32-bit version of the application. However, if you're using a 64-bit version of Windows, you can usually install either the 32-bit or the 64-bit version of the same application. In most cases the 64-bit version is preferable because it likely offers better performance.
2. Scan for malware
Anytime you download an app from the internet there is risk involved. An application's installer must be downloaded to your computer before the application can be installed. These installers can be ISO files that are burned on a disc, executable installer files, or even .MSI files. Regardless of the file type, you should always run a malware check on the installer before proceeding.
3. Create restore points
Since installations can sometimes cause system problems, you should capture a restore point before you begin installing the application. This quick step gives you the option to restore your system to its pre-installation state if something goes wrong during the process. This includes restoring system files, installed applications, Windows registry settings, and Windows system settings.
4. Install application
With the other steps complete, you are now ready to install the application. This is done using the installer file, which is often an executable file such as setup.exe. Once the installation wizard is launched, it will install the application on the system. Occasionally, the installer is in a compressed archive file. If this is the case, unzip the compressed file first, and then run the installer that was extracted.
Wired Equivalent Privacy (WEP)
WEP is an optional component of the 802.11 specifications that were deployed in 1997. WEP has the following weaknesses: A static pre-shared key (PSK) is configured on the AP and the client. It cannot be dynamically changed or exchanged without administration. As a result, every host on large networks usually uses the same key. Because key values are short and don't change, the key can be captured and easily broken. Because of the inherent security flaws, avoid using WEP whenever possible. If using WEP cannot be avoided, implement it only using open authentication. Shared key authentication with WEP uses the same key for both encryption and authentication, exposing the key to additional attacks.
Wi-Fi Protected Access (WPA)
WPA is the implementation name for wireless security based on initial 802.11i drafts that was deployed in 2003. It was intended to be an intermediate measure to take the place of WEP while a fully secured system (802.11i) was prepared. WPA:
- Uses Temporal Key Integrity Protocol (TKIP) for encryption
- Supports both pre-shared key (WPA-PSK or WPA Personal) and 802.1x (WPA Enterprise) authentication
- Can use dynamic keys or pre-shared keys
- Can typically be implemented in WEP-capable devices through a software/firmware update
WPA keys can also be predicted by reconstructing the Message Integrity Check (MIC) of an intercepted packet, sending the packet to an AP, and observing whether the packet is accepted by the AP.
Wi-Fi Protected Access 2 (WPA2) or 802.11i
WPA2 is the implementation name for wireless security that adheres to the 802.11i specifications. It was deployed in 2005. It is built upon the idea of Robust Secure Networks (RSN). Like WPA, it resolves the weaknesses inherent in WEP. It is intended to eventually replace both WEP and WPA. WPA2:
- Uses Advanced Encryption Standard (AES) as the encryption method
- Supports both pre-shared key (WPA2-PSK or WPA2 Personal) and 802.1x (WPA2 Enterprise) authentication
- Can use dynamic keys or pre-shared keys
Wi-Fi Protected Access 3 (WPA3)
WPA3 is a new authentication standard launched in 2018. It is a more resilient version of WPA2. WPA3:
- Uses password-based authentication
- Provides better protection against password guessing attempts by using Simultaneous Authentication of Equals (SAE)
- Offers 192-bit cryptographic strength, giving additional protection for networks dealing with sensitive data
Port Address Translation (PAT)
PAT appends a randomly selected port number between 49,152 and 65,535 (for example, 51,400) to the public IP address. The router then places an entry in its translation table to associate the random port number with the private IP address that was removed.
Wireless Security Cameras
Wireless Security Cameras transmit video through an RF transmitter. The video is sent to a receiver that connects to the viewing and recording device. That device gives easy access to all video footage recorded through the cameras. Many people use cloud storage to save the video footage for later viewing.
Security Camera
Wireless cameras transmit video through an RF transmitter. The video is sent to a receiver that connects to the viewing and recording device. That device gives easy access to all video footage recorded through the cameras. Many people use cloud storage to save the video footage for later viewing. Modern wireless camera technology tends to implement such features as motion detection, scheduled recording, remote viewing, and automatic cloud storage. But the extent to which these features are implemented may vary by company, model, and brand.
Range
Wireless standards have a limited range. Moving a notebook outside the effective range will weaken the signal and likely cause intermittent reception. Moving outside of the stated range can cause the connection to drop entirely.
Shared Key
With shared key authentication, clients and APs are configured with a shared key (called a secret or a passphrase). Only devices with the correct shared key can connect to the wireless network. All APs and all clients use the same authentication key. Shared key authentication should be used only on small, private networks. Shared key authentication is relatively insecure, as hashing methods used to protect the key can be easily broken.
Z-Wave
Z-Wave works in the following way: Z-Wave was created by a Danish company named Zensys. It is a simpler and less expensive alternative to Zigbee. It uses the same AES-128 symmetric encryption as Zigbee. But, unlike Zigbee, which operates on 2.4 GHz (a major frequency for Wi-Fi), Z-Wave operates in the 800-900 MHz radio frequency range, so it doesn't suffer any major interference issues like Zigbee does. Like Zigbee, Z-Wave devices all link up together to form a mesh network. There's one central hub that connects to the internet; the devices themselves don't have Wi-Fi at all, they use Z-Wave connectivity to talk to the hub either directly or through the mesh network. This is called a "source-routed mesh network topology." Z-Wave allows up to 232 nodes on the mesh network.
Zigbee
Zigbee is a standards-based wireless technology that enables wireless machine-to-machine (M2M) and IoT networks. It is designed for low-data rate, low-power applications, and is an open standard. Zigbee is a specification based on IEEE 802.15.4 and the WPANs operate on 2.4 GHz, 900 MHz and 868 MHz frequencies. Its networks are secured by 128-bit symmetric encryption keys. Zigbee has a defined rate of 250 kbps, best suited for intermittent data transmissions from a sensor or input device. Currently, there are three Zigbee specifications: Zigbee PRO, Zigbee RF4CE, and Zigbee IP. The technology defined by the Zigbee specification is intended to be simpler and less expensive than other WPANs, such as Bluetooth, or more general wireless networks, such as Wi-Fi.
Internet Assigned Numbers Authority (IANA)
has assigned three IP address ranges for private use. These are 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
User Account Control (UAC)
is a tool that alerts the user when a task or operation requires administrative privileges to be completed.