Hidding SSID in Enterprise Wireless Network - An Effective Control (Y/N) ?

Background:- Wireless access points (APs) of a non-broadcast or hidden wireless network do not broadcast their Service Set Identifier (SSID) (also known as their wireless network name). Non-broadcast networks are used to hide a vulnerable wireless network—such as one that uses open authentication and Wired Equivalent Privacy. This feature is enabled with the goal of preventing unauthorized users from being able to detect the wireless network from their wireless clients. Wireless APs can conceal their SSIDs by sending out a Beacon frame with the SSID set to NULL. Because the wireless APs of non-broadcast networks do not broadcast their SSID, they do not appear in the list of available wireless networks by default on Windows-based wireless clients. Therefore, users need to know the SSID and create a preferred wireless network with the SSID of the non-broadcast network. After the preferred wireless network has been created with the correct SSID, the Wireless Auto Configuration facility in Windows will be able to connect to it.
Microsoft Recommendation:- Microsoft recommends against the use of non-broadcast networks as Non-broadcast Networks are not a Security Feature for following reasons:-
a.       Wireless security consists of two main elements: authentication and encryption. Authentication controls access to the network and encryption ensures that malicious users cannot determine the contents of wireless data frames. Although having users manually configure the SSID of a wireless network in order to connect to it creates the illusion of providing an additional layer of security, it does not substitute for either authentication or encryption.
b.       Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.
c.        Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks. A Windows XP or Windows Server 2003-based wireless client can inadvertently aid malicious users, who can detect the wireless network SSID from the wireless client that is attempting to connect
d.       This behaviour is worse for enterprise wireless networks because of the number of wireless clients that are periodically advertising the non-broadcast network name. For example, an enterprise wireless network consists of 20 wireless APs and 500 wireless laptops. If the wireless APs are configured to broadcast, each wireless AP would periodically advertise the enterprise’s wireless network name, but only within the range of the wireless APs. If the wireless APs are configured as non-broadcast, each of the 500 Windows XP or Windows Server 2003-based laptops would periodically advertise the enterprise’s wireless network name, regardless of their location (in the office, at a wireless hotspot, or at home).
Eg:- In Windows Vista and Windows Server 2008 (now in beta testing), an additional wireless network configuration setting has been added that indicates whether a wireless network is broadcast or non-broadcast. This setting can be configured locally through the Manually connect to a wireless network dialog box. The following figure shows an example of the Connection tab for the default properties of a wireless network in Windows Vista.
The Connect even if the network is not broadcasting check box determines whether the wireless network broadcasts (cleared, the default value) or does not broadcast (selected) its SSID. When selected, Wireless Auto Configuration sends probe requests to discover if the non-broadcast network is in range. Because configured wireless networks are now explicitly marked as broadcast or non-broadcast, Windows Vista and Windows Server 2008-based wireless clients only send probe requests for wireless networks that are configured for automatic connection (the Connect automatically when this wireless network is in range check box on the Connection tab) and as non-broadcast. This behavior allows Windows Vista and Windows Server 2008-based wireless clients to detect non-broadcast networks when they are in range. Therefore, even though the wireless APs are not broadcasting the name of their wireless network, they will appear in the list of available wireless networks when they are in range. Because the wireless client detects whether the automatically-connected, non-broadcast networks are in range based on responses to the probe request, Wireless Auto Configuration now attempts to connect to the wireless networks in the preferred networks list order, regardless of whether they are configured as broadcast or non-broadcast. By only sending probe requests for automatically-connected, non-broadcast networks, Windows Vista and Windows Server 2008-based wireless clients reduce the number of situations in which they disclose their wireless network configuration.
For these reasons, it is highly recommended that you do not use non-broadcast wireless networks. Instead, configure your wireless networks as broadcast and use the authentication and encryption security features of your wireless network hardware and Windows to protect your wireless network, rather than relying on non-broadcast behaviour.
Reference Links:-
Rate this article: 
Average: 1 (3 votes)
Article category: 

There is 1 Comment

Thanks.A Good article.
There is one more 'shared key' setting that appears by name to be more secured than open authentication.
With shared key authentication, the AP sends the client a challenge text packet that the client must then encrypt with the correct WEP key and return to the AP.
If the client has the wrong key or no key, authentication will fail and the client will not be allowed to associate with the AP.
Shared key authentication is not considered secure, because the challenge is in clear text.
If hacker detects the clear-text & the same challenge encrypted with a WEP key, he can decipher the WEP key.
Hence In MS windows 8.1 the shared key Auth setting is deprecated.
Recommended to use WPA(TKIP+AES) or more secured WPA2(AES).