Laptops with WLAN interfaces must have the WLAN card radio set to OFF as the default setting.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4632	WIR0180	SV-4632r1_rule	ECSC-1	Medium

Description
Laptop computers with wireless interfaces particularly susceptible to the Windows XP wireless vulnerabilities. If a user has an active wireless interface with security disabled, a hacker could connect to the laptop without the user being aware of the connection. Most laptop vendors provide a software utility to manage WLAN connections for the embedded wireless interfaces. The utility usually provides a feature that allows a laptop user to turn off the WLAN radio.

Description

Laptop computers with wireless interfaces particularly susceptible to the Windows XP wireless vulnerabilities. If a user has an active wireless interface with security disabled, a hacker could connect to the laptop without the user being aware of the connection. Most laptop vendors provide a software utility to manage WLAN connections for the embedded wireless interfaces. The utility usually provides a feature that allows a laptop user to turn off the WLAN radio.

STIG	Date
WLAN Client Security Technical Implementation Guide (STIG)	2014-08-26

Details

Check Text ( C-16040r1_chk )
NOTE: This requirement does not apply to tactical WLAN systems where the WLAN client is configured to connect to only specific tactical access point(s). Have the SA or IAO demonstrate the configuration of the WLAN interface in the interface's management utility. 1. Observe that the interface is set to off by default upon boot-up of the WLAN client device. 2. Verify this is standard practice by checking a sample of WLAN laptops/PDAs (at least 2-3 should be checked). Laptops can be checked by verifying the status of the wireless interface upon boot-up in each profile used on the laptop. 3. Verify users have been trained on this requirement by reviewing the site training records and the signed User Agreement. 4. Mark as a finding any of the following is found: - The WLAN radio functionality (transmit/receive setting) is enabled upon system boot. - If the WLAN interface management utility does not provide the ability to set the radio to OFF by default. - Users have not received required training on how to disable a wireless interface.

Check Text ( C-16040r1_chk )

NOTE: This requirement does not apply to tactical WLAN systems where the WLAN client is configured to connect to only specific tactical access point(s).

Have the SA or IAO demonstrate the configuration of the WLAN interface in the interface's management utility.
1. Observe that the interface is set to off by default upon boot-up of the WLAN client device.
2. Verify this is standard practice by checking a sample of WLAN laptops/PDAs (at least 2-3 should be checked). Laptops can be checked by verifying the status of the wireless interface upon boot-up in each profile used on the laptop.
3. Verify users have been trained on this requirement by reviewing the site training records and the signed User Agreement.
4. Mark as a finding any of the following is found:
- The WLAN radio functionality (transmit/receive setting) is enabled upon system boot.
- If the WLAN interface management utility does not provide the ability to set the radio to OFF by default.
- Users have not received required training on how to disable a wireless interface.

Fix Text (F-6765r1_fix)
Change the default setting on each WLAN interface to OFF and train users on how to disable wireless interfaces after they are no longer in use.