Retaining Wireless Network Details on systems running Deep Freeze
Posted by Adam Zilliax, Last modified by Adam Zilliax on 26 February 2021 07:47 AM
This document will detail the installation and use of the WIFI Backup script provided at the link below;
Deep Freeze is a reboot to restore application that will remove any change made to a client machine when the system is rebooted. While effective at removing any unwanted changes customers may find that there are some pieces of information that need to be retained between sessions to ensure that the systems operate in a way that is acceptable to their end users.
One of the comments that we frequently hear from clients is that they would like to retain the information required to connect to WIFI Networks when the devices that their users are taking home are removed from the network. This information is not retained in the users profile if the customer maps the data in the profile to a thawed volume. In some versions of Windows (XP) this information was saved in the system registry, however later versions of Windows started saving this information in an alternative location preventing us from using Data Igloo to map this information to a thawed location.
In response a script has been developed that will export the existing wireless network settings to a XML file in a directory that the user specifies. A second script has been developed that will import all the wireless profiles in a given directory into the system making them ready for use.
Additionally a pair of template scheduled tasks and an installation script have been provided that allow the user to quickly configure the script based on a set of default settings that we have implemented.
Once implemented the system will run the backup script any time that an event is seen in the system logs indicating that the system has successfully connected to a wireless network. This ensures that the account information is captured as soon as we know that it works.
The second task will execute the script to restore the wireless network settings at system startup and at user logon. For some reason in testing we were unable to get the script to properly function at system startup - this may be something specific to the test environment that the author is working with so we have left both triggers into the script to ensure that it works as quickly as possible in the widest number of use cases.
The installation of the script can be automated using the INSTALL.BAT file. This will automatically copy the scripts into the pre-configured location and import the appropriate scheduled tasks for the script to trigger. This installation assumes the use of the D:\ volume as a thawed partition / ThawSpace and will use the directory “WLAN” as a folder for storage of the script and the profiles.
This installation folder can be changed by editing the installation script so that the folders are created in the right location, and by editing the scheduled task templates to allow them to execute the script from the correct location.
To uninstall the script remove the scheduled tasks from the Faronics folder in the Task Scheduler;
Once these triggers are removed the script, backup files, and directory can be deleted.
Limitations / Constraints
In the current state this script does not implement any error checking or handling. Any problems with the script will require modification to test out and determine the cause of any problem on a manual basis.
Security of Exported Profiles
At this time no security regarding the export of the existing wireless profiles has been implemented. As the export of the profiles is being done to an XML format this will leave the passphrases for the wireless networks in a human readable format on the system. If customers have devices connected to wireless networks where the passphrase needs to be kept secure this script should not be implemented as it will make this information more easily accessible to someone who may wish to do so.
In reality an attacker can simply run the same commands used in this script to export the wireless network details manually, but this does place the files in a centralized location automatically.
While it may be possible to restrict access to this folder using security options in the file system we have not tested this internally at this time.
Security of Imported Profiles
At this time we do not validate that the profiles being imported are ones that should be imported. Any valid XML file will be imported into the system - even if the user places the XML file there manually or edits the existing file to reflect alternative settings. This may allow the user to import wireless networks that the system administrator does not want them to have access to.
At this time we have not investigated what happens if you attempt to export a invalid profile, or one that has been specifically crafted for malicious purposes.
Types of Networks
At the time of writing this document we have only tested this script with WPA2 type networks configured with a passphrase for the purpose of authentication.
No testing has been done in situations where more advanced network configurations are implemented. No provision has been made to backup security certificates associated with some types of network connections.
At this time the script does not have a provision for removing wireless networks from the system. If users forget (remove) a wireless network on the system that we have already backed up, that wireless network will be added to the system again after the computer reboots.
To remove the wireless network the corresponding XML file will need to be manually deleted from the backup location.