"(E-Mail Removed)" <(E-Mail Removed)> wrote in
news:#(E-Mail Removed):
>
> Hello,
>
> I'm looking for a way to help lock down wireless settings on our domain
> clients.
> What I would like to have is to have clients set up so that when they
> are plugged into a wired LAN, the wireless interface is disabled or
> disallowed.
> The only time they should be able to use the wireless is if the LAN port
> is disconnected.
> Is there a way to accomplish this with group policy?
> Or perhaps I am taking the wrong approach.
>
> What I'm worried about is having a user connected to our corporate LAN
> on the wired connection, then having their wireless connected to an open
> network, potentially allowing a machine to get compromised and creating
> a bridge to our LAN.
>
Hi Andy --
I ran your questions by a member of the wireless team, and his response is
below:
There isn't an easy answer because of the number of Windows XP/Vista/7
client and WS03/WS08/WS08 R2 domain options.
I am not aware of any setting in either WS03 or WS08 Group Policy that
provides the described functionality. Also, I don't believe the behavior of
simultaneous wired and wireless connections has changed since XP. The
functionality is best described in the following Cable Guy article: Windows
XP and Windows Server 2003 Behavior When Connected to Both Wired and
Wireless Networks [http://technet.microsoft.com/en-us/library/bb878031.aspx].
Regardless of whether the domain is WS03 or WS08, they should configure the
settings to prohibit Home Networking features on their network, to help
limit their exposure. Links to the WS08 version of the product help for
these settings are: Group Policy settings that prohibit home and small
office networking on your domain
[http://technet.microsoft.com/en-us/library/cc758455(WS.10).aspx]:
-- Enable or Disable Internet Connection Sharing by Using Group Policy
[http://technet.microsoft.com/en-us/l...0(WS.10).aspx]
-- Enable or Disable the Network Bridge by Using Group Policy
[http://technet.microsoft.com/en-us/l...3(WS.10).aspx]
Other pertinent settings:
In WS03-based Group Policy, on the Preferred Networks tab, they should
clear the check box for Automatically connect to non-preferred networks to
ensure that clients connect only to networks specified on the Preferred
Networks tab. This is described in the topic: Add, edit, or remove Active
Directory-based wireless network policies
[http://technet.microsoft.com/en-us/library/cc787324(WS.10).aspx]
In WS08 and WS08 R2-based Group Policy, there are several settings to limit
client wireless connectivity in both the XP Wireless Group Policy, and the
Vista Wireless Group Policy. By prohibiting domain users from creating
all-user profiles, and by specifying that only wireless profiles configured
by Group Policy are allowed, the administrator can pretty well restrict
client access to their domain wireless LAN. Because of the number of
options, it is probably best to say that there are a variety of settings
that an administrator can select from to prevent their clients from
connecting to undesirable wireless networks. These options are described
briefly in the Foundation Network Companion Guide: Deploying 802.1X
Authenticated Wireless Access with PEAP-MS-CHAP v2
[http://technet.microsoft.com/en-us/l...3(WS.10).aspx], in the
sections:
-- Configure Windows Vista Wireless Network (IEEE 802.11) Policies
[http://technet.microsoft.com/en-us/l...6(WS.10).aspx]
-- Configure Windows XP Wireless Network (IEEE 802.11) Policies
[http://technet.microsoft.com/en-us/l...8(WS.10).aspx]
Win7 wireless clients have an additional wireless feature (Wireless Hosted
Network) that is of concern, and which can only be managed through WS08 R2.
There's a conceptual article about the Hosted Network at: About the
Wireless Hosted Network
[http://msdn.microsoft.com/en-us/library/dd815243(VS.85).aspx]. To allow or
prohibit the Hosted Network feature by using Group Policy in WS08 R2, they
can follow the steps provided in the topic Configure Network Permissions and
Connection Preferences [http://technet.microsoft.com/en-us/l...dd759204.aspx].
Thanks --
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
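Since the reply above states that no Group Policy setting produces the "wireless off while the wire is up" behaviour, the following is an added example (not from the original thread, and not Microsoft's code) of how a client-side script can at least detect the dual-homed condition the question worries about, and optionally enforce the requested behaviour. It relies only on WMI (Win32_NetworkAdapter) so it runs under the PowerShell 2.0 that ships with Windows 7; PhysicalAdapter, NetEnabled and the Enable()/Disable() methods require Vista or later. Wireless adapters are recognised by a name pattern, which is an assumption: check the NetConnectionID and Name values on your own hardware before deploying. How it is deployed (GPO startup script, or a scheduled task fired on network-change events) is likewise your choice, not something the thread prescribes.

```powershell
# Added example, not from the original post or from Microsoft. Reports whether a
# wired and a wireless adapter are connected at the same time; with -Enforce it
# disables the wireless NICs while a wired link is up and re-enables them when
# the wired link is gone. WMI-only so it also runs on PowerShell 2.0 (Win7).
param(
    [switch]$Enforce   # default is report-only
)

# Win32_NetworkAdapter.NetConnectionStatus: 2 = Connected
$STATUS_CONNECTED = 2

function Test-WirelessAdapter {
    param([System.Management.ManagementObject]$Adapter)
    # Assumption: AdapterType reads "Ethernet 802.3" for both NIC kinds, so the
    # driver or connection name is the practical discriminator. Verify the
    # NetConnectionID / Name strings on your own hardware before relying on this.
    $pattern = 'Wireless|802\.11|Wi-?Fi|WLAN'
    return ($Adapter.Name -match $pattern) -or ($Adapter.NetConnectionID -match $pattern)
}

function Get-LinkState {
    # Returns one object describing wired vs. wireless link state on this host.
    $physical = @(Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.NetConnectionID })

    $wireless = @($physical | Where-Object { Test-WirelessAdapter -Adapter $_ })
    $wired    = @($physical | Where-Object { -not (Test-WirelessAdapter -Adapter $_) })

    $wiredUp    = @($wired    | Where-Object { $_.NetConnectionStatus -eq $STATUS_CONNECTED })
    $wirelessUp = @($wireless | Where-Object { $_.NetConnectionStatus -eq $STATUS_CONNECTED })

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        WiredUp          = @($wiredUp    | ForEach-Object { $_.NetConnectionID })
        WirelessUp       = @($wirelessUp | ForEach-Object { $_.NetConnectionID })
        WirelessAdapters = $wireless
        # The condition the original question is worried about.
        DualHomed        = ($wiredUp.Count -gt 0 -and $wirelessUp.Count -gt 0)
    }
}

$state = Get-LinkState

if ($state.DualHomed) {
    Write-Warning ("{0}: wired ({1}) and wireless ({2}) links are up at the same time" -f
        $state.ComputerName, ($state.WiredUp -join ', '), ($state.WirelessUp -join ', '))
}

if ($Enforce) {
    foreach ($nic in $state.WirelessAdapters) {
        if ($state.WiredUp.Count -gt 0) {
            # Wired link present: take the wireless NIC down. Disable() returns 0 on success.
            $rc = $nic.Disable()
            Write-Output ("Disabled {0} (rc={1})" -f $nic.NetConnectionID, $rc)
        } elseif ($nic.NetEnabled -eq $false) {
            # No wired link any more: give the wireless NIC back.
            $rc = $nic.Enable()
            Write-Output ("Enabled {0} (rc={1})" -f $nic.NetConnectionID, $rc)
        }
    }
}

# Report-only output, suitable for collection by an inventory or SIEM agent.
$state | Select-Object ComputerName, DualHomed, WiredUp, WirelessUp
```

Run without arguments from a scheduled task or logon script to get a one-line DualHomed report per machine; add -Enforce (the task must run with local administrator rights, because Disable()/Enable() need them) to turn the report into the behaviour the question asks for. Keep the Group Policy measures from the reply in place regardless: prohibiting Network Bridge and Internet Connection Sharing stops the host from forwarding between the two links even when the script has not yet run.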