Windows XP Blocking 802.11 Wireless Network SSID
I'm a network administrator of a small school district and I need to find out how to block a rogue SSID.
Background Info:
I have four sites and have a wireless (WPA) network between the sites. My wireless is working very well, beside the small pockets of dead space due to concrete and metal.
We are a 2003/2008 AD with 100% XP SP2 and 70% of my end-users utilize the our school district's wireless through laptops. While my wireless SSID is "School_...." a neighbor of one of my sites is running an unsecured "Linsys" SSID.
Due to the amount of concrete and metal in our school the laptops are exposed to frequent but quick drops as staff move through the buildings. When the laptops drop the "School_.." SSID, it of course looks for the network and at times picks up the "Linksys" SSID instead.
My searching has found some solutions, but the main focus to these solutions is to turn off XP's Wireless Zero Config service. I started running a command line via a startup script to disable Wireless Zero (c:\windows\system32\net.e
This actually worked except now when my users experience the known drops in our network their laptops do not auto-connect to the "School_..." SSID as I would like them to.
So long story short my question is, "How do I block the rogue SSID "Linksys" from the neighbor?" Can I ban that from the laptops? And how to I ban it only when my users are on my network. They take their machines to other locations and there is a slim chance that one of those locations may have a network SSID of "Linksys" so I dont want to perma-ban the SSID.
Any help would be appreciated.
Background Info:
I have four sites and have a wireless (WPA) network between the sites. My wireless is working very well, beside the small pockets of dead space due to concrete and metal.
We are a 2003/2008 AD with 100% XP SP2 and 70% of my end-users utilize the our school district's wireless through laptops. While my wireless SSID is "School_...." a neighbor of one of my sites is running an unsecured "Linsys" SSID.
Due to the amount of concrete and metal in our school the laptops are exposed to frequent but quick drops as staff move through the buildings. When the laptops drop the "School_.." SSID, it of course looks for the network and at times picks up the "Linksys" SSID instead.
My searching has found some solutions, but the main focus to these solutions is to turn off XP's Wireless Zero Config service. I started running a command line via a startup script to disable Wireless Zero (c:\windows\system32\net.e
This actually worked except now when my users experience the known drops in our network their laptops do not auto-connect to the "School_..." SSID as I would like them to.
So long story short my question is, "How do I block the rogue SSID "Linksys" from the neighbor?" Can I ban that from the laptops? And how to I ban it only when my users are on my network. They take their machines to other locations and there is a slim chance that one of those locations may have a network SSID of "Linksys" so I dont want to perma-ban the SSID.
Any help would be appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Unless they add the network themselves.
I have also worked in schools and had similar problems, in the end we contacted the owner of the network. Turns out they didn't even know anything about security and were happy for us to secure their router for them including hiding the SSID. End of problem.
End of problem, but just until another pops up. I like to take routes that permanently resolve the problem. The GPO is a pretty simple way to go, and with the CIPA requirements today, you wouldnt want a rogue AP to show up without you knowing. This can turn into a bad situation quick.
ASKER
You guys are great.
chuckycharms: Yes the GPO is definately the way to go, but the setup in the "Preferred Settings" for the wireless policy does not allow me to enter in the pre-shared key. All of the laptops currently have the school's network on them as its part of my imaging process, can I say in the policy simply that they should not connect to any new networks or do I still need to define the "School_.." SSID as an acceptible network?
chuckycharms: Yes the GPO is definately the way to go, but the setup in the "Preferred Settings" for the wireless policy does not allow me to enter in the pre-shared key. All of the laptops currently have the school's network on them as its part of my imaging process, can I say in the policy simply that they should not connect to any new networks or do I still need to define the "School_.." SSID as an acceptible network?
ASKER
jdecker89:
While I completely agree to consult the neighbors about their wireless security hole, it's difficult situation though. There are roughly 30 homes that it could be transmitted from and if I cannot find the owner of the AP in the end, I've inadvertantly advertised free internet to the rest of the neighbors. I'll let my administration decide.
While I completely agree to consult the neighbors about their wireless security hole, it's difficult situation though. There are roughly 30 homes that it could be transmitted from and if I cannot find the owner of the AP in the end, I've inadvertantly advertised free internet to the rest of the neighbors. I'll let my administration decide.
If the staff are allowed to take their notebooks off campus, then I would steer clear of defining the acceptable networks. As this GPO will still take affect when they leave the network. You still want them to be able to add their home AP or while traveling. If you have the pre-shared key already defined in the notebooks, then their really isnt a reason to define it in the GPO. If your like me, even though I have a large network managing this is pretty simple. Once the key and networks are in there from your intial setup, which they always will be, its not bad to troubleshoot a little here and there when a new laptop comes in or someone really botches their setup. Rarely happens.
ASKER
Hmm... well something didn't go well. I put the policy into effect for a portion of a site:
Wireless Network Policy:
"School_..." with the known SSID and unchecked "allow to connect to non-preferred".
and unfortunately it took the working machines off the wireless network. Not totally off, but as I went to the machines they still have the known SSID in their preferred, but its not connecting.
I think that the PSK got wiped for the saved network and they just sit there not communicating. Anyway around re-connecting those machines again via GPO or batch file?
Wireless Network Policy:
"School_..." with the known SSID and unchecked "allow to connect to non-preferred".
and unfortunately it took the working machines off the wireless network. Not totally off, but as I went to the machines they still have the known SSID in their preferred, but its not connecting.
I think that the PSK got wiped for the saved network and they just sit there not communicating. Anyway around re-connecting those machines again via GPO or batch file?
Oops, aye? Probably should test that on a small test group next time, :).
If you remove the GPO, good chance the previous connections will come back.
Check this out
http://technet.microsoft.com/en-us/library/cc784620(WS.10).aspx
If you remove the GPO, good chance the previous connections will come back.
Check this out
http://technet.microsoft.com/en-us/library/cc784620(WS.10).aspx
ASKER
Follow-up:
Actually yes test OU is always the way to go. Looks like I will end up having to touch each of the laptops to the network as once the GPO was applied it dropped them from the wireless and I'm had to connect them via cat-5 just to gather than the GPO was removed. (Ugh... headache)
So as I stumble through this process, I'm reading in other posts that the key cannot be presented through GPO as that is an inherent security risk. I'll have to create another question on how I should have setup my wireless. As my current "home config" type of PSK setup on the laptops obviously isn't AD/GP friendly.
I'll update after I touch the machines. At least I learned something new :)
Actually yes test OU is always the way to go. Looks like I will end up having to touch each of the laptops to the network as once the GPO was applied it dropped them from the wireless and I'm had to connect them via cat-5 just to gather than the GPO was removed. (Ugh... headache)
So as I stumble through this process, I'm reading in other posts that the key cannot be presented through GPO as that is an inherent security risk. I'll have to create another question on how I should have setup my wireless. As my current "home config" type of PSK setup on the laptops obviously isn't AD/GP friendly.
I'll update after I touch the machines. At least I learned something new :)
Sorry you had to go through that! The best will be to move to WPA, research that first. GP works really well with it, that is what I have implimented her in my district.
ASKER
We are running WPA-PSK, but I must have gone the SOHO route when setting things up instead of integrating into AD properly. I manually set the PSK to be the same on all the APs, it's actually working great except for today :) (learning lesson)...
Do you have any links that show how to properly setup the WPA so I can then have AD/GPO manage the wireless?
Do you have any links that show how to properly setup the WPA so I can then have AD/GPO manage the wireless?
ASKER
The wireless network policy is definately where AD can manage your user's wireless settings. Be sure to do some serious testing before implimentation though.
https://www.experts-exchange.com/questions/23845865/Use-Group-Policy-to-block-joining-of-certain-Wireless-SSID.html