Solved

Prevent mobile users from accessing unauthorized WiFi networks

Posted on 2006-06-27
13
574 Views
Last Modified: 2013-11-24
We want to prevent our mobile users from taking company laptops and connecting them to WiFi networks that they have not been authorized to access (e.g. Starbucks, airports, hotels, etc.).

Most users are running either Windows XP or Windows 2000.  

Any way to do this?
0
Question by:markparr
13 Comments
 
LVL 2

Accepted Solution

by:
abarneslouortho earned 125 total points
ID: 16993212
If you lock them down from being able to install another network adapter, and then disable their ability to change network settings through AD, that should do the trick.

You'll have to set their settings to have the ones you want them to be able to access set as preferred networks, then tell Windows to not automatically connect to non-preferred networks. After that, like I said, just remove the right to change network settings.
0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 16993771
If there is no other AP in the area, use a non-standard channel like ch#3. At the NIC, specify a fixed channel (disable autoscan). That way the laptop will be unable to connect anywhere else.
0
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16993793
True, until someone else has something set up on channel three.
0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 16994487
It should not, because this is not a standard usable channel.

The only 3 usable channels are 1, 6 and 11. Using any other channel in a multi-AP environment will cause interference due to overlapping frequencies. Then you will find any hotspot using other channels if designed by a professional.

0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 16994495
Oops, I meant:

...Then you WON'T find any hotspot using other channels if designed by a professional.
0
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16994510
Well, the problem still lies in keeping the user from changing that setting back.
0

Author Comment

by:markparr
ID: 16994528
The key thing for me is preventing them from messing w/ the wireless settings while they are out and about.  It's a management decision to prevent viruses, spyware, etc from getting on the laptops outside of our closed network.  The tighter the better.  We just want to say that SSID XXXXXX is the only one that they can access.
0
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16994573
Here, at the end of this article, this is how to do what I was talking about.
0
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16994580
0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 16995097
For most of my customers I use IPsec encryption. All incoming/outgoing connections are denied except the IPsec tunnel. Then wherever they connect (wired or wireless), they are using the corporate firewall as their default gateway.

For basic wireless security you may use directory/registry security settings allowing write privilege to the administrator account only. That way they won't modify NIC settings.

A lot of hotels still offer wired connections. Some hotels also give out their own USB adapter that will overcome adapter settings. They may connect at home too. This is why you should use protocol-based protection instead of adapter-based.
0
 

Author Comment

by:markparr
ID: 16995615
More background: There will be a variety of valid access points in our area that we are allowing laptop access back to the office network. However, these laptops are not for surfing the net, so we don't want the users getting them on another wireless access point some place (e.g. Starbucks) and getting out to the Internet. Obviously, there are some workarounds such as a wired connection, but if we disable and lock them down on all fronts -- wired and wireless -- hopefully it will be more of a hassle/deterrent to use a valid computer for those purposes.

All laptops will be used locally so hotel access was only an example.
0
 
LVL 2

Expert Comment

by:abarneslouortho
ID: 16995874
If you look in your pointed question post, I have a link to an excellent lockdown tutorial, which actually seems to be pretty easy to do.... I am planning on doing this in my office now!!! Just do what it says for the wireless, and lock down wired completely.
0
 
LVL 8

Expert Comment

by:Danny_Larouche
ID: 16995889
There is no way that I know to deny all but known (authorized) SSIDs. I recommend using IPsec tunneling as described in my previous post. The VPN server may accept tunnel connections from all or specific wired/wireless networks and prevent users from browsing the web. Using IPsec will provide secure access to your network.
0
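
For the "only SSID XXXXXX" policy asked about in this thread, Windows Vista and later (not the Windows XP/2000 machines in the question) ship `netsh wlan` filters that express an SSID allow list directly. The script below is an added example, not something posted by the thread's participants; the SSID names are placeholders, and it assumes an elevated prompt, English `netsh` output, SSIDs without spaces, and saved profile names that match their SSIDs.

```powershell
# Added example (not from the thread). Run elevated on Windows Vista or later;
# the netsh wlan context does not exist on Windows XP/2000.
# 'CORP-WLAN' and 'CORP-WLAN-BRANCH' are placeholder SSIDs.
$AllowedSsids = @('CORP-WLAN', 'CORP-WLAN-BRANCH')

# 1. Explicitly allow each authorized infrastructure SSID.
foreach ($ssid in $AllowedSsids) {
    netsh wlan add filter permission=allow ssid="$ssid" networktype=infrastructure
}

# 2. Deny every other infrastructure network and all ad hoc networks.
#    Allow entries take precedence over the denyall entries.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc

# 3. Remove saved profiles that are not on the allow list, so stale
#    hotspot profiles do not linger on the laptop.
#    Assumes English output, where profile lines look like
#    "    All User Profile     : <name>".
$profiles = netsh wlan show profiles |
    Select-String -Pattern 'Profile\s*:\s(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

foreach ($name in $profiles) {
    if ($AllowedSsids -notcontains $name) {
        netsh wlan delete profile name="$name"
    }
}

# 4. Print the resulting filter list so the change can be verified.
netsh wlan show filters
```

These filters only hold if users are not local administrators, and they do nothing for wired connections, which is the gap the IPsec-only approach in the thread addresses.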