Disable Laptop NIC when not connected to company network

Posted on 2009-02-08
Medium Priority
Last Modified: 2012-05-06

I need a way to disable the NIC on 50 laptops when they are not connected to the company network.

 They all must retain the ability to receive TCP/IP properties (DHCP) when transported to various remote locations on our company network. This part is already in place.

If they were to take the laptop home, the NIC  must be disabled or made inaccessible  somehow maybe using some local policy or multiple hardware profiles possibly..

Any help appreciated..
Question by:jammer310
  • 2
  • 2
LVL 23

Accepted Solution

Mysidia earned 668 total points
ID: 23584888
This is technically infeasible with standard OS tools.
Your computer can't determine if it's plugged into the company network or not, without the NIC being online.

You can configure an OU on your domain to deny user login (require domain verification for logon, and require login for unlock), except when a domain controller can be reached, and place the laptop machines'  Machine accounts in that OU.

Then the act of logging in to the computer won't be allowed when not plugged into the company network;  the downside is, troubleshooting tools will be unavailable, outside of safe mode/recovery mode/Boot CD, if the computer's network connection isn't operational.

You can configure the domain profile of the laptop to allow normal protocols in Group Policy settings for windows firewall,
and set the standard profile  to deny everything,
however this only effects incoming connections, not outgoing traffic.

What exactly are you trying to accomplish?

You could assign the network connections on laptops a static IP, instead of using DHCP.

Specify IP, Netmask, and default gateway.
Use an obscure IP range on your LAN, and the laptop cannot be plugged into other LANS, except ones that duplicate the unusual IP scheme.

Use group policy to deny non-admin access to network connection settings.
LVL 23

Assisted Solution

Mysidia earned 668 total points
ID: 23584906
*Deny access to network connections settings is a user policy however, and will effect users it applies to no matter what PC they login to.

I would consider making a separate domain for the laptops, and apply the extra lockdowns to users logging into that domain only.

Author Comment

ID: 23585564

Thanks for the reply!

I was trying to avoid reserving 50 IPs/gateways x 12 remote Domain controllers / supplying DHCP. Also not sure if there will be issues with multiple gateways and if there will be any performance issues.
The laptops have the DHCP client enabled so the users can travel to all 12 remote sites and just plug in.

I'm trying to find a solution to prevent communications (TCP/IP) outside the company LAN. If I had it my way, the laptops would never leave the property, but I'm dealing with an unreasonable IT Director that wants the users to be able to take the laptop home and use locally but no network access ( avoiding Virus/Trojans).

I was thinking of hardware profiles - one for comapny LAN and  non-company LAN which could disable the hardware but don't know if its possible. Or some type of policy. I like your proposed solution but allowing for local use introduces another complexity. It might be that I have to go with static IPs unless there are some policy tricks available.


Author Comment

ID: 23585820
Actually will something like this work..is it possible to create a local user account and using local computer policy disable the network card? So they can use there domain account when connected to the company LAN and their local user account when not connected to company LAN and network access controlled vial a local computer policy? Would something like this work?

LVL 16

Assisted Solution

by:Aaron Street
Aaron Street earned 332 total points
ID: 23586287
Sophos have a system called NAC (network access control) this is part of there anti virus solution. with this you can have the PC check if it is on a known network and if so allow access. If not it will disabable network access.

Or you can even have different fire wall setting epended on waht network it is connected to.

You can also set it up to denay access to the network if the machines antivirus is out of date, or its security settings are wrong.

ITs an expensive way to go but very secure and allows you a lot of control on the Net work access. you can also configure it to stop PC that should not have access to the network connecting.

There are a few different Network access solutions I jsut happen to know Sophos one.

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question