Disable Laptop NIC when not connected to company network

Posted on 2009-02-08
Last Modified: 2012-05-06

I need a way to disable the NIC on 50 laptops when they are not connected to the company network.

They all must retain the ability to receive TCP/IP properties (DHCP) when transported to various remote locations on our company network. This part is already in place.

If they were to take the laptop home, the NIC must be disabled or made inaccessible somehow, maybe using some local policy or multiple hardware profiles possibly.

Any help appreciated.
Question by: jammer310
    LVL 23

    Accepted Solution

    This is technically infeasible with standard OS tools.
    Your computer can't determine if it's plugged into the company network or not, without the NIC being online.

    You can configure an OU on your domain to deny user login (require domain verification for logon, and require login for unlock), except when a domain controller can be reached, and place the laptop machines' machine accounts in that OU.

    Then the act of logging in to the computer won't be allowed when not plugged into the company network; the downside is, troubleshooting tools will be unavailable, outside of safe mode/recovery mode/Boot CD, if the computer's network connection isn't operational.

    You can configure the domain profile of the laptop to allow normal protocols in Group Policy settings for Windows Firewall,
    and set the standard profile to deny everything;
    however, this only affects incoming connections, not outgoing traffic.

    What exactly are you trying to accomplish?

    You could assign the network connections on laptops a static IP, instead of using DHCP.

    Specify IP, Netmask, and default gateway.
    Use an obscure IP range on your LAN, and the laptop cannot be plugged into other LANs, except ones that duplicate the unusual IP scheme.

    Use group policy to deny non-admin access to network connection settings.
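
Added example (not part of the original answer or thread): the per-profile firewall approach described above, written for Windows versions that ship the NetSecurity and NetConnection PowerShell modules (Windows 8 / Server 2012 or later, an assumption), where a default outbound action can be set per profile as well. It treats the Private and Public profiles as "not on the company network" and lists the outbound allow rules that would still pass traffic there.

```powershell
# Added example, not from the thread. Run in an elevated session.
# Assumes the NetSecurity / NetConnection modules (Windows 8 / Server 2012+).

# Profiles Windows applies when the connection was NOT authenticated
# against a domain controller (home, hotel, hotspot).
$offNetwork = 'Private', 'Public'

# Company LAN (Domain profile): block unsolicited inbound, allow outbound.
Set-NetFirewallProfile -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Anywhere else: block both directions by default.
Set-NetFirewallProfile -Profile $offNetwork -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# A default Block only stops traffic that no allow rule matches, so list
# the enabled outbound allow rules that still apply off-network for review.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Profile.ToString() -match 'Any|Private|Public' } |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayGroup, DisplayName, Profile -AutoSize

# Confirm the resulting defaults for every profile.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize

# Show which category each connected network currently falls into
# (DomainAuthenticated, Private or Public).
Get-NetConnectionProfile |
    Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
```

Verify on a test laptop that it still switches back to the Domain profile when reconnected to the company LAN, since the outbound block also applies to the traffic Windows uses to detect the domain unless an allow rule covers it. For the 50 laptops, the same profile settings would be delivered through Group Policy rather than run locally.
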
    LVL 23

    Assisted Solution

    *Deny access to network connections settings is a user policy, however, and will affect users it applies to no matter what PC they log in to.

    I would consider making a separate domain for the laptops, and apply the extra lockdowns to users logging into that domain only.

    Author Comment


    Thanks for the reply!

    I was trying to avoid reserving 50 IPs/gateways x 12 remote Domain controllers / supplying DHCP. Also not sure if there will be issues with multiple gateways and if there will be any performance issues.
    The laptops have the DHCP client enabled so the users can travel to all 12 remote sites and just plug in.

    I'm trying to find a solution to prevent communications (TCP/IP) outside the company LAN. If I had it my way, the laptops would never leave the property, but I'm dealing with an unreasonable IT Director that wants the users to be able to take the laptop home and use it locally but with no network access (avoiding viruses/Trojans).

    I was thinking of hardware profiles - one for company LAN and one for non-company LAN which could disable the hardware, but I don't know if it's possible. Or some type of policy. I like your proposed solution but allowing for local use introduces another complexity. It might be that I have to go with static IPs unless there are some policy tricks available.


    Author Comment

    Actually, is something like this possible: to create a local user account and, using local computer policy, disable the network card? So they can use their domain account when connected to the company LAN and their local user account when not connected to the company LAN, with network access controlled via a local computer policy? Would something like this work?

    LVL 16

    Assisted Solution

    by: Aaron Street
    Sophos have a system called NAC (network access control); this is part of their antivirus solution. With this you can have the PC check if it is on a known network and, if so, allow access. If not, it will disable network access.

    Or you can even have different firewall settings depending on what network it is connected to.

    You can also set it up to deny access to the network if the machine's antivirus is out of date, or its security settings are wrong.

    It's an expensive way to go but very secure and allows you a lot of control over network access. You can also configure it to stop PCs that should not have access to the network from connecting.

    There are a few different network access solutions; I just happen to know the Sophos one.
