Blocking Domain Computers from Public Wi-Fi

Quick question... is there a way via script, registry entry, or GPO to block my laptop users from specific Wi-Fi networks around my office? We currently have a corporate encrypted wireless with RADIUS server, authentication via GPO, etc., and this also goes through my "Web Blocker" to access the "bad" sites (sports, YouTube, porn, etc.). The issue is they can just detach from the corporate wireless and attach to someone's unencrypted, unsecured Wi-Fi and get to all kinds of good stuff. I'm sure I can write a GPO that ONLY allows them to access my corporate Wi-Fi, but then that pretty much makes their laptops useless outside the building.

Is there any way I can add, like, a list of denied Wi-Fi networks?

Thanks in advance
mkmcgohan Asked:

ThatSharepointGuy Commented:
Well, you could build yourself a Faraday cage, but...
http://en.wikipedia.org/wiki/Faraday_cage
That's too expensive :)

You could also get some fly-screen (aluminum only though). Sort of like chicken-wire.
However, in order to do that you'd basically want to cover all the windows in your office, which isn't feasible, unless you're in a less-than-savory neighborhood.

You can't "block" someone else's signal... short of accessing their router and doing some less-than-friendly things to have it not broadcast. But that's illegal, and not good.

One of the other things I can think of, and keep in mind, I've never done this...

Create a registry hack that will change the way the wireless works on your clients to only connect to preferred networks. And then we'd have to find some way to disable the adding of networks to the preferred networks list.

So then your clients could ONLY connect to preferred networks, but couldn't add them without permission, thus leaving yours only.
0
network226637 Commented:
Check this out:
http://www.pcworld.com/businesscenter/article/158288/block_wifi_intruders_with_a_secure_paint_job.html

They make a paint that can block wireless signals.  Might be too extreme but it would block outside laptops from getting into your network and inside laptops from getting outside of your building.

Just a suggestion.
0
naykam Commented:
Unfortunately, Windows XP does not allow such a feature, but Windows Vista and Windows 7 do:

Inside Group Policy, go to Computer Configuration > Security Settings. You'll notice a node called Wireless Network (IEEE 802.11) Policies. When you create a new policy, you would set up the details of your wireless network. You also have the option to only connect to preferred networks. This will only allow the client to connect to the networks in the list.

Another thing you could do is give your wireless network and default gateway a strange IP range. Then you could give all wireless adaptors a fixed IP that the user cannot change. That way, if they connect to another network, they won't be able to get an address and route internet traffic.
0
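The deny list asked about in the question can be built on Windows Vista and Windows 7 clients with `netsh wlan` block filters. This is an added example, not part of any post in the thread; the SSIDs are constructed placeholders and the function names are hypothetical.

```powershell
# Added example: SSID deny list using netsh wlan block filters.
# Must run elevated (for instance as a computer startup script).
# The SSIDs below are constructed placeholders, not values from the thread.
$DeniedSsids = @('NeighborCafe-Guest', 'linksys', 'FreePublicWiFi')

function Test-Ssid {
    param([string]$Ssid)
    # An 802.11 SSID is 1 to 32 bytes long. Double quotes are rejected so
    # the value cannot break out of the quoted netsh argument.
    $byteCount = [System.Text.Encoding]::UTF8.GetByteCount($Ssid)
    return ($byteCount -ge 1 -and $byteCount -le 32 -and $Ssid -notmatch '"')
}

function Add-WlanBlockFilter {
    param([string]$Ssid)
    if (-not (Test-Ssid $Ssid)) {
        Write-Warning "Skipping invalid SSID: '$Ssid'"
        return $false
    }
    # permission=block stops the client from connecting to this one SSID;
    # every network not named in a block filter is left untouched.
    $output = & netsh wlan add filter permission=block ssid="$Ssid" networktype=infrastructure 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed for '$Ssid': $output"
        return $false
    }
    return $true
}

# Apply the deny list and keep one result row per SSID.
$results = foreach ($ssid in $DeniedSsids) {
    New-Object PSObject -Property @{
        Ssid    = $ssid
        Blocked = (Add-WlanBlockFilter $ssid)
    }
}
$results | Format-Table Ssid, Blocked -AutoSize

# Show the filters now in effect, both Group Policy and locally defined.
& netsh wlan show filters
```

Because the filters match on SSID only, home and coffee-shop networks stay usable unless they share a name with an entry on the list, and a neighbouring network that is renamed is no longer covered. The same allow/deny entries can be set centrally on the Network Permissions tab of the Vista-and-later wireless policy in Group Policy.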


naykam Commented:
Sorry, I re-read the question.

But I still think your problem is when users go home / away from the office. Because no matter how you lock it down, that has to be reversed for when they get home. It seems to be very messy and may involve a lot of scripting (log off / log on).
0
mkmcgohan (Author) Commented:
Yes, I think you answered your own question there, naykam. At work, connected to my network and wireless, I want them locked; at home or in some coffee shop they are free. It's a tough one, but I didn't think it would be so difficult. I'm really trying to stay away from a VPN solution where all traffic must be tunneled to me. We are not that strict. A GPO setting stating if you authenticate to a DC (domain controller) your wireless settings are under my control and they cannot change, but if you don't authenticate to a DC you are free to choose a Wi-Fi connection. Uggh, I feel a long and nasty script coming....
0
jparedis Commented:
What is your server version?
In Windows 2008 Active Directory, you can apply WMI filters to a specified group policy object.

That way you can say (for example): if the computer cannot reach the domain controller (by using a WMI type of "ping"), then remove restrictions.
0
mkmcgohan (Author) Commented:
This does not seem too possible without writing a nasty script.
0
ThatSharepointGuy Commented:
Well, you were given "answers", however your choice in deciding not to use them does not constitute not assigning points to the Experts who offered their time and ideas to you.

This might just be me being antsy since it's almost time to go home for the day... but...

If you offer to pay me $5 to tell you how to bake a wonderfully delicious pizza, and I tell you... and then you choose NOT to pay me because you think it's going to be messy with so much sauce... that's not my fault. I told you how to bake a pizza, so I deserve the $5... it's your choice whether you follow up on it or not.
0
mkmcgohan (Author) Commented:
Well, if you gave me a recipe for the pizza I'd give you the $5, but if I tell you I'm hungry and you tell me to eat a pizza.... A Faraday cage? Magic paint? A wonderful script?
0
mkmcgohan (Author) Commented:
Did not receive a viable solution.
0