One of the things that always seems weird about wireless networking is that companies typically go to great lengths to make sure that their wireless networks are secure, but often do nothing to ensure that employees are actually connecting to the correct network. In fact, I recently received an e-mail from someone who had worked diligently to make sure that their network was secure. One of the users on their network ended up with a rather serious malware infection. An inspection of the user's browser cache revealed that the user had been surfing adult websites. At first, the administrator was a little bit confused because software was in place to prevent access to these types of sites. Further investigation revealed that the user was circumventing network security by simply attaching to an unsecured wireless network down the street. Fortunately, it is possible to prevent this type of behavior by setting some group policies. In this article, I will show you how.
How is it Possible?
The first time that I ever heard about wireless group policies, the concept kind of messed with my mind. After all, it seems a little bit strange to be able to set a group policy that regulates wireless access when the wireless access point is not even aware of your Windows domain, and is certainly not subject to any group policy settings.
The reason why group policies can be used to regulate wireless access is that they can be applied to the end user's PC. As such, the group policy does not control the access point, but rather how users' PCs connect to the access point.
Relevant Group Policy Settings
It has actually been possible to regulate wireless connectivity through group policy since Windows Server 2003. Unfortunately though, group policy settings related to wireless access could only be enforced on client machines that were running Windows XP. When Microsoft created Windows Server 2008, they extended the wireless network related group policy settings, and allowed those settings to be applied to both Windows XP and to Windows Vista.
To create a wireless security policy, open the Group Policy Management Editor (GPME.MSC). When prompted, choose the group policy that you want to edit, and click OK. Now, navigate through the console tree to Computer Configuration | Policies | Windows Settings | Security Settings | Wireless Network (IEEE 802.11) Policies. Be careful to choose the correct container, because as you can see in Figure A, there is a wired and a wireless network policy, and it's easy to accidentally choose the wrong one.
Figure A Choose the Wireless Network (IEEE 802.11) Policies container.
One of the things that you might have noticed in the figure is that there are no default settings related to the wireless network policy. The reason for this is that Microsoft requires you to maintain separate policies for Windows XP and Windows Vista clients. If you right-click on the Wireless Network (IEEE 802.11) Policies container, you will see a shortcut menu that gives you an option to create either a new Windows Vista policy or a new Windows XP policy. For the sake of demonstration, choose the Create A New Windows Vista Policy option from the shortcut menu. When you do, Windows will display the dialog box that is shown in Figure B.
Figure B This is what it looks like when you create a new Windows Vista policy.
As you can see in the figure, this dialog box requires you to enter a name for the policy that you're creating. I would also recommend that you fill in the optional Description field as a way of documenting what the new policy does.
The lower portion of the dialog box allows you to enter the names of the preferred wireless networks in the order that you want clients to attempt to connect to them. Simply click the Add button, and you will be prompted as to whether you want to add an ad hoc network or an infrastructure network. Assuming that you choose the option to add an infrastructure network, there are a number of associated security settings that you can include in the policy. I will show you the settings in the next part of this article series.
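Because the policy acts on the client PC rather than on the access point, the place to confirm it arrived is the client itself. The following PowerShell function is an added example, not part of the original article: it parses the output of netsh wlan show profiles and flags profiles that did not come from Group Policy. It assumes English-language netsh output, the network name CorpWiFi is hypothetical, and the sample output is constructed.

```powershell
# Added example: list wireless profiles on a client and flag any that did not
# come from Group Policy. Assumes English-language netsh output (Vista or later).
function Get-WlanProfileAudit {
    param(
        # Output lines of `netsh wlan show profiles`; runs the command if omitted.
        [string[]]$NetshOutput = (netsh wlan show profiles),
        # Network names the policy is expected to deliver (hypothetical value).
        [string[]]$Approved = @('CorpWiFi')
    )
    $section = $null
    foreach ($line in $NetshOutput) {
        # Track which section of the output we are in.
        if ($line -match '^Profiles on interface') { $section = $null; continue }
        if ($line -match '^Group policy profiles') { $section = 'GroupPolicy'; continue }
        if ($line -match '^User profiles')         { $section = 'User'; continue }
        # Profile entries are indented; skip blanks, separators and "<None>".
        if (-not $section -or $line -notmatch '^\s+\S' -or $line -match '<None>') { continue }
        # Assumption: user entries read "All User Profile : name", and entries
        # in the Group Policy section are bare, indented names.
        if ($line -match '^\s+(All|Current) User Profile\s*:\s*(.+)$') {
            $name = $Matches[2].Trim()
        } else {
            $name = $line.Trim()
        }
        [pscustomobject]@{
            Name     = $name
            Source   = $section
            Approved = ($Approved -contains $name)
        }
    }
}

# Constructed sample output so the function can be tried offline.
$sample = @'
Profiles on interface Wireless Network Connection:

Group policy profiles (read only)
---------------------------------
    CorpWiFi

User profiles
-------------
    All User Profile     : linksys
'@ -split '\r?\n'

# CorpWiFi is reported as GroupPolicy/approved; linksys as User/not approved.
Get-WlanProfileAudit -NetshOutput $sample | Format-Table -AutoSize
```

Called without -NetshOutput on a client, the function audits the live profile list; a row with Source of User and Approved of False is a network the user added outside the policy.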
In this article, I have explained why it is important to control how clients connect to wireless networks. I also began showing you how to create a wireless network policy. I will conclude the process in the second part of this article series.