One of the things that always seems weird about wireless networking is
that companies typically go to great lengths to make sure that their
wireless networks are secure, but oftentimes do nothing to ensure that
employees are actually connecting to the correct network. In fact, I
recently received an e-mail from someone who had worked diligently to
make sure that their network was secure. One of the users on their
network ended up with a rather serious malware infection. An inspection
of the user's browser cache revealed that the user had been surfing adult
websites. At first, the administrator was a little bit confused because
software was in place to prevent access to these types of sites. Further
investigation revealed that the user was circumventing network security by
simply attaching to an unsecured wireless network down the street. Fortunately,
it is possible to prevent this type of behavior by setting some group policies.
In this article, I will show you how.
How is it Possible?
The first time that I ever heard
about wireless group policies, the concept kind of messed with my mind. After
all, it seems a little bit strange to be able to set a group policy that
regulates wireless access when the wireless access point is not even aware of
your Windows domain, and is certainly not subject to any group policy settings.
The reason why group policies can be used to regulate wireless access is
that they can be applied to the end user's PC. As such, the group policy
does not control the access point, but rather how users' PCs connect to
the access point.
Relevant Group Policy Settings
It has actually been possible to regulate wireless connectivity through
group policy since Windows Server 2003. Unfortunately though, group policy
settings related to wireless access could only be enforced on client
machines that were running Windows XP. When Microsoft created Windows
Server 2008, they extended the wireless-network-related group policy
settings, and allowed those settings to be applied to both Windows XP and
Windows Vista.
To create a wireless security
policy, open the Group Policy Management Editor (GPME.MSC). When prompted,
choose the group policy that you want to edit, and click OK. Now, navigate
through the console tree to Computer Configuration | Policies | Windows
Settings | Security Settings | Wireless Network (IEEE 802.11) Policies. Be
careful to choose the correct container, because as you can see in Figure A,
there is a wired and a wireless network policy, and it's easy to accidentally
choose the wrong one.
Figure A: Choose the Wireless Network (IEEE 802.11) Policies container.
One of the things that you might
have noticed in the figure is that there are no default settings related to the
wireless network policy. The reason for this is that Microsoft requires you to
maintain separate policies for Windows XP and Windows Vista clients. If you
right-click on the Wireless Network (IEEE 802.11) Policies container, you will
see a shortcut menu that gives you an option to create either a new Windows
Vista policy or a new Windows XP policy. For the sake of demonstration, choose
the Create A New Windows Vista Policy option from the shortcut menu. When you
do, Windows will display the dialog box that is shown in Figure B.
Figure B: This is what it looks like when you create a new Windows Vista policy.
As you can see in the figure, this
dialog box requires you to enter a name for the policy that you're creating. I
would also recommend that you fill in the optional Description field as a way
of documenting what the new policy does.
The lower portion of the dialog box
allows you to enter the names of the preferred wireless networks in the order
that you want clients to attempt to connect to them. Simply click the Add
button, and you will be prompted as to whether you want to add an ad hoc
network or an infrastructure network. Assuming that you choose the option to
add an infrastructure network, there are a number of associated security
settings that you can include in the policy. I will show you the settings in
the next part of this article series.
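Because the policy is enforced on the client PC rather than on the access point, the client is also where you confirm that it arrived. The PowerShell below is an added example, not part of the original article: it parses the output of `netsh wlan show profiles` and separates profiles delivered by Group Policy from profiles the user created, flagging user-created ones that are not on an approved list. The function name, the `-ApprovedSsids` list, and the sample output are constructed for illustration, and the parser assumes the English-locale layout of the command's output and that each profile name matches its SSID.

```powershell
# Added example: classify wireless profiles on a client as Group Policy or user-created.
function Get-WlanProfileAudit {
    param(
        [string[]]$NetshOutput,     # lines from: netsh wlan show profiles
        [string[]]$ApprovedSsids    # hypothetical allow-list of corporate SSIDs
    )
    $section = $null
    foreach ($line in $NetshOutput) {
        $text = $line.Trim()
        if ($text -match '^Group policy profiles') { $section = 'GroupPolicy'; continue }
        if ($text -match '^User profiles')         { $section = 'User';        continue }
        # Skip blank lines, dashed underlines and "<None>" placeholders.
        if (-not $section -or $text -eq '' -or $text -match '^-+$' -or $text -eq '<None>') { continue }
        # A new interface header ends the current section.
        if ($text -match '^Profiles on interface') { $section = $null; continue }
        # Entries are either a bare name or "All User Profile : name".
        $name = ($text -replace '^(All|Current) User Profile\s*:\s*', '').Trim()
        [pscustomobject]@{
            Name     = $name
            Source   = $section
            # SSIDs are case-sensitive, so use the case-sensitive operator.
            Approved = $ApprovedSsids -ccontains $name
        }
    }
}

# Constructed sample output. On a real client use: $out = netsh wlan show profiles
$sample = @'
Profiles on interface Wireless Network Connection:

Group policy profiles (read only)
---------------------------------
    CorpWLAN

User profiles
-------------
    All User Profile     : CoffeeShop-Free
    All User Profile     : CorpGuest
'@ -split "`r?`n"

# Report user-created profiles for networks that are not on the approved list.
Get-WlanProfileAudit -NetshOutput $sample -ApprovedSsids 'CorpWLAN', 'CorpGuest' |
    Where-Object { $_.Source -eq 'User' -and -not $_.Approved }
```

With the sample above, the only row returned is `CoffeeShop-Free`, a user-created profile for a network outside the approved list.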
Conclusion
In this article, I have explained
why it is important to control how clients connect to wireless networks. I also
began showing you how to create a wireless network policy. I will conclude the
process in the second part of this article series.