restrict wifi access

by codyw725 / April 26, 2010 4:47 AM PDT

Long story short. I want to restrict my employees from logging into ANY wireless access point other than the one at our work. Employees have access to laptops for work use and I want to restrict them from being able to take the laptops home and using them on their home networks and then bringing them back to work to connect to the work's network. This will reassure that they are not bringing viruses from home and putting them on our network. Unfortunately since they are considered a "work tool" I cannot stop them from taking them away from work, but I would like to restrict them from connecting to any other access point other than ours at work. Any suggestions?

Not going to happen
by Jimmy Greystone / April 26, 2010 4:55 AM PDT
In reply to: restrict wifi access

It's not going to happen. I can think of a few ideas, but those can generally be worked around or will create other issues.

So what I'd propose is the following. Put out a memo about a new company policy. If a person takes their laptop home, connects it to some other wireless network, and it is then infested with malware, the costs associated with cleaning it will come out of their paycheck. You'll want to figure out some hourly rate to deal with this, and include it in the memo.

It's a reactionary measure as opposed to proactive, but Windows just isn't designed to be locked down like you want, so your best bet is to seek other methods.

Have You Tried This???
by Grif Thomas Forum moderator / April 26, 2010 9:39 AM PDT
In reply to: restrict wifi access

You don't mention the operating systems of the laptops involved, but this should get you started. It involves using Group Policy Editor to set up a single allowable wireless network, a white list. Still, as mentioned previously, there may be ways around it. You'll need to make sure that none of the users are admin users or they could change the policy. Unfortunately, I don't see this same setting on Windows XP.

How to Use Group Policy to Black/white List Wireless Networks in Vista & Windows 7

Hope this helps...

Grif

Thanks
by codyw725 / April 29, 2010 11:41 PM PDT
In reply to: Have You Tried This???

Thanks for your replies. I guess I should've mentioned a few things. First off the laptops are running Windows XP Professional. Second, the servers they are connecting to are Linux based servers and I'm utilizing Samba to interact with one another. I do NOT put the laptops on the domain so they are just local users so the only policies I can set are local based policies and I don't have Active Directory thanks to the Linux servers to implement any domain wide security restrictions. We do have a policy in place that is meant to "scare" end users from taking them home, but the bottom line is that unless someone does infect their laptop and then infects our network, I have no way of knowing for sure that someone isn't taking it home and I do not want to wait until our work network is infected before I find this out. Thanks for your posts.

Unfortunately
by Jimmy Greystone / April 30, 2010 1:32 AM PDT
In reply to: Thanks

Unfortunately, you have few options here. You can either wait, or just go in and lock the systems down individually and likely be called several nasty things by the users.

If you make sure they only have limited accounts, take away high risk programs like Internet Explorer, and make them present to you some kind of business related need for any program install (to be done by you after vetting the program) you will head off most of the common problems that will crop up, but also increase your workload.

The only other option is to just try and protect the servers as best you can, and wait for the inevitable infested laptop. Once word gets around about the consequences of such things, odds are it'll taper off a bit, but you're never going to prevent it entirely. Sorry, Windows is just designed to be too permissive.

FYI
by codyw725 / April 30, 2010 4:41 AM PDT
In reply to: Unfortunately

Just in case it might help anyone in the future, I've managed to find a workaround that makes me happy in the meantime. I've installed Prey from preyproject.com. It's basically a free open-source anti-theft program. I use it in standalone mode since I have my own webserver. Basically you set a specified time period it communicates with your webserver and looks for a .html page you specify (in this case I might the .html file relevant to that specific laptop so I know who is leaving the network). In my /var/www/html/access.log file of my server I can track when Prey attempts to look for my .html file and it will list the IP address it's coming from. I just wrote a simple script that sends me an email if the IP address it's coming from is different than my network, then I know it's coming from somewhere outside my network. Figured I'd post my solution in case it helps anyone else in the future.
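The log check described in this post, written out as an added example (not the poster's own script): it parses Apache combined-format lines from access.log, keeps only the Prey beacon requests, and reports any that arrive from a source IP outside the work network. The constructed log lines, the /prey/<laptop>.html naming of the beacon pages, the Prey user-agent string and the 203.0.113.0/29 work address range are all assumptions; emailing the result is left to the caller.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of Apache combined-format access.log lines (not from the
# original post). Each laptop fetches its own beacon page under /prey/.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2010:08:15:02 -0700] "GET /prey/laptop-03.html HTTP/1.1" 200 512 "-" "Prey/0.3"
203.0.113.5 - - [30/Apr/2010:08:35:10 -0700] "GET /prey/laptop-07.html HTTP/1.1" 200 512 "-" "Prey/0.3"
198.51.100.77 - - [30/Apr/2010:19:05:44 -0700] "GET /prey/laptop-07.html HTTP/1.1" 200 512 "-" "Prey/0.3"
203.0.113.5 - - [30/Apr/2010:08:40:00 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Public address range the work network presents to the web server (assumed).
WORK_NETWORKS = [ipaddress.ip_network("203.0.113.0/29")]

# Apache "combined" log format: ip ident user [time] "req" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Only beacon pages count; the file name identifies the laptop (assumed naming).
BEACON_RE = re.compile(r"^/prey/(?P<laptop>[A-Za-z0-9_-]+)\.html$")


def parse_line(line):
    """Return (ip, timestamp, laptop, user_agent) for a beacon request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed or non-matching line is skipped, not fatal
    b = BEACON_RE.match(m.group("path"))
    if not b:
        return None  # ordinary web traffic, not a Prey check-in
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ipaddress.ip_address(m.group("ip")), ts, b.group("laptop"), m.group("ua")


def off_network_checkins(log_text, work_networks=WORK_NETWORKS):
    """Beacon hits whose source IP lies outside every work network."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, laptop, ua = parsed
        if not any(ip in net for net in work_networks):
            hits.append({"laptop": laptop, "ip": str(ip), "time": ts.isoformat(), "agent": ua})
    return hits


if __name__ == "__main__":
    for h in off_network_checkins(SAMPLE_LOG):
        print(f"ALERT {h['laptop']} checked in from {h['ip']} at {h['time']}")
```

Because the web server sees the work LAN only as its public address, the check compares against that public range, not the internal one.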

Two remarks.
by Kees Bakker / April 30, 2010 5:43 AM PDT
In reply to: FYI

You were specifically asking for inhibiting wifi access. Don't these laptops have an ordinary wired Ethernet connection? That wouldn't be affected by wifi-blocking? Easy to use the laptop at home then while wife and kids use the other ones: all you need is a cable to the router.

All your employees have to do now to be free to use the laptop at home: go into task manager and kill that program. Or rename the exe-file or dll or whatever it is, so it isn't even started (but then they need to remember to rename it back when using the laptop at work).

It's not really 100%.

Kees

Wifi
by codyw725 / May 2, 2010 9:45 PM PDT
In reply to: Two remarks.

Actually the Ethernet port on the laptop has been completely disabled in the connection manager because we don't use the Ethernet ports at all and I've gone into the registry and restricted them from being able to open the connection manager. Unfortunately that is not an option for the wifi because I as the admin need access and since we don't utilize AD I can only implement local policies which in return affect the admin as well, no way around it. As for the program I use, it is 100%. If a user is given limited access user group, they aren't allowed to install any additional software, nor can they make any changes that will affect the system. The program I used actually works by utilizing a number of scripts to communicate back to my server. All you do is modify the security settings of the folder that has all the scripts and restrict access to the folder to everyone except the user you want to run the program, which in this case is administrator, so even if the end user tried to change the name of the folder, they can't. Then you just hide the folder, make sure you don't show hidden files and folders. I know if the user is savvy enough he can simply check the button to view the hidden files and folders, but since he can't modify it he can't change anything. So really it is 100% for me, just have to be smarter than your end users

The firewall approach.
by R. Proffitt Forum moderator / May 2, 2010 10:33 PM PDT
In reply to: restrict wifi access

For your research. Consider the DNS. It's port 43. A good firewall could be set to only allow DNS use on the DNS IP of your choice. This simple rule would give you control over all DNS name to IP resolutions.

Bob

dns
by codyw725 / May 3, 2010 12:26 AM PDT
In reply to: The firewall approach.

That would work locally at the work place, but once they got home I could not enforce those rules because the only firewall I can control is the Windows Firewall built into XP Professional, which doesn't really give me enough control to stop a user from accessing the internet from their home. I've found that some wireless adapter programs such as Intel provide a setting that you can provide the MAC address of the wireless access point and restrict the computer to that specific access point, but I do not have Intel wireless cards, mine are Dell.

Actually it does.
by R. Proffitt Forum moderator / May 3, 2010 1:01 AM PDT
In reply to: dns

We don't want to talk about the match of wits of user versus the admin that wants to control the machines. For example a boot off USB or other lets me run XP, Linux and many other OSes of my choice and access that hard drive.

You have to decide how far you must go in this match of wits.

In closing many shops are moving away from network shares and to web apps which don't have the problems you are trying to avoid.

Bob

Correct
by codyw725 / May 3, 2010 1:42 AM PDT
In reply to: Actually it does.

You are absolutely right, eventually the line has to be drawn to how locked down you make a computer, but you can never be too cautious. Unfortunately most car dealerships don't have much control over the shop programs because they are all controlled by Chrysler so they have the final say so in what programs are used. Almost all their applications are web based now, which is why the users have laptops because most of the web based applications interact with their diagnostics software and they need to have the laptop in the car to perform them so I'm stuck with the laptops for now. Thanks for all your inputs!
