Any way to lock a laptop to a specific SSID network? 1

[BobMCT]

As the subject states...
I've read seemingly both sides of this argument with some saying its possible and others saying its not.

In a small shop of 6 laptops I am looking for a way to lock the wireless network connection to a specific SSID. Any way to achieve this with XP Pro?

Thanks

 

[kjv1611]

One thing you could do (not ideal, really) is to select any of the networks you DON'T want to connect to, and set them to "do not connect automatically". I suppose what you'd have to do initially is attempt to connect, and configure that network, but once it is set, it should be set for good.

Then the one you want to automatically connect to, you leave it to "automatically connect when in range", and I'd imagine that'll do the job.

 

[Tatertot45]

Not sure if you are using Windows to manage the wireless connections, or some other program, but try setting up the preferred network as a profile, then set the application to only auto connect to connections that have a profile. Then make sure the setting that allows a computer to connect "to any available network that is within range" is unchecked, or turned off. Then... see if you can lock the application down from an administration standpoint. That is how I set my laptop. I have a few wireless signals that i truly trust, set them as a profile, then set every other signal to be manual.

Good luck...

 

[GrimR]

All my wireless devices allow you to deny access via mac address, so why not do that.

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP

 

[BobMCT]

GrimR:
The issue is NOT to deny access to the preferred network but to PREVENT the laptop from accessing any OTHER wireless network within range. Especially if/when the laptop is being used by someone with just a "little bit of knowledge".

These are training laptops and the desire is to keep them connected to ONLY the training SSID.

 

[aich69]

You could take a look at MS's product 'SteadyState' -

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

It might not let you lock down the wireless use directly but it would allow you to stop any changes being made by the user in regards to networking (or most anything else of your choosing). I used it to lock down PC's for public internet use at an organisation I worked for, locked them in to IE use only.

If these are training laptops it might be of even more benefit...lock down as much or a little as you like.

I used to have a handle on life... but it broke. Cpt. Red Bull

 

[cdogg]

I was curious and did a little research. Unfortunately I didn't find any real solution and instead a lot of suggestions that this is not natively supported in XP. Check the following link out. A post by BK Rogers shows how to block known SSID's. Of course, that doesn't prevent all access, but would allow you to enter a lot of common SSID's in an attempt to block most access. You could also investigate the network connections history over time and add ones that slip by to the list.

http://social.technet.microsoft.com...P/thread/baec52c0-d8c8-4420-a83b-86615be149fe

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Einstein
[tab][navy]For posting policies, click [/navy]here.

 

[goombawaho]

Solution here: Disable wireless card/radio, run CAT5 cable. No more relying on/connecting to ANY SSID.

I know - not what you asked, but that's the sure fire way to guarantee a connection to a specific network.

Or you could ask your wireless SSID neighbors to put security on their networks so that your users CANNOT connect.

This is more of a behavioral problem than a technical problem.

 

[flyboytim]

Something to try:
Disable the DHCP server on the training wireless router or access point.
Set up static IP addresses from the same range on wireless adapters on your training laptops, and on your wireless router - choose a range outside the most common choices from:

10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255

something like 172.17.172.0-255 is unlikely to be used anywhere else on neighbouring wifi networks.

Set up wireless security mode on all clients as normal.

 

[cdogg]

flyboytim,
That's definitely good advice but the problem here is how to prevent a particular laptop from connecting to other wireless networks.

 

[goombawaho]

Don't take this the wrong way, but are your users real jerks or what??? What's the real story about what's happening here in term of user behavior? Can you threaten them with termination if they don't adhere to a policy??

Ethernet cabling AND disabling (or removing) the wireless card is the only way you're going to prevent "wandering SSID" usage behavior.

 

[GrimR]

I think this is what you after

http://www.tomstricks.com/how-to-ma...-netsh-command-line-utility-in-windows-vista/

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP

 

[GrimR]

sorry that will only work on Vista, damn.

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP

 

[goombawaho]

I'm wondering if I'm talking to myself. Everyone is trying to solve this in terms of being a pure technical issue, but it's really not a technical issue.

Even if you had a WIRED network and removed their wireless card, they could bring a USB network card from home and start connecting again if they really wanted to. See what I mean??

 

[BobMCT]

Goombawaho: here's my $.02 USD worth...

You are absolutely correct (in a perfect world). But experience has shown that we all work in a different one. My original request specifically deals with eliminating the network wires in a portable facility setup/torn down daily, AND attempting to keep the laptop users OFF non-authorized networks. Not because of loyalty or attention. But for security compliance reasons. The information on the laptops is both proprietary AND confidential and even the slightest inkling of the ability for any user to connect to an unauthorized network could violate compliance.

Of course, I don't make the rules. I just have to assure they are being adhered to.

And yes, portable plug in adapters are a possibility and I might even have to consider a conductive metal screened in enclosure to house all these users!!! But, none the less, someone has to come up with a viable solution.

I was hoping, although not expecting, there was an easy technical way to achieve this.

B

 

[kjv1611]

What about a script... that runs on the PCs, and has a set list of "approved" SSIDs. As soon as it runs, finding someone to connecting to a "non-approved" SSID, it could disconnect them from that, and connect to the strongest "approved" SSID.

Well, that's just a guess at it, anyway. Of course someone would have to be able to write the script to begin with.

 

[goombawaho]

I'm not trying to be an idealist or a jerk and I do sympathize, but...... What about my "threat of termination" comment? Surely you can get YOUR management to put the fear of god into them and thus modify their behavior. Management should be especially accommodating to IT since they don't want to provide a proper wired network environment in which their users will operate. A wired network, by its very nature, ENSURES compliance to your policies.

A wired network is always preferable to wireless unless there is an absolute inability to route wires to a location.

So, tell them you can't fix the technical issue and they have to fix the behavioral issue. Or upgrade to Vista and use the tip above from GrimR (unconfirmed by me).

 

[flyboytim]

There's a discussion of this problem here:

http://searchnetworking.techtarget.com.au/tips/23307-Wireless-security-Defending-Wi-Fi-clients

 

[cdogg]

goombawaho,
In smaller organizations where the CEO knows most of the employees by name and worships the IT department (or IT guy), you just might have a slim chance in persuading management to put threats out there or spend money on infrastructure upgrades. Unfortunately that's just not as easy as it sounds in larger environments. Upper management is usually hell bent on maintaining a good PR image by avoiding harsh or threatening language in its policies. No one wants to hang a PR target on their back, no matter how effective it is in keeping employees in check. Besides, pushing back from IT onto leadership may come off sounding the wrong way as if you're saying, "Hey, this is your problem. You deal with it.".

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Einstein
[tab][navy]For posting policies, click [/navy]here.

 

[goombawaho]

I'm not buying that. It should be the other way around. Larger companies have more to lose by allowing employees to do as they please and it's harder to monitor them without sophisticated software to monitor/prohibit.

In smaller organizations, it's easier to use the big brother approach and look over shoulders.

PR isn't worth much if people are doing damage to the company's bottom line or getting secret data hacked.

IT has to be empowered by management to set and enforce policies. Your idea leads to chaos via wimpy IT management. I've seen it in action before - it's sad.