Managing a school network can be challenging, and you always have to keep up with new security problems. Students now put their cell phones in their bags with the hotspot turned on and then connect school computers to that hotspot to reach websites like Facebook. Therefore it is necessary to control which wireless networks students can connect to. There are more sophisticated ways, such as setting up a RADIUS server, but in this post I will describe the simplest way: forcing computers to connect only to a defined list of wireless SSIDs and pushing that list out via a Group Policy object (GPO).
Please note this works with Server 2008 and even Server 2003 if you have the updated version.
Steps to Control Wireless Networks using GPO:
- First put all the wireless computers you want to control into one organizational unit (OU).
- Now open the Group Policy Management Console.
- Navigate to the OU that contains the computers you wish to control.
- Either create a new GPO and name it something like Wireless Policies or use a GPO already created for those computers.
- Edit the GPO and navigate to: Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Wireless Network (IEEE 802.11) Policies
- Right-click the policy or in the window and click “Create a New Wireless Network Policy for Windows Vista and Later Releases”. You can also create XP policies, but I am only going to go over Windows Vista/7, as you should be using Windows 7 by now.
- Now there are 2 Tabs: General and Network Permissions
- In the General Tab: Give the policy a name and description
- Do not add your networks here. This would be for more advanced settings like 802.1X or Microsoft Protected EAP, etc.
- Now that the policy is named and has a description click on the “Network Permissions” Tab
- Under the “Network Permissions” Tab click “Add” and type in the SSID of the wireless network you want them to connect to. For Network Type choose “Infrastructure” and for Permission choose “Allow”.
- Now click OK and place check marks next to the settings you need. I suggest enabling these settings:
  - Prevent connections to ad-hoc networks
  - Prevent connections to infrastructure networks
  - Only use Group Policy Profiles for allowed networks
  - Don’t allow hosted networks
*Note: these settings will block computers from connecting to new wireless networks. If a wireless network is allowed through another GPO, you will need to specifically disable that wireless network. To do that, use the “Add” button to add the SSID and then choose the Deny permission to block users from connecting to that wireless network. In the screenshot below, the policy blocks users from connecting to the Linksys network while allowing access to the MySSID network. The check boxes in this screenshot keep the user from connecting to new wireless networks.
- Choose OK, and once all the computers update with the new GPO these settings will be applied.
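
To confirm on a client that the policy from the steps above actually arrived, this added example (not part of the original post) parses `netsh wlan show filters` and compares the Group Policy allow list with the SSIDs you expect. The parameter names, the helper function and the sample output are constructed for illustration, and the output layout is assumed to be the English-language one.

```powershell
# Added example, not from the original post: audit which wireless filters a client received.
param(
    [string[]]$ExpectedAllow = @('MySSID'),  # SSIDs the GPO should allow (assumption)
    [switch]$Live                            # parse this machine's netsh output, not the sample
)

# Constructed sample of English-language "netsh wlan show filters" output (assumed layout).
$Sample = @'
Allow list on the system (group policy)
---------------------------------------
    SSID: "MySSID", Type: Infrastructure

Allow list on the system (user)
-------------------------------
    <None>

Block list on the system (group policy)
---------------------------------------
    SSID: "Linksys", Type: Infrastructure

Block list on the system (user)
-------------------------------
    <None>
'@ -split "\r?\n"

function Get-WlanFilter {
    param([string[]]$Lines)
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Allow|Block) list on the system \((group policy|user)\)') {
            $section = @{ List = $Matches[1]; Source = $Matches[2] }   # section header
        }
        elseif ($section -and $line -match 'SSID:\s*"(.*)",\s*Type:\s*(\w+)') {
            New-Object psobject -Property @{ List = $section.List; Source = $section.Source
                                             SSID = $Matches[1]; Type = $Matches[2] }
        }
    }
}

$text    = if ($Live) { netsh wlan show filters } else { $Sample }
# Only entries delivered by Group Policy matter here; user-created filters are ignored.
$gpo     = @(Get-WlanFilter $text | Where-Object { $_.Source -eq 'group policy' })
$allowed = @($gpo | Where-Object { $_.List -eq 'Allow' } | ForEach-Object { $_.SSID })
$blocked = @($gpo | Where-Object { $_.List -eq 'Block' } | ForEach-Object { $_.SSID })
New-Object psobject -Property @{
    MissingAllow    = @($ExpectedAllow | Where-Object { $allowed -notcontains $_ })
    UnexpectedAllow = @($allowed | Where-Object { $ExpectedAllow -notcontains $_ })
    BlockedByGpo    = $blocked
}
```

Run `gpupdate /force` on the client first, then run the script with `-Live`; an empty `MissingAllow` and `UnexpectedAllow` means the Group Policy allow list matches what you intended.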