How to use Group Policy to control wireless access

Group Policy can be used to control wireless access in Windows networks. Find out which Group Policy settings you should create to accomplish this in this tip.

In this article, you will learn why controlling wireless access is a good idea and how to use Group Policy to accomplish this. Find out how to prevent users from connecting to other wireless networks, how to create wireless network security Group Policies and how the right Group Policy settings can protect your network from both external and internal threats.

Several years ago I was attending a conference, and listening to a speaker who said something that really caught my attention.

The statement that he made was that your company has a wireless network in place whether you realize it or not.

He was talking about rogue access points.

Unfortunately, there is no Windows setting that prevents the installation of rogue access points. An access point is a hardware device with its own built-in operating system, completely outside of Windows' control. At the same time, though, you can create a Group Policy setting that prevents workstations from connecting to any wireless networks other than the ones that you specify.

Why to control wireless access with Group Policy settings

These types of Group Policy settings accomplish two things. First, they actively discourage users from setting up rogue access points. After all, what's the point in setting up a rogue access point if you are not allowed to connect to it? Keep in mind, though, that a user could still set up a rogue access point, bring in his own laptop and try to use the access point to connect to the network. In such a case, the Group Policy settings that you have implemented would not stop the user from making the connection because those Group Policies would only apply at the domain, site or organizational unit level of the Active Directory. Since the user's laptop has not yet been joined to the Active Directory, none of these policies would apply. Nevertheless, you should have your network security set up so that only domain members have access to network resources. The combination of these factors should help discourage users from setting up rogue access points.

These Group Policy settings also prevent users from accidentally connecting to alternate wireless networks. In just about any environment, your users can probably see wireless networks that are located in other buildings and belong to other companies. Preventing users from connecting to these networks is important for at least two reasons. First, if you can prevent users from accidentally attaching to someone else's network, then you can probably reduce the number of help desk calls that you get. After all, a user is going to have trouble accessing certain resources if they are connected to the wrong network.

Second, and more important: When users connect to a network, they are potentially vulnerable to any security threats that may exist on that network.

Create a restrictive Group Policy

With this in mind, let's take a look at how you can create a Group Policy that restricts the wireless networks users are allowed to connect to. First, you need to know that Group Policy settings for limiting access to wireless networks are not built into Windows. In order to make those settings available, you have to extend your Active Directory schema. The procedure for doing so is rather involved and you can find the procedure in its entirety at

Once you have extended the Active Directory schema, open the domain security policy and then navigate through the Group Policy Object Editor to Computer Configuration > Windows Settings > Security Settings. When you expand the Security Settings container, you will see that it now contains a Wireless Network (IEEE 802.11) node, as shown in Figure A.

Figure A: The Group Policy Object Editor allows you to edit wireless security settings.

Since no wireless policies exist by default, right-click on the Wireless Network (802.11) container and choose the Create Wireless Network Policy command from the resulting shortcut menu. When you do, Windows will launch the Wireless Network Policy Wizard. Click Next to bypass the wizard's Welcome screen and you will see a screen asking you to enter a name and a description for the policy you are creating. After doing so, click Next, followed by Finish. Windows will now open the properties sheet for the policy that you have created.

If you look at Figure B, you can see that the properties sheet's General tab is pretty basic. It allows you to control the types of wireless networks that clients are allowed to connect to, and you can control whether or not you want to use Windows to automatically configure network settings for wireless clients.

Figure B: The General tab allows you to configure the types of networks that you want to allow clients to connect to.

The Preferred Networks tab, shown in Figure C, allows you to specify the list of preferred networks in the order that you want Windows to attempt to attach to them.

Figure C: The Preferred Networks tab allows you to specify your preferred networks in order of preference.

All of these settings are valid for computers running Windows XP. According to this article on Active Directory schema extensions for Windows Vista, there are special settings that apply only to clients running Windows Vista and Windows Server 2008. Those settings allow you to specify exactly which wireless networks your clients are allowed to access. According to the article, you can access the Vista-specific settings by opening the default domain policy using a machine that's running Windows Vista or Windows Server 2008. Unfortunately, I was not able to do this because all of my Vista machines are running 64-bit operating systems, and there is no 64-bit version of the administrative tools.
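
A client-side check that the restriction is holding, as an added example that is not part of the original article: it parses the output of netsh wlan show profiles (available on Windows Vista and later) and lists saved wireless profiles whose names are not on the approved list. The function name Get-UnapprovedWlanProfile, the SSIDs and the sample output are constructed for illustration; the parsing assumes English-language netsh output and profile names that match the SSID, which is the default when a user connects to a network.

```powershell
# Added example: audit saved wireless profiles against an approved SSID list.
# Get-UnapprovedWlanProfile is a hypothetical helper, not a built-in cmdlet.
function Get-UnapprovedWlanProfile {
    param(
        [Parameter(Mandatory = $true)] [string[]] $NetshOutput,   # lines from: netsh wlan show profiles
        [Parameter(Mandatory = $true)] [string[]] $ApprovedSsids  # networks the policy is meant to allow
    )
    foreach ($line in $NetshOutput) {
        # User-created profiles appear as "All User Profile : <name>" or
        # "Current User Profile : <name>" (English-language output assumed).
        if ($line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') {
            $scope = $Matches[1]
            $name  = $Matches[2]
            # SSIDs are case-sensitive, so compare case-sensitively.
            if ($ApprovedSsids -cnotcontains $name) {
                [pscustomobject]@{ Scope = $scope; Profile = $name }
            }
        }
    }
}

# Constructed sample of `netsh wlan show profiles` output (not captured from a real host).
$sample = @'
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : CorpWiFi
    All User Profile     : CoffeeShop-Guest
    Current User Profile : NeighborCo
'@ -split "`r?`n"

# Run against the sample; 'CorpWiFi' is a placeholder for your approved network(s).
Get-UnapprovedWlanProfile -NetshOutput $sample -ApprovedSsids 'CorpWiFi'

# On a live client, feed it the real command output instead:
# Get-UnapprovedWlanProfile -NetshOutput (netsh wlan show profiles) -ApprovedSsids 'CorpWiFi'
```

Any profile this returns is a network the workstation has been configured to join outside the approved list, which is worth following up on even when the policy itself is in place.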
