How to use Group Policy to black/white list wireless networks in Vista & Windows 7



I have seen an number of posts form IT Administrators on the Microsoft Group Policy forums asking how prevent their users from connecting to a wireless network. Maybe it is because they have an open WIFI network on the floor above that users keep connecting to so they can by pass the proxy server URL restrictions or they don’t want their users from accessing the internet from well known WIFI hot spots.

In the tutorial below I am going to show you how to block your laptops from connecting to specific wireless networks with the example SSID of “dlink”. This black list method is useful when you want to prevent users from connecting to networks such as “Free Public WiFi” which is nothing more than a trap set by hacker to steal people’s passwords.

Then I will go through the way will to block all wireless networks except for one called “private_ab” using the White List method. This is very useful if you only want your users to connect to wireless network you know are safe to use.

Lastly I will then quickly show you how to totally disable your wireless adapter from being able to connect to any networks.

The instructions below are specific to Vista and Windows 7 as there were a whole heap of new group policy settings that were introduced back when Vista was released.

How to Black List/White List Wireless Networks using Group Policy

Note: Steps 1 to 5 are common for setting up both black and white lists. Then the process branches and describes how to setup a black list then white list in steps 6 & 7.

Step 1. This is a computer based setting so edit a Group Policy Object (GPO) that is targeted to all the laptops in your network

Step 2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies

image

Step 3. Click on “Action” in the menu and then click on “Create A New Wireless Network Policy for Windows Vista and Later Releases”.

Note: You can only create one Windows Vista and later and one Windows XP wireless setting within each GPO.

image

Step 4. Now give the give the setting a Policy Name and Description. Ensure that the “Use Windows WLAN AutoCOnfig service for clients” is ticked so that Windows does not allow third-party software to control the wireless network adapter (e.g. Intel Wireless LAN configuration Tool).

image

Step 5. Now click on the Network Permission Tab and click “Add…”

image

Setting up a Wireless Network Black List using Group Policy

Step 6. Type in the name of the SSID you want to black list (e.g. “dlink”) then select the type of Network Type (e.g. Infrastructure) and select "Deny” from the Permission type then click “OK”

image

Step 7. Click “OK”

image

Now the user views all the wireless network the will no longer be able to connect the network that has been configured as Deny. (e.g. “dlink”)

wireless2


Setting up a Wireless Network White List using Group Policy

Step 6. Type in the name of the SSID you want to white list (e.g. “private_ab”) then select the type of Network Type (e.g. Infrastructure) and select "Allow” from the Permission type then click “OK”

image 

Step 7. Tick “Prevent connections to ad-hoc networks” and tick “Prevent connections to infrastructure networks” then click “OK”

image

Now you will ONLY be able to connect to the wireless network called “private_ab” and all other networks will be denied.

wireless3

Note: Configuring a white list will not configure a wireless profile to connect to the allowed network, it simple allows the user to configure a profile for that particular SSID.


How to disable your wireless networks access via Group Policy

Now if you want to totally deny you users from connecting to any network profile just skip step 6. from the White List procedure leave the “Prevent connections to ad-hoc networks” and “Prevent connections to infrastructure networks”.

image

You users will no longer be able to connect to any wireless networks and when they click on the network in they will receive the message “Your network administrator has blocked you from connecting to this network”.

wireless1

Note: Any network profile you have configured in the General tab will be automatically added as an allowed network having the two “Prevent connections” options tick will ensure that the user will not be able to connect to anything but your corporate wireless network.

image image

Author: Alan Burchill

Microsoft MVP (Group Policy)

46 thoughts on “How to use Group Policy to black/white list wireless networks in Vista & Windows 7

  1. Thanks so much for the extensive explanation and the screen shots (I’m more of a visual type when it comes to learning). I’ve recently been appointed IT Administrator, but I still have a long way to go and a lot to learn. I spend a lot of time online and try to learn something new every day. Trust me, not a lot people take their explanations step by step like you. Cheers!

  2. Good Write up. Way ahead of your time for this post. Most companies haven’t even thought about 2008 or Windows 7 and haven’t even seen GPMC in 2008. I imagine this post will start getting hit hard soon 🙂

  3. Thank you for this! We have students that are required to use a government network with all it’s restrictions, and I found a student on a website that I know the government blocks – then realized he was connecting through the local coffee shop downstairs. This worked like a charm

  4. Excellent write up. Including the pictures really make it easy to follow. Explained options clearly. Thank you for the taking the time and effort to post.

  5. when click on “create a new wireless…” I am getting this message “the specified directory service attribute does not exist. a newer version of the active directory schema may be required”

  6. Is there a way to allow the AD users to connect to one network connection (Ethernet cable or wireless) at a time
    Most of the corporate users have laptops and they carry them to home, I would like to make sure they can not connect to other network if they are connected to the company network, but if they are not connected to the company network, they are free to connect to any wired or wireless
    Thank you

  7. How will prevet them from accessing the Guest Wireless network(which is open security) when the production wireless is in range, but still allow connection to any outside wireless network?
    Would Different IP Scopes on the Wireless networks be a better option as most facilities are recieving their guest wireless via DSl while the production network is on MPLS?

    1. If I understand this correctly, as long as the guest network ssid doesn’t change you can add it under the ‘Network Permissions’ tab as a deny. This would effectively block any wireless network with that ssid.

  8. Is there a way to initiate a Local Group policy for a local user, disabling connecting to any wireless network for a non administrator user, but for administrator users, when connected to a wireless network, the connection persists for other users? I hope that was clear.

    So, a non admin user cannot connect to any wireless access points, whereas an admin user can, and when they do, it’s set even if the admin logs off, or reboots the computer. Thanks!

  9. I do not have “Wireless Network (IEEE 802.11) Policies” in Computer Configuration > Policies > Windows Settings > Security Settings >… I have only about 7 options there. Where could be the problem? I am running Windows Vista x86, not in domain, just one laptop. Thanks for help.

    1. Sorry this is a new feature for Windows Vista and above only…

  10. I have a Windows 7 Enterprise box 64bit, that I cant put in the domain and have to lock to just one SSID. This policy is not present! What gives?

  11. Hello!

    I did the whitelist process, but the clients still showing other wireless network, the GPO is applying normally by GPRESULT. I’m using the last Schema AD (Sch47.ldf) in the Windows 2008 R2. Any idea?

  12. Thanks for the writeup. One doubt. The idea is to restrict any other SSID apart from the Corporate one – lets say – as in this example – it is set to “work”. What stops me from creating an SSID of the same name in my personal Home AP or on my Mobile Hotspot. In other words – I can setup my Mobile hotspot to broadcast the same SSID – “work” and it would latch on as it is permitted. Is there any unique identifier which will distinguish this “fake” mobile hotpot from impersonating the corporate SSID?

    1. Hi Kunal

      The use of certificate authentication can enable mutual authentication so that the client can prove the access point it is connecting to is not spoofed.

  13. Thank you very much for this great article – a perfect explanation and solution for this important issue… !!! Chris

  14. These policies are among the basic things that the operating system should provide the user. Wireless networking does not need any overview, but this time there are some issues that must be discussed. In windows 7 there is a way for the person to make an ad-hoc connection. That makes the computer a work like a router and thus wireless networking can be performed.

  15. @hannan – Actually there are a lot of things you can do with Win 7 wireless networking. So yes, there does need to be an overview. Please don’t leave bigus links either.

  16. This work perfect in Domain environment, what about when people take their laptop at home? As per my understanding they will not connect to their home network as well.

    Please comment!

  17. Hi,

    This is just what I need. Is there a specific ADMX file I need to load? I seem to be missing the “Create A New Wireless Network Policy for Windows Vista and Later Releases” option. I am running 2008 R2 Functional Domain.

    Many thanks.

  18. TRENDnet’s N300 Out of doors PoE Access Point, product TEW-739APBO, offers blanket out-of-doors Wifi N300 on-line regarding mileage all the way to four kilometer (2.5 miles)*. Various installation situations are generally caused along with Access Point (AP), Wifi Submission System (WDS), Repeater, and CPE + AP processes.

  19. This is a very good post. I have the same question Kunal asked about fake SSID’s
    Do you have any docs describes how to setup mutual authentication using certificate ?

  20. Thanks so much for this wonderful article.

    Ref:
    >Hi Kunal
    >
    >The use of certificate authentication can enable mutual authentication so that the client can prove >the access point it is connecting to is not spoofed.

    Are there any links on how to set this up ? The specific scenario I had in mind was as the original question – that wifi is enabled on the laptop but it can only connect to a specific access point. The question was as to what prevents the user from setting up his phone as a hot spot with the same name as the “white listed” one and connecting to it. SO i assume something needs to be set on the client which in this case would be a Windows laptop.
    Any help or pointers would be much appreciated

  21. Hi
    We had deployed couple of Wi-Fi profiles using group policy. Now we would like to remove one of them from all laptops. We have removed that particular Wi-Fi profile setting from group policy. However, still that Wi-Fi profile exist in all laptop. Since it is an group policy based Wi-Fi profile, we have no option to remove that profile manually. Could you please help on this.

  22. For some reason this didnt work in our test environment (win 7 enterprise machines). What did was to prevent the WLAN (wireless lan service) from starting preventing the connection of any wireless networking.

Leave a Reply