Saturday, February 2, 2013

Locking Down wifi on Windows without Active Directory

This is a cool trick I learned recently, and it doesn't seem to be easily found through Google (though if you know about netsh, you may be able to discover it yourself).

Windows management is best (or at least most easily) done through Group Policy. In fact, you can blacklist/whitelist wifi networks via Group Policy on Windows Vista and later. The problem is that the setting is only available in domain (AD) Group Policy, not in local Group Policy. At work I don't have Active Directory (but am hoping to by the end of the year), so I can't use it. Still, I'd like to block wifi networks on our wifi-enabled Windows computers. My desire for this came from the fact that someone in the office thought it would be all right to take a laptop without permission to work on public wifi during lunch. As a rule, laptops shouldn't be taken without properly being checked out, but sometimes people think something that's not OK is OK. Luckily the person didn't end up using the laptop on who-knows-what public wifi network, but it was a close call and made me look into this.

I found out it was possible with a couple of ye olde netsh commands. I'll show them off on my crappy laptop with a dead battery that I never use because I hate laptops (maybe I'll go into that another time). Before firing them off on my laptop, Windows saw these wireless networks:


Donnerschlag is my wireless network, so let's make it so that's the only option for this laptop to connect to. Open up the command prompt as administrator:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>netsh wlan add filter permission=denyall networktype=adhoc
Followed by:
C:\windows\system32>netsh wlan add filter permission=denyall networktype=infrastructure
That blocks all wireless connections, both ad hoc and infrastructure. Let's see what Windows says:


Looking good, but now I need to add my whitelisted connections:
C:\windows\system32>netsh wlan add filter permission=allow ssid=Donnerschlag networktype=infrastructure
Aaaaand now:


Success! Here are some other useful netsh commands for wireless networks:

Show current filters:
netsh wlan show filters
Which returns something like:
Allow list on the system (group policy)
---------------------------------------
    

Allow list on the system (user)
-------------------------------
    SSID: "Donnerschlag", Type: Infrastructure

Block list on the system (group policy)
---------------------------------------
    

Block list on the system (user)
-------------------------------
    SSID: "", Type: Adhoc
    SSID: "", Type: Infrastructure
You may also want to blacklist just certain wireless networks without denying everything else. That's done by setting the SSID as appropriate and the permission to block:
netsh wlan add filter permission=block ssid=somewifinetwork networktype=infrastructure
There's also the ever-important delete filter command. The syntax after netsh wlan delete filter needs to match the syntax you used to add that filter (same permission, ssid and networktype), otherwise netsh won't find the filter to remove.

Two caveats worth knowing. First, adding or deleting these filters requires an elevated prompt, so they hold against standard users, but any local administrator can undo them with the same command. Second, the filter matches only the SSID string, so it won't stop a connection to someone else's access point broadcasting your SSID; it's the saved profile's security settings (WPA2 with your key or certificate) that make a connection to an impostor fail, so use both together.
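As an added example, not code from the original post, here is the whole procedure above (deny-all, the allow list, a check against netsh wlan show filters, and the matching delete commands) as a PowerShell script for an elevated prompt. The $AllowedSsids value is a placeholder, and the parser assumes the English-language netsh output shown earlier.

```powershell
# Added example, not from the original post: enforce, audit and undo the SSID allow
# list built with netsh. Run from an elevated PowerShell prompt (netsh wlan add/delete
# filter need administrator rights). Assumptions: $AllowedSsids is a placeholder, and
# Get-WlanFilters parses the English netsh output format ('SSID: "x", Type: y').

$AllowedSsids = @('Donnerschlag')   # assumption: replace with your own network name(s)

function Set-WlanAllowList {
    param([Parameter(Mandatory)][string[]]$Ssids)
    # Step 1: deny everything. netsh prints a message if the filter already exists,
    # so the output is discarded to keep the script re-runnable.
    foreach ($type in @('adhoc', 'infrastructure')) {
        netsh wlan add filter permission=denyall networktype=$type | Out-Null
    }
    # Step 2: punch holes for the approved infrastructure networks.
    foreach ($ssid in $Ssids) {
        netsh wlan add filter permission=allow "ssid=$ssid" networktype=infrastructure | Out-Null
    }
}

function Get-WlanFilters {
    # Parse 'netsh wlan show filters' into one object per entry, tagged with the
    # list it came from (Allow/Block) and its source (user / group policy).
    $list = $null; $source = $null
    foreach ($line in (netsh wlan show filters)) {
        if ($line -match '^(Allow|Block) list on the system \((user|group policy)\)') {
            $list = $Matches[1]; $source = $Matches[2]; continue
        }
        if ($line -match 'SSID: "([^"]*)", Type: (\w+)') {
            [pscustomobject]@{ List = $list; Source = $source; SSID = $Matches[1]; Type = $Matches[2] }
        }
    }
}

function Test-WlanAllowList {
    param([Parameter(Mandatory)][string[]]$Ssids)
    # $true only when both deny-all filters (empty SSID in the block list) are present
    # and the user allow list holds exactly the approved SSIDs; extras count as drift.
    $filters = @(Get-WlanFilters)
    $denyAll = @($filters | Where-Object { $_.List -eq 'Block' -and $_.SSID -eq '' } | ForEach-Object { $_.Type })
    $allowed = @($filters | Where-Object { $_.List -eq 'Allow' -and $_.Source -eq 'user' } | ForEach-Object { $_.SSID })
    $missingDeny = @(@('Adhoc', 'Infrastructure') | Where-Object { $denyAll -notcontains $_ })
    $extra   = @($allowed | Where-Object { $Ssids -notcontains $_ })
    $missing = @($Ssids   | Where-Object { $allowed -notcontains $_ })
    foreach ($t in $missingDeny) { Write-Warning "Missing deny-all filter for type: $t" }
    foreach ($s in $extra)       { Write-Warning "Unexpected allow entry: $s" }
    foreach ($s in $missing)     { Write-Warning "Missing allow entry: $s" }
    return ($missingDeny.Count -eq 0 -and $extra.Count -eq 0 -and $missing.Count -eq 0)
}

function Remove-WlanAllowList {
    param([Parameter(Mandatory)][string[]]$Ssids)
    # Undo: delete each filter with the same parameters that were used to add it.
    foreach ($ssid in $Ssids) {
        netsh wlan delete filter permission=allow "ssid=$ssid" networktype=infrastructure | Out-Null
    }
    foreach ($type in @('adhoc', 'infrastructure')) {
        netsh wlan delete filter permission=denyall networktype=$type | Out-Null
    }
}

Set-WlanAllowList -Ssids $AllowedSsids
if (Test-WlanAllowList -Ssids $AllowedSsids) { 'Allow list enforced' } else { 'Allow list has drifted' }
```

Test-WlanAllowList is the part worth scheduling: run it periodically (or at logon) and you'll get a warning if an administrator has removed a deny-all filter or added an extra allow entry, which is the drift the manual netsh wlan show filters check above is meant to catch. Remove-WlanAllowList exists so the rollback uses exactly the same parameters as the add, which is what netsh wlan delete filter requires.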

TechNet Library for Netsh wlan
