Win 7 GPO/reg to disable wireless settings

  • Win 7 GPO/reg to disable wireless settings

    Hi everyone,

    Long time reader, first time poster. Great site/forum btw

    I have a problem with some Windows 7 laptops we have just received. The issue is, as a local admin you can click on the WLAN profile properties then 'show characters' or 'copy this network profile to a USB flash drive'. Both are fairly major security issues. All users have a local admin account too. Good fun!

    Now before you say 'why does anyone have local admin rights' - it is company policy (I am working on my manager - he is a twit!!) to have a local admin user that staff can do anything they want to the laptop basically. Great fun to work with let me tell you! The Altiris console gets a work-out!!

    So I THINK my options are the following..

    1) GPO settings to disable/hide those 2 settings
    2) Registry settings to disable/hide those 2 settings
    3) Install RADIUS on a server and use computer accounts rather than users (so they can't add any old device to the WLAN)
    4) Find a way of restricting the WLAN profile to the domain user only (if it can be done!)

    I have done some googling but haven't found anything substantial, does anyone have any suggestions or other ideas??

    Any help would be much appreciated as I am in dire need of advice!

    Kind Regards,

  • #2
    Re: Win 7 GPO/reg to disable wireless settings

    Well you've identified and are working on the major issue (Admin Rights for users) so I'll ignore that one for now. I would also be working on an acceptable use policy with your boss (or an edit to the existing one) prohibiting the use of non-domain member machines on the corporate network. It completely bypasses edge security and is an obvious route to virus infection.

    I definitely think RADIUS is the way to go, provided you already have an internal Certificate Authority. You can then configure auto-enrollment of Machine Certificates via GPO so that only domain member machines can connect to the wireless network. Using PEAP will also require that each user authenticates to the RADIUS server with their domain username and password. It is highly unlikely that most average users, even with admin rights, would know how to obtain and install a machine certificate on a non-domain member machine.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog
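
An added example, not part of either post: a short Python audit that reads exported WLAN profile XML and reports which profiles still store a shared key instead of using 802.1X, so the move to the RADIUS setup suggested above can be tracked per laptop. The profile names, placeholder key material and function names are constructed for illustration, and the XML layout is assumed to be the one Windows writes with `netsh wlan export profile`.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows WLAN profile XML, as written by `netsh wlan export profile`.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def _profile(name, auth, one_x, shared_key=""):
    """Build a constructed sample profile (not taken from any real machine)."""
    return (f'<WLANProfile xmlns="{NS["w"]}"><name>{name}</name><MSM><security>'
            f"<authEncryption><authentication>{auth}</authentication>"
            f"<encryption>AES</encryption><useOneX>{one_x}</useOneX></authEncryption>"
            f"{shared_key}</security></MSM></WLANProfile>")

# Constructed samples: profile names and key material are placeholders.
PSK = _profile("CORP-PSK", "WPA2PSK", "false",
               "<sharedKey><keyType>passPhrase</keyType><protected>true</protected>"
               "<keyMaterial>PLACEHOLDER</keyMaterial></sharedKey>")
ENTERPRISE = _profile("CORP-8021X", "WPA2", "true")

def audit_profile(xml_text):
    """Classify one exported profile by how the client authenticates."""
    root = ET.fromstring(xml_text)
    sec = root.find("w:MSM/w:security", NS)
    if sec is None:
        raise ValueError("not a WLAN profile: missing MSM/security")
    name = root.findtext("w:name", default="?", namespaces=NS)
    auth = sec.findtext("w:authEncryption/w:authentication", default="", namespaces=NS)
    one_x = sec.findtext("w:authEncryption/w:useOneX", default="false", namespaces=NS)
    has_key = sec.find("w:sharedKey", NS) is not None
    if has_key:
        finding = "shared-key"   # one secret stored on every laptop; migrate to 802.1X
    elif one_x.strip().lower() == "true":
        finding = "802.1X"       # per-machine/per-user credentials checked by RADIUS
    else:
        finding = "no-8021x"     # open or otherwise unauthenticated profile
    return {"name": name, "authentication": auth, "finding": finding}

def audit(profiles):
    """Return only the profiles that still need to move to 802.1X."""
    results = [audit_profile(p) for p in profiles]
    return [r for r in results if r["finding"] != "802.1X"]

if __name__ == "__main__":
    for r in audit([PSK, ENTERPRISE]):
        print(f'{r["name"]}: {r["authentication"]} -> {r["finding"]}')
```

On a real fleet the same functions can be fed the text of each exported profile file collected by the management console.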