Monday, February 22, 2010

How to disable SoftAP (aka Windows 7 Wireless Hosted Networks) via Group Policy

Windows 7 comes with a nifty feature that allows it to function as a wireless hotspot. For home users and technical enthusiasts, it's a cool feature. For paranoid network admins like me, that feature is a problem. You don't want users opening up wireless APs inside your building or, if they're remote, functioning as conduits for outsiders to piggyback into your networks.

To disable this function via Group Policy, create a new group policy or modify an existing one and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE 802.11) Policies. Right-click there and create a new policy.



Now be careful what you select in here or else you'll wind up causing havoc for your wireless users.

Name your Wireless policy whatever you want, then go to the "Network Permissions" tab. Select the checkbox for "Don't allow hosted networks" and that will block the SoftAP feature.


Do not check the other boxes that I've marked in blue unless you want to lock down your users to only using your wireless APs (which will also block APs at airports, Starbucks, etc.). That "Only use group policy..." setting is bad news for your traveling employees.

Once these settings go into effect, the Windows 7 clients may require a reboot or two before the changes kick in. These changes will also only work if the clients are using the default built-in WLAN client that comes with Windows 7 (see the checkbox setting on the first tab of that policy window).

For more details on what these settings are:
http://msdn.microsoft.com/en-us/library/dd815243(VS.85).aspx
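
A client-side check for the procedure above, added here as an example and not part of the original post: it parses `netsh wlan show settings` to confirm that hosted networks are blocked and that the "Only use group policy..." restriction was not switched on by accident. The function names are hypothetical, the label strings assume English-language netsh output, and the embedded sample output is constructed.

```powershell
# Added example: check on a client that the wireless policy landed as intended.
# Assumption: label text is from English-language `netsh wlan show settings` output.
$HostedKey = 'Hosted network mode allowed in WLAN service'
$GpOnlyKey = 'Only use GP profiles on GP-configured networks'

# Constructed sample output, for trying the parser without a WLAN adapter.
$SampleOutput = @'
Wireless LAN settings
---------------------
    Show blocked networks in visible network list: No
    Only use GP profiles on GP-configured networks: No
    Hosted network mode allowed in WLAN service: No
    Allow shared user credentials for network authentication: Yes
    Block period: Not Configured.
'@

function ConvertFrom-WlanSettings {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Each setting prints as "label: value"; headings and rulers have no colon.
        if ($line -match '^\s*(?<key>.+):\s*(?<value>\S.*?)\s*$') {
            $state[$Matches['key'].Trim()] = $Matches['value']
        }
    }
    return $state
}

function Test-HostedNetworkPolicy {
    param([switch]$UseSample)
    $lines = if ($UseSample) { $SampleOutput -split '\r?\n' } else { netsh wlan show settings }
    $state = ConvertFrom-WlanSettings -Lines $lines
    if (-not $state.ContainsKey($HostedKey)) {
        # For example: the WLAN service is not running, or the labels are localized.
        throw 'Hosted network setting not found in netsh output.'
    }
    # New-Object PSObject keeps this usable on the PowerShell 2.0 shipped with Windows 7.
    New-Object PSObject -Property @{
        HostedNetworkBlocked = ($state[$HostedKey] -eq 'No')
        # 'Yes' here means clients are restricted to GPO-defined profiles only.
        GpProfilesOnly       = ($state[$GpOnlyKey] -eq 'Yes')
    }
}

Test-HostedNetworkPolicy -UseSample   # drop -UseSample on a real client
```

On a correctly configured client, `HostedNetworkBlocked` should be `True` and `GpProfilesOnly` should be `False`.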
