In my last post, I introduced Clonezilla as an easy way to deploy Windows-based workstations into a corporate environment. But once a workstation enters the corporate network, what sort of policy applies to it? What sort of actions can a user take on their workstation? One powerful way to control this is through Group Policy. Group Policy allows full control over Windows-based workstations. From preventing unauthorized software installations to reminding users that their password is going to expire when they log in, it can do it all. In this post, I'm going to detail how we at SPK and Associates, IT engineering experts, set up a Group Policy to configure wireless intranet and internet access for one of our clients.
When we were brought in at this client, wireless access was provided for users and their laptops, but users often complained that they lost their connection or couldn't connect to the wireless networks in the building. One of the first things we did as part of SPK's network management consulting service was to unify the various wireless networks into a single one that could be accessed anywhere in the building. The wireless network needed to authenticate users based on their Active Directory account rather than a single authentication key. This prevents unauthorized users from gaining access to the internal network. Wireless security is essential: as with most company networks, confidential or proprietary information is stored on internal file servers, and unauthorized access could lead to a disaster for the company.
Here’s a quick overview of the various ways to protect a wireless network from unauthorized use:
| Network Security Method | Advantages | Disadvantages |
| --- | --- | --- |
| Wi-Fi Protected Access (WPA) | Very secure. Can be combined with 802.1X authentication for enhanced network security. | Incompatibility with older hardware. WPA also has a larger performance overhead and increased data packet size, which can lead to longer transmissions. |
| Wired Equivalent Privacy (WEP) | Generally well supported by most, if not all, wireless-capable devices and wireless adapters. Provides basic security to prevent unauthorized access. Typical use of this is for a "Guest" wireless network, where no company intranet is exposed. | Very easy to crack the WEP key. If the key is changed often, it can prove to be a management nightmare having to change the key for all users. |
| None | Extremely easy to set up. | Anyone can use the network, possibly for malicious intent. Not recommended for company use. |
For our client, we used WPA2-Enterprise security, which is WPA2 combined with 802.1X authentication. This method works for a variety of reasons. First, we get strong data encryption with WPA2, which is stronger than the encryption in the original WPA. Second, with 802.1X authentication, only authorized users in Active Directory will be allowed to use the wireless network. Even if an outside attacker tried to get on to the network, they would need a user account to actually authenticate. Finally, we set a user-level authentication policy in Active Directory so that only users whose Remote Access setting is set to Allow can connect to the wireless network. This works great if you have a company with contractors who need an account on the system but might not necessarily be allowed to access the network remotely or, in this case, via wireless.
After setting up 2 wireless access points to provide broad coverage for the building, we needed to configure all of the laptops to use this network. There are 2 ways to accomplish this: the traditional method, which is sending out a document to the company detailing how to set up wireless, or the SPK way: create a Group Policy, deploy it, and all laptops will be configured automatically with no user intervention required! This also allows users to add their own personal wireless networks and use them as well without affecting the corporate wireless configuration.
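One way to confirm that the policy actually landed on a laptop is to audit its wireless profiles. The sketch below is an added example, not part of the original post or SPK's tooling: it parses profile XML in the layout written by `netsh wlan export profile` and checks the corporate SSID for WPA2 with 802.1X. The SSIDs and sample profiles are constructed, and treating `AES` as the expected encryption value is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def make_profile(ssid, auth, enc, onex):
    """Build a constructed sample in the `netsh wlan export profile` layout."""
    return (
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
        f"<name>{ssid}</name><SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>"
        "<MSM><security><authEncryption>"
        f"<authentication>{auth}</authentication><encryption>{enc}</encryption>"
        f"<useOneX>{onex}</useOneX>"
        "</authEncryption></security></MSM></WLANProfile>"
    )

# Constructed sample data; the SSIDs are hypothetical.
SAMPLES = [
    make_profile("CORP-WLAN", "WPA2", "AES", "true"),    # what the GPO should push
    make_profile("OldLab", "open", "WEP", "false"),      # legacy WEP network
    make_profile("HomeNet", "WPA2PSK", "AES", "false"),  # user's personal network
]

def audit_profile(xml_text):
    """Return (ssid, findings); an empty list means WPA2 + AES + 802.1X."""
    root = ET.fromstring(xml_text)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="?", namespaces=NS)
    ae = "w:MSM/w:security/w:authEncryption/"
    auth = root.findtext(ae + "w:authentication", default="", namespaces=NS)
    enc = root.findtext(ae + "w:encryption", default="", namespaces=NS)
    onex = root.findtext(ae + "w:useOneX", default="false", namespaces=NS)
    findings = []
    if auth != "WPA2":  # WPA2PSK is a shared key, not per-user AD authentication
        findings.append(f"authentication is {auth or 'missing'}, expected WPA2")
    if enc != "AES":    # assumption: AES is the value a WPA2-Enterprise profile carries
        findings.append(f"encryption is {enc or 'missing'}, expected AES")
    if onex.strip().lower() != "true":
        findings.append("802.1X (useOneX) is not enabled")
    return ssid, findings

def audit_corporate(profiles, corporate_ssid):
    """Check only the corporate SSID; personal networks are left alone."""
    for ssid, findings in map(audit_profile, profiles):
        if ssid == corporate_ssid:
            return findings
    return [f"no profile found for {corporate_ssid}"]

if __name__ == "__main__":
    for ssid, findings in map(audit_profile, SAMPLES):
        print(ssid, "OK" if not findings else findings)
```
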
The end result of all of this was a very happy client. Users no longer complained about wireless access, the wireless network was very secure, and folks were able to get their work done efficiently from anywhere in the building.
Bradley Tinder
Systems Integrator, SPK