Concerned about deploying both a public Wi-Fi hotspot and private Wi-Fi service
We are deploying both a public Wi-Fi hotspot and private Wi-Fi service on the same floor, and we are concerned about "bridging" between the hotspot and corporate LAN. Is it possible for a Win2000 or 2003 Server to push a policy that will not allow multiple network cards to operate simultaneously? Or is there any other way to prevent this?
Windows 2000/2003 Group Policy Objects (GPOs) can be used to centrally-configure registry keys that control certain aspects of Windows behavior. For example, the GPO called HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA determines whether a user can add/configure a network bridge. Network bridges are Layer 2 MAC bridges that bind two or more network connections together. If you add this GPO, users will be unable to create new network bridges, but this GPO does not remove any existing network bridges from user PCs. Also check out Wireless Network (IEEE 802.11) Policies, which can be used to configure Windows XP WLAN client settings like Preferred Networks. To learn more about these policy objects, visit Microsoft's website.
Alternatively, you can centrally-enforce a "one active network" policy using something like Senforce's Endpoint Security Suite Connectivity Control. According to Senforce's website, "SCC ensures all endpoint devices comply with corporate security policies governing wired and Wi-Fi network connectivity" and "can disallow Wi-Fi usage when users connect to a wired network." If your company already uses personal firewall and/or VPN client software, ask your vendor(s) about "endpoint security" alternatives that may be supported by their product(s).
This was first published in August 2005
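
To check an endpoint against the two controls discussed above, the following PowerShell audit reports whether the network-bridge policy value is set and whether a wired and a Wi-Fi adapter are up at the same time. It is an added example, not part of the original answer or any vendor's tooling; it assumes Windows 8 / Server 2012 or later (where the NetAdapter cmdlets exist), and the function names are hypothetical.

```powershell
# Added example: audit one endpoint for bridge policy and simultaneous wired/Wi-Fi links.
# Assumption: Windows 8 / Server 2012 or later, where Get-NetAdapter is available.

$policyKey  = 'HKLM:\Software\Policies\Microsoft\Windows\Network Connections'
$policyName = 'NC_AllowNetBridge_NLA'

function Get-BridgePolicyState {
    # 0 = bridge creation prohibited by policy; missing value = policy not configured.
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item)          { return 'NotConfigured' }
    if ($item.$policyName -eq 0)  { return 'Prohibited' }
    return 'Allowed'
}

function Get-ActivePhysicalAdapter {
    # Physical adapters whose link is currently up (virtual adapters are excluded).
    Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' } |
        Select-Object Name, InterfaceDescription, PhysicalMediaType, MacAddress
}

$active   = @(Get-ActivePhysicalAdapter)
$wired    = @($active | Where-Object { $_.PhysicalMediaType -eq '802.3' })
$wireless = @($active | Where-Object { $_.PhysicalMediaType -like '*802.11*' })

# One record per machine, suitable for collecting centrally and filtering.
# The policy does not remove a bridge created before it applied, so a machine
# reporting 'Prohibited' still needs its existing network connections reviewed.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    BridgePolicy   = Get-BridgePolicyState
    ActiveAdapters = $active.Count
    WiredAndWifiUp = ($wired.Count -gt 0 -and $wireless.Count -gt 0)
    AdapterNames   = ($active.Name -join ', ')
}
```

Machines that report `WiredAndWifiUp` as true while the bridge policy is `NotConfigured` or `Allowed` are the ones to examine first.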