topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday October 3, 2024, 8:35 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Create a profiles for users on a Workgroup and disable Homegroup options & wifi  (Read 9048 times)

questorfla

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 570
  • Fighting Slime all the Time
    • View Profile
    • Donate to Member
Sorry this is long but i have never seen anything like this before.

The solution would be pretty simple on a Domain but not so easy on a Work-group.  The situation is this:

It is an office environment where 20 users all connect to the work-group with laptops that run Windows 7, Windows 8 and windows 8.1.    I need a way to configure a network profile that, when chosen,  would connect each system to prefigured settings that would have their static IP, sub-net, gateway and DNS  for their IPV4 on the Hardwired connections locked in.  In addition I need to completely disable all WiFi capability ( reason further down )   This would be akin to a WORK profile on a Domain.  Having this would allow for them to change to a Home Profile when leaving and open up their WiFi for use outside the office

As the 2nd part, I would like a simple (Hah!) way to disable all HOME-GROUP options and capability and if possible permanently remove all capability for creating or joining one.  These are all office systems which the users DO take home but they do not belong to them so disabling Home-groups should not be an issue.

WHY I want to do this: during a Recent network problems, I found today that one person had resorted to using her laptop's WiFi to connect to her I-phone Hot-spot to get on the Internet.    As it was explained to me, she had also allowed some of her friends to also use her hot-spot.  I do not have all the details as they do not seem to be eager to discuss the issue but one of the people she gave permission to is about 150 ft away from, her desk.  I have seen (and used) the WiFi hot-spots that are built into a smartphone and I have yet to find one that would carry over 15 ft.  Much less 100 ft!

After investigating I found that all of the users who did manage to connect are on the same network switch.  That switch connects over 20 people and printers to a line coming from the Office router.  In this case, the input to the router had been cut so there was no Internet but apparently the connection through the Switch enabled this one person to in some way use the switch in a "back-flow" manner with her Iphone providing Input to allow these other people 100+feet away to be able to piggy-back onto her I-phone.  Most switches are now "smart" such that any port can be the "input" so the switch just took what it was given and distributed it

To make matters worse, when I started shutting them all down to try to reconnect the router into the network, several of the systems popped up messages saying that it I rebooted it would break their connection to the >>HOME-GROUP<< they were in!

This <<Home-group>> turned out to belong to yet another user who did not know she was connected to anyone through anything.  Much less providing a Full Home-group connection to share ...??? i don't even know what.  That mystery I am still trying to resolve.  This same procedure also happened on two others systems and they were connected to even more Home-groups owned by people who also did not know they were connected to anyone by anything.  No one remembers anything about any kind of questions about permissions or passwords

I have never seen this type of behavior before but I must find a way to put an end to it!

My Preference would be deleting all Home-Group capability on all systems!  No one uses it and most people honestly did not even know what it was.  But the possibility for serious problems provided by people being interconnected "in the  background" as it were, looks to me like an open invitation to all kinds of bad things.  

Since this is a Work-group and not a domain, I have no control over what, if any, security software each person uses or doesn't use.  Viruses and Malware would have a field day in a setup like that where many systems are already on a "hidden in plain site" sub-group which neither the users nor the owners of had any idea they were connected to.  They have no use for ir but Something! obviously did.

It could have been this way for months  When they go home, most just shut down Windows and leave.  I cannot believe it has been like this for very long or I would have seen it at least once.  I found a total of 4 separate systems that were broadcasting invitations to join their Home-group.  Yet I have never seen an "invitation" to join anything and no one else says they have either.  

None of these people are very Tech-Savvy and none of them even knew what I meant or the risks involved.  None of them even knew (or would admit to) having said YES to any kind of connection but I have seen what a Home-group Invite looks like and it is innocuous enough that i doubt anyone would say NO if invited even though they have NO idea what it is.

I have found a multitude of methods for disabling various parts of the Home-group thing but no single solution.  Some of them involve changes in the Registry that involve elevating the permissions to the SHELL group so that a change can be made at all.  It is EASY to turn off WORK-groups so why is it so hard to disable HOME-groups?

Sorry this was so long, I should have made it two questions but I have been at this all day and I have a bad feeling that if i don't find a solution soon, the problems are going to get worse.  I have run multiple Malware and AV scans and actually did turn up several PUPs on one system but those are not the kind of thing I would send up a lot of red-flags over although they should not have ANY.  Malwarebytes found and removed those very easily.  If they are all back again tomorrow  THEN I get worried!

In closing.  The first and foremost I need is the Profile utility  I have found a few on Source-Forge and I a trying to see if any can be configured from what I need.

I could do part of it with a script (disable all WiFi) and that would leave only the hard-wired NIC to deal with.  Is there a net-use command to disable WiFi>?  and re-enable it afterward?

Please excuse typos and other.  It is late and I am totally distraught.


Thanks for anyone who took the time to read this.  
« Last Edit: May 13, 2014, 01:54 AM by questorfla, Reason: left off the first part »

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,759
    • View Profile
    • Read more about this member.
    • Donate to Member
A computer will automatically try to join a homegroup during the installation of the OS (at least on Windows 7) if it detects one on the network.

If you want a Windows 7 computer to leave a homegroup it is a part of, follow these instructions:

1. Press the Windows button on the keyboard (or open the start menu) and type "HomeGroup" (without quotes) and press Enter.

HomeGroupStep1.png

2. You will see a window that looks like this:

HomeGroupStep2.png

3. Click the "Leave the homegroup..." button. You'll get a popup asking you to confirm, at which point the computer will be removed from ALL homegroups it may be connected to.




And finally, you may want to click on the "Change advanced sharing settings..." on the HomeGroup screen. The bottom section of the advanced settings is related to HomeGroup connections. Changing that to require accounts and passwords rather than HomeGroups may solve the problem of these computers mysteriously re-joining the Homegroups again.

HomeGroupAdvancedSettings.png
« Last Edit: May 13, 2014, 02:30 AM by Deozaan »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
I see only two ways to do this, with a domain, and the wrong way.

You will waste an excruciating amount of time trying to duct tape 3rd party solutions together in an attempt to gain control. A domain based solution OTOH would be comparably cheap if you look at the long term cost savings in just man hours of administrative overhead alone.

Yes, I'm admittedly biased ... But it's based on experience. ;)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,858
    • View Profile
    • Donate to Member
+1 with Stoic . (We have similar jobs so we have similar biases. ;D) The only good (i.e. effective and reliable) way is using a domain and group policies. Workgroups are bad ju-ju and not worth struggling with.

Have you looked into using something like Windows Server 2012 - either Foundation or Essentials? Dell and some other suppliers can set you up with a preconfigured entry-level server for under a grand. This wouldn't be "enterprise by any stretch. But for 20 or so users it would solve 98% of all your security issues and give you some attached storage space as well.

Something to think about. :Thmbsup:

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
To add to the answer given by Deo for your second question:

After leaving the HomeGroup you can also disable the facility by disabling the services required for it:

HomeGroupListener
HomeGroupProvider

As described here: How to Disable “HomeGroup” Feature in Windows 7?

This can be done via command line:

sc stop HomeGroupListener
sc config HomeGroupListener start=disabled
sc stop HomeGroupProvider
sc config HomeGroupProvider start=disabled

Also works in Windows 8/8.1

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,930
    • View Profile
    • Donate to Member
First of all, a domain would be your best bet. An old PC with a properly configured Untangle (or similar product) might do the trick as well.

However, if macguyvering is your only option, you could think about the following concept and steps to take (fooling your users a bit).
Make a virtual LAN on your switch that is not allowed internet access. I do hope you have a DHCP server that "parks" every known and unknown computer/smartphone" in that virtual LAN. Then there should be a script available to anyone that should suggest it has to run to grant internet access. That script should then assign (hard-coded) IP numbers in a different subnet with internet access on a first come, first serve basis. With 20 or so users that shouldn't be too hard. This script should also disable HomeGroup (as 4wd has shown you) and whatever else you need/want.

This goof-of-concept might work for you. But most of all, you should have learned by know that Workgroups are an administration nightmare on the best of days. Get a domain server is really the best way to go if you want a windows-only solution. Or invest time in doing networking on Linux. Untangle is based on Linux and its web-interface makes management tasks quite easy.

Oh, before I forget, learn to work with 'sc', that is a powerful toy to play with. :)

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
If your users have admin rights on their boxes then anything you do is subject to being undone, of course.

That said you might look at something like Argon Switcher to set up a couple network profiles. I haven't used this (yet  ;)) but it looks like it might help immensely:

Argon is an open source utility with the aim to supply multiple network configuration in Windows XP and Windows 7. It's usefully when you move your notebook from a network to others. For each network you can select the network card to use and store configuration as "profile". For each profile you can configure many things as: Network card configuration, Proxy configuration, A set of application to run when the profile start, A set of windows services to start or to stop, Set the default printer, Map the necessary network drive, Disable network cards, Enable/disable network card.

You can set up the addresses you want and save the profiles. Disable the wireless card. Also, if you're just working locally, you could maybe set the netmask to 1.0.0.0 and set no gateway, set the proxy to localhost, etc, so the boxes know that everything is local and there's no need to go through a router.

Edit: You could also try IP Switcher or TCP/IP Manager for the network profile part if you see issues with Argon, its Sourceforge rating was only 3 stars.  :o
vi vi vi - editor of the beast
« Last Edit: May 17, 2014, 07:41 AM by x16wda »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Damn it Shades, now you got me started thinking about junkyard design options.

First of all, a domain would be your best bet. An old PC with a properly configured Untangle (or similar product) might do the trick as well.

This actually has potential, but I'll come back to that.

However, if macguyvering is your only option, you could think about the following concept and steps to take (fooling your users a bit).
Make a virtual LAN on your switch that is not allowed internet access. I do hope you have a DHCP server that "parks" every known and unknown computer/smartphone" in that virtual LAN. Then there should be a script available to anyone that should suggest it has to run to grant internet access. That script should then assign (hard-coded) IP numbers in a different subnet with internet access on a first come, first serve basis. With 20 or so users that shouldn't be too hard. This script should also disable HomeGroup (as 4wd has shown you) and whatever else you need/want.

Okay, bear with me as I play devil's advocate/hacker here. An isolated VLAN isn't going to stop devices from accessing a hot spot. The DHCP angle also goes up in smoke due to it only having the ability to control devices that ask it for an IP address. The problem child hotspot has DHCP capabilities too. Then there is the 20 users x how many devices x at least 2 NICs = how many MAC addresses needing to be tracked? *Shudder*

Here's the problem, even if you completely lock down all but one network adapter/path there still is one. And that one can be modified to do what ever someone wants it to (like connect to multiple networks) if they know how. Now the really horrific part is that if the don't know how and try to give it a go anyway ... And/or follow a "reasonably tech savvy" friends advice they could easily end up creating a vortex that sucks the entire network into the Chinese petting palace universe. This scenario -which I've seen play out many times - with local administrative rights is really the biggest danger IMO.

HomeGroup membership at this point actually becomes rather irrelevant when the thing you're really trying to block is the (technically completely unrelated because it is on a totally different layer of the OSI model) TCP/IP network connectivity to the internet.

But we're not totally screwed ... Yet!

Untangle is based on Linux and its web-interface makes management tasks quite easy.

Getting back to the gateway fortification method. If the users do actually need to be connected to the internal network to perform their jobs. We can leverage that in our favor with a wee bit of static routing based shenanigans.

Here's the thing. Have you ever encountered a Cisco VPC client install that was setup by a hyper paranoid asshole that blocked access to everything except the remote target network? It's both infuriating to troubleshoot...and - being ephemerally session based - exactly what we want. Because all you really need is a DHCP server that will toss in a few rather restrictive static routes, and nothing the users do or try will allow them to get to anything while they are on the company network because the IP routing table won't allow it. Sure they can connect to anything, within a first hop broadcast zone ... But any attempt to go past that will - via the routing table - auto-magically fail.

And ultimately that is really what is needed. An environment that will transparently allow them just enough room to realize that they have failed...so that they give up and go back to work.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,858
    • View Profile
    • Donate to Member
If you have a small enough device pool accessing the WAP you can also restrict access by device MAC Addresses.

Royal PITA to stay on top of with more than a dozen or so devices. But it's a pretty effective (and free) access security boost in an SMB/SOHO environment. Keeps people's personal smartphones off the company network if nothing else.

And while it's true you can spoof MAC, doing so is beyond the knowledge level of the bulk of the people you'd want to restrict. Keeping out a real pro hacker is a whole 'nother smoke - but that's for another discussion. Usually one you'd have to pay someone to have with you. ;) :)

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,930
    • View Profile
    • Donate to Member
Stoic's alternative solution is indeed an improvement over my too friendly concept. After all you're the admin and your users should feel the power that comes with that position. Applying routing tables will keep your users in check and discouraged.

But make sure to get those tables right, because if you don't, you have only added to your headaches. Here are two links that are springboards for study: Linux and Windows

For both a domain server or Untangle an old single-core Pentium 4 with 512MByte/1GBYte of RAM and 2 network cards (preferably not on-board) is already sufficient. So it really can be an old clunker, so the extra hardware cost shouldn't be an issue. Untangle and its alternatives, both commercial and open source/free.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
That said you might look at something like Argon Switcher to set up a couple network profiles.

You can also use the Windows netsh command - set things up how you want, then 'netsh dump >worknet.cmd'

The resultant command file will allow you to restore the network configuration at any time.

Low-tech but it works.

questorfla

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 570
  • Fighting Slime all the Time
    • View Profile
    • Donate to Member
Thanks guys, these are all great ideas.  I like the one about the DOMAIN as I have fought for that right for years  Ii is amazing how CHEAP  companies  who make several mil$ per year can be!!  Would you believe my only option to provide remote support for the employees was the FRE  HOME ONLY TeamViewer?

Thank GOD TeamV put the "boot" on 'em the past few todays and BANNED them  :)  RIGHT when they needed it most,  I have a great laugh over that as I have pushed for years to get this done,  I ask then if they would work very long of very hard for FREE???

They still would not say yes and resorted to AMMYY  I got fed up and just used the company credit card and bought a license for TV! 
That is also the reason they have Spyware and Malware and viruses.
NONE of the employees know anything.  They are had Outdated AV software (IF they have anything at all.

On  more pressing issue;  We have had some recent changes in our Internet provided and I need to shift gears again.
This is a more interesting topic that brings up some issues that I find are not so ay to get answers to.
So while this is still an ongoing issue that threw another wrench into the mx and I feel it better to start another thread but I am not through with this one either.
It is also network related though so any who can offer suggestions.

See:  Best way to maintain high speed Internet through multiple switches in this same forum
Thanks and I am going to try all of the above answers,