Disabling Network Bridging in Windows 7

If an organization has stringent security policies that control network traffic and LAN connections, but does not control the users' ability to bridge the internal network to an insecure wireless network, it may fail to secure its internal assets appropriately. A laptop user connected to the wired LAN can also connect to a neighbouring insecure wireless network and create a bridge between the two network segments, exposing internal resources to external third parties.

However, the same organization may still want to allow laptop users to connect to unknown wireless networks and so does not want to disable wireless connectivity altogether. In such cases, the organization has to disable the users' ability to install and configure a network bridge on their laptops. A network bridge is a Layer 2 Media Access Control (MAC) connection between two or more physical network segments.

To disable the Network Bridge functionality on a single laptop you can use Local Group Policy; for multiple laptops in an enterprise environment use Group Policy Management instead. In this procedure we follow the Local Group Policy steps, as shown below:

  1. Open the Local Group Policy Editor snap-in by typing gpedit.msc in the Start search text box and pressing Enter.
  2. Go to the Computer Configuration\Administrative Templates\Network\Network Connections node. Note that this setting is location-aware, that is, it applies only to the same DNS domain network the computer was connected to when the setting was refreshed on that computer.
  3. On the right side, find and double-click Prohibit installation and configuration of Network Bridge on your DNS domain network.
  4. To enable the Group Policy setting, and thereby disable the Network Bridge functionality, click Enabled.
  5. Click OK.
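To verify the result of the procedure above on a Windows 7 laptop, the following added audit script (not part of the original article) reads the registry value that this policy writes and lists any bridge adapter already present. It assumes the policy is stored as the DWORD NC_AllowNetBridge_NLA (0 = prohibited) under HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections and that a bridge shows up in WMI as a "MAC Bridge Miniport" adapter; confirm both against your ADMX files and a test machine.

```powershell
# Added audit script, not from the original article. Assumptions to verify on your build:
#  - the policy "Prohibit installation and configuration of Network Bridge on your
#    DNS domain network" is stored as DWORD NC_AllowNetBridge_NLA = 0 under
#    HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections
#  - an existing bridge appears as a "MAC Bridge Miniport" adapter in WMI
# Written for Windows 7 / PowerShell 2.0, so WMI is used instead of Get-NetAdapter.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
$PolicyName = 'NC_AllowNetBridge_NLA'

function Get-NetBridgePolicyState {
    # Returns 'Prohibited', 'Allowed' or 'NotConfigured' based on the policy value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 0) { return 'Prohibited' }
    return 'Allowed'
}

function Get-ExistingNetBridge {
    # Lists adapters whose name or description identifies them as a bridge (assumed name).
    Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.Name -like '*MAC Bridge Miniport*' -or
                       $_.Description -like '*MAC Bridge Miniport*' }
}

function Test-NetBridgeExposure {
    $state   = Get-NetBridgePolicyState
    $bridges = @(Get-ExistingNetBridge)
    $result  = New-Object PSObject -Property @{
        PolicyState    = $state
        BridgeCount    = $bridges.Count
        BridgeAdapters = (($bridges | ForEach-Object { $_.NetConnectionID }) -join ', ')
    }
    # The policy is location-aware: it only takes effect on the DNS domain network,
    # so a 'Prohibited' value does not by itself protect a laptop that is off-domain.
    if ($state -ne 'Prohibited') {
        Write-Warning "Network Bridge policy is $state on this host."
    }
    if ($bridges.Count -gt 0) {
        Write-Warning "Existing bridge adapter(s) found: $($result.BridgeAdapters)"
    }
    $result
}

Test-NetBridgeExposure | Format-List PolicyState, BridgeCount, BridgeAdapters
```

Run it from an elevated PowerShell prompt after a gpupdate /force so the registry reflects the refreshed policy; a PolicyState of Prohibited with BridgeCount 0 is the expected outcome on a domain-connected laptop.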

It is important to remember that although this policy blocks users from bridging the secure internal LAN to an insecure wireless network, they still have other means to share data between the two networks. Therefore, the best practice is to disallow users from connecting to unknown and insecure wireless networks while they are connected to the internal network. Also, users' laptops that are allowed to store sensitive organizational data need to be protected through additional security tools and controls.