I have recently been given the task of addressing an audit finding as follows:
Finding WIF02 Ad-hoc Wireless Client Probes
While conducting a “war-walk” exercise multiple laptops were found to be searching for the last associated access point (SSID). These are typical signs of client wireless cards that are enabled and actively hunting for a wireless connection. Since the device could not connect to the corporate wireless solution, potentially due to an authentication issue, it reverted to the last access point it associated with. These types of ad-hoc wireless probes can lead to client-to-client or “evil-twin” attacks for any attacker within range of the probing client. “Evil Twin” attacks mimic access point SSIDs that clients have previously connected to. The client then connects to the “evil-twin” network which may include internal network traffic as well as public Internet requests (dependent upon the configuration and scenario).
From my interpretation, the only remediation to this would be to disable the "Connect Automatically" option for "remembered" Wi-Fi networks. Is there any way to effectively disable this for all domain machines using group policy? This would force users to explicitly connect to a Wi-Fi network when it's in range.
Thanks in advance to anyone who can help! :)
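One way to enforce the remediation the question describes on profiles already saved on the clients, added here as an example and not part of the original post or of any answer to it. It assumes Windows clients with the built-in `netsh wlan` command, English-language `netsh` output, and that the script runs with administrative rights (for instance as a GPO computer startup script):

```powershell
# Added example (not from the original post): switch every saved Wi-Fi profile on a
# Windows client from "Connect automatically" to "Connect manually".
# Assumes the built-in netsh wlan interface and English-language netsh output.

function Get-WlanProfileNames {
    # "netsh wlan show profiles" lists lines such as "    All User Profile     : CorpWiFi"
    $lines = netsh wlan show profiles 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*All User Profile\s*:\s*(.+?)\s*$') {
            $Matches[1]
        }
    }
}

function Get-WlanConnectionMode {
    param([Parameter(Mandatory)][string]$Name)
    # The profile detail contains "Connection mode : Connect automatically" or "Connect manually"
    $detail = netsh wlan show profile "name=$Name" 2>$null
    foreach ($line in $detail) {
        if ($line -match '^\s*Connection mode\s*:\s*(.+?)\s*$') { return $Matches[1] }
    }
    return 'unknown'
}

function Set-WlanProfilesManual {
    param([switch]$WhatIf)
    $changed = @()
    foreach ($name in Get-WlanProfileNames) {
        $mode = Get-WlanConnectionMode -Name $name
        if ($mode -like 'Connect automatically*') {
            if ($WhatIf) {
                Write-Output "Would set '$name' to manual (currently: $mode)"
            } else {
                $null = netsh wlan set profileparameter "name=$name" connectionmode=manual
                if ($LASTEXITCODE -eq 0) { $changed += $name }
                else { Write-Warning "Failed to update profile '$name'" }
            }
        }
    }
    return $changed
}

# Audit first, then enforce. Profiles already set to manual are skipped, so the
# script is idempotent and safe to run at every startup.
Set-WlanProfilesManual -WhatIf
Set-WlanProfilesManual | ForEach-Object { Write-Output "Set '$_' to connect manually" }
```

For networks that the domain pushes through the Wireless Network (IEEE 802.11) Policies GPO, the per-network "Connect automatically when this network is in range" setting in that policy governs the behaviour and should be left unchecked there; the script above only covers profiles users saved themselves.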