We get questions from customers asking how they can disable a wireless connection when they are connected to a physical network. There can be various reasons for wanting to do this but they are often misguided.
First let me say – Windows does not currently have the ability to disable a Wireless connection when connected to a physical network. There are 3rd party solutions and some hardware will have this ability in the BIOS/Advanced settings of the NIC.
While there are legitimate reasons for doing this, really what you should be asking first is, “why?” What is it you are really trying to accomplish? The answers usually come down to either performance or security.
First let’s tackle performance
This usually comes across as something like, “We are concerned that users are connecting over a slower wireless connection when there is a faster physical connection available.”
In reality this should not be an issue as the interface is automatically given a metric when a route is added to the route table and that metric helps decide which route to use if there is more than one path.
Here is a KB article about how XP handles this:
299540 An explanation of the Automatic Metric feature for Internet Protocol routes
Note: It is done the same way in Vista and Windows 7 but the metric is more granular.
If you are experiencing this type of behavior, you should really be looking closer at the route table and gateway configuration to see if there is an issue there.
There can be times where you have, say, a gigabit network and a wireless N connection that will get the same metric because they essentially report the same speed. If the physical and the wireless network are both on the same subnet and they both have the same gateway Windows can’t determine which interface to use because the metric is the same. So it uses the first one listed in the route table. While you could change the bindings it is not really a good solution and is difficult to automate. You could also change the metric manually with the route command but again this is difficult to automate.
Really you should be considering why the wireless network is in the same subnet. If your wireless network is given its own subnet you will have much better control of the routing in your network and you won’t see these types of issues.
So what if they aren’t in the same subnet? Then it will depend on what is returned via name resolution and the Destination IP address selection process documented here.
Now let’s talk about security
This usually sounds something like “We are concerned users will connected to an unmanaged network in the vicinity and expose the physical network to traffic from said network.” In Windows XP this was a more legitimate concern but in Windows Vista and Windows 7 this is not as applicable because of various security improvements but most specifically the strong host model. You can read more about this at the following link:
Further, with Windows Vista and Windows 7, administrators can use Network Permissions in the Wireless GPO to prevent connections to Ad Hoc networks, neighboring networks, or any non-GPO mandated network.
Another concern is just that users will connect to the unmanaged network and send sensitive data over it. The problem with this concern is that all a user has to do is unplug the physical network and they could do the same thing. The truth is that if it is possible to reach the resource over the unmanaged network you can never be sure this won’t happen. You need to either address the routing issue or encrypt the sensitive data. Disabling the wireless NIC is not going to be a complete solution and you could break connectivity in other places that you are not in control of.
So when would you want to disable wireless?
As suggested earlier there are legitimate reasons for wanting to disable the Wireless connection. Perhaps you have a limited number of access points and no ability to expand the wireless side of the network so you want to ensure all physically connected machines use the wired connection. Or maybe your wireless connection only has a limited number of IPs. Again there are other ways to address these issues but if this is the solution you want, 3rd party solutions are currently the best bet.
In a world that is increasingly connected, disabling connectivity is only going to cause you problems down the road. While there are ways to disable a wireless connection when a machine is plugged into a physical network, you should really think more about why you are trying to do this and address the root of the problem instead. If you find that you do still require this functionality, you will want to research the 3rd party software/hardware options available.
- David Pracht