Appendix E: Internet Connection Sharing, Windows Firewall, and Network Bridge

(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)

Overview: Internet Connection Sharing, Windows Firewall, and Network Bridge

Internet Connection Sharing, Windows Firewall, and Network Bridge are features designed for home and small office networks. These features are included in Windows XP with SP2. Information about these features is presented here so you as an IT administrator can be aware of these potential capabilities within your organization’s network when you install Windows XP with SP2.

Note   Windows Firewall was formerly called Internet Connection Firewall or ICF.

The features for implementing and administering small networks are described as follows:

  • Internet Connection Sharing (ICS)

    With ICS, users can share a public Internet connection with a private home or small business network. In an ICS network, a single computer is chosen to be the ICS host. The ICS host has at least two network adapters: one connected to the Internet, one or more connected to the private network. All Internet-destined traffic flows through the ICS host. ICS uses DHCP to assign private IP addresses on the network, and Network Address Translation (NAT) to allow multiple computers on the private network to connect to the public network through the ICS host.

    There are security benefits in using ICS. Only the ICS host is visible from the Internet; the private network is “hidden.” Also, NAT blocks any inbound traffic from the public network that is not a response to traffic originating from the private network.

    In addition, ICS provides name resolution to the home network through a DNS proxy.

    Note   You should not use Internet Connection Sharing in an existing network with Windows Server 2003 domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses.

  • Windows Firewall

    Windows Firewall provides protection against network attacks for computers on which it is enabled. Windows Firewall does this by checking all communications that cross the connection and selectively blocking certain communications, according to the configuration settings you specify.

    For more information about Windows Firewall, see the link to “Deploying Windows Firewall Settings for Windows XP SP2” on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=23354

    Note   Another feature in Windows XP with SP2 is the Security Center in Control Panel. The Security Center monitors the status of firewalls including Windows Firewall, the status of virus protection, and the status of the Automatic Updates setting. The Security Center notifies the user when the computer might be at risk by providing an icon and balloon message in the notification area. When the computer running Windows XP with SP2 is part of a domain (the usual scenario for a managed environment), by default these notifications are not displayed. For more information, see the explanatory text in the Group Policy setting, Turn on SecurityCenter (domain PCs only). This setting is located in Computer Configuration\Administrative Templates\Windows Components\Security Center.

  • Network Bridge

    Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. Network Bridge forwards traffic among the multiple LAN segments, making them appear to be a single IP subnet.

    Caution   If neither Windows Firewall nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either Windows Firewall or ICS is enabled, this risk is mitigated.

Using Internet Connection Sharing, Windows Firewall, and Network Bridge in a Managed Environment

Windows Firewall is enabled by default on Windows XP with SP2. Internet Connection Sharing and Network Bridge are not enabled by default, and Internet Connection Sharing (ICS) is available only on computers that have two or more network connections. An administrator or user with administrative credentials can enable ICS by clicking the Advanced tab on network connections (Control Panel\Network Connections). Also, when running the New Connection Wizard, administrators can choose to enable ICS. ICS lets administrators configure a computer as an Internet gateway for a small network, and it provides network services such as name resolution through Domain Name System (DNS). It also provides addressing through Dynamic Host Configuration Protocol (DHCP) to the local private network.

Using Windows Firewall, an administrator can enable a firewall to protect the public connection of a small network or single computer that is connected to the Internet. Windows Firewall is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles.

The Network Bridge menu command Bridge Connections is available only when two or more network adapters are present. By default, Network Bridge is disabled, but administrators can use Bridge Connections to enable Network Bridge.

In a domain environment, you should not allow these features to be enabled or configured. See the following subsection for information about how to disable them.

It is important to be aware of all the methods users and administrators have for connecting to your networked assets, and to review whether your security measures provide in-depth defense (as contrasted with a single layer of defense, more easily breached).

Controlling the Use of Internet Connection Sharing, Windows Firewall, and Network Bridge

You can block administrators and users from accessing ICS, Windows Firewall, and Network Bridge by using answer files during initial installation and Group Policy post-deployment.

Using Answer Files for Unattended or Remote Installation

Using standard methods for preparing an unattended or remote installation, you can make entries in the [Homenet] section of the answer file. This section includes entries for installing home and small office networking settings for network adapters, Internet Connection Sharing, Windows Firewall, and Network Bridge. For example, to prevent users and administrators from enabling Internet Connection Sharing by using an answer file, the entry is as follows:

[Homenet]
EnableICS = No

For additional configuration options for [Homenet] entries for the answer file, and for more information about unattended installation, see the references listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).

Using Group Policy to Disable Internet Connection Sharing, Windows Firewall, and Network Bridge

Group Policy settings for disabling small office networking features in your domain environment are as follows.

Note   For more details about any of the Group Policy settings, use a Group Policy interface to navigate to the setting and then click the Extended tab, or open the setting and then click the Explain tab. For other sources of information about Group Policy, see Appendix B, "Learning About Group Policy and Updating Administrative Templates."

  • Prohibit use of Internet Connection Sharing on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.

    If you enable this policy setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. In the Advanced tab in the Properties dialog box for a local area network (LAN) or remote access connection, under Internet Connection Sharing, it says “Internet Connection Sharing has been disabled by the Network Administrator.”

    Also, if you enable this policy setting, the Internet Connection Sharing page is removed from the New Connection Wizard.

  • Windows Firewall: Protect all network connections, located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile.

    If you disable this policy setting, Windows Firewall does not run and cannot be started.

    Note that in Computer Configuration\Administrative Templates\Network\Network Connections, the setting called Prohibit use of Internet Connection Firewall on your DNS domain network still exists. This setting has no effect if Windows Firewall: Protect all network connections is enabled or disabled. However, if Windows Firewall: Protect all network connections is set to Not Configured, you can still prevent Windows Firewall from running by enabling Prohibit use of Internet Connection Firewall on your DNS domain network. (Internet Connection Firewall is the former name for Windows Firewall.)

  • Prohibit installation and configuration of Network Bridge on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.

    When you enable this policy setting, administrators cannot create a Network Bridge. Enabling this policy setting does not remove an existing Network Bridge from a computer.

    Important   Any of the preceding policy settings that have “DNS” in the name of the setting are dependent on the network context that the computer is in. They apply only when a computer is connected to the same DNS domain network it was connected to when the policy setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the policy setting was refreshed, the policy setting does not apply.
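The following PowerShell script is an added example, not part of this appendix or of Windows, that audits whether the four policy settings above have been applied to a computer by reading the registry values those settings write. The registry paths and value names are my assumption about where each setting is stored; confirm them against the Explain tab of each setting before relying on the result, and run the script while the computer is connected to its DNS domain network, since the "DNS domain network" settings apply only in that context.

```powershell
# Added example: audit the registry policy values behind the Group Policy
# settings for ICS, Windows Firewall and Network Bridge on Windows XP SP2.
# Paths and value names below are assumptions (verify with each setting's Explain tab).
$ncPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
$fwDomain = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the setting is Not Configured.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$checks = @(
    @{ Setting  = 'Prohibit use of Internet Connection Sharing on your DNS domain network'
       Path = $ncPolicy; Name = 'NC_ShowSharedAccessUI';     Expected = 0 },
    @{ Setting  = 'Prohibit installation and configuration of Network Bridge on your DNS domain network'
       Path = $ncPolicy; Name = 'NC_AllowNetBridge_NLA';     Expected = 0 },
    @{ Setting  = 'Windows Firewall: Protect all network connections (Domain Profile)'
       Path = $fwDomain; Name = 'EnableFirewall';            Expected = 1 },
    @{ Setting  = 'Prohibit use of Internet Connection Firewall on your DNS domain network'
       Path = $ncPolicy; Name = 'NC_PersonalFirewallConfig'; Expected = 0 }
)

# The older ICF setting has no effect once "Protect all network connections" is
# configured either way, so report it as superseded rather than as a finding.
$protectAllConfigured = $null -ne (Get-PolicyValue -Path $fwDomain -Name 'EnableFirewall')

foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    $state = if ($c.Name -eq 'NC_PersonalFirewallConfig' -and $protectAllConfigured) { 'SUPERSEDED' }
             elseif ($null -eq $actual)        { 'NOT CONFIGURED' }
             elseif ($actual -eq $c.Expected)  { 'OK' }
             else                              { 'MISMATCH' }
    $shown = if ($null -eq $actual) { '<absent>' } else { $actual }
    '{0,-14} {1}  [{2} = {3}]' -f $state, $c.Setting, $c.Name, $shown
}
```

A NOT CONFIGURED result for the ICS or Network Bridge setting means administrators on that computer can still enable the feature through the Advanced tab or Bridge Connections; MISMATCH on EnableFirewall means the domain profile firewall has been explicitly disabled by policy.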

For more information about home and small office networking features, see Help and Support Center in Windows XP with SP2.