Appendix F: Internet Connection Sharing and Related Networking Features (Windows Server 2003)

Applies To: Windows Server 2003 with SP1

Internet Connection Sharing, Internet Connection Firewall, and Network Bridge are features designed for home and small office networks. These features are offered in some of the Microsoft Windows Server 2003 family operating systems. Information about these features is presented here so that you, as an IT administrator, can be aware of these potential capabilities within your organization's network.

These home and small office features are included only with Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. These features are not included with Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; or the 64-bit versions of the Windows Server 2003 family.

This appendix includes the following information:

  • An overview of Internet Connection Sharing and related networking features.

  • How Internet Connection Sharing and related features can be used in a large organization's network.

  • How to control or prevent the use of Internet Connection Sharing and related features.

The features for implementing and administering small networks are described as follows:

  • Internet Connection Sharing (ICS)

    ICS provides Internet access for a home or small office network by using one common connection as the Internet gateway. The ICS host is the only computer that is directly connected to the Internet. Multiple ICS clients simultaneously use the common Internet connection and benefit from Internet services as if the clients were directly connected to the Internet service provider (ISP). Security is enhanced when ICS is enabled because only the ICS host computer is visible to the Internet; the addresses of ICS clients are hidden, so the clients cannot be reached directly from the Internet. In addition, ICS simplifies the configuration of small networks by providing local private network services, such as name resolution and addressing.

    Note

    You should not use Internet Connection Sharing in an existing network with Windows 2000 Server domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses.

  • Internet Connection Firewall (ICF)

    With ICF, the firewall checks all communications that cross the connection between your network and the Internet and is selective about which responses from the Internet it allows. ICF protects only the computer on which it is enabled. If ICF is enabled on the Internet Connection Sharing (ICS) host computer, however, ICS clients that use the shared Internet connection for Internet connectivity are protected because they cannot be seen from outside your network. For this reason, you should always enable ICF on the ICS host computer. In addition, if there are clients on your network with direct Internet connections, or if you have a stand-alone computer that is connected to the Internet, then you should enable ICF on those Internet connections as well.

  • Network Bridge

    Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. With Network Bridge, multiple LAN segments become a single IP subnet, even if the LAN segments are of mixed network media types. Network Bridge automates the configuration and management of the address allocation, routing, and name resolution that is typically required in a network that consists of multiple LAN segments.

Warning

If neither ICF nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either ICF or ICS is enabled, this risk is mitigated.

Internet Connection Sharing, Internet Connection Firewall, and Network Bridge are not enabled by default, and Internet Connection Sharing (ICS) is available only on computers that have two or more network connections. An administrator or user with administrative credentials can enable ICS by clicking the Advanced tab on network connections (Control Panel\Network Connections). Also, when running the New Connection Wizard, administrators can choose to enable ICS. ICS lets administrators configure a computer as an Internet gateway for a small network, and it provides network services such as name resolution through Domain Name System (DNS). It also provides addressing through Dynamic Host Configuration Protocol (DHCP) to the local private network.

Using Internet Connection Firewall, an administrator can enable a firewall to protect the public connection of a small network or single computer that is connected to the Internet. ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles.

Any organization that uses domain controllers, DHCP, DNS, and other elements of network infrastructure should not use ICS and ICF, but can instead use a firewall designed for the entire organization.

The Network Bridge menu command Bridge Connections is available only when two or more network adapters are present. By default, Network Bridge is disabled, but administrators can use Bridge Connections to enable Network Bridge. In a domain environment you should not allow the capability to enable or configure these features. See the following subsection for information about how to disable them.

It is important to be aware of all the methods users and administrators have for connecting to your networked assets, and to review whether your security measures provide in-depth defense (as contrasted with a single layer of defense, more easily breached).

You can block administrators from accessing ICS, ICF, and Network Bridge by using answer files during initial installation and Group Policy post-deployment.

Using answer files for unattended or remote installation

Using standard methods for preparing an unattended or remote installation, you can make entries in the [Homenet] section of the answer file. This section includes entries for installing home and small office networking settings for network adapters, Internet Connection Sharing, Internet Connection Firewall, and Network Bridge. For example, to prevent users and administrators from enabling Internet Connection Sharing by using an answer file, the entry is as follows:

[Homenet]
EnableICS = No

For additional configuration options for [Homenet] entries for the answer file, and for more information about unattended installation, see the references listed in Appendix A: Resources for Learning About Automated Installation and Deployment (Windows Server 2003). Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
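As an added example (not code from this appendix or from the Windows Server 2003 deployment tools), the following PowerShell function reads an answer file and reports whether its [Homenet] section contains the EnableICS = No entry, so the same check can be run over every answer file before images are deployed. Only the [Homenet] section name and the EnableICS entry come from the appendix; the function name, the constructed sample answer file, and the assumption that the answer file is INI-style text with ";" comments are mine. The script needs PowerShell 2.0 or later for the -split operator.

```powershell
# Added example: pre-deployment check of an unattended-installation answer file.
# Parses the INI-style sections and reports whether [Homenet] contains
# "EnableICS = No". Only [Homenet] and EnableICS are taken from the appendix;
# everything else here is an assumption of this example.
function Test-HomenetAnswerFile {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Lines   # answer file content, one array element per line
    )

    $section = ''
    $homenet = @{}
    $hasHomenet = $false

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # skip blank lines and comments (answer files use ';' for comments)
        if ($line -eq '' -or $line.StartsWith(';')) { continue }

        if ($line -match '^\[(.+)\]$') {
            $section = $matches[1].Trim()
            if ($section -ieq 'Homenet') { $hasHomenet = $true }
            continue
        }

        if ($section -ieq 'Homenet' -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            # key names are compared case-insensitively, like the setup parser
            $homenet[$matches[1].Trim().ToLower()] = $matches[2].Trim().Trim('"')
        }
    }

    $findings = @()
    if (-not $hasHomenet) {
        $findings += 'No [Homenet] section: ICS remains enableable after setup.'
    } elseif (-not $homenet.ContainsKey('enableics')) {
        $findings += '[Homenet] has no EnableICS entry: add "EnableICS = No".'
    } elseif ($homenet['enableics'] -ine 'No') {
        $findings += ('EnableICS is "{0}", expected "No".' -f $homenet['enableics'])
    }

    New-Object PSObject -Property @{
        HomenetPresent = $hasHomenet
        EnableICS      = $homenet['enableics']
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

# Constructed sample answer file (not a real deployment file); for a real file
# use: Test-HomenetAnswerFile -Lines (Get-Content .\unattend.txt)
$sample = @'
[Unattended]
UnattendMode = FullUnattended

[Homenet]
; home and small office networking settings
EnableICS = No
'@ -split "`r?`n"

Test-HomenetAnswerFile -Lines $sample | Format-List
```

A non-compliant file (no [Homenet] section, a missing EnableICS entry, or any value other than No) produces Compliant = False and a Findings entry naming the fix, which makes the function usable as a gate in a build script.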

Using Group Policy

Group Policy settings for disabling small office networking features in your domain environment are described as follows:

  • Prohibit use of Internet Connection Sharing on your DNS domain network

    This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature on a connection. It also determines if ICS can run on a computer when the computer is connected to the DNS domain in which the policy setting is applied.

  • Prohibit use of Internet Connection Firewall on your DNS domain network

    This policy setting determines whether administrators can enable and configure the Internet Connection Firewall feature on a connection.

  • Prohibit installation and configuration of Network Bridge on your DNS domain network

    This policy setting determines whether administrators can enable and configure Network Bridge on your domain.

Important

These policy settings are dependent on the network context that the computer is in. They apply only when a computer is connected to the same DNS domain network it was connected to when the policy setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the policy setting was refreshed, the policy setting does not apply.

These policy settings are located in Computer Configuration\Administrative Templates\Network\Network Connections. Configuration options are described in the following table.

Group Policy settings for controlling ICS, ICF, and Network Bridge

Each entry below names the policy setting and its state (enabled, or disabled or not configured), followed by the description of that state.

Prohibit Use of Internet Connection Sharing on your DNS domain network (enabled)

If you enable this policy setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a local area network (LAN) or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled.

Prohibit Use of Internet Connection Sharing on your DNS domain network (disabled or not configured)

If you disable this policy setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the Properties dialog box for a LAN or remote access connection is available. In addition, the administrator is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.)

Prohibit Use of Internet Connection Firewall on your DNS domain network (enabled)

If you enable this policy setting, Internet Connection Firewall cannot be enabled or configured by administrators, and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled.

Prohibit Use of Internet Connection Firewall on your DNS domain network (disabled or not configured)

If you disable this policy setting or do not configure it, the Internet Connection Firewall is disabled when a LAN connection or virtual private network (VPN) connection is created, but administrators can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have Internet Connection Firewall enabled.

Prohibit installation and configuration of Network Bridge on your domain network (enabled)

When you enable this policy setting, administrators cannot create a Network Bridge. Enabling this policy setting does not remove an existing Network Bridge from a computer.

Prohibit installation and configuration of Network Bridge on your domain network (disabled or not configured)

If you disable this policy setting or do not configure it, an administrator will be able to create and modify the configuration of a Network Bridge.
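As an added example (not code from this appendix or from Microsoft), the following PowerShell function audits a computer against the three policy settings described above and also reports the live state of ICS, the firewall, and Network Bridge, so that an existing bridge (which the policy does not remove) or a shared connection enabled before the policy was refreshed is still noticed. The registry value names NC_ShowSharedAccessUI, NC_PersonalFirewallConfig and NC_AllowNetBridge_NLA under HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections are those written by the Network Connections administrative template, and the meaning of 0 (policy enabled, feature prohibited) and 1 (policy disabled) is taken from that template; they are not on this page, so confirm them against the ADM file in your domain. The HNetCfg.HNetShare and HNetCfg.FwMgr COM objects and the "MAC Bridge Miniport" adapter name are assumptions of this example as well; it needs PowerShell 2.0 and administrative rights to read the policy key and COM objects.

```powershell
# Added example: post-deployment audit of the ICS, ICF and Network Bridge
# policies plus the live state of those features on the local computer.
# Registry value names and their 0/1 meaning are taken from the Network
# Connections administrative template (assumption; verify against your ADM).
function Get-HomenetPolicyAudit {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
    $expected = @{
        'NC_ShowSharedAccessUI'     = 'Prohibit use of Internet Connection Sharing'
        'NC_PersonalFirewallConfig' = 'Prohibit use of Internet Connection Firewall'
        'NC_AllowNetBridge_NLA'     = 'Prohibit installation and configuration of Network Bridge'
    }

    $values = $null
    if (Test-Path $policyKey) { $values = Get-ItemProperty -Path $policyKey }

    $results = @()
    foreach ($name in $expected.Keys) {
        $state = 'Not configured'
        if ($values -ne $null -and $values.PSObject.Properties[$name] -ne $null) {
            # the template writes 0 for "Enabled" (feature prohibited), 1 for "Disabled"
            if ($values.$name -eq 0) { $state = 'Enabled (prohibited)' }
            else { $state = 'Disabled (allowed)' }
        }
        $results += New-Object PSObject -Property @{
            Policy = $expected[$name]; RegistryValue = $name; State = $state
        }
    }

    # live ICS state: the SharedAccess service plus any connection flagged as shared
    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $sharedConnections = @()
    try {
        $mgr = New-Object -ComObject HNetCfg.HNetShare
        foreach ($conn in $mgr.EnumEveryConnection) {
            # parameterized COM properties must be called through Invoke() in PowerShell
            $cfg = $mgr.INetSharingConfigurationForINetConnection.Invoke($conn)
            if ($cfg.SharingEnabled) {
                $sharedConnections += $mgr.NetConnectionProps.Invoke($conn).Name
            }
        }
    } catch { }   # HNetCfg.HNetShare absent (editions without ICS) or access denied

    # live firewall state for the current profile (Windows Firewall, SP1 and later)
    $firewallEnabled = $null
    try {
        $fw = New-Object -ComObject HNetCfg.FwMgr
        $firewallEnabled = $fw.LocalPolicy.CurrentProfile.FirewallEnabled
    } catch { }

    # live bridge state: an existing bridge shows up as the "MAC Bridge Miniport" adapter
    $bridge = Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.Name -like '*MAC Bridge Miniport*' }

    New-Object PSObject -Property @{
        Policies            = $results
        SharedAccessService = $(if ($svc) { $svc.Status } else { 'Not installed' })
        SharedConnections   = $sharedConnections
        FirewallEnabled     = $firewallEnabled
        BridgePresent       = ($bridge -ne $null)
    }
}

$audit = Get-HomenetPolicyAudit
$audit.Policies | Format-Table Policy, State -AutoSize
$audit | Select-Object SharedAccessService, SharedConnections, FirewallEnabled, BridgePresent
```

Because the policies apply only in the DNS domain network where they were last refreshed, run the audit while the computer is connected to that domain; a BridgePresent value of True alongside an enabled bridge policy shows exactly the case the table describes, where the policy stops new bridges but leaves an existing one in place.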

For more information about home and small office networking features, see Help and Support Center for the Windows Server 2003 family.