Appendix H: Network Connectivity Status Indicator and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this appendix

Benefits and purposes of the Network Connectivity Status Indicator

Overview: Using NCSI in a managed environment

How NCSI communicates with an Internet site

Controlling communication between NCSI and an Internet site

Procedures for controlling communication between NCSI and an Internet site

Additional references

Benefits and purposes of the Network Connectivity Status Indicator

Windows® 7 and Windows Server® 2008 R2 include a feature called Network Connectivity Status Indicator (NCSI), which is part of a broader feature called Network Awareness. Network Awareness collects network connectivity information and makes it available through an application programming interface (API) to services and applications on a computer running Windows 7 or Windows Server 2008 R2. With this information, services and applications can filter networks (based on attributes and signatures) and choose the networks that are best suited to their tasks. Network Awareness notifies services and applications about changes in the network environment, thus enabling applications to dynamically update network connections.

Network Awareness collects network connectivity information such as the Domain Name System (DNS) suffix of the computer and the forest name and gateway address of networks that the computer connects to. When called on by Network Awareness, NCSI can add information about the following capabilities for a given network:

  • Connectivity to an intranet

  • Connectivity to the Internet (possibly including the ability to send a DNS query and obtain the correct resolution of a DNS name)

NCSI is designed to be responsive to network conditions, so it examines the connectivity of a network in a variety of ways. For example, NCSI tests connectivity by trying to connect to https://www.msftncsi.com, a simple Web site that exists only to support the functionality of NCSI.

Overview: Using NCSI in a managed environment

In a managed environment, you might choose to use NCSI because of the way it supports services and applications that require network connectivity. However, you can disable NCSI through Group Policy.

How NCSI communicates with an Internet site

The following list describes how NCSI might communicate with a Web site to determine whether a network has Internet connectivity:

  • Specific information sent or received:

    | Type of Request that NCSI Sends | What NCSI Expects to Receive if Connectivity Exists |
    |---|---|
    | A request for https://www.msftncsi.com/ncsi.txt and https://ipv6.msftncsi.com/ncsi.txt | A page called ncsi.txt, which contains the following line of text with no terminating new line or other non-printing characters: Microsoft NCSI (Page headers disable caching.) |
    | A request for DNS name resolution of dns.msftncsi.com | The resolution of the DNS name to: 131.107.255.255 and fd3e:4f5a:5b81::1 |

  • Default setting and ability to disable: By default, Network Awareness (which includes NCSI) is enabled. NCSI can be disabled by using Group Policy.

  • Triggers: Network Awareness and its features gather information flexibly—that is, by using complex algorithms that respond to changing network conditions. This means that triggers can vary, but the following are examples of typical triggers that can cause NCSI to communicate across the Internet:

    • Someone first logs on after the computer has been restarted.

    • The computer connects to a different network.

    • The computer is brought into a hot spot (public wireless access area) that requires a sign-in.

  • User notification: NCSI does not notify the user before attempting to collect information. It does notify the user or the application when there are changes in connectivity (for example, loss of Internet connectivity). An application that uses NCSI can be written to include user notifications if appropriate to the design and function of the application.

  • Logging: NCSI does not log events in Event Viewer.

  • Privacy, encryption and storage: NCSI does not use encryption (the requests it sends and the responses it receives are standardized, as shown in the table earlier in this subsection). Internet Information System (IIS) logs are stored on a server at www.msftncsi.com. These logs contain the time of each access and the IP address that is recorded for that access. These IP addresses are not used to identify users, and in many cases, they are the address of a network address translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server.

  • Transmission protocol and port: NCSI uses HTTP over port 80. For DNS requests, NCSI uses the DNS port, which by default is port 53.

Controlling communication between NCSI and an Internet site

You can use a Group Policy setting to prevent NCSI from connecting to https://www.msftncsi.com. If you use Group Policy to prevent NCSI from connecting to https://www.msftncsi.com, applications that perform checks for the existence of Internet connectivity might work more slowly. Also, if a computer running Windows 7 or Windows Server 2008 R2 is brought into a hot spot that requires a sign-in, the computer might not detect the hot spot. The following procedure explains how to control this behavior.

Procedures for controlling communication between NCSI and an Internet site

The following procedure describes how to use Group Policy to prevent NCSI from communicating across the Internet.

To use a Group Policy setting to prevent NCSI from communicating across the Internet

  1. See Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer that is running Windows Server 2008 R2 with the Group Policy Management feature installed or a computer that is running Windows 7 and contains the Group Policy Management Console (GPMC) that is included in Remote Server Administration Tools for Windows Server 2008 R2.

  2. Click Start, type gpmc.msc, and then press ENTER. Select an appropriate Group Policy object (GPO).

  3. Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  4. In the details pane, double-click Turn off Windows Network Connectivity Status Indicator active tests, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication Group Policy setting. This setting is located in Computer Configuration or User Configuration, in \Administrative Templates\System\Internet Communication Management.

For Windows 8, the APIs for programs to report the network connectivity status are driven by this feature, and disabling it impacts network connectivity of all programs.

For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows 7 and Windows Server 2008 R2.
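
The following added example (not part of the original appendix and not Microsoft code) audits proxy and DNS logs for the NCSI probes listed in the table under "How NCSI communicates with an Internet site". It flags clients that still send probes although the Group Policy setting from the procedure above should apply to them, and probes whose answers differ from the expected ones. The log layout, the client addresses and the policy_clients inventory are assumptions; the host names, path and expected answers come from this page.

```python
from collections import defaultdict

# Probe targets and expected answers, taken from the table on this page.
HTTP_PROBES = {("www.msftncsi.com", "/ncsi.txt"), ("ipv6.msftncsi.com", "/ncsi.txt")}
DNS_PROBE = "dns.msftncsi.com"
EXPECTED_DNS = {"131.107.255.255", "fd3e:4f5a:5b81::1"}
EXPECTED_BODY_LEN = len(b"Microsoft NCSI")  # 14 bytes: no terminating newline

# Constructed sample data in a hypothetical log layout (an assumption):
#   <time> <client> HTTP <method> <host> <path> <status> <body-bytes>
#   <time> <client> DNS <qname> <answer>
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.0.0.21 HTTP GET www.msftncsi.com /ncsi.txt 200 14
2024-05-01T08:00:01Z 10.0.0.21 DNS dns.msftncsi.com 131.107.255.255
2024-05-01T08:00:07Z 10.0.0.34 HTTP GET www.msftncsi.com /ncsi.txt 200 5120
2024-05-01T08:00:09Z 10.0.0.34 DNS dns.msftncsi.com 10.0.0.1
2024-05-01T08:01:12Z 10.0.0.50 HTTP GET example.org /index.html 200 900
2024-05-01T08:02:30Z 10.0.0.21 HTTP GET ipv6.msftncsi.com /ncsi.txt 200 14
"""

def audit_ncsi(log_text, policy_clients=frozenset()):
    """Return {client: sorted findings} for NCSI active probes seen in the log.

    policy_clients: clients where the GPO is expected to have turned off
    NCSI active tests (hypothetical inventory supplied by the caller).
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[2] == "HTTP":
            client, host, path = parts[1], parts[4].lower(), parts[5]
            status, size = parts[6], parts[7]
            if (host, path) not in HTTP_PROBES:
                continue
            # A sign-in page or a rewriting proxy returns something other
            # than status 200 with the exact 14-byte body.
            if status != "200" or size != str(EXPECTED_BODY_LEN):
                findings[client].add("http-response-unexpected")
        elif len(parts) == 5 and parts[2] == "DNS":
            client, qname = parts[1], parts[3].lower().rstrip(".")
            if qname != DNS_PROBE:
                continue
            if parts[4].lower() not in EXPECTED_DNS:
                findings[client].add("dns-answer-unexpected")
        else:
            continue
        # Any probe from a client covered by the policy means it is not in effect.
        if client in policy_clients:
            findings[client].add("active-probe-despite-policy")
    return {c: sorted(f) for c, f in findings.items()}
```
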

Additional references

For more information, see Network Awareness on Windows Vista on the Microsoft® Web site.