Appendix K: Network Connectivity Status Indicator and Resulting Internet Communication in Windows Server 2008

Applies To: Windows Server 2008

In This Appendix

Benefits and Purposes of the Network Connectivity Status Indicator

Overview: Using NCSI in a Managed Environment

How NCSI Communicates with a Site on the Internet

Controlling Communication Between NCSI and a Site on the Internet

Procedures for Controlling Communication Between NCSI and a Site on the Internet

Additional References

Benefits and Purposes of the Network Connectivity Status Indicator

Windows Server 2008 includes a feature called Network Connectivity Status Indicator (NCSI), which is part of a broader feature called Network Awareness. Network Awareness collects network connectivity information and makes it available through an application programming interface (API) to services and applications on a computer running Windows Server 2008. With this information, services and applications can filter networks (based on attributes and signatures) and choose the networks best suited to their tasks. Network Awareness notifies services and applications of changes in the network environment, thus enabling applications to dynamically update network connections.

Network Awareness collects network connectivity information such as the Domain Name System (DNS) suffix of the computer and the forest name and gateway address of networks that the computer connects to. When called on by Network Awareness, NCSI can add information about the following capabilities for a given network:

  • Connectivity to an intranet

  • Connectivity to the Internet (possibly including the ability to send a DNS query and obtain the correct resolution of a DNS name)

NCSI is designed to be responsive to network conditions, so it examines the connectivity of a network in a variety of ways. For example, NCSI tests connectivity by trying to connect to https://www.msftncsi.com, a simple Web site that exists only to support the functionality of NCSI.

Overview: Using NCSI in a Managed Environment

In a managed environment, you might choose to use NCSI because of the way it supports services and applications that require network connectivity. However, you can disable NCSI through Group Policy.

How NCSI Communicates with a Site on the Internet

The following list describes how NCSI might communicate with a Web site to determine whether a network has Internet connectivity:

  • Specific information sent or received:

    | Type of Request that NCSI Sends | What NCSI Expects to Receive if Connectivity Exists |
    | --- | --- |
    | A request for https://www.msftncsi.com/ncsi.txt | A page called ncsi.txt containing the following line of text with no terminating new line or other non-printing characters: Microsoft NCSI (Page headers disable caching.) |
    | A request for DNS name resolution of dns.msftncsi.com | The resolution of the DNS name to: 131.107.255.255 |

  • Default setting and ability to disable: By default, Network Awareness (which includes NCSI) is enabled. NCSI can be disabled by using Group Policy.

  • Triggers: Network Awareness and its subfeatures gather information flexibly—that is, by using complex algorithms that respond to changing network conditions. This means that triggers can vary, but the following are examples of typical triggers that can cause NCSI to communicate across the Internet:

    • Someone first logs on after the computer has been restarted

    • The computer connects to a different network

    • The computer is brought into a hot spot (public wireless access area) that requires sign-in

  • User notification: NCSI does not notify the user before attempting to collect information. It does notify the user or the application when there are changes in connectivity (for example, loss of Internet connectivity). Note that an application that uses NCSI can be written to include user notifications if appropriate to the design and function of the application.

  • Logging: NCSI does not log events in Event Viewer.

  • Privacy, encryption and storage: NCSI does not use encryption (both the requests it sends and the responses it receives are standardized, as shown in the table earlier in this subsection). Internet Information Services (IIS) logs are stored on the server at www.msftncsi.com. These logs contain the time of each access and the IP address recorded for that access. These IP addresses are not used to identify users, and in many cases, they are the address of a network address translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server.

  • Transmission protocol and port: NCSI uses HTTP over port 80. For DNS requests, NCSI uses the DNS port, which by default is port 53.
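Because NCSI does not log events, its probes can only be observed from the network side. The following added example (not part of the original appendix or any Microsoft tooling) checks captured probe traffic against the expected values in the table above and flags clients that still send probes although the Group Policy setting this appendix describes should be in effect. The record layout, the `policy_hosts` inventory and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Expected probe values, taken from the table in this section.
HTTP_HOST, HTTP_PATH = "www.msftncsi.com", "/ncsi.txt"
HTTP_BODY = b"Microsoft NCSI"  # exact bytes: no newline, nothing else
DNS_NAME = "dns.msftncsi.com"
DNS_ANSWER = ipaddress.ip_address("131.107.255.255")

def is_ncsi_probe(rec):
    """Recognise the two probe types by destination name."""
    if rec["kind"] == "http":
        return rec["host"].lower() == HTTP_HOST and rec["path"] == HTTP_PATH
    return rec["kind"] == "dns" and rec["name"].lower().rstrip(".") == DNS_NAME

def response_ok(rec):
    """Compare the observed response with what NCSI expects to receive."""
    if rec["kind"] == "http":
        return rec["body"] == HTTP_BODY
    return any(ipaddress.ip_address(a) == DNS_ANSWER for a in rec["answers"])

def audit(records, policy_hosts):
    # policy_hosts: hypothetical inventory of clients where the "Turn off
    # ... active tests" setting should already apply. Returns {client: findings}.
    findings = {}
    for rec in filter(is_ncsi_probe, records):
        notes = findings.setdefault(rec["client"], set())
        if rec["client"] in policy_hosts:
            notes.add("probe seen despite policy")
        if not response_ok(rec):
            notes.add(f"unexpected {rec['kind']} response")
    return {client: sorted(notes) for client, notes in findings.items()}

# Constructed sample records, e.g. exported from a packet capture.
SAMPLE = [
    {"client": "10.0.0.5", "kind": "http", "host": "www.msftncsi.com",
     "path": "/ncsi.txt", "body": b"Microsoft NCSI"},
    {"client": "10.0.0.5", "kind": "dns", "name": "dns.msftncsi.com.",
     "answers": ["131.107.255.255"]},
    {"client": "10.0.0.9", "kind": "http", "host": "WWW.MSFTNCSI.COM",
     "path": "/ncsi.txt", "body": b"Microsoft NCSI\n"},
    {"client": "10.0.0.9", "kind": "dns", "name": "dns.msftncsi.com",
     "answers": ["10.0.0.1"]},
    {"client": "10.0.0.7", "kind": "http", "host": "example.com",
     "path": "/", "body": b"hello"},
]

if __name__ == "__main__":
    print(audit(SAMPLE, policy_hosts={"10.0.0.5"}))
```

An unexpected response on a client that is allowed to probe usually means something between the client and the Internet answered in place of the real site, such as a hot spot sign-in page or an intercepting proxy.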

Controlling Communication Between NCSI and a Site on the Internet

You can prevent NCSI from connecting to https://www.msftncsi.com by using Group Policy. The following subsections provide more information.

How Preventing NCSI from Communicating Across the Internet Can Affect Users and Applications

If you use Group Policy to prevent NCSI from connecting to https://www.msftncsi.com, applications that perform checks for the existence of Internet connectivity might work more slowly. Also, if a computer running Windows Server 2008 is brought into a hot spot that requires sign-in, the computer might not detect the hot spot.

Procedures for Controlling Communication Between NCSI and a Site on the Internet

The following procedure describes how to use Group Policy to prevent NCSI from communicating across the Internet.

To Prevent NCSI from Communicating Across the Internet by Using Group Policy

  1. See Appendix B: Resources for Learning About Group Policy for Windows Server 2008 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Server 2008 (with the Group Policy Management feature installed) or running Windows Vista with SP1 and containing the Group Policy Management Console (GPMC) that is included in Remote Server Administration Tools for Windows Server 2008. Open GPMC by running gpmc.msc, and then edit an appropriate Group Policy object (GPO).

Note

You must perform this procedure on a computer running the software described in this step.

  2. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off Windows Network Connectivity Status Indicator active tests, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting. This setting is located in either Computer Configuration or User Configuration, in Policies\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Server 2008.

Additional References

For more information about how applications can use Network Awareness in Windows Server 2008, see the MSDN Web site at:

https://go.microsoft.com/fwlink/?LinkId=108692