Appendix G: Internet Connection Sharing and Network Bridge in Windows Vista
In This Appendix
Overview: Internet Connection Sharing and Network Bridge
Internet Connection Sharing and Network Bridge are features designed for home and small office networks. These features are included in Windows Vista. Information about these features is presented here so you as an IT administrator can be aware of these potential capabilities within your organization’s network when you install Windows Vista.
Internet Connection Sharing and Network Bridge provide the following functionality:
Internet Connection Sharing: With ICS, users can share a public Internet connection with a private home or small business network. In an ICS network, a single computer is chosen to be the ICS host. The ICS host has at least two network adapters: one connected to the Internet and one or more connected to the private network. All Internet-destined traffic flows through the ICS host. ICS uses Dynamic Host Configuration Protocol (DHCP) to assign private IP addresses on the network, and it uses Network Address Translation (NAT) to allow multiple computers on the private network to connect to the public network through the ICS host.
Only the ICS host is visible from the Internet. The private network is "hidden." Also, NAT blocks any network traffic that did not originate from the private network or is a response to traffic originating from the private network.
In addition, ICS provides name resolution to the home network through a DNS proxy.
Note You should not use Internet Connection Sharing in an existing network with Domain Name System (DNS) servers, gateways, DHCP servers, or systems configured for static IP addresses.
Network Bridge: Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. Network Bridge forwards traffic among the multiple LAN segments, making them appear to be a single IP subnet.
Caution If neither Windows Firewall nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either Windows Firewall or ICS is enabled, this risk is mitigated.
Using ICS and Network Bridge in a Managed Environment
ICS and Network Bridge are not enabled by default, and ICS is available only on computers that have two or more network connections. An administrator or user with administrative credentials can use Control Panel to open Network Connections, through which ICS settings can be viewed or changed as described in "Viewing ICS Settings on a Computer Running Windows Vista," later in this appendix. ICS lets administrators configure a computer as an Internet gateway for a small network, and it provides network services such as name resolution through Domain Name System (DNS). It also provides addressing through Dynamic Host Configuration Protocol (DHCP) to the local private network.
The Network Bridge menu command Bridge Connections is available only when two or more network adapters are present. By default, Network Bridge is disabled, but administrators can use Bridge Connections to enable Network Bridge.
In a domain environment, you should not allow these features to be enabled or configured. See the following subsection for information about how to disable them.
It is important to be aware of all the methods users and administrators have for connecting to your networked assets, and to review whether your security measures provide in-depth defense (as contrasted with a single layer of defense, which is more easily breached).
Controlling the Use of ICS and Network Bridge
This subsection provides information about:
Viewing ICS settings on a computer running Windows Vista.
Disabling ICS and Network Bridge by using an answer file for unattended or remote installation.
Disabling ICS and Network Bridge by using Group Policy.
Viewing ICS Settings on a Computer Running Windows Vista
The following procedure describes how to view the settings for ICS in Windows Vista.
Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center and then, on the left, click Manage network connections.
Right-click a connection, and then click Properties.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
In Local Area Connection Properties, click the Sharing tab and view the settings for ICS.
Disabling ICS and Network Bridge by Using an Answer File for Unattended or Remote Installation
If the answer files that you use for unattended or remote installation exclude all lines that would enable ICS or Network Bridge, then ICS and Network Bridge will be disabled, because this is the default. To exclude these lines, make sure that your answer file has no lines that contain the strings EnableICS or Bridge.
For more information about unattended installation, see the references listed in Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Vista.
Disabling ICS and Network Bridge by Using Group Policy
Group Policy settings for disabling small office networking features in your domain environment are as follows.
|For more details about any of the Group Policy settings, use a Group Policy interface to navigate to the setting and then click the Extended tab, or open the setting and then click the Explain tab. For other sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows Vista.|
Prohibit use of Internet Connection Sharing on your DNS domain network located in Computer Configuration\Administrative Templates\Network\Network Connections.
If you enable this policy setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. In the Advanced tab in the Properties dialog box for a local area network (LAN) or remote access connection, under Internet Connection Sharing, it says "Internet Connection Sharing has been disabled by the Network Administrator."
Prohibit installation and configuration of Network Bridge on your DNS domain network located in Computer Configuration\Administrative Templates\Network\Network Connections.
When you enable this policy setting, administrators cannot create a Network Bridge. Enabling this policy setting does not remove an existing Network Bridge from a computer.
Important Policy settings that have "DNS" in the name of the setting are dependent on the network context that the computer is in. They apply only when a computer is connected to the same DNS domain network it was connected to when the policy setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the policy setting was refreshed, the policy setting does not apply.
For more information about home and small office networking features, see Help and Support topics in Windows Vista. You can search Help topics for Windows Vista on the Microsoft Web site at: