The Cable Guy - May 2004

Network Determination Behavior for Network-Related Group Policy Settings

TechNet's The Cable Guy

By The Cable Guy

To correctly apply a set of network-related Group Policy settings, the networking components of Microsoft Windows Server 2003 and Windows XP must determine whether the computer is attached to a managed network (one that contains the domain controllers of the domain to which the computer belongs) or to another network. There are Computer Configuration Group Policy settings to enable or disable Internet Connection Sharing (ICS), the Internet Connection Firewall (ICF), and the Network Bridge, and settings to enable, disable, or configure the Windows Firewall, depending on whether the computer is attached to a managed organization network.

Group Policy Settings That Use Network Determination

This section describes the following Computer Configuration Group Policy settings:

  • Prohibit use of Internet Connection Sharing on your DNS domain network at Computer Configuration\Administrative Templates\Network\Network Connections
  • Prohibit use of Internet Connection Firewall on your DNS domain network at Computer Configuration\Administrative Templates\Network\Network Connections
  • Prohibit installation and configuration of Network Bridge on your DNS domain network at Computer Configuration\Administrative Templates\Network\Network Connections
  • Windows Firewall settings for Windows XP Service Pack 2 (SP2) at Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall

These settings use network determination to specify the behavior and configuration of network services.

Prohibit Use of Internet Connection Sharing on Your DNS Domain Network

This setting determines whether local administrators—users whose accounts are members of the local Administrators security group—can enable and configure ICS on an Internet connection. ICS lets local administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network.

If you enable this setting, ICS cannot be enabled or configured by users (including local administrators). If you disable this setting or do not configure it and have two or more connections, local administrators can enable ICS.

Prohibit Use of Internet Connection Firewall on Your DNS Domain Network

This setting determines whether users can enable ICF on a connection. ICF is the host-based stateful firewall included in Windows XP with no service pack installed and in Windows XP with Service Pack 1 (SP1); it is intended to help home and small office users protect their computers from Internet-based network attacks.

If you enable this setting, ICF cannot be enabled or configured by users (including local administrators). If you disable this setting or do not configure it, ICF is disabled when a LAN connection or VPN connection is created, but local administrators can use the Advanced tab in the connection's properties to enable it.

Prohibit Installation and Configuration of Network Bridge on Your DNS Domain Network

This setting determines whether a user can install and configure the Network Bridge. The Network Bridge allows users to create a Layer 2 transparent bridge, enabling them to connect two or more LAN segments together to create a single network segment (subnet). This connection appears in the Network Connections folder.

If you enable this setting, Network Bridge cannot be enabled or configured by users (including local administrators). The option to enable the Network Bridge through the context menu of LAN connections is removed. Enabling this setting does not remove an existing Network Bridge from the user's computer.

If you disable this setting or do not configure it, a local administrator will be able to create or modify the configuration of a Network Bridge.

Windows Firewall Settings for Windows XP SP2

To centralize the configuration of large numbers of computers in an organization network that use the Active Directory directory service, Windows Firewall settings for computers running Windows XP with SP2 can be deployed through Computer Configuration Group Policy. A new set of Computer Configuration Group Policy Windows Firewall settings allow a network administrator to configure Windows Firewall operational modes, excepted traffic, and other settings using a Group Policy object.

When using the new Windows Firewall Group Policy settings, you can configure two different profiles at Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall:

  • Domain profile

    The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the managed network. For example, the domain profile might contain settings for excepted traffic for the applications and services needed by a managed computer in an enterprise network.

  • Standard profile

    The standard profile is the set of Windows Firewall settings that are needed when the computer is connected to another network. A good example is when an organization laptop computer is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop computer is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.

For more information about Windows Firewall Group Policy settings, see the Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 white paper.

How Network Determination Works

For the Group Policy settings described in this article, the behavior or configuration of a network service depends on whether the computer is connected to a managed network (one that contains the domain controllers of the Windows domain of which the computer is a member) or to another network. This determination is based on the following:

  • The last-received Group Policy update DNS name. When a computer running Windows Server 2003 or Windows XP receives a Group Policy update, it records in the registry the connection-specific DNS suffix of the connection over which the update was received.
  • The connection-specific DNS suffixes of the computer's currently connected connections (those that have been assigned an IP address), excluding connections that are Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP)-based, such as dial-up or virtual private network (VPN) connections.

The network determination algorithm performs the following analysis:

  • If the computer is not a member of a domain, it is always attached to another network.
  • If the last-received Group Policy update DNS name matches any of the connection-specific DNS suffixes of the currently connected connections on the computer that are not PPP or SLIP-based, then the computer is attached to a managed network.
  • If the last-received Group Policy update DNS name does not match any of the connection-specific DNS suffixes of the currently connected connections on the computer that are not PPP or SLIP-based, then the computer is attached to another network.

Windows runs this network determination process during startup and whenever the Network Location Awareness service informs it that the computer's network settings have changed.

The connection-specific DNS suffix of the connection over which the last set of Group Policy updates were received is determined from its TCP/IP configuration, which is typically configured using Dynamic Host Configuration Protocol (DHCP) and the DNS Domain Name DHCP option (DHCP option number 15). You can also manually configure connection-specific DNS suffixes from the DNS tab in the advanced properties of the Internet Protocol (TCP/IP) component, available from the properties of the connection in the Network Connections folder.

For example, a laptop computer with only a wireless LAN connection that is a member of the corp.example.com domain connects to its organization network. DHCP servers on the organization network assign the DNS domain name corp.example.com using the DNS Domain Name DHCP option. When the computer or user logs on to the domain, it receives a Group Policy update over its wireless LAN connection and the DNS domain name of corp.example.com is recorded in the registry. Because the last-received Group Policy update DNS name matches the connection-specific suffix of the wireless LAN connection, Windows determines that the computer is connected to the managed network.

That same laptop computer is taken to a local coffee shop, where the user connects to the Internet over the coffee shop's wireless LAN. The wireless LAN connection is still configured using DHCP; however, the value of the DNS Domain Name DHCP option assigned by the Internet service provider (ISP) is isp.example.com. Because the last-received Group Policy update DNS name (corp.example.com) no longer matches the connection-specific DNS suffix of the wireless LAN connection (isp.example.com), Windows determines that the computer is connected to another network. Because the domain controllers for the corp.example.com domain are not reachable across the Internet, no Group Policy updates occur while the computer is connected to the Internet. Therefore, the last-received Group Policy update DNS name recorded in the registry remains set to corp.example.com.

Although this network determination algorithm works well in most situations, configuration variations can cause Windows to determine that the computer is always attached to the managed network, or can create temporary configuration problems when the computer roams between portions of the same managed network that assign different DNS suffixes through DHCP.

Always Attached to the Managed Network

If the connection-specific DNS suffixes for the computer's connections are manually configured, then the manually specified value overrides the value from the DNS Domain Name DHCP option. If the manually configured DNS suffix matches the last-received Group Policy update DNS name, then Windows will always determine that the computer is attached to the managed network.

This can create the following types of problems:

  • For the Group Policy settings for ICS, ICF, and Network Bridge, the user on the computer will not be able to enable these services when they attach to another network, such as the Internet or a home network. Not allowing the user to enable ICF when connected to the Internet can make the computer vulnerable to network attacks.
  • For the Windows Firewall Group Policy settings, an administrator for the managed network might decide to disable the Windows Firewall when the computer is attached to the managed network (this practice is highly discouraged unless another host-based firewall is being used) and to enable the Windows Firewall when the computer is attached to another network. If Windows always determines that the computer is attached to the managed network, Windows Firewall is disabled when the computer is attached to the Internet, once again making the computer vulnerable to network attacks.

Roaming Between Different Portions of the Same Managed Network

Temporary network determination problems can also occur when computers roam between portions of a managed network that assign different DNS domain names using DHCP.

For example, a laptop computer with only a wireless LAN connection is a member of the noam.corp.example.com Active Directory domain. DHCP servers in all of the organization's North American offices assign the DNS name noam.corp.example.com. However, in Europe, the Active Directory domain is europe.corp.example.com and the DHCP servers there assign the DNS name europe.corp.example.com. When the user connects the laptop computer to the wireless network in a European office, the computer's last-received Group Policy update DNS name no longer matches the DNS suffix of the computer's wireless connection, and Windows determines that the laptop computer is on another network, even though it is connected to a portion of the managed network.

However, this condition only lasts as long as it takes for Group Policy settings to be updated. When the computer updates Group Policy settings, the last-received Group Policy update DNS name is reset to the new connection-specific DNS suffix and the computer is then determined to be on the managed network.

Continuing our example, the laptop computer updates Group Policy settings from a domain controller in the noam.corp.example.com domain and the last-received Group Policy update DNS name is set to europe.corp.example.com, which now matches the connection-specific DNS suffix of the wireless connection. When the network determination algorithm is run again, it determines that the computer is connected to a managed network.

The workaround for this issue is to have all of the DHCP servers in the organization network assign a common DNS domain name, rather than a region-specific one. For our example, the workaround is to have all the DHCP servers assign the name example.com. The last-received Group Policy update DNS name will then always match the connection-specific DNS suffix of a LAN connection that is attached to the organization network. Note that the connection-specific DNS suffix is also used for resolving unqualified names and for dynamic DNS registration on that connection, so verify that name resolution still behaves as expected before changing the DHCP option across the organization.

The problem of temporarily determining that the computer is on another network when it is actually on the managed network can also occur with the following configurations:

  • The DNS Domain Name DHCP option is changed, assigning a domain suffix that does not match the last-received Group Policy update DNS name.
  • The DNS Domain Name DHCP option is removed, resulting in a blank connection-specific DNS suffix for the computer's LAN connection.
  • The connection-specific DNS suffix for the computer's LAN connection is manually configured and does not match the last-received Group Policy update DNS name.
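To make the decision procedure concrete, the following Python model is an added example; it is not Microsoft's code and is not part of the original article. It implements the three rules of the algorithm described under "How Network Determination Works" and replays the scenarios in this section: the corporate office and the coffee shop, roaming between the noam.corp.example.com and europe.corp.example.com offices before and after a Group Policy refresh, the removed DHCP option 15, the manually configured suffix that leaves the computer "always managed", and a VPN connection whose suffix is ignored. The names `Connection`, `Computer`, `roaming_trace` and `vpn_case`, the case-insensitive suffix comparison, and the treatment of a computer that has never received a Group Policy update as being on another network are assumptions of the model, not behavior stated in the article.

```python
"""Model of the network determination algorithm described in this article.
Added illustration, not Microsoft code: the registry value and the
connection table are simulated so the managed/other decision can be traced."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Connection:
    name: str
    connected: bool = True               # has an IP address assigned
    dhcp_suffix: str = ""                # DNS Domain Name, DHCP option 15
    manual_suffix: Optional[str] = None  # DNS tab override; wins over DHCP
    ppp_or_slip: bool = False            # dial-up / VPN: excluded from the check

    @property
    def dns_suffix(self) -> str:
        # A manually configured connection-specific suffix overrides option 15.
        return self.manual_suffix if self.manual_suffix is not None else self.dhcp_suffix


@dataclass
class Computer:
    domain_member: bool
    connections: List[Connection] = field(default_factory=list)
    # Stand-in for the registry value the article calls the "last-received
    # Group Policy update DNS name" (attribute name is an assumption).
    last_gp_dns_name: Optional[str] = None

    def candidate_suffixes(self) -> List[str]:
        """Suffixes of connected, non-PPP/SLIP connections."""
        return [c.dns_suffix for c in self.connections if c.connected and not c.ppp_or_slip]

    def network_type(self) -> str:
        """Return 'managed' or 'other' following the article's three rules."""
        if not self.domain_member:
            return "other"                      # rule 1: never a managed network
        if self.last_gp_dns_name is None:
            return "other"                      # assumption: nothing recorded yet
        wanted = self.last_gp_dns_name.lower()  # assumption: compare case-insensitively
        if any(s.lower() == wanted for s in self.candidate_suffixes()):
            return "managed"                    # rule 2
        return "other"                          # rule 3

    def group_policy_refresh(self, over: str, dcs_reachable: bool) -> bool:
        """Simulate a Group Policy update over connection `over`. If the domain
        controllers are reachable, the suffix of that connection is recorded;
        otherwise (e.g. on the Internet) the stored name is left untouched."""
        if not dcs_reachable:
            return False
        conn = next(c for c in self.connections if c.name == over)
        self.last_gp_dns_name = conn.dns_suffix
        return True


def roaming_trace() -> List[Tuple[str, str]]:
    """Replay the article's scenarios on one domain-joined laptop with a single
    wireless LAN connection. Suffix values are the article's own examples."""
    wlan = Connection("Wireless", dhcp_suffix="noam.corp.example.com")
    pc = Computer(domain_member=True, connections=[wlan])
    trace: List[Tuple[str, str]] = []
    # North American office: domain logon, Group Policy update over the WLAN.
    pc.group_policy_refresh("Wireless", dcs_reachable=True)
    trace.append(("office-noam", pc.network_type()))
    # Coffee shop: ISP DHCP hands out isp.example.com; DCs unreachable, so the
    # recorded name stays noam.corp.example.com and no longer matches.
    wlan.dhcp_suffix = "isp.example.com"
    pc.group_policy_refresh("Wireless", dcs_reachable=False)
    trace.append(("coffee-shop", pc.network_type()))
    # European office: DHCP assigns europe.corp.example.com. Until the next
    # Group Policy refresh the laptop is wrongly classed as on another network.
    wlan.dhcp_suffix = "europe.corp.example.com"
    trace.append(("office-europe-before-refresh", pc.network_type()))
    pc.group_policy_refresh("Wireless", dcs_reachable=True)
    trace.append(("office-europe-after-refresh", pc.network_type()))
    # DHCP option 15 removed: a blank suffix cannot match the recorded name.
    wlan.dhcp_suffix = ""
    trace.append(("office-europe-no-option-15", pc.network_type()))
    # Pitfall: a manually configured suffix equal to the recorded name makes the
    # laptop 'managed' everywhere, including back at the coffee shop.
    wlan.manual_suffix = "europe.corp.example.com"
    wlan.dhcp_suffix = "isp.example.com"
    trace.append(("coffee-shop-manual-suffix", pc.network_type()))
    return trace


def vpn_case() -> str:
    """A PPP-based VPN connection carrying the managed suffix is ignored, so the
    home LAN suffix decides and the laptop stays on 'other'."""
    lan = Connection("Local Area Connection", dhcp_suffix="home.example.net")
    vpn = Connection("Corp VPN", dhcp_suffix="corp.example.com", ppp_or_slip=True)
    pc = Computer(True, [lan, vpn], last_gp_dns_name="corp.example.com")
    return pc.network_type()


if __name__ == "__main__":
    for step, verdict in roaming_trace():
        print(f"{step:30} {verdict}")
    print(f"{'home-lan-with-vpn':30} {vpn_case()}")
```

The VPN case is worth noting in practice: because PPP-based connections are excluded from the comparison, a laptop at home on a VPN to the organization is still treated as being on another network, so the Windows Firewall standard profile (and the ICS/ICF/Network Bridge prohibitions as they apply to other networks) remain in effect over the tunnel.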

For More Information

For more information about Group Policy settings and Windows XP SP2, consult the following resources:
