Appendix F: Internet Connection Sharing, Network Bridge, and HomeGroup in Windows 7 and Windows Server 2008 R2
Applies To: Windows 7, Windows Server 2008 R2
In this appendix
Overview: Internet Connection Sharing, Network Bridge, and HomeGroup
Using ICS, Network Bridge, and HomeGroup in a managed environment
Controlling the use of ICS, Network Bridge, and HomeGroup
Overview: Internet Connection Sharing, Network Bridge, and HomeGroup
Internet Connection Sharing (ICS), Network Bridge, and HomeGroup are features that are designed for home and small office networks. These features are included in Windows® 7 and Windows Server® 2008 R2.
Internet Connection Sharing, Network Bridge, and HomeGroup provide the following functionality:
Internet Connection Sharing: With ICS, users can share a public Internet connection with a private home or small business network. In an ICS network, a single computer is chosen to be the ICS host. The ICS host has at least two network adapters: one connected to the Internet and one or more connected to the private network. All Internet traffic flows through the ICS host. ICS uses Dynamic Host Configuration Protocol (DHCP) to assign private IP addresses on the network, and it uses Network Address Translation (NAT) to allow multiple computers on the private network to connect to the public network through the ICS host.
Only the ICS host is visible from the Internet. The private network is "hidden." Also, NAT blocks any network traffic that did not originate from the private network or that is a response to traffic originating from the private network.
In addition, ICS provides name resolution to the home network through a DNS proxy.
Note
You should not use Internet Connection Sharing in an existing network with Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses.
- Network Bridge: Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. Network Bridge forwards traffic among the multiple LAN segments, making them appear to be a single IP subnet.
Warning
If Windows Firewall or ICS are not enabled on your network, do not set up a network bridge between the public Internet connection and the private network connection. Setting up a network bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When Windows Firewall or ICS is enabled, this risk is mitigated.
- HomeGroup: HomeGroup is a feature in Windows 7 that allows you to connect two or more computers that are running Windows 7. This enables you to share your Music, Pictures, Video, and Document libraries, in addition to printers, with others in your home. HomeGroup automatically sets up sharing so that all media that is shared with the homegroup is accessible from Windows Media Player, Windows Media Center, and other compatible media devices in the home.
Using ICS, Network Bridge, and HomeGroup in a managed environment
ICS, Network Bridge, and HomeGroup are not enabled by default. However, it is important to be aware of all the methods that are available to users and administrators to connect to networked assets, and to review whether your security measures provide in-depth defense (as contrasted with a single layer of defense, which is more easily breached).
ICS is available only on computers that have two or more network connections. An administrator or user with administrative credentials can use Control Panel to open Network Connections, through which ICS settings can be viewed or changed as described in Viewing ICS settings on a computer running Windows 7 or Windows Server 2008 R2 later in this appendix. ICS lets administrators configure a computer as an Internet gateway for a small network, and it provides network services such as name resolution through DNS. It also provides addressing through DHCP to the local private network.
The Network Bridge menu command Bridge Connections is available only when two or more network adapters are present. By default, Network Bridge is disabled, but administrators can use Bridge Connections to enable Network Bridge.
HomeGroup is available in all editions of Windows 7 and Windows Server 2008 R2. However, a homegroup can only be created from a computer that is not joined to a domain. A domain-joined computer can join a homegroup to access data from other homegroup members, but data on a domain-joined computer cannot be accessed from other computers joined to the homegroup. Domain and local administrators can configure additional homegroup restrictions on a domain-joined computer.
Controlling the use of ICS, Network Bridge, and HomeGroup
This subsection provides information about:
Viewing ICS settings on a computer running Windows 7.
Disabling ICS and Network Bridge by using an answer file for unattended or remote installation.
Disabling ICS and Network Bridge by using Group Policy.
Managing HomeGroup settings for domain-joined computers.
Viewing ICS settings on a computer running Windows 7 or Windows Server 2008 R2
The following procedure describes how to view the settings for ICS in Windows 7 and Windows Server 2008 R2.
To view ICS settings
Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, and then click Change adapter settings.
Right-click a connection, and then click Properties.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
In Local Area Connection Properties, click the Sharing tab and view the settings for ICS.
Note
The Sharing tab will not appear unless the computer has at least two network adapters.
Disabling ICS and Network Bridge by using an answer file for unattended or remote installation
If the answer files that you use for unattended or remote installation exclude all lines that would enable ICS or Network Bridge, then ICS and Network Bridge are disabled (this is the default). Make sure that your answer file has no lines that contain the strings EnableICS or Bridge.
For more information about unattended installation, see the references listed in Appendix A: Resources for Learning About Automated Installation and Deployment for Windows 7 and Windows Server 2008 R2.
Disabling ICS and Network Bridge by using Group Policy
You can use the following Group Policy settings to disable small office networking features in your domain environment.
Note
For more details about any of the Group Policy settings, use a Group Policy interface to navigate to the setting, and then click the Extended tab, or open the setting, and then click the Explain tab. For other sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2.
Prohibit use of Internet Connection Sharing on your DNS domain network located in Computer Configuration\Administrative Templates\Network\Network Connections.
If you enable this policy setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer.
Prohibit installation and configuration of Network Bridge on your DNS domain network located in Computer Configuration\Administrative Templates\Network\Network Connections.
When you enable this policy setting, administrators cannot create a Network Bridge. Enabling this policy setting does not remove an existing Network Bridge from a computer.
Important
Group Policy settings that have "DNS" in the name of the setting are dependent on the network context of the computer. They apply only when a computer is connected to the same DNS domain network that it was connected to when the policy setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the policy setting was refreshed, the policy setting does not apply.
For more information about home and small office networking features, see the Help and Support topics in Windows 7.
You can also search Help topics for Windows 7 on the following Microsoft® Web site: Windows 7 Help and How-to.
Managing HomeGroup settings for domain-joined computers
There are a number of configuration settings that you can use to manage how a domain-joined computer can be used in a homegroup. These settings include the following:
For a computer to participate in a homegroup, certain firewall ports must be open. If you use Windows Firewall, the required ports are opened by default when a user selects the network location. If a non-Microsoft firewall is deployed or customized settings are used, additional ports must be opened for the user’s home network. For more information, see Appendix G: Windows Firewall in Windows 7 and Windows Server 2008 R2 in this document.
For proper HomeGroup functionality, organizations with IPsec deployments should use domain-based Group Policy settings to deliver IPsec policies. You should include a rule that allows hosts without IPsec from the 192.168.x.x range to contact the computer on TCP 3587 (Peer-to-Peer Grouping) and UDP 3540 (PNRP).
Depending on the specifics of the employees’ home network configuration (specifically, if addresses are delivered through DHCP), IT administrators might need to add additional addresses to the allowed list for these ports. If this rule is not deployed, the work computer will cause problems for other computers that attempt to join the homegroup. Specifically, when a new computer attempts to join a homegroup that is advertised by a computer from work, the connection will time out. For more information, see Internet Protocol Version 6, Teredo, and Related Technologies in Windows 7 and Windows Server 2008 R2 in this document.
There are three Group Policy settings in the Group Policy Management Console that IT administrators can use to control computers that are members of a domain at work and are joining a homegroup:
- Require domain users to elevate when setting a network’s location. To join a Homegroup, a user must be able to modify network location settings. By default in Windows 7 and Windows Server 2008 R2, a standard user can modify network location settings. However, a network administrator can restrict this permission by configuring and applying the Require domain users to elevate when setting a network’s location Group Policy setting.
Note
The full path of this node in the Group Policy Management Console is Computer Configuration\Administrative Templates\Network\Network Connections.
- **Prevent the computer from joining a homegroup**. This policy setting allows you to control the ability of users to join a homegroup. If you enable this policy setting, users cannot detect or join a homegroup. If you disable or do not configure (default setting) this policy setting, users can detect and join a homegroup.
Note
The full path of this node in the Group Policy Management Console is Computer Configuration\Administrative Templates\Windows Components\HomeGroup.
- **Point and Print Restrictions**. This policy setting allows you to control the installation of printer drivers from the homegroup. If you enable this policy setting, computers that are members of a homegroup can install only printer drivers from a remote computer in the same homegroup if the driver is already installed on the local computer. If you disable or do not configure (default setting) this policy setting, computers that are members of a homegroup will automatically discover and install printer drivers from other computers in the same homegroup.
Note
The full path of this node in the Group Policy Management Console is Computer Configuration\Administrative Templates\Printers.
For more information about configuring these options, see Settings to Allow Computers that are Members of a Domain to Join a Homegroup.