Appendix F: Internet Connection Sharing and Network Bridge
Applies To: Windows Server 2003 with SP1
Internet Connection Sharing and Network Bridge are features designed for home and small office networks, and they can be used together with Windows Firewall (formerly called Internet Connection Firewall or ICF). These features are included in some editions of the Microsoft Windows Server 2003 family. They are described here so that you, as an IT administrator, are aware that these capabilities may be present on servers in your organization’s network.
The following list describes the editions and versions of Windows Server 2003 that do and do not include Internet Connection Sharing, Windows Firewall (formerly called Internet Connection Firewall), and Network Bridge:
Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.
Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.
Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.
For more information about Windows Firewall, see Appendix E: Windows Firewall and Security Configuration Wizard.
This appendix includes the following:
An overview of Internet Connection Sharing and Network Bridge.
How Internet Connection Sharing and Network Bridge can be used in a managed environment.
How to control or prevent the use of Internet Connection Sharing and Network Bridge.
Overview: Internet Connection Sharing and Network Bridge
Internet Connection Sharing and Network Bridge provide the following functionality:
Internet Connection Sharing (ICS)
ICS provides Internet access for a home or small office network through one shared connection that serves as the Internet gateway. One computer is chosen to be the ICS host. The ICS host has at least two network adapters, one connected to the Internet and one or more connected to the private network, and all Internet-bound traffic flows through it. The ICS host acts as the DHCP server for the private network (it takes the address 192.168.0.1 and hands out addresses from 192.168.0.0/24) and uses Network Address Translation (NAT) so that the computers on the private network share the host’s single public address.
In a home or small office, ICS has security benefits. Only the ICS host is visible from the Internet; the private network is hidden behind the host’s public address. NAT also drops inbound traffic that is not a response to a connection initiated from the private network, because no translation state exists for it. Note that this is a side effect of address translation rather than a firewall: any inbound port mapping that an administrator configures on the ICS host re-exposes that private service to the Internet.
In addition, ICS provides name resolution to the private network through a DNS proxy, which forwards clients’ queries to the DNS servers of the Internet connection.
Note
You should not use Internet Connection Sharing in an existing network that already has Windows Server 2003 domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured with static IP addresses. The ICS host takes over the roles of DHCP server, DNS proxy and default gateway for the private segment, and it will conflict with the servers already providing those services.
Network Bridge
Network Bridge removes the need for routing or bridging hardware in a home or small office network that has multiple LAN segments (for example, a wired segment and a wireless segment). The bridge forwards frames between the segments at the data-link layer, so the segments behave as a single IP subnet.
Warning
If neither Windows Firewall nor ICS is enabled on the computer, do not bridge the public Internet connection with the private network connection. Such a bridge creates an unprotected link between your network and the Internet: every host on the private segment becomes directly reachable from outside, leaving your network open to external attack. Enabling Windows Firewall or ICS on the computer mitigates this risk.
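The following toy model, added here as an example and not taken from Microsoft’s ICS or bridge code, shows the difference the warning above describes and the NAT behaviour described under Internet Connection Sharing: a NAT gateway forwards an inbound packet only when it answers a connection a private host opened (or matches an inbound port mapping the administrator configured), whereas a bridge delivers whatever arrives. The Packet record, the addresses (RFC 5737 documentation ranges) and the ports are constructed for the demonstration.

```python
"""Toy model of ICS-style NAT versus a bridge (added example, not Microsoft code).
Addresses, ports and the Packet record are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Many-to-one NAT as the ICS host performs it: each outbound flow gets a
    public port; an inbound packet is translated back only if a matching flow
    exists or an explicit inbound port mapping was configured."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}      # (proto, src_ip, src_port, dst_ip, dst_port) -> public port
        self.reverse = {}    # (proto, public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.port_map = {}   # (proto, public_port) -> (private_ip, private_port), administrator-configured

    def outbound(self, pkt):
        """Translate a packet leaving the private network; creates NAT state."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.flows.get(key)
        if pub_port is None:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.flows[key] = pub_port
            self.reverse[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = (self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
                  or self.port_map.get((pkt.proto, pkt.dst_port)))
        if target is None:
            return None  # unsolicited: no flow state and no port mapping
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)


class Bridge:
    """Layer-2 bridge between the public and private segments: both sides form
    one subnet, so a frame addressed to a private host is delivered whether or
    not that host asked for it."""

    def __init__(self, private_hosts):
        self.private_hosts = set(private_hosts)

    def inbound(self, pkt):
        return pkt if pkt.dst_ip in self.private_hosts else None


def demo():
    """The same attacker probe against a NAT gateway and against a bridge."""
    nat = NatGateway("203.0.113.10")
    # A private host (ICS hands out 192.168.0.x) opens a web connection; the reply is let back in.
    out = nat.outbound(Packet("192.168.0.5", 49152, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", out.src_port))
    # An unsolicited probe at TCP 445 has no matching state and is dropped.
    probe = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 445))
    # The same probe across a bridge reaches the private host directly.
    bridged = Bridge(["192.168.0.5"]).inbound(Packet("198.51.100.99", 4444, "192.168.0.5", 445))
    return out, reply, probe, bridged


def demo_port_mapping():
    """An administrator-configured inbound mapping re-exposes one private service."""
    nat = NatGateway("203.0.113.10")
    nat.port_map[("tcp", 80)] = ("192.168.0.5", 80)
    return nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 80))
```

The model deliberately omits timeouts, port collisions and ICMP handling; its point is only that the protection ICS gives the private network comes from missing translation state, which any inbound mapping or a bridge bypasses.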
Using Internet Connection Sharing and Network Bridge in a Managed Environment
On Windows Server 2003 with SP1, Internet Connection Sharing, Network Bridge and Windows Firewall are all disabled by default. Internet Connection Sharing (ICS) is available only on computers that have two or more network connections. An administrator, or any user with administrative credentials, can enable ICS on the Advanced tab of a connection’s properties (Control Panel\Network Connections) or by choosing it while running the New Connection Wizard. Once enabled, ICS turns the computer into an Internet gateway for a small network and provides name resolution through its Domain Name System (DNS) proxy and addressing through Dynamic Host Configuration Protocol (DHCP) to the local private network.
The Network Bridge menu command Bridge Connections is available only when two or more network adapters are present. By default, Network Bridge is disabled, but administrators can use Bridge Connections to enable Network Bridge.
In a domain environment, you should not allow these features to be enabled or configured. See the following subsection for information about how to disable them.
It is important to be aware of every method users and administrators have for connecting your networked assets to other networks, and to review whether your security measures provide defense in depth rather than a single layer of defense, which is more easily breached.
Controlling the Use of Internet Connection Sharing and Network Bridge
You can block administrators and users from accessing ICS and Network Bridge by using answer files during initial installation and by using Group Policy post-deployment.
Using Answer Files for Unattended or Remote Installation
Using the standard methods for preparing an unattended or remote installation, you can add entries to the [Homenet] section of the answer file. If you do, also consider adding entries to the [WindowsFirewall] section. These sections contain entries for configuring home and small office networking settings for network adapters, Internet Connection Sharing, Windows Firewall, and Network Bridge. For example, to prevent users and administrators from enabling Internet Connection Sharing, the answer file entry is as follows:
[Homenet]
EnableICS = No
For additional configuration options for [Homenet] and [WindowsFirewall] entries for the answer file, and for more information about unattended installation, see the references listed in Appendix A: Resources for Learning About Automated Installation and Deployment. Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
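A fuller answer-file fragment, added here as an example and not copied from Deploy.chm: only the [Homenet] EnableICS entry comes from this appendix. The [WindowsFirewall] section, with its Profiles, Type and Mode entries (Type 1 = domain profile, 2 = standard profile; Mode 1 = firewall on, 0 = off), is my recollection of the Windows Server 2003 SP1 unattended-setup reference and is an assumption to be confirmed against Deploy.chm before use.

```ini
; Added example answer-file fragment (not from the appendix or Deploy.chm).
; Only EnableICS is documented on this page; the [WindowsFirewall] entries
; below are assumed and must be checked against the SP1 Deploy.chm reference.

[Homenet]
EnableICS = No

[WindowsFirewall]
Profiles = WindowsFirewall.Domain,WindowsFirewall.Standard

[WindowsFirewall.Domain]
Type = 1   ; domain profile
Mode = 1   ; firewall on

[WindowsFirewall.Standard]
Type = 2   ; standard profile (used when not on the domain network)
Mode = 1   ; firewall on
```

Disabling ICS in the answer file and enabling Windows Firewall in both profiles go together: the firewall is the protection the Warning above relies on when a bridge exists, and the standard profile is what applies when a computer is moved off the domain network, where the DNS-domain Group Policy settings described below no longer apply.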
Using Group Policy to Disable Internet Connection Sharing and Network Bridge
The Group Policy settings for disabling Internet Connection Sharing and Network Bridge in your domain environment are as follows. For information about Group Policy settings for Windows Firewall, see Appendix E: Windows Firewall and Security Configuration Wizard.
Note
For more details about any of the Group Policy settings, use a Group Policy interface to navigate to the setting and then click the Extended tab, or open the setting and then click the Explain tab. For other sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy.
Prohibit use of Internet Connection Sharing on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.
If you enable this policy setting, administrators cannot enable or configure ICS, and the ICS service cannot run on the computer. On the Advanced tab of the Properties dialog box for a local area network (LAN) or remote access connection, under Internet Connection Sharing, the text “Internet Connection Sharing has been disabled by the Network Administrator” appears.
Also, if you enable this policy setting, the Internet Connection Sharing page is removed from the New Connection Wizard.
Prohibit installation and configuration of Network Bridge on your DNS domain network, located in Computer Configuration\Administrative Templates\Network\Network Connections.
When you enable this policy setting, administrators cannot create a Network Bridge. Enabling this policy setting does not remove an existing Network Bridge from a computer, so remove any bridge that is already configured on affected computers separately before you rely on this setting.
Important
The preceding policy settings (both of which have “DNS” in their names) depend on the network context the computer is in. They apply only while the computer is connected to the same DNS domain network it was connected to when the policy setting was refreshed on that computer. If the computer is connected to a different DNS domain network, the policy setting does not apply. A portable computer that is taken to another network is therefore not covered by these settings until it returns to the domain network and policy is refreshed.
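Because the bridge setting does not remove an existing bridge and both settings stop applying off the domain network, a practitioner will want to check the actual state of each server rather than trust the GPO report. The script below, added here as an example and not part of the appendix, audits that state offline from two files collected per host: a reg export of the policy key (reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections" nc.reg) and the output of ipconfig /all. The registry value names NC_ShowSharedAccessUI and NC_AllowNetBridge_NLA are the values the two settings write (0 = Enabled) as defined in the Network Connections policy template; the adapter description “MAC Bridge Miniport” and the ICS private-side address 192.168.0.1 are used as indicators. The sample registry and ipconfig texts are constructed for the demonstration; real exports are UTF-16 and should be decoded first.

```python
"""Offline audit of the ICS and Network Bridge policy state (added example).
Inputs are a 'reg export' of the policy key and 'ipconfig /all' output;
the samples at the bottom are constructed for the demonstration."""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections"
ICS_VALUE = "NC_ShowSharedAccessUI"      # 0 = "Prohibit use of ICS ..." is Enabled
BRIDGE_VALUE = "NC_AllowNetBridge_NLA"   # 0 = "Prohibit ... Network Bridge ..." is Enabled
BRIDGE_DESC = "MAC Bridge Miniport"      # adapter description of a Windows bridge
ICS_PRIVATE_IP = "192.168.0.1"           # address the ICS host takes on its private side


def parse_reg_export(text):
    """Parse a .reg file into {key: {value_name: value}} (dword and string values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip().strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                keys[current][name] = raw.strip().strip('"')
    return keys


def parse_ipconfig(text):
    """Return [{'name', 'description', 'ip'}] for each adapter in 'ipconfig /all' output."""
    adapters, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\S.*adapter (.+):\s*$", line)
        if m:
            cur = {"name": m.group(1), "description": "", "ip": ""}
            adapters.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(Description|IP Address)[ .]*:\s*(.*)$", line)
            if m:
                cur["description" if m.group(1) == "Description" else "ip"] = m.group(2).strip()
    return adapters


def audit(reg_text, ipconfig_text):
    """Return findings; an empty list means both policies are enforced and no
    bridge or ICS private-side address is visible on the host."""
    values = parse_reg_export(reg_text).get(POLICY_KEY, {})
    findings = []
    if values.get(ICS_VALUE) != 0:
        findings.append("policy: ICS is not prohibited (%s != 0)" % ICS_VALUE)
    if values.get(BRIDGE_VALUE) != 0:
        findings.append("policy: Network Bridge is not prohibited (%s != 0)" % BRIDGE_VALUE)
    for a in parse_ipconfig(ipconfig_text):
        if BRIDGE_DESC in a["description"]:
            findings.append("host: existing bridge '%s' (policy does not remove it)" % a["name"])
        if a["ip"] == ICS_PRIVATE_IP:
            findings.append("host: '%s' has %s, the ICS private-side address" % (a["name"], ICS_PRIVATE_IP))
    return findings


# Constructed sample: only the ICS policy is applied, and a bridge already exists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections]
"NC_ShowSharedAccessUI"=dword:00000000
"""

# Constructed sample: both policies applied.
SAMPLE_REG_BOTH = SAMPLE_REG + '"NC_AllowNetBridge_NLA"=dword:00000000\n'

SAMPLE_IPCONFIG = """Windows IP Configuration

        Host Name . . . . . . . . . . . . : srv01

Ethernet adapter Network Bridge:

        Description . . . . . . . . . . . : MAC Bridge Miniport
        Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
        IP Address. . . . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        IP Address. . . . . . . . . . . . : 10.0.0.10
"""

SAMPLE_IPCONFIG_LAN_ONLY = SAMPLE_IPCONFIG[SAMPLE_IPCONFIG.index("Ethernet adapter Local"):]


def demo():
    return audit(SAMPLE_REG, SAMPLE_IPCONFIG)
```

Do not use the state of the SharedAccess service as the ICS indicator: on Windows Server 2003 with SP1 that service hosts Windows Firewall as well as ICS, so it runs whenever the firewall is on. The Policies key reflects what was last applied, so a clean result on a portable computer says nothing about what the computer could do while it was connected elsewhere.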
For more information about home and small office networking features, see Help for Windows Server 2003 with SP1 on the Microsoft Web site at: