Logo
programming4us
programming4us
programming4us
programming4us
 Windows XP
programming4us
 Windows Vista
programming4us
 Windows 7
programming4us
 Windows Azure
programming4us
 Windows Server
programming4us
 Windows Phone
 
 
Windows Server

Windows Server 2003 : Protecting Hosts with Windows Host Firewalls - Internet Connection Sharing

12/5/2012 4:43:22 PM
Internet Connection Sharing (ICS) is not a part of firewall services on Windows systems. However, if ICS is implemented, a firewall should also be used. ICS allows a Windows computer to act as a router between other hosts on an internal network and an external network such as the Internet. It provides network address translation (NAT), DHCP, and name resolution (DNS Proxy) services for other computers on the local network. Users can access the Internet and use the Outlook Express application as if their computers were directly connected to the Internet. It can also be configured to allow Internet access to computers on the local network such as web servers. ICS is most often used in small business and home or home office networks. Using ICS in a larger organization is not recommended, because the ICS-enabled computer will respond to DHCP client requests. Enabling ICS is, therefore, enabling a rogue DHCP server and can interfere with communications on the local network. (Hosts may obtain ICS network addresses instead of those required to communicate with servers and clients on the local network.)


The Internet Connection Firewall (ICF) and the Network Bridge feature are available on Windows Server 2003 Standard Edition and the 32-bit version of Windows Server 2003. They are not available with Windows Server 2003 Web Edition, Datacenter Edition, or the 64-bit versions of Windows Server 2003. 

When used, the ICS computer is rarely a dedicated router. Instead, the computer running ICS is used for daily work and pleasure if it is a workstation, and for other services (such as file and print) if it is a Windows server. You should understand its function so that you can disable its use in your Windows domain when necessary, or to ensure that it is securely deployed if you decide to implement it.

To fully understand the capabilities of ICS, you should have an understanding of the following:

  • Enabling ICS

  • Enabling Internet access to local services

  • Using a network bridge with ICS

  • Securing ICS

  • Managing ICS via Group Policy

1. Enabling ICS

In the typical small network, all computers are connected to the same network and ICS is implemented to provide all computers access to the Internet. To set up ICS, select and configure one computer as the ICS computer. The ICS computer must have two network connections: an Ethernet connection to the local network and a connection to the Internet (via modem, ISDN, DSL, or cable modem). If these network connections are in place, and you have successfully tested the Internet connection, enable ICS as follows.

Click Start and select the Control Panel. Double-click Network Connections. Right-click the network connection to be shared and select Properties. Select the Advanced tab and click "Allow other network users to connect through this computer's Internet connection," as shown in Figure 1. In the figure, the network connection has been renamed to Internet.

Figure 1. ICS is enabled from the Advanced tab of the network connection Properties

Click OK. Configure clients on the network to dynamically obtain an IP address.

When ICS is enabled, the following changes are made:

  • The local network connection is assigned the IP address 192.168.0.1. Consequently, any connections to other computers on the network will be lost. In addition, any Internet connections must also be refreshed.

  • The ICS service is started.

  • A DHCP allocator is available to assign addresses with a default range of 192.168.0.0 with a subnet mask of 255.255.255.0. The ICS host address is reserved, and clients are assigned addresses in the range of 192.168.0.2 to 192.168.0.254.

  • A local DNS proxy is enabled.

  • Autodial is enabled.

You cannot disable the DHCP allocator or change the default range of addresses.

ICS can be used to enable all computers on a network to access a VPN connection. The VPN connected must be ICS-enabled. For other computers to share the connection, the VPN connection must first be created on the ICS computer.

2. Enabling Internet Access to Local Services

ICS uses NAT to provide computers on the internal network access to the Internet. While NAT is not meant to provide security for internal hosts, external hosts do not know the actual IP address of internal hosts. Therefore, if you want to provide access to services such as web services, FTP services, or SMTP services, you must explicitly configure access. Begin by clicking Start and selecting the Control Panel. Double-click Network Connections. Right-click the ICS network connection and select Properties. Select the Advanced tab and click the Settings button to display a list of services, as shown in Figure 2.

Figure 2. When ICS is enabled, access to services running on the private network can be configured

Click to select the service you wish to provide access to. On the Service Settings page enter the name of the host that offers this service, as shown in Figure 3, then click OK.

Figure 3. Identify the server that hosts the service to which you allow access

Click OK twice to exit the network settings Properties pages.

3. Using a Network Bridge with ICS

In a more complex small network, the ICS computer may have more than one private network connection. To enable ICS when the host computer is connected to multiple LAN segments, you must bridge the private networks before enabling ICS

Begin by clicking Start and selecting the Control Panel. Double-click Network Connections. Select and hold down the Shift key and then click each of the adapters for the connections that should be included in the bridge. Wireless network connections, Ethernet, IEEE-1394 adapters, and telephone line connections can be included in a bridge. Do not include the network connection to the Internet.

Release the Shift key. Click on the Advanced menu and select Bridge Connections. The bridge is added to the Network Connections page and identifies the network connections that are bridged, as shown in Figure 4.

Select the Internet network connection and enable ICS, as explained in the earlier section "Enabling ICS."

Do not bridge connections to the Internet. If you do so, you expose hosts on the internal network to the Internet. Some types of Internet connections (such as DSL, modem, and cable modem connections) cannot be added to a network bridge. Other connections (such as an Ethernet connection to a router that is connected to the Internet) can be bridged, but it should not be.

4. Securing ICS

ICS does not add security to the Internet connection. It does, however, provide NAT services that hide the IP address of the hosts on the internal network. Even so, it is

Figure 4. Private network connections can be bridged to allow access from all private network connections to the Internet over a shared public network connection

still possible for an Internet-based attack to be successful. It is also possible to misconfigure ICS and expose the ICS host and computers on the private network to the risk of compromise. Take the following steps to secure ICS services:

  • Implement a firewall. A separate firewall can be placed between the ICS host and the Internet, the Windows built-in firewall can be enabled, or some other personal firewall can be installed. Be sure not to set up ICS without turning on the Windows Firewall. If no other firewall sits between the ICS host and the Internet, then the Windows Firewall (or some other firewall) should be used.

  • When configuring ICS, ensure that ICS is enabled on the Internet connection, not on the connection to the private network. If ICS is configured on the private network connection, hosts on the internal network are subject to attack from the Internet if the ICS host is connected to the Internet.

  • If a network bridge is created, ensure that the Internet connection is not part of the bridge.

  • Avoid providing access to private network services. If they must be allowed, configure them via the Settings page for ICS, and only configure those services that are necessary.

  • Harden the ICS host computer and, if at all possible, dedicate it to this task.

5. Managing ICS via Group Policy

By default, management of ICS is not restricted via Group Policy. A local administrator can enable the ICS, on a member computer. A good practice is to disable this service using Group Policy. The following two location-aware Administrative template policies can be configured to do so:


Prohibit use of Internet Connection Sharing on your DNS domain network.

When enabled, administrators cannot enable ICS on the local computer. When disabled or not configured, administrators can enable ICS on the local computer.


Prohibit installation and configuration of Network bridge on your DNS domain network.

When enabled, administrators cannot create a network bridge on the local computer. When disabled or not configured, administrators can create a network bridge on the local computer.

Location-aware policies operate only when a computer is connected to the same DNS domain network as the one it was connected to when the policy was refreshed. This means that administrators of laptop computers will not be able to enable ICS when the laptop is connected to its domain, but they will be able to enable ICS when the laptop is connected to a different network (such as a hotel or conference network).
Other -----------------
- Windows Server 2003 : Protecting Hosts with Windows Host Firewalls - Firewall Basics
- Collaborating Within an Exchange Environment Using Microsoft Office SharePoint Server 2007 : Exploring Basic MOSS Features
- Collaborating Within an Exchange Environment Using Microsoft Office SharePoint Server 2007 : Understanding the History of SharePoint Technologies, Identifying the Need for MOSS 2007
- Managing SharePoint 2010 with Windows PowerShell : Managing SharePoint 2010 Web Applications
- Managing SharePoint 2010 with Windows PowerShell : Managing Permissions in SharePoint 2010, Managing Content Databases in SharePoint 2010
- BizTalk 2010 : ASDK SQL adapter examples (part 4) - Composite Operations
- BizTalk 2010 : ASDK SQL adapter examples (part 3) - Query notification and multiple result sets
- BizTalk 2010 : ASDK SQL adapter examples (part 2) - Select, Table Valued Function, and Execute Reader
- BizTalk 2010 : ASDK SQL adapter examples (part 1) - TypedPolling and debatching
- Microsoft Dynamics AX 2009 : Integration with Microsoft Office - Sending email using Outlook
 
 
Video tutorials
- How To Install Windows 8 On VMware Workstation 9

- How To Install Windows 8

- How To Install Windows Server 2012

- How To Disable Windows 8 Metro UI

- How To Change Account Picture In Windows 8

- How To Unlock Administrator Account in Windows 8

- How To Restart, Log Off And Shutdown Windows 8

- How To Login To Skype Using A Microsoft Account

- How To Enable Aero Glass Effect In Windows 8

- How To Disable Windows Update in Windows 8

- How To Disable Windows 8 Metro UI

- How To Add Widgets To Windows 8 Lock Screen
programming4us programming4us
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
Popular keywords
HOW TO Swimlane in Visio Visio sort key Pen and Touch Creating groups in Windows Server Raid in Windows Server Exchange 2010 maintenance Exchange server mail enabled groups Debugging Tools Collaborating
programming4us programming4us
 
programming4us
 Girls
programming4us
 Windows Vista
programming4us
 Windows 7
programming4us
 Windows Azure
programming4us
 Windows Server
programming4us
 Windows Phone