Core Networking Improvements CHAPTER 25
As with other versions of Windows, server-side support for SMB (sharing files and printers) is provided by the Server service, and client-side support (connecting to shared resources) is provided by the Workstation service. Both services are configured to start automatically, and you can safely disable either service if you don't require it. The security risk of leaving the Server service running is reduced because Windows Firewall blocks incoming requests to the Server service on public networks by default. That protection is profile-specific, however: on private and domain networks the File And Printer Sharing firewall rules can be enabled, so on a client that never shares files, disabling the Server service removes the SMB listener regardless of which network profile is active.
Strong Host Model
When a unicast packet arrives at a host, IP must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). IP implementations that follow a weak host model accept any locally destined packet, regardless of the interface on which the packet was received. IP implementations that follow the strong host model accept locally destined packets only if the destination address in the packet matches an address assigned to the interface on which the packet was received.
The IPv4 implementation in Windows XP and Windows Server 2003 uses the weak host model. Windows Vista and Windows 7 support the strong host model for both IPv4 and IPv6 and are configured to use it by default. However, you can revert to the weak host model using Netsh. The weak host model provides better network connectivity, but it also makes multihomed hosts susceptible to attacks that cross interfaces: a packet addressed to the internal interface is accepted even when it arrives on the Internet-facing interface, so an attacker who can reach one interface can talk to services that were meant to be reachable only through the other.
To change the host model being used, use the following Netsh commands (and specify the name of the network adapter).

Netsh interface IPv4 set interface "Local Area Connection" WeakHostSend=enabled
Ok.
Netsh interface IPv4 set interface "Local Area Connection" WeakHostReceive=enabled
Ok.

To return to the default settings, use the same command format but disable the WeakHostSend and WeakHostReceive parameters.
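The following PowerShell script is an added example, not code from the Resource Kit. It audits every IPv4 interface for the host model by parsing the output of netsh interface ipv4 show interface, reports any interface where WeakHostSend or WeakHostReceive has been enabled, and shows the commands that restore the strong host default. It assumes the English netsh output labels "Weak Host Sends" and "Weak Host Receives"; the patterns need adjusting on a localized build, and the Get-NetshInterfaceNames and Get-HostModel function names are this example's own.

```powershell
# Added example, not from the Resource Kit: audit the host model of every IPv4
# interface by parsing "netsh interface ipv4 show interface <name>" output.
# Assumes English netsh output ("Weak Host Sends"/"Weak Host Receives");
# adjust the patterns for a localized build. Written for PowerShell 2.0 (Windows 7).

function Get-NetshInterfaceNames {
    param([string]$Family = 'ipv4')
    # Rows of "show interfaces" look like:
    #  11          10        1500  connected     Local Area Connection
    netsh interface $Family show interfaces | ForEach-Object {
        if ($_ -match '^\s*\d+\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$') { $matches[1] }
    }
}

function Get-HostModel {
    param([string]$Family = 'ipv4')
    foreach ($name in Get-NetshInterfaceNames -Family $Family) {
        $detail = netsh interface $Family show interface "$name"
        $send = 'unknown'; $recv = 'unknown'
        foreach ($line in $detail) {
            if ($line -match 'Weak Host Sends\s*:\s*(\w+)')    { $send = $matches[1] }
            if ($line -match 'Weak Host Receives\s*:\s*(\w+)') { $recv = $matches[1] }
        }
        # Either direction enabled means the interface no longer behaves as a strong host.
        $model = if ($send -eq 'enabled' -or $recv -eq 'enabled') { 'weak' } else { 'strong' }
        New-Object PSObject -Property @{
            Interface       = $name
            WeakHostSend    = $send
            WeakHostReceive = $recv
            Model           = $model
        }
    }
}

# Report, and warn about interfaces that have drifted from the strong host default.
# Run from an elevated prompt if you uncomment the "set" lines; they need admin rights.
$report = Get-HostModel
$report | Format-Table Interface, WeakHostSend, WeakHostReceive, Model -AutoSize

foreach ($i in $report) {
    if ($i.Model -eq 'weak') {
        Write-Warning ("'{0}' accepts or sends locally destined packets on any interface (weak host)." -f $i.Interface)
        # To enforce the default:
        # netsh interface ipv4 set interface "$($i.Interface)" weakhostsend=disabled
        # netsh interface ipv4 set interface "$($i.Interface)" weakhostreceive=disabled
    }
}
```

Run it with -Family ipv6 to audit IPv6 interfaces the same way; the only difference is the netsh context.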
Wireless Networking
In Windows Server 2003 and Windows XP, the software infrastructure that supports
wireless connections was built to emulate an Ethernet connection and can be extended
use Group Policy settings or the new Netsh wireless commands to configure single sign-on profiles on wireless client computers. After a single sign-on profile is configured, 802.1X authentication precedes the computer logon to the domain, and users are prompted for credential information only if needed. This feature ensures that the wireless connection is established before the computer domain logon, which enables scenarios that require network connectivity prior to user logon, such as Group Policy updates, execution of logon scripts, and wireless client domain joins.
• Behavior when no preferred wireless networks are available  In earlier versions of Windows, Windows created a random wireless network name and placed the network adapter in infrastructure mode if no preferred network was available and automatically connecting to nonpreferred networks was disabled. Windows would then scan for preferred wireless networks every 60 seconds. Windows Vista and Windows 7 no longer create a randomly named network; instead, Windows "parks" the wireless network adapter while periodically scanning for networks, preventing a randomly generated wireless network name from matching an existing network name (and from advertising the client to anyone listening).
• Support for hidden wireless networks  Earlier versions of Windows would always connect to preferred wireless networks that broadcast a Service Set Identifier (SSID) before connecting to preferred wireless networks that did not broadcast that identifier, even if the hidden network had a higher priority. Windows Vista and Windows 7 connect to preferred wireless networks based on their priority, regardless of whether they broadcast an SSID.
• WPA2 support  Windows Vista and Windows 7 support Wi-Fi Protected Access 2 (WPA2) authentication options, configurable by either the user (to configure the standard profile) or by AD DS domain administrators using Group Policy settings. Windows Vista and Windows 7 support both Enterprise (IEEE 802.1X authentication) and Personal
that can adapt to changing network conditions has been difficult for developers. Network
Awareness enables applications to sense changes to the network to which the computer is
connected, such as closing a mobile PC at work and then opening it at a coffee shop wireless
hotspot. This enables Windows Vista and Windows 7 to alert applications of network changes.
The application can then behave differently, providing a seamless experience.
For example, Windows Firewall with Advanced Security can take advantage of Network
Awareness to automatically allow incoming traffic from network management tools when the
computer is on the corporate network but block the same traffic when the computer is on a
home network or wireless hotspot. Network Awareness can therefore provide flexibility on
your internal network without sacrificing security when mobile users travel.
Applications can also take advantage of Network Awareness. For example, if a user discon-
nects from a corporate internal network and then connects to his or her home network, an
application could adjust security settings and request that the user establish a VPN connec-
tion to maintain connectivity to an intranet server. New applications can go offline or online
automatically as mobile users move between environments. In addition, software vendors can
integrate their software into the network logon process more easily because Windows Vista
and Windows 7 enable access providers to add custom connections for use during logon.
Network Awareness benefits only applications that take advantage of the new API and
does not require any management or configuration. For Network Awareness to function, the
Network Location Awareness and Network List Service services must be running.
Improved Peer Networking
Windows Peer-to-Peer Networking, originally introduced with the Advanced Networking Pack for Windows XP and later included in Windows XP SP2, is an operating system platform and API in Windows Vista and Windows 7 that allows the development of peer-to-peer (P2P) applications that do not require a server. Windows Vista and Windows 7 include the following enhancements to Windows Peer-to-Peer Networking:
Services Used by Peer-to-Peer Networking
Windows Peer-to-Peer Networking uses the following services, which by default start manually (Windows starts them automatically as required):
• Peer Name Resolution Protocol (PNRP)
• Peer Networking Grouping
• Peer Networking Identity Manager
• PNRP Machine Name Publication Service
If these services are disabled, some P2P and collaborative applications might not function.
Managing Peer-to-Peer Networking
Windows Peer-to-Peer Networking is a set of tools for applications to use, so it provides no capabilities without an application. You can manage Windows Peer-to-Peer Networking using the Netsh tool or by using Group Policy settings:
• Netsh tool  Commands in the Netsh p2p context are used primarily by developers creating P2P applications. Systems administrators should not need to troubleshoot or manage Windows Peer-to-Peer Networking directly, so that aspect of the Netsh tool is not discussed further here.
• Group Policy settings  You can configure or completely disable Windows Peer-to-Peer Networking by using the Group Policy settings in Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services. You should need to modify the configuration only if an application has specific, nondefault requirements.
HOW IT WORKS
Peer-to-Peer Name Resolution
forwarding it. When the response is sent back through the return path, its contents
are also used to populate node caches. This name resolution mechanism allows
clients to identify each other without a server infrastructure.
EAPHost Architecture
For easier development of EAP authentication methods for IEEE 802.1X-authenticated wireless connections, Windows Vista and Windows 7 support a new EAP architecture called EAPHost. EAPHost provides the following features that are not supported by the EAP implementation in earlier versions of Windows:
• Network Discovery  EAPHost supports Network Discovery as defined in the "Identity selection hints for Extensible Authentication Protocol (EAP)" Internet draft.
• RFC 3748 compliance  EAPHost conforms to the EAP state machine and addresses the security considerations specified in RFC 3748. In addition, EAPHost supports additional capabilities such as Expanded EAP Types (including vendor-specific EAP methods).
• EAP method coexistence  EAPHost allows multiple implementations of the same EAP method to coexist simultaneously. For example, the Microsoft version of Protected EAP (PEAP) and the Cisco Systems, Inc. version of PEAP can both be installed and selected.
• Modular supplicant architecture  In addition to supporting modular EAP methods, EAPHost also supports a modular supplicant architecture in which new supplicants can be added easily without having to replace the entire EAP implementation.
For EAP method vendors, EAPHost provides support for EAP methods already developed
for Windows Server 2003 and Windows XP, as well as an easier method of developing new
EAP methods. Certified EAP methods can be distributed with Windows Update. EAPHost also
LSP installations.
• A new installation API (WSCInstallProviderAndChains) provides simpler, more reliable LSP installations.
• New facilities categorize LSPs and allow critical system services to bypass LSPs. This can improve reliability when working with flawed LSPs.
• A diagnostics module for the Network Diagnostics Framework allows users to selectively remove LSPs that are causing problems.
Windows Sockets Direct Path for System Area Networks
Windows Sockets Direct (WSD) enables Winsock applications that use TCP/IP to obtain the
performance benefits of system area networks (SANs) without application modifications.
SANs are a type of high-performance network often used for computer clusters.
WSD allows communications across a SAN to bypass the TCP/IP protocol stack, taking
advantage of the reliable, direct communications provided by a SAN. In Windows Vista and
Windows 7, this is implemented by adding a virtual switch between Winsock and the TCP/IP
stack. This switch has the ability to examine traffic and pass communications to a SAN
Winsock provider, bypassing TCP/IP entirely. Figure 25-13 illustrates this architecture.
[Figure 25-13: Windows Sockets Direct architecture. User mode: Application, Winsock, Switch, SAN Winsock provider. Kernel mode: SAN NDIS miniport, SAN network adapter.]
any number of computers running Windows in your organization to connect to your
internal wireless networks.
• From the command line or by using scripts  Using the Netsh tool and commands in the netsh wlan context, you can export existing wireless network profiles, import them into other computers, connect to available wireless networks, or disconnect from a wireless network.
After a wireless network is configured, the Wireless Single Sign-On feature executes 802.1X
authentication at the appropriate time based on the network security configuration, while
simply and seamlessly integrating with the user’s Windows logon experience. The following
sections describe each of these configuration techniques.
Configuring Wireless Settings Manually
Windows 7 makes it very easy to connect to a wireless network using the enhanced View
Available Networks (VAN) feature included in the platform. For example, to configure a
wireless network that is currently available, follow these steps:
1. Click the networking icon in the notification area.

note  The WLAN AutoConfig service must be started for wireless networks to be available. This service by default is set to start automatically.

2. Click the network to which you want to connect and then click Connect, as shown in Figure 25-14.

FIGURE 25-14  Connecting to an available wireless network from the View Available Networks list.
mand (where Dist_Name_of_AD_Domain is the distinguished name of the AD DS domain whose schema is being modified; an example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com AD DS domain).

ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain

4. Restart the domain controller.
After you extend the schema, you can configure a wireless network policy by following these steps:
1. Open the Active Directory GPO in the Group Policy Object Editor.
2. Expand Computer Configuration, Windows Settings, Security Settings, and then click Wireless Network (IEEE 802.11) Policies.
3. Right-click Wireless Network (IEEE 802.11) Policies and then click Create A New Windows Vista Policy. The Wireless Network Properties dialog box appears.
4. To add an infrastructure network, click Add and then click Infrastructure to open the Connection tab of the New Profile Properties dialog box. In the Network Names list, click NEWSSID and then click Remove. Then, type a valid internal SSID in the Network Names box and click Add. Repeat this to configure multiple SSIDs for a single profile. If the network is hidden, select the Connect Even If The Network Is Not Broadcasting check box.
5. On the New Profile Properties dialog box, click the Security tab. Use this tab to configure the wireless network authentication and encryption settings. Click OK.
a network. If you have previously connected to a network, the computer will have a profile for that network saved. If a computer has never connected to a wireless network, you need to save a profile before you can use Netsh to connect to it. You can save a profile from one computer to an Extensible Markup Language (XML) file and then distribute the XML file to other computers in your network. To save a profile, run the following command after manually connecting to a network.

Netsh wlan export profile name="SSID"
Interface profile "SSID" is saved in file ".\Wireless Network Connection-SSID.xml" successfully.

By default, the exported file stores a WPA or WPA2 Personal pre-shared key in protected form that can be decrypted only on the computer that exported it, so the profile will not connect after import on another computer. Adding key=clear to the export command writes the key in plaintext so that the file can be distributed. Treat such a file as a credential: keep it on an access-controlled share and delete it from client computers after import.

Before you can connect to a new wireless network, you must load a profile from a file. The following example demonstrates how to add a wireless profile from an XML file, from a script or the command line.

Netsh wlan add profile filename="C:\profiles\contoso1.xml"
Profile contoso1 is added on interface Wireless Network Connection

To connect to a wireless network quickly, use the netsh wlan connect command and specify a wireless profile name (which must be configured or added previously). The following examples demonstrate different but equivalent syntaxes for connecting to a wireless network with the Contoso1 SSID.

Netsh wlan connect Contoso1
Connection request is received successfully
Netsh wlan connect Contoso1 interface="Wireless Network Connection"
Connection request is received successfully

Note that you need to specify the interface name only if you have multiple wireless network adapters, an uncommon situation. You can use the following command to disconnect from all wireless networks.

Netsh wlan disconnect
Disconnection request is received successfully
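The following PowerShell script is an added example, not code from the Resource Kit. It uses netsh wlan export profile to dump every saved profile on the computer, then reads the documented WLANProfile XML (namespace http://www.microsoft.com/networking/WLAN/profile/v1) to flag profiles with open, WEP, WPA (version 1) or TKIP settings, hidden-SSID profiles, and files that carry a plaintext pre-shared key. The function names Export-WlanProfiles and Test-WlanProfileSecurity and the temporary folder are this example's own choices.

```powershell
# Added example, not from the Resource Kit: audit saved wireless profiles by
# exporting them with netsh and inspecting the WLANProfile XML. Written for
# PowerShell 2.0 (Windows 7). Assumes the documented profile schema namespace.

function Export-WlanProfiles {
    param(
        [string]$Folder,
        [switch]$IncludeKey   # key=clear writes the PSK in plaintext into each XML file
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    if ($IncludeKey) {
        netsh wlan export profile folder="$Folder" key=clear | Out-Null
    } else {
        netsh wlan export profile folder="$Folder" | Out-Null
    }
    Get-ChildItem -Path $Folder -Filter '*.xml'
}

function Test-WlanProfileSecurity {
    param([string]$Path)

    [xml]$doc = Get-Content -Path $Path
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')

    $name = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $auth = $doc.SelectSingleNode('//w:authEncryption/w:authentication', $ns).InnerText
    $enc  = $doc.SelectSingleNode('//w:authEncryption/w:encryption', $ns).InnerText
    $hidden       = $doc.SelectSingleNode('/w:WLANProfile/w:SSIDConfig/w:nonBroadcast', $ns)
    $keyMaterial  = $doc.SelectSingleNode('//w:sharedKey/w:keyMaterial', $ns)
    $keyProtected = $doc.SelectSingleNode('//w:sharedKey/w:protected', $ns)

    $issues = @()
    # Authentication values: open, shared, WPA, WPAPSK, WPA2, WPA2PSK.
    # Encryption values: none, WEP, TKIP, AES.
    if (@('open', 'shared') -contains $auth) { $issues += "no WPA authentication ($auth)" }
    if ($auth -eq 'WPA' -or $auth -eq 'WPAPSK') { $issues += 'WPA version 1; prefer WPA2' }
    if ($enc -eq 'WEP' -or $enc -eq 'none')    { $issues += "encryption is $enc" }
    if ($enc -eq 'TKIP')                       { $issues += 'TKIP is deprecated; prefer AES' }
    if ($keyMaterial -and $keyProtected -and $keyProtected.InnerText -eq 'false') {
        $issues += 'pre-shared key stored in plaintext in this file'
    }
    if ($hidden -and $hidden.InnerText -eq 'true') {
        $issues += 'hidden SSID: the client probes for it on every network it visits'
    }

    New-Object PSObject -Property @{
        Name           = $name
        Authentication = $auth
        Encryption     = $enc
        Issues         = ($issues -join '; ')
    }
}

# Usage: export without keys (the default), review, then remove the exported files.
$folder = Join-Path $env:TEMP 'wlan-profile-audit'
$files = @(Export-WlanProfiles -Folder $folder)
$files | ForEach-Object { Test-WlanProfileSecurity -Path $_.FullName } |
    Format-Table Name, Authentication, Encryption, Issues -AutoSize
Remove-Item -Path $folder -Recurse -Force
```

Run the audit without -IncludeKey; the plaintext-key check then only fires on files that someone else exported with key=clear and imported, which is exactly the case worth finding.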
\WLAN-AutoConfig event log. You can also use this log to determine the wireless
networks to which a client is connected, which might be useful when identifying the
source of a security compromise. For more information, see Chapter 31.
How to Configure TCP/IP
You can use several different techniques to configure TCP/IP. Most environments use DHCP
to provide basic settings. Alternatively, you can configure TCP/IP settings manually using
graphical tools. Finally, some settings are configured most easily using scripts that call
command-line tools such as Netsh. You can use logon scripts to automate command-line
configuration. The following sections describe each of these configuration techniques.
note
For wireless networks, you will need to first connect the wireless adapter to the
wireless network and then configure the TCP/IP settings. However, wireless networks
almost always have a DHCP server available.
DHCP
Almost all client computers should be configured using DHCP. With DHCP, you configure
a DHCP server (such as a computer running Windows Server 2003) to provide IP addresses
and network configuration settings to client computers when they start up. Windows 7 and
all recent Windows operating systems are configured to use DHCP by default, so you can
configure network settings by simply setting up a DHCP server and connecting a computer to
the network.
As the number of mobile computers, traveling users, and wireless networks has increased,
so has the importance of DHCP. Because computers may have to connect to several differ-
ent networks, manually configuring network settings would require users to make changes
each time they connected to a network. With DHCP, the DHCP server on the local network
provides the correct settings when the client connects.
Some of the configuration settings you can configure with DHCP include the following:
n
has been leased to the client for a specific amount of time. The client can now begin
using the IP address settings.
In addition, client computers will attempt to renew their IP addresses after half the DHCP
lease time has expired. By default, computers running Windows Server 2003 have a lease time
of eight days. Therefore, client computers running Windows attempt to renew their DHCP
settings after four days and will retrieve updated settings if you have made any changes to
the DHCP server.
Because client computers retrieve new DHCP settings each time they start up, connect to
a new network, or a DHCP lease expires, you have the opportunity to change configuration
settings with only a few days’ notice. Therefore, if you need to replace a DNS server and you
want to use a new IP address, you can add the new address to your DHCP server settings, wait
eight days for client computers to renew their DHCP leases and acquire the new settings,
and then have a high level of confidence that client computers will have the new server’s IP
address before shutting down the old DNS server.
If a client computer does not receive a DHCP address and an alternate IP address configuration has not been manually configured, Windows client computers automatically configure themselves with a randomly selected Automatic Private IP Addressing (APIPA) address in the link-local range 169.254.0.0/16 (subnet mask 255.255.0.0). If more than one computer running Windows on the same network segment has an APIPA address, the computers will be able to communicate with each other. However, APIPA provides no default gateway, so client computers will not be able to connect to the Internet, to other networks, or to computers with non-APIPA addresses. For information about IPv6, refer to Chapter 28.
You can use the following techniques to determine whether a client has been assigned an IP address and to troubleshoot DHCP-related problems:
• IPConfig  From a command line, run IPConfig /all to view the current IP configuration. If the client has a DHCP-assigned IP address, the DHCP Enabled property will be set to Yes, and the DHCP Server property will have an IP address assigned, as the following example demonstrates.
If you are troubleshooting a client connectivity problem and notice that the IP address begins with 169.254, the DHCP server was not available when the client computer started. Verify that the DHCP server is available and the client computer is properly connected to the network. Then, issue the ipconfig /release and ipconfig /renew commands to acquire a new IP address. For more information about troubleshooting network connections, see Chapter 31.
• Network And Sharing Center  In Network And Sharing Center, click the name of the connection (such as Local Area Connection) to open the connection status. Then, click Details to open the Network Connection Details dialog box, as shown in Figure 25-15. This dialog box provides similar information to that displayed by the IPConfig /all command.
FIGURE 25-15
The Network Connection Details dialog box provides graphical access to IP
configuration settings.
• Event Viewer  Open Event Viewer and browse the Windows Logs\System event log. Look for events with a source of Dhcp-Client for IPv4 addresses or DHCPv6-Client for IPv6 addresses. Although this technique is not useful for determining the active configuration, it can reveal problems that occurred in the past.
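The following PowerShell script is an added example, not code from the Resource Kit. It combines the three checks above: it finds adapters that are set to use DHCP but hold a 169.254.0.0/16 APIPA address, and pulls the recent DHCP client events from the System log so the failure can be placed in time. It assumes the event provider names Microsoft-Windows-Dhcp-Client and Microsoft-Windows-DHCPv6-Client (displayed as Dhcp-Client and DHCPv6-Client in the Event Viewer Source column); the function names are this example's own.

```powershell
# Added example, not from the Resource Kit: detect DHCP-enabled adapters that fell
# back to APIPA and list recent DHCP client events. Written for PowerShell 2.0
# (Windows 7). Assumes the provider names Microsoft-Windows-Dhcp-Client and
# Microsoft-Windows-DHCPv6-Client for the System log events.

function Get-ApipaAdapters {
    # Win32_NetworkAdapterConfiguration exposes the same data as ipconfig /all.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $apipa = @($_.IPAddress | Where-Object { $_ -like '169.254.*' })
            if ($_.DHCPEnabled -and $apipa.Count -gt 0) {
                New-Object PSObject -Property @{
                    Adapter    = $_.Description
                    Index      = $_.InterfaceIndex
                    Addresses  = ($apipa -join ', ')
                    DhcpServer = $_.DHCPServer     # empty when no lease was ever obtained
                }
            }
        }
}

function Get-DhcpClientEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Dhcp-Client', 'Microsoft-Windows-DHCPv6-Client'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

$bad = @(Get-ApipaAdapters)
if ($bad.Count -eq 0) {
    'No DHCP-enabled adapter is using an APIPA address.'
} else {
    $bad | Format-Table Adapter, Addresses, DhcpServer -AutoSize
    Get-DhcpClientEvents | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
    # Once the DHCP server is confirmed reachable, renew the lease:
    #   ipconfig /release
    #   ipconfig /renew
}
```

The event listing is the part worth keeping around: a host that repeatedly logs lease failures at the same time of day points at a DHCP server or relay problem rather than a client one.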
Configuring IP Addresses Manually
The alternative to using DHCP is to configure IP address settings manually. However, because
of the time required to configure settings, the likelihood of making a configuration error, and
the challenge of connecting new computers to a network, manually configuring IP addresses
is rarely the best choice for client computers.
To configure an IPv4 address manually, follow these steps:
1. Right-click the network adapter and then click Properties.
4. In the Properties dialog box, click Internet Protocol Version 6 (TCP/IPv6) and then click Properties.
5. Click Use The Following IPv6 Address and configure the computer's IP address, subnet prefix length, default gateway, and DNS servers. TCP/IPv6 does not support an alternate configuration, as TCP/IPv4 does.
6. Click OK twice. The configuration changes will take effect immediately, without requiring you to restart the computer.
You can prevent users from accessing these graphical tools. Most important settings require administrative credentials, so simply not giving users local administrator access to their computers will prevent them from making most important changes. You can also use the Group Policy settings located in User Configuration\Policies\Administrative Templates\Network\Network Connections to restrict the user interface further, but hiding the dialog boxes is not a security boundary: it will not necessarily prevent a user from using other tools, such as Netsh, to make the same changes if their account has the rights to do so.
Command Line and Scripts
You can also configure network settings from the command line or from a script using the
Netsh tool and commands in the Netsh interface ipv4 or Netsh interface ipv6 contexts. For
example, to configure the standard network interface to use DHCP and to use the DNS
servers provided by DHCP, you could issue the following commands.
Netsh interface ipv4 set address "Local Area Connection" dhcp
Netsh interface ipv4 set dnsserver "Local Area Connection" dhcp
note
Windows XP also included the Netsh tool. However, the Windows XP version of
Netsh uses different commands. For example, you would use Netsh interface ip set dns to
from a command prompt.
Netsh ?
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 25 Configuring Windows Networking
1222
DIRECT FROM THE SOURCE
Automate Network Interface Card Configuration Using Netsh
Don Baker, Premier Field Engineer
Windows Platform
During the years I worked as a consultant, it was not uncommon to connect my laptop to several different networks in the same day. In some cases, they were DHCP-enabled, so connection was easy. For others, I would have to configure the network adapter manually. Ugh!
Enter the Netsh commands. You can use the Netsh command to modify the network
configuration on computers running Windows 2000 and later versions. It’s not the
friendliest syntax to use, but it is a real time-saver once you learn to use it. The fol-
lowing sample scripts use Netsh to set STATIC IP entries on an adapter and to set
the adapter back to DHCP mode so the settings can be obtained automatically. To
use the code, type it into a batch file, modify "name=" to the name of the adapter in
quotation marks, and change the IP addresses.
Static IP

netsh interface ipv4 set address name="Wireless Network Connection" source=static addr=192.168.0.100 mask=255.255.255.0 gateway=192.168.0.250 gwmetric=0
netsh interface ipv4 set dnsserver name="Wireless Network Connection" source=static addr=192.168.0.2 register=NONE
REM netsh interface ipv4 set wins name="Wireless Network Connection" source=static addr=10.217.27.9
REM OR if no WINS server