NLA Default Location

How to set the default location for NLA.

Problem:

Users do not have Internet access after connecting to wireless networks. Network Location Awareness (NLA) appears to hang on "Identifying network".

Additionally, defining the default location is important because it directly impacts firewall rules. It’s not prudent policy to open client ports on an untrusted hotspot.

Solution:

Use Group Policy to pre-define the default network location for unidentified AND identifying networks.
GPO: Computer Configuration → Policies → Windows Settings → Security Settings → Network List Manager Policies → (a) Unidentified Networks and (b) Identifying Networks.


Choose either the Private or Public network location for each:

Network Name: Private
  • Outbound:  Most outbound traffic permitted.
  • Inbound:  Unsolicited SMB permitted (e.g., file and print sharing).

Network Name: Public
  • Outbound:  Most outbound traffic permitted.  No SMB traffic permitted.
  • Inbound:  No unsolicited traffic permitted.

N.B., Err on the side of caution.  Consider: do we really want unidentified networks to permit unsolicited traffic?  The Private network location invites common SMB relay and replay attacks that steal credentials.  Further adjust client firewall rules to align with your organization’s security policies.
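The GPO above sets the default for networks the machine has not yet classified. As an added example (not part of the original post), the following PowerShell script verifies the effective location on a single endpoint, moves any non-domain network that landed on Private back to Public, and lists the inbound Allow rules on the Private profile that expose SMB (TCP 445). It assumes Windows 8 / Server 2012 or later (the NetConnection and NetSecurity cmdlets) and an elevated session; the per-machine Set-NetConnectionProfile call is a local override, not a replacement for the policy.

```powershell
# Added example (not from the original post): audit the effective network
# location and the Private profile's inbound rules on a Windows endpoint.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

# 1. Show which location each connected network has been assigned.
#    DomainAuthenticated networks are left alone; anything else on Private
#    is a candidate for tightening.
$profiles = Get-NetConnectionProfile
$profiles |
    Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. Force non-domain networks that landed on Private back to Public.
#    This mirrors the GPO default for one machine and remediates a laptop
#    that is already sitting on an untrusted hotspot.
$profiles |
    Where-Object { $_.NetworkCategory -eq 'Private' } |
    ForEach-Object {
        Write-Host "Switching '$($_.Name)' ($($_.InterfaceAlias)) from Private to Public"
        Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
    }

# 3. Confirm the Public firewall profile is enabled and blocks unsolicited inbound.
Get-NetFirewallProfile -Name Public |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 4. List enabled inbound Allow rules that apply to the Private profile and
#    open SMB (TCP 445) or all ports. These rules are what make the Private
#    location risky on a network you do not control.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Private|Any' } |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and
            ($port.LocalPort -contains '445' -or $port.LocalPort -eq 'Any')) {
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Profile     = $rule.Profile
                LocalPort   = ($port.LocalPort -join ',')
            }
        }
    } |
    Format-Table -AutoSize
```

Run step 1 and step 4 first in read-only mode if you only want an audit; step 2 is the only line that changes state. The SMB listing is the practical check behind the N.B. above: on a managed domain network those rules are expected, on an unidentified hotspot they should not be reachable.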

That’s It!

2 Comments

  1. If the firewall is already active, does the default location really matter?

    Replies
    1. Network locations are confusing. When Windows detects a new network it requests its location: Public or Private. Setting the default location takes the guesswork out of this decision. It ensures that the public firewall is always enforced on untrusted networks.

      Consider what happens if someone accidentally chooses the private location instead. The private firewall uses permissive rules that open vulnerable ports. In a nutshell, the private firewall permits malicious traffic that can interact with the system.
