Network Location Awareness
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Windows Vista® and later versions of Windows support network location awareness, which enables network-interacting programs to change their behavior based on how the computer is connected to the network. In the case of Windows Firewall with Advanced Security, you can create rules that apply only when the profile associated with a specific network location type is active on your computer.
How Network Location Awareness works
The following diagram shows the network location types that can be detected by Windows.
Computers that are running Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 detect the following network location types:
Public. By default, the public network location type is assigned to any new networks when they are first connected. A public network is considered to be shared with the world, with no protection between the local computer and any other computer. Therefore, the firewall rules associated with the public profile are the most restrictive.
Private. The private network location type can be manually selected by a local administrator for a connection to a network that is not directly accessible by the public. This connection can be to a home or office network that is isolated from publicly accessible networks by using a firewall device or a device that performs network address translation (NAT). Wireless networks assigned the private network location type should be protected by using an encryption protocol such as Wi-Fi Protected Access (WPA) or WPAv2. A network is never automatically assigned the private network location type; it must be assigned by the administrator. Windows remembers the network, and the next time that you connect to it, Windows automatically assigns the network the private network location type again. Because of the higher level of protection and isolation from the Internet, private profile firewall rules typically allow more network activity than the public profile rule set.
Domain. The domain network location type is detected when the local computer is a member of an Active Directory domain, and the local computer can authenticate to a domain controller for that domain through one of its network connections. An administrator cannot manually assign this network location type. Because of the higher level of security and isolation from the Internet, domain profile firewall rules typically permit more network activity than either the private or public profile rule sets. On a computer that is running Windows 7 or Windows Server 2008 R2, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter. On computers that are running Windows Vista or Windows Server 2008, then the Domain network location type is applied only when a domain controller can be detected on the networks attached to every network adapter.
Windows Firewall with Advanced Security stores its setting and rules in profiles, and supports one profile for each network location type. The profiles associated with the currently detected network location types are the ones that are applied to the computer. If the network location type assigned to a network changes then the rules in the profile associated with the new network location type automatically apply.
When you have multiple network adapters attached to your computer, you can be attached to networks of different types. Computers that are running Windows 7 and Windows Server 2008 R2 support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network.
Computers that are running Windows Vista, Windows Server 2008, Windows XP, and Windows Server 2003 support only one active network location type at a time. Windows automatically selects the network location type for the least secure network so that it can apply the profile that provides the maximum amount of protection. For example, if a computer has two active connections, one to a public network and one to a private network, Windows selects the public network type and applies it to all network adapters on the computer to enable the more rigorous security rules in its profile to protect the computer.
If the computer is also a DirectAccess client, then the computer also verifies whether it can connect to a DirectAccess network location server as part of the detection process for the domain profile. DirectAccess provides transparent access to an organization intranet from the Internet. A network location server is a Web server that is only available to DirectAccess clients that are directly attached to the organization’s internal network. Because internal domain controllers are always available to Internet-connected DirectAccess clients over the DirectAccess connection, an additional check for the network location server is needed to distinguish external Internet-connected DirectAccess clients from internally-connected DirectAccess clients. This means that for a DirectAccess client, the domain profile is assigned only when a domain controller is reachable and the network location server URL is also reachable. Both conditions are true only when the client is connected to the internal network. DirectAccess runs on computers that are running Windows 7 Enterprise Edition or Ultimate Edition, or Windows Server 2008 R2 only.
The Windows Firewall that is available in Windows XP and Windows Server 2003 support a domain profile that is identical in concept to the one described previously. However, instead of supporting both a private and public profile, these earlier versions of Windows support only a 'standard' profile. So if you create rules by using the Windows Firewall node in the Administrative Templates section of the Group Policy editor then you can only specify that they apply to the domain and standard profiles. If you specify the standard profile and then apply these rules to a computer that is running Windows Vista or later version of Windows, then the rules apply when the computer’s network location profile is set to either private or public. The rules in the domain profile still apply only when the computer’s network location profile is set to domain.
For more information about network location awareness and its use in Windows Firewall with Advanced Security, see the section "Network location-aware host firewall" in Getting Started with Windows Firewall with Advanced Security at http://go.microsoft.com/fwlink/?linkid=64343.
Next topic: Host Firewall