Network Location Awareness (NLA)

Many times I have tried to find a way to change the network location in Server 2008. On Windows 7 computers, you are asked for the network type the first time you connect. Server 2008 decides this by an automatic calculation.

If you connect a crossover cable from one server to another, for example when configuring a cluster, the network is automatically configured as public. This means the firewall blocks almost all incoming traffic by default.

I found further information in the TechNet basics about NLA and the following TechNet forum post about this issue:


By default, Windows Server 2008 and Windows Server 2008 R2 use the Network Location Awareness service (nlasvc) to identify networks and find the associated saved settings for the network; the NLA service will use a Default Gateway or SSID to identify a network. This identification is conducted by the system automatically due to security considerations. We cannot change the network profile manually. Otherwise, the server will be unsafe if a local administrator right is leaked, even if we have domain group policy to define firewall settings in the public profile. A hacker can change a public profile to a domain profile to allow unwanted traffic.

In Windows 7 and Windows Server 2008 R2, more than one profile can be active at the same time according to which networks the computer is connected to. As a result, if the server cannot contact the domain via the public NIC, it will not be identified as connected to the domain network.

Also good to know: there is a Group Policy about NLA, but it is only valid for clients (if I understood correctly).

…group policy to allow the editing of locations (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Network List Manager Policies, All networks, network location -> User can change location)

I found further tricks in Kurt Roggen's blog:

Because you will be connecting to many different networks, Windows stores network profiles of each network using the network’s DNS suffix and gateway MAC address. These are stored in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures as Managed (domain) and Unmanaged (non-domain) networks.
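To see what NLA has actually stored on a server, the two registry keys named above can be read and joined. The following is an added example, not code from the original post or from the quoted sources. It assumes the value names Windows keeps under these keys (ProfileName, Category, ProfileGuid, DnsSuffix, DefaultGatewayMac) and the Category mapping 0 = Public, 1 = Private, 2 = Domain; the Review flag is a heuristic of this example. It only reads the registry.

```powershell
# Added example: read-only audit of stored NLA network profiles (PowerShell 2.0+).
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
# Category is a REG_DWORD on each profile key: 0 = Public, 1 = Private, 2 = Domain.
$categoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

# Index every signature by the profile GUID it points to.
# If several signatures reference one profile, the last one read wins.
$signatures = @{}
foreach ($kind in 'Managed', 'Unmanaged') {
    $path = Join-Path $base "Signatures\$kind"
    if (-not (Test-Path $path)) { continue }
    foreach ($key in Get-ChildItem $path) {
        $sig = Get-ItemProperty $key.PSPath
        if (-not $sig.ProfileGuid) { continue }
        $mac = ''
        if ($sig.DefaultGatewayMac) {
            # REG_BINARY is returned as byte[]; render it like a MAC address.
            $mac = ($sig.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join '-'
        }
        $signatures[$sig.ProfileGuid] = New-Object PSObject -Property @{
            Kind = $kind; DnsSuffix = $sig.DnsSuffix; GatewayMac = $mac
        }
    }
}

# Join each stored profile with its signature and report the category.
$report = foreach ($key in Get-ChildItem (Join-Path $base 'Profiles')) {
    $p   = Get-ItemProperty $key.PSPath
    $sig = $signatures[$key.PSChildName]
    $cat = $categoryNames[[int]$p.Category]
    $sigKind = 'none'
    if ($sig) { $sigKind = $sig.Kind }
    # Heuristic (assumption of this example): a profile categorised as Domain
    # whose signature is not stored under Managed deserves a closer look.
    $review = ($cat -eq 'Domain' -and $sigKind -ne 'Managed')
    New-Object PSObject -Property @{
        ProfileName = $p.ProfileName; Category = $cat; Signature = $sigKind
        DnsSuffix = $sig.DnsSuffix; GatewayMac = $sig.GatewayMac; Review = $review
    }
}

$report | Select-Object ProfileName, Category, Signature, DnsSuffix, GatewayMac, Review |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. A crossover link with no default gateway typically shows up as an unidentified network with the Public category, which matches the firewall behaviour described above.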


