
I have a domain joined Windows Server 2012 R2 box that has the OpenVPN 2.3.13 client software installed on it. When the VPN connection is active the "Ethernet 2" (TAP interface) connection is placed into the Domain Network category alongside the main LAN NIC by NLA. Ideally I want to be able to assign the VPN interface to the Public category. I've tried via PowerShell, but get this error constantly:

Unable to set the NetworkCategory due to one of the following possible reasons: not running PowerShell elevated; the NetworkCategory cannot be changed from 'DomainAuthenticated'; user initiated changes to NetworkCategory are being prevented due to the Group Policy setting 'Network List Manager Policies'.
At line:1 char:1
+ Set-NetConnectionProfile -InterfaceIndex 15 -NetworkCategory Public
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_NetConnect...72AADA665483}"):root/StandardCi...nnectionProfile) [Set-NetConnectionProfile], CimException
    + FullyQualifiedErrorId : MI RESULT 2,Set-NetConnectionProfile

15 is the interface number of "Ethernet 2"

It's worth noting that I am running this command in an elevated PowerShell session and I have tried all the available GPO policies, but the error is constantly thrown. Most information about NLA suggests switching between Private and Public should work, but DomainAuthenticated seems a little bit different.

The registry method doesn't have an actual profile for Ethernet 2, so it can't be changed that way either.

Is there any way to force the TAP adapter to be Public? The OpenVPN connection itself does not override the default gateway of the main NIC and uses the 10.0.0.0/8 subnet. The fact that I use route-nopull and override the routes might be part of the problem with the way NLA detects the networks.

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix  . :
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%xx
IPv4 Address. . . . . . . . . . . : 10.xx.xx.xx
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

The main reason for needing to assign the Public profile is for firewall rules. I am having trouble preventing certain applications from only using the VPN interface; being able to write network-profile-based firewall rules seems to work best in this case. I've tried writing rules based on the local IP address, but this didn't work.

James White

  • `user initiated changes to NetworkCategory are being prevented due to the Group Policy setting 'Network List Manager Policies'` - This would seem to imply that user initiated changes are prevented via Group Policy. In order to allow user initiated changes, the GPO needs to be configured to allow that. Have you located the domain GP where this is configured? – joeqwerty Nov 12 '16 at 17:52
  • @joeqwerty I've looked into the GPO locally and via domain at Computer Configuration / Windows Settings / Security Settings / Network List Manager Policies; none of the settings allow the change. – James White Nov 12 '16 at 22:59
  • It sounds like your elevated account is missing the right to change the NetworkCategory. You may need to add this, or remove/relax a restriction on it. https://technet.microsoft.com/en-us/library/jj966256(v=ws.11).aspx. But it sounds like you can only set the user permission objects for 'unidentified' networks. – Jeter-work Nov 16 '16 at 23:54
  • Also, `When the VPN connection is active the "Ethernet 2" (TAP interface) connection is placed into the Domain Network category alongside the main LAN NIC by NLA.` Isn't this the whole point of VPN? If you wish to increase the security for VPN users, set their settings higher in the `DomainAuthenticated` category, and even higher in `Public`. – Jeter-work Nov 16 '16 at 23:59
  • I've tried modifying that GPO; it still doesn't allow the change, both locally and via domain policy and after running `gpupdate /force`. I can't get round that error no matter what settings I change. – James White Nov 17 '16 at 08:47
  • Why don't you just add executable-based firewall rules? – Lenniey Nov 17 '16 at 15:27
  • @Lenniey I can, but I wanted to use Network Profiles in addition to scope- and program-based rules, i.e. domain and public; it's easier to control that way. Using IP scope alone won't work currently based on the subnets; I need one NLA profile to be different. It's interesting because I had the OpenVPN client set up on another domain-connected machine before and it assigned it as Public straight away. – James White Nov 19 '16 at 10:42
  • @Pandorica Try not setting a default gateway on your OpenVPN adapter. It should become public. After that set a gateway and see what happens. – Lenniey Nov 21 '16 at 08:26
  • @Lenniey, by default the VPN interface does not get a default gateway value set. I've updated the original post. – James White Nov 21 '16 at 10:22
  • Could you please try using get-ciminstance and see if that sticks? Code to get it is here: – Tim Haintz Nov 22 '16 at 12:48
  • `get-ciminstance -Namespace root/StandardCimv2 -ClassName MSFT_NetConnectionProfile -Filter "interfacealias='Ethernet 2'"` – Tim Haintz Nov 22 '16 at 12:49
  • You may need to leave -Filter off to see what your actual 'interfacealias' name is. From there, you should be able to pipe (`|`) to `set-ciminstance -property @{NetworkCategory="Public"}` – Tim Haintz Nov 22 '16 at 12:52
  • In the information above the Connection-specific DNS Suffix is empty; is it really empty or have you removed it to hide it? – Drifter104 Nov 22 '16 at 13:43
  • @Drifter104 Not obfuscated by myself, it is empty. – James White Nov 22 '16 at 18:36
  • Add a random, non-existent one in via the DNS tab on the connection properties. This should leave it in a private/public state. – Drifter104 Nov 22 '16 at 22:57
  • @Drifter104 Tried that and disabled and enabled the connection; it hasn't changed the profile. – James White Nov 23 '16 at 12:53
  • Strange. Basically, domain authenticated is determined using a registry key. If the value in the registry matches the value in the connection and an AD server is found for the same name, you get that profile. Changing the registry key would do it, but it is a single key, not per connection. So I thought changing the connection suffix would suffice. Did you also restart the NLA service after changing the suffix? – Drifter104 Nov 23 '16 at 13:02
  • @Drifter104 I did, no change sadly. – James White Nov 23 '16 at 16:30
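The question's end goal is to confine particular programs to the TAP adapter, and the comments point at program-based rules as the alternative to profile-based ones. The following is an added example, not code from the question or any commenter, showing how program-based rules can be scoped to interfaces so a program can only egress through the TAP adapter regardless of which NLA profile it lands in. The program path `C:\Apps\vpnonly.exe` and the LAN adapter alias `Ethernet` are assumptions; `Ethernet 2` is the TAP alias from the question.

```powershell
# Added example (not from the original post): confine one program to the
# OpenVPN TAP adapter using interface-scoped Windows Firewall rules.
# Run from an elevated PowerShell session on the Server 2012 R2 box.
$Program  = 'C:\Apps\vpnonly.exe'   # assumed path of the program to confine
$VpnAlias = 'Ethernet 2'            # TAP adapter alias from the question

# Windows Firewall evaluates block rules ahead of allow rules, so "allow only
# via the VPN" has to be expressed as "block on every interface that is NOT
# the VPN". Enumerate those interfaces rather than hard-coding 'Ethernet'.
$others = Get-NetAdapter |
    Where-Object { $_.Name -ne $VpnAlias } |
    Select-Object -ExpandProperty Name

if (-not $others) { throw "No non-VPN adapters found; nothing to block." }

# Outbound: the program may not send on any non-VPN interface, in any profile.
New-NetFirewallRule -DisplayName 'vpnonly.exe: block off-VPN egress' `
    -Direction Outbound -Action Block -Program $Program `
    -InterfaceAlias $others -Profile Any -Enabled True | Out-Null

# Inbound: same program, same interfaces, so replies cannot arrive off-VPN either.
New-NetFirewallRule -DisplayName 'vpnonly.exe: block off-VPN ingress' `
    -Direction Inbound -Action Block -Program $Program `
    -InterfaceAlias $others -Profile Any -Enabled True | Out-Null

# Verify the interface scope actually landed on the rule.
Get-NetFirewallRule -DisplayName 'vpnonly.exe: block off-VPN egress' |
    Get-NetFirewallInterfaceFilter |
    Select-Object -ExpandProperty InterfaceAlias

# Show which profile each adapter currently sits in, for comparison with the
# question's symptom (both adapters DomainAuthenticated).
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
```

Two caveats: the interface list is captured at rule-creation time, so an adapter added later (a new Wi-Fi or virtual NIC) is not covered until the rules are regenerated, and if the TAP adapter is ever renamed the `$VpnAlias` filter no longer matches it. The rules are also applied with `-Profile Any` precisely because the question shows the TAP adapter being classified as DomainAuthenticated; they do not depend on NLA getting the profile right.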

3 Answers


The below will use WMI/CIM.

# NetworkCategory is numeric in MSFT_NetConnectionProfile: 0 = Public, 1 = Private, 2 = DomainAuthenticated
get-ciminstance -Namespace root/StandardCimv2 -ClassName MSFT_NetConnectionProfile -Filter "interfacealias='Ethernet 2'" | set-ciminstance -property @{NetworkCategory="0"}
Tim Haintz

  • Sorry, got the same error. This is the error if you try and set it to DomainAuthenticated. – Tim Haintz Nov 22 '16 at 13:09
  • Set-CimInstance : Unable to set NetworkCategory to 'DomainAuthenticated'. This NetworkCategory type will be set automatically when authenticated to a domain network. At line:1 char:124 + ... lias='Ethernet 2'" | Set-CimInstance -Property @{NetworkCategory='2'} + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (MSFT_NetConnect...5A09504828DA}"):CimInstance) [Set-CimInstance], CimException + FullyQualifiedErrorId : MI RESULT 4,Microsoft.Management.Infrastructure.CimCmdlets.SetCimInstanceCommand – Tim Haintz Nov 22 '16 at 13:10
  • Unfortunately, I still get the same error in regards to domain policies blocking the change, as I'm running PowerShell as Admin as before. In this case I am trying to move Ethernet 2 away from being set to DomainAuthenticated, but it looks like in my case this is forced and cannot be changed. – James White Nov 22 '16 at 18:39
  • @Pandorica as you mentioned, it appears that once you join a domain, NetworkCategory is locked into DomainAuthenticated. – Tim Haintz Nov 22 '16 at 20:05
  • @Pandorica are both your NICs set to DomainAuthenticated? In some of the web examples (http://windowsitpro.com/powershell/how-force-network-type-windows-using-powershell) with two NICs, one is set to public, the other to DomainAuthenticated. Can you change one and not the other? – Tim Haintz Nov 22 '16 at 20:11
  • Both are set to DomainAuthenticated; neither can seemingly be overridden. – James White Nov 22 '16 at 20:12
  • @Pandorica is your second NIC registering in DNS? I'm wondering if that registration is causing it to be DomainAuthenticated. This blog post also has some interesting information which might be relevant. – Tim Haintz Nov 24 '16 at 14:22
  • I have already disabled this option as I thought it might be related. I can't see the blog post link you are referring to. – James White Nov 24 '16 at 20:39
  • Sorry @Pandorica, Ctrl+V didn't work for me at midnight.... http://evansblog.thebarrs.info/2013/02/windows-server-force-your-network.html Thanks, Tim. – Tim Haintz Nov 24 '16 at 22:21
  • I've come across that article in my searches also. In most cases, however, it seems to be the reverse of what I'm trying to achieve: switching from rather than to DomainAuthenticated. I may just have to accept it's probably not possible. – James White Nov 25 '16 at 10:44

Removing the addresses of the 'public' adapter from the list of listening addresses of your DNS server would do the trick.


Review the third option "Using the Firewall" on this page: https://evansblog.thebarrs.info/2013/02/windows-server-force-your-network.html

You can prevent the DomainAuthenticated network profile by using the Windows Firewall to create an Outbound rule that blocks the Windows service "Network Location Awareness". Make sure to specify the local IP of the VPN adapter in the rule so it doesn't affect other adapters. The VPN adapter should then be classified with the "Public" network profile.
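The procedure in this answer, as an added PowerShell example that is not part of the original answer or the linked article: an outbound block rule for the NLA service (`NlaSvc`) scoped to the TAP adapter, followed by a restart of NLA and a check of the resulting profiles. It scopes the rule by interface alias rather than by the local IP the answer mentions, because a TAP address can change between VPN sessions while the alias stays put; the `Ethernet 2` alias comes from the question and `NlaSvc` is the service short name for Network Location Awareness.

```powershell
# Added example (not from the original answer): stop Network Location
# Awareness from probing for a domain controller through the TAP adapter, so
# NLA can no longer classify that adapter as DomainAuthenticated.
# Run from an elevated PowerShell session.
$VpnAlias = 'Ethernet 2'   # TAP adapter alias from the question

# Scope strictly to the VPN adapter. A rule that also matched the LAN NIC
# would cost that interface its Domain classification as well.
$ruleName = 'NLA: no domain probing via VPN'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Service NlaSvc `
        -InterfaceAlias $VpnAlias -Profile Any -Enabled True | Out-Null
}

# Confirm the rule is bound to the intended interface and service only.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallInterfaceFilter | Select-Object -ExpandProperty InterfaceAlias
$rule | Get-NetFirewallServiceFilter   | Select-Object -ExpandProperty Service

# NLA only re-evaluates on a network change, so restart the service.
# -Force also restarts its dependents (Network List Service).
Restart-Service -Name NlaSvc -Force
Start-Sleep -Seconds 10

# Expected outcome: 'Ethernet 2' no longer reports DomainAuthenticated,
# while the LAN NIC keeps its Domain profile.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity
```

If the profile does not move after the service restart, reconnect the OpenVPN session so the TAP adapter comes up with the rule already in force; NLA classifies an interface when it appears, and the block has to be in place before that first probe. Note the trade-off this answer implies: with NLA blocked on the TAP adapter, any domain controller that is only reachable through the tunnel is invisible to NLA on purpose, and every firewall rule that relies on the Domain profile stops applying to VPN traffic.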