"No Internet Access" icon on Server 2016

We have WPAD disabled on all of our systems due to the known security risks. It has been this way for a few years and I have not had any issues. Recently we deployed several Windows Server 2016 servers with Terminal Services. They are replacing our Windows Server 2012 servers with Terminal Services.

The issue I am having is that after the nightly reboot, the network connection on these 2016 servers has a yellow warning icon and if you hover over it, it says "No Internet Access". The internet is working perfectly fine, and as far as I can gather this error is being displayed because the function that detects the internet is dependent on the WPAD service. Hopefully I'm wrong, so someone please correct me.

Normally I wouldn't care about this "No Internet Access" icon which is mostly harmless and inaccurate, but Outlook will NOT connect to the local exchange server while it thinks there is "No Internet Access". So I get calls in the early morning that Outlook/Exchange is down when really it is not down at all. The odd thing is that if I simply click on the network icon in the system tray, the error immediately clears and all users suddenly have access to Exchange again until the next reboot. Any user can click on the network icon in the system tray, it does not have to be an administrator.

How can I fix this?
AaronSS (HIT Consultant) asked:

ITSysTech (Senior Systems Administrator) commented:
Have you tried to temporarily enable WPAD on one of the servers to verify that the "No Internet Access" error goes away?
0
ITSysTech (Senior Systems Administrator) commented:
Take a look at this article.

"If you are able to access the internet but the Network Connectivity Status Indicator (NCSI) still shows a warning, something may be blocking its probes. Likely culprits are third-party antivirus and firewall/security applications. If possible, remove or disable these temporarily and observe whether the NCSI warning disappears. You may restart the Network Location Awareness service or physically disconnect and reconnect the network adapter to force NCSI to initiate a probe."
0
AaronSS (HIT Consultant, author) commented:
It appears that the "Network Location Awareness" service is responsible for this issue, so I have disabled it. NLA makes sense for mobile and wireless systems, but not for a fixed server. Does anyone know of any downsides to disabling NLA? So far everything appears to be working properly.
0
Cliff Galiher commented:
Don't disable these services. They contain core functionality and APIs that applications can expect to use.

Your research was incomplete. WPAD had one security vulnerability that was patched during its disclosure. Only non-tech blogs have hyped this as an issue.

https://support.microsoft.com/en-us/help/3165191/ms16-077-security-update-for-wpad-june-14--2016
0
AaronSS (HIT Consultant, author) commented:
Disabling NLA did cause problems with Policies being applied, so it has already been re-enabled.

Instead of disabling NLA, I have set it to Delayed Start to see if that fixes the issue. Since the problem only occurs after a reboot and never returns until the next reboot, maybe the Delayed Start will help.
0
ITSysTech (Senior Systems Administrator) commented:
"I have set it to Delayed Start to see if that fixes the issue."

That was good thinking to set it to Delayed Start. Let us know what the outcome was.
0
AaronSS (HIT Consultant, author) commented:
Unfortunately "Delayed Start" for NLA Service did not resolve the issue. It was back again this morning.
0
Cliff Galiher commented:
Again, why not just leave the services as originally configured out of the box?
0
McKnife commented:
I agree. What are you referring to with "We have WPAD disabled on all of our systems due to the known security risks"?
0
AaronSS (HIT Consultant, author) commented:
To answer the question of why no WPAD, as far as I understand it, that WPAD patch does not address this attack vector. It is inherent to WPAD:
https://pentest.blog/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest/

While my server is less likely to experience this attack method, our mobile laptop users are certainly more vulnerable and have good reason to disable WPAD. Because we do not use WPAD and have had it disabled for well over a year, I do not see a reason to introduce this weakness into our systems.
0
McKnife commented:
Your own link says "First solution for this attack is, create DNS entry with “WPAD” that points to the corporate proxy server. So the attacker won’t be able to manipulate the traffic."
So please let's not debate this. It is no risk.
0
AaronSS (HIT Consultant, author) commented:
You haven't thought this through fully. If a mobile user is out and about, their WiFi will pick DNS servers via DHCP, therefore it doesn't matter if I have a WPAD DNS entry back home that mitigates the WPAD vulnerability locally -- if the mobile user is served by a rogue DHCP server that points them to malicious DNS server designed to compromise WPAD, it's game over. There is not a good reason to open this attack vector for use, hence WPAD is disabled.
0
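The exchange above turns on whether a given machine is actually exposed to WPAD spoofing: whether an unqualified `wpad` name resolves to something you control, whether the WinHTTP auto-discovery service is even running, and whether LLMNR (the other half of the linked article's title) is disabled by policy. The following PowerShell audit is an added example, not code from the thread or from Experts Exchange. It assumes the standard Windows locations for these settings (the `WinHttpAutoProxySvc` service, the `DNSClient` policy key for LLMNR, and the per-user `AutoDetect` value under Internet Settings); verify them on your own build before acting on the report.

```powershell
# Added example: read-only audit of WPAD / LLMNR exposure on the local machine.
# Assumptions (not from the thread): service name WinHttpAutoProxySvc, policy value
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast (0 = LLMNR off),
# and HKCU\...\Internet Settings\AutoDetect (1 = "Automatically detect settings" on).

function Get-WpadExposure {
    [CmdletBinding()]
    param()

    # 1. Does the unqualified name "wpad" resolve via DNS only (no LLMNR/NetBIOS fallback)?
    #    A record pointing at your own proxy is the mitigation quoted above; no record means
    #    a link-local responder could answer the name instead.
    $dns = Resolve-DnsName -Name 'wpad' -DnsOnly -ErrorAction SilentlyContinue
    $wpadAddresses = @($dns | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })

    # 2. State of the WinHTTP Web Proxy Auto-Discovery service.
    $svc = Get-Service -Name 'WinHttpAutoProxySvc' -ErrorAction SilentlyContinue

    # 3. LLMNR policy: EnableMulticast = 0 means LLMNR is turned off by GPO/local policy.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $enableMulticast = (Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' `
        -ErrorAction SilentlyContinue).EnableMulticast

    # 4. Per-user "Automatically detect settings" (assumption: absent value = default on).
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $autoDetect = (Get-ItemProperty -Path $ieKey -Name 'AutoDetect' `
        -ErrorAction SilentlyContinue).AutoDetect

    # Build a verdict a defender can act on. WPAD discovery is only reachable when the
    # service can run AND a client asks for it AND the name can be answered by someone.
    $serviceEnabled = ($null -ne $svc) -and ($svc.StartType -ne 'Disabled')
    $clientAsks     = ($null -eq $autoDetect) -or ($autoDetect -eq 1)
    $nameControlled = $wpadAddresses.Count -gt 0
    $llmnrOff       = ($enableMulticast -eq 0)

    $risk = if (-not $serviceEnabled -or -not $clientAsks) {
        'Low: WPAD discovery is not in use on this host'
    } elseif ($nameControlled -and $llmnrOff) {
        'Low: wpad resolves via DNS and LLMNR is disabled'
    } elseif ($nameControlled) {
        'Medium: wpad resolves, but LLMNR is still enabled'
    } else {
        'High: WPAD is in use, no wpad DNS record, LLMNR not disabled'
    }

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        WpadDnsAddresses     = ($wpadAddresses -join ', ')
        WpadServiceStartType = if ($svc) { [string]$svc.StartType } else { 'NotPresent' }
        WpadServiceStatus    = if ($svc) { [string]$svc.Status } else { 'NotPresent' }
        LlmnrDisabledByPolicy = $llmnrOff
        UserAutoDetectOn     = $clientAsks
        Risk                 = $risk
    }
}

# Usage: run in an elevated or normal session; output is a single object per host.
Get-WpadExposure | Format-List
```

The verdict deliberately treats a missing `wpad` record on a network where clients still ask for it as the worst case, because that is exactly the situation the author describes for roaming laptops: the mitigation quoted by McKnife (a DNS record at the office) only helps on networks whose DNS you operate. Running this on the Terminal Services hosts and on a laptop gives two different answers, which is the point both sides of the debate were making.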
McKnife commented:
A mobile user? I thought we were talking about an issue on your server? There is no risk in configuring the server to use wpad, no matter how the server is being used.
0
Cliff Galiher commented:
You're basing your argument on a single internet article with a very flawed testing methodology.

If the user is out and about and connecting through an untrusted network, they are already subject to MitM attacks via that network. Abusing WPAD is actually an extra, unnecessary attack vector when there are so many easier ways. I can show you how to take a basic wifi bridge the size of a quarter (available on amazon for cheap), have it rebroadcast a known SSID, and capture any wifi connection. It can then inject whatever it wants into any unencrypted HTTP stream without needing to capture proxy traffic via WPAD.

And if they capture proxy traffic via WPAD, encrypted traffic is still encrypted. Any attacks about unencrypting and re-encrypting traffic would require trusted certificates. Which, if they manage to have, again no longer requires capturing via WPAD.

Legitimate attacks like this get a lot of traction via Black Hat, etc. Yet even a basic google search on this is crickets. And the article managed to generate one whole comment from a person who couldn't figure out how to make it work.

In short, I can show you blog posts about fake moon landings, the illuminati, and how blood tests prove we are all descendants of ancient Martians. Know thy source. This just isn't a security vulnerability as it is being presented to be. You're hacking up your machines for no good reason, and that can have unintended consequences. Just because you haven't noticed any yet doesn't justify doing so.
0
AaronSS (HIT Consultant, author) commented:
Ok, I have enabled WPAD. Let's see how it goes.
0
AaronSS (HIT Consultant, author) commented:
WPAD is enabled and the service is starting correctly, but unfortunately WPAD had no impact on this problem either way. After a reboot, I still see the yellow icon on the network icon in the system tray, and when hovering over it I still see "No Internet Access". Clicking on it once immediately clears it, but until I click on it, Outlook will not open and connect to Exchange. It will remain in that state for hours if I let it, even though the internet works fine and all webpages are loading.
0
McKnife commented:
Very interesting behavior and problem.

I guess I cannot add much, but this: we have no internet access here - for security reasons, workstations browse only using a RemoteApp browser. However, Windows' little icon reports "internet access" when hovering over it. In other words, the mechanism used to determine internet access is (at least a little) broken and I wouldn't be surprised if any applications relying on that mechanism will have problems. We use WPAD, we use Exchange, everything works.

I would offload it directly to Microsoft.
0
AaronSS (HIT Consultant, author) commented:
There is a Group Policy setting that has solved this issue for us:

Computer Configuration \ Administrative Templates \ System \ Internet Communication Management \ Internet Communication settings
Enable the policy Turn off Windows Network Connectivity Status Indicator active tests
0
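The policy named in the accepted answer writes a single registry value, and ITSysTech's earlier comment about "something blocking its probes" can be tested directly, because NCSI publishes the probe host, path and expected body in the registry. The PowerShell below is an added example, not code from the thread or from Experts Exchange. It assumes the policy value `NoActiveProbe` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator` (what the GPO "Turn off Windows Network Connectivity Status Indicator active tests" sets) and the `ActiveWebProbeHost`, `ActiveWebProbePath` and `ActiveWebProbeContent` values under `HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet`; confirm both on your build, and prefer the domain GPO over a local registry write on domain-joined servers, since Group Policy will overwrite the local value on the next refresh.

```powershell
# Added example: inspect NCSI state, test the probe NCSI itself uses, and (optionally)
# apply the "turn off active tests" policy locally with -WhatIf / -Confirm support.
# Registry locations below are assumptions documented in the lead-in, not from the thread.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
$ProbeKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

function Get-NcsiState {
    [CmdletBinding()]
    param()
    $noActiveProbe = (Get-ItemProperty -Path $PolicyKey -Name 'NoActiveProbe' `
        -ErrorAction SilentlyContinue).NoActiveProbe
    $nla = Get-Service -Name 'NlaSvc' -ErrorAction SilentlyContinue
    $probe = Get-ItemProperty -Path $ProbeKey -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ActiveTestsDisabledByPolicy = ($noActiveProbe -eq 1)
        NlaServiceStatus            = if ($nla) { [string]$nla.Status } else { 'NotPresent' }
        NlaServiceStartType         = if ($nla) { [string]$nla.StartType } else { 'NotPresent' }
        ProbeHost                   = $probe.ActiveWebProbeHost
        ProbePath                   = $probe.ActiveWebProbePath
        ProbeExpectedContent        = $probe.ActiveWebProbeContent
    }
}

function Test-NcsiProbe {
    # Reproduce the HTTP half of the active test: fetch the probe URL and compare the
    # body with the content NCSI expects. A failure here (timeout, proxy challenge,
    # filtered content) is what makes the tray icon say "No Internet Access".
    [CmdletBinding()]
    param([int]$TimeoutSec = 5)
    $state = Get-NcsiState
    if (-not $state.ProbeHost -or -not $state.ProbePath) {
        return [PSCustomObject]@{ Succeeded = $false; Detail = 'Probe settings not found in registry' }
    }
    $uri = "http://$($state.ProbeHost)/$($state.ProbePath)"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec $TimeoutSec
        $body = ([string]$resp.Content).Trim()
        $ok = ($resp.StatusCode -eq 200) -and ($body -eq $state.ProbeExpectedContent)
        $detail = "HTTP $($resp.StatusCode), body '$body', expected '$($state.ProbeExpectedContent)'"
    } catch {
        $ok = $false
        $detail = "Request to $uri failed: $($_.Exception.Message)"
    }
    [PSCustomObject]@{ Succeeded = $ok; Uri = $uri; Detail = $detail }
}

function Disable-NcsiActiveProbe {
    # Local equivalent of the GPO in the accepted answer. Requires elevation.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyKey\NoActiveProbe", 'Set to 1 (turn off NCSI active tests)')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name 'NoActiveProbe' -PropertyType DWord -Value 1 -Force | Out-Null
        Restart-Service -Name 'NlaSvc' -Force   # pick the change up without a reboot
    }
    Get-NcsiState
}

# Usage: diagnose first, change second.
Get-NcsiState  | Format-List
Test-NcsiProbe | Format-List
# Disable-NcsiActiveProbe -WhatIf     # show what would change
# Disable-NcsiActiveProbe             # apply locally (domain GPO should be preferred)
```

Run `Test-NcsiProbe` right after a reboot, while the icon still shows the warning: if the probe fails then but succeeds after the tray icon is clicked, the cause is timing around the proxy or firewall path rather than the probe host itself, which is consistent with the Delayed Start experiment above not helping. Turning the active tests off removes the false warning, but it also removes Windows' ability to notice a genuine loss of internet connectivity through that mechanism, so monitoring for real outages on these hosts has to come from elsewhere.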
McKnife commented:
For completeness, could you please share your Outlook client version, Windows client version as well as Exchange version?
0
AaronSS (HIT Consultant, author) commented:
Windows Server 2016.
Outlook 2016.
Exchange 2016.
0
McKnife commented:
And what OS was Outlook running on? If Win10, please add the build number. Thanks again.
0
AaronSS (HIT Consultant, author) commented:
Outlook 2016 is running on Server 2016 (terminal services host)
0
AaronSS (HIT Consultant, author) commented:
No one else provided a workable solution. It was my own trial and error that determined the solution.
0