Wednesday, June 13, 2012

Windows Network Location Awareness Services


Network Connectivity Status Indicator (NCSI) probes, configured under the Network Location Awareness (NlaSvc) service


Sniffing some traffic from a Windows client shows a DNS lookup for dns.msftncsi.com and an HTTP GET for
ncsi.txt from www.msftncsi.com. This is the Network Connectivity Status Indicator (NCSI) active probe,
and it is on by default on every Microsoft operating system since Windows Vista and Server 2008,
so every Windows 7, 2008 and 2008 R2 box does it.


So these Windows clients resolve dns.msftncsi.com through their normal DNS servers and expect the answer 131.107.255.255.
Then they pull http://www.msftncsi.com/ncsi.txt over plain HTTP and expect the body "Microsoft NCSI".
All for a network status icon. If both probes succeed the icon shows normal Internet access. If either one fails the icon changes to the warning overlay and the connection is reported as "No Internet access" or limited connectivity.
The client treats a failure as either no route to the Internet or a captive portal that needs some intervention, like the login page in a web cafe or hotel.
This little amount of traffic adds up in a corporate environment with thousands of clients running it through a firewall, and on a network with no outbound Internet access it fails outright, so every client is marked "No Internet" even though everything internal works.
In a small environment the probe can be pointed at your own web server instead; its logs then record the IP addresses of your clients as they come online, including a missing laptop the next time it connects anywhere it can reach that server.
On the threat side, the probe is unauthenticated DNS and HTTP, so whoever controls DNS on the segment, or can ARP poison it, answers the probe with whatever they like. One could imagine serving an ncsi.txt much larger than expected in the hope of a buffer overflow and maybe remote code execution, but that is purely theoretical for now and nothing here demonstrates it. What is certain is that every probe leaves the client's public IP address in Microsoft's IIS logs, and nobody outside Microsoft knows what is done with the logs from millions of Windows systems. Here is what to change if you want to modify your home computers or push the values out with Group Policy in your production environment.




All five values live under the same key (create any that are missing):

HKEY_LOCAL_MACHINE
Key path SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet

Value name ActiveDnsProbeHost
Value type REG_SZ
Value data (host name the client resolves; it is looked up through the client's configured DNS servers, this is not a DNS server address)

Value name ActiveDnsProbeContent
Value type REG_SZ
Value data (the IP address that ActiveDnsProbeHost must resolve to for the DNS probe to pass)

Value name ActiveWebProbeHost
Value type REG_SZ
Value data (fqdn of your web server; the client fetches from it over plain HTTP on port 80)

Value name ActiveWebProbePath
Value type REG_SZ
Value data (path of the text file to pull, relative to the web root with no leading slash, for example ncsi.txt)

Value name ActiveWebProbeContent
Value type REG_SZ
Value data (contents of the text file; the client compares the whole response body against this string)

Then create /(text file) on your web server containing exactly the ActiveWebProbeContent string. Keep the file byte-for-byte identical to the value (no byte order mark, no trailing newline) so the comparison cannot fail on an invisible character, and make sure port 80 on that server is reachable from every client subnet. The values are read when the Network Location Awareness service starts, so restart the service or reboot after changing them. The same key also holds EnableActiveProbing (REG_DWORD); set it to 0 if you would rather turn the probes off than redirect them, at the cost of the icon no longer detecting captive portals.
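The following PowerShell is an added example, not code from the original post. It reads the probe values from the NlaSvc key listed above, repeats the client's own DNS and HTTP checks against them so a replacement probe server can be validated before it is rolled out, writes the values, and creates the probe file on the web server. The host names, addresses, paths and probe string in the usage lines (ncsi.corp.example, 10.0.0.5, C:\inetpub\wwwroot, "Corp NCSI") are assumptions; replace them with your own. Changing the values needs an elevated shell.

```powershell
# Added example (not from the original post): inspect, test, set and serve the
# NCSI active probe. Names and addresses in the usage lines are assumptions.
$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

function Get-NcsiProbeConfig {
    # Returns the five REG_SZ probe values plus EnableActiveProbing (REG_DWORD).
    $p = Get-ItemProperty -Path $NcsiKey
    New-Object PSObject -Property @{
        EnableActiveProbing   = $p.EnableActiveProbing
        ActiveDnsProbeHost    = $p.ActiveDnsProbeHost
        ActiveDnsProbeContent = $p.ActiveDnsProbeContent
        ActiveWebProbeHost    = $p.ActiveWebProbeHost
        ActiveWebProbePath    = $p.ActiveWebProbePath
        ActiveWebProbeContent = $p.ActiveWebProbeContent
    }
}

function Test-NcsiProbe {
    # Repeats what the client does: resolve the DNS probe host and compare the
    # answer to the expected address, then GET the probe file over plain HTTP and
    # compare the whole body (case-sensitive) to the expected content.
    # A captive portal typically passes DNS and fails the web check with an HTML
    # login page in Body; a network with no Internet route fails both.
    param([Parameter(Mandatory=$true)]$Config)

    $resolved = @()
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($Config.ActiveDnsProbeHost) |
                    ForEach-Object { $_.IPAddressToString }
    } catch { }
    $dnsOk = $resolved -contains $Config.ActiveDnsProbeContent

    $url   = "http://$($Config.ActiveWebProbeHost)/$($Config.ActiveWebProbePath)"
    $body  = $null
    $webOk = $false
    try {
        $wc = New-Object System.Net.WebClient
        $wc.Headers.Add('User-Agent', 'Microsoft NCSI')   # same UA the real probe sends
        $body  = $wc.DownloadString($url)
        $webOk = ($body -ceq $Config.ActiveWebProbeContent)
    } catch { $body = "ERROR: $($_.Exception.Message)" }

    New-Object PSObject -Property @{
        DnsProbe = $dnsOk
        Resolved = ($resolved -join ', ')
        WebProbe = $webOk
        Url      = $url
        Body     = $body
    }
}

function Set-NcsiProbeConfig {
    # Writes the values the post lists. NlaSvc reads them at start, so the service
    # is restarted (dependents restart with it); a reboot works too.
    param(
        [Parameter(Mandatory=$true)][string]$DnsHost,
        [Parameter(Mandatory=$true)][string]$DnsAddress,
        [Parameter(Mandatory=$true)][string]$WebHost,
        [Parameter(Mandatory=$true)][string]$WebPath,
        [Parameter(Mandatory=$true)][string]$WebContent
    )
    if (-not (Test-Path $NcsiKey)) { New-Item -Path $NcsiKey -Force | Out-Null }
    Set-ItemProperty -Path $NcsiKey -Name ActiveDnsProbeHost    -Value $DnsHost    -Type String
    Set-ItemProperty -Path $NcsiKey -Name ActiveDnsProbeContent -Value $DnsAddress -Type String
    Set-ItemProperty -Path $NcsiKey -Name ActiveWebProbeHost    -Value $WebHost    -Type String
    Set-ItemProperty -Path $NcsiKey -Name ActiveWebProbePath    -Value $WebPath.TrimStart('/') -Type String
    Set-ItemProperty -Path $NcsiKey -Name ActiveWebProbeContent -Value $WebContent -Type String
    # Set EnableActiveProbing to 0 instead if you want the probes off rather than redirected.
    Set-ItemProperty -Path $NcsiKey -Name EnableActiveProbing   -Value 1 -Type DWord
    Restart-Service -Name NlaSvc -Force
}

function New-NcsiProbeFile {
    # Server side: write the probe file byte-for-byte equal to ActiveWebProbeContent
    # (UTF-8 without BOM, no trailing newline), since the client compares the whole body.
    param(
        [Parameter(Mandatory=$true)][string]$WebRoot,
        [Parameter(Mandatory=$true)][string]$WebPath,
        [Parameter(Mandatory=$true)][string]$WebContent
    )
    $file = Join-Path $WebRoot $WebPath
    [System.IO.File]::WriteAllText($file, $WebContent, (New-Object System.Text.UTF8Encoding($false)))
    Get-Item $file
}

# Usage (assumed names: web/DNS probe host ncsi.corp.example at 10.0.0.5, file ncsi.txt):
# New-NcsiProbeFile -WebRoot 'C:\inetpub\wwwroot' -WebPath 'ncsi.txt' -WebContent 'Corp NCSI'
# Set-NcsiProbeConfig -DnsHost 'ncsi.corp.example' -DnsAddress '10.0.0.5' `
#     -WebHost 'ncsi.corp.example' -WebPath 'ncsi.txt' -WebContent 'Corp NCSI'
# Test-NcsiProbe -Config (Get-NcsiProbeConfig) | Format-List
```

Run Test-NcsiProbe against the stock values first to see the Microsoft probe pass or fail from your network, then against the new values after Set-NcsiProbeConfig; if WebProbe comes back false with a Body that is not your string, you are looking at exactly what the client sees when it decides to show "No Internet access". For a fleet, the same five values belong in a Group Policy Preferences registry item rather than a script run per machine.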