Eliminating sources and causes of unwanted network traffic
The goal of client network optimization and tuning is to find the sources of unwanted network traffic and to take steps to correct or eliminate the root causes in order to enhance network performance and help avoid future problems. We have created a single GPO that can be linked to help control this traffic. It is called _PUBLIC-Client Network Citizenship. Below are details of the different traffic that has been seen and what the GPO does to limit it.
Observed Network Behavior
Some of the things that are negatively impacting network performance that have been observed on the campus network are:
Bogus ARP Traffic
- Client systems are broadcasting while asleep
- Packets serve no useful purpose
- Negative impact on campus routers
- The GPO runs a startup script that sets a few NIC settings to take care of this
- The GPO disables the problematic services in Windows.
DHCPv6 Duplicate DUID
- Creates IPv6 address conflicts
- An enterprise fix is not in the GPO, but is provided for SCCM users. It can also be handled on a case-by-case basis.
If Dropbox is installed, disable the LAN Sync setting. LAN Sync generates broadcast traffic from each client that, with the University's fast Internet connectivity, isn't beneficial. The default configuration when Dropbox is installed or upgraded has LAN Sync enabled. This link summarizes the LAN Sync features.
The GPO disables LAN Sync by blocking outgoing traffic on the port it uses. Dropbox will sense this port is blocked and disable LAN Sync. Unfortunately, this is the only enterprise way to control the setting.
Remove Unnecessary Network Protocols
To see the currently installed network clients, protocols and services, follow these steps:
- Click Start, point to Settings, and then click Control Panel.
- Double-click Network Connections to display the network connections on the computer.
- Right-click Local Area Connection (or the entry for your network connection), and then click Properties to display the properties dialog box for the network connection.
- To remove an unnecessary item, select it and click Uninstall. To disable an item, simply clear the checkbox associated with the item.
If you are unsure about the effects of uninstalling an item for the connection, then disable the item rather than uninstalling it. Disabling items allows you to determine which services, protocols and clients are actually required on a system. When it has been determined that disabling an item has no adverse effect on the server or workstation, the item can then be uninstalled.
In many cases, the following components are required for operation on a standard TCP/IP based network:
- Client for Microsoft Networks
- File and Printer Sharing for Microsoft Networks
- Internet Protocol Version 4 (TCP/IPv4)
- Internet Protocol Version 6 (TCP/IPv6)
However, depending on the network driver/ system other network components may be beneficial or essential for optimal network configurations
Disable Specific Protocols
SSDP (Simple Service Discovery Protocol) - Used to discover Plug & Play devices, with uPnP (Universal Plug and Play) features.
SSDP Discovery is disabled in the GPO.
For non-domain or unmanaged systems information on how to disable network discovery can referenced at the following link:
Multicast DNS (mDNS)- There is a mDNSResponder.exe process that belongs to the Bonjour Service in Windows, which is Apple’s “Zero Configuration Networking” application, typically installed automatically by iTunes, Skype and others.
Windows – The Bonjour Service is disabled in the GPO
Mac - Edit mDNSResponder service to stop multicast. Click here for the mDNSResponder off package. (Hawk ID authentication required)
For non-domain or unmanaged systems information on how to disable mDNS traffic please review the following links:
Link Local Multicast Name Resolution (LLMNR)- Allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
LLMNR is disabled in the GPO
For non-domain or unmanaged systems, create local Group Policy using GPEdit.msc with the following setting:
Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution. (Enabled = Don't use LLMNR)
For more information on Link Local Multicast Resolution please review the following link:
Browser (Computer Browser Service) - Computer Browser service is the mechanism that collects and distributes the list of workgroups and domains and the servers within them
This service is disabled in the GPO
For non-domain or unmanaged systems, follow this guide: Disable the Computer Browser Service
NetBIOS Name Service (NBNS)- The NetBIOS Name Service is part of the NetBIOS-over-TCP protocol suite
This service is disabled in the GPO by running a script. This script is also available in a public SCCM package. Public-Utility - Disable NetBIOS over TCPIP & WINS (vbscript)
For non-domain or unmanaged systems, check this guide to see where the settings are located: Microsoft KB313314
For more information on NetBIOS Naming Service please review the following link:
Disabling Network Discovery/Network Resources
What is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
How to benefit from Link-Local Multicast Name Resolution
NetBIOS Name Service (NBNS)
Fine Tuning Network Drivers
Recommendations for Filtering ICMPv6 Messages in Firewalls