
Is Windows 10 eliminating network browsing?


Guest asrequested


Guest asrequested

Hey there all you networking geniuses. With the last update to 1703, not all of my machines are showing up on all of my machines when browsing the network in Windows Explorer. After a little research it appears that Microsoft may be getting rid of this feature. Can you guys confirm this? And if it is true, what is a good way to do this? Here's a link to what I am referring to.

 

https://social.technet.microsoft.com/Forums/en-US/1e223ed7-e65d-466e-b7de-a3735c467967/windows-10-cannot-see-or-connect-to-network-computers?forum=win10itpronetworking

 

If you scroll to the bottom, there's a post that would seem to be explaining it.

 

Advice would be appreciated. I use this feature, a lot.

Link to comment
Share on other sites

PrincessClevage

“Do not confuse the computer browser service and network discovery. They work differently and they work independently.

The computer browser service is an NT legacy app, and that is what provides the info for the browse list in Network Neighborhood. Stopping the computer browser service does not prevent a machine from appearing in a browse list. That is controlled by whether Netbios over TCP/IP is enabled or not. Disabling the browser service prevents the machine from becoming a browse master.

IPv6 does not support Netbios, so the computer browser service is being phased out. Network Discovery is essentially the replacement for it.

If you rely on the computer browser service, make sure that all machines you want to appear in the browse list have Netbios over TCP/IP enabled. If you have a segmented network, make sure that you run WINS and that all machines register with WINS. The browser service fails on a segmented network without WINS (because routers block LAN broadcasts). Browse masters need WINS to communicate across routers.”

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1d63fa1a-f7b1-4856-a42d-dda821889a64/cant-figure-out-what-servers-get-listed-in-network-browse-list

Link to comment
Share on other sites

Guest asrequested

I think you're misunderstanding. I don't have an issue with discovery. I can gain access, I just can't browse the network. I have a workaround, and have mapped the drives, but I want the ability to browse my entire network.

Link to comment
Share on other sites

PenkethBoy

@

 

do you mean that the "other" computers do not show up in the left hand pane of explorer under network?

 

or that \\Doofuspc does not work in explorer?

Link to comment
Share on other sites

I'm experiencing something similar.

 

I can see my network PCs in the Explorer window in the left panel, and in the Network window along the top of the screen. However, I have trouble when clicking on a particular PC, with Windows displaying a message saying it cannot find the PC on the network. Running the troubleshooter provides no explanation, but after running the troubleshooter, suddenly all of the shared folders on that PC are visible and accessible.

 

I have 3 Windows 10 PCs and one Windows 7. Two of the Win 10 are on the fall update v1709. The other one is still on v1703.


Link to comment
Share on other sites

PrincessClevage

I think you're misunderstanding. I don't have an issue with discovery. I can gain access, I just can't browse the network. I have a workaround, and have mapped the drives, but I want the ability to browse my entire network.

Network discovery is a network setting that affects whether your computer can see (find) other computers and devices on the network and whether other computers on the network can see your computer. By default, Windows Firewall blocks network discovery, but you can enable it.
Link to comment
Share on other sites

Happy2Play

I'm experiencing something similar.

 

I can see my network PCs in the Explorer window in the left panel, and in the Network window along the top of the screen. However, I have trouble when clicking on a particular PC, with Windows displaying a message saying it cannot find the PC on the network. Running the troubleshooter provides no explanation, but after running the troubleshooter, suddenly all of the shared folders on that PC are visible and accessible.

 

I have 3 Windows 10 PCs and one Windows 7. Two of the Win 10 are on the fall update v1709. The other one is still on v1703.

 

I got the same error, but after an additional restart everything worked fine.  My systems just updated to 1709.

  • Like 1
Link to comment
Share on other sites

Guest asrequested

@

 

do you mean that the "other" computers do not show up in the left hand pane of explorer under network?

 

or that \\Doofuspc does not work in explorer?

On one machine in the left pane, they are all there. On another, only one shows up, but not itself. On the last one, only itself is there. The network is functioning, using the IP I have full access and I'm able to map the drives. According to that link I provided, Microsoft is removing that ability.

Link to comment
Share on other sites

Guest asrequested

Network discovery is a network setting that affects whether your computer can see (find) other computers and devices on the network and whether other computers on the network can see your computer. By default, Windows Firewall blocks network discovery, but you can enable it.

I'll check the firewall, but they were there, and now they aren't. And I have access to everything.

Link to comment
Share on other sites

ThePaladinTech

I've had Windows upgrades change my network type to 'public network' - which causes all kinds of issues. 

  • Like 2
Link to comment
Share on other sites

Guest asrequested

I haven't really done an end to end check of my network, and tightened the nuts and bolts. Up until yesterday, my HTPC showed all computers, and then suddenly only showed itself. Seemed like a windows thing. And my server, since I rebuilt it, only shows my HTPC and not even itself. I was having an install issue with sophos home, but it was like that prior. My backup server shows them all. It's really inconsistent. I was trying to avoid resetting the network, but I may have to do that, and reconfigure my settings.

Link to comment
Share on other sites

So a lot of this auto config networking view is carry over from the M$ windows millennium/XP days. It is very M$ service centric, and not very compatible with IPv6. Additionally, many of these legacy networking services will require a WINS server to be supported across subnets (ex: in the event that you have multiple subnets across separate VLANS). If you need this to work my advice would be:

1. Make sure that your computers are in the same workgroup (control panel (large icons view)- system- advanced system properties - computer name tab). Note this will require a reboot if changed.

2. Allow network discovery through windows firewall on private networks. (Control panel (large icons view) - windows defender firewall - allow an app or feature through...)

3. Allow file and printer sharing through windows firewall on private networks. (Control panel (large icons view) - windows defender firewall - allow an app or feature through...)

4. Confirm that the "client for M$ networks" feature is enabled (checked) on your NIC/WNIC (Control panel (large icons view) - network and sharing center - change adapter settings - <select your adapter> - select properties)

5. Confirm that the "file and print sharing for M$ networks" feature is enabled (checked) on your NIC/WNIC (Control panel (large icons view) - network and sharing center - change adapter settings - <select your adapter> - select properties)

6. For good measure, setup your "home group" (Control panel (large icons view) - network and sharing center - home group). I have found that this isn't really needed in my environment.

 

The above works in my environment and is fun for less than 10 machines. I am actually planning on picking up a copy of M$ home server 2016 to replace this method and build a domain network in my home to centralize user, computer, and ACL permissions.

 

It is important to note that there are some security considerations you need to be aware of:

 

A. There is an association between the Windows firewall and the network connection. Domain, private, and public zones are used to allow the firewall to behave differently depending on the network connection. This was added in for mobile devices (laptops and tablets). When you connect to a new network be aware to put your firewall in an appropriate zone. Guest networks should be associated with the public firewall zone. Your private home network should be in the private firewall zone. Be very careful not to pass vulnerable services (ex: file and print sharing) on the public firewall zone. Be very careful not to entirely disable your Windows firewall unless you know what you are doing.

B. You will be prompted when connecting to new networks on mobile devices. Do not enable network discovery on untrusted networks (guest networks).

 

I also agree with @ThePaladinTech. This wouldn't be the first time Windows updates changed firewall zone or network discovery settings on a computer's local LAN.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
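
A read-only way to check the settings from the checklist above on each machine, as an added PowerShell example that is not part of the original post. It assumes an elevated session and an English-language Windows 10 install, because the firewall rule group names are localized.

```powershell
# Added example (not from the thread). Read-only: it changes nothing.
# Assumes English display names for the firewall rule groups.

# Step 1: workgroup. Win32_ComputerSystem.Domain holds the workgroup name
# when the machine is not domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'{0}: {1} "{2}"' -f $cs.Name, $(if ($cs.PartOfDomain) { 'domain' } else { 'workgroup' }), $cs.Domain

# Network category per connection. If an update flips this to Public,
# the firewall applies its Public profile to that connection.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize

# The firewall itself should stay enabled on every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# Steps 2 and 3: enabled inbound allow rules in the two groups, and the
# profiles each one applies to.
$groups = 'Network Discovery', 'File and Printer Sharing'
$rules = foreach ($group in $groups) {
    Get-NetFirewallRule -DisplayGroup $group |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
}
$rules | Group-Object DisplayGroup, Profile |
    Select-Object Count, Name | Format-Table -AutoSize

# Security consideration A: nothing from these groups should be allowed on
# the Public profile ("Any" covers Public as well).
$public = $rules | Where-Object { "$($_.Profile)" -match 'Public|Any' }
if ($public) {
    Write-Warning 'Discovery/sharing rules are enabled on the Public profile:'
    $public | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    'No discovery or sharing rules are enabled on the Public profile.'
}

# Steps 4 and 5: adapter bindings for "Client for Microsoft Networks"
# (ms_msclient) and "File and Printer Sharing for Microsoft Networks" (ms_server).
Get-NetAdapterBinding -ComponentID ms_msclient, ms_server |
    Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize
```

Comparing the output from a machine that shows every computer with one that shows only itself points to the setting that differs.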
Link to comment
Share on other sites

I will note I haven't taken the fall update on my network yet, but have had the SMB1.0 vulnerability patch installed on my systems since march. I will have to plan on my fall update upgrade and possibly identifying one of my PCs as master browser if I run into the same problem.

 

 

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

Guest asrequested

I need to look at my network in more detail. I haven't paid much attention to it because I continually reconfigure my hardware, and I didn't want to have to keep changing my network config. I can't help fiddling lol. That's why I haven't wanted to have layers of security. If I ever get hacked, I'm quite happy to wipe and reinstall. But my network is about to expand, so I do want to isolate and secure my private network. I've just added a guest wireless network for someone. I want to isolate my network from that, and I'll limit that network to his mac address.

  • Like 1
Link to comment
Share on other sites

I got the same error, but after an additional restart everything worked fine.  My systems just updated to 1709.

Problem for me is that it occurs regularly. It's usually just for the same pc every time (win10 - 1703) but occasionally it affects the win7 too. I have just found out that if I wait a minute after the failed access, it will come good without using the Network troubleshooter. Go figure...

Link to comment
Share on other sites

Guest asrequested

So a lot of this auto config networking view is carry over from the M$ windows millennium/XP days. It is very M$ service centric, and not very compatible with IPv6. Additionally, many of these legacy networking services will require a WINS server to be supported across subnets (ex: in the event that you have multiple subnets across separate VLANS). If you need this to work my advice would be:

1. Make sure that your computers are in the same workgroup (control panel (large icons view)- system- advanced system properties - computer name tab). Note this will require a reboot if changed.

2. Allow network discovery through windows firewall on private networks. (Control panel (large icons view) - windows defender firewall - allow an app or feature through...)

3. Allow file and printer sharing through windows firewall on private networks. (Control panel (large icons view) - windows defender firewall - allow an app or feature through...)

4. Confirm that the "client for M$ networks" feature is enabled (checked) on your NIC/WNIC (Control panel (large icons view) - network and sharing center - change adapter settings - <select your adapter> - select properties)

5. Confirm that the "file and print sharing for M$ networks" feature is enabled (checked) on your NIC/WNIC (Control panel (large icons view) - network and sharing center - change adapter settings - <select your adapter> - select properties)

6. For good measure, setup your "home group" (Control panel (large icons view) - network and sharing center - home group). I have found that this isn't really needed in my environment.

 

The above works in my environment and is fun for less than 10 machines. I am actually planning on picking up a copy of M$ home server 2016 to replace this method and build a domain network in my home to centralize user, computer, and ACL permissions.

 

It is important to note that there are some security considerations you need to be aware of:

 

A. There is an association between the Windows firewall and the network connection. Domain, private, and public zones are used to allow the firewall to behave differently depending on the network connection. This was added in for mobile devices (laptops and tablets). When you connect to a new network be aware to put your firewall in an appropriate zone. Guest networks should be associated with the public firewall zone. Your private home network should be in the private firewall zone. Be very careful not to pass vulnerable services (ex: file and print sharing) on the public firewall zone. Be very careful not to entirely disable your Windows firewall unless you know what you are doing.

B. You will be prompted when connecting to new networks on mobile devices. Do not enable network discovery on untrusted networks (guest networks).

 

I also agree with @ThePaladinTech. This wouldn't be the first time Windows updates changed firewall zone or network discovery settings on a computer's local LAN.

 

Sent from my iPhone using Tapatalk

 

I haven't worked through all of these yet, but I have my network browsing back.

 

1.  I re-affirmed the workgroup IDs

 

2. This was already in place

 

3. Turned this on

 

6. This may have been the issue. When I did this on the server machine, it re-established a network connection, or something (I'm tired and I forgot what specifically it did). I also ran that on my HTPC, and everything showed up on both machines. 

 

The curious thing is, on the third machine everything is there, but it won't accept the password to join the homegroup.

  • Like 1
Link to comment
Share on other sites

The curious thing is, on the third machine everything is there, but it won't accept the password to join the homegroup.

All devices are being detected and viewable now? Yea, homegroup is a half baked idea imho... I had trouble with it consistently and couldn't discern any real benefit to having it working. To diag I would try the following;

 

1. Make sure that you force it to leave any homegroup that is already on there.

2. I think there is a way to delete any old homegroups from registry but I don't remember where it was.

3. Make sure that you only have one device hosting the home group and that the member devices always have access to it.

4. Additionally, the devices will likely need to be on the same subnet.

 

 

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

Guest asrequested

All devices are being detected and viewable now? Yea, homegroup is a half baked idea imho... I had trouble with it consistently and couldn't discern any real benefit to having it working. To diag I would try the following;

 

1. Make sure that you force it to leave any homegroup that is already on there.

2. I think there is a way to delete any old homegroups from registry but I don't remember where it was.

3. Make sure that you only have one device hosting the home group and that the member devices always have access to it.

4. Additionally, the devices will likely need to be on the same subnet.

 

 

Sent from my iPhone using Tapatalk

 

Tomorrow's check list :D

 

I really appreciate the help. Networking is something I'm poorly educated on.

 

Here's a question. I've made a guest wireless network, should I consider using a VLAN for that? I figured just making it a guest network would isolate it from my network? 

Edited by Doofus
  • Like 1
Link to comment
Share on other sites

I've had Windows upgrades change my network type to 'public network' - which causes all kinds of issues. 

 

You checked this, right?  I have had that happen to me as well.

  • Like 1
Link to comment
Share on other sites

Guest asrequested

You checked this, right? I have had that happen to me as well.

Yes, it's private. But I'm a noob to networking, I need to verify that my guest Wi-Fi network is truly separate. I wish I had a laptop. How can I test with my Android phone?

Link to comment
Share on other sites

Tomorrow's check list :D

 

I really appreciate the help. Networking is something I'm poorly educated on.

 

Here's a question. I've made a guest wireless network, should I consider using a VLAN for that? I figured just making it a guest network would isolate it from my network?

When I talk "Isolation" I make sure that it is interpreted more as a spectrum than a state.

 

On one extreme of the spectrum there is no isolation,

A. all network nodes can talk to each other.

B. all network equipment is shared.

C. All network equipment is co-located.

D. There is a connection to the big "I" (Internet)

 

On the other extreme there is full isolation

A. No nodes can talk to each other

B. Physically different network infrastructure to host both subnets.

C. All equipment is housed in separate closets and racks and work spaces.

D. The internal network has no physical uplink to the big "I".

 

The amount of isolation you need depends on your risk appetite. Risk to your internal network is high on the totally open network design and very low on the other extreme. Most organizations will fit somewhere in the middle of the spectrum.

 

Unifi has the ability to logically separate your guest network nodes from the rest of your internal nodes using ACL rules that block IPv4 communication between your guest network clients and other RFC 1918 private IP ranges:

10.0.0.0/8 (or 10.0.0.0 - 10.255.255.255)

172.16.0.0/8 or (172.16.0.0 – 172.31.255.255)

192.168.0.0/16 or (192.168.0.0 – 192.168.255.255)

The benefits of this implementation are that it is relatively simple and cheap to set up. And your guest network is never allowed to send packets to the internal network.

 

The drawbacks are:

1. The same packets cross the same subnet. So there is some bleeding of guest traffic on the internal network.

 

There is some risk involved with this. Methods to reduce this risk further are to disable multicast and broadcast traffic on wifi networks, and downlinks to access points and guest LAN devices.

 

2. The ACLs (Access Control List) are enforced in the logic on the access point. Classically, this is better done on a firewall because these are made for this activity.

 

3. What happens if you have LAN devices you want to isolate (ex: I have a work VOIP phone I have relegated to my guest VLAN).

 

4. The IPv6 equivalent to RFC 1918 private IPs has been deprecated and will not be enforced. How will this software defined ACL policy be applied to IPv6 traffic?

 

The next solution up the isolation spectrum is to stand up a separate guest VLAN and create a new subnet for it. Then create ACL rules that disallow traffic between the VLANS.

 

Benefits of this are that the networks are logically separate. You can build rules to account for your IPv6 subnets in the event that you dual stack your network.

 

There are some drawbacks. Mainly they are related to complexity. You have to be careful for VLAN bleeding. Good rules to follow are:

1. Do not assign any network equipment a guest network IP address (except the end firewall device).

2. Disallow Internal IP addresses on the guest network.

3. Work to disallow inbound traffic from internal networks to the guest and from the guest network to internal network.

4. Build an ACL list of what you want to allow, then disallow all else.

 

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
Link to comment
Share on other sites

Guest asrequested

I created the WiFi guest network on the Unifi Gateway. I imagine it's pretty isolated, but I just wanted to test it. The guy that will be using it, is a cop  :ph34r:

Link to comment
Share on other sites

I created the WiFi guest network on the Unifi Gateway. I imagine it's pretty isolated, but I just wanted to test it. The guy that will be using it, is a cop :ph34r:

So what you are talking about is hardening your configuration and vulnerability testing.

 

Are you running IPv6 on your LAN? Also I assume that you didn't create a new VLAN and subnet for this. Please confirm.

 

Good tools to do the test are wireshark, an ip scanning tool, and NMAP. You will likely need 2 computers for this. One on your guest wifi and the other on your internal LAN. If you support IPv4 and IPv6 on your LAN (this is called dual stacking) you will need to test on both protocol suites. Make sure that you disable any system firewalls for the test (windows firewall) so that you can be sure that you are testing your network's ACL rules.

 

1. Use wireshark on each computer

A. From the computer on the guest network, see if you can see any internal sourced traffic (excluding traffic from shared resources like default gateway, DHCP, or DNS servers).

B. From the computer on the internal LAN network, see if you can see any guest sourced traffic (filter by the guest computer's IP address while say streaming video or downloading a large file).

 

This gives you an idea of how much traffic bleeding you have between your internal and guest network.

 

2. Use NMAP or an IP scanning tool to see if you can access devices (computers, servers, firewalls, routers, switches, and access points) on the internal network from guest. Then test from your internal LAN computer. Make sure that you have some shared resources on the LAN you are testing (ex: telnet server, FTP, file and print sharing, web server, etc). When scanning, also test common ports like FTP (21), 22 (SSH/telnet), HTTP (80/8080/8085), file and print sharing (137-139, 445), HTTPS (443), FTPS (990), 1433 (SQL), RDP (3389), custom Emby 8096/8920, custom UniFi web UI HTTPS 8443, etc. This will tell you how good the access point is at blocking communication between the networks.

 

3. See if you can logically break rules. An example of this would be if you had two VLANs (a and b) with two separate IP subnets (a and b). Subnet a is used for connectivity to VLAN a. Subnet b is used for VLAN b. Would you be able to break through the ACL rules if you connected to VLAN a and assigned yourself a static IP on subnet b?

 

 

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
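
A quick TCP check for step 2 above, run from a machine on the guest Wi-Fi against your own internal devices, as an added PowerShell example that is not part of the original post. The host addresses are constructed placeholders and `Test-TcpPort` is a helper defined here; the port list is the one from the post, minus 137 and 138, which NetBIOS uses over UDP and a TCP connect cannot probe.

```powershell
# Added example (not from the thread). Run from a machine on the guest Wi-Fi.
# Constructed placeholders: replace with addresses of your own internal devices.
$InternalHosts = '192.168.1.10', '192.168.1.20'
# TCP ports named in the post above.
$Ports = 21, 22, 80, 139, 443, 445, 990, 1433, 3389, 8080, 8085, 8096, 8443, 8920

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 1500)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($Address, $Port)
        # No answer within the timeout: the packet was dropped on the way.
        if (-not $task.Wait($TimeoutMs)) { return 'Filtered' }
        return 'Open'   # TCP handshake completed
    }
    catch {
        # Unwrap to the innermost exception to read the socket error.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # A reset came back, so the packet reached the internal host
            # even though nothing listens on that port.
            return 'Closed'
        }
        return 'Filtered'
    }
    finally { $client.Close() }
}

$results = foreach ($address in $InternalHosts) {
    foreach ($port in $Ports) {
        [pscustomobject]@{
            Address = $address
            Port    = $port
            State   = Test-TcpPort -Address $address -Port $port
        }
    }
}

# Both Open and Closed mean guest traffic crossed into the internal network.
$leaks = $results | Where-Object { $_.State -ne 'Filtered' }
if ($leaks) {
    Write-Warning 'Guest-to-internal traffic got through for:'
    $leaks | Format-Table -AutoSize
} else {
    'No internal host answered on any tested port.'
}
```

With host firewalls disabled for the test as the post suggests, a `Closed` result is as much a sign of missing isolation as `Open`, because the reply had to come from the internal host.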
Link to comment
Share on other sites

mastrmind11

I created the WiFi guest network on the Unifi Gateway. I imagine it's pretty isolated, but I just wanted to test it. The guy that will be using it, is a cop  :ph34r:

yeah, just specify a different subnet w/ a completely different ip range than your internal network.  super easy to do from the controller.  I assume that's what you did anyhow.

  • Like 1
Link to comment
Share on other sites
