How to maintain a healthy network infrastructure in Windows

  • Configure and optimize Windows (IPv4, network profiles, TCP/IP and DoH) for stability and control.
  • Adjust the NIC (offloads, RSS, buffers, power) and TCP stack to maximize performance and minimize latency.
  • Design by zones (DMZ, internal, testing) and apply Zero Trust with AAA, modern encryption and segmentation.
  • Maintain a continuous plan: patches, backups, monitoring, and documentation for high availability.

Network infrastructure in Windows

Managing a network in Windows today is not just about connecting computers: it's about keeping it agile, secure, and ready for whatever comes next. A healthy network infrastructure reduces downtime, prevents incidents, and lets you get the most performance out of both home and corporate environments.

In this guide you will find key Windows settings, adapter optimization techniques, high-level security recommendations, a reference design for a Windows infrastructure with critical services, and a step-by-step maintenance plan. It combines practical configuration, performance, best practices, and hardening so that your network remains stable and healthy in the long term.

Network and Internet Settings in Windows: Quick Access and Status

In Windows, the Network & Internet panel brings together everything you need to connect, customize, and diagnose. To open it you have two convenient shortcuts: open Start, type settings and go to Settings > Network & Internet, or right-click the Network or Wi-Fi icon in the taskbar and choose Network & Internet settings.

From that panel you'll see the connection status at the top, with access to frequently used functions such as Wi-Fi, Ethernet, VPN, data usage, or network properties. It's the most direct way to confirm at a glance whether everything is connected correctly.

How to see your IP address in Windows

If you need to identify your IP address on the local network, Windows makes it easy from the interface properties. Follow this path to find the IPv4 address in use.

  1. Open Network & Internet and choose the appropriate interface: Wi-Fi for wireless networks (select the network you are connected to) or Ethernet for cable.
  2. In Properties, look for the IPv4 address line to see the assigned IP address. With that IP you will be able to diagnose or configure internal access.

Usage control: set data limit

If you're using a metered data plan (tethering, 4G/5G or capped connections), Windows can warn you when you approach the limit and even when you exceed it. Setting a limit helps to avoid surprises and keep traffic under control.

  1. Open Network & Internet settings.
  2. Choose Data usage in the active network status.
  3. Select Enter limit, define the type of limit, complete the fields and save. From then on you will receive automatic notifications.

Airplane mode: when and how to turn it on

Airplane mode disables Wi-Fi, mobile network, Bluetooth, and NFC at once. It is useful to save battery or meet requirements in specific environments.

  • Click on Network, Volume, or Battery in the taskbar and activate Airplane mode.
  • Or go to Network & Internet > Airplane mode and use the switch. With a single tap you turn all the radios off or on.

Public or private network: choose the right profile

When you connect for the first time, Windows 11 sets the network as public by default. That profile minimizes exposure and is the recommended one unless you're going to share resources in a trusted environment.

  • Public network: the device remains hidden from other devices; it is not intended for sharing files or printers.
  • Private network: the device is discoverable and allows sharing. Use it only if you trust the users and devices in that segment.

To change the profile, go to Network & Internet settings, choose Wi-Fi and select the current network (or Ethernet if using a cable) and, under Profile type, check Public or Private. The profile indicates the level of exposure and the firewall's behavior.

TCP/IP and DNS settings in Windows

TCP/IP defines how computers communicate with each other and with the Internet. The most convenient and robust approach is usually to use DHCP so that the router assigns IP and DNS automatically, but you can also configure everything manually.

  1. In Network & Internet, for Wi-Fi networks go to Wi-Fi > Manage known networks and choose the network; for Ethernet, select the active connection.
  2. Under IP assignment, press Edit.
  3. Choose Automatic (DHCP) or Manual. Automatic lets the router manage IP and DNS; with Manual you can define the IP, mask, gateway and DNS servers.

If you want to protect DNS queries, Windows supports DNS over HTTPS. You have three modes available: Off (plain text), On with automatic template (discovers the configuration), or On with manual template (you define the DoH template). You can enable or disable the fallback to plain text: if enabled, the unencrypted query will only be made if HTTPS is not possible; if disabled, there will be no query if encryption fails.
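The manual IP assignment, DNS servers and DoH mode described above (with fallback to plain text disabled), plus the profile check from the previous section, as an added PowerShell example that is not part of the original article. The interface alias, addresses and the DoH template are assumptions; the resolvers must actually serve DoH at that template, or name resolution will stop working once fallback is off.

```powershell
# Assumed values for this example: change them to match your segment.
$Alias       = "Ethernet"
$Ip          = "192.168.1.50"
$Prefix      = 24
$Gateway     = "192.168.1.1"
$Dns         = @("192.168.1.10", "192.168.1.11")        # internal resolvers (assumed)
$DohTemplate = "https://dns.corp.example/dns-query"      # assumed DoH endpoint of those resolvers

# Profile check: on the Public profile Windows hides the host and keeps the firewall
# tighter; only switch to Private when the segment is trusted and sharing is needed.
$profile = Get-NetConnectionProfile -InterfaceAlias $Alias
if ($profile.NetworkCategory -eq "Public") {
    Write-Warning "$Alias is on the Public profile; switch to Private only on a trusted segment."
    # Set-NetConnectionProfile -InterfaceAlias $Alias -NetworkCategory Private
}

# Manual IP assignment: stop DHCP, clear the DHCP-assigned address and default route,
# then set address, gateway and DNS (what "Manual" under IP assignment does).
Set-NetIPInterface -InterfaceAlias $Alias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Dns

# DNS over HTTPS, manual template, fallback to plain text disabled:
# if the encrypted query fails, no unencrypted query is sent at all.
foreach ($server in $Dns) {
    $params = @{ ServerAddress = $server; DohTemplate = $DohTemplate
                 AllowFallbackToUdp = $false; AutoUpgrade = $true }
    if (Get-DnsClientDohServerAddress -ServerAddress $server -ErrorAction SilentlyContinue) {
        Set-DnsClientDohServerAddress @params
    } else {
        Add-DnsClientDohServerAddress @params
    }
}

# Verify: every configured resolver should show a DoH entry with fallback disabled.
Get-DnsClientDohServerAddress | Where-Object { $_.ServerAddress -in $Dns } |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
```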

Secure network settings in Windows

Network adapter optimization in Windows Server

Proper NIC tuning can make a difference under server loads: more throughput, less latency, and better CPU utilization. The optimal configuration depends on the adapter, the load, the hardware, and the objectives.

Enable network offloads such as TCP checksum offload, LSO, and RSS. These features hand work to the card and relieve the CPU, although on adapters with limited resources certain offloads could cap the sustainable peak; if that cap is acceptable, it is still advisable to enable them.

RSS distributes incoming traffic across multiple logical processors, which is key when there are fewer NICs than CPUs. Check the RSS profile (default NUMAStatic) and increase the number of queues if the adapter allows it, to improve parallelization.

If the driver allows adjusting resources, raise the receive and send buffers. Low RX buffer values cause packet loss and lower throughput, especially under heavy receive flows.

Regarding interrupt moderation, seek a balance. Fewer interrupts save CPU at the cost of latency; more interrupts reduce latency but consume CPU. If buffer coalescing is available, use it when native interrupt moderation is unavailable.

Microsecond-sensitive networks: reducing latency

For environments that measure latency in microseconds, it is advisable to tune the platform. Effective measures: set the BIOS to High performance and disable C-states (or let the OS manage power), set the system power plan to High performance (with the powercfg command if appropriate), enable static offloads (UDP/TCP checksums and LSO), enable RSS for multithreaded streams, and disable interrupt moderation if lower latency is paramount (at the expense of CPU).

Manage the NIC's interrupt and DPC affinity so that they share cache with the user thread that processes the packets. Using the same core for ISR, DPC and application can saturate it; distribute intelligently with RSS and affinity.

Be aware of SMIs (system management interrupts). They have the highest priority and can introduce spikes of more than 100 µs. If latency is critical, request a low-latency BIOS or one with minimized SMIs from your vendor; the OS cannot handle them.
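The offload, RSS, buffer and interrupt-moderation adjustments from this section and the previous one, as an added PowerShell example that is not part of the original article. The adapter alias and the advanced-property display names are assumptions: run Get-NetAdapterAdvancedProperty first, because names and permitted values differ between driver vendors.

```powershell
# Assumed adapter alias for this example.
$Nic = "Ethernet 2"
# Set to $true only on a microsecond-sensitive host willing to spend CPU for lower latency.
$LowLatency = $false

# 1. Offloads: checksum and LSO hand packet work to the card and free CPU cycles.
Enable-NetAdapterChecksumOffload -Name $Nic -IpIPv4 -TcpIPv4 -UdpIPv4
Enable-NetAdapterLso -Name $Nic -IPv4 -IPv6

# 2. RSS: spread receive processing across logical processors. Keep the NUMAStatic
#    profile and raise the queue count if the adapter supports it.
Set-NetAdapterRss -Name $Nic -Enabled $true -Profile NUMAStatic -NumberOfReceiveQueues 8 -MaxProcessors 8
Get-NetAdapterRss -Name $Nic | Select-Object Name, Enabled, Profile, NumberOfReceiveQueues, MaxProcessors

# 3. Buffers: low RX buffers drop packets under bursty receive load. Use the maximum the
#    driver advertises instead of hard-coding a value another NIC may reject.
function Set-AdvancedPropertyToMax {
    param([string]$AdapterName, [string]$DisplayName)
    $prop = Get-NetAdapterAdvancedProperty -Name $AdapterName -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $prop) { Write-Warning "$DisplayName is not exposed by this driver"; return }
    $max = $prop.NumericParameterMaxValue
    if ($max) {
        Set-NetAdapterAdvancedProperty -Name $AdapterName -DisplayName $DisplayName -DisplayValue $max
        "$DisplayName set to $max (was $($prop.DisplayValue))"
    }
}
Set-AdvancedPropertyToMax -AdapterName $Nic -DisplayName "Receive Buffers"
Set-AdvancedPropertyToMax -AdapterName $Nic -DisplayName "Transmit Buffers"

# 4. Interrupt moderation: keep it enabled for throughput-bound servers; disabling it
#    trades CPU for latency, as the article describes.
$imValue = if ($LowLatency) { "Disabled" } else { "Enabled" }
Set-NetAdapterAdvancedProperty -Name $Nic -DisplayName "Interrupt Moderation" -DisplayValue $imValue -ErrorAction SilentlyContinue

# 5. Platform power for the latency-sensitive case: the GUID is Windows' built-in
#    High performance plan.
if ($LowLatency) { powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c }

# Review the resulting state before putting the host back under load.
Get-NetAdapterAdvancedProperty -Name $Nic -DisplayName "Receive Buffers", "Transmit Buffers", "Interrupt Moderation" |
    Format-Table DisplayName, DisplayValue
```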

TCP receive window auto-adjustment

Windows dynamically negotiates the receive window size per connection to maximize throughput. It used to be fixed (65,535 bytes) and limited throughput; with auto-tuning, the stack adapts to latency and bandwidth.

For reference, throughput per connection is the TCP window in bytes divided by the latency (window × 1/RTT). Classic example: at 1 Gbps with 10 ms latency, a static window would give about 51 Mbps; with well-sized auto-tuning, the full 1 Gbps line can be used.

If the application does not define a window, Windows allocates one by link speed: below 1 Mbps it uses 8 KB, between 1 and 100 Mbps 17 KB, from 100 Mbps to 10 Gbps 64 KB, and at 10 Gbps or more 128 KB. This makes use of the link without touching the application.

Available levels: Normal (factor 0x8), Disabled (no scaling), Restricted (0x4), Highly Restricted (0x2) and Experimental (0xE). Packet captures will show WindowsScaleFactor with ShiftCount 8, none, 4, 2 or 14 respectively, typically with a negotiated window of 64K on the SYN according to the NIC bitrate.

You can check or change the level using PowerShell or netsh. Adjust the level to your scenario: Normal usually fits almost all, and Experimental is for extreme environments.

Filtering platform and obsolete parameters

The Windows Filtering Platform allows third-party software to inspect and filter traffic in the stack. It is key to security; however, poorly implemented filters degrade server performance, so validate and optimize them.

Older Windows Server 2003 values such as TcpWindowSize, NumTcbTablePartitions, and MaxHashTableSize are no longer used. Modern versions ignore them even if they appear in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters.
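The window-versus-latency rule from the auto-tuning section, the PowerShell way of setting the level, and a check for the obsolete registry values just mentioned, as an added PowerShell example that is not part of the original article. Throughput is computed in decimal megabits; the template name and registry path are the real ones, the sample figures are constructed.

```powershell
# Maximum throughput a single connection can reach with a given window and RTT
# (the article's rule: throughput = window / latency).
function Get-TcpWindowThroughputMbps {
    param([int]$WindowBytes, [double]$RttMs)
    return [math]::Round(($WindowBytes * 8) / ($RttMs / 1000) / 1e6, 1)
}

# Window a connection needs to fill a link: the bandwidth-delay product.
function Get-RequiredWindowBytes {
    param([double]$LinkMbps, [double]$RttMs)
    return [int](($LinkMbps * 1e6 / 8) * ($RttMs / 1000))
}

"Static 65535-byte window at 10 ms RTT: $(Get-TcpWindowThroughputMbps 65535 10) Mbps"
"Window needed to fill 1 Gbps at 10 ms RTT: $(Get-RequiredWindowBytes 1000 10) bytes"

# Inspect the auto-tuning level per template and set it on a custom template
# (only the *Custom templates are writable; Normal fits almost all scenarios).
Get-NetTCPSetting | Select-Object SettingName, AutoTuningLevelLocal | Format-Table
Set-NetTCPSetting -SettingName InternetCustom -AutoTuningLevelLocal Normal
# netsh equivalent for the global level:  netsh interface tcp set global autotuninglevel=normal

# Audit: flag Windows Server 2003-era values that the modern stack ignores but that
# mislead troubleshooting when someone "tunes" them expecting an effect.
function Get-ObsoleteTcpipParameters {
    $key      = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    $obsolete = @("TcpWindowSize", "NumTcbTablePartitions", "MaxHashTableSize")
    $props    = Get-ItemProperty -Path $key
    foreach ($name in $obsolete) {
        if ($null -ne $props.$name) {
            [pscustomobject]@{
                Name   = $name
                Value  = $props.$name
                Status = "ignored by modern Windows; remove to avoid confusion"
            }
        }
    }
}
Get-ObsoleteTcpipParameters | Format-Table -AutoSize
```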

Network maintenance: definition, advantages and challenges

Network maintenance involves checking and ensuring that network hardware, software, configuration, performance, and security are in good condition, identifying and resolving faults or risks. It is a continuous process that prevents interruptions, strengthens protection and ensures business continuity.

Clear benefits: improved connectivity and collaboration, greater protection against breaches, savings by sharing resources and reducing downtime, mobility with wireless devices, and a better user experience due to lower latency and greater availability. It all adds up for more efficient operations.

Common challenges: compatibility after updates, growth and scalability, uncertified maintenance teams, human error, and managing old, unsupported hardware. Planning and training are essential to mitigate them.

A network connects devices to share data and resources using protocols over wired or wireless media. Data travels in packets. Switches manage traffic within the network and routers between networks, looking for efficient routes.

Most common network types by range: LAN (office or building), PAN (nearby devices), MAN (metropolitan area) and WAN (large area, even countries). Each type involves different requirements and risks.

Key benefits of well-executed maintenance

In addition to the technical aspects, solid maintenance impacts continuity and results: high availability thanks to reviews and prevention, fewer incidents, optimized hardware and software, and improved regulatory compliance through controls and audits.

Step-by-step plan to maintain the network

1) Preparation: evaluate the architecture and current state, review diagrams and recent changes, and check that all documentation (topologies, configurations, vendor data) is up to date.

2) Security: audit firewalls and IPS, update antivirus and antimalware, and apply patches using a management system that automates and verifies the process. Also search for vulnerabilities and misconfigurations.

3) Hardware and software: monitor the health of servers and routers (memory, CPU, disk, errors), and validate the correct configuration of switches and access points for optimal operation.

4) Performance: analyze bandwidth and traffic patterns to detect bottlenecks and keep latency within acceptable thresholds, adjusting where necessary.

5) Backups and recovery: verify that backups are complete and up to date, review the disaster recovery plan and adapt it to new systems or changes, and consult a guide to repairing your system after a virus.

6) Documentation: update documents with all changes made (configurations, patches) and record incidents with their cause, resolution and lessons learned.

Third-party support: typical services

Having a specialized third-party maintenance (TPM) provider can strengthen your hardware and availability strategy. Its services typically cover corrective repair, 24x7 support, global coverage, quality refurbished spare parts, and multi-brand expertise.

  • Corrective maintenance: certified technicians diagnose and repair faults or at-risk components.
  • 24/7 support: remote and on-site assistance at any time to minimize downtime.
  • Global reach: presence in numerous countries to provide service wherever your company is located.
  • High-quality spare parts (SpaaS): refurbished parts that reduce costs and promote a circular economy.
  • Multi-brand experience: support for different manufacturers and models, even those not listed in the catalog.

Detection and Response: From EDR to XDR

Total prevention is not possible, and the response is critical. EDR provides visibility and endpoint response, but it usually leaves out network devices, storage, printers, BYOD, cloud or IoT, and does not see vectors like email at the OS layer.

To fill these gaps, domain-specific solutions are emerging, and, in an integrated way, XDR aims to unify detection and response across endpoints, network, and cloud. The concept is still maturing: there is debate about log ingestion, threat intelligence, analytics, and automation.

Adopting XDR requires a long-term strategy, choosing the right providers, and starting with the most established component (usually EDR) before expanding coverage to network and cloud. Machine learning already complements signatureless detection and can accelerate investigations.

Reference design: Secure Windows infrastructure for enterprise

Imagine you need a mail system, a public website, user file storage, production and test databases (not exposed to the Internet) and two applications (client-server and web) with prod and test environments. A zoned design with redundancy and segmentation is the foundation.

  • Zones and network: Internet, DMZ (exposed services), internal production network, internal test/lab network, management network, and backup network. Segment into VLANs, apply ACLs between segments, and protect flows with a perimeter firewall and an internal firewall, plus a WAF in front of public web applications.
  • Identity and foundations: 2 domain controllers (AD DS) per site, with integrated DNS and redundant DHCP (or reservations in the core). Synchronize time and apply group policies for hardening. Identity is the layer that supports everything else.
  • E-mail: 2 mailbox servers (Exchange) in a DAG on the internal network and 1-2 Edge Transport servers in the DMZ for secure relay, or a cloud service with secure connectors. Filter spam and malware at the perimeter and apply TLS for transport.
  • Public website: 2 IIS servers in the DMZ behind a load balancer and WAF, with TLS 1.2 or higher and robust ciphers. No direct access to internal databases; all exposed logic must be stateless and deployed via CI/CD.
  • File storage: 2 clustered file servers (SOFS/DFS-R) with quotas, deduplication and copies over the backup network. Control permissions with ACLs and label sensitive data.
  • Databases: production with 2 SQL Server nodes in an Always On AG, and testing on 1–2 separate, isolated instances in a lab VLAN. No links from the Internet or DMZ to these DBs.
  • Internal applications: 2 servers for the internal web app and 2 for the client-server app (pools per prod and per test), all connected to their databases via VLAN and restricted ports. Restrict traffic to the minimum (port and source/destination).
  • Management and security: 2 AAA/RADIUS (NPS) servers for admins and Wi-Fi, a SIEM for logs, IDS/IPS, WSUS and a monitoring platform. Backups on a separate network with retention and periodic restore testing.
  • Additional controls: VPN with MFA for remote administration, jump servers, service hardening, and East-West segmentation with micro-segmentation where appropriate. The goal is to limit lateral movement and contain incidents.
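The "restricted ports by source/destination" rule of the reference design applied on a production SQL Server node with the Windows host firewall, as an added PowerShell example that is not part of the original article. The VLAN subnets, partner node address and rule names are assumptions; the AG endpoint port 5022 is the conventional default and is assumed here.

```powershell
# Assumed addressing for the reference design.
$AppVlan  = "10.20.10.0/24"   # internal application servers (prod)
$MgmtVlan = "10.20.99.0/24"   # management network / jump servers
$DmzVlan  = "10.10.0.0/24"    # exposed services; must never reach the DB tier
$Partner  = "10.20.20.12"     # second SQL node of the Always On AG
$SqlPort  = 1433
$Group    = "Reference design - SQL tier"

# Remove earlier rules of this group so the script can be re-run safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Allow only what the design needs, scoped by source network and port.
New-NetFirewallRule -DisplayName "SQL $SqlPort from app VLAN" -Group $Group -Direction Inbound `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress $AppVlan -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName "AG endpoint from partner node" -Group $Group -Direction Inbound `
    -Protocol TCP -LocalPort 5022 -RemoteAddress $Partner -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName "RDP from management VLAN" -Group $Group -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtVlan -Action Allow -Profile Domain

# Explicit block for the DMZ: Windows Firewall evaluates Block rules before Allow rules,
# so this still wins if someone later adds an overly broad allow rule.
New-NetFirewallRule -DisplayName "Block all from DMZ" -Group $Group -Direction Inbound `
    -RemoteAddress $DmzVlan -Action Block -Profile Any

# Default-deny inbound on every profile: anything not allowed above is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# Audit helper: which enabled inbound Allow rules expose which ports to which sources.
function Get-InboundAllowSummary {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule = $_.DisplayName
            Port = ($port.LocalPort -join ",")
            From = ($addr.RemoteAddress -join ",")
        }
    }
}
# Anything reaching the SQL port from "Any" here is a segmentation finding.
Get-InboundAllowSummary | Where-Object { $_.Port -eq "$SqlPort" } | Format-Table -AutoSize
```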

Infrastructure security best practices (Zero Trust model)

A secure architecture adds perimeter and internal layers with segmentation by function. Zero Trust assumes that no request is trustworthy from the outset and requires verifying each access with consistent policies.

Integrity and configuration: verify OS and firmware hashes before and after updating, for example with verify /sha512 <PATH:filename>. Implement change control, compare with recent copies, and remove unnecessary files or old versions with delete <PATH:filename>. Ensure changes persist with copy running-config startup-config on network equipment.

Updates: maintain stable and supported versions of software and firmware, planning hardware upgrades when manufacturer support expires. Without known patches applied, the risk skyrockets.

Centralized AAA: configure two AAA servers for high availability and use robust pre-shared keys. Example: aaa group server radius <GROUP_NAME> followed by server-private <IP_ADDRESS_1> key <KEY_1> and server-private <IP_ADDRESS_2> key <KEY_2>. Centralizing simplifies administration and provides traceability.

Accounts and passwords: remove default and shared accounts, create unique users, and use secure hashing for storage, for example username <NAME> algorithm-type sha256 secret <PASSWORD>. Use strong passwords of 15+ characters with uppercase letters, lowercase letters, numbers and symbols, unique per device and role, and change them when there are indications of compromise.

Secure remote administration: disable Telnet and HTTP, migrate SNMP to v3 (example: no snmp-server community and no snmp-server host), force SSH v2 (ip ssh version 2) and HTTPS (ip http secure-server). Generate robust keys with crypto key generate rsa modulus 3072 and use approved cipher suites.

Restrict access to services: limit the sources with ACLs, for example access-list 10 permit 192.168.1.0 0.0.0.255, and apply them to the VTY lines with access-class 10 in. Reduce the surface area to the essentials.

Sessions and inactivity: configure timeouts (ip ssh time-out 300 and exec-timeout 5 0) and enable TCP keepalives (service tcp-keepalives-in and service tcp-keepalives-out). This avoids orphaned sessions and session hijacking.

Block session chaining: prevent outgoing connections from administrative sessions with transport output none on the VTY lines. This restricts pivoting from management devices.

Routes and interfaces: disable source routing (no ip source-route), enable uRPF (ip verify unicast source reachable-via rx) and authenticate routing protocols: OSPF with area 0 authentication message-digest and BGP with neighbor <IP_ADDRESS> password <PASSWORD>. This prevents spoofed routes and impersonation.

Secure Layer 2: disable dynamic trunking by configuring switchport mode access and switchport nonegotiate when a trunk is not required. Apply port security (switchport port-security, maximum 2, violation shutdown), shut down unused ports (interface range ... followed by shutdown) and disable CDP where it is not needed (no cdp enable). Control who connects on each port.

Warning banners: add legal notices before login with banner login and MOTD messages, for example: banner login # Acceso solo a usuarios autorizados. Actividad monitorizada. #. Save changes with write memory and verify legal compliance with your legal team.

Monitoring and auditing: record accesses (successful and failed) and periodically review the logs looking for anomalous patterns. A SIEM will help you correlate events in real time.
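A way to turn the device-hardening items of this section into a repeatable check: an added PowerShell example (not part of the original article) that reads a saved running-config and reports which controls are missing. The configuration text below is constructed for the example and the check list covers only items the section names; the regexes assume standard IOS syntax and one-space indentation under line vty.

```powershell
# Constructed sample running-config (partially hardened on purpose).
$sample = @"
version 15.2
hostname edge-rtr
service tcp-keepalives-in
no ip source-route
ip ssh version 2
ip http secure-server
snmp-server community public RO
aaa group server radius CORP-RADIUS
 server-private 10.20.99.10 key 7 0822455D0A16
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"@

# Each check: a line pattern that must appear (Required) or must not (Forbidden), plus the fix.
$Checks = @(
    @{ Name = "Source routing disabled";  Required  = '^no ip source-route$';          Fix = "no ip source-route" },
    @{ Name = "SSH v2 forced";            Required  = '^ip ssh version 2$';            Fix = "ip ssh version 2" },
    @{ Name = "HTTPS for management";     Required  = '^ip http secure-server$';       Fix = "ip http secure-server" },
    @{ Name = "Plain HTTP disabled";      Required  = '^no ip http server$';           Fix = "no ip http server" },
    @{ Name = "TCP keepalives (in)";      Required  = '^service tcp-keepalives-in$';   Fix = "service tcp-keepalives-in" },
    @{ Name = "TCP keepalives (out)";     Required  = '^service tcp-keepalives-out$';  Fix = "service tcp-keepalives-out" },
    @{ Name = "VTY access-class";         Required  = '^\s+access-class \d+ in$';      Fix = "access-class 10 in (under line vty)" },
    @{ Name = "VTY exec-timeout";         Required  = '^\s+exec-timeout \d+ \d+$';     Fix = "exec-timeout 5 0 (under line vty)" },
    @{ Name = "No outbound from VTY";     Required  = '^\s+transport output none$';    Fix = "transport output none (under line vty)" },
    @{ Name = "Login banner present";     Required  = '^banner login ';                Fix = "banner login # ... #" },
    @{ Name = "No SNMP v1/v2c community"; Forbidden = '^snmp-server community ';       Fix = "no snmp-server community <name>; migrate to SNMPv3" },
    @{ Name = "No Telnet on VTY";         Forbidden = '^\s+transport input .*telnet';  Fix = "transport input ssh" }
)

function Test-IosHardening {
    param([string]$ConfigText, [array]$Checks)
    $lines = $ConfigText -split "`r?`n"
    foreach ($c in $Checks) {
        $pattern = if ($c.Required) { $c.Required } else { $c.Forbidden }
        $hit = $lines | Where-Object { $_ -match $pattern }
        $ok  = if ($c.Required) { [bool]$hit } else { -not $hit }
        [pscustomobject]@{
            Check  = $c.Name
            Status = $(if ($ok) { "PASS" } else { "FAIL" })
            Fix    = $(if ($ok) { "" } else { $c.Fix })
        }
    }
}

# On the sample this fails on: plain HTTP, keepalives-out, transport output none,
# the login banner and the SNMPv2c community string.
Test-IosHardening -ConfigText $sample -Checks $Checks | Format-Table -AutoSize
```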

Quick Glossary

AAA: authentication, authorization, and accounting to control who accesses, what they can do, and what is recorded.

Zero Trust: model that verifies each access, assuming that there may be threats both inside and outside the network.

uRPF: verification that the source address is reachable via the receiving interface, useful against IP spoofing. It filters illegitimate traffic at the edge.

With a balanced combination of Windows tuning, adapter optimization, layered security controls, intelligent segmentation, a redundant Windows services design, and a disciplined maintenance program, your network infrastructure remains stable, fast, and secure, prepared to scale and respond to incidents without losing momentum.
