Windows Firewall: Cannot establish Network Isolation - Require Inbound Require Outbound for Domain Controller

Victor Mosley 0 Reputation points
2023-02-16T08:59:22+00:00

I have a Domain Controller, and I wish to establish network Isolation with Windows Firewall, Connection Security Rules.

When the DC Authentication is set to Request Inbound, Request Outbound, using the Default method,

And the workstation Authentication is set to Require Inbound, and Request Outbound using the Default method,

Then the connection works, I can see in Windows Firewall > Monitoring > Security Associations > Main and Quick mode that there are connections.

However, when DC Authentication is set to Require Inbound, Require Outbound, using the Default method, I cannot see any connections in the Main and Quick modes.

So, I don't see what security I gain when the DC is using Request Inbound, Request Outbound, because any workstation can connect to it, even if that workstation has no connection security rule.

I think in order to get Network Isolation for the DC, the Authentication needs to be set at Require Inbound Require Outbound. Am I correct?

And I think that IPSEC is optional and has nothing to do with Network Isolation, correct?

I am just hoping that Network Isolation is achievable, it seems to promise that nobody outside the domain can talk to the DC. Hence, no data leaks, no RATs etc.


3 answers

  1. Gary Nebbett 6,216 Reputation points
    2023-02-17T10:19:22.0433333+00:00

    Hello Victor,

    Here are some of my thoughts on your post; feel free to ask follow-up questions.

    IPsec is not optional - connection security rules depend on the IKEv1 and AuthIP protocols to negotiate cryptographic parameters and keys ("security associations") and IPsec (normally ESP (Encapsulating Security Payload) but perhaps also AH (Authentication Header)) to use/carry the authentication information in each packet.

    "Require inbound and outbound" authentication of a system will cut it off from other systems not under your control such as software updates, time synchronization, etc. - this needs to be a well-considered setting.

    Whether authentication is requested or required should not affect the creation of Main and Quick Mode security associations. If authentication is requested or required then an attempt will be made to negotiate security associations; "required" just means that traffic not sent over IPsec will be rejected (with a few "infrastructure" exemptions, such as IKEv1/AuthIP, ICMP and a few others).

    "Request inbound and outbound" authentication is useful for testing connection security rules without unintentionally breaking connectivity and can also be useful to provide additional security (integrity/privacy) between cooperating systems.

    Gary

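    A PowerShell walk-through of the staged approach Gary describes: start with Request so nothing breaks, confirm that Main Mode and Quick Mode security associations are actually being negotiated, exempt infrastructure peers that cannot do IPsec, and only then move the DC to Require. This is an added example, not code from the thread or from Microsoft; the rule names, the peer address and the exempted address are placeholders.

    ```powershell
    # Added example (not from the thread). Run in an elevated PowerShell prompt on
    # the DC; the NetSecurity module ships with Windows Server. Names/addresses below
    # are placeholders.

    # 1. Stage 1: Request in both directions. Peers with a matching connection
    #    security rule negotiate IPsec; peers without one still connect in clear.
    $ruleName = 'DC-Isolation'   # placeholder display name
    New-NetIPsecRule -DisplayName $ruleName `
        -InboundSecurity Request -OutboundSecurity Request `
        -Profile Domain -Enabled True
    # Phase1AuthSet/Phase2AuthSet are omitted, so the rule uses the default
    # authentication method (computer Kerberos in a domain), as in the question.

    # 2. Verify negotiation. These are the same objects the console shows under
    #    Monitoring > Security Associations > Main Mode / Quick Mode.
    function Test-IPsecPeer {
        param([Parameter(Mandatory)][string]$PeerAddress)
        $mm = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $PeerAddress }
        $qm = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $PeerAddress }
        [pscustomobject]@{
            Peer      = $PeerAddress
            MainMode  = @($mm).Count   # 0 here means the peer never authenticated
            QuickMode = @($qm).Count   # 0 here means no ESP/AH SA carries its traffic
        }
    }
    Test-IPsecPeer -PeerAddress '10.0.0.25'   # placeholder workstation address

    # 3. Authentication exemption for a peer that cannot speak IPsec (e.g. an
    #    external time source), so Require does not cut the DC off from it.
    New-NetIPsecRule -DisplayName 'Exempt-Time-Source' `
        -RemoteAddress 203.0.113.10 `      # placeholder address
        -InboundSecurity None -OutboundSecurity None `
        -Profile Domain -Enabled True

    # 4. Stage 2: once every expected peer shows Main/Quick Mode SAs, switch to
    #    Require. From now on non-IPsec traffic (other than IKE/AuthIP and the
    #    exemptions above) is dropped, which is the isolation the question asks for.
    Set-NetIPsecRule -DisplayName $ruleName `
        -InboundSecurity Require -OutboundSecurity Require

    # Roll back to Request if a peer drops off unexpectedly:
    # Set-NetIPsecRule -DisplayName $ruleName -InboundSecurity Request -OutboundSecurity Request
    ```

    Compare the output of Test-IPsecPeer before and after step 4: a peer that showed SAs in Request mode keeps working in Require mode, while one with zero SAs is the peer that will lose connectivity.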

  2. Victor Mosley 0 Reputation points
    2023-02-18T23:29:13.1433333+00:00

    Hi Gary,

    Surely IPSec is optional. If not, why is it offered as a checkbox? And also, I was able to connect the client to the PDC without it. And Main Mode and Quick Mode show traffic.


  3. Victor Mosley 0 Reputation points
    2023-02-22T02:30:03.2+00:00

    OK. I get it. Just like TCPIP4 in Network Adapter Properties is a checkbox, which allows you to uncheck it, it is a required item always. So IPSEC is required.

