Server and Domain Isolation Using IPsec and Group Policy

Published: March 17, 2005   |   Updated: July 24, 2006


Download this Solution Accelerator

Click here for Server and Domain Isolation Using IPSec and Group Policy.

About This Solution Accelerator

This guide is designed to support a server and domain isolation solution through all stages of the IT life cycle, starting at the initial evaluation and approval phase and continuing through to deployment, testing, and management of the completed implementation

The advent of wireless networks and wireless connection technologies has made network access easier than ever. This increased connectivity means that domain members on the internal network are increasingly exposed to significant risks from other computers on the internal network, in addition to breaches in perimeter security.


Figure 1.1 Infrastructure areas and network defense layers


The concept of logical isolation this guide presents embodies two solutions—server isolation to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members, and domain isolation to isolate domain members from untrusted connections. These solutions can be used separately or together as part of an overall logical isolation solution.

At its core, server and domain isolation enables IT administrators to restrict TCP/IP communications of domain members that are trusted computers. These trusted computers can be configured to allow only incoming connections from other trusted computers or a specific group of trusted computers. Active Directory Group Policy centrally manages the access controls that control network logon rights. Nearly all TCP/IP network connections can be secured without application changes, because Internet Protocol security (IPSec) works at the network layer below the application layer to provide authentication and per-packet security, end-to-end between computers. Network traffic can be authenticated, or authenticated and encrypted, in a variety of customizable scenarios.

Included in the Download

The Server and Domain Isolation Using IPSec and Group Policy Accelerator includes the following components:

  • Server and Domain Isolation Using IPSec and Group Policy.doc
  • Server and Domain Tools and Templates

In More Detail

Chapter 1: Introduction to Server and Domain Isolation

This chapter introduces server and domain isolation using IPSec and Group Policy and includes a brief overview of each chapter. The chapter also outlines the Woodgrove Bank scenario used throughout the guide.

Chapter 2: Understanding Server and Domain Isolation

This chapter is designed for technical decision makers and technical architects who will be responsible for designing a customized server and domain isolation solution for an organization. It describes how to identify trusted computers, provides a terminology refresher, and considers how to deploy server and domain isolation.

Chapter 3: Determining the Current State of Your IT Infrastructure

This chapter provides information about obtaining the information necessary to plan for and deploy a server and domain isolation solution. It discusses the process of understanding and documenting the computers that might function as "trusted" computers within the solution.

Chapter 4: Designing and Planning Isolation Groups

This chapter provides complete guidance for defining isolation groups that fulfill the business security requirements discussed in Chapter 2. The Woodgrove Bank scenario demonstrates the essential details of how an organization can turn its security requirements into deployed isolation groups.

Chapter 5: Creating IPSec Polices for Isolation Groups

This chapter provides instructions for implementing the server and domain isolation design. It provides complete guidance for applying the security requirements of domain isolation and the server isolation groups designed in Chapter 4..

Chapter 6: Managing a Server and Domain Isolation Environment

This chapter provides guidance for managing a server and domain isolation solution after it has been successfully deployed into a production environment. The information provided in this chapter is designed for developing well-documented and well-communicated solution management processes.

Chapter 7: Troubleshooting IPSec

This chapter provides information about how to troubleshoot IPSec, such as server and domain isolation scenarios, and is based on the experience of the Microsoft IT team. Whenever possible, this chapter refers to existing Microsoft troubleshooting procedures and related information.

Appendix A: Overview of IPSec Policy Concepts

This appendix provides a detailed overview of IPSec terms, processes, and concepts. It is designed to provide the prerequisite level of understanding for IPSec as described in this guide.

Appendix B: IPSec Policy Summary

This appendix provides a concise listing of information about all policy settings for the isolation groups used in the IPsec solution.

Appendix C: Lab Build Guide

This appendix provides complete guidance for building the required infrastructure to support isolation groups that use IPSec. It also provides the instructions that are used to implement the baseline IPSec policy for the Woodgrove Bank scenario that is presented throughout this guide.

Appendix D: IT Threat Categories

This appendix provides a list of potential threats and attacks that can affect an organization and explains how a server and domain isolation solution can help mitigate them.

Tools and Templates

The downloadable version of this guide includes scripts and additional tools to make it easier for your organization to implement an IPSec policy.

Related Resources

See other Solution Accelerators that focus on security at the Security Solution Accelerators site on Microsoft TechNet.

Community and Feedback

About Solution Accelerators

Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.

Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as

  • Communication & Collaboration
  • Security, Data Protection, & Recovery
  • Deployment
  • Operations & Management

Download This Accelerator

Click here for Server and Domain Isolation Using IPSec and Group Policy.