Share via


Checklist: Configuring Rules for an Isolated Server Zone

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see Checklist: Implementing a Standalone Server Isolation Policy Design.

In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or computers who are authenticated members of a network access group (NAG). Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access in IPsec only to computers that are members of the NAG, because IPsec and IKE in those versions of Windows do not support user-based authentication. If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer.

Computers that are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 can identify both computers and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. For more information, see “AuthIP in Windows Vista” (https://go.microsoft.com/fwlink/?linkid=69843).

The way in which you configure these rules and settings depends on whether the computers to which the GPO applies are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 or an earlier version of Windows.

The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server.

In this topic:

  • Creating rules for Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

  • Creating rules for Windows XP, Windows Server 2003, and Windows 2000

Checklist: Configuring rules for isolated servers for computers running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Note

The GPOs for computers running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 7, make a copy of it for Windows Server 2008 R2, and then follow the steps in this checklist to make the few required changes to the copy.

  Task Reference

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone.

Copy a GPO to Create a New GPO

Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Exempt ICMP from Authentication on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Configure the key exchange (main mode) security methods and algorithms to be used.

Configure Key Exchange (Main Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption.

Configure Data Protection (Quick Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Configure the authentication methods to be used.

Configure Authentication Methods on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Create an Authentication Exemption List Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Create a rule that requests authentication for all network traffic.

Important
Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

Create an Authentication Request Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone.

Create a Group Account in Active Directory

Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG.

Restrict Server Access to Members of a Group Only

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Link the GPO to the Domain

Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.

Add Test Computers to the Membership Group for a Zone

Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.

Checklist: Creating rules for isolated servers for computers running Windows XP, Windows Server 2003, or Windows 2000

Note

The GPOs for computers running Windows Server 2003, Windows XP, and Windows 2000 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy. For example, create and configure the GPO for Windows XP, create a copy of it for Windows Server 2003, and then follow the steps in this checklist to make the few required changes to the copy.

  Task Reference

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to ensure that it is constructed in a way that meets the needs of the server isolation zone.

Copy a GPO to Create a New GPO

Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Add registry settings that optimize IPsec behavior to the GPO.

Configure Settings to Optimize IPsec Behavior on Earlier Versions of Windows

Create a new IP Security policy in the GPO.

Important
If IPsec policies exist, do not modify them. They are links to the IPsec policies available to all GPOs. Changes made to one will affect all GPOs that use that IPsec policy.

Create a New IP Security Policy in a GPO for Earlier Versions of Windows

Configure the key exchange (main mode) security methods and algorithms to be used.

Configure Key Exchange (Main Mode) Settings on Earlier Versions of Windows

Create IP filter lists for ICMP traffic, the exemption list, and all other inbound IP traffic.

Create Filter Lists for Isolated Domain Computers and Isolated Servers Running Earlier Versions of Windows

Create filter actions to allow traffic, request authentication, and require authentication and, optionally, encryption.

Create Filter Actions on Earlier Versions of Windows

Combine the filter lists and filter actions into the rules required for an isolated server zone.

Create IPsec Rules for an Isolated Domain on Earlier Versions of Windows

Assign the IPsec policy to your GPO.

Assign an IPsec Policy to a GPO for Earlier Versions of Windows

Grant the Access this computer from the network user right to only computers or users who are authenticated members of the NAG.

Restrict Server Access to Members of a Group Only

Add your test computers to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.

Add Test Computers to the Membership Group for a Zone

Verify that the IPsec rules are protecting your network traffic.

Verify That Network Traffic Is Authenticated

Do not change the rules for any of your zones to require authentication until all of the zones have been configured and are operating correctly.

Now follow the steps in Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone. When you have finished the tasks in that checklist, you should have at least one computer in the client membership group that you can use to test your ability to connect to servers in the isolated server zone.