Introduction to Server and Domain Isolation
Applies To: Windows Server 2008, Windows Vista
This paper is organized as follows:
About server and domain isolation
Server and domain isolation solutions
Related documents
Additional references
The proliferation of networking technologies poses additional opportunities and risks. The same ease of connectivity that allows users to access networked resources at any time from almost anywhere also allows malicious programs (such as viruses and worms) and malicious users to attack computers or their resources with the same ease. Although your company needs to allow access to resources, this access should be permitted to authenticated and authorized users and computers only. Protecting your network requires a layered defense-in-depth security model. Your network must be isolated, not only from the Internet, but also from unauthorized and unmanaged computers on your intranet.
With the Microsoft® Windows® operating systems, you can isolate your domain and server resources to limit access to authenticated and authorized computers. For example, you can create a logical network consisting of computers that share a common Windows-based security framework and a set of requirements for secure communication. Each computer on the logically isolated network can provide authentication credentials to the other computers on the isolated network to prove membership. Requests for communication that originate from computers that are not part of the isolated network are ignored.
Network isolation is based on the Internet Protocol security (IPsec) and Windows Firewall with Advanced Security suite of security protocols. Windows-based isolated networks do not require ongoing maintenance based on changes in network topology or computers moving to different switch ports. The result is an isolated network that leverages your existing Windows infrastructure with no additional costs associated with network reconfiguration or hardware upgrades.
Figure 1 shows an example of an isolated network.
In Figure 1, the entire organization network is isolated from the Internet by a firewall, a proxy server, or some other type of security system. A subset of the network's computers is located on the isolated network. The computers on the isolated network are protected from the other computers on the organization network.
For example, many types of viruses and worms cannot propagate into an isolated network. Malicious users and software from outside the isolated network cannot successfully attack isolated network computers because they lack the authentication credentials with which to establish communication.
The security requirements of the isolated network can optionally include data encryption. By requiring data encryption for the traffic exchanged between isolated network members, you can satisfy business partner and regulatory requirements to encrypt data when it traverses a network.
This section is organized as follows:
Prerequisites for server and domain isolation
Active Directory Domain Services
Domain isolation
Server isolation
To create an isolated network, you need to separate the various types of computers on the organization network according to the type of access you want the computers to have.
The communication requirements are the following:
Computers on the isolated network can initiate communication with any computer (whether that computer is on the isolated network or not).
Computers that are not on the isolated network:
Can initiate communication with computers that are not on the isolated network.
Cannot initiate communication with computers on the isolated network.
Computers on the isolated network will ignore all requests to initiate communication from computers that are not on the isolated network.
To create an isolated network, you must have the following:
Authentication credentials
The computers on the isolated network use security credentials when initiating communications to authenticate themselves (prove their identity) to other computers on the isolated network.
Network policy settings
The computers on the isolated network use network policy settings to require authentication for incoming communication requests, to secure communications and, if needed, to provide encryption.
With a single authentication infrastructure and policy distribution mechanism, you can:
Implement server and domain isolation
Create a Windows-based network
Configure and manage your network from a single location
By leveraging Active Directory® Domain Services (AD DS) domain membership and Group Policy settings, everything that is required to create an isolated network is available on computers running the following operating systems:
Windows Vista®
Windows Server® 2008
Microsoft® Windows® XP
Microsoft® Windows Server® 2003
Microsoft® Windows® 2000 Server
When joining an Active Directory domain, the computer is issued a set of credentials. On an ongoing basis after joining the domain, the computer receives centrally configured network policies through Group Policy. Network administrators use Group Policy to distribute computer and user settings to the member computers of an Active Directory domain. With the appropriate Group Policy settings to require authentication before communication, a domain member computer sends its credentials to authenticate a communication attempt, which can then be verified by any domain controller.
After you have added computers as members of your domain, you must configure the appropriate Group Policy settings to:
Require authentication for incoming communication attempts.
Secure data traffic.
Encrypt data traffic (optional).
After you have configured and applied the appropriate Group Policy settings, you add a new computer to the isolated network by making it a member of the Active Directory domain.
Figure 2 shows an example of an isolated network using an Active Directory domain.
In Figure 2, the computers on the isolated network are members of an Active Directory domain. This includes computers that are locally connected to the organization network (through wireless or wired LAN connections, for example) and computers that are remotely connected to the organization network, through a remote access dial-up connection or a virtual private network (VPN) connection across the Internet (not shown). The computers on the organization network that are not part of the isolated network include stand-alone computers running Windows (such as those that are members of workgroups or other untrusted domains) and other computers that do not support Active Directory, such as Apple Macintosh computers or UNIX-based computers.
If business operational requirements exist, options are available to enable non-Windows hosts to participate in the isolated network. For example, workstations and departmental servers running Linux, Mac OS X, and Solaris can be configured to communicate directly with an isolated domain. Alternatively, using Network Policy Server (NPS) as a Windows Firewall with Advanced Security proxy, communication to isolated domains can also be configured for systems that do not natively support Windows Firewall with Advanced Security or for mainframes for which Windows Firewall with Advanced Security is not normally implemented.
Server and domain isolation provides an extra layer of security and access control that complements other host- and network-based security technologies, such as antivirus, anti-spyware, firewall, 802.1X and intrusion detection, to enable greater resiliency in the presence of network security threats. This solution extends the value of Active Directory and Group Policy. Logical isolation Group Policy settings are created, distributed, and managed centrally using Active Directory Group Policy, and authentication uses existing Active Directory-based credentials (e.g. Kerberos or security certificates). This solution also results in a zero-touch deployment experience for IT administrators, and an unchanged experience for end users. No additional end-user training is required; nor is there a need to install new software or visit each computer during deployment.
After you have deployed an Active Directory domain, you can configure server and domain isolation.
To isolate a domain, you use an Active Directory domain and domain membership to enforce the following network policy: domain member computers accept only authenticated and secured communications from other domain member computers. This network policy isolates domain member computers from non-domain-member computers. With domain isolation, the isolated network consists, in the majority of cases, of the set of computers that belong to an Active Directory domain, as Figure 2 shows.
To configure domain isolation, use Group Policy settings to require that all incoming communication requests be authenticated using Active Directory, while still allowing domain member computers to initiate unprotected communications with non-domain-member computers. Optionally, you can require that all communication within the isolated domain be encrypted. You can also configure exemptions so that specific trusted computers that are not domain members can initiate unprotected communications with domain member computers.
Domain Isolation provides many benefits by:
Restricting incoming communications to domain member computers.
Domain member computers use their domain credentials to authenticate communication attempts and network policy settings to secure traffic with each other. This helps mitigate the risk that rogue or unmanaged devices exploit potentially unpatched vulnerabilities, propagate malicious software (malware) threats such as viruses, worms or spyware, or disrupt business operations through denial-of-service attacks. Non-domain-member computers do not have domain credentials and, therefore, cannot authenticate communication attempts with protected computers.
Supplementing other security mechanisms designed to prevent unwanted communications.
Domain isolation provides end-to-end security that supplements the security mechanisms already deployed on your network, providing defense-in-depth. For example, if you deployed domain isolation and your firewall was compromised, malicious Internet users could not directly initiate communications with protected computers.
Encouraging domain membership.
By placing critical organization servers, such as database servers, on the isolated network, you prevent users on the organization network from connecting to them from a non-domain-member computer. To receive valid domain credentials for communicating with organization servers, computers must be joined to the domain. After a computer has been joined to the domain, you can manage it in other ways, such as by ensuring that it has the latest operating system and antivirus updates. These proactive measures also help increase system reliability and security, while reducing the risk of network-based attacks and lowering ongoing maintenance costs.
Securing traffic between domain member computers.
Traffic sent between domain member computers is secured so that the receiving computer can verify that an authenticated computer sent the packet and that the packet was not modified in transit. Optionally, the traffic between domain member computers can be encrypted, providing protection from malicious users on your organization network who attempt to capture and interpret network traffic.
For more information about domain isolation, see "Domain Isolation with Microsoft Windows Explained" (https://go.microsoft.com/fwlink/?LinkId=94632).
To isolate a specific server or servers, sensitive data, and associated clients, you use an Active Directory domain and domain membership to enforce the following network policy: specific server computers that are domain members accept authenticated and secured communications only from other domain member computers. This network policy isolates specific servers from non-domain-member computers. For example, to protect database traffic, you would configure and deploy server isolation Group Policy settings to require secured traffic between domain member client computers and their database servers. With server isolation, the isolated network consists of the server computers and domain member client computers, both of which belong to an Active Directory domain.
You can also create the following group-specific server isolation network policy: specific server computers that are domain members will accept authenticated and secured communications only from other domain member computers that are members of specific Active Directory security groups. Group-specific server isolation provides an additional layer of authorization and isolates specific servers from both non-domain-member computers and unauthorized domain member computers. Only an authorized domain member computer that has a business need can access the isolated server. With group-specific server isolation, the isolated network consists of the server computers and the group of authorized domain member client computers.
For example, you can configure group-specific server isolation settings so that a server that contains sensitive medical information allows secure communications only with computers that meet the following criteria:
They are domain members.
They are members of the Confidential Medical Active Directory security group.
After you have configured the appropriate Group Policy and server settings, you can allow a new computer to access this server by joining the computer to the domain and then adding the computer account of the new computer to the Confidential Medical Active Directory security group.
You can also use group-specific server isolation in conjunction with domain isolation to define and enforce tiered network access restrictions based on business objectives and policy rather than network topology. For example, you can use domain isolation to better protect your entire Windows environment from rogue or unmanaged computers. Then, you can add another layer of protection through server isolation to further restrict access to specific networked resources to only the users who require that access for business reasons.
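The following is an added example, not taken from this paper or its companion guides. It expresses the domain isolation policy described above (require authentication inbound, request it outbound, with an exemption) and the group-specific server isolation example for the Confidential Medical group as Windows Firewall with Advanced Security rules, using the netsh advfirewall syntax available on Windows Vista and Windows Server 2008. The subnet, rule names, the SQL Server port 1433 and the group SID are assumed placeholders; in production the same settings would be distributed through a GPO rather than typed on each computer.

```powershell
# Added example (not from the paper). Run from an elevated PowerShell prompt
# on a test machine. Addresses, names, the port and the SID are placeholders.
$ErrorActionPreference = 'Stop'

# --- Domain isolation: applied to every domain member --------------------
# Require Kerberos computer authentication for inbound connections, but only
# request it outbound, so members can still reach non-member computers while
# non-members' inbound attempts are ignored.
netsh advfirewall consec add rule `
    name="Domain Isolation - require in, request out" `
    description="Assumed example: isolate domain member computers" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain

# Exemption: trusted infrastructure that cannot authenticate (for example the
# domain controllers a member must reach to obtain its Kerberos ticket) stays
# reachable without IPsec. 10.0.0.0/24 is a constructed placeholder subnet.
netsh advfirewall consec add rule `
    name="Domain Isolation - infrastructure exemption" `
    endpoint1=any endpoint2=10.0.0.0/24 `
    action=noauthentication `
    profile=domain

# --- Group-specific server isolation: applied to the sensitive server only --
# Require authentication in both directions on this server.
netsh advfirewall consec add rule `
    name="Server Isolation - require in, require out" `
    endpoint1=any endpoint2=any `
    action=requireinrequireout `
    auth1=computerkerb `
    profile=domain

# Then authorize the database port only for authenticated, encrypted
# connections (security=authenc) whose remote computer is a member of the
# Confidential Medical group. The SDDL grants the group the CC right;
# replace the placeholder with the real group SID.
$confidentialMedicalSid = 'S-1-5-21-PLACEHOLDER-1234'
netsh advfirewall firewall add rule `
    name="Server Isolation - SQL from Confidential Medical computers only" `
    dir=in action=allow protocol=TCP localport=1433 `
    security=authenc `
    rmtcomputergrp="D:(A;;CC;;;$confidentialMedicalSid)"

# Verification: review the resulting connection security rules, then confirm
# that main mode security associations form when an authorized member connects.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

A computer that is a domain member but not in the group will authenticate successfully at the IPsec layer and still be refused on port 1433 by the firewall rule, which is the additional authorization layer the text describes.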
Server Isolation provides many benefits by:
Supplementing other security mechanisms designed to prevent unwanted communications.
Encouraging domain membership.
Non-domain-member computers cannot communicate with critical isolated servers unless they join the Active Directory domain.
Protecting traffic sent to and from isolated servers.
The isolated server can verify that an authenticated computer sent the packet and that it was not modified in transit. Optionally, traffic to and from the isolated servers can be encrypted, providing protection from malicious users on your organization network who attempt to capture and interpret network traffic.
Protecting applications that cannot protect themselves.
Applications running on isolated servers that do not have facilities for enforcing access control or security can benefit from server isolation to enforce authentication, authorization, and communication security.
For more information about server isolation, see "Server Isolation with Microsoft Windows Explained" (https://go.microsoft.com/fwlink/?LinkId=94793).
This paper is the first in a series of papers that describes server and domain isolation, and provides guidelines for planning their deployment.
The other papers include:
Domain Isolation with Microsoft Windows Explained (https://go.microsoft.com/fwlink/?LinkId=94632)
This paper explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation.
Server Isolation with Microsoft Windows Explained (https://go.microsoft.com/fwlink/?LinkId=94793)
This paper explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation. It assumes that you are somewhat familiar with the Microsoft implementation of IPsec and would like more detailed information about using that technology to deploy server isolation.
Domain Isolation Planning Guide for IT Managers (https://go.microsoft.com/fwlink/?LinkId=44645)
This paper assists you in gathering the information required to develop a domain isolation deployment plan and to design your Windows Firewall with Advanced Security policies. It includes a step-by-step guide to the planning process, an overview of the deployment process, and links to resources that you can use to plan and design your deployment. However, it does not explain how to deploy domain isolation.
In addition to the papers described in the preceding section, see the following resources for more information.
For more information about Windows Firewall with Advanced Security, see:
Windows Firewall with Advanced Security Content Roadmap (https://go.microsoft.com/fwlink/?linkid=96525)
This topic describes the documents currently available in the Windows Technical Library for Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008.
Windows Firewall with Advanced Security - Diagnostics and Troubleshooting (https://go.microsoft.com/fwlink/?linkid=95372)
This article describes how Windows Firewall with Advanced Security works, what the common troubleshooting situations are, and which tools you can use for troubleshooting.
Windows Firewall (https://go.microsoft.com/fwlink/?linkid=95393)
This TechNet page contains links to a variety of documents available for Windows Firewall, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
For more information about IPsec, see:
IPsec (https://go.microsoft.com/fwlink/?linkid=95394)
This TechNet page contains links to a variety of documents currently available for Internet Protocol security (IPsec) for Windows XP, Windows Server 2003, and the version available as connection security rules in Windows Firewall with Advanced Security on Windows Vista and Windows Server 2008.
Simplifying IPSec Policy with the Simple Policy Update (https://go.microsoft.com/fwlink/?linkid=94767)
This article describes a downloadable update available for Windows XP SP2 and Windows Server 2003 SP1. The update changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases significantly reducing the number of required IP filters and their ongoing maintenance.
For more information about server and domain isolation, see:
Server and Domain Isolation (https://go.microsoft.com/fwlink/?linkid=95395)
This TechNet page contains links to documentation about the most common uses for IPsec: server and domain isolation. Documentation is available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Server and Domain Isolation Demo (https://go.microsoft.com/fwlink/?LinkId=107552)
This demonstration presents two server and domain isolation scenarios by using Microsoft® Virtual PC and Microsoft® Virtual Server 2005.
For more information about Group Policy, see:
Group Policy (https://go.microsoft.com/fwlink/?linkid=93542)
This page contains links to the documents currently available for Group Policy, for both the version available in Windows XP and Windows Server 2003, and the version available in Windows Vista and Windows Server 2008.
HOWTO: Leverage Group Policies with WMI Filters (https://go.microsoft.com/fwlink/?linkid=93760)
This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system version number.
In Windows Server 2008, organizations can use AD DS to manage users and resources, such as computers, printers, or applications, on a network. The ability to configure computers with firewall and connection security rules by using Group Policy is a key feature for firewall and server and domain isolation designs. Server and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication.
For more information about AD DS and related technologies, see:
Active Directory Domain Services (https://go.microsoft.com/fwlink/?linkid=102573)
Group Policy (https://go.microsoft.com/fwlink/?linkid=93542)
WMI Filtering Using GPMC (https://go.microsoft.com/fwlink/?linkid=93188)
For more information about networking, see:
Windows Server 2008 Networking (https://go.microsoft.com/fwlink/?LinkId=105691)
Windows Vista Networking (https://go.microsoft.com/fwlink/?LinkId=89051)