
Introduction to Server and Domain Isolation

Applies To: Windows Server 2008, Windows Vista

The proliferation of networking technologies that allow computers to freely communicate has ushered in a new age of productivity for businesses, governments, and individuals. People have around-the-clock access to e-mail, messages, files, databases, and Web pages. They can access this data through multiple types of connections, including wired (such as Ethernet), wireless, and remote access.

Unfortunately, the ease and ubiquity of connection poses new risks. The same ease of connectivity that allows users to access networked resources at any time from almost anywhere also allows malicious programs (such as viruses and worms) and malicious users to attack computers or their resources at any time and from anywhere. Although your company needs to allow access to resources, this access should be permitted to only authenticated and authorized users and computers. Protecting your network requires a layered defense-in-depth security model. Your network must be isolated, not only from the Internet, but also from unauthorized and unmanaged computers on your intranet.

To isolate the authorized and managed computers from the other computers on your network, you can create an isolated network: a set of network nodes whose grouping is independent of the physical network topology. You can create an isolated network based on the Physical layer of the Open Systems Interconnection (OSI) model, in which you run a separate cabling system for the isolated network. However, this type of isolated network is costly and difficult to maintain for large networks. You can also create an isolated network based on the Data Link layer of the OSI model, in which you use Layer 2 switches and virtual LAN (VLAN) technology to create logical network segments by grouping computers regardless of their physical connection to a set of switches. With VLAN technology, you can also create an isolated network based on the Network layer of the OSI model, in which you create logical subnets and define the routing between the subnets. However, for VLAN-based isolated networks, your switching fabric must support VLANs, and the logical segments or subnets must be maintained over time as the topology of the network changes and computers move to different switch ports.

With the Microsoft® Windows® operating systems, you can logically isolate your domain and server resources to limit access to authenticated and authorized computers. For example, you can create a logical network consisting of computers that share a common Windows-based security framework and a set of requirements for secure communication. Each computer on the logically isolated network can provide authentication credentials to the other computers on the isolated network to prove its membership. Requests for communication that originate from computers that are not part of the isolated network are ignored.

Windows-based network isolation occurs at the Network layer of the OSI model. Therefore, the isolated network can span hubs, switches, and routers across the physical and geographical boundaries of your organization network.

By leveraging the authentication infrastructure of Windows-based computers, you can create an isolated network that does not depend on a separate cabling system or on the features of your switching or routing fabric. Additionally, Windows-based isolated networks do not require ongoing maintenance based on changes in network topology or computers moving to different switch ports. The result is an isolated network that leverages your existing Windows infrastructure with no additional costs associated with network reconfiguration or hardware upgrades.

Figure 1 shows an example of an isolated network.

An isolated network on an organization network

In Figure 1, the entire organization network is isolated from the Internet by a firewall, a proxy server, or other types of security systems. A subset of the network's computers is located on the isolated network. The computers on the isolated network are protected from the other computers on the organization network.

For example, many types of viruses and worms cannot propagate into an isolated network. Malicious users and software from outside the isolated network cannot successfully attack isolated network computers because they lack the authentication credentials with which to establish communication.

The security requirements of the isolated network can optionally include data encryption. By requiring data encryption for the traffic exchanged between isolated network members, you can satisfy business partner and regulatory requirements to encrypt data when it traverses a network.

Server and Domain Isolation Solutions

To create an isolated network, you need to separate the various types of computers on the organization network according to the type of access you want the computers to have. The communication requirements are the following:

  • Computers on the isolated network can initiate communications with all of the computers on the organization network, including those that are not located on the isolated network.

  • Computers that are not on the isolated network can initiate communications only with other computers that are not on the isolated network. They cannot initiate communications with computers on the isolated network.

Computers on the isolated network will ignore all requests to initiate communication from computers that are not on the isolated network. This helps provide protection against malicious programs and users outside the isolated network and decreases the exposure of computers on the isolated network to various types of network attacks (such as port scanning) and malicious software (such as viruses and worms). In addition, you can specify that traffic sent between the computers on the isolated network be encrypted.

To create an isolated network, you need the following elements:

  • Credentials

    The computers on the isolated network use security credentials when initiating communications to prove their identity and authenticate themselves to the other computers on the isolated network.

  • Network policy settings

    The computers on the isolated network use network policy settings to require authentication for incoming communication requests, to secure communications and, if needed, to provide encryption.

In an organization network, it is impractical to configure and administer credentials and network policy settings locally on individual computers. To create an isolated network that can be centrally configured and that scales as your organization grows, you need to manage the computers on your organization network. To centrally manage your network, you need an authentication and policy distribution infrastructure.

On a Windows-based network that is managed by a central IT department, computers use the authentication infrastructure and policy distribution mechanism to implement Server and Domain Isolation. A managed environment not only makes Server and Domain Isolation easier, it also provides the infrastructure that allows you to configure other security activities, such as distributing operating system updates and installing antivirus software.

In Windows, a computer can be a member of an Active Directory® directory service domain. During the process of joining an Active Directory domain, the computer is issued a set of credentials. On an ongoing basis after joining the domain, the computer receives centrally configured network policies through Group Policy. Network administrators use Group Policy to distribute computer and user settings to the member computers of an Active Directory domain. With the appropriate Group Policy settings to require authentication before communication, a domain member computer sends its credentials to authenticate a communication attempt, which can then be verified by any domain controller.

By leveraging Active Directory membership and Group Policy settings, everything that you need to create an isolated network is already available on computers running Windows Vista®, Windows Server® 2008 (currently in beta), Microsoft® Windows® XP, Microsoft® Windows Server® 2003, and Microsoft® Windows® 2000 Server operating systems. All that you need to do is to ensure that computers are members of your domain and to configure the appropriate Group Policy settings to require authentication for incoming communication attempts, to secure data traffic, and optionally, to encrypt data traffic. After you have configured and applied the appropriate Group Policy settings, you add a new computer to the isolated network by making it a member of the Active Directory domain. In contrast to cable or VLAN-based isolated networks, no new hardware or maintenance of the cabling system or switching fabric is required.

Figure 2 shows an example of an isolated network using an Active Directory domain.

An isolated network using Active Directory

In Figure 2, the computers on the isolated network are members of an Active Directory domain, which includes computers that are locally connected to the organization network—through Ethernet or Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless LAN connections, for example—or are remotely connected to the organization network, through a remote access dial-up connection or a virtual private network (VPN) connection across the Internet (not shown). The computers on the organization network that are not part of the isolated network include stand-alone computers running Windows—such as those that are members of workgroups or other untrusted domains—or other computers that do not support Active Directory, such as Apple Macintosh computers or UNIX-based computers.

If business operational requirements exist, options are available to enable non-Windows hosts to participate in the isolated network. For example, workstations and departmental servers running Linux, Mac OS X, and Solaris can be configured to communicate directly with an isolated domain. Alternatively, using ISA Server as an IPsec proxy, communication to isolated domains can also be configured for systems that do not natively support IPsec or for mainframes for which IPsec is not normally implemented.

Server and Domain Isolation provides an extra layer of security and access control that complements other host- and network-based security technologies, such as antivirus, anti-spyware, firewall, 802.1X, and intrusion detection, to enable greater resiliency in the presence of network security threats. This solution also further extends the value of Active Directory and the operational efficiency benefits of Group Policy. Logical isolation policies are created, distributed, and managed centrally using Active Directory Group Policy and existing Active Directory-based credentials (for example, Kerberos or X.509 certificates). This results in a zero-touch deployment experience for IT administrators and an unchanged experience for end users. No additional end-user training is required, nor is there a need to install new software or visit each computer during deployment.

After you have deployed an Active Directory domain, you can configure Server and Domain Isolation.

Domain Isolation

To isolate a domain, you use an Active Directory domain and domain membership to enforce the following network policy: domain member computers accept only authenticated and secured communications from other domain member computers. This network policy isolates domain member computers from non-domain-member computers. With Domain Isolation, the isolated network consists, in the majority of cases, of the set of computers that belong to an Active Directory domain, as Figure 2 shows.

To configure Domain Isolation, use Group Policy settings to require that all incoming communication requests be authenticated using Active Directory and that domain member computers can initiate unprotected communications with non-domain-member computers. Optionally, you can require that all communication within the isolated domain be encrypted. You can also configure exemptions so that specific trusted computers that are not domain members can initiate unprotected communications with domain member computers.

Domain Isolation provides many benefits by:

  • Restricting incoming communications to domain member computers.

    Domain member computers use their domain credentials to authenticate communication attempts and network policy settings to secure traffic with each other. This helps mitigate the risk that rogue or unmanaged devices exploit potentially unpatched vulnerabilities, propagate malicious software (malware) such as viruses, worms, or spyware, or disrupt business operations through denial-of-service (DoS) attacks. Non-domain-member computers do not have domain credentials and, therefore, cannot authenticate communication attempts with protected computers.

  • Supplementing other security mechanisms designed to prevent unwanted communications.

    Domain Isolation provides end-to-end security that supplements the security mechanisms already deployed on your network, providing defense-in-depth. For example, if you deployed Domain Isolation and your firewall was compromised, malicious Internet users could not directly initiate communications with protected computers.

  • Encouraging domain membership.

    By placing critical organization servers, such as database servers, on the isolated network, you prevent users on the organization network from connecting to them from a non-domain-member computer. To receive valid domain credentials for communicating with organization servers, computers must be joined to the domain. After a computer has been joined to the domain, you can manage it in other ways, such as by ensuring that it has the latest operating system and antivirus updates. These proactive measures also help increase system reliability and security, while reducing the risk of network-based attacks and lowering ongoing maintenance costs.

  • Securing traffic between domain member computers.

    Traffic sent between domain member computers is secured so that the receiving computer can verify that an authenticated computer sent the packet and that the packet was not modified in transit. Optionally, the traffic between domain member computers can be encrypted, providing protection from malicious users on your organization network who attempt to capture and interpret network traffic.

For more information about Domain Isolation, see "Domain Isolation with Microsoft Windows Explained" at http://go.microsoft.com/fwlink/?LinkId=44642. For examples of how customers have deployed Domain Isolation, see the "Case Studies" section at http://go.microsoft.com/fwlink/?LinkId=79428.

Server Isolation

To isolate a specific server or servers, sensitive data, and associated clients, you use an Active Directory domain and domain membership to enforce the following network policy: specific server computers that are domain members accept authenticated and secured communications only from other domain member computers. This network policy isolates specific servers from non-domain-member computers. For example, to protect database traffic, you would configure and deploy Server Isolation Group Policy settings to require secured traffic between domain member client computers and their database servers. With Server Isolation, the isolated network consists of the server computers and domain member client computers, both of which belong to an Active Directory domain.

You can also create the following group-specific Server Isolation network policy: specific server computers that are domain members accept authenticated and secured communications only from other domain member computers that are members of specific Active Directory security groups. Group-specific Server Isolation provides an additional layer of authorization and isolates specific servers from both non-domain-member computers and unauthorized domain member computers. Only an authorized domain member computer that has a business need can access the isolated server. With group-specific Server Isolation, the isolated network consists of the server computers and the group of authorized domain member client computers.

For example, you can configure group-specific Server Isolation settings so that a server that contains sensitive medical information allows secure communications only with computers that meet the following criteria:

  • They are domain members.

  • They are members of the ConfidentialMedical Active Directory security group.

After you have configured the appropriate Group Policy and server settings, you can allow a new computer to access this server by joining the computer to the domain and then adding the computer account of the new computer to the ConfidentialMedical Active Directory security group.
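As an added example that is not part of the original paper, the following batch script expresses the Domain Isolation policy and the group-specific Server Isolation policy described above as local Windows Firewall with Advanced Security rules entered through netsh on a Windows Vista or Windows Server 2008 computer, which is how you would try them in a test lab before distributing the same settings through Group Policy. The address 192.0.2.10 and the group SID are placeholders, not values from the paper.

```batch
@echo off
REM Added example (not from the original paper). Run from an elevated
REM command prompt. In production these rules are distributed by Group
REM Policy; applying them locally with netsh is suitable for a test lab.

REM --- Domain Isolation (applies to every domain member) --------------------
REM Require authentication for all inbound traffic but only REQUEST it for
REM outbound traffic, so a domain member can still initiate unprotected
REM communication with non-domain-member computers. Authentication uses the
REM computer's Kerberos (domain) credentials, verified by a domain controller.
netsh advfirewall consec add rule name="Domain Isolation" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computerkerb ^
    profile=domain

REM Exemption: a trusted non-domain host that may initiate unprotected
REM communication with domain members. 192.0.2.10 is a placeholder address.
REM Keep domain controllers exempt in the same way so that clients can obtain
REM Kerberos tickets before IPsec negotiation can succeed.
netsh advfirewall consec add rule name="Exemption - trusted non-domain host" ^
    endpoint1=any endpoint2=192.0.2.10 ^
    action=noauthentication

REM --- Group-specific Server Isolation (on the medical-records server) -------
REM Same inbound requirement, but negotiated traffic is also encrypted
REM (ESP with SHA-1 integrity and AES-128 encryption).
netsh advfirewall consec add rule name="Server Isolation - encrypt" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computerkerb ^
    qmsecmethods=esp:sha1-aes128

REM Authorization layer: allow inbound SQL Server traffic (TCP 1433) only when
REM the connection is authenticated and encrypted AND the authenticated
REM computer account belongs to the ConfidentialMedical security group.
REM rmtcomputergrp takes an SDDL string; replace the placeholder SID with the
REM SID of the ConfidentialMedical group from your own domain.
set MEDICAL_GROUP_SID=S-1-5-21-PLACEHOLDER-1234
netsh advfirewall firewall add rule name="SQL - ConfidentialMedical only" ^
    dir=in action=allow protocol=tcp localport=1433 ^
    security=authenc ^
    rmtcomputergrp="D:(A;;CC;;;%MEDICAL_GROUP_SID%)"

REM --- Verification ---------------------------------------------------------
REM List the connection security rules, then inspect the negotiated main-mode
REM and quick-mode security associations after a client connects.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

A client that is a domain member but not in ConfidentialMedical will complete IPsec negotiation with the server and still be refused on port 1433, which is the tiered behaviour the section describes.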

You can also use group-specific Server Isolation in conjunction with Domain Isolation to define and enforce tiered network access restrictions based on business objectives and policy rather than on network topology. For example, you can use Domain Isolation to better protect your entire Windows environment from rogue or unmanaged computers. Then, you can add another layer of protection through Server Isolation to further restrict access to specific networked resources to only those users who require this access for business reasons.

Server Isolation provides many benefits by:

  • Supplementing other security mechanisms designed to prevent unwanted communications.

  • Encouraging domain membership.

    Non-domain-member computers cannot communicate with critical isolated servers unless they join the Active Directory domain.

  • Protecting traffic sent to and from isolated servers.

    The isolated server can verify that an authenticated computer sent the packet and that it was not modified in transit. Optionally, traffic to and from the isolated servers can be encrypted, providing protection from malicious users on your organization network who attempt to capture and interpret network traffic.

  • Protecting applications that cannot protect themselves.

    Applications running on isolated servers that do not have facilities for enforcing access control or security can benefit from server isolation to enforce authentication, authorization, and communication security.

For more information about Server Isolation, see "Server Isolation with Microsoft Windows Explained" at http://go.microsoft.com/fwlink/?LinkId=44641.

Overview of Server and Domain Isolation Documents

This paper is the first in a series of papers that describes Server and Domain Isolation and provides guidelines for planning their deployment. The other papers include:

  • "Domain Isolation with Microsoft Windows Explained" at http://go.microsoft.com/fwlink/?LinkId=44642

    This paper provides a detailed overview of Domain Isolation. It explains how Domain Isolation protects domain member computers and the benefits of deploying Domain Isolation. It also provides a brief overview of how to deploy Domain Isolation. This paper is intended for IT professionals in organizations that are investigating using the Microsoft implementation of Internet Protocol security (IPsec) in Windows to deploy Domain Isolation. It assumes that you are somewhat familiar with the Microsoft implementation of IPsec and would like more detailed information about using that technology to deploy Domain Isolation.

  • "Server Isolation with Microsoft Windows Explained" at http://go.microsoft.com/fwlink/?LinkId=44641

    This paper provides a detailed overview of Server Isolation. It explains how Server Isolation protects isolated servers and the benefits of deploying Server Isolation. It also provides a brief overview of how to deploy Server Isolation. This paper is intended for IT professionals in organizations that are investigating using the Microsoft implementation of IPsec in Windows to deploy Server Isolation. It assumes that you are somewhat familiar with the Microsoft implementation of IPsec and would like more detailed information about using that technology to deploy Server Isolation.

  • "Domain Isolation Planning Guide for IT Managers" at http://go.microsoft.com/fwlink/?LinkId=44645

    Designed for enterprise IT managers who are investigating using IPsec in Microsoft Windows to deploy Domain Isolation, this paper will help you and your IT staff to gather the information required to develop a Domain Isolation deployment plan and to design your IPsec policies. It includes an overview of the deployment process, a step-by-step guide to the planning process, and links to resources that you can use to plan and design your deployment. It does not explain how to deploy Domain Isolation.

  • "A Guide to Domain Isolation for Security Architects" at http://go.microsoft.com/fwlink/?LinkId=44643

    Designed for security architects of enterprise organizations that are investigating the use of IPsec in Microsoft Windows to deploy Domain Isolation, this paper describes the implications of deploying Domain Isolation in an enterprise environment and explains how to assess the enterprise environment and plan Domain Isolation. Read this guide after you have developed a working knowledge of Domain Isolation.

  • "Setting Up IPsec Server and Domain Isolation in a Test Lab" at http://go.microsoft.com/fwlink/?LinkId=44646

    This paper demonstrates how to set up IPsec Server and Domain Isolation in a limited test environment. It provides procedures for setting up a basic deployment, which you can use as the basis for your own deployment. This paper is designed for network architects who are investigating the use of IPsec in Microsoft Windows to deploy Server and Domain Isolation.

The size of your environment and IT staff will determine your planning and deployment requirements, which, in turn, will determine which of the server and domain deployment papers you will need to read.

For Enterprises and Large Businesses

For the purposes of these papers, an enterprise is a business or organization that has more than 100 servers and more than 500 desktop computers, comprises multiple organizational units, and has distributed branch offices. A large business is a business or organization that has more than 100 servers and more than 500 desktop computers and that might have multiple organizational units.

Typically, deployments in enterprises and large businesses require greater planning and more precisely defined processes. If you are planning Server and Domain Isolation deployment in an enterprise or large business, read the following papers in the order listed:

For Medium and Small Businesses

For the purposes of these papers, a medium business is a business or organization that has between 4 and 100 servers and between 25 and 500 desktop computers, which might have only one organizational unit, and might have one or two distributed branch offices. A small business is a business or organization that has between 1 and 3 servers and between 1 and 25 desktop computers, might not have a domain or has only one domain, and has no branch offices.

Typically, deployments in these organizations require less planning and less highly developed processes than larger deployments. If you are planning Server and Domain Isolation deployment in a medium or small business, read the following papers in the order listed:

Optionally, you might want to read the following papers:

© 2014 Microsoft