
Server Isolation with Microsoft Windows Explained

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

As described in "Introduction to Server and Domain Isolation with Microsoft Windows," server isolation uses an Active Directory® directory service domain, domain membership, and Group Policy to enforce a network policy requiring specific server computers that are domain members to accept only authenticated and secured communications from other domain member computers. This network policy isolates specific servers from computers that are not domain members.

For example, sensitive data on servers is typically protected by access control security at the Application layer. Before accessing the files on a file server that contains sensitive data, a user must provide security credentials, such as a user name and a password. However, by specifying access control lists (ACLs) at the Application layer, you do not protect the server from attacks against other services running on the server or other types of network-level attacks—such as denial of service, viruses, or worms—launched from computers that are not domain members on your intranet.

To provide another layer of protection for servers that store sensitive data, you can isolate them from computers that are not domain members by implementing additional authentication and security at the Internet layer with Internet Protocol security (IPsec). By using IPsec-based server isolation, computers that are not domain members cannot initiate Internet Protocol (IP)-based communication with isolated servers. Organizations that send sensitive data over their networks and that must provide extra protection for sensitive data assets — such as those in the financial services, health care, or government sectors — require this additional level of protection.

Server isolation provides many benefits by:

  • Restricting incoming communications to domain member computers.

    In the Microsoft® Windows® operating systems, you can manage a computer that is a member of an Active Directory domain by centrally configuring settings in Group Policy and applying those settings to all domain member computers. You can also apply other types of security updates, such as operating system updates and antivirus software signatures, to domain member computers. Domain member computers use their domain credentials to authenticate communication attempts with isolated servers. Computers that are not domain members — such as stand-alone computers, computers that do not run Windows, and unknown or guest computers — do not have domain credentials and, therefore, cannot authenticate communication attempts with isolated servers.

  • Supplementing security mechanisms designed to prevent unwanted communications.

    Server isolation supplements the security mechanisms already deployed on your network, such as ACLs, Institute of Electrical and Electronic Engineers (IEEE) 802.1X, Secure Sockets Layer (SSL), and firewalls. For example, if you isolated your servers and then your Internet firewall was compromised, malicious users from the Internet could not initiate direct communications with the isolated servers.

  • Encouraging domain membership.

    By isolating critical organization servers, such as e-mail servers, you can prevent network users from accessing critical resources from a computer that is not a domain member. To receive valid domain credentials for authenticating with isolated servers, computers that are not domain members must join the domain. After being joined to the domain, these computers can be managed in other ways. For example, you can ensure that they have the latest operating system and antivirus updates.

  • Protecting traffic sent to and from isolated servers.

    Traffic sent to and from isolated servers is cryptographically protected, so that the receiving computer can verify that an authenticated computer sent the packet and that the packet was not modified in transit. Optionally, the isolated server traffic can be encrypted, providing protection from malicious network users attempting to capture and interpret network traffic.

  • Protecting applications that cannot protect themselves.

    Applications running on servers running Windows that cannot enforce access control or security at the Application layer can use server isolation to enforce authentication, authorization, and communication security at the Internet layer.

To isolate a server, you can configure Group Policy settings to require that all communication with isolated servers must be authenticated and protected by using IPsec. IPsec protects traffic from address spoofing, data injection, session hijacking, replay attacks, and other types of data tampering. Optionally, you can specify that packets are encrypted. You can also configure exceptions so that specific trusted computers that are not domain members, known as exempted computers, can initiate unprotected communications with isolated servers.

How Server Isolation Works

This section describes how Active Directory, Group Policy, and IPsec work together to implement server isolation.

Components of Server Isolation

To isolate a server, you need the following components:

  • An Active Directory domain. A domain includes domain controllers and the appropriate trust relationships to establish trust with other domains or the directory trees of an organization network.

  • Member computers. These are computers that have joined the Active Directory domain and received domain credentials.

  • Group Policy settings. These computer and user settings are automatically downloaded to member computers.

  • Active IPsec policy settings. These Group Policy settings determine the server isolation behavior of domain member computers.

In a simplified server isolation deployment, you configure and activate an IPsec policy with rules that define specific types of traffic and how the traffic should be handled. You then activate the IPsec policy for the appropriate Active Directory containers, such as sites, domains, and organizational units. The member computers in the Active Directory containers to which the Group Policy settings apply automatically download the Group Policy settings.

After the domain member computers have downloaded and applied the Group Policy settings, they have both the correct IPsec policy for server isolation and domain credentials that allow them to communicate securely with isolated servers. Computers that are not domain members, which do not have domain credentials or the correct IPsec settings, cannot initiate communications with isolated servers.

Communication Processes

When you implement server isolation by configuring domain member computers with the appropriate IPsec policy settings, communication between computers in your network differs depending on which type of computer (domain member or non-domain-member) initiates communication and which type of computer receives communication. This section describes how communication occurs:

  • When a domain member computer initiates communication with an isolated server.

  • When a computer that is not a domain member initiates communication with an isolated server.

  • When an exempted computer initiates communication with an isolated server.

The following figure shows the types of communication that occur when you deploy server isolation.

Figure: Types of communication for server isolation

Communication with an isolated server initiated by a domain member computer

When a domain member computer with both Active Directory credentials and server isolation IPsec policy settings (for example, COMPUTER1 in the figure) initiates communication with an isolated server (for example, SERVER1), the following occurs:

  1. The initial communication packet sent by COMPUTER1—for example, a Transmission Control Protocol (TCP) Synchronize (SYN) segment destined for the IP address of an e-mail server that is isolated—matches the rule of the active IPsec policy that specifies that the initiating computer must secure the traffic with IPsec.

  2. COMPUTER1 uses IPsec to perform mutual authentication with SERVER1 and to negotiate the use of IPsec protection.

  3. Because both COMPUTER1 and SERVER1 have domain credentials, the IPsec authentication process succeeds. Because COMPUTER1 has IPsec policy settings that match SERVER1, negotiation of IPsec protection also succeeds.

  4. COMPUTER1 sends the initial communication packet to SERVER1 with IPsec protection.

  5. SERVER1 sends the response to the initial communication packet—for example, a TCP SYN-Acknowledgement (SYN-ACK) segment—to COMPUTER1 with IPsec protection.

  6. Subsequent packets sent between COMPUTER1 and SERVER1 are protected by IPsec.

Domain member computers that have the appropriate IPsec policy settings authenticate, and protect with IPsec, their communications with all isolated servers.

Communication with an isolated server initiated by a non-domain-member computer

When a non-domain-member computer (for example, COMPUTER2 in the figure) initiates communication with an isolated server (for example, SERVER1), the following occurs:

  1. Because COMPUTER2 does not have IPsec policy settings, it sends its initial communication packet—for example, a TCP SYN segment—without IPsec protection to SERVER1.

  2. On SERVER1, the initial communication packet sent by COMPUTER2 matches the IPsec policy rule for the server that requires IPsec protection for all incoming packets.

  3. Because SERVER1 does not accept unprotected packets, it silently discards the TCP SYN segment sent by COMPUTER2.

  4. SERVER1 also discards subsequent communication initiation packets sent by COMPUTER2.

  5. Eventually, COMPUTER2 ends its attempt to communicate with SERVER1.

The IPsec policy on SERVER1 causes unprotected communications to be dropped. Non-domain-member computers that attempt to communicate with an isolated server never receive a response and, therefore, cannot connect to the server. Even if a user on a non-domain-member computer was able to duplicate the IPsec policy settings of a domain member computer, communications with SERVER1 would fail because the non-domain-member computer does not have valid domain credentials.

Communication with an isolated server initiated by an exempted computer

When an exempted computer (for example, COMPUTER3 in the figure) initiates communication with an isolated server (for example, SERVER1), the following occurs:

  1. Because COMPUTER3 does not have IPsec policy settings, it sends its initial communication packet—for example, a TCP SYN segment—without IPsec protection to SERVER1.

  2. On SERVER1, the initial communication packet sent by COMPUTER3 matches the IPsec policy rule for the server that permits unsecured communication to its own IP address from the IP addresses of specific exempted computers.

  3. SERVER1 sends a response—for example, a TCP SYN-ACK segment—to COMPUTER3 without IPsec protection.

  4. Subsequent packets sent between COMPUTER3 and SERVER1 are sent without IPsec protection.

The specified IPsec policy allows exempted computers to communicate with isolated servers without requiring IPsec protection.

Group-Specific Server Isolation

The server isolation configuration described thus far allows all domain member and exempted computers to communicate with an isolated server. However, servers differ in the level of sensitivity of their data and whether they permit universal access or access only from specific computers. For example, e-mail servers typically must be available to all domain member computers in order to allow a user on any domain member computer to access e-mail. However, finance or legal department servers should only be available to a specific subset of computers.

To further isolate servers that store sensitive data and prevent unauthorized domain member computers from communicating with them, you can separate these servers and authorized computers by providing them with an IP address on a separate subnet, or by using a different authentication method, such as digital certificates. However, both solutions require additional administrative overhead.

For servers running Windows, you can use another method to enforce authorization. By applying the Access this computer from the network user right (a local Group Policy setting), you can specify the computer accounts or Active Directory security groups that you want to allow to access a server over the network. When IPsec processes the credentials of the computer requesting communications, Windows checks the Access this computer from the network user right.

Therefore, to further isolate servers that store sensitive data based on Active Directory group membership, you can do the following:

  1. Ensure that the servers have been added to the existing IPsec rule for isolated servers.

  2. Create an Active Directory security group and add the computer accounts of the authorized computers to the group.

  3. Configure the local Group Policy settings of each server that stores sensitive data and change the Access this computer from the network user right as follows:

    1. Click Computer Configuration, click Windows Settings, and then click Security Settings.

    2. Click Local Policies, click User Rights Assignment, and then edit the Access this computer from the network user right so that it contains only the Active Directory security group created in step 2.

For a file server that contains sensitive financial data, add the financial server to the IPsec rule of the isolated servers, create a ConfidentialFinancial security group, and then add the authorized computer accounts. Finally, change the Access this computer from the network user right on the financial file server to contain only the ConfidentialFinancial security group.
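The following Python model is an added example, not code from the article or from Windows; it reproduces the decision an isolated server makes for each initiator type described under "Communication Processes" (domain member, non-domain-member, exempted computer, and a non-domain-member that has duplicated the IPsec policy settings) and then layers on the Access this computer from the network check described above. All names, addresses, and the rule and outcome representations are constructed for the example; Windows selects the most specific matching IPsec filter, which the model approximates by listing rules most specific first.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Computer:
    name: str
    ip: str
    has_isolation_policy: bool          # server isolation IPsec policy applied?
    domain_account: Optional[str]       # computer account if a domain member
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    """An IPsec rule: a filter on source addresses plus a filter action."""
    name: str
    src_addrs: Optional[FrozenSet[str]]  # None matches any source address
    action: str                          # "permit" or "require"


@dataclass(frozen=True)
class IsolatedServer:
    name: str
    ip: str
    rules: List[Rule]       # most specific first (Windows picks the most specific filter)
    # Principals granted "Access this computer from the network"; None = unrestricted
    network_access: Optional[FrozenSet[str]] = None


def select_rule(server: IsolatedServer, src_ip: str) -> Rule:
    """Pick the rule whose filter matches the initiator's address."""
    for rule in server.rules:
        if rule.src_addrs is None or src_ip in rule.src_addrs:
            return rule
    raise LookupError("policy must end with a catch-all rule")


def initiate(client: Computer, server: IsolatedServer) -> str:
    """Outcome of the client's initial packet (for example a TCP SYN) to the server.

    Returns one of:
      "protected"      IPsec negotiated; traffic flows with IPsec protection
      "unprotected"    exempted address; SYN-ACK returned in the clear
      "discarded"      unprotected SYN silently dropped, no response ever sent
      "auth-failed"    IPsec negotiation attempted but no domain credentials
      "not-authorized" authenticated, but not granted the network access right
    """
    rule = select_rule(server, client.ip)
    if rule.action == "permit":
        return "unprotected"
    # The rule requires IPsec. A client with no isolation policy never negotiates,
    # so its clear-text SYN matches the require rule and is dropped.
    if not client.has_isolation_policy:
        return "discarded"
    # Mutual authentication uses domain credentials; a copied policy is not enough.
    if client.domain_account is None:
        return "auth-failed"
    # Group-specific isolation: the "Access this computer from the network" user
    # right is checked against the authenticated computer account and its groups.
    if server.network_access is not None:
        principals = {client.domain_account} | client.groups
        if not (principals & server.network_access):
            return "not-authorized"
    return "protected"


# Constructed sample network; addresses, account and group names are made up.
COMPUTER1 = Computer("COMPUTER1", "10.0.0.21", True, "COMPUTER1$")
COMPUTER2 = Computer("COMPUTER2", "10.0.0.22", False, None)
COMPUTER3 = Computer("COMPUTER3", "10.0.0.23", False, None)   # exempted by address
ROGUE = Computer("ROGUE", "10.0.0.99", True, None)            # copied policy, no credentials
FINANCE1 = Computer("FINANCE1", "10.0.0.31", True, "FINANCE1$",
                    frozenset({"ConfidentialFinancial"}))

EXEMPT = Rule("Permit exempted computers", frozenset({COMPUTER3.ip}), "permit")
REQUIRE = Rule("Require security", None, "require")

MAIL_SERVER = IsolatedServer("SERVER1", "10.0.0.10", [EXEMPT, REQUIRE])
FINANCE_SERVER = IsolatedServer("FINSRV1", "10.0.0.11", [EXEMPT, REQUIRE],
                                network_access=frozenset({"ConfidentialFinancial"}))


def scenarios() -> dict:
    """Run every initiator against both servers; keys are (client, server) names."""
    out = {}
    for client in (COMPUTER1, COMPUTER2, COMPUTER3, ROGUE, FINANCE1):
        for server in (MAIL_SERVER, FINANCE_SERVER):
            out[(client.name, server.name)] = initiate(client, server)
    return out


if __name__ == "__main__":
    for (c, s), result in scenarios().items():
        print(f"{c:>9} -> {s:<8} {result}")
```

Two things the run makes visible that the prose states only in passing: the non-domain-member never receives any response at all (the server neither negotiates nor sends a reset), and a domain member that is not in ConfidentialFinancial authenticates successfully to the finance server and is still refused by the user right. In this model an exempted address bypasses both checks, because with no IPsec authentication there is no computer identity to evaluate, which is why the set of exempted computers should be kept as small as possible.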

Overview of Server Isolation Deployment

To deploy server isolation, do the following:

  1. Determine the state of your network infrastructure.

    Before you can begin planning for server isolation, you must assess your organization's network. In your assessment, identify and document your network's physical topology (such as client and server computer configurations), logical topology (such as your Active Directory infrastructure including trust relationships and system container structure), and current use of Group Policy settings. You must also determine which computers to exempt.

  2. Design and test server isolation IPsec policy in a lab network.

    Create a scaled-down version of your network in a physically isolated lab that is not connected to your production network. Your test lab network should include domain member client computers, client computers that are not a member of the domain, and exempted computers. Then, configure the IPsec rules required to implement server isolation for your network. Use the test lab to ensure that the policies work as expected. Fine-tune your policy settings, as needed.

  3. Perform a pilot using a subset of computers.

    After verifying the IPsec policy settings in the test lab, configure and activate the server isolation IPsec policy on a subset of computers on your production network to test their behavior. For example, you might want to activate the IPsec policy for the computers in a specific Active Directory organizational unit.

  4. Roll out the IPsec policy in phases.

    After the pilot program is complete, begin activating the IPsec policy for other parts of your domain infrastructure in a phased rollout.

For more information about deploying server isolation, see "Server and Domain Isolation Using IPsec and Group Policy."

© 2014 Microsoft