
Domain Isolation with Microsoft Windows Explained

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

As described in "Introduction to Server and Domain Isolation with Microsoft Windows," domain isolation uses an Active Directory® directory service domain, domain membership, and Group Policy settings to enforce a network policy that requires domain member computers to accept incoming communication requests only from computers that can authenticate themselves with domain credentials. This network policy isolates domain member computers from non-domain-member computers.

By isolating your domain, you add a layer of protection for your network traffic that other security technologies do not supply. Institute of Electrical and Electronics Engineers (IEEE) standard 802.1X requires a computer to authenticate itself before it can send frames on a network, but 802.1X does not protect the traffic that an authenticated computer sends once it is on the network. Secure Sockets Layer (SSL) provides server authentication (and, optionally, client authentication) and data confidentiality (encryption), but only for client and server applications that are written to use SSL. 802.1X works at the Data Link layer of the Open Systems Interconnection (OSI) model and SSL works above the Transport layer, inside each application, whereas domain isolation works at the Network layer and therefore protects IP-based traffic regardless of the application that generates it. Organizations that routinely send sensitive data on their networks and must therefore provide extra protection for data assets, such as those in the financial services and health care industries or government institutions, need this additional level of protection at the Network layer.

Domain isolation provides many benefits by:

  • Restricting incoming connections to domain member computers.

    In Microsoft® Windows®, you can manage a computer that is a member of an Active Directory domain by centrally configuring settings in Group Policy and by applying those settings to all domain member computers. You can also apply other types of security updates, such as operating system updates and antivirus software signatures, to domain member computers. Domain member computers use their domain credentials to authenticate communication attempts with each other. Computers that are not domain members — stand-alone, unknown, and guest computers — do not have domain credentials and, therefore, cannot authenticate communication attempts with domain member computers.

  • Supplementing other security mechanisms designed to prevent unwanted communications.

    Domain isolation supplements the security mechanisms already deployed on your network rather than replacing them. For example, if you have isolated your domain and your perimeter firewall is then compromised, malicious users from the Internet still cannot initiate direct communications with the isolated hosts, because they cannot present domain credentials. Hosts that you exempt from the policy remain reachable without IPsec, so keep the exemption list as short as possible.

  • Encouraging domain membership.

    By placing critical organization servers, such as e-mail servers, in the isolated domain, you prevent network users from connecting to any of those servers from a computer that is not a domain member. To receive valid domain credentials for authenticating with isolated organization servers, computers that are not domain members must be joined to the domain. After they have been joined to the domain, you can manage these computers in other ways, such as ensuring that they have the latest operating system and antivirus updates.

  • Protecting traffic between domain member computers.

    Traffic sent between domain member computers is cryptographically protected so that the receiving computer can verify that an authenticated computer sent the packet and that the packet was not modified in transit. Optionally, the traffic between domain member computers can be encrypted, providing protection from malicious network users who attempt to capture and interpret network traffic.

To deploy domain isolation, you configure Group Policy settings to require that all incoming connection requests and subsequent data be authenticated and protected by using Internet Protocol security (IPsec). IPsec protects traffic from address spoofing, data injection, session hijacking, replay attacks, and other types of data tampering. Optionally, you can specify that packets be encrypted. You also can configure exemptions so that specific computers that are not domain members can initiate communications with isolated hosts. Some exemptions are mandatory rather than optional: isolated hosts must be able to reach the domain controllers in the clear, because the Kerberos tickets that IPsec authentication relies on are obtained from them, and infrastructure services that a computer needs before it can authenticate (such as DHCP and DNS, where they run on non-domain computers) usually need the same treatment.

How Domain Isolation Works

This section describes how Active Directory, Group Policy, and IPsec work together to implement domain isolation.

Components of Domain Isolation

To isolate a domain, you need the following components:

  • An Active Directory domain. The domain includes domain controllers and the appropriate trust relationships to establish trust with other domains or the directory trees of an organization network.

  • Member computers. These are computers that have joined the Active Directory domain and received domain credentials.

  • Group Policy settings. These computer and user settings are automatically downloaded to domain member computers.

  • Active IPsec policy settings. These Group Policy settings determine the domain isolation behavior of domain member computers.

In a simplified domain isolation deployment, you configure an IPsec policy with rules that define specific types of traffic and how that traffic will be handled. You then assign the IPsec policy in a Group Policy object linked to the appropriate Active Directory containers, such as sites, domains, and organizational units. The member computers in the Active Directory containers to which the Group Policy settings apply automatically download the Group Policy settings, including the assigned IPsec policy.

After the domain member computers have downloaded and applied the Group Policy settings, they have both the correct IPsec policy for domain isolation and the domain credentials that will allow them to communicate securely with each other and to communicate without security with non-domain-member computers. Computers that are not domain members, which do not have the correct IPsec policy settings for domain isolation or domain credentials, cannot initiate communication with isolated hosts.

Communication Processes

When you implement domain isolation, communication between hosts in your network differs depending on which type of host (isolated or non-isolated) initiates communication and which type of host the initiating host attempts to communicate with. This section describes how communication occurs:

  • When an isolated host initiates communication with another isolated host.

  • When a non-isolated host initiates communication with an isolated host.

  • When an isolated host initiates communication with a non-isolated host.

The following figure shows the types of communication that occur when you deploy domain isolation.

[Figure: Types of communication for domain isolation]

Communication with an isolated host initiated by another isolated host

When an isolated host with both Active Directory credentials and domain isolation IPsec policy settings (for example, COMPUTER1 in the figure) initiates communication with another isolated host (for example, COMPUTER2), the following occurs:

  1. The initial communication packet sent by COMPUTER1—for example, a Transmission Control Protocol (TCP) Synchronize (SYN) segment—matches the rule of the active IPsec policy that specifies that the initiating host must attempt to secure the traffic with IPsec.

  2. COMPUTER1 uses Internet Key Exchange (IKE), the negotiation protocol of IPsec, to perform mutual authentication with COMPUTER2 and to negotiate the IPsec protection to apply. In domain isolation, the IKE authentication method is Kerberos V5, so each computer proves its identity with its domain credentials.

  3. Because COMPUTER2 has domain credentials and an active IPsec policy that responds to IKE, authentication succeeds. Because the security methods in COMPUTER2's policy match those offered by COMPUTER1, negotiation of IPsec protection also succeeds.

  4. COMPUTER1 sends the initial communication packet to COMPUTER2 with IPsec protection.

  5. COMPUTER2 sends the response to the initial communication packet—for example, a TCP SYN-Acknowledgement (SYN-ACK) segment—to COMPUTER1 with IPsec protection.

  6. Subsequent packets sent between COMPUTER1 and COMPUTER2 are also protected by IPsec.

Because isolated hosts are domain members and have the domain isolation IPsec policy, every communication that one isolated host initiates with another is authenticated and protected by IPsec.

Communication with a non-isolated host initiated by an isolated host

When an isolated host with both Active Directory credentials and domain isolation IPsec policy settings (for example, COMPUTER1 in the figure) initiates communication with a non-isolated host (for example, COMPUTER3), the following occurs:

  1. The initial communication packet being sent by COMPUTER1—for example, a TCP SYN segment—matches the rule of the IPsec policy that specifies that the initiating host must attempt to secure the traffic with IPsec.

  2. COMPUTER1 sends an IKE negotiation request to COMPUTER3 to authenticate it and to negotiate the use of IPsec protection.

  3. Because COMPUTER3 has no IPsec policy, it does not answer the IKE request. COMPUTER1 retries, and when the retries time out the negotiation fails. (COMPUTER3 also has no domain credentials, so even a host that did answer IKE could not authenticate; see the note after this list.)

  4. Because the rule matched in Step 1 allows unsecured communication with computers that do not respond to IKE, COMPUTER1 sends the initial communication packet without IPsec protection.

  5. COMPUTER3 sends the response to the initial communication packet sent by COMPUTER1 without IPsec protection.

  6. COMPUTER1 and COMPUTER3 send subsequent packets without IPsec protection.

An isolated host tries to negotiate IPsec with every host it initiates communication with. When the peer does not respond to IKE, the isolated host falls back to sending packets without IPsec protection, so isolated hosts can still initiate communications with non-isolated hosts. Two caveats matter in practice. First, the fallback takes effect only after the IKE retries time out, so the first connection to a non-isolated host is delayed by a few seconds; later connections to the same host reuse the unsecured association until it expires. Second, in Windows Server 2003 the fallback is triggered only by the absence of an IKE response: if a peer answers IKE but cannot authenticate with domain credentials, the negotiation fails and the traffic is blocked rather than sent in the clear.

Communication with an isolated host initiated by a non-isolated host

When a non-isolated host (for example, COMPUTER3 in the figure) initiates communication with an isolated host (for example, COMPUTER2), the following occurs:

  1. Because COMPUTER3 does not have IPsec policy settings, it sends its initial communication packet—for example, a TCP SYN segment—without IPsec protection to COMPUTER2.

  2. On COMPUTER2, the initial communications packet sent by COMPUTER3 matches the rule of the IPsec policy that requires incoming communication attempts to be protected by IPsec.

  3. Because the rule does not allow COMPUTER2 to accept incoming communication attempts that are not protected by IPsec, COMPUTER2 discards the initial communications packet sent by COMPUTER3.

  4. COMPUTER2 also discards subsequent incoming communication attempts from COMPUTER3.

  5. COMPUTER3 fails in its attempt to communicate with COMPUTER2.

Isolated hosts discard all initial communication packets sent by non-isolated hosts, unless the non-isolated host is covered by an exemption rule in the IPsec policy.
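The following batch script is an added example, not part of the original article or of the Microsoft deployment guides it cites. It builds the simplified policy described under "Components of Domain Isolation" with the netsh ipsec static context available on Windows Server 2003 and Windows XP SP2, and its filter action settings are what produce the three communication cases above: kerberos=yes gives the isolated-to-isolated negotiation, soft=yes gives the fallback to clear when an isolated host initiates to a non-isolated host, and inpass=no is what makes an isolated host discard an unprotected initial packet from a non-isolated host. The domain name corp.example.com, the domain controller addresses 10.0.0.10 and 10.0.0.11, and all policy, filter list, and filter action names are assumptions chosen for the example.

```batch
@echo off
rem Added example (not from the original article): builds the domain
rem isolation policy with netsh ipsec static (Windows Server 2003 / XP SP2).
rem Assumptions (illustrative): the domain is corp.example.com and its
rem domain controllers are 10.0.0.10 and 10.0.0.11.

rem Work in the Active Directory policy store so the policy can be
rem assigned through a GPO instead of only on this computer.
netsh ipsec static set store location=domain domain=corp.example.com

netsh ipsec static add policy name="Domain Isolation" ^
    description="Require IPsec inbound, fall back to clear outbound" ^
    activatedefaultrule=no

rem Filter list 1: all IP traffic to and from this computer.
rem Filters are mirrored by default, so the reverse direction is covered.
netsh ipsec static add filterlist name="DI - All IP Traffic"
netsh ipsec static add filter filterlist="DI - All IP Traffic" ^
    srcaddr=Me dstaddr=Any protocol=ANY description="All IP traffic"

rem Filter list 2: exempted hosts. The domain controllers must stay
rem reachable in the clear because IKE's Kerberos authentication needs
rem a ticket from them before any negotiation can succeed.
netsh ipsec static add filterlist name="DI - Exempt Hosts"
netsh ipsec static add filter filterlist="DI - Exempt Hosts" ^
    srcaddr=Me dstaddr=10.0.0.10 dstmask=255.255.255.255 protocol=ANY description="DC1"
netsh ipsec static add filter filterlist="DI - Exempt Hosts" ^
    srcaddr=Me dstaddr=10.0.0.11 dstmask=255.255.255.255 protocol=ANY description="DC2"

rem Filter action for isolated hosts:
rem   inpass=no  : never accept an unprotected initial inbound packet
rem                (non-isolated host initiating to an isolated host: dropped)
rem   soft=yes   : if the peer never answers IKE, fall back to clear
rem                (isolated host initiating to a non-isolated host)
rem   ESP[None,SHA1] authenticates and integrity-protects without encrypting;
rem   use ESP[3DES,SHA1] instead where the traffic must also be encrypted.
netsh ipsec static add filteraction name="DI - Secure Request" ^
    action=negotiate inpass=no soft=yes qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="DI - Permit" action=permit

rem Rules. The filter engine applies the most specific matching filter,
rem so the single-address permit filters for the DCs take precedence over
rem the Me-to-Any negotiate filter.
netsh ipsec static add rule name="Exempt hosts" policy="Domain Isolation" ^
    filterlist="DI - Exempt Hosts" filteraction="DI - Permit"
netsh ipsec static add rule name="Secure all other traffic" policy="Domain Isolation" ^
    filterlist="DI - All IP Traffic" filteraction="DI - Secure Request" kerberos=yes

rem The policy now exists in the domain store. Assign it from the GPO
rem linked to the pilot OU (Computer Configuration, Windows Settings,
rem Security Settings, IP Security Policies on Active Directory).
rem "netsh ipsec static set policy ... assign=y" would only assign a
rem policy in the local store of this one computer.
```

Adding the exemption rule before the catch-all rule is a matter of readability only; precedence comes from filter specificity, not from rule order. Add any other host that must be reachable before a computer has a Kerberos ticket (for example, a non-domain DHCP or DNS server) to the exempt filter list rather than loosening the negotiate action.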

Overview of Domain Isolation Deployment

To deploy domain isolation, use the following basic procedure:

  1. Determine the state of your network infrastructure.

    Before you can begin planning for domain isolation, you must assess your organization's network. In your assessment, identify and document your network's physical topology (such as client and server computer configurations), logical topology (such as your Active Directory infrastructure, including trust relationships and the site and organizational unit structure), and current use of Group Policy settings. You must also determine which computers to exempt: at a minimum the domain controllers, plus any computer that cannot run the IPsec policy or that must be reachable before a member computer can authenticate.

  2. Design and test domain isolation IPsec policy in a lab network.

    Create a scaled-down version of your network in a physically isolated lab that is not connected to your production network. Then, configure the IPsec rules required to implement domain isolation for your network. Be sure to include isolated and non-isolated client computers in your test lab network. Use the test lab to ensure that the IPsec policies work as expected. Fine-tune your policy settings, as needed.

  3. Perform a pilot with a subset of computers.

    After verifying IPsec policy settings in the test lab, configure and activate the domain isolation IPsec policy on a subset of computers on your production network to test their behavior. For example, you might want to activate the IPsec policy settings for the computers in a specific Active Directory organizational unit.

  4. Roll out the IPsec policy in phases.

    After the pilot program is complete, begin activating the IPsec policy for other parts of your domain infrastructure in a phased rollout.
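The checks below are an added example, not part of the original article, of what to run on a pilot computer after the domain isolation policy has been assigned to its organizational unit (steps 2 through 4 above). They use only the gpupdate, ping, and netsh ipsec commands present on Windows Server 2003 and Windows XP SP2; the peer address 10.0.1.25 is an assumption, standing in for another isolated pilot host.

```batch
@echo off
rem Added example (not from the original article): checks run on a pilot
rem computer after the domain isolation GPO has been linked to its OU.
rem The address 10.0.1.25 is an assumed second isolated pilot host.

rem 1. Pull the new Group Policy settings now rather than waiting for
rem    the periodic refresh.
gpupdate /target:computer /force

rem 2. Confirm which IPsec policy is in force and that it came from the
rem    domain (GPO) store rather than a leftover local policy.
netsh ipsec static show gpoassignedpolicy

rem 3. Turn on IKE logging before testing. Negotiations are written to
rem    %SystemRoot%\Debug\Oakley.log and show why a negotiation failed
rem    (no response, authentication failure, or mismatched security methods).
netsh ipsec dynamic set config property=ikelogging value=1

rem 4. Trigger a negotiation with another isolated pilot host. The first
rem    reply reads "Negotiating IP Security." while IKE runs; once the
rem    security associations exist, later replies succeed normally.
ping 10.0.1.25

rem 5. Main-mode and quick-mode security associations prove that IKE
rem    authenticated the peer with Kerberos and that traffic to it is
rem    now IPsec-protected.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all

rem 6. IKE statistics. A rising "Soft Associations" count shows outbound
rem    fallback to clear, which should happen only toward non-isolated or
rem    exempt hosts; a rising "Authentication Failures" count points at a
rem    peer that answers IKE but has no valid domain credentials.
netsh ipsec dynamic show stats

rem 7. Turn IKE logging off again when the pilot checks are finished.
netsh ipsec dynamic set config property=ikelogging value=0
```

Run the same ping from a non-isolated lab computer toward the pilot host as well: it should receive no reply at all, and nothing should appear in the pilot host's main-mode SA list for that address, which is the expected outcome for the "non-isolated host initiates" case.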

For more information about deploying domain isolation, see "Server and Domain Isolation Using IPsec and Group Policy." For an example of how Microsoft deployed domain isolation, see "Improving Security with Domain Isolation."

© 2014 Microsoft. All rights reserved.