Domain Isolation Planning Guide for IT Managers

Applies To: Windows Server 2003 R2, Windows Server 2003 with SP1

Plan your domain isolation using the step-by-step planning information in this guide. This guide is designed to help you work with your IT staff to gather the necessary information, design your IPsec policies, and create a deployment plan.

This document is intended for IT professionals who are investigating using IPsec in Microsoft® Windows® to deploy domain isolation in their environments.

This guide includes an overview of the deployment process, a step-by-step guide to the planning process, and links to other resources that you can use in the planning and design process. The material in this guide covers the planning of the deployment but not the actual deployment process itself.

This guide provides material relevant only to Windows-based computers and is not intended as a guide for deploying domain isolation on operating systems other than Windows. This guide does not provide background information about IPsec and related technologies.

Terminology Used in This Guide

These terms are defined so that you can more clearly understand how they are used in this guide:

Domain isolation - The use of Internet Protocol security (IPsec) to require authentication, encryption, or both, among members of a Windows domain as well as between members of the domain and unknown or unauthorized computers.

Isolated host - A computer that is a member of an isolated domain.

Non-isolated computer - A computer that is not a member of an isolated domain.

Isolated domain - A domain or network that requires authentication, encryption, or both, by using IPsec before allowing any domain member to communicate with any other computer.

Boundary computer - A computer in the boundary group of an isolated domain that accepts secure communication from members of the isolated domain and unsecured communication from computers that are not members of the isolated domain.

Proxy server - A firewall component that manages Internet traffic to and from a local area network (LAN) and that can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and it can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

IT Roles Used in This Guide

The IT roles used in this guide are generalizations derived from the IT industry and should closely approximate those in your IT structure. Your roles might differ from these, but they are offered to help you assign tasks to your staff members.

Role and primary responsibilities:

IT Manager

Coordinates the deployment effort and communicates status to upper management. Manages the IT staff responsible for the infrastructure, desktop and server deployment, and server administration and operations. Evaluates the impact of the technology solution on core business and IT resources. Uses this guide to assign tasks to staff members, collect and collate information, guide the overall process of planning, and make the major decisions.

Systems Architect

Provides information and assists in IPsec policy design. Responsible for designing the overall server infrastructure for all systems. Develops server deployment strategies and policies. Contributes to networking connectivity design. Ensures that deployment policies are followed. Provides overall architectural guidance and assists in designing the isolated domains and policies for establishing these segments.

Security Manager

Provides information, assists in IPsec policy design, and assists IT Manager in planning. Responsible for determining and implementing server security policy. Evaluates new technology and its effects upon security and availability. Responsible for security issues and solutions. Is the primary source of information about what security levels are needed for segments, how segments might be designed around security needs, what current security policies and tools can be made obsolete by domain isolation, and what security concerns might arise in the design and implementation of domain isolation.

Windows Systems Administrator

Provides information and implements policies on Windows-based computers. Responsible for determining and implementing server security policy. Evaluates new technology and its effects upon security and availability. Responsible for security issues and solutions. Is the primary source of information about what security levels are needed for segments, how segments might be designed around security needs, what current security policies and tools can be made obsolete by domain isolation, and what security concerns might arise in the design and implementation of domain isolation.

UNIX Systems Administrator

Provides information and assists Helpdesk and Security Managers in planning. Responsible for configuration and administration of UNIX servers, including upgrades, backups, capacity monitoring, and planning and interoperability issues with Windows systems. Is the primary source of information about IPsec interoperability between UNIX and Windows.

Network Administrator

Provides information and assists in IPsec policy design and implementation. Responsible for overall connectivity for the entire network, including hardware. Manages connectivity between heterogeneous systems (Windows and UNIX). Troubleshoots all performance issues across the network. Provides significant input regarding how the network will influence the design of, or be affected by, IPsec policies.

Database Administrator

Provides information and assists in IPsec policy design. Also assists in the configuration and management of database solutions. Evaluates build images, deploys new databases and changes, and conducts server integration testing. Is the primary source of information about how domain isolation might affect database access and performance.

Desktop Configuration Manager

Provides information and assists in IPsec policy design and implementation. Responsible for provisioning desktop PCs and deploying service packs and updates to these PCs. Involved in setting the strategic direction for the desktop operating system and applications. Is the primary source of information about how IPsec policies might affect desktop configuration.

Helpdesk Manager

Provides information and creates user education and notification materials. Responsible for all Helpdesk operations. Is the primary contact for information about how users might be affected, or respond to, access issues during or after deployment, and how user education can help mitigate any issues that might arise.

Introduction to Deployment Planning Phases

This section provides a brief overview of the phases involved in the domain isolation planning process. The process is suggested as a way of making domain isolation deployment as effective and efficient as possible. It describes how you can work with your IT team to gather the needed information, discuss domain isolation issues, create a deployment plan, design IPsec policies, and test and refine those policies to reduce any user and operations issues that might arise from domain isolation.

Collect Information About Your IT Environment

You and your team will gather information about network topology, security policy and implementation, server operating systems and applications, service level agreements (SLAs), user types, any interoperability issues or concerns, and regulations or other external constraints. This information will be used along with other information, such as IT policies and guidelines and any business needs, to determine what domain isolation needs you have and then to design the IPsec policies that will be used to fulfill those needs.

Determine Your Domain Isolation Needs

You and your team will use the collected information and determine what kind of isolation needs you have, based upon business needs, regulatory influences, security requirements, Service Level Agreements, the IPsec technology, user needs, and other factors.

Design Your IPsec Policies

This is probably the most crucial phase and requires close attention to the details of designing IPsec filter lists, filter actions, rules, and policies for each segment. Carefully designed policies make the deployment process smooth and efficient, the isolation effective, and the protection of your assets solid, and they keep user problems to a minimum while still meeting all SLAs, regulatory requirements, and other criteria.

Deploy the Policies in a Test Environment

Your team can test the domain isolation deployment and discover any refinements that should be made to the IPsec policies and the deployment process before deploying to a large or business-critical segment. The test environment can be designed specifically for deployment testing, or it can be a small, non-business-critical domain environment.

Refine Policies

The test phase might highlight some connectivity, security, or administration issues that can be addressed by refinements to your IPsec policies, by adjustments in operations and administration, or by improvements in user education. This information is important for a smooth and effective deployment.

Create a Deployment Schedule

Once you have completed your plans and IPsec policies, your team can discuss and solidify how, when, and where you will implement domain isolation. This phase is where you can discuss any potential problems with the schedule and agree on the best plan for actual deployment.

Prepare for User and Infrastructure Support

Before deployment you can develop plans, documents, and tools to assist your Helpdesk staff to deal with pre-deployment notification and education, user issues during deployment, and any post-deployment issues that might arise as a result of domain isolation deployment.

Inform Team Members About IPsec

The planning and design of domain isolation will be more efficient and effective if your team has a good understanding of what IPsec is and how it can be used for domain isolation. The following table lists the type of IPsec information that might be useful before you begin the domain isolation planning phases.

Action | Owner
Review IPsec concepts. | As needed
Review examples of domain isolation deployment. | IT Manager, Systems Architect, Security Manager
Review IPsec limitations. | IT Manager, Systems Architect, Security Manager, others as needed
Review IPsec interoperability information. | IT Manager, Systems Architect, Security Manager, others as needed

Phase 1: Collect Information About Your IT Environment

Collect Computer Information

Because not all computers in your environment will implement IPsec the same way, you must document the operating systems and service pack versions on your computers, both servers and desktop computers.

Action | Owner
Identify IPsec-compatible Windows-based computers (Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server™ 2003). | Windows Systems Administrator
Identify IPsec-incompatible Windows-based computers (Microsoft Windows 98, Microsoft Windows Millennium Edition, and Microsoft Windows NT® 4.0). | Windows Systems Administrator, Desktop Configuration Manager
Identify IPsec-incompatible computers using operating systems other than Windows (UNIX, BSD UNIX, Macintosh OS X, Linux, IBM OS390, Sun Microsystems Solaris 8, etc.). | UNIX Systems Administrator, Desktop Configuration Manager

Collect Network Device Information

Network devices, such as routers or firewalls, are also involved in the domain isolation, and their IPsec capabilities must be documented to ensure that deployment planning takes them into account.

Action | Owner
Identify IPsec-compatible network devices (Cisco IOS, Lucent VPN Firewall Bricks, Lucent Access Point IP services routers, 3Com SuperStack 3 Firewall, Nortel VPN Gateways, etc.). | Network Administrator
Identify IPsec-incompatible network devices (devices that cannot allow IPsec-protected packets to traverse the network). | Network Administrator, Systems Architect, UNIX Systems Administrator

Collect Active Directory/Domain Information

Your IPsec policy design will be strongly influenced by your domain structure. Document your domain structure to identify organizational and business units that might require different levels of security and other information.

Action | Owner
Document your domain structure. | Systems Architect
Document your organizational units (OUs). | Systems Architect, IT Manager
Document your global security groups. | Security Manager

Collect Regulation and Other External Constraint Information

Your organization might be affected by regulations that require enhanced security, access to information, or other actions. By being aware of these impacts during the IPsec policy design, you can ensure compliance or plan for compliance issues.

Action | Owner
Identify any government regulations that might affect planning and design. | IT Manager, Security Manager
Identify any business partner regulatory requirements that might affect planning and design. | IT Manager
Identify any international regulatory requirements that might affect planning and design. | IT Manager
Identify any company policies that might affect planning and design. | IT Manager

Collect Security Information

Your IPsec policy design will be strongly influenced by your current security policies and practices, such as firewall configurations. IPsec policies will also affect and expand your security policies.

Action | Owner
Document your firewall configurations. | Security Manager
Document logon scripts or policies that might affect IPsec policies. | Security Manager
Document your software update policies and processes. | Security Manager
Document your application deployment policies. | Security Manager
Document your security response plan. | Security Manager

Collect Service Level Agreement Information

Your domain isolation planning process must be designed and deployed in a way that complies with your SLAs. By being aware of these SLAs during the planning and design process, you can ensure compliance or make plans for mitigating and dealing with any compliance problems.

Action | Owner
Identify any internal/direct SLA requirements that might affect planning and design. | IT Manager, UNIX Systems Administrator, Database Administrator, Desktop Configuration Manager, Network Administrator
Identify any business partner SLA requirements that might affect planning and design. | IT Manager
Identify any international SLA requirements that might affect planning and design. | IT Manager

Collect User and Partner Connectivity Information

You need to consider how domain isolation will affect user connectivity during and after the deployment. This information can guide you in designing and deploying IPsec policies or in training staff and informing users before and after deployment.

Action | Owner
Identify IT administrative staff that must have uninterrupted connectivity. | IT Manager
Identify knowledge workers. | Desktop Configuration Manager
Identify Helpdesk staff members that require detailed knowledge of the deployment. | Helpdesk Manager
Identify internal or external partners that require uninterrupted connectivity. | IT Manager
Document any applications that require uninterrupted connectivity. | Desktop Configuration Manager, Windows Systems Administrator, Database Administrator
Identify security personnel that must monitor security during the deployment. | Security Manager

Collect Interoperability Information

Understanding how your IPsec policy design and deployment might affect IPsec-incompatible computers and computers with other implementations of IPsec will help you to plan the security for these computers and to determine how they will connect to IPsec-incompatible computers.

Action | Owner
Identify any servers that are incompatible with the Microsoft implementation of IPsec but must access resources on Windows servers. | UNIX Systems Administrator, Desktop Configuration Manager
Identify any Windows servers that are incompatible with servers configured for a non-Microsoft implementation of IPsec but must access resources on these servers. | Windows Systems Administrator
Identify any applications that might require IPsec policy exemptions for business reasons. | Desktop Configuration Manager, Windows Systems Administrator

Phase 2: Determine Your Domain Isolation Needs

Business Needs

Your IPsec policies must also take into account your business needs and the financial impact that the deployment might have.

Action | Owner
Document how knowledge workers, internal customers, and partners will be affected by domain isolation deployment and the business impact of this. Document how these effects will be mitigated. | Helpdesk Manager, Desktop Configuration Manager, Security Manager
Document how the operations infrastructure will be affected by domain isolation deployment and the business impact of this. | Security Manager, Systems Architect, IT Manager

Regulation Needs

Government and international regulations might influence your IPsec policy designs. You should enumerate the regulations and restrictions you must comply with and take these into account during the design phase.

Action | Owner
Document the regulations you must comply with. | IT Manager, Security Manager
Determine the time frame you have to comply. | IT Manager
Determine how you can use domain isolation to comply with these regulations. | IT Manager, Security Manager, Systems Architect

Security Management Needs

You might have sensitive data or servers that require additional security in your environment. You should enumerate these and take into account what levels and types of security you want domain isolation to provide.

Action | Owner
Document any effects of deploying domain isolation upon current security policies. | Security Manager
Identify whether any additional security administration will be required. | Security Manager, Desktop Configuration Manager, IT Manager
Determine whether any of your current security technologies are incompatible with domain isolation. | Security Manager, Network Administrator, Systems Architect
Identify where you will need boundary computers. | Security Manager, Network Administrator, UNIX Systems Administrator
Determine and document what additional security methods will be used to protect boundary hosts. | Security Manager, Network Administrator, Systems Architect

Service Level Agreement Needs

During the planning process, determine whether the deployment will negatively affect your SLAs.

Action | Owner
Determine how domain isolation will affect deployment and administration of SLAs. | IT Manager
Document how any effects on deployment and administration of SLAs will be measured. | IT Manager
Document how any effects on deployment and administration of SLAs will be mitigated or corrected. | IT Manager, Security Manager
Determine how any effects upon SLAs will be communicated to the appropriate parties. | IT Manager, Helpdesk Manager

IPsec Technology Needs

Some of the policy design decisions are based on the IPsec technology itself and how it secures traffic and data.

Action | Owner
Document which of the four IPsec-negotiated security modes (listed after this table) will be used, where they will be used, and why. | Security Manager
Identify where IPsec tunnel mode will be needed. | Security Manager, Network Administrator
Identify where data integrity using Authentication Header (AH) will be needed. | Security Manager, Systems Architect
Identify where data integrity and encryption (using ESP) will be needed. | Security Manager, Network Administrator
Document which forms of encryption will be used and where. | Security Manager
Document which forms of authentication will be used and where. | Security Manager
Identify which infrastructure applications or servers, such as DNS and DHCP servers, will need to be added to the default exemptions so that all clients can access them. | Security Manager, Systems Architect
Identify which ports/protocols will need to be opened in firewalls for IPsec. | Security Manager, Network Administrator
Identify where no IPsec protection will be needed. | Security Manager, Network Administrator, UNIX Systems Administrator, Desktop Configuration Manager

The four modes are:

  • Request Mode. A host responds to both IPsec and unauthenticated (non-IPsec) requests. It initiates communications with IPsec and, if that fails, allows unauthenticated communications.

  • Secure Request Mode. A host responds to requests secured by IPsec and ignores unauthenticated requests. It initiates communications with IPsec and, if that fails, falls back to unauthenticated communication.

  • Secure Require Mode. A host requires IPsec-secured communications for both incoming and outgoing requests.

  • Default Response. A host responds to IPsec requests, but never initiates IPsec.
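The following is an added example, not part of the guide: a small Python model of the four modes listed above, so the planning team can see what each mode does with a peer that cannot, or fails to, negotiate IPsec. The mapping of each mode to the two Windows filter-action negotiation settings (accept unsecured inbound communication; fall back to unsecured outbound communication when negotiation fails) is this editor's reading of the mode descriptions, and Default Response is modelled as a host that never initiates IPsec and, with only the default response rule active, is assumed not to block clear-text traffic.

```python
"""Model of the four IPsec negotiation modes (added example, not from the guide).

Assumed mapping to Windows filter-action settings: 'accept_unsecured' is the
"accept unsecured communication, but always respond using IPsec" option and
'fall_back_to_clear' is the "allow unsecured communication with non-IPsec-aware
computers" option. Default Response is assumed not to block clear text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mode:
    name: str
    initiates_ipsec: bool     # starts IKE for connections this host opens
    accept_unsecured: bool    # answers inbound clear-text requests
    fall_back_to_clear: bool  # sends in clear if the peer cannot negotiate


MODES = {
    "request":          Mode("Request Mode", True, True, True),
    "secure_request":   Mode("Secure Request Mode", True, False, True),
    "secure_require":   Mode("Secure Require Mode", True, False, False),
    "default_response": Mode("Default Response", False, True, True),
}


def outbound(mode_key, peer_negotiates):
    """Outcome when this host opens a connection: 'ipsec', 'clear' or 'dropped'."""
    m = MODES[mode_key]
    if not m.initiates_ipsec:
        return "clear"            # never initiates IPsec, so traffic leaves in clear
    if peer_negotiates:
        return "ipsec"
    return "clear" if m.fall_back_to_clear else "dropped"


def inbound(mode_key, request_is_ipsec):
    """Outcome when a peer contacts this host."""
    m = MODES[mode_key]
    if request_is_ipsec:
        return "ipsec"
    return "clear" if m.accept_unsecured else "dropped"


def never_in_clear(mode_key):
    """True only for a mode that can neither send nor accept clear text."""
    return all((
        outbound(mode_key, True) == "ipsec",
        outbound(mode_key, False) != "clear",
        inbound(mode_key, False) != "clear",
    ))


def matrix():
    """Outcome table: every mode against IPsec-capable and non-IPsec peers."""
    return {
        key: {
            "out_to_ipsec_peer": outbound(key, True),
            "out_to_non_ipsec_peer": outbound(key, False),
            "in_from_ipsec_peer": inbound(key, True),
            "in_from_non_ipsec_peer": inbound(key, False),
        }
        for key in MODES
    }


if __name__ == "__main__":
    for key, row in matrix().items():
        print(f"{MODES[key].name:22s}", row)
```

Two points the table makes visible: a boundary computer (see Terminology) behaves like Request Mode on the inbound side, accepting secured traffic from domain members and unsecured traffic from everyone else; and Secure Request Mode protects a host only from unauthenticated inbound requests, because anything it sends to a peer that fails negotiation still leaves in clear text. Only Secure Require Mode satisfies never_in_clear(), which is why the row "Identify where no IPsec protection will be needed" deserves an explicit answer rather than a default.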

User and Partner Needs

Your domain isolation design and deployment plans should also take into account how the process might affect the ability of users and partners to access information stored on your network.

Action | Owner
Determine how users might be affected by the deployment. | Helpdesk Manager
Determine what user education steps can be taken to prepare users for the deployment and any possible issues resulting from it. | Helpdesk Manager
Determine how partners might be affected by the deployment. | IT Manager
Determine what steps can be taken to prepare partners for the deployment and any possible issues resulting from it. | IT Manager, Helpdesk Manager

Interoperability Needs

If your environment includes computers that either cannot implement IPsec or whose implementation of IPsec is not the same as the Microsoft implementation, then you need to determine how, or even if, you will allow these computers to communicate with IPsec-incompatible computers.

Action | Owner
Determine how IPsec-incompatible servers and Macintosh clients will communicate. | UNIX Systems Administrator, Security Manager
Determine how IPsec-compatible computers will communicate with IPsec-incompatible Windows clients. | Desktop Configuration Manager, Security Manager
Document how any effects of denied communications will be mitigated or corrected. | UNIX Systems Administrator, Desktop Configuration Manager, Security Manager
Determine which Windows services cannot be used with higher levels of IPsec protection. | Security Manager, Windows Systems Administrator
Determine whether there are any current IPsec policies (local or global) that might conflict with ones being designed. | Security Manager

Phase 3: Design Your IPsec Policies

Review IPsec Policy Design Documentation

Action | Owner
Designing IPSec Policies | Security Manager, Systems Architect
Understanding Default IPSec Policies | Security Manager, Systems Architect
Determining Your IPSec Needs | Security Manager, Systems Architect
Special IPSec considerations | Security Manager, Systems Architect
Weighing IPSec Tradeoffs | Security Manager, Systems Architect
Establishing an IPSec security plan | Security Manager

Create a Naming Convention

You can create a naming convention for policies, filter lists, and filter actions. A naming convention can make backing up, restoring, and managing changes to policies much easier.

Policy names should include the isolated domain and the date issued, for example, "Accounting_3.28.2005." Filter list names should describe the type of network traffic they match, for example, "All ICMP Traffic." Filter action names should describe the level of security they provide and the type of negotiation they use, for example, "Request Security."

Action | Owner
Determine a naming convention for policies. | Security Manager, Systems Architect
Determine a naming convention for filter lists. | Security Manager, Systems Architect
Determine a naming convention for filter actions. | Security Manager, Systems Architect

Create an IPsec Policy Management Process

A policy management process can reduce confusion and make backing up, restoring, and managing changes to policies much easier.

If you plan to create policies for a Windows Server 2003-based computer, you should keep in mind that Windows Server 2003 incorporates some new features that are not available in Windows XP or Windows 2000. For more information, see "IPsec Policy Compatibility Considerations" in Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server.

Action | Owner
Document how policies will be created. | Systems Architect
Document where policies will be backed up. | Systems Architect
Document how policies will be backed up. | Systems Architect
Document how policies will be changed, adjusted, and deployed. | Systems Architect
Determine how changes and backups will be documented. | Systems Architect
Determine how policies will be secured. | Security Manager

Review Example IPsec Policies

Microsoft provides default IPsec policies with Windows, and also in the Windows Server 2003 Security Guide, that you might be able to use, with modifications, in your environment. These can also be used as examples in your policy design process.

Action | Owner
Review the default policies. | Security Manager
Determine whether any of these policies can be used with modifications for your environment. | Security Manager
Review the policies provided in the Windows Server 2003 Security Guide. | Security Manager
Determine whether any of these policies can be used with modifications for your environment. | Security Manager

Design IPsec Filter Actions

If the intranet traffic is to be secured, filter actions specify an ordered set of security methods (such as which integrity and encryption methods are used) and other settings. A combination of a filter action and a filter list make up a rule in an IPsec policy.

Try to create the fewest filter actions that meet your needs. For example, Microsoft IT was able to use only three for its environment. Your environment might be more diverse and might require more.

Action | Owner
Determine where encryption of packet contents is required. | Security Manager
If encryption is used, determine which encryption algorithm is appropriate. | Security Manager
If encryption is not being used, determine whether packet integrity (signing) is necessary or desired. | Security Manager
Determine whether the correct action is to block, permit, or negotiate security. | Security Manager, Systems Architect
Determine whether the negotiation allows unsecured connections with IPsec-incompatible computers or IPsec-compatible computers with which IPsec negotiations fail. | Security Manager, Systems Architect

Design IPsec Filters and Filter Lists

IP filters define matching criteria for a computer or a group of computers by specifying source and destination IP addresses, IP protocols, and source/destination TCP or UDP ports. Filter lists are a collection of one or more IP filters that logically belong together as a unit and that should have only one filter action associated with them. A rule combines a filter list with a filter action.

As a best practice, use the Any IP address setting rather than the My IP address setting to mitigate problems with DHCP changing IP addresses. Additional best practices are provided in Improving Security with Domain Isolation.

Action | Owner
Determine which IP addresses or subnets should be included in the filter lists. | Systems Architect, Security Manager
Determine which protocol/port combinations belong in the filter lists. | Systems Architect, Security Manager
Determine where the filters within the filter lists should and should not be mirrored. | Systems Architect, Security Manager

Design IPsec Policy Rules

An IPsec policy rule combines a filter list with a filter action. If the filter action requires security, then the rule also specifies authentication methods, tunnel mode settings, and the types of interfaces to which this rule applies.

Action | Owner
Pair the filter lists with the appropriate filter actions to define the set of rules for the IPsec policy. | Systems Architect, Security Manager
Determine whether the default response rule needs to be enabled or disabled. | Systems Architect, Security Manager
For rules requiring security, determine which authentication methods the rule uses to establish trust. | Systems Architect, Security Manager

Design IPsec Policies

IPsec policies are a collection of one or more rules. Policies should group together all the rules that are appropriate for distribution to an organizational unit (OU), domain, or security group of the Active Directory® directory service.

Each segment will typically have an associated IPsec policy. The same policy might apply to many segments. Each computer can have only one policy assigned (active) at a time.

Action | Owner
Determine where the policy will be deployed. | Security Manager, Systems Architect
Determine which rules need to be added to the policy. | Security Manager, Systems Architect
Determine which computers or subnets will need to be added to an exemption list. | Security Manager, Systems Architect
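The following is an added example, not part of the guide: a Python model of the policy objects this phase describes (IP filters grouped into filter lists, filter actions, rules that pair a list with an action and authentication methods, and a policy made of rules), built to show how the pieces from "Design IPsec Filter Actions" through "Design IPsec Policies" fit together. evaluate() picks the most specific matching filter, which is how Windows IPsec resolves overlapping filters (the scoring here is a simplification), and honours mirrored filters; lint() checks the policy name against the convention from "Create a Naming Convention" plus two design rules stated in the text (one filter action per filter list, and an authentication method on every rule that negotiates security). The sample policy, its names and its addresses are constructed for the example.

```python
"""Model of Windows IPsec policy objects (added example, not from the guide).
evaluate() applies the most specific matching filter (simplified scoring) with
mirroring; lint() checks the naming convention and two design rules from the
text. All names and addresses below are constructed."""
import ipaddress
import re
from collections import namedtuple

ANY = "any"
# Address specs are 'any', a host IP, or a CIDR subnet; a port of None means any port.
Filter = namedtuple("Filter", "src dst protocol src_port dst_port mirrored",
                    defaults=(ANY, None, None, True))
FilterList = namedtuple("FilterList", "name filters")
FilterAction = namedtuple("FilterAction", "name action")   # permit / block / negotiate
Rule = namedtuple("Rule", "filter_list filter_action auth_methods", defaults=((),))
Policy = namedtuple("Policy", "name rules")
Packet = namedtuple("Packet", "src dst protocol src_port dst_port", defaults=(None, None))


def _addr_score(spec, ip):
    """Specificity of an address match: host 2, subnet 1, any 0; None if no match."""
    if spec == ANY:
        return 0
    net = ipaddress.ip_network(spec, strict=False)
    if ipaddress.ip_address(ip) not in net:
        return None
    return 2 if net.num_addresses == 1 else 1


def _port_score(spec, port):
    return 0 if spec is None else (1 if spec == port else None)


def _one_way(f, pkt, src, dst, sport, dport):
    scores = (_addr_score(src, pkt.src), _addr_score(dst, pkt.dst),
              0 if f.protocol == ANY else (1 if f.protocol == pkt.protocol else None),
              _port_score(sport, pkt.src_port), _port_score(dport, pkt.dst_port))
    return None if None in scores else sum(scores)


def filter_score(f, pkt):
    """Best specificity score of one filter against a packet, honouring mirroring."""
    best = _one_way(f, pkt, f.src, f.dst, f.src_port, f.dst_port)
    if f.mirrored:  # a mirrored filter also matches the reverse direction
        back = _one_way(f, pkt, f.dst, f.src, f.dst_port, f.src_port)
        if back is not None and (best is None or back > best):
            best = back
    return best


def evaluate(policy, pkt):
    """(action, rule) for the most specific matching filter, or ('unfiltered', None)."""
    winner = None
    for rule in policy.rules:
        for f in rule.filter_list.filters:
            s = filter_score(f, pkt)
            if s is not None and (winner is None or s > winner[0]):
                winner = (s, rule)
    return ("unfiltered", None) if winner is None else (winner[1].filter_action.action, winner[1])


POLICY_NAME = re.compile(r"^[A-Za-z0-9]+_\d{1,2}\.\d{1,2}\.\d{4}$")   # e.g. Accounting_3.28.2005


def lint(policy):
    """Findings: naming convention, one action per filter list, auth on negotiating rules."""
    findings = []
    if not POLICY_NAME.match(policy.name):
        findings.append(f"policy name '{policy.name}' is not <Domain>_M.D.YYYY")
    actions_by_list = {}
    for r in policy.rules:
        actions_by_list.setdefault(r.filter_list.name, set()).add(r.filter_action.name)
        if r.filter_action.action == "negotiate" and not r.auth_methods:
            findings.append(f"rule for '{r.filter_list.name}' negotiates without an authentication method")
    for name, acts in actions_by_list.items():
        if len(acts) > 1:
            findings.append(f"filter list '{name}' is paired with several filter actions: {sorted(acts)}")
    return findings


# Constructed sample: an isolated Accounting domain with DNS and DHCP server exemptions.
DNS_SERVER, DHCP_SERVER = "10.0.0.53", "10.0.0.67"
INFRA = FilterList("Infrastructure Servers", (
    Filter(ANY, DNS_SERVER, "udp", dst_port=53),
    Filter(ANY, DNS_SERVER, "tcp", dst_port=53),
    Filter(ANY, DHCP_SERVER, "udp", dst_port=67),
))
ALL_IP = FilterList("All IP Traffic", (Filter(ANY, ANY),))
ALL_ICMP = FilterList("All ICMP Traffic", (Filter(ANY, ANY, "icmp"),))
PERMIT = FilterAction("Permit", "permit")
REQUEST = FilterAction("Request Security", "negotiate")
ACCOUNTING = Policy("Accounting_3.28.2005", (
    Rule(INFRA, PERMIT),                               # exemption: clear text to DNS/DHCP
    Rule(ALL_ICMP, PERMIT),
    Rule(ALL_IP, REQUEST, auth_methods=("kerberos",)),
))
```

Running evaluate() over the sample shows why exemptions work even though "All IP Traffic" also matches every packet: a DNS query to 10.0.0.53 on UDP 53 is permitted in the clear (the host/port-specific filter outscores the catch-all), the reply is permitted through the same mirrored filter, while SMB on TCP 445 to any other host, and even non-DNS traffic to the DNS server, falls to the "All IP Traffic" rule and must negotiate. lint() is the kind of check worth running on every policy before it is backed up or assigned, since a negotiating rule without an authentication method, or one filter list wired to two actions, is exactly the design defect the Phase 5 tests would otherwise have to discover.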

Phase 4: Deploy the Policies in a Test Environment

Determine the Appropriate Test Environment

The test environment will help you find and resolve any issues that could arise from your domain isolation deployment. The more closely the test environment represents your actual IT environment, the more effective this testing will be.

Action | Owner
Determine whether the current test environment is appropriate for testing domain isolation. | Security Manager, Systems Architect, Network Administrator
If the test environment is not appropriate, determine what changes need to be made to the test environment to properly test policy design and deployment. | Security Manager, Systems Architect, Network Administrator
Determine the cost/benefit of making changes to the test environment. | IT Manager, Security Manager, Systems Architect, Network Administrator
Determine whether testing can be accomplished in a smaller, non-critical domain or subdomain. | IT Manager, Security Manager, Systems Architect, Network Administrator

Deploy the Policies to the Test Environment

You should deploy the policies using the plan you have created. If you are also deploying non-Microsoft IPsec solutions, such as those for UNIX or Apple Macintosh computers, you should deploy the one with the largest operating base first and refine and stabilize it before deploying the other solutions. If you are using these solutions, be sure to test them all together before deploying to your IT environment.

Action | Owner
Deploy the least restrictive policy. | Security Manager
Monitor the communications in this segment for failures and other issues. | Network Administrator
Correct any policy design issues (see "Refine Policies" below). | Security Manager, Systems Architect, Network Administrator
Continue to deploy, monitor, and correct until the deployment is successful. | Security Manager, Systems Architect, Network Administrator
Deploy other policies in order of increasing restriction. | Security Manager, Systems Architect, Network Administrator

Phase 5: Refine Policies

During your test deployment, you might have issues that require a change to existing policies or the addition of new policies. The testing and refining process might require more than one cycle to find all the issues and redesign your policies to fit your environment.

For more information about troubleshooting IPsec issues, see "Testing and Monitoring Successful IPsec Operation" in Using Microsoft Windows IPsec to Help Secure an Internal Corporate Network Server.

Action Owner

Determine whether any computers that should be able to connect are blocked.

Network Administrator, Windows Systems Administrator, Desktop Configuration Manager

Determine whether any computers that should be blocked can connect.

Network Administrator, Security Manager

Determine whether any computer's performance is significantly affected by the policies.

Network Administrator, Database Administrator, Windows Systems Administrator

Determine whether any computers already have a conflicting IPsec policy implemented.

Network Administrator, Security Manager, Windows Systems Administrator, Desktop Configuration Manager

Determine whether any computers need to be updated so they can implement IPsec properly (for example, computers running Windows 2000, Windows XP with no service pack, or Windows XP with SP1 must be updated before they support IPsec NAT traversal (NAT-T)).

Network Administrator, Security Manager, Windows Systems Administrator, Desktop Configuration Manager

Determine whether any computers or network devices that were thought to be IPsec-compatible are not.

Network Administrator, Security Manager

Determine whether any computers that can use IPsec must have policies changed to work correctly (for example, any VPN servers that are not domain members, and therefore cannot use Kerberos v5 authentication, must use a certificate or preshared key).

Network Administrator, Security Manager

Determine where VPN or other remote connections do not work with IPsec.

Network Administrator, Security Manager

Determine whether there are any features or configurations that will not work with IPsec.

Network Administrator, Security Manager

Phase 6: Create a Deployment Schedule

The policy testing and refinement processes will provide you with valuable information about how the deployment is best implemented for a given segment. You can also use the answers to the planning questions earlier in this guide to help you determine the best sequence of, and time frame for, IPsec deployment to your environment. Information gathered from the actions listed below can help you determine your deployment schedule.

As a best practice, Microsoft IT found it worked best to deploy to smaller, non-critical domains first, then to larger domains, and finally to mission-critical domains. They also deployed "Request Mode" first and then "Secure Mode," so that negotiation failures showed up as unsecured traffic that could be investigated rather than as blocked connections. Additional best practices are provided in Improving Security with Domain Isolation.

Action Owner

Document the order in which the segments will be deployed.

IT Manager, Systems Architect, Security Manager

Document the best date and time for the deployment.

IT Manager, Systems Architect

Document how you will monitor the segment to make sure it is working properly.

Systems Architect, Security Manager

Document a contingency plan if connectivity is blocked.

Systems Architect, Security Manager

Document how you will back out a change if something goes wrong.

Systems Architect, Security Manager

Determine when all parties should be informed of a pending change.

Helpdesk Manager

Determine how you will know that the deployment is sound enough to be implemented on the next segment.

Systems Architect, Security Manager, Helpdesk Manager

Determine how you will know that the entire deployment is sound and the goals have been achieved.

IT Manager, Systems Architect, Security Manager, Helpdesk Manager

Phase 7: Prepare for User and Infrastructure Support

After you have finalized your deployment schedule, you can finalize when and how you will inform the operations staff, department heads, server owners, application owners, users, and partners of the pending changes. Ready access to information about the process is important to a smooth deployment; make the information available online (and in written form) well ahead of the actual deployment. The actions listed below can help you determine your Helpdesk needs.

Action Owner

Inform the Helpdesk staff of the changes, what they need to do to prepare for them, what they can expect to experience, and who to contact in case of problems.

Helpdesk Manager

Train Helpdesk staff using simulation drills with problems that are likely to arise.

Helpdesk Manager

Inform the Helpdesk staff about IPsec and the deployment process, possible problems that might arise, resources for helping users with these problems, and escalation of problems.

Helpdesk Manager

Inform the following groups of the changes, what they need to do to prepare for them, what they can expect to experience, and who to contact in case of problems:

  • Department heads

  • IT Operations staff

  • IT Security staff

  • Server owners

  • Application owners

  • Users

  • Partners

Helpdesk Manager, Windows Systems Administrator

Document confirmation of compliance from all parties, signifying that they understand and have made all changes necessary for compliance.

Helpdesk Manager, IT Manager

Other Resources

IPsec concepts and overview
Examples of IPsec deployments
IPsec interoperability
IPsec limitations
Designing IPsec policies
IPsec implementation details
IPsec testing
IPsec troubleshooting