Export (0) Print
Expand All

Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone

Updated: January 27, 2010

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone.

Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access only to computers that are members of the NAG because IPsec and IKE in those versions of Windows do not support user-based authentication. Computers that are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 can identify both computers and users in the NAG because those versions of IPsec support AuthIP in addition to IKE. AuthIP adds support for user-based authentication.

The way in which these rules and settings are configured depends on whether the computers to which the GPO applies are running Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or an earlier version of Windows.

The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.

In this topic:

Checklist Checklist: Configuring rules for isolated servers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

noteNote
The GPOs for computers running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 7, make a copy of it for Windows Server 2008 R2, and then follow the steps in this checklist to make the few required changes to the copy.

 

  Task Reference

Checkbox

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist topic Checklist: Creating Group Policy Objects

Checklist topic Copy a GPO to Create a New GPO

Checkbox

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic Modify GPO Filters to Apply to a Different Zone or Version of Windows

Checkbox

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic Exempt ICMP from Authentication on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic Create an Authentication Exemption List Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic Configure Key Exchange (Main Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic Configure Data Protection (Quick Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional.

Procedure topic Configure Authentication Methods on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Create a rule that requests authentication for all inbound network traffic.

ImportantImportant
Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

Procedure topic Create an Authentication Request Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it.

Procedure topic Configure the Rules to Require Encryption on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Checkbox

Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.

Procedure topic Create a Group Account in Active Directory

Checkbox

Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG.

Procedure topic Restrict Server Access to Members of a Group Only

Checkbox

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic Link the GPO to the Domain

Checkbox

Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic Add Test Computers to the Membership Group for a Zone

Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested.

Checklist Checklist: Creating rules for isolated servers running Windows XP, Windows Server 2003, or Windows 2000

noteNote
The GPOs for computers that run Windows Server 2003, Windows XP, and Windows 2000 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO. For example, create and configure the GPO for Windows XP, make a copy of it for Windows Server 2003, and then follow the steps in this checklist to make the few required changes to the copy.

 

  Task Reference

Checkbox

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist, you can create a copy of it.

Checklist topic Create a Group Policy Object

Checklist topic Copy a GPO to Create a New GPO

Checkbox

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic Modify GPO Filters to Apply to a Different Zone or Version of Windows

Checkbox

Add registry settings that optimize IPsec behavior to the GPO.

Procedure topic Configure Settings to Optimize IPsec Behavior on Earlier Versions of Windows

Checkbox

Create a new IP Security policy in the GPO.

ImportantImportant
If IPsec policies exist, do not modify them. They are links to the IPsec policies available to all GPOs. Changes made to one will affect all GPOs that use that IPsec policy.

Procedure topic Create a New IP Security Policy in a GPO for Earlier Versions of Windows

Checkbox

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic Configure Key Exchange (Main Mode) Settings on Earlier Versions of Windows

Checkbox

Create IP filter lists for ICMP traffic, the exemption list, and all inbound IP traffic.

Procedure topic Create Filter Lists for Isolated Domain Computers and Isolated Servers Running Earlier Versions of Windows

Checkbox

Create filter actions to allow traffic, request authentication, and require authentication. If you require both authentication and encryption in your isolated server zone, then also create a filter action for that behavior.

Procedure topic Create Filter Actions on Earlier Versions of Windows

Checkbox

Create the IPsec rules that combine the filter lists and filter actions.

Procedure topic Create IPsec Rules for an Isolated Server Zone on Earlier Versions of Windows

Checkbox

Assign the IPsec policy to your GPO.

Procedure topic Assign an IPsec Policy to a GPO for Earlier Versions of Windows

Checkbox

If you have not already done so, create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.

Procedure topic Create a Group Account in Active Directory

Checkbox

Grant the Access this computer from the network user right to only computers or users who are authenticated members of the NAG.

Procedure topic Restrict Server Access to Members of a Group Only

Checkbox

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic Link the GPO to the Domain

Checkbox

Add your test computers to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic Add Test Computers to the Membership Group for a Zone

Checkbox

Verify that the IPsec rules are protecting your network traffic.

Procedure topic Verify That Network Traffic Is Authenticated

Do not change the rules for any of your zones to require authentication until all of the zones have been configured and thoroughly tested.

At this point, you can follow the steps in Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone. When you have completed the tasks in that checklist, you should have at least one computer in the client NAG that you can use to test your ability to connect to servers in the isolated server zone.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft