Isolating a Server by Requiring Encryption and Group Membership
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Domain isolation restricts domain-member computers to requiring authentication when communicating with other domain-member computers, and rejecting inbound connections that are not authenticated. This helps improve the security of most of the computers in your organization. Some servers, however, contain sensitive data, such as personal data, medical records, or credit card data that must be guarded even more carefully. In many cases government regulations specify that this data must be protected to make sure that only those users who have business need can physically get access to the data. You can use IPsec to provide this additional layer or protection in the form of server isolation. By using server isolation, you can further restrict access to sensitive data not just to unspecified domain member computers and users, but only those users and computers that have a legitimate business need. Often such data must also be encrypted during transmission to prevent eavesdropping.
By using Windows Firewall with Advanced Security, you can specify that specific network connections can be accessed only by specific users, based on their group membership. You can also specify that access is permitted only by specific computers based on computer account membership in a group. Both types of restriction are based on the authentication methods demonstrated in the previous section. Finally, you can also specify that these network connections must be encrypted by using one of several encryption algorithms.
For more information about server isolation, see:
Introduction to Server and Domain Isolation at https://go.microsoft.com/fwlink/?LinkID=94631
Server Isolation with Microsoft Windows Explained at https://go.microsoft.com/fwlink/?LinkID=94793
Steps for creating connection security rules to enforce server isolation
In this section, you create inbound firewall rules that specify that only users who are members of a specific group can access MBRSVR1. You also configure the rules to require encryption for all connections to the specified server.
Step 1: Creating the Security Group
Step 2: Modifying a Firewall Rule to Require Group Membership and Encryption
Step 3: Creating a Firewall Rule for the Client to Support Encryption
Step 4: Testing the Rule When Admin1 Is Not a Member of the Group
Step 5: Adding Admin1 to the Group and Testing Again
Note
In some environments, you might want to implement server isolation without domain isolation. This guide demonstrates server isolation as an additional layer added to domain isolation. To deploy server isolation by itself, you still must create and deploy authentication requesting connection security rules. But instead of deploying them to all computers in the organization, you only need to deploy them to the servers that are to be isolated, and to the client computers that are used to access the servers. You can do this by deploying the authentication connection security rules with the same security group filter as is demonstrated in this section.
Next topic: Step 1: Creating the Security Group