Server and Domain Isolation Using IPsec and Group Policy
Published: March 17, 2005 | Updated: July 24, 2006
Download this Solution Accelerator
Click here for Server and Domain Isolation Using IPSec and Group Policy.
About This Solution Accelerator
This guide is designed to support a server and domain isolation solution through all stages of the IT life cycle, starting at the initial evaluation and approval phase and continuing through to deployment, testing, and management of the completed implementation.
The advent of wireless networks and wireless connection technologies has made network access easier than ever. This increased connectivity means that domain members on the internal network are increasingly exposed to significant risks from other computers on the internal network, in addition to breaches in perimeter security.
The concept of logical isolation this guide presents embodies two solutions—server isolation to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members, and domain isolation to isolate domain members from untrusted connections. These solutions can be used separately or together as part of an overall logical isolation solution.
At its core, server and domain isolation enables IT administrators to restrict the TCP/IP communications of domain members that are trusted computers. These trusted computers can be configured to accept incoming connections only from other trusted computers or from a specific group of trusted computers. Active Directory Group Policy centrally manages the access controls that govern network logon rights. Nearly all TCP/IP network connections can be secured without application changes, because Internet Protocol security (IPSec) works at the network layer, below the application layer, to provide authentication and per-packet security end-to-end between computers. Network traffic can be authenticated, or authenticated and encrypted, in a variety of customizable scenarios.
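The following script is an added illustration of the mechanism just described and is not one of the guide's own Tools and Templates. It builds a minimal domain isolation policy with the netsh ipsec static context available on Windows XP and Windows Server 2003: a filter covering all IP traffic, a filter action that negotiates IPsec, and a rule that accepts only Kerberos-authenticated peers, which in practice means computers with an Active Directory computer account. The policy, filter list, filter action, and rule names are constructed for this example; in a production deployment the same policy would be created in a Group Policy object and assigned to the isolation group's organizational units rather than assigned locally.

```batch
@echo off
rem Added example, not part of the guide's Tools and Templates.
rem Object names ("Domain Isolation Example", "All IP Traffic", ...) are
rem constructed for this illustration. Run from an administrative command
rem prompt on a domain member; the netsh ipsec static context writes to the
rem local IPsec policy store.

rem 1. The policy object that will be assigned (locally here, by Group Policy
rem    in a real deployment).
netsh ipsec static add policy name="Domain Isolation Example" description="Negotiate IPsec with trusted domain members for all traffic"

rem 2. A mirrored filter that matches all IP traffic to and from this host,
rem    so the rule applies to inbound and outbound connections alike.
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes description="All traffic to and from this host"

rem 3. Filter action: negotiate ESP with null encryption and SHA1 integrity,
rem    which authenticates every packet without hiding its payload from
rem    network monitoring. Change qmsecmethods to "ESP[3DES,SHA1]" to require
rem    encryption as well. inpass=yes lets an unsecured inbound packet start a
rem    negotiation; soft=yes falls back to clear text with peers that cannot
rem    negotiate, a rollout-phase setting that is tightened to soft=no once
rem    every trusted host carries the policy.
netsh ipsec static add filteraction name="Request Authentication" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=yes soft=yes

rem 4. Bind the filter list and filter action into a rule. kerberos=yes is
rem    the authentication method, so only computers that can obtain a domain
rem    Kerberos ticket complete the negotiation.
netsh ipsec static add rule name="Trusted Domain Members" policy="Domain Isolation Example" filterlist="All IP Traffic" filteraction="Request Authentication" kerberos=yes

rem 5. Assign the policy and show the result for review.
netsh ipsec static set policy name="Domain Isolation Example" assign=y
netsh ipsec static show policy name="Domain Isolation Example"
```

After assignment, a computer that is not a domain member (or that does not carry a compatible policy) still reaches the host only because of the soft=yes fallback; removing that fallback is what turns the request into a requirement, which is the point at which exemption lists for infrastructure hosts such as domain controllers and DNS servers need to be in place.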
The Server and Domain Isolation Using IPSec and Group Policy Accelerator includes the following components:
- Server and Domain Isolation Using IPSec and Group Policy.doc
- Server and Domain Tools and Templates
Chapter 1: Introduction to Server and Domain Isolation
This chapter introduces server and domain isolation using IPSec and Group Policy and includes a brief overview of each chapter. The chapter also outlines the Woodgrove Bank scenario used throughout the guide.
Chapter 2: Understanding Server and Domain Isolation
This chapter is designed for technical decision makers and technical architects who will be responsible for designing a customized server and domain isolation solution for an organization. It describes how to identify trusted computers, provides a terminology refresher, and considers how to deploy server and domain isolation.
Chapter 3: Determining the Current State of Your IT Infrastructure
This chapter provides information about obtaining the information necessary to plan for and deploy a server and domain isolation solution. It discusses the process of understanding and documenting the computers that might function as "trusted" computers within the solution.
Chapter 4: Designing and Planning Isolation Groups
This chapter provides complete guidance for defining isolation groups that fulfill the business security requirements discussed in Chapter 2. The Woodgrove Bank scenario demonstrates the essential details of how an organization can turn its security requirements into deployed isolation groups.
Chapter 5: Creating IPSec Policies for Isolation Groups
This chapter provides instructions for implementing the server and domain isolation design. It provides complete guidance for applying the security requirements of domain isolation and of the server isolation groups designed in Chapter 4.
Chapter 6: Managing a Server and Domain Isolation Environment
This chapter provides guidance for managing a server and domain isolation solution after it has been successfully deployed into a production environment. The information provided in this chapter is designed for developing well-documented and well-communicated solution management processes.
Chapter 7: Troubleshooting IPSec
This chapter provides information about how to troubleshoot IPSec in scenarios such as server and domain isolation, and is based on the experience of the Microsoft IT team. Whenever possible, this chapter refers to existing Microsoft troubleshooting procedures and related information.
Appendix A: Overview of IPSec Policy Concepts
This appendix provides a detailed overview of IPSec terms, processes, and concepts. It is designed to provide the prerequisite level of understanding for IPSec as described in this guide.
Appendix B: IPSec Policy Summary
This appendix provides a concise listing of information about all policy settings for the isolation groups used in the IPsec solution.
Appendix C: Lab Build Guide
This appendix provides complete guidance for building the required infrastructure to support isolation groups that use IPSec. It also provides the instructions that are used to implement the baseline IPSec policy for the Woodgrove Bank scenario that is presented throughout this guide.
Appendix D: IT Threat Categories
This appendix provides a list of potential threats and attacks that can affect an organization and explains how a server and domain isolation solution can help mitigate them.
Tools and Templates
The downloadable version of this guide includes scripts and additional tools to make it easier for your organization to implement an IPSec policy.
Related Resources
See other Solution Accelerators that focus on security at the Security Solution Accelerators site on Microsoft TechNet.
Community and Feedback
- Want to know what’s coming up next? Check out our Security Guidance Blog.
- E-mail your feedback to the following address: SecWish@microsoft.com
About Solution Accelerators
Solution Accelerators are authoritative resources that help IT professionals plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.
Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as
- Communication & Collaboration
- Security, Data Protection, & Recovery
- Deployment
- Operations & Management