Step 2: Modifying a Firewall Rule to Require Group Membership and Encryption

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Server isolation takes the connection security rule that enforces authentication and layers on top of it a firewall rule that additionally restricts the traffic to authorized users or computers. In this step, you modify your Telnet firewall rule so that it allows Telnet traffic only from users who are members of the security group you created in the previous step, and only over connections that are encrypted. Because of the authentication method that is currently configured, you could restrict access based on the computer, the user, or both. In this example, you configure the firewall rule to restrict access to members of an approved user group.

To modify the Telnet firewall rule on MBRSVR1

  1. On MBRSVR1, switch to Group Policy Management.

  2. In the navigation pane, under Group Policy Objects, right-click Firewall Settings for Windows Servers, and then click Edit.

  3. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click Inbound Rules.

  4. In the results pane, right-click Allow Inbound Telnet, and then click Properties.

  5. Change the name by typing Allow Encrypted Inbound Telnet to Group Members Only.

  6. Perform one of the following:

    • If you are running Windows Server 2008 R2: Select Allow the connection if it is secure, click Customize, select Require the connections to be encrypted, and then click OK.

    • If you are running Windows Server 2008: Select Allow only secure connections, and then click Require encryption.

  7. Perform one of the following:

    • If you are running Windows Server 2008 R2: Click the Users tab.

    • If you are running Windows Server 2008: Click the Users and Computers tab.

  8. Under Authorized users, select Only allow connections from these users, and then click Add.

  9. In the Select Users or Groups dialog box, type Authorized to Access MBRSVR1, click Check Names to make sure that the name resolves, and then click OK.

Important

Even though this guide only demonstrates how to use a user group, remember that you can also specify computer group membership as a requirement, as long as the authentication method that is used includes computer authentication in addition to user authentication. This enables you to specify that only users who are members of group X can access the protected server, and only when they are using a computer that is a member of group Y. An authorized user who uses a non-authorized computer cannot access the protected server, nor can an authorized computer be used by a non-authorized user to access the protected server.

  10. Click OK to close the rule's Properties dialog box.

  11. Close the Group Policy Management Editor.
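The same change can be made from the command line with netsh advfirewall instead of the Group Policy Management Editor. The script below is an added example and is not part of the original guide; it covers steps 4 through 9 above and, as a commented-out line, the computer-group restriction described in the Important note. It is written for the PowerShell 2.0 that ships with Windows Server 2008 R2 and must run in an elevated session on a domain member. The domain name contoso.com, the GPO name Firewall Settings for Windows Servers, the existing rule name Allow Inbound Telnet, the group Authorized to Access MBRSVR1, and the hypothetical computer group Authorized Computers are taken from this walkthrough or assumed for the example; the exact text of the netsh verbose output that the check function matches on is also an assumption.

```powershell
# Added example, not from the original guide. Assumptions for this script:
#   - domain contoso.com, GPO "Firewall Settings for Windows Servers"
#   - an existing inbound rule named "Allow Inbound Telnet" in that GPO
#   - the domain group "Authorized to Access MBRSVR1" already exists
#   - run from an elevated PowerShell 2.0 session on a domain member
$domain  = 'contoso.com'
$gpoName = 'Firewall Settings for Windows Servers'
$oldName = 'Allow Inbound Telnet'
$newName = 'Allow Encrypted Inbound Telnet to Group Members Only'
$userGrp = 'CONTOSO\Authorized to Access MBRSVR1'

# netsh does not take a group name. The rmtusrgrp and rmtcomputergrp
# parameters want an SDDL string whose ACE carries the group's SID, so the
# name must be resolved to a SID first (this is what "Check Names" does in
# the UI). The "O:LSD:(A;;CC;;;<SID>)" form is the one netsh itself prints
# for RemoteUserGroup in "show rule ... verbose" output.
function Get-GroupSddl {
    param([string]$AccountName)
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return "O:LSD:(A;;CC;;;$sid)"
}

# Read the rule back from the GPO store and confirm both settings took:
#   security=authenc  -> "Allow the connection if it is secure" plus
#                        "Require the connections to be encrypted"
#   rmtusrgrp=<SDDL>  -> "Only allow connections from these users"
# The 'Security:' / 'AuthEnc' field text is assumed from verbose output.
function Test-TelnetRule {
    param([string]$RuleName, [string]$ExpectedSddl)
    $out = & netsh advfirewall firewall show rule "name=$RuleName" verbose | Out-String
    $encrypted = $out -match 'Security:\s+AuthEnc'
    $grouped   = $out.Contains($ExpectedSddl)
    if (-not $encrypted) { Write-Warning "Rule '$RuleName' does not require authentication and encryption." }
    if (-not $grouped)   { Write-Warning "Rule '$RuleName' does not reference the expected group SID." }
    return ($encrypted -and $grouped)
}

$userSddl = Get-GroupSddl $userGrp

# Point netsh at the GPO rather than the local policy store (quoting of the
# domain\GPO value with embedded spaces is an assumption), then rewrite the
# existing rule in place: new name, require authentication and encryption,
# and restrict the remote user to the group. Arguments are passed as single
# tokens so PowerShell quotes the ones containing spaces for netsh.
& netsh advfirewall set store "gpo=$domain\$gpoName"
& netsh advfirewall firewall set rule "name=$oldName" new "name=$newName" security=authenc "rmtusrgrp=$userSddl"

# To additionally require the client computer to be in a group (Important
# note above; needs computer authentication in the connection security rule),
# append this argument to the set rule command. The group name is hypothetical:
#   "rmtcomputergrp=$(Get-GroupSddl 'CONTOSO\Authorized Computers')"

$ok = Test-TelnetRule $newName $userSddl
# Always return netsh to the local store so later commands do not edit the GPO.
& netsh advfirewall set store local
if ($ok) { "Rule '$newName' now requires encryption and membership in $userGrp." }
```

The check in Test-TelnetRule is worth keeping even if you make the change in the editor: a rule that is set to "Allow the connection if it is secure" without the encryption option, or with the group left empty, still looks correct at a glance in the Inbound Rules list. The GPO change reaches MBRSVR1 at the next policy refresh, so run gpupdate /force on the server before testing from the client.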

Next topic: Step 3: Creating a Firewall Rule for the Client to Support Encryption