GPO_DOMISO_Boundary_WS2003

Updated: January 27, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

This GPO is authored by using the Windows Firewall and IP Security Policies sections of the GPO editing tools. Woodgrove Bank created it by copying and pasting the Windows Server 2003 version of the isolated domain GPO and renaming the copy to reflect its new purpose.

This GPO lets computers that are not part of the isolated domain reach specific servers that must remain available to those untrusted computers. It is intended to apply only to server computers in the boundary zone that are running Windows Server 2003.

In addition to the filter lists, filter actions, and registry settings copied from the isolated domain GPO, the following are added to support computers in the boundary zone.

Create the following IP filter action:

  • Name: Request In/Out

  • Security Methods: Negotiate security, with the same security method that is used in the isolated domain GPO.

  • Select the Accept unsecured communication, but always respond using IPsec check box (the inbound fall back to clear option). A boundary server then accepts an inbound connection from a computer that does not answer the IPsec negotiation, while still responding with IPsec to computers that can negotiate.

  • Select the Allow fallback to unsecured communication if a secure connection cannot be established check box (the outbound fall back to clear option). The server's own outbound connections then proceed in the clear when the peer cannot negotiate IPsec.

These two options are what make this a "request" action rather than the "require" action used in the isolated domain: traffic with trusted peers is still protected, but traffic with computers outside the isolated domain crosses the network unprotected. That is why only servers that must be reachable from those computers belong in the boundary zone.

The GPO is configured to use an IPsec policy named "Boundary Zone Policy" that contains the rules shown in the following table.

IP filter list    Filter action    Authentication
----------------  ---------------  ------------------------------------
All IP traffic    Request In/Out   • Computer-based Kerberos V5
                                   • Certificate from internal CA
ICMP traffic      Allow Traffic    Not applicable
Exemption List    Allow Traffic    Not applicable

  • The same key exchange, main mode, and quick mode algorithms as specified in the isolated domain GPO for Windows Server 2003 are used here.

  • The same registry settings added to the Windows Server 2003 isolated domain GPO are included here, using the same values. For more information, see the description of the registry settings in Isolated Domain.

  • After creating the Boundary Zone Policy, assign it as the active policy in the GPO.
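The policy described above, built with the netsh ipsec static context that ships with Windows Server 2003 and later. This is an added example, not a script from the Woodgrove Bank design guide or from Microsoft; it is meant for prototyping and inspecting the Boundary Zone Policy on one test server before the policy is authored in the GPO. The CA distinguished name, main mode and quick mode methods, exemption-list hosts, and domain name are assumptions (the page says to take them from the isolated domain GPO), and netsh writes to the local policy store unless the store is switched to the domain first.

```powershell
# Added example for this page; not Woodgrove Bank's or Microsoft's script.
# Builds "Boundary Zone Policy" with "netsh ipsec static" so the policy can be
# prototyped and reviewed on a test server before it is authored in the GPO.
#
# ASSUMED values (not stated on the page; copy yours from the isolated
# domain GPO): $RootCaDn, $MmMethods, $QmMethods, $ExemptHosts, $DomainFqdn.
$PolicyName  = 'Boundary Zone Policy'
$ActionName  = 'Request In/Out'
$RootCaDn    = 'CN=Woodgrove Bank Internal CA, DC=corp, DC=woodgrovebank, DC=com'  # assumed
$MmMethods   = '3DES-SHA1-2'                    # assumed main mode: 3DES, SHA-1, DH group 2
$QmMethods   = 'ESP[None,SHA1]:100000k/3600s'    # assumed quick mode: ESP integrity only
$ExemptHosts = @('10.0.0.10', '10.0.0.11')       # assumed members of the Exemption List
$DomainFqdn  = 'corp.woodgrovebank.com'          # assumed; only used for the domain store
$TargetStore = 'local'                           # 'domain' writes to the Active Directory store

function Invoke-NetshIpsec {
    # Runs one "netsh ipsec static" command and fails loudly on a non-zero exit code.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$NetshArgs)
    $output = & netsh.exe ipsec static @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $($NetshArgs -join ' ') failed: $output" }
    $output
}

if ($TargetStore -eq 'domain') {
    Invoke-NetshIpsec set store location=domain "domain=$DomainFqdn"
}

# 1. Filter actions. "Request In/Out" negotiates but falls back to clear both ways:
#    inpass=yes -> "Accept unsecured communication, but always respond using IPsec"
#    soft=yes   -> "Allow fallback to unsecured communication if a secure connection cannot be established"
Invoke-NetshIpsec add filteraction "name=$ActionName" action=negotiate inpass=yes soft=yes "qmsecmethods=$QmMethods"
# "Allow Traffic" is a plain permit action (in the real design it comes from the isolated domain GPO).
Invoke-NetshIpsec add filteraction 'name=Allow Traffic' action=permit

# 2. Filter lists named as in the table. (Windows also ships built-in "All IP Traffic"
#    and "All ICMP Traffic" lists; reuse those instead if your store already has them.)
Invoke-NetshIpsec add filterlist 'name=All IP traffic'
Invoke-NetshIpsec add filter 'filterlist=All IP traffic' srcaddr=me dstaddr=any protocol=ANY mirrored=yes
Invoke-NetshIpsec add filterlist 'name=ICMP traffic'
Invoke-NetshIpsec add filter 'filterlist=ICMP traffic' srcaddr=me dstaddr=any protocol=ICMP mirrored=yes
Invoke-NetshIpsec add filterlist 'name=Exemption List'
foreach ($h in $ExemptHosts) {
    Invoke-NetshIpsec add filter 'filterlist=Exemption List' srcaddr=me "dstaddr=$h" protocol=ANY mirrored=yes
}

# 3. The policy (main mode settings) and the three rules from the table. Only the
#    "All IP traffic" rule authenticates: Kerberos plus certificates from the internal CA.
Invoke-NetshIpsec add policy "name=$PolicyName" "mmsecmethods=$MmMethods" assign=no
Invoke-NetshIpsec add rule 'name=All IP traffic' "policy=$PolicyName" 'filterlist=All IP traffic' `
    "filteraction=$ActionName" kerberos=yes "rootca=$RootCaDn"
Invoke-NetshIpsec add rule 'name=ICMP traffic' "policy=$PolicyName" 'filterlist=ICMP traffic' 'filteraction=Allow Traffic'
Invoke-NetshIpsec add rule 'name=Exemption List' "policy=$PolicyName" 'filterlist=Exemption List' 'filteraction=Allow Traffic'

# 4. Assign the policy and print it back for review. After a client connects,
#    "netsh ipsec dynamic show mmsas" / "show qmsas" show whether an SA was negotiated
#    or the connection fell back to clear.
Invoke-NetshIpsec set policy "name=$PolicyName" assign=y
Invoke-NetshIpsec show policy "name=$PolicyName" level=verbose
```

When the script is run against the local store it changes the test server's own IPsec policy, so run it on a lab boundary server rather than a production one; the point of the review step is to compare the printed policy with the isolated domain GPO's settings before repeating the configuration in the GPO.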

Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy: remove rules for services that are not needed on servers in this zone, and add inbound rules that allow the network traffic for the services that other computers must reach. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests.

Make sure that the GPO that contains the firewall rules for the isolated domain does not also apply to the boundary zone (for example, by linking it only to OUs that hold no boundary servers, or by filtering it with a security group). Otherwise the two GPOs deliver overlapping and possibly conflicting rules to the boundary servers.
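The two steps above (adding the TCP 80 exception to the boundary GPO and confirming that the isolated domain GPO is not also applied to the boundary servers), as an added example that is not part of the design guide. It uses the GroupPolicy module from Windows Server 2008 R2, which matches the "Applies To" line; the exception is written as the registry policy value that the "Windows Firewall: Define inbound port exceptions" Administrative Template setting produces, which is how the legacy Windows Firewall on Windows Server 2003 receives rules from a GPO. The isolated domain GPO's name and the boundary servers' OU are assumptions.

```powershell
# Added example for this page; not Woodgrove Bank's or Microsoft's script.
# Requires the GroupPolicy module (Windows Server 2008 R2 or RSAT).
Import-Module GroupPolicy

$BoundaryGpo = 'GPO_DOMISO_Boundary_WS2003'
$IsolatedGpo = 'GPO_DOMISO_IsolatedDomain_WS2003'                                  # assumed name
$BoundaryOu  = 'OU=Boundary Servers,OU=Servers,DC=corp,DC=woodgrovebank,DC=com'   # assumed OU
# Policy key behind "Windows Firewall: Define inbound port exceptions" (Domain Profile).
$PortsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts'

function Add-LegacyFirewallPortException {
    # Writes one port exception into the GPO and returns the entry written.
    # Entry format: port:protocol:scope:status:name, e.g. "80:TCP:*:Enabled:Web Server".
    # Scope "*" means any address; "LocalSubnet" or a comma-separated address list narrows it.
    param([string]$Gpo, [int]$Port, [ValidateSet('TCP', 'UDP')][string]$Protocol,
          [string]$Name, [string]$Scope = '*')
    $entry = '{0}:{1}:{2}:Enabled:{3}' -f $Port, $Protocol, $Scope, $Name
    # The template turns the list on with Enabled=1 and stores each exception under
    # ...\List with the value name equal to its data.
    Set-GPRegistryValue -Name $Gpo -Key $PortsKey -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key "$PortsKey\List" -ValueName $entry -Type String -Value $entry | Out-Null
    return $entry
}

function Get-LegacyFirewallPortExceptions {
    # Reads the exception list back from the GPO for review.
    param([string]$Gpo)
    Get-GPRegistryValue -Name $Gpo -Key "$PortsKey\List" | Select-Object -ExpandProperty Value
}

function Test-GpoNotApplied {
    # True when $Gpo is neither linked to $Target nor inherited from a parent container.
    param([string]$Gpo, [string]$Target)
    $inheritance = Get-GPInheritance -Target $Target
    $hits = @($inheritance.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $Gpo -and $_.Enabled })
    foreach ($link in $hits) {
        Write-Warning "$Gpo is linked at $($link.Target) and would also apply to $Target"
    }
    return ($hits.Count -eq 0)
}

# Woodgrove Bank's example: inbound Web client requests on TCP 80 from any address.
Add-LegacyFirewallPortException -Gpo $BoundaryGpo -Port 80 -Protocol TCP -Name 'Web Server (HTTP)'
Get-LegacyFirewallPortExceptions -Gpo $BoundaryGpo

# Refuse to continue while the isolated domain GPO still reaches the boundary servers.
if (-not (Test-GpoNotApplied -Gpo $IsolatedGpo -Target $BoundaryOu)) {
    throw "Unlink $IsolatedGpo from $BoundaryOu, block inheritance, or filter it by security group before deploying."
}
```

Because a WS2003 port exception is just a string in the policy registry, the same function also serves for the other services kept on boundary servers; the inheritance check covers links on parent containers as well as the OU itself, which is where an overlapping isolated domain GPO is most often missed.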

Next:  Encryption Zone GPOs
