Server Isolation GPOs
Updated: January 27, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
Each set of computers that is accessed by a different set of users or computers requires a separate server isolation zone. Each zone requires one GPO for each version of Windows running on computers in the zone. The Woodgrove Bank example has an isolation zone for their computers that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose.
All of the computer accounts for computers in the SQL Server server isolation zone are added to the group CG_SRVISO_WGBANK_SQL. This group is granted Read and Apply Group Policy permissions on the GPOs described in this section. The GPOs are only for server versions of Windows. Client computers are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone.
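The two steps just described, copying the encryption zone GPOs and restricting them to the zone group, can be scripted. The following is an added example, not part of the design guide or of Woodgrove Bank's own configuration. It assumes the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and RSAT); the target names GPO_SRVISO_WS2008 and GPO_SRVISO_WS2003 are placeholders chosen here, since the guide does not give the renamed GPOs' names.

```powershell
# Added example: create the server isolation zone GPOs by copying the encryption zone
# GPOs, then limit Read + Apply to the zone's computer group.
# Assumptions: GroupPolicy module available (Windows Server 2008 R2 / RSAT);
# target GPO names are placeholders.
Import-Module GroupPolicy

$zoneGroup = 'CG_SRVISO_WGBANK_SQL'
$gpoMap = @{
    'GPO_DOMISO_Encryption_WS2008' = 'GPO_SRVISO_WS2008'   # placeholder target name
    'GPO_DOMISO_Encryption_WS2003' = 'GPO_SRVISO_WS2003'   # placeholder target name
}

foreach ($source in $gpoMap.Keys) {
    $target = $gpoMap[$source]

    # Copy the encryption zone GPO as the starting point for the isolation zone GPO
    # (skip the copy if a GPO with the target name already exists).
    $existing = $null
    try { $existing = Get-GPO -Name $target -ErrorAction Stop } catch { }
    if (-not $existing) {
        Copy-GPO -SourceName $source -TargetName $target | Out-Null
    }

    # Security filtering: only members of the zone group get Read + Apply Group Policy.
    Set-GPPermission -Name $target -TargetName $zoneGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Remove the default Apply permission so no other domain computer receives the GPO.
    Set-GPPermission -Name $target -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None | Out-Null

    # Server-only GPO: the User Configuration section is not used.
    (Get-GPO -Name $target).GpoStatus = 'UserSettingsDisabled'
}

# Verify: list every principal that can still apply each isolation zone GPO.
foreach ($target in $gpoMap.Values) {
    Get-GPPermission -Name $target -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{n='GPO';e={$target}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```

Run the script from a domain-joined administration workstation or server with the GroupPolicy module; the final loop should show only CG_SRVISO_WGBANK_SQL with GpoApply for each isolation GPO. On Windows Server 2008 (without R2) the module is not available, and the same copy and permission changes are made in the Group Policy Management Console.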
The GPO for servers that are running Windows Server 2008 or Windows Server 2008 R2 is identical to the GPO_DOMISO_Encryption_WS2008 GPO with the following changes:
The firewall rule that enforces encryption is modified to include the NAGs on the Users and Computers tab of the rule. The NAGs granted permission are CG_NAG_SQL_Users and CG_NAG_SQL_Computers.
Important: Earlier versions of Windows support only computer-based authentication. If you specify that user authentication is mandatory, only users on computers that are running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008 can connect.
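The rule change described above (require authentication and encryption, and authorize only the NAGs) corresponds to the "authenc" security setting plus remote user and computer authorization in Windows Firewall with Advanced Security. The following added example, not from the design guide, shows the same rule created with netsh advfirewall, which is available on Windows Server 2008 and Windows Server 2008 R2. The rule name, the domain name woodgrovebank.com, and the SQL Server port 1433 are assumptions; the NAG names are the ones the guide uses.

```powershell
# Added example: inbound firewall rule that requires IPsec authentication and
# encryption, with the two NAGs as the only authorized remote users and computers.
# Assumptions: domain name, rule name and local port are placeholders chosen here.

# Resolve a domain group to its SID and wrap it in the SDDL string that netsh expects
# for rmtusrgrp / rmtcomputergrp. CC is the "allow connection" right for firewall rules.
function Get-AuthorizationSddl {
    param([string[]]$Groups)
    $aces = foreach ($g in $Groups) {
        $sid = (New-Object System.Security.Principal.NTAccount($g)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    'D:' + ($aces -join '')
}

$domain   = 'woodgrovebank.com'                                  # assumed domain
$userSddl = Get-AuthorizationSddl -Groups @("$domain\CG_NAG_SQL_Users")
$compSddl = Get-AuthorizationSddl -Groups @("$domain\CG_NAG_SQL_Computers")
$ruleName = 'SQL Server - NAG only, authenticated and encrypted'  # assumed name

# security=authenc: the connection must be both authenticated and encrypted by IPsec
# (the encryption zone behaviour the isolation zone inherits).
# rmtusrgrp: because a user NAG is listed, only clients that can do user
# authentication (Windows Vista / Windows Server 2008 and later) will connect.
netsh advfirewall firewall add rule `
    name="$ruleName" dir=in action=allow `
    protocol=TCP localport=1433 `
    security=authenc `
    rmtusrgrp="$userSddl" rmtcomputergrp="$compSddl"

# Check the result: the verbose listing shows Security, RemoteUser and RemoteComputer.
netsh advfirewall firewall show rule name="$ruleName" verbose
```

When the rule is authored in the GPO rather than locally, the same values appear on the rule's General tab (Allow the connection if it is secure, Require encryption) and its Users and Computers tab. The verbose listing is a quick way to confirm on an isolated server that the applied rule still carries both NAGs after a policy refresh.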
The GPO for servers that are running Windows Server 2003 is authored by using the Windows Firewall and IP Security Policies sections in the GPO editing tools. The User Configuration section of the policy is disabled. It is intended to apply only to server computers that are running Windows Server 2003.
This GPO is identical to the GPO_DOMISO_Encryption_WS2003 GPO with the following changes:
Under User Rights Assignment, add the NAGs for users and computers to the Access this computer from the network user right. You must also remove the Everyone, Power Users, and Users groups from the user right list. The NAGs granted permission are CG_NAG_SQL_Users and CG_NAG_SQL_Computers.
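Because the Windows Server 2003 GPO relies on the Access this computer from the network right (SeNetworkLogonRight) instead of a firewall rule, it is worth checking on each isolated server that the right contains the NAGs and that Everyone, Users, and Power Users are really gone. The following added example, not from the design guide, exports the effective local policy with secedit and compares the entries with the design; the domain name is an assumption, and the well-known SIDs for Everyone (S-1-1-0), Users (S-1-5-32-545), and Power Users (S-1-5-32-547) are the standard ones.

```powershell
# Added example: audit SeNetworkLogonRight on an isolated server against the design.
# Assumptions: run elevated on the server itself; domain name is a placeholder.

function Get-SeNetworkLogonRightEntries {
    # secedit exports the effective local policy; USER_RIGHTS limits it to privileges.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Export format: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,DOMAIN\Group
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Resolve-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$domain    = 'woodgrovebank.com'   # assumed domain
$required  = @("$domain\CG_NAG_SQL_Users", "$domain\CG_NAG_SQL_Computers") |
             ForEach-Object { Resolve-Sid $_ }
$forbidden = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-32-545' = 'Users'; 'S-1-5-32-547' = 'Power Users' }

# Normalize every entry to a SID so names (BUILTIN\Users) and SIDs compare alike.
$present = Get-SeNetworkLogonRightEntries | ForEach-Object {
    if ($_ -match '^S-1-') { $_ } else { Resolve-Sid $_ }
}

$missing  = $required | Where-Object { $present -notcontains $_ }
$leftover = $present  | Where-Object { $forbidden.ContainsKey($_) } |
            ForEach-Object { $forbidden[$_] }

if ($missing)  { Write-Warning "NAG(s) missing from SeNetworkLogonRight: $($missing -join ', ')" }
if ($leftover) { Write-Warning "Groups that should have been removed: $($leftover -join ', ')" }
if (-not $missing -and -not $leftover) {
    'SeNetworkLogonRight matches the server isolation design.'
}
```

Run it after a gpupdate on the isolated server; any warning means the GPO either did not apply (check security filtering on the GPO) or another policy is still adding one of the removed groups back.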
We recommend that you do not use computers that are running Windows 2000 as isolated servers. If information on these servers is sensitive enough to merit the protections of server isolation, we recommend that you use a computer that is running a version of Windows with stronger security, such as Windows Server 2008 R2.
However, if business requirements are such that a computer running Windows 2000 Server must be placed in the boundary zone, design the GPO as follows:
The basic policy settings for Windows Server 2003 and Windows 2000 are identical. Therefore, you can save time by copying the whole GPO for Windows Server 2003, pasting it as a new GPO in the Group Policy Objects container, and then changing only the items that must be different. In the Woodgrove Bank example, the settings are the same, and no differences must be accounted for.
We recommend that you create a separate GPO so that operating-system-version-specific changes can be made if the need arises.
Next: Planning GPO Deployment