GPO_DOMISO_IsolatedDomain_Clients_Win7Vista

Updated: January 27, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client computers that are running Windows 7 or Windows Vista.

Because client computers can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile.

This GPO provides the following settings:

  • No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the Firewall GPOs section) in order to share them with all clients in all isolation zones with minimum redundancy.

  • The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting.

  • Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 7, Windows Vista, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones.

  • The registry settings shown in the following table. For more information, see the description of the registry settings in Isolated Domain.

     

    Setting Value

    Enable PMTU Discovery

    1

    IPsec Exemptions

    3

    Enable IPsec over NAT-T

    0

  • The main mode security method combinations in the order shown in the following table.

     

    Integrity Encryption

    Secure Hash Algorithm (SHA-1)

    Advanced Encryption Standard (AES-128)

    SHA-1

    3DES

  • The following quick mode security data integrity algorithms combinations in the order shown in the following table.

     

    Protocol Integrity Key Lifetime (minutes/KB)

    ESP

    SHA-1

    60/100,000

  • The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table.

     

    Protocol Integrity Encryption Key Lifetime (minutes/KB)

    ESP

    SHA-1

    AES-128

    60/100,000

    ESP

    SHA-1

    3DES

    60/100,000

noteNote
Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows.

This GPO provides the following rules:

  • A connection security rule named Isolated Domain Rule with the following settings:

    • From Any IP address to Any IP address.

    • Require inbound and request outbound authentication requirements.

      ImportantImportant
      On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the computers were successfully communicating by using IPsec, they switched the GPOs to require authentication.

    • For First authentication methods, select Computer Kerberos v5 as the primary method. Add certificate-based authentication from DC=com,DC=woodgrovebank,CN=CorporateCertServer for computers that cannot run Windows or cannot join the domain, but must still participate in the isolated domain.

    • For Second authentication, select User Kerberos v5, and then select the Second authentication is optional check box.

  • A connection security rule to exempt computers that are in the exemption list from the requirement to authenticate:

    • The IP addresses of all computers on the exemption list must be added individually under Endpoint 2.

    • Authentication mode is set to Do not authenticate.

Next:  GPO_DOMISO_IsolatedDomain_Servers_WS2008

Community Additions

ADD
Show: