Setting Up IPsec Domain and Server Isolation in a Test Lab
Applies To: Windows Server 2003, Windows Server 2003 R2
This document is intended for network architects who are investigating the use of Internet Protocol security (IPsec) in Microsoft® Windows® operating systems to deploy domain and server isolation in their environments. The procedures in this document demonstrate how to set up IPsec domain and server isolation in a limited test environment, which you can use as a basis for your own deployment.
The objective of setting up domain isolation in a test lab is to configure a test lab network in which isolated domain member computers accept only authenticated communications initiated from other domain member computers, while ignoring communications initiated from non-isolated computers outside the isolated domain.
The objective of setting up group-specific server isolation in a test lab is to configure a test lab network in which a server computer accepts only authenticated communications initiated from domain member computers that are members of a specific security group, while ignoring communications initiated from non-isolated computers outside the isolated domain and isolated computers that are not members of a specific security group.
The following steps are required for the successful setup and demonstration of the domain and server isolation lab:
Setting up four computers that make up the test lab network: two server computers and two client computers.
Demonstrating that the clients have full, unrestricted access to the servers.
Creating an IPsec policy to isolate the computers in the isolated domain from computers outside of the isolated domain.
Demonstrating, after the domain isolation policy is in place, that the isolated computers in the domain can access other isolated computers in the domain, but that non-isolated computers outside of the isolated domain do not have access to domain members.
Demonstrating, after the server isolation settings are in place, that specific, authorized isolated computers can access the isolated server, and that unauthorized isolated computers are denied access.
This lab is designed to demonstrate the basic capabilities of IPsec domain and group-specific server isolation in a limited test environment. It does not explore every possible configuration, but rather outlines a specific set of procedures to get you started. If you plan to deploy IPsec server and domain isolation in your production environment, see the "Other Resources" section at the end of this paper for links to IPsec planning and deployment documentation that may address the specifics of your network.
Note
The procedures in this document use the Microsoft Windows Server™ 2003, Standard Edition operating system. Your server might function differently based on the version and edition of the Windows operating system that is installed, your account permissions, and your menu settings. For example, the steps to open an item in Control Panel vary slightly based on how a server is configured.
The following illustration shows the configuration of the IPsec test lab.
Figure 1. Test lab configuration.
The following four computers make up the test lab network:
DC1: a computer running Windows Server 2003 that is used as a domain controller and a Domain Name System (DNS) server.
FS1: a computer running Windows Server 2003 that is used as a file sharing server.
CLIENT1: a computer running Windows XP that is used as a client.
CLIENT2: another computer running Windows XP that is used as a client.
The lab requires one network segment that represents a private network. All computers on the private network are connected to a common hub or Layer 2 switch. Private IP addresses are used throughout the test lab configuration. The private network of 172.16.0.0/24 is used for the test lab network.
In addition, each computer is manually configured with an IP address, subnet mask, and DNS server IP address. Dynamic Host Configuration Protocol (DHCP) and Windows Internet Name Service (WINS) servers are not used.
The following sections describe the configuration for each of the computers in the test lab.
DC1 is a computer running Windows Server 2003 that is functioning as:
The domain controller for the contoso.com Active Directory® domain.
The DNS server for the contoso.com DNS domain.
Note
The domain name, contoso.com, is used here for example purposes only. You can use any domain name in your test lab configuration.
To configure DC1 for these services, perform the following steps.
Install Windows Server 2003 as a stand-alone server.
Using Network Connections, configure the TCP/IP protocol for the Local Area Network connection with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.
Run the Active Directory Installation Wizard (dcpromo.exe) for a new domain named contoso.com in a new forest. Install the DNS service when prompted.
FS1 is a computer running Windows Server 2003 that is providing file and print sharing services. To configure FS1 as a file server, perform the following steps.
Install Windows Server 2003 as a stand-alone server.
Using Network Connections, configure the TCP/IP protocol for the Local Area Network connection with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
Using System, join FS1 to the contoso.com domain.
After restarting the computer, in Windows Explorer, share the root directory of Local Disk (C:) using the share name ROOT.
CLIENT1 is a computer running Windows XP Service Pack 1 (SP1) or SP2 that is acting as a client and member of the contoso.com domain. To configure CLIENT1 as a client, perform the following steps.
Install Windows XP SP1 or SP2 as a workgroup computer.
Turn off Windows Firewall.
Using Network Connections, configure the TCP/IP protocol for the Local Area Network connection with the IP address of 172.16.0.3, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
Using System, join CLIENT1 to the contoso.com domain.
After restarting the computer, in Windows Explorer, share the root directory of Local Disk (C:) using the share name ROOT.
CLIENT2 is a computer running Windows XP SP1 or SP2 that is acting as a client but is not a member of the contoso.com domain and does not have a local IPsec policy. To configure CLIENT2 as a client, perform the following steps.
Install Windows XP SP1 or SP2 as a workgroup computer.
Turn off Windows Firewall.
Using Network Connections, configure the TCP/IP protocol with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
In Windows Explorer, share the root directory of Local Disk (C:) using the share name ROOT.
Now that the domain is set up, move the computers to which the domain isolation IPsec policy should be applied from the Computers folder in Active Directory Users and Computers into a new organizational unit (OU). On DC1, perform the following steps using Active Directory Users and Computers.
In Active Directory Users and Computers, create the Isolate OU within the contoso.com domain.
In Active Directory Users and Computers, move the FS1 and CLIENT1 computer accounts to the Isolate OU.
Before configuring and assigning IPsec policy, confirm that hosts can successfully communicate.
On CLIENT2, from a command prompt, type net view \\FS1.
You should be able to successfully connect to the shared folder on FS1.
On CLIENT1, from a command prompt, type net view \\FS1.
You should be able to successfully connect to the shared folder on FS1.
Now that your domain computers are configured, you can configure an IPsec domain isolation policy to apply to the contoso.com domain. In the following steps, you will create a domain isolation policy that will allow only isolated computers to be accessed by other isolated computers within the isolated domain. Non-isolated computers outside the isolated domain, making communications requests to isolated computers inside the isolated domain, will be ignored. Perform the following steps using Group Policy.
Configure filter lists.
Configure policy filter actions.
Configure IPsec policy.
Assign IPsec policy.
Propagate IPsec policy to domain members.
You will create the following IP filter lists:
Domain Controller
Secure Subnet
To create the Domain Controller filter list
On DC1, click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
Under Security Settings, right-click IP Security Policies on Active Directory, and then click Manage IP filter lists and filter actions.
On the Manage IP Filter Lists tab, click Add.
In IP Filter List, clear the Use Add Wizard check box.
In Name, type Domain Controller, in Description, type Permits all traffic between DC1 and any other computer, and then click Add to add filter properties.
In the Source address list on the Addresses tab, confirm that Mirrored is enabled.
In Source address, select My IP Address. In Destination address, select A specific IP Address.
In IP address, type the address of DC1, 172.16.0.1, click OK, and then click OK again.
To create the Secure Subnet filter list
On DC1, on the Manage IP Filter Lists tab, click Add.
In IP Filter List, confirm that the Use Add Wizard check box is cleared.
In Name, type Secure Subnet, in Description, type Matches all traffic between computers on the 172.16.0.0 subnet, and then click Add to add filter properties.
On the Addresses tab, confirm that Mirrored is enabled.
In Source address, select My IP Address. In Destination address, select A specific IP Subnet.
In IP address, type the private network ID, 172.16.0.0. In Subnet mask, type 255.255.255.0, click OK, and then click OK again.
IPsec Policy Filter Actions specify how the resulting IPsec policy negotiates security between computers. They indicate whether security will be negotiated, by what means it will be negotiated, and how to handle requests from non-IPsec-compatible computers.
You will create the following IP filter action:
Isolate Domain
To create the Isolate Domain filter action
On DC1, click the Manage Filter Actions tab, clear the Use Add Wizard check box, and then click Add.
On the Security Methods tab, in New Filter Action Properties, click Add.
In New Security Method, click Integrity only, and then click OK.
In New Filter Action Properties, click the General tab. In Name, type Isolate Domain, and in Description, type Prohibits communication between isolated and non-isolated hosts.
Click OK, and then click Close.
Create an IPsec policy with the name "Domain Isolation." Use the following settings.
IP Filter Lists: Secure Subnet, Domain Controller, All ICMP Traffic
Filter Actions: Isolate Domain, Permit
Authentication method: Kerberos
Tunnel setting: This rule does not specify an IPsec tunnel
Connection type: All network connections
On DC1, under Security Settings, right-click IP Security Policies on Active Directory, and then click Create IP Security Policy. Click Next.
In Name, type Domain Isolation, and in Description, type Provides domain isolation. Click Next.
Clear the Activate the default response rule check box, click Next, and then click Finish.
Clear the Use Add Wizard check box, and then click Add.
On the IP Filter List tab, select Secure Subnet. On the Filter Action tab, select Isolate Domain, and then click OK.
Click Add. On the IP Filter List tab, select Domain Controller. On the Filter Action tab, select Permit, and then click OK.
Click Add. On the IP Filter List tab, select All ICMP Traffic. On the Filter Action tab, select Permit, click OK, and then click OK again.
Assign the Domain Isolation IPsec policy to the Isolate OU using Group Policy.
On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Expand contoso.com, right-click Isolate, and then click Properties.
Click the Group Policy tab, and then click New.
Type Domain Isolation for the new policy name, and then click Edit.
Under Computer Configuration, expand Windows Settings, and then expand Security Settings.
Click IP Security Policies on Active Directory (contoso.com), right-click Domain Isolation, and then click Assign.
There should now be a small green diamond on the lower-right corner of the container for the Domain Isolation policy. This diamond indicates that the policy is currently assigned.
Close the Group Policy Object Editor, and then click Close to close Isolate Properties.
IPsec policy is updated through the standard Group Policy refresh intervals. To immediately update changes in IPsec policy settings, from a command prompt, run the following commands on FS1 and CLIENT1:
gpupdate /force
net stop policyagent
net start policyagent
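The same filter lists, filter action, policy and rules can be written to the Active Directory policy store from a command prompt on DC1 with netsh, which is useful for repeating the lab. This is an added example, not part of the original guide; the qmsecmethods value is an assumed mapping of the GUI's "Integrity only" security method, and assignment to the Isolate OU still happens through the Group Policy object as described above.

```batch
@echo off
rem Scripted equivalent of the Domain Isolation policy steps, run on DC1.
rem Targets the Active Directory store, which the GUI edits under
rem "IP Security Policies on Active Directory".
netsh ipsec static set store location=domain domain=contoso.com

rem Filter list 1: Domain Controller (mirrored, My IP Address <-> 172.16.0.1).
netsh ipsec static add filterlist name="Domain Controller" description="Permits all traffic between DC1 and any other computer"
netsh ipsec static add filter filterlist="Domain Controller" srcaddr=me dstaddr=172.16.0.1 mirrored=yes protocol=ANY

rem Filter list 2: Secure Subnet (mirrored, My IP Address <-> 172.16.0.0/24).
netsh ipsec static add filterlist name="Secure Subnet" description="Matches all traffic between computers on the 172.16.0.0 subnet"
netsh ipsec static add filter filterlist="Secure Subnet" srcaddr=me dstaddr=172.16.0.0 dstmask=255.255.255.0 mirrored=yes protocol=ANY

rem Filter action: Isolate Domain. Negotiate security with integrity only
rem (assumed mapping: ESP with SHA1 integrity, no encryption). inpass=no and
rem soft=no give unauthenticated peers no clear-text fallback, which is why
rem CLIENT2 later gets "System error 53" instead of a share listing.
netsh ipsec static add filteraction name="Isolate Domain" description="Prohibits communication between isolated and non-isolated hosts" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=no soft=no

rem Policy with the default response rule deactivated, as in the wizard.
netsh ipsec static add policy name="Domain Isolation" description="Provides domain isolation" activatedefaultrule=no

rem Rules: subnet traffic must negotiate with Kerberos; traffic to DC1 and all
rem ICMP is permitted so Kerberos and Group Policy keep working. "Permit" and
rem "All ICMP Traffic" are the built-in filter action and filter list.
netsh ipsec static add rule name="Secure Subnet" policy="Domain Isolation" filterlist="Secure Subnet" filteraction=Permit conntype=all kerberos=yes filteraction="Isolate Domain"
netsh ipsec static add rule name="Domain Controller" policy="Domain Isolation" filterlist="Domain Controller" filteraction=Permit conntype=all
netsh ipsec static add rule name="All ICMP Traffic" policy="Domain Isolation" filterlist="All ICMP Traffic" filteraction=Permit conntype=all

rem Review what was written to the store before assigning it with Group Policy.
netsh ipsec static show policy name="Domain Isolation" level=verbose
```

The Domain Controller rule must stay more specific than the Secure Subnet rule (a single host versus the whole subnet); the IPsec driver applies the most specific matching filter, so DC1 traffic is permitted even though 172.16.0.1 is also inside the subnet that requires negotiation.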
To verify that IPsec policy is applied to the isolated domain hosts, FS1 and CLIENT1, do the following:
Click Start, click Run, type MMC, and then click OK.
In MMC, click File, click Add/Remove Snap-in, and then click Add.
In the Add Standalone Snap-in dialog box, click IP Security Monitor, and then click Add.
Click Close, and then click OK.
Expand IP Security Monitor, expand computer name, and then expand Quick Mode.
Click Specific Filters and verify that three filters are applied to this host. If the filters do not appear, restart FS1 or CLIENT1.
For more information about IPsec Security Monitor, see "Monitor IPSec Activity" on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=52598).
Figure 2. IP Security Monitor
After configuring and assigning IPsec policy, FS1 and CLIENT1 should be isolated from communication with CLIENT2.
On CLIENT2, from a command prompt, type net view \\FS1.
You should not be able to successfully connect to the shared folder on FS1. You will see the following message:
"System error 53 has occurred. The network path was not found."
On CLIENT2, from a command prompt, type net view \\CLIENT1.
You should not be able to successfully connect to the shared folder on CLIENT1.
On CLIENT1, from a command prompt, type net view \\FS1.
You should be able to successfully connect to the shared folder on FS1.
Figure 3. Result of domain isolation.
Now that the entire domain is secured with an IPsec policy, you may want to further isolate specific servers so that only certain isolated computers can communicate with them. Group-specific server isolation requires that a computer that is requesting IPsec authentication belongs to an Active Directory security group. If the requesting computer is a member of the group, it is allowed access to the server. If it is not a member of the group, the IPsec authentication fails.
The following steps build on the domain isolation lab steps, showing how to further isolate server FS1 so that only authorized client computers can communicate with it.
Join CLIENT2 to the domain.
Create an Active Directory security group named Authorized Computers.
Add CLIENT2 to the Authorized Computers group.
Configure the "Access this computer from the network" local Group Policy user right on FS1 for the Active Directory group.
Determine that CLIENT2 can access FS1 but CLIENT1 cannot.
Using System, join CLIENT2 to the contoso.com domain.
On CLIENT2, click Start, click Control Panel, click Performance and Maintenance, and then click System.
On the Computer Name tab, click Change.
Under Member of, click Domain, type contoso.com, and then click OK.
You will be prompted to provide a user name and user password to join the computer to the domain.
Click OK to close the System Properties dialog box. You will be prompted to restart your computer to apply your changes.
Reboot and log on to the contoso domain.
On DC1, in Active Directory Users and Computers, move the CLIENT2 computer account to the Isolate OU.
On CLIENT2, reboot and log on to the contoso domain.
From a command prompt, type net view \\FS1.
You should be able to successfully connect to the shared folder on FS1.
On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, right-click contoso.com.
Click New, click Group, type Authorized Computers in Group Name, and then click OK.
On DC1, double-click the Authorized Computers security group, click the Members tab, and then click Add.
In Select Users, Contacts, Computers, or Groups, type client2; administrator.
Click Object Types, click Computers, and then click OK.
Click Check Names to verify the object names, click OK, and then click OK again.
On DC1, right-click the Isolate OU, click Properties, and then click the Group Policy tab.
Click New, type Restricted FS1 Access, and then click Edit.
In the console tree, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
In Policy, double-click Access this computer from the network.
Click Define these policy settings to enable this setting.
Click Add User or Group, and then click Browse.
Type Authorized Computers, click Check Names to verify the object name, and then click OK.
Click OK to close the Add User or Group properties.
Click OK to close the Access this computer from the network properties.
Click Yes to accept the warning, and then click Close to close Isolate Properties.
On FS1, from a command prompt, run the following command: gpupdate /force.
Reboot FS1, CLIENT1, and CLIENT2.
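The directory changes in the server isolation steps (moving CLIENT2 into the Isolate OU, creating the Authorized Computers group and adding CLIENT2 to it) can be scripted on DC1 with the Windows Server 2003 directory service command-line tools. This is an added example, not part of the original guide; it assumes the group is created at the domain root, as the GUI steps do, and that CLIENT2 has already been joined to contoso.com.

```batch
@echo off
rem Scripted equivalent of the group-specific server isolation directory steps,
rem run on DC1 after CLIENT2 has joined the domain. Distinguished names follow the
rem lab's contoso.com layout.
set DOMAIN_DN=DC=contoso,DC=com
set ISOLATE_OU=OU=Isolate,%DOMAIN_DN%
set GROUP_DN=CN=Authorized Computers,%DOMAIN_DN%

rem Move the CLIENT2 computer account into the Isolate OU so that it receives
rem the Domain Isolation policy like FS1 and CLIENT1.
dsmove "CN=CLIENT2,CN=Computers,%DOMAIN_DN%" -newparent "%ISOLATE_OU%"

rem Create the Authorized Computers global security group at the domain root.
dsadd group "%GROUP_DN%" -secgrp yes -scope g -samid "Authorized Computers"

rem Add the CLIENT2 computer account (not a user) as a member.
dsmod group "%GROUP_DN%" -addmbr "CN=CLIENT2,%ISOLATE_OU%"

rem Confirm the membership before restricting the user right. Only CLIENT2
rem should be listed; CLIENT1 is deliberately left out.
dsget group "%GROUP_DN%" -members

rem Kerberos authentication of the IPsec peer checks the peer computer account's
rem "Access this computer from the network" right, so once the Restricted FS1
rem Access GPO grants that right only to Authorized Computers, CLIENT1's
rem negotiation with FS1 fails while CLIENT2's succeeds. Refresh policy on FS1
rem (gpupdate /force) and reboot FS1, CLIENT1 and CLIENT2 as described above.
```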
After configuring group-specific isolation, FS1 should now be isolated from communication with CLIENT1, even though CLIENT1 is a host in the isolated domain.
On CLIENT1, from a command prompt, type net view \\fs1.
You should not be able to successfully connect to the shared folder on FS1.
On CLIENT2, from a command prompt, type net view \\fs1.
You should be able to successfully connect to the shared folder on FS1.
Figure 5. Result of server isolation.
This step-by-step guide has shown how to set up domain isolation and server isolation in a test lab by performing the following steps:
Setting up the four computers that make up the domain.
Demonstrating that the clients have full access to the servers.
Creating an IPsec policy to isolate computers in the isolated domain from computers outside the isolated domain.
Demonstrating that computers in the isolated domain can access other computers in the isolated domain, but that computers outside the isolated domain do not have access to members of the isolated domain.
Creating an IPsec policy that builds on the domain isolation policy by further isolating a server using group-specific server isolation.
Demonstrating that specific, authorized computers can access the isolated server and that unauthorized computers are denied access.
For more information, see the following resources:
Server and Domain Isolation Using IPsec and Group Policy on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=33947).
Improving Security with Domain Isolation on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=42414).
Windows Server 2003 IPsec Web site (https://go.microsoft.com/fwlink/?LinkId=42985).
For the latest information about Windows Server 2003, see the Windows Server 2003 Web site.