Checklist: Configuring Rules for the Isolated Domain

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. The way in which you configure these rules and settings depends on whether the computers to which the GPO applies are running Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or an earlier version of the Windows operating system.

In this topic:

  • Checklist for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

  • Checklist for Windows XP, Windows Server 2003, and Windows 2000

Checklist: Configuring isolated domain rules for computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

Note

The GPOs for computers running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 7, make a copy of it for Windows Server 2008 R2, and then follow the steps in this checklist to make the few required changes to the copy.

  Task Reference

Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist: Creating Group Policy Objects

Copy a GPO to Create a New GPO

If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Exempt ICMP from Authentication on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Create an Authentication Exemption List Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Configure the key exchange (main mode) security methods and algorithms to be used.

Configure Key Exchange (Main Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Configure the data protection (quick mode) algorithm combinations to be used.

Configure Data Protection (Quick Mode) Settings on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Configure the authentication methods to be used.

Configure Authentication Methods on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Create the rule that requests authentication for all inbound network traffic.

Create an Authentication Request Rule on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Link the GPO to the domain level of the AD DS organizational unit hierarchy.

Link the GPO to the Domain

Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.

Add Test Computers to the Membership Group for a Zone

Verify that the connection security rules are protecting network traffic to and from the test computers.

Verify That Network Traffic Is Authenticated

Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.

Checklist: Creating isolated domain IPsec rules for computers running Windows XP, Windows Server 2003, or Windows 2000

Note

The GPOs for computers that run Windows Server 2003, Windows XP, and Windows 2000 are typically similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of it for the other operating systems. For example, create and configure the GPO for Windows XP, create a copy of it for Windows Server 2003, and then follow the steps in this checklist to make the few required changes to the copy.

  Task Reference

Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Create a Group Policy Object

Copy a GPO to Create a New GPO

If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Add registry settings that optimize IPsec behavior to the GPO.

Configure Settings to Optimize IPsec Behavior on Earlier Versions of Windows

Create a new IP Security policy in the GPO.

Create a New IP Security Policy in a GPO for Earlier Versions of Windows

Configure the key exchange (main mode) security methods and algorithms to be used.

Configure Key Exchange (Main Mode) Settings on Earlier Versions of Windows

Create IP filter lists for ICMP traffic, the exemption list, and all inbound IP traffic.

Create Filter Lists for Isolated Domain Computers and Isolated Servers Running Earlier Versions of Windows

Create filter actions to allow traffic, request authentication, require authentication, and require both authentication and encryption.

Create Filter Actions on Earlier Versions of Windows

Create the IPsec rules that combine the filter lists and filter actions. For the main zone in the isolated domain, you create rules that use the allow filter action with the exemption and ICMP filter lists and another rule that uses the request authentication filter action with the all IP traffic filter list.

Create IPsec Rules for an Isolated Domain on Earlier Versions of Windows

Assign the IPsec policy for the isolated domain to your GPO.

Assign an IPsec Policy to a GPO for Earlier Versions of Windows

Link the GPO to the domain level of the AD DS organizational unit hierarchy.

Link the GPO to the Domain

Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.

Add Test Computers to the Membership Group for a Zone

Verify that the connection security rules are correctly protecting your network traffic.

Verify That Network Traffic Is Authenticated

Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.