Checklist: Configuring Rules for the Encryption Zone

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. The way in which you configure these rules and settings depends on whether the computers to which the GPO applies are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 or an earlier version of the Windows operating system.

Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.

Checklist: Configuring encryption zone rules for Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2

A GPO for Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in Checklist: Implementing a Domain Isolation Policy Design. You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.

  Task Reference

Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.

Copy a GPO to Create a New GPO

Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Add the encryption requirements for the zone.

Configure the Rules to Require Encryption on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Link the GPO to the Domain

Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Add Test Computers to the Membership Group for a Zone

Verify that the connection security rules are protecting network traffic.

Verify That Network Traffic Is Authenticated

Checklist: Creating encryption zone rules for Windows XP, Windows Server 2003, or Windows 2000

A GPO for Windows XP, Windows Server 2003, or Windows 2000 can often simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in Checklist: Implementing a Domain Isolation Policy Design. You can then make copies of those GPOs for use with the encryption zone. The key exchange settings, filter lists, and filter actions that you defined in that GPO can be reused in the GPO for the encryption zone.

  Task Reference

Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.

Copy a GPO to Create a New GPO

Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.

Modify GPO Filters to Apply to a Different Zone or Version of Windows

Create a new IP Security policy that can be assigned to the encryption zone GPO.

Create a New IP Security Policy in a GPO for Earlier Versions of Windows

Create the IPsec rules that combine the filter lists and filter actions. For the encryption zone, you reuse the filters and filter lists you created earlier for the domain isolation and boundary zones and use the filter action that requires both authentication and encryption of traffic that is not exempt.

Create IPsec Rules for an Isolated Domain on Earlier Versions of Windows

Assign the IPsec policy for the encryption zone to your GPO.

Assign an IPsec Policy to a GPO for Earlier Versions of Windows

Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Add Test Computers to the Membership Group for a Zone

Verify that the connection security rules are protecting network traffic.

Verify That Network Traffic Is Authenticated