Checklist: Implementing a Domain Isolation Policy Design

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use the Netsh command-line tool to configure GPOs. For more information, see Use Netsh to Configure GPOs.
For more information about the security algorithms and authentication methods available in each version of Windows, see IPsec Algorithms and Methods Supported in Windows (https://go.microsoft.com/fwlink/?linkid=129230.

Checklist: Implementing a domain isolation policy design

  Task Reference

Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.

Identifying Your Windows Firewall with Advanced Security Deployment Goals

Domain Isolation Policy Design

Domain Isolation Policy Design Example

Planning Domain Isolation Zones

Create the GPOs and connection security rules for the isolated domain.

Checklist: Configuring Rules for the Isolated Domain

Create the GPOs and connection security rules for the boundary zone.

Checklist: Configuring Rules for the Boundary Zone

Create the GPOs and connection security rules for the encryption zone.

Checklist: Configuring Rules for the Encryption Zone

Create the GPOs and connection security rules for the isolated server zone.

Checklist: Configuring Rules for an Isolated Server Zone

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.

Add Production Computers to the Membership Group for a Zone

After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.

Change Rules from Request to Require Mode