Create Filter Lists for Isolated Domain Computers and Isolated Servers Running Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

IP Security rules for Windows 2000, Windows XP, and Windows Server 2003 are composed of filter lists, filter actions, and authentication methods. In this section, you create the filter lists that you later combine with filter actions and authentication method lists.

The filter lists you need for either a domain isolation or standalone server isolation scenario include:

  • All IP Traffic. This filter list exists by default, but the procedure in this topic shows you how to re-create it, if necessary. This filter list contains a single filter that matches traffic that is not better matched by another filter list, and is initially associated with the Request Security filter action to create the basic domain isolation rule. After testing is complete, the rule is changed to use the Require Security filter action instead.

  • All ICMP Traffic. This filter list exists by default, but the procedure in this topic shows you how to re-create it, if necessary. This filter list contains a single filter that matches any ICMP network packets. It is used to create an exemption rule that allows ICMP to work without authentication to simplify network troubleshooting.

Important

Because of its usefulness in troubleshooting network connectivity problems, we recommend that you use this filter to exempt all ICMP traffic unless your network risk analysis indicates a need to protect ICMP traffic.

  • All Exempted Computers. This is a new filter that you must create. The list contains filters for any computers that cannot participate in IPsec authentication, and that do not work well with the delays caused by fallback-to-clear behavior.

Important

Adding computers to the exemption list for a zone reduces security because it permits computers in the zone to send network traffic that is unprotected by IPsec to the computers on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, add only managed and trusted computers to the exemption list.

Note

Remember that with the simplified IPsec policy described in article 914841 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?linkid=110514), and implemented in Configure Settings to Optimize IPsec Behavior on Earlier Versions of Windows, the fallback-to-clear timeout is reduced from 3 seconds to 500 milliseconds. Consider not including in this list any servers whose network services work with fallback-to-clear to keep the list small and manageable. Include only those servers whose services do not work well even with the reduced fallback-to-clear timeout.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To create the All IP Traffic filter

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage IP Filter Lists tab.

  4. If the list includes All IP Traffic, and that filter list has not been modified, you can use it as is. If it does not exist, click Add.

  5. In the Name text box, type All IP Traffic.

  6. Provide a good description that will help you understand the purpose of the filter list when you refer to it in the future (for example, Matches all IP packets from this computer to any other computer, except those protocols exempted by “NoDefaultExempt” registry key).

  7. Click Add.

  8. On the Welcome page, click Next.

  9. On the IP Filter Description and Mirrored Property page, type a good description that will help you understand the purpose of the IP filter when you refer to it in the future.

  10. Check Mirrored, and then click Next. Mirroring allows the rule to apply to traffic flowing either way for a connection, without having to create a second rule in which the addresses are reversed.

  11. On the IP Traffic Source page, select My IP Address from the list, and then click Next.

  12. On the IP Traffic Destination page, select Any IP Address from the list, and then click Next.

  13. On the IP Protocol Type page, select Any from the list, and then click Next.

  14. On the Completing the IP Filter Wizard page, click Finish.

To create the All ICMP Traffic filter

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage IP Filter Lists tab.

  4. If All ICMP Traffic appears in the list, and that filter list has not been modified, you can use it as is. If it does not exist, click Add.

  5. In the Name text box, type All ICMP Traffic.

  6. Provide a good description that will help you understand the purpose of the filter list when you refer to it in the future (for example, Matches all ICMP packets between this computer and any other computer).

  7. Click Add.

  8. On the Welcome page, click Next.

  9. On the IP Filter Description and Mirrored Property page, type a good description that will help you understand the purpose of the IP filter when you refer to it in the future.

  10. Check Mirrored, and then click Next. Mirroring allows the rule to apply to traffic flowing either way for a connection, without having to create a second rule in which the addresses are reversed.

  11. On the IP Traffic Source page, select My IP Address from the list, and then click Next.

  12. On the IP Traffic Destination page, select Any IP Address from the list, and then click Next.

  13. On the IP Protocol Type page, select ICMP from the list, and then click Next.

  14. On the Completing the IP Filter Wizard page, click Finish.

To create the All Exempted Computers filter

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the navigation pane, right-click IP Security Policies on Active Directory (YourDomainName), and then click Manage IP filter lists and filter actions.

  3. Select the Manage IP Filter Lists tab.

  4. Click Add.

  5. In the Name text box, type All Exempted Computers.

  6. Provide a good description that will help you understand the purpose of the filter list when you refer to it in the future (for example, Matches all network traffic between this computer and any computer on the exemption list).

  7. Click Add.

  8. On the Welcome page, click Next.

  9. On the IP Filter Description and Mirrored Property page, type a good description that will help you understand the purpose of the IP filter when you refer to it in the future (for example, All Exchange servers on the 10.1.2.0/24 Network).

  10. Select Mirrored, and then click Next. Mirroring allows the rule to apply to traffic flowing either way for a connection, without having to create a second rule in which the addresses are reversed.

  11. On the IP Traffic Source page, select My IP Address from the list, and then click Next.

  12. On the IP Traffic Destination page, select one of the following:

    • For a single computer by name, select A specific DNS Name, type the host name, and then click Next. On the Security Warning dialog box, the discovered IP addresses are displayed. Click Yes to add each address to the IP filter list.

Warning

The DNS name is not stored. It is used only to look up the IP address, which is stored in the IP filter. If the IP address of the computer changes, this value is not dynamically updated; you must manually update the IP filter with the new IP address.

    • For a single computer by IP address, or for a group of computers by subnet address, select A specific IP Address or Subnet, type the IP address or subnet address in the text box, and then click Next. For a typical IPv4 subnet address, use the format ipaddress/nn, where nn is the number of bits in the subnet mask. For example, 192.168.0.0/24 indicates all IP addresses from 192.168.0.1 to 192.168.0.254.

    • For computers performing a specified server role, select one of the following: DNS Servers, WINS Servers, DHCP Servers, or Default Gateway. This filter matches when the local computer attempts to connect to a computer for the specified service.

  13. On the IP Protocol Type page, select Any from the list, and then click Next.

  14. On the Completing the IP Filter Wizard page, click Finish.

  15. Using the set of computers that you identified as your exemption list in your domain isolation design, repeat steps 6 through 13 for each computer or set of computers to complete the exemption list.

  16. When the list is complete, click OK to save the exemption list.
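As an added example that is not part of the original topic, the same three filter lists can be created from the command line with the netsh ipsec static context available on Windows XP and Windows Server 2003 instead of the console wizard. The domain name and the 10.1.2.0/24 subnet are placeholders, and the dhcp role keyword and the dotted-mask form of the subnet are assumed from the netsh ipsec reference; verify them on your system with netsh ipsec static add filter /? before use.

```batch
@echo off
rem Added example (not from the original topic): the three filter lists
rem built with netsh rather than the IP Security Policy wizard.
rem Assumptions: the "netsh ipsec static" context (Windows XP / Server 2003);
rem YOURDOMAIN.example.com and 10.1.2.0/24 are placeholders, not page values.

rem Target the Active Directory policy store so the lists land in the GPO,
rem as the console procedure does. Omit this line to work on the local store.
netsh ipsec static set store location=domain domain=YOURDOMAIN.example.com

rem 1. All IP Traffic: one mirrored filter, my address to any, any protocol.
netsh ipsec static add filterlist name="All IP Traffic" ^
  description="Matches all IP packets from this computer to any other computer, except protocols exempted by NoDefaultExempt"
netsh ipsec static add filter filterlist="All IP Traffic" ^
  description="Mirrored, me to any, any protocol" ^
  srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 2. All ICMP Traffic: same shape, protocol restricted to ICMP.
netsh ipsec static add filterlist name="All ICMP Traffic" ^
  description="Matches all ICMP packets between this computer and any other computer"
netsh ipsec static add filter filterlist="All ICMP Traffic" ^
  description="Mirrored, me to any, ICMP only" ^
  srcaddr=me dstaddr=any protocol=ICMP mirrored=yes

rem 3. All Exempted Computers: one filter per computer, subnet or role on the
rem    exemption list. Keep it short; each entry is traffic IPsec never protects.
netsh ipsec static add filterlist name="All Exempted Computers" ^
  description="Matches all network traffic between this computer and any computer on the exemption list"
rem    a) a subnet, given as address plus dotted mask (equivalent of 10.1.2.0/24)
netsh ipsec static add filter filterlist="All Exempted Computers" ^
  description="All Exchange servers on the 10.1.2.0/24 network" ^
  srcaddr=me dstaddr=10.1.2.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes
rem    b) a server role: matches whatever DHCP servers this host uses (assumed keyword)
netsh ipsec static add filter filterlist="All Exempted Computers" ^
  description="DHCP servers" srcaddr=me dstaddr=dhcp protocol=ANY mirrored=yes

rem Review every filter before the lists are combined with filter actions in a rule.
netsh ipsec static show filterlist all level=verbose
```

Like the wizard, a filter given a DNS name stores only the resolved address, so an address change on an exempted computer still requires re-adding the filter.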
