Server Isolation with Microsoft Windows Explained
Applies To: Windows Server 2008, Windows Vista
This paper is organized as follows:
About server isolation
Server isolation solutions
Related documents
Additional References
About server isolation
Server isolation enforces a network policy requiring specific server computers that are domain members to accept only authenticated and secured communications from other domain member computers. To do so, you configure the following components:
An Active Directory domain
Domain membership, and
Group Policy settings
This network policy, once enforced, isolates specific servers from computers that are not domain members.
For example, sensitive data on servers is typically protected by access control security at the application layer (of the Open Systems Interconnection [OSI] model). Before accessing the files on a file server that contains sensitive data, a user must provide credentials. However, by specifying access control lists (ACLs) at the application layer, the server is protected neither from network-level attacks made from computers that are not domain members, nor from attacks against other services running on the server.
To provide another layer of protection for servers that store sensitive data, you can isolate servers from computers that are not domain members by implementing additional authentication and security at the Internet layer with Internet Protocol security (IPsec) configured by using Windows Firewall with Advanced Security. By using IPsec-based server isolation, computers that are not domain members cannot initiate Internet Protocol (IP)-based communication with isolated servers. Organizations that send sensitive data over their networks and that must provide extra protection for sensitive data assets require this additional level of protection.
To isolate a server, you can configure Group Policy settings to require that all communication with isolated servers must be authenticated and protected by using IPsec. IPsec in Windows Firewall with Advanced Security protects traffic from address spoofing, data injection, session hijacking, replay attacks, and other types of data tampering. Optionally, you can specify that packets must be encrypted. You can also configure exceptions to specify that trusted computers, computers that are not domain members, or computers that are known as exempted computers, can initiate unprotected communications with isolated servers.
Note
Windows Vista and Windows Server 2008 refer to IPsec rules as connection security rules. They perform the same function as the IPsec rules available in previous versions of Windows, but support more advanced authentication and encryption algorithms.
Server isolation solutions
This section is organized as follows:
Prerequisites for server isolation
Deployment overview
Communication processes
Group-specific server isolation
Prerequisites for server isolation
To isolate a server, you must have the following:
An Active Directory domain
A domain includes domain controllers and the appropriate trust relationships to establish trust with other domains or the directory trees of an organization network.
Member computers
These are computers that have joined the Active Directory domain and received domain credentials.
Group Policy settings
These computer and user settings are automatically downloaded to member computers.
Windows Firewall with Advanced Security policy settings
These Group Policy settings determine the server isolation behavior of domain member computers.
In a simplified server isolation deployment, you configure a Windows Firewall with Advanced Security policy with connection security rules that define specific types of traffic and how the traffic should be handled. You then enable the rules for the appropriate Active Directory containers, such as sites, domains, and organizational units. The member computers in the Active Directory containers to which the Group Policy settings apply automatically download the Group Policy settings.
After the domain member computers have downloaded and applied the Group Policy settings, they have both the correct Windows Firewall with Advanced Security policy for server isolation and the domain credentials that allow them to communicate securely with isolated servers. Computers that are not domain members, which do not have domain credentials or the correct Windows Firewall with Advanced Security IPsec rules, cannot initiate communications with isolated servers.
Deployment overview
Server isolation deployment consists of four steps.
To deploy server isolation
Determine the state of your network infrastructure.
Before you can begin planning for server isolation, you must assess your organization's network. In your assessment, identify and document your network's physical topology (such as client and server computer configurations), logical topology (such as your Active Directory infrastructure including trust relationships and system container structure), and current use of Group Policy settings. You must also determine which computers to exempt.
Design and test server isolation policy in a lab network.
Create a scaled-down version of your network in a physically isolated lab that is not connected to your production network. Your test lab network should include domain member client computers, client computers that are not a member of the domain, and exempted computers. Then, configure the IPsec or connection security rules required to implement server isolation for your network. Use the test lab to ensure that the policies work as expected. Fine-tune your policy settings, as needed.
Perform a pilot using a subset of computers.
After verifying the IPsec policy settings in the test lab, configure the server isolation policy on a subset of computers on your production network to test their behavior. For example, you might want to activate the server isolation policy for the computers in a specific Active Directory organizational unit.
Roll out the server isolation policy in phases.
After the pilot program is complete, begin activating the server isolation policy for other parts of your domain infrastructure in a phased roll out.
Communication processes
When you implement server isolation by configuring domain member computers with the appropriate IPsec or connection security rules, communication between computers in your network differs depending on which type of computer (domain member or non-domain-member) initiates communication and which type of computer receives communication. This section describes how communication occurs:
When a domain member computer initiates communication with an isolated server.
When a computer that is not a domain member initiates communication with an isolated server.
When an exempted computer initiates communication with an isolated server.
The following figure shows the types of communication that occur when you deploy server isolation.
Communication with an isolated server initiated by a domain member computer
When a domain member computer with both Active Directory credentials and server isolation rules (for example, COMPUTER1 in the figure) initiates communication with an isolated server (for example, SERVER1), the following occurs:
The initial communication packet sent by COMPUTER1—for example, a Transmission Control Protocol (TCP) Synchronize (SYN) segment destined for the IP address of an e-mail server that is isolated—matches the rule of the active IPsec policy that specifies that the initiating computer must secure the traffic with IPsec.
COMPUTER1 uses IPsec to perform mutual authentication with SERVER1 and to negotiate the use of IPsec protection.
Because both COMPUTER1 and SERVER1 have domain credentials, the IPsec authentication process succeeds. Because COMPUTER1 has IPsec policy settings that match SERVER1, negotiation of IPsec protection also succeeds.
COMPUTER1 sends the initial communication packet to SERVER1 with Windows Firewall with Advanced Security protection.
SERVER1 sends the response to the initial communication packet—for example, a TCP SYN-Acknowledgement (SYN-ACK) segment—to COMPUTER1 with IPsec protection.
Subsequent packets sent between COMPUTER1 and SERVER1 are protected by IPsec.
Domain member computers that have the appropriate IPsec or connection security rules authenticate, and protect with IPsec, all communications to isolated servers.
Communication with an isolated server initiated by a non-domain-member computer
When a non-domain-member computer (for example, COMPUTER2 in the figure) initiates communication with an isolated server (for example, SERVER1), the following events occur:
Because COMPUTER2 does not have IPsec or connection security rules, it sends its initial communication packet—for example, a TCP SYN segment—without IPsec protection to SERVER1.
On SERVER1, the initial communication packet sent by COMPUTER2 matches the IPsec or connection security rule for the server that requires IPsec protection for all incoming packets.
Because SERVER1 does not accept unprotected packets, it silently discards the TCP SYN segment sent by COMPUTER2.
SERVER1 also discards subsequent communication initiation packets sent by COMPUTER2.
Eventually, COMPUTER2 ends its attempt to communicate with SERVER1.
The IPsec policy on SERVER1 causes unprotected communications to be dropped. Non-domain-member computers that attempt to communicate with an isolated server never receive a response and, therefore, cannot connect to the server. Even if a user on a non-domain-member computer was able to duplicate the IPsec or connection security rules of a domain member computer, communications with SERVER1 would fail because the non-domain-member computer does not have valid domain credentials, and the authentication would fail.
Communication with an isolated server initiated by an exempted computer
When an exempted computer (for example, COMPUTER3 in the figure) initiates communication with an isolated server (for example, SERVER1), the following events occur:
Because COMPUTER3 does not have IPsec or connection security rules, it sends its initial communication packet—for example, a TCP SYN segment—without IPsec protection to SERVER1.
On SERVER1, the initial communications packet sent by COMPUTER3 matches the IPsec or connection security rule for the server that permits unsecured communication to its own IP address from the IP addresses of specific exempted computers.
SERVER1 sends a response—for example, a TCP SYN-ACK segment—to COMPUTER3 without IPsec protection.
Subsequent packets sent between COMPUTER3 and SERVER1 are sent without IPsec protection.
The specified IPsec policy allows exempted computers to communicate with isolated servers without requiring IPsec protection.
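The three communication paths above (domain member, non-domain-member, exempted computer) all follow from two connection security rules on the isolated server: a baseline rule that requires IPsec with Kerberos computer authentication for inbound traffic, and a more specific exemption rule for the exempted computers' addresses. The following is an added example, not configuration from the original paper; it configures those two rules locally on SERVER1 with netsh advfirewall, which is how you would reproduce the Group Policy settings in the test lab from the deployment overview. The rule names, the exempted address 192.0.2.30 (standing in for COMPUTER3) and the domain-profile scope are assumptions.

```powershell
# Added example: local connection security rules on an isolated server
# running Windows Server 2008 (equivalent settings are normally delivered
# by Group Policy). All names and addresses are constructed placeholders.

# 1. Baseline rule. Inbound packets must arrive over an IPsec security
#    association negotiated with computer Kerberos (domain) credentials;
#    outbound, the server requests IPsec but falls back to clear text if
#    the peer cannot negotiate. A non-domain-member's unprotected TCP SYN
#    matches this rule and is silently discarded, as described above.
netsh advfirewall consec add rule `
    name="Server Isolation - Require Inbound, Request Outbound" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain enable=yes

# 2. Exemption rule for COMPUTER3 (assumed address 192.0.2.30). The rule
#    with the more specific endpoint wins, so traffic to and from this
#    address is exchanged without IPsec, exactly as the exempted-computer
#    path above describes.
netsh advfirewall consec add rule `
    name="Server Isolation - Exempt COMPUTER3" `
    endpoint1=any endpoint2=192.0.2.30 `
    action=noauthentication `
    profile=domain enable=yes

# 3. Verification. Show the rules, then, after a domain member such as
#    COMPUTER1 has connected, list the main-mode and quick-mode security
#    associations that the Kerberos negotiation produced. A connection
#    attempt from a non-domain-member never produces an SA.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Run the commands in an elevated PowerShell or command prompt on the isolated server. When you move from the lab to production, keep the exemption list as short as the paper recommends, and remember that infrastructure the server must reach before it can obtain a Kerberos ticket (for example, DNS and the domain controllers) also has to be reachable; netsh accepts the keywords dns, dhcp, wins and defaultgateway as endpoint values for that purpose.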
Group-specific server isolation
The server isolation configuration described thus far allows all domain member and exempted computers to communicate with an isolated server. However, servers differ in the level of sensitivity of their data and whether they permit universal access or access only from specific computers. For example, e-mail servers typically must be available to all domain member computers in order to allow a user on any domain member computer to access e-mail. However, finance or legal department servers should only be available to a specific subset of computers.
To further isolate servers that store sensitive data and prevent unauthorized domain member computers from communicating with them, you can separate these servers and authorized computers by providing them with an IP address on a separate subnet, or by using a different authentication method, such as digital certificates. However, both solutions require additional administrative overhead.
For servers that are running Windows Server 2008, you can create a firewall rule that permits traffic only from computers or users that are members of a specified Active Directory security group. The firewall rule can be deployed along with the IPsec rules required for server isolation.
For servers that are running Windows Server 2003, you must use a different method to enforce authorization. By applying the Access this computer from the network user right (a local Group Policy setting), you can specify the computer accounts or Active Directory security groups that you want to allow to access a server over the network.
When IPsec processes the credentials of the computer requesting communications, Windows checks the firewall rule for computers that are running Windows Server 2008, or the Access this computer from the network user right for computers that are running Windows Server 2003.
To further isolate servers that are running Windows Server 2008 that store sensitive data based on Active Directory group membership
Ensure that the servers have been added to the existing connection security rules for isolated servers.
Create an Active Directory security group and add the computer accounts of the authorized computers to the group.
Create a firewall rule on the isolated server specifying that only network connections that are authenticated as coming from a computer that is a member of the authorized group are allowed.
For a file server that contains sensitive financial data, for example, add the financial server to the connection security rules for the isolated servers, create a ConfidentialFinancial security group, and then add the authorized computer accounts.
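The following is an added example, not configuration from the original paper, that carries the ConfidentialFinancial scenario through on a Windows Server 2008 file server. It resolves the group's SID, builds the SDDL string that the firewall rule's rmtcomputergrp parameter expects, and creates an inbound rule that allows SMB (TCP 445) only over an authenticated IPsec connection whose peer computer account is a member of the group. The domain name CONTOSO, the port and the rule name are assumptions.

```powershell
# Added example: group-restricted firewall rule on an isolated file server
# (Windows Server 2008). Assumes the connection security rules for isolated
# servers are already applied, so every inbound packet that reaches this
# rule has been authenticated with the peer's computer Kerberos identity.

# Resolve the security group to its SID; the firewall rule stores the
# SID, not the name, so renaming the group later does not break the rule.
$group = New-Object System.Security.Principal.NTAccount("CONTOSO", "ConfidentialFinancial")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# SDDL granting the CC (connect) right to that SID only. This is the form
# netsh advfirewall expects for rmtcomputergrp and rmtusrgrp.
$sddl = "O:LSD:(A;;CC;;;$sid)"

# security=authenticate limits the rule to traffic that arrived over an
# IPsec SA; rmtcomputergrp limits it further to peers whose computer
# account is in ConfidentialFinancial. A domain member outside the group
# still authenticates successfully with IPsec but is then blocked here.
netsh advfirewall firewall add rule `
    name="ConfidentialFinancial - SMB from authorized computers only" `
    dir=in action=allow `
    protocol=TCP localport=445 `
    security=authenticate `
    rmtcomputergrp="$sddl" `
    profile=domain enable=yes

# Confirm the stored SDDL and the security requirement on the new rule.
netsh advfirewall firewall show rule `
    name="ConfidentialFinancial - SMB from authorized computers only" verbose
```

The restriction only holds if this is the sole inbound rule that allows TCP 445: any other allow rule for the port without rmtcomputergrp (for example, the built-in File and Printer Sharing rules) would admit every authenticated domain member, so review the remaining inbound rules with netsh advfirewall firewall show rule name=all verbose and disable the ones that overlap.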
To further isolate servers that are running Windows Server 2003 that store sensitive data based on Active Directory group membership
Ensure that the servers have been added to the existing IPsec rules for isolated servers.
Create an Active Directory security group and add the computer accounts of the authorized computers to the group.
Configure the local Group Policy settings of each server that stores sensitive data and change the Access this computer from the network user right as follows:
Click Computer Configuration, click Windows Settings, and then click Security Settings.
Click Local Policies, click User Rights Assignment, and then edit Access this computer from the network so that it contains only the Active Directory security group created in step 2.
For a file server that contains sensitive financial data, for example, add the financial server to the IPsec rule of the isolated servers, create a ConfidentialFinancial security group, and then add the authorized computer accounts.
Finally, change the Access this computer from the network user right on the financial file server to contain only the ConfidentialFinancial security group.
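The Windows Server 2003 procedure above is written for the Local Security Policy console; the following is an added example, not from the original paper, that applies the same change from the command line with a security template and secedit, which is easier to repeat across several financial file servers. Access this computer from the network corresponds to the SeNetworkLogonRight privilege in the template. The domain name CONTOSO and the file paths under C:\Temp are assumptions.

```powershell
# Added example: set "Access this computer from the network" on a
# Windows Server 2003 file server so that only the ConfidentialFinancial
# group holds it. Run locally on the server with administrative rights.

# Resolve the group's SID; security templates reference accounts by SID
# (prefixed with *), which avoids name resolution at apply time.
$group = New-Object System.Security.Principal.NTAccount("CONTOSO", "ConfidentialFinancial")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Minimal security template. The [Unicode] and [Version] sections are
# required; [Privilege Rights] lists the user right to replace.
# SeNetworkLogonRight = Access this computer from the network.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *$sid
"@

$infPath = "C:\Temp\NetworkLogon.inf"
$dbPath  = "C:\Temp\NetworkLogon.sdb"
$logPath = "C:\Temp\NetworkLogon.log"
$template | Out-File -FilePath $infPath -Encoding Unicode

# Apply only the user-rights area of the template; other local settings
# are left untouched. Review the log if secedit reports a warning.
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /log $logPath

# Verify by exporting the effective user rights and reading the line back.
secedit /export /cfg C:\Temp\Effective.inf /areas USER_RIGHTS
Select-String -Path C:\Temp\Effective.inf -Pattern "SeNetworkLogonRight"
```

Two points to check before applying this in production: a domain-level Group Policy that also defines this user right overrides the local setting, so the change must be made in whichever policy actually wins on the server, and because the right now lists only ConfidentialFinancial, any remote administration of the file server has to come from a computer in that group.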
Related documents
This paper is one of a series of papers that describe server and domain isolation, and provide guidelines for planning their deployment.
The other papers include:
Introduction to Server and Domain Isolation [WS2008] (https://go.microsoft.com/fwlink/?LinkId=94631)
This paper introduces server and domain isolation, and the benefits of deployment.
Domain Isolation with Microsoft Windows Explained (https://go.microsoft.com/fwlink/?LinkId=94632)
This paper explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation.
Domain Isolation Planning Guide for IT Managers (https://go.microsoft.com/fwlink/?LinkId=44645)
This paper assists you in gathering the information required to develop a domain isolation deployment plan and to design your Windows Firewall with Advanced Security policies. It includes a step-by-step guide to the planning process, an overview of the deployment process, and links to resources that you can use to plan and design your deployment. However, it does not explain how to deploy domain isolation.
Additional References
In addition to the papers described in the preceding section, see the following resources for more information.
Windows Firewall with Advanced Security
For more information about Windows Firewall with Advanced Security, see:
Windows Firewall with Advanced Security Content Roadmap (https://go.microsoft.com/fwlink/?linkid=96525)
This topic describes the documents currently available in the Windows Technical Library for Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008.
Windows Firewall with Advanced Security - Diagnostics and Troubleshooting (https://go.microsoft.com/fwlink/?linkid=95372)
This article describes how Windows Firewall with Advanced Security works, what the common troubleshooting situations are, and which tools you can use for troubleshooting.
IPsec
For more information about IPsec, see:
IPsec (https://go.microsoft.com/fwlink/?linkid=95394)
This TechNet page contains links to a variety of documents for Internet Protocol security (IPsec) for Windows XP, Windows Server 2003, and the version available as connection security rules in Windows Firewall with Advanced Security on Windows Vista and Windows Server 2008.
Simplifying IPSec Policy with the Simple Policy Update (https://go.microsoft.com/fwlink/?linkid=94767)
This article describes a downloadable update available for Windows XP SP2 and Windows Server 2003 SP1. The update changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases significantly reducing the number of required IP filters and their ongoing maintenance.
Server and domain isolation
For more information about server and domain isolation, see:
Server and Domain Isolation (https://go.microsoft.com/fwlink/?linkid=95395)
This TechNet page contains links to documentation about the most common uses for IPsec: server and domain isolation. Documentation is available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Server and Domain Isolation Demo (https://go.microsoft.com/fwlink/?LinkId=107552)
This demonstration presents two server and domain isolation scenarios by using Microsoft® Virtual PC and Microsoft® Virtual Server 2005.
Group Policy
For more information about Group Policy, see:
Group Policy (https://go.microsoft.com/fwlink/?linkid=93542)
This page contains links to the documents currently available for Group Policy, for both the version available in Windows XP and Windows Server 2003, and the version available in Windows Vista and Windows Server 2008.
HOWTO: Leverage Group Policies with WMI Filters (https://go.microsoft.com/fwlink/?linkid=93760)
This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system version number.
Active Directory Domain Services
In Windows Server 2008, organizations can use Active Directory® Domain Services (AD DS) to manage users and resources, such as computers, printers, or applications, on a network. The ability to configure computers with firewall and connection security rules by using Group Policy is a key feature for firewall and server and domain isolation designs. Server and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication.
For more information about AD DS and related technologies, see:
Active Directory Domain Services (https://go.microsoft.com/fwlink/?linkid=102573)
Group Policy (https://go.microsoft.com/fwlink/?linkid=93542)
WMI Filtering Using GPMC (https://go.microsoft.com/fwlink/?linkid=93188)
Networking
For more information about networking, see:
Windows Server 2008 Networking (https://go.microsoft.com/fwlink/?LinkId=105691)
Windows Vista Networking (https://go.microsoft.com/fwlink/?LinkId=89051)