Encryption Zone

Applies To: Windows Server 2008, Windows Server 2008 R2

Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between computers.

To support the additional security requirements of these servers, we recommend that you create an encryption zone that contains these computers and requires that their sensitive inbound and outbound network traffic be encrypted.

You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols.

Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the Planning Group Policy Deployment for Your Isolation Zones section.

GPO settings for encryption zone servers running Windows Server 2008 or Windows Server 2008 R2

The GPO for computers that are running Windows Server 2008 R2 or Windows Server 2008 should include the following:

  • IPsec default settings that specify the following options:

    1. Exempt all ICMP traffic from IPsec.

    2. Key exchange (main mode) security methods and algorithm. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.

    3. Data protection (quick mode) algorithm combinations. Check Require encryption for all connection security rules that use these settings, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.

      If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices.

    4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method.

  • The following connection security rules:

    • A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.

    • A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy.

Important

Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out.

Note

For a sample template for these registry settings, see Appendix A: Sample GPO Template Files for Settings Used in this Guide.

  • If domain member computers must communicate with computers in the encryption zone, ensure that the isolated domain GPOs include quick mode combinations that are compatible with those required by the encryption zone GPOs.
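The Windows Server 2008 / 2008 R2 settings listed above, expressed as the netsh advfirewall commands an administrator types to build them. This is an added example, not part of the guide; the domain name, GPO name, domain controller addresses and the order of the quick mode proposals are placeholders to replace.

```batch
@echo off
rem Added example: encryption zone GPO settings as netsh advfirewall commands.
rem Placeholders: contoso.com\EncryptionZoneGPO, and 10.0.1.10,10.0.1.11 (domain controllers).

rem Write to the GPO instead of the local policy (omit this line to try the settings locally first).
netsh advfirewall set store gpo=contoso.com\EncryptionZoneGPO

rem 1. Exempt all ICMP traffic from IPsec.
netsh advfirewall set global ipsec defaultexemptions icmp

rem 2. Main mode: AES with SHA1 over DH group 2 only; no Diffie-Hellman Group 1, DES or MD5.
rem    Keep the strongest list that every supported operating system in the zone can negotiate.
netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes256-sha1,aes128-sha1

rem Exempt the listed computers (domain controllers; subnets are accepted too) from authentication.
netsh advfirewall consec add rule name="Encryption zone - exemption list" ^
    endpoint1=any endpoint2=10.0.1.10,10.0.1.11 action=noauthentication

rem 3+4. Any-to-any rule: computer Kerberos V5 required, user Kerberos V5 as optional second
rem    authentication. Quick mode offers only ESP combinations that encrypt ("Require encryption");
rem    no AH, so the traffic still traverses NAT devices.
rem    Start with request in / request out; change to requireinrequestout once IPsec is confirmed.
netsh advfirewall consec add rule name="Encryption zone - require encryption" ^
    endpoint1=any endpoint2=any action=requestinrequestout ^
    auth1=computerkerb auth2=userkerb ^
    qmsecmethods=esp:sha1-aes256+60min+100000kb,esp:sha1-aes128+60min+100000kb

rem Checks: list the connection security rules, then confirm on a zone member that the
rem quick mode SAs show ESP with AES and that no peer inside the zone is running in clear.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show qmsa
```

Once every computer in the zone appears with an ESP SA in the monitor output, rerun the second rule with `action=requireinrequestout` to enforce inbound authentication.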

GPO settings for encryption zone servers running Windows 2000 or Windows Server 2003

You must create a new IPsec policy instead of modifying an existing IPsec policy in a copied GPO. Because all GPOs share a common store of IPsec policies, if you modify an IPsec policy in a copied GPO, you are modifying the shared one used by other GPOs. Make sure that your newly created IPsec policy is the one assigned in the GPO.

The GPOs for computers that are running Windows 2000 or Windows Server 2003 should include the following:

  • An IPsec policy that includes the following settings and security rules:

    1. Key exchange settings that specify main mode security methods and algorithms. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.

    2. A permit rule for all ICMP traffic using My IP Address to Any IP Address.

    3. A permit rule for all computers on the exempted list. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.

    4. A negotiate rule for all network addresses using My IP Address to communicate with subnet addresses that make up the network address space. The filter action should specify Negotiate security and then specify the encryption protocols to be required by members of the zone. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices.

      To initially make the GPO request inbound and outbound authentication, select both the Accept unsecured communication and Allow fallback to unsecured communication check boxes. After you have confirmed that all your computers are successfully using IPsec as designed, come back to this setting, and then clear the Accept unsecured communication check box to require inbound authentication.

  • A registry policy that includes the following values:

    1. Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in Appendix A: Sample GPO Template Files for Settings Used in this Guide sets the value to 1.

    2. Enforce the default IPsec protocol exemptions. This setting is documented in Knowledge Base article 810207 at https://go.microsoft.com/fwlink/?linkid=110516. The sample GPO preferences XML file in Appendix A: Sample GPO Template Files for Settings Used in this Guide sets this value to 3 on Windows Server 2003, and sets the value to 1 on Windows XP and Windows 2000.

    3. If required by the organization, enable IPsec over NAT-T. This setting is documented in Knowledge Base article 120492 at https://go.microsoft.com/fwlink/?linkid=120492. The sample GPO preferences XML file in Appendix A: Sample GPO Template Files for Settings Used in this Guide sets this value to 0 (the default). To enable IPsec over NAT-T, you must change this value to either 1 or 2, as required by your environment.

    4. Set the Simplified IPsec Policy registry entry to a value of 0x14 to improve the 'fall back to clear' behavior in Windows XP and Windows Server 2003. To use this, you must have already deployed the update available for free download (for Windows Server 2003) from the Knowledge Base article 914841 at https://go.microsoft.com/fwlink/?linkid=110514.

Note

For a sample template for these registry settings, see Appendix A: Sample GPO Template Files for Settings Used in this Guide.
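The Windows Server 2003 IPsec policy described above, built with netsh ipsec static so that a new policy is created in the shared store rather than an existing one edited. This is an added example, not the guide's own template; the domain, the domain controller addresses and the 10.0.0.0/8 address space are placeholders, and Windows 2000 (which lacks netsh ipsec) needs the equivalent ipsecpol.exe commands instead.

```batch
@echo off
rem Added example: encryption zone IPsec policy for Windows Server 2003 via netsh ipsec static.
rem Placeholders: contoso.com, domain controllers 10.0.1.10 and 10.0.1.11, address space 10.0.0.0/8.

rem Work in the domain store: this creates a new policy instead of modifying one shared by other GPOs.
netsh ipsec static set store location=domain domain=contoso.com

rem 1. New policy; key exchange 3DES/SHA1 with DH group 2 only (no DES, MD5 or Group 1).
rem    Windows Server 2003 IPsec has no AES, so 3DES is the strongest common choice.
netsh ipsec static add policy name="Encryption Zone" description="Require ESP encryption" mmsecmethods="3DES-SHA1-2"

rem 2. Permit all ICMP traffic, My IP Address to Any IP Address.
netsh ipsec static add filterlist name="EZ ICMP"
netsh ipsec static add filter filterlist="EZ ICMP" srcaddr=me dstaddr=any protocol=ICMP mirrored=yes
netsh ipsec static add filteraction name="EZ Permit" action=permit

rem 3. Permit the exemption list (domain controllers; a subnet with dstmask works as well).
netsh ipsec static add filterlist name="EZ Exempt"
netsh ipsec static add filter filterlist="EZ Exempt" srcaddr=me dstaddr=10.0.1.10 mirrored=yes
netsh ipsec static add filter filterlist="EZ Exempt" srcaddr=me dstaddr=10.0.1.11 mirrored=yes

rem 4. Negotiate security for the internal address space: ESP with 3DES (no AH, so NAT is fine).
rem    inpass=yes is "Accept unsecured communication" (request inbound);
rem    soft=yes   is "Allow fallback to unsecured communication" (request outbound).
netsh ipsec static add filterlist name="EZ Internal"
netsh ipsec static add filter filterlist="EZ Internal" srcaddr=me dstaddr=10.0.0.0 dstmask=255.0.0.0 mirrored=yes
netsh ipsec static add filteraction name="EZ Negotiate" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=yes soft=yes

rem Rules bind each filter list to its action; Kerberos V5 authenticates the negotiated rule.
netsh ipsec static add rule name="ICMP" policy="Encryption Zone" filterlist="EZ ICMP" filteraction="EZ Permit"
netsh ipsec static add rule name="Exempt" policy="Encryption Zone" filterlist="EZ Exempt" filteraction="EZ Permit"
netsh ipsec static add rule name="Internal" policy="Encryption Zone" filterlist="EZ Internal" filteraction="EZ Negotiate" kerberos=yes

rem After all computers are confirmed to use IPsec, clear "Accept unsecured communication"
rem to require inbound authentication:
rem   netsh ipsec static set filteraction name="EZ Negotiate" inpass=no

rem Assign "Encryption Zone" (not a pre-existing policy) in the GPO under IP Security Policies,
rem then verify on a member with:  netsh ipsec dynamic show qmsas
```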

Make sure that your GPOs for stationary computers, such as desktop and server computers, assign all rules to all profiles. For portable computers, you might want to allow more profile flexibility to enable users to communicate successfully when they are not connected to the organization's network.
