Server and Domain Isolation Using IPsec and Group Policy

Overview

Published: March 17, 2005 | Updated: July 24, 2006

Microsoft recognizes that large organizations face increasing challenges in securing the perimeters of their networks. As organizations grow and business relationships change, customers, vendors, and consultants need to connect mobile devices to the network for valid business reasons, and controlling physical access to the network can become impossible. The advent of wireless networks and wireless connection technologies has made network access easier than ever. This increased connectivity means that domain members on the internal network are increasingly exposed to significant risks from other computers on the internal network, in addition to breaches in perimeter security.

The concept of logical isolation this guide presents embodies two solutions—server isolation to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members, and domain isolation to isolate domain members from untrusted connections. These solutions can be used separately or together as part of an overall logical isolation solution.

At its core, server and domain isolation enables IT administrators to restrict TCP/IP communications of domain members that are trusted computers. These trusted computers can be configured to allow only incoming connections from other trusted computers or a specific group of trusted computers. Microsoft® Active Directory® Group Policy centrally manages the access controls that govern network logon rights. Nearly all TCP/IP network connections can be secured without application changes, because IPsec works at the network layer, below the application layer, to provide authentication and per-packet security end-to-end between computers. Network traffic can be authenticated, or authenticated and encrypted, in a variety of customizable scenarios.


The Business Benefits

Introducing a logical isolation defense layer provides the following benefits:

Additional security. A logical isolation defense layer provides additional security for all managed computers on the network.

Tighter control of who can access specific information. By using this solution, computers do not automatically gain access to all network resources simply by connecting to the network.

Lower cost. This solution is typically far less expensive to implement than a physical isolation solution.

An increase in the number of managed computers. If an organization's information is available only to managed computers, all devices will have to become managed systems to provide access to their users.

Improved levels of protection against malware attacks. The isolation solution significantly restricts the ability of an untrusted computer to access trusted resources. For this reason, a malware attack from an untrusted computer will fail because the connection will not be allowed, even if the attacker obtains a valid user name and password.

A mechanism to encrypt network data. Logical isolation makes it possible to require encryption of all network traffic among selected computers.

Rapid emergency isolation. This solution provides a mechanism to quickly and efficiently isolate specific resources inside your network in the event of an attack.

Improved auditing. This solution provides a way to log and audit network access by managed resources.

Who Should Read This Guide

This guide is designed to support a server and domain isolation solution through all stages of the IT lifecycle, starting at the initial evaluation and approval phase, and continuing through to deployment, testing, and management of the completed implementation. For this reason, the various chapters in this guide have been written to meet the needs of a variety of readers.

Chapter 1 is designed primarily for business decision-makers who are trying to determine whether their organizations will benefit from a server and domain isolation project. Understanding the contents of this chapter requires no specific technical knowledge beyond the comprehension of an organization's business and security needs.

Chapters 2, 3, and 4 are the planning chapters, which will be most helpful to the technical architects and IT professionals who will be responsible for designing a customized solution for an organization. A technical understanding of the technologies involved, as well as of the organization's current infrastructure, is required to obtain the most benefit from these chapters.

Chapter 5 and the appendices are designed for the support staff that will be responsible for creating the deployment plans for the organization's solution. This guidance includes a number of recommendations about the process of completing a successful solution deployment as well as practical implementation steps to create the test lab environment.

Chapter 6 is intended as a reference for the staff that will be responsible for the day-to-day operations of the solution after it is implemented and fully operational. A number of operating processes and procedures highlighted in this chapter should be built into the organization's operations framework.

Chapter 7 provides information that will be helpful for staff tasked with troubleshooting the server and domain isolation deployment. Because IPsec fundamentally affects network communications, troubleshooting information and techniques can significantly help organizations that implement IPsec as part of this solution.

This guide includes seven chapters and four appendices.

Chapter 1: Introduction to Server and Domain Isolation

This chapter introduces server and domain isolation using IPsec and Group Policy and includes a brief overview of each chapter. The chapter outlines the Woodgrove Bank scenario used throughout the guide.

Chapter 2: Understanding Server and Domain Isolation

This chapter is designed for technical decision-makers and technical architects who will be responsible for designing a customized server and domain isolation solution for an organization. It describes how to identify trusted computers, provides a Terminology Refresher, and looks at how to deploy server and domain isolation.

Chapter 3: Determining the Current State of Your IT Infrastructure

This chapter explains how to obtain the information necessary to plan for and deploy a server and domain isolation solution. It discusses the process of understanding and documenting the computers that might function as "trusted" computers within the solution.

Chapter 4: Designing and Planning Isolation Groups

This chapter provides complete guidance for defining isolation groups that fulfill the business security requirements discussed in Chapter 2, "Understanding Server and Domain Isolation". The Woodgrove Bank scenario demonstrates the essential details of how an organization can turn its security requirements into deployed isolation groups.

Chapter 5: Creating IPsec Policies for Isolation Groups

This chapter provides instructions for implementing the server and domain isolation design. It provides complete guidance for applying the security requirements of domain isolation and the server isolation groups designed in Chapter 4, "Designing and Planning Isolation Groups".

Chapter 6: Managing a Server and Domain Isolation Environment

This chapter provides guidance for managing a server and domain isolation solution after it has been successfully deployed into a production environment. The information provided in this chapter is designed for developing well-documented and well-communicated solution management processes.

Chapter 7: Troubleshooting IPsec

This chapter provides information about how to troubleshoot Internet Protocol security (IPsec) in scenarios such as server and domain isolation, and is based on the experience of the Microsoft Information Technology (IT) team. Where possible, this chapter refers to existing Microsoft troubleshooting procedures and related information.

Appendix A: Overview of IPsec Policy Concepts

This appendix provides a detailed overview of IPsec terms, processes, and concepts. It is designed to provide the prerequisite level of understanding for IPsec, as described in this guide.

Appendix B: IPsec Policy Summary

This appendix provides a concise listing of information about all policy settings for the isolation groups used in the IPsec solution.

Appendix C: Lab Build Guide

This appendix provides complete guidance for building the required infrastructure to support isolation groups that use IPsec. It also provides the instructions that are used to implement the baseline IPsec policy for the Woodgrove Bank scenario that is presented throughout this guide.

Appendix D: IT Threat Categories

This appendix provides a list of potential threats and attacks that can affect an organization and explains how a server and domain isolation solution can help mitigate them.

Tools and Templates

The downloadable version of this guide includes scripts and additional tools to make it easier for your organization to implement an IPsec policy.

Give Us Your Feedback

The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate your thoughts about this and other security solutions.

Have an opinion? Let us know on the Security Solutions Blog for the IT Professional.

Or e-mail your feedback to the following address: SecWish@microsoft.com. We respond often to feedback that is sent to this mailbox.

We look forward to hearing from you.

Consulting and Support Services

Many services are available to assist organizations in their security efforts. Use the following links to help you find the services you need:

For Microsoft Gold Certified Partners, Microsoft Certified Technical Education Centers, Microsoft Certified Partners, and products from independent software vendors (ISVs) using Microsoft technologies, search the Microsoft Resource Directory.

To find consulting and support services appropriate for your organization’s needs, visit Microsoft Services.

