Domain Isolation with Microsoft Windows Explained
Applies To: Windows Server 2008, Windows Vista
This paper is organized as follows:
About domain isolation
Domain isolation solutions
Related documents
Additional references
About domain isolation
Domain isolation enforces a network policy that requires domain member computers to accept incoming communication requests only from computers that can authenticate themselves with domain credentials. To do so, you configure the following components:
An Active Directory domain
Domain membership
Group Policy settings
This network policy, once enforced, isolates domain member computers from non-domain-member computers.
By isolating your domain, you provide an additional layer of protection for your network traffic. Security technologies such as Institute of Electrical and Electronics Engineers (IEEE) standard 802.1X require a computer to authenticate itself before sending frames on a network. However, 802.1X does not protect the traffic sent by an 802.1X-authenticated computer after it is on the network. Secure Sockets Layer (SSL) provides computer authentication and data confidentiality (encryption) for SSL-enabled client and server applications. However, SSL works only if both the client and the server application support it. Whereas 802.1X works at the data link layer of the Open Systems Interconnection (OSI) model and SSL works at the application layer, domain isolation uses IPsec at the network layer, providing additional protection for IP-based traffic. Organizations that routinely send sensitive data on their networks and, therefore, must provide extra protection for data assets need this additional level of protection at the network layer.
To deploy domain isolation, you configure Group Policy settings to require that all incoming connection requests and subsequent data be authenticated and protected by using Internet Protocol security (IPsec). IPsec protects traffic from address spoofing, data injection, session hijacking, replay attacks, and other types of data tampering. Optionally, you can specify that packets must be encrypted. You also can configure exemptions so that specific computers that are not domain members can initiate communications with isolated hosts.
Note
Windows Vista and Windows Server 2008 refer to IPsec rules as connection security rules. They perform the same function as the IPsec rules available in previous versions of Windows, but support more advanced authentication and encryption algorithms.
Domain isolation solutions
This section is organized as follows:
Prerequisites for domain isolation
Deployment overview
Communication processes
Prerequisites for domain isolation
To isolate a domain, you must have the following:
An Active Directory domain
The domain includes domain controllers and the appropriate trust relationships to establish trust with other domains or the directory trees of an organization network.
Member computers
These are computers that have joined the Active Directory domain and received domain credentials.
Group Policy settings
These computer and user settings are automatically downloaded to domain member computers.
Active Windows Firewall with Advanced Security policy settings
These Group Policy settings determine the domain isolation behavior of domain member computers.
In a simplified domain isolation deployment, you configure IPsec or connection security rules that define specific types of traffic and how the traffic will be handled. You then activate the policy for the appropriate Active Directory containers, such as sites, domains, and organizational units. The member computers in the Active Directory containers to which the Group Policy settings apply automatically download the Group Policy settings.
After the domain member computers have downloaded and applied the Group Policy settings, they have both the correct IPsec policy for domain isolation and the domain credentials that will allow them to communicate securely with each other and to communicate without security with non-domain-member computers. Computers that are not domain members, which do not have the correct IPsec policy settings for domain isolation or domain credentials, cannot initiate communication with isolated hosts.
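As an added example that is not part of this paper, the following commands show what the connection security rules described above look like when created with the netsh advfirewall consec context that Windows Vista and Windows Server 2008 provide: one exemption rule for a non-domain infrastructure host, and the domain isolation rule itself. The rule names, the exempt address 10.0.0.53 and the GPO name are placeholders constructed for this illustration, and the commented-out set store line is an assumed syntax for targeting a GPO rather than the local policy store.

```powershell
# Added example, not part of the TechNet paper: the two connection security
# rules that implement domain isolation with one exemption, created through
# netsh advfirewall consec (Windows Vista / Windows Server 2008). Rule names
# and the address 10.0.0.53 are constructed placeholders. Run elevated.

# To author the rules into a GPO (so Group Policy delivers them to every member
# computer in scope) instead of the local store, point netsh at the GPO first.
# Assumed syntax and assumed GPO name; left commented out on purpose:
# netsh advfirewall set store gpo=contoso.com\DomainIsolation

# Exemption: a non-domain infrastructure host (here a DNS server) that isolated
# hosts must reach, and that must reach them, without IPsec. 'noauthentication'
# exempts traffic to and from that endpoint from the isolation rule below.
netsh advfirewall consec add rule name=ExemptNonDomainDns `
    endpoint1=any endpoint2=10.0.0.53 `
    action=noauthentication profile=domain

# The domain isolation rule. 'requireinrequestout' means:
#   inbound  - connection attempts that are not IPsec-protected are discarded;
#   outbound - IPsec is requested, and the host falls back to clear text when
#              the peer cannot authenticate.
# 'computerkerb' selects Kerberos V5 computer authentication, which only
# domain members can complete, so the authentication itself is the
# membership test.
netsh advfirewall consec add rule name=DomainIsolation `
    endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain

# Review the rules, then (after some traffic has flowed) the main-mode and
# quick-mode security associations that were actually negotiated. A peer
# listed under the quick-mode SAs is talking to this host under IPsec; a
# domain peer that never appears there is a sign the policy did not reach it.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The exemption rule is listed first only for readability; Windows Firewall with Advanced Security applies the more specific noauthentication rule to the exempt endpoint regardless of creation order. In a real deployment the same two rules are usually created in the Group Policy Management Console, which is the path the deployment steps below assume.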
Deployment overview
Domain isolation deployment consists of four steps.
To deploy domain isolation
Determine the state of your network infrastructure.
Before you can begin planning for domain isolation, you must assess your organization's network. In your assessment, identify and document your network's physical topology (such as client and server computer configurations), logical topology (such as your Active Directory infrastructure including trust relationships and system container structure), and current use of Group Policy settings. You must also determine which computers to exempt.
Design and test domain isolation Windows Firewall with Advanced Security policy in a lab network.
Create a scaled-down version of your network in a physically isolated lab that is not connected to your production network. Then, configure the Windows Firewall with Advanced Security rules required to implement domain isolation for your network. Be sure to include isolated and non-isolated client computers in your test lab network. Use the test lab to ensure that the Windows Firewall with Advanced Security policies work as expected. Fine-tune your policy settings, as needed.
Perform a pilot with a subset of computers.
After verifying Windows Firewall with Advanced Security policy settings in the test lab, configure and activate the domain isolation Windows Firewall with Advanced Security policy on a subset of computers on your production network to test their behavior. For example, you might want to activate the Windows Firewall with Advanced Security policy settings for the computers in a specific Active Directory organizational unit.
Roll out the Windows Firewall with Advanced Security policy in phases.
After the pilot program is complete, begin activating the Windows Firewall with Advanced Security policy for other parts of your domain infrastructure in a phased rollout.
Communication processes
When you implement domain isolation, communication between hosts in your network differs depending on which type of host (isolated or non-isolated) initiates communication and which type of host the initiating host attempts to communicate with. This section describes how communication occurs:
When an isolated host initiates communication with another isolated host.
When a non-isolated host initiates communication with an isolated host.
When an isolated host initiates communication with a non-isolated host.
The following figure shows the types of communication that occur when you deploy domain isolation.
Communication with an isolated host initiated by another isolated host
When an isolated host with both Active Directory credentials and domain isolation Windows Firewall with Advanced Security policy settings (for example, COMPUTER1 in the figure) initiates communication with another isolated host (for example, COMPUTER2), the following occurs:
The initial communication packet sent by COMPUTER1—for example, a Transmission Control Protocol (TCP) Synchronize (SYN) segment—matches the IPsec or connection security rule that specifies that the initiating host must attempt to secure the traffic with IPsec.
COMPUTER1 uses IPsec to perform mutual authentication with COMPUTER2 and to negotiate the use of IPsec protection.
Because COMPUTER2 has domain credentials, the Windows Firewall with Advanced Security authentication process succeeds. Because COMPUTER2 has IPsec policy settings that match those on COMPUTER1, negotiation of IPsec protection also succeeds.
COMPUTER1 sends the initial communication packet to COMPUTER2 with IPsec protection.
COMPUTER2 sends the response to the initial communication packet—for example, a TCP SYN-Acknowledgement (SYN-ACK) segment—to COMPUTER1 with IPsec protection.
Subsequent packets sent between COMPUTER1 and COMPUTER2 are also protected by IPsec.
Because they are domain members and have Windows Firewall with Advanced Security policy settings, isolated hosts mutually authenticate and protect with IPsec the communications they initiate with other isolated hosts.
Communication with a non-isolated host initiated by an isolated host
When an isolated host with both Active Directory credentials and domain isolation Windows Firewall with Advanced Security policy settings (for example, COMPUTER1 in the figure) initiates communication with a non-isolated host (for example, COMPUTER3), the following occurs:
The initial communication packet being sent by COMPUTER1—for example, a TCP SYN segment—matches the IPsec or connection security rule of the policy that specifies that the initiating host must attempt to secure the traffic with IPsec.
COMPUTER1 attempts to use IPsec to authenticate COMPUTER3 and to negotiate the use of IPsec protection.
Because COMPUTER3 does not have domain credentials, the IPsec authentication attempt fails.
Because the rule matched in Step 1 allows unsecured communication with computers that fail the IPsec authentication, COMPUTER1 sends the initial communication packet without IPsec protection.
COMPUTER3 sends the response to the initial communication packet sent by COMPUTER1 without IPsec protection.
COMPUTER1 and COMPUTER3 send subsequent packets without IPsec protection.
An isolated host attempts to authenticate every host with which it initiates communication. If authentication fails, the isolated host sends its packets without IPsec protection, so isolated hosts can still initiate communication with non-isolated hosts.
Communication with an isolated host initiated by a non-isolated host
When a non-isolated host (for example, COMPUTER3 in the figure) initiates communication with an isolated host (for example, COMPUTER2), the following occurs:
Because COMPUTER3 does not have IPsec policy settings, it sends its initial communication packet—for example, a TCP SYN segment—without IPsec protection to COMPUTER2.
On COMPUTER2, the initial communications packet sent by COMPUTER3 matches the IPsec or connection security rule that requires incoming communication attempts to be protected by IPsec.
Because the rule does not allow COMPUTER2 to accept incoming communication attempts that are not protected by IPsec, COMPUTER2 discards the initial communications packet sent by COMPUTER3.
COMPUTER2 also discards subsequent incoming communication attempts from COMPUTER3.
COMPUTER3 fails in its attempt to communicate with COMPUTER2.
Isolated hosts discard all initial communication packets sent by non-isolated hosts.
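The three cases above, plus the exemption mentioned at the start of the paper, follow from two per-host settings: what the host's outbound rule does when a peer cannot authenticate (request, with fallback to clear text) and what its inbound rule does with unprotected packets (require, so discard). As an added example that is not part of this paper, the following small model encodes those decisions so the outcome for any pair of hosts can be traced. The host names, addresses, and the New-IsolationHost and Get-IsolationOutcome functions are constructed for this illustration; they are not part of Windows.

```powershell
# Added example, not part of the TechNet paper: a model of the decision each
# endpoint makes under a domain isolation connection security rule. Hosts,
# addresses and both functions are constructed for illustration only.

function New-IsolationHost {
    param(
        [string]$Name,
        [string]$Address,
        [bool]$DomainMember = $false,   # holds domain credentials (can complete Kerberos)
        [string]$Inbound = 'none',      # 'require' (unprotected inbound is discarded) or 'none'
        [string]$Outbound = 'none',     # 'request' (fall back to clear), 'require', or 'none'
        [string[]]$Exempt = @()         # peer addresses covered by a noauthentication rule
    )
    New-Object psobject -Property @{
        Name = $Name; Address = $Address; DomainMember = $DomainMember
        Inbound = $Inbound; Outbound = $Outbound; Exempt = $Exempt
    }
}

function Get-IsolationOutcome {
    param($Initiator, $Responder)

    # An exemption on either side means neither host attempts IPsec for this peer.
    $exempt = ($Initiator.Exempt -contains $Responder.Address) -or
              ($Responder.Exempt -contains $Initiator.Address)

    # The initiator's outbound rule triggers a negotiation. Mutual Kerberos
    # authentication succeeds only when both sides hold domain credentials and
    # the responder has a connection security policy to match.
    $attempted = (-not $exempt) -and ($Initiator.Outbound -ne 'none')
    $responderHasPolicy = ($Responder.Inbound -ne 'none') -or ($Responder.Outbound -ne 'none')
    if ($attempted -and $Initiator.DomainMember -and $Responder.DomainMember -and $responderHasPolicy) {
        return 'protected'               # every packet carries IPsec protection
    }

    # Negotiation failed or was never attempted. A 'require' outbound setting
    # (not what domain isolation uses) would stop here instead of falling back.
    if ($attempted -and $Initiator.Outbound -eq 'require') {
        return 'blocked-by-initiator'
    }

    # The initial packet goes out in clear text; the responder's inbound rule
    # decides whether it is accepted or silently discarded.
    if ((-not $exempt) -and $Responder.Inbound -eq 'require') {
        return 'discarded-by-responder'
    }
    return 'clear'                       # unprotected, but the connection works
}

# Constructed hosts mirroring the paper's figure: COMPUTER1 and COMPUTER2 are
# isolated, COMPUTER3 is not a domain member, COMPUTER4 is isolated but
# exempts COMPUTER3's address.
$isolated  = @{ DomainMember = $true; Inbound = 'require'; Outbound = 'request' }
$computer1 = New-IsolationHost -Name 'COMPUTER1' -Address '10.0.0.1' @isolated
$computer2 = New-IsolationHost -Name 'COMPUTER2' -Address '10.0.0.2' @isolated
$computer3 = New-IsolationHost -Name 'COMPUTER3' -Address '10.0.0.3'
$computer4 = New-IsolationHost -Name 'COMPUTER4' -Address '10.0.0.4' @isolated -Exempt '10.0.0.3'

$cases = @(
    @($computer1, $computer2),   # isolated -> isolated
    @($computer1, $computer3),   # isolated -> non-isolated
    @($computer3, $computer2),   # non-isolated -> isolated
    @($computer3, $computer4)    # non-isolated -> isolated host that exempts it
)
foreach ($case in $cases) {
    '{0} -> {1}: {2}' -f $case[0].Name, $case[1].Name, (Get-IsolationOutcome $case[0] $case[1])
}
```

The four lines printed correspond to the three cases described above (protected, clear, discarded-by-responder) and to the exemption case (clear). Changing COMPUTER1's outbound setting to 'require' shows why domain isolation uses request rather than require for outbound traffic: the isolated-to-non-isolated case would then fail instead of falling back.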
Related documents
This paper is one of a series of papers that describe server and domain isolation and provide guidelines for planning their deployment.
The other papers include:
Introduction to Server and Domain Isolation (https://go.microsoft.com/fwlink/?LinkId=94631)
This paper introduces server and domain isolation, and the benefits of deployment.
Server Isolation with Microsoft Windows Explained (https://go.microsoft.com/fwlink/?LinkId=94793)
This paper explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation. It assumes that you are somewhat familiar with the Microsoft implementation of IPsec and would like more detailed information about using that technology to deploy server isolation.
Domain Isolation Planning Guide for IT Managers (https://go.microsoft.com/fwlink/?LinkId=44645)
This paper assists you in gathering the information required to develop a domain isolation deployment plan and to design your Windows Firewall with Advanced Security policies. It includes a step-by-step guide to the planning process, an overview of the deployment process, and links to resources that you can use to plan and design your deployment. However, it does not explain how to deploy domain isolation.
Additional references
In addition to the papers described in the preceding section, see the following resources for more information.
Windows Firewall with Advanced Security
For more information about Windows Firewall with Advanced Security, see:
Windows Firewall with Advanced Security Content Roadmap (https://go.microsoft.com/fwlink/?linkid=96525)
This topic describes the documents currently available in the Windows Technical Library for Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008.
Windows Firewall with Advanced Security - Diagnostics and Troubleshooting (https://go.microsoft.com/fwlink/?linkid=95372)
This article describes how Windows Firewall with Advanced Security works, what the common troubleshooting situations are, and which tools you can use for troubleshooting.
Windows Firewall (https://go.microsoft.com/fwlink/?linkid=95393)
This TechNet page contains links to a variety of documents available for Windows Firewall, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
IPsec
For more information about IPsec, see:
IPsec (https://go.microsoft.com/fwlink/?linkid=95394)
This TechNet page contains links to a variety of documents for Internet Protocol security (IPsec), Windows XP, Windows Server 2003, and the version available as connection security rules in Windows Firewall with Advanced Security on Windows Vista and Windows Server 2008.
Simplifying IPSec Policy with the Simple Policy Update (https://go.microsoft.com/fwlink/?linkid=94767)
This article describes a downloadable update available for Windows XP SP2 and Windows Server 2003 SP1. The update changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases significantly reducing the number of required IP filters and their ongoing maintenance.
Server and domain isolation
For more information about server and domain isolation, see:
Server and Domain Isolation (https://go.microsoft.com/fwlink/?linkid=95395)
This TechNet page contains links to documentation about the most common uses for IPsec: server and domain isolation. Documentation is available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Server and Domain Isolation Demo (https://go.microsoft.com/fwlink/?LinkId=107552)
This demonstration presents two server and domain isolation scenarios by using Microsoft® Virtual PC and Microsoft® Virtual Server 2005.
Group Policy
For more information about Group Policy, see:
Group Policy (https://go.microsoft.com/fwlink/?linkid=93542)
This page contains links to the documents currently available for Group Policy, for both the version available in Windows XP and Windows Server 2003, and the version available in Windows Vista and Windows Server 2008.
HOWTO: Leverage Group Policies with WMI Filters (https://go.microsoft.com/fwlink/?linkid=93760)
This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system version number.
Active Directory Domain Services
In Windows Server 2008, organizations can use Active Directory® Domain Services (AD DS) to manage users and resources, such as computers, printers, or applications, on a network. The ability to configure computers with firewall and connection security rules by using Group Policy is a key feature for firewall and server and domain isolation designs. Server and domain isolation also require AD DS in order to use the Kerberos V5 protocol for IPsec authentication.
For more information about AD DS and related technologies, see:
Active Directory Domain Services (https://go.microsoft.com/fwlink/?linkid=102573)
Group Policy (https://go.microsoft.com/fwlink/?linkid=93542)
WMI Filtering Using GPMC (https://go.microsoft.com/fwlink/?linkid=93188)
Networking
For more information about networking, see:
Windows Server 2008 Networking (https://go.microsoft.com/fwlink/?LinkId=105691)
Windows Vista Networking (https://go.microsoft.com/fwlink/?LinkId=89051)