Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
Applies To: Windows Server 2012
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone.
The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
.jpeg)
Checklist: Configuring rules for isolated servers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Note
The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy.
|
Task |
Reference |
||
|---|---|---|---|---|
|
Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. |
|||
|
If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended. |
|
||
|
Configure IPsec to exempt all ICMP network traffic from IPsec protection. |
|||
|
Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. |
|||
|
Configure the key exchange (main mode) security methods and algorithms to be used. |
|||
|
Configure the data protection (quick mode) algorithm combinations to be used. |
|||
|
Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional. |
|||
|
Create a rule that requests authentication for all inbound network traffic.
|
|||
|
If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. |
|||
|
Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers. |
|||
|
Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG. |
|||
|
Link the GPO to the domain level of the Active Directory organizational unit hierarchy. |
|||
|
Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group. |
.jpeg)
.jpeg)
.jpeg)
.jpeg)
ImportantDo not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested.