mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 05:13:40 +00:00
Merge pull request #4246 from mypil/patch-5
Fixes markdown issues for **Next:**
@ -71,4 +71,4 @@ For more information about this design:
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)
**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)
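Review bot: The fix is correct. In `**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)` the closing `**` is preceded by a space, so it is not a right-flanking delimiter run under CommonMark and the literal asterisks render instead of bold text; `**Next:** [...]` moves the space outside the emphasis and renders as intended. The same correction is applied identically in every hunk of this change, so one review of the pattern covers the rest.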
@ -57,4 +57,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
**Next:** [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
@ -45,4 +45,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
@ -52,4 +52,4 @@ The information that you gather will help you answer the following questions. Th
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)
**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)
@ -144,4 +144,4 @@ With the other information that you have gathered in this section, this informat
The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
**Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
@ -32,4 +32,4 @@ Generally, the task of determining zone membership is not complex, but it can be
| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)|
| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary|
**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
**Next:** [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
@ -63,4 +63,4 @@ The following groups were created by using the Active Directory Users and Comput
>**Note:** If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
**Next:** [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
@ -67,4 +67,4 @@ The GPO for devices that are running at least Windows Server 2008 should includ
- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)
**Next:** [Planning Server Isolation Zones](planning-server-isolation-zones.md)
@ -57,4 +57,4 @@ To keep the number of exemptions as small as possible, you have several options:
As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
**Next: **[Isolated Domain](isolated-domain.md)
**Next:** [Isolated Domain](isolated-domain.md)
@ -110,5 +110,5 @@ The following groups were created by using the Active Directory Users and Comput
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
**Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
@ -37,4 +37,4 @@ Active Directory is another important item about which you must gather informati
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)
**Next:** [Gathering Information about Your Devices](gathering-information-about-your-devices.md)
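Review bot: Unrelated to the `**Next:**` fix, but the context line in this hunk reads as circular: "connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows" says that rules for older Windows are incompatible with older Windows. The following sentence about IPsec policies already deployed to Windows XP and Windows Server 2003 suggests the intended meaning is that connection security rules on Windows Vista and Windows Server 2008 (and later) are not compatible with the IPsec policies of those earlier versions; worth rewording in a follow-up so the compatibility direction is unambiguous.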
@ -118,4 +118,4 @@ Some of the more common applications and protocols are as follows:
- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
**Next:** [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
@ -59,4 +59,4 @@ Whether you use an automatic, manual, or hybrid option to gather the information
This inventory will be critical for planning and implementing your Windows Defender Firewall design.
**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)
**Next:** [Gathering Other Relevant Information](gathering-other-relevant-information.md)
@ -82,4 +82,4 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne
Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
@ -48,4 +48,4 @@ Copy the firewall rules for the boundary zone from the GPO that contains the fir
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)
**Next:** [Encryption Zone GPOs](encryption-zone-gpos.md)
@ -50,7 +50,7 @@ Change the action for every inbound firewall rule from **Allow the connection**
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
**Next:** [Server Isolation GPOs](server-isolation-gpos.md)
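Review bot: The context line here, "Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.", is word for word the same sentence as in the previous hunk, whose `**Next:**` link points to Encryption Zone GPOs; this hunk's `**Next:**` points to Server Isolation GPOs, so this appears to be the encryption zone page. Worth checking whether "boundary zone" should read "encryption zone" on this page, since it looks like a copy-paste from the boundary zone page. Out of scope for the `**Next:**` fix, but cheap to correct while these pages are being touched.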
@ -70,4 +70,4 @@ This GPO provides the following rules:
- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)
**Next:** [Isolated Domain GPOs](isolated-domain-gpos.md)
@ -88,4 +88,4 @@ This GPO provides the following rules:
- Authentication mode is set to **Do not authenticate**.
**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
**Next:** [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
@ -31,5 +31,5 @@ Because so many of the settings and rules for this GPO are common to those in th
>**Important:** Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device.
**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)
**Next:** [Boundary Zone GPOs](boundary-zone-gpos.md)
@ -64,4 +64,4 @@ GPOs for devices running at least Windows Vista and Windows Server 2008 should
>**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
**Next: **[Boundary Zone](boundary-zone.md)
**Next:** [Boundary Zone](boundary-zone.md)
@ -38,4 +38,4 @@ Use the following table to determine which Windows Firewall with Advanced Securi
To examine details for a specific design, click the design title at the top of the column in the preceding table.
**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)
**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md)
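Review bot: Naming inconsistency in this hunk's header context: "Use the following table to determine which Windows Firewall with Advanced Security" uses the old product name, while the `**Next:**` link titles elsewhere in this change (for example "Designing a Windows Defender Firewall with Advanced Security Strategy") use "Windows Defender Firewall with Advanced Security". Not part of the markdown fix, but worth a follow-up to make the product name consistent across the guide.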
@ -59,4 +59,4 @@ When the clients and servers have the certificates available, you can configure
Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
**Next: **[Documenting the Zones](documenting-the-zones.md)
**Next:** [Documenting the Zones](documenting-the-zones.md)
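Review bot: Typo in the context line of this hunk: "Starting in Windows Server 2012,you can configure" is missing the space after the comma and should read "Starting in Windows Server 2012, you can configure". Since the file is already being edited for the `**Next:**` markup, it would be reasonable to fix it in the same pass.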
@ -43,5 +43,5 @@ Multiple GPOs might be delivered to each group. Which one actually becomes appli
If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
**Next: **[Planning Network Access Groups](planning-network-access-groups.md)
**Next:** [Planning Network Access Groups](planning-network-access-groups.md)
@ -38,4 +38,4 @@ For the Woodgrove Bank scenario, access to the devices running SQL Server that s
>**Note:** Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5.
**Next: **[Planning the GPOs](planning-the-gpos.md)
**Next:** [Planning the GPOs](planning-the-gpos.md)
@ -79,4 +79,4 @@ GPOs for devices running at least Windows Server 2008 should include the follow
>**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
@ -55,4 +55,4 @@ The following is a list of the firewall settings that you might consider for inc
- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
**Next:** [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
@ -95,4 +95,4 @@ After you have selected a design and assigned your devices to zones, you can beg
When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
@ -47,4 +47,4 @@ The following component is recommended for this deployment goal:
Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
@ -45,4 +45,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
**Next:** [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
@ -49,4 +49,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
**Next:** [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
@ -59,4 +59,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
**Next:** [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
@ -36,4 +36,4 @@ This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following chan
>**Important:** Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect.
**Next: **[Planning GPO Deployment](planning-gpo-deployment.md)
**Next:** [Planning GPO Deployment](planning-gpo-deployment.md)
@ -82,4 +82,4 @@ If Woodgrove Bank wants to implement server isolation without domain isolation,
You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption.
**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
**Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
@ -59,4 +59,4 @@ For more info about this design:
- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
**Next:** [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)