fixing links

This commit is contained in:
Brian Lich
2016-04-29 09:17:15 -07:00
parent 69a5e703f5
commit 3c8bc2cbfd
13 changed files with 32 additions and 32 deletions


@ -10,13 +10,13 @@ author: brianlic-msft
The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization.
- [Firewall Policy Design Example](91fc4c4c-dca9-422e-be05-42a5e14f5e4a)
- [Firewall Policy Design Example](firewall-policy-design-example.md)
- [Domain Isolation Policy Design Example](d918816a-52be-4266-9027-7bc3c36f4916)
- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
- [Server Isolation Policy Design Example](c275b916-56cf-4863-9900-e50193cd77ed)
- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
- [Certificate-based Isolation Policy Design Example](85a83c33-358b-4b73-9b08-ef7589d01f91)
- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
 


@ -28,23 +28,23 @@ The following table lists the three main tasks for articulating, refining, and s
<td><p>Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.</p></td>
<td><p>Predefined deployment goals:</p>
<ul>
<li><p>[Protect Computers from Unwanted Network Traffic](fe94e9b8-c456-4343-af5f-5511b8047d29)</p></li>
<li><p>[Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919)</p></li>
<li><p>[Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267)</p></li>
<li><p>[Restrict Access to Sensitive Resources to Only Specified Users or Computers](09cd6d03-c1ce-45ed-a894-d7f7aaa9b6f0)</p></li>
<li><p>[Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)</p></li>
<li><p>[Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)</p></li>
<li><p>[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)</p></li>
<li><p>[Restrict Access to Sensitive Resources to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)</p></li>
</ul></td>
</tr>
<tr class="even">
<td><p>Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design.</p></td>
<td><ul>
<li><p>[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](39bb8fa5-4601-45ae-83c5-121d42f7f82c)</p></li>
<li><p>[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan.</p></td>
<td><ul>
<li><p>[Designing A Windows Firewall with Advanced Security Strategy](36230ca4-ee8d-4b2c-ab4f-5492b4400340)</p></li>
<li><p>[Planning Your Windows Firewall with Advanced Security Design](6622d31d-a62c-4506-8cea-275bf42e755f)</p></li>
<li><p>[Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)</p></li>
<li><p>[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)</p></li>
</ul></td>
</tr>
</tbody>
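
Review bot: the fourth goal link in the first table row keeps the text "Restrict Access to Sensitive Resources to Only Specified Users or Computers" but now targets `restrict-access-to-only-specified-users-or-computers.md`, and the topic heading shown elsewhere in this commit is "Restrict Access to Only Specified Users or Computers"; align the link text with the target title. Separately, every link in this table is Markdown `[text](target)` syntax nested inside raw `<li><p>` HTML, which many Markdown renderers leave unparsed, so confirm these render on the published page or convert them to `<a href="...">` elements.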


@ -11,7 +11,7 @@ author: brianlic-msft
To use certificates in a server isolation or domain isolation design, you must first set up the infrastructure to deploy the certificates. This is called a public key infrastructure (PKI). The services required for a PKI are available in Windows Server 2012 in the form of the Active Directory Certificate Services (AD CS) role.
**Caution**  
Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see [Active Directory Certificate Services Overview](e37b2335-0796-449f-aaf4-0520e508f47d) in the Windows Server 2012 Technical Library (http://technet.microsoft.com/library/hh831740.aspx).
Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see [Active Directory Certificate Services Overview](http://technet.microsoft.com/library/hh831740.aspx).
 
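
Review bot: the replacement link in the Caution paragraph points at `http://technet.microsoft.com/library/hh831740.aspx` over plain HTTP; use the `https://` form if the target serves it. The new line also drops the "in the Windows Server 2012 Technical Library" wording along with the duplicated URL, which is a content change rather than a link fix and is worth mentioning in the commit message.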


@ -14,7 +14,7 @@ The term *domain* in this context means a boundary of communications trust inste
For most implementations, an isolated domain will contain the largest number of computers. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones.
You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](cdbe81c3-6dbf-41c2-b003-3ac4fd4e67dd) section.
You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
The GPOs for the isolated domain should contain the following connection security rules and settings.


@ -331,7 +331,7 @@ Use the following procedure if you want to block intranet access for a specific
## <a href="" id="bkmk-links"></a>See also
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md)
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)
 


@ -14,7 +14,7 @@ Reports of targeted attacks against organizations, governments, and individuals
Running a host-based firewall on every computer that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable computer to provide protection when it is away from the organization's network.
A host-based firewall helps secure a computer by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](0c75637e-86b7-4fb3-9910-04c5cf186305), provides the following benefits:
A host-based firewall helps secure a computer by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits:
- Network traffic that is a reply to a request from the local computer is permitted into the computer from the network.
@ -32,7 +32,7 @@ The following component is recommended for this deployment goal:
Other means of deploying a firewall policy are available, such as creating scripts that use the **netsh** command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
**Next: **[Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919)
**Next: **[Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)
 
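
Review bot: on the changed `**Next: **[Restrict Access to Only Trusted Computers](...)` line, the space before the closing `**` stops CommonMark-style renderers from treating the label as bold, so the asterisks can appear literally. Since the line is being edited anyway, write it as `**Next:** [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)`; the same `**Next: **` pattern appears on another changed line in this commit.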


@ -8,9 +8,9 @@ author: brianlic-msft
# Restrict Access to Only Specified Users or Computers
Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919)) prevents computers that are members of the isolated domain from accepting network traffic from untrusted computers. However, some computers on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data.
Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) prevents computers that are members of the isolated domain from accepting network traffic from untrusted computers. However, some computers on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data.
Windows Firewall with Advanced Security enables you to restrict access to computers and users that are members of domain groups authorized to access that computer. These groups are called *network access groups (NAGs)*. When a computer authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple computers in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Computers that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267)).
Windows Firewall with Advanced Security enables you to restrict access to computers and users that are members of domain groups authorized to access that computer. These groups are called *network access groups (NAGs)*. When a computer authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple computers in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Computers that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)).
Restricting access to only users and computers that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations.


@ -23,7 +23,7 @@ The following illustration shows an isolated domain, with one of the zones that
![domain isolation](images/wfas-domainiso.gif)
These goals, which correspond to [Domain Isolation Policy Design](3aa75a74-adef-41e4-bf2d-afccf2c47d46) and [Certificate-based Isolation Policy Design](a706e809-ddf3-42a4-9991-6e5d987ebf38), provide the following benefits:
These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits:
- Computers in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another computer in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication.
@ -45,9 +45,9 @@ These goals also support optional zones that can be created to add customized pr
The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources \[lhs\]](508b3d05-e9c9-4df9-bae4-750d4ad03302).
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md).
**Next: **[Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267)
**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
 


@ -27,7 +27,7 @@ To complete these procedures, you must be a member of the Domain Administrators
**To create a firewall rule that grants access to an isolated server running Windows Server 2008 or later**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](75ccea22-f225-40be-94a9-d0b17170d4fe). You must edit the GPO that applies settings to servers in the isolated server zone.
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone.
2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**.


@ -191,7 +191,7 @@ You might not find the exact answer for the issue, but you can find good hints.
## <a href="" id="bkmk-links"></a>See also
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md)
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)
 


@ -10,19 +10,19 @@ author: brianlic-msft
Designing any deployment starts by performing several important tasks:
- [Identifying Your Windows Firewall with Advanced Security Design Goals](bba6fa3a-2318-4cb7-aa75-f2910d9c406d)
- [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](39bb8fa5-4601-45ae-83c5-121d42f7f82c)
- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
- [Evaluating Windows Firewall with Advanced Security Design Examples](6da09290-8cda-4731-8fce-07fc030f9f4f)
- [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics:
- [Designing A Windows Firewall with Advanced Security Strategy](36230ca4-ee8d-4b2c-ab4f-5492b4400340)
- [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
- [Planning Your Windows Firewall with Advanced Security Design](6622d31d-a62c-4506-8cea-275bf42e755f)
- [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
**Next:**[Identifying Your Windows Firewall with Advanced Security Design Goals](bba6fa3a-2318-4cb7-aa75-f2910d9c406d)
**Next:**[Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
 
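
Review bot: the first list item and the closing **Next:** line keep the link text "Identifying Your Windows Firewall with Advanced Security Design Goals" while the new target is `identifying-your-windows-firewall-with-advanced-security-deployment-goals.md`. If the target topic is titled with "Deployment Goals", update the link text in both places so readers land on the page the text promises.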


@ -26,7 +26,7 @@ Windows PowerShell and netsh command references are at the following locations.
## Scope
This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide.
This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide.
## Audience and user requirements


@ -12,7 +12,7 @@ Windows Firewall with Advanced Security in Windows Server 2012, Windows Server 
The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel meets the needs for protecting a single computer in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security Overview](9ae80ae1-a693-48ed-917a-f03ea92b550d).
For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).
## About this guide
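
Review bot: the sentence that carries the corrected overview link still reads "For more overview information about Windows Firewall with Advanced Security and see [...]", with a stray "and" left in front of "see". As the line is already being changed, fix it to "For more overview information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)."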
@ -132,7 +132,7 @@ The following table identifies and defines terms used throughout this guide.
 
**Next:**[Understanding the Windows Firewall with Advanced Security Design Process](b9774295-8dd3-47e3-9f5a-7fa748ae9fba)
**Next:**[Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
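
Review bot: the changed `**Next:**[Understanding the Windows Firewall with Advanced Security Design Process](...)` line has no space between the bold label and the link, so it renders as "Next:Understanding ...". Add a space after `**Next:**`, and use the same form on the other **Next** lines in this commit, which currently vary between `**Next: **[` and `**Next:**[`.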