mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
fixing links
@ -15,7 +15,7 @@ For GPOs that contain connection security rules that prevent unauthenticated con
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new computers that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude computers that must not receive the GPOs. Use computer groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Computers that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md).
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new computers that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude computers that must not receive the GPOs. Use computer groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Computers that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
Without such a group (or groups), you must either add computers individually or use the groups containing computer accounts that are available to you.
Without such a group (or groups), you must either add computers individually or use the groups containing computer accounts that are available to you.
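Review bot: every changed line in this hunk only drops the `../p_server_archive/` prefix, so the fix assumes the target topic (here `assign-security-group-filters-to-the-gpo.md`) now sits in the same directory as this file; confirm that the move happened in this commit or an earlier one, because a relative link to a missing file gives no build-time error in plain markdown and simply 404s on the rendered page.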
@ -55,7 +55,7 @@ After a computer is a member of the group, you can force a Group Policy refresh
**To refresh Group Policy on a computer**
**To refresh Group Policy on a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command:
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
``` syntax
gpupdate /target:computer /force
gpupdate /target:computer /force
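Review bot: the fence around `gpupdate /target:computer /force` is tagged `syntax`, which is not a language identifier that syntax highlighters recognize; since the surrounding lines are being edited anyway, tagging the block `cmd` (or `console`) would be the conventional choice. The same `syntax` tag appears on the other command blocks in this commit.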
@ -68,7 +68,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to
**To see which GPOs are applied to a computer**
**To see which GPOs are applied to a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command:
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
``` syntax
gpresult /r /scope:computer
gpresult /r /scope:computer
@ -50,7 +50,7 @@ After a computer is a member of the group, you can force a Group Policy refresh
**To refresh Group Policy on a computer**
**To refresh Group Policy on a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command:
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
``` syntax
gpupdate /target:computer /force
gpupdate /target:computer /force
@ -63,7 +63,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to
**To see which GPOs are applied to a computer**
**To see which GPOs are applied to a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command:
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
``` syntax
gpresult /r /scope:computer
gpresult /r /scope:computer
@ -44,7 +44,7 @@ An organization typically uses this design as a first step toward a more compreh
After implementing this design, your administrative team will have centralized management of the firewall rules applied to all computers that are running Windows in your organization.
After implementing this design, your administrative team will have centralized management of the firewall rules applied to all computers that are running Windows in your organization.
**Important**
**Important**
If you also intend to deploy the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md), or the [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
@ -52,17 +52,17 @@ The basic firewall design can be applied to computers that are part of an Active
For more information about this design:
For more information about this design:
- This design coincides with the deployment goal to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md).
- This design coincides with the deployment goal to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md).
- To learn more about this design, see [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md).
- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see "Checklist: Implementing a Basic Firewall Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308.
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see "Checklist: Implementing a Basic Firewall Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308.
**Next: **[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)
**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)
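Review bot: the last changed line keeps `**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)` with a space before the closing `**`; under CommonMark a closing emphasis delimiter cannot be preceded by whitespace, so "Next:" comes out as literal asterisks instead of bold. Suggest `**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)`; the same `**Next: **` pattern recurs in the other "Next" lines touched by this commit.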
@ -21,7 +21,7 @@ The boundary zone GPOs discussed in this guide are only for server versions of W
In the Woodgrove Bank example, only the GPO settings for a Web service on Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 are discussed.
In the Woodgrove Bank example, only the GPO settings for a Web service on Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 are discussed.
- [GPO\_DOMISO\_Boundary\_WS2008](../p_server_archive/gpo-domiso-boundary-ws2008.md)
- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary-ws2008.md)
@ -22,7 +22,7 @@ The goal of this process is to determine whether the risk of adding a computer t
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section.
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
## GPO settings for boundary zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
## GPO settings for boundary zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
@ -49,14 +49,14 @@ The boundary zone GPO for computers running Windows Server 2012, Windows Server
- A registry policy that includes the following values:
- A registry policy that includes the following values:
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
**Note**
**Note**
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
**Next: **[Encryption Zone](../p_server_archive/encryption-zone.md)
**Next: **[Encryption Zone](encryption-zone.md)
@ -8,7 +8,7 @@ author: brianlic-msft
# Certificate-based Isolation Policy Design Example
# Certificate-based Isolation Policy Design Example
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md), [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md).
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
One of the servers that must be included in the domain isolation environment is a computer running UNIX that supplies other information to the WGBank dashboard program running on the client computers. This computer sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the computers that receive this information.
One of the servers that must be included in the domain isolation environment is a computer running UNIX that supplies other information to the WGBank dashboard program running on the client computers. This computer sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the computers that receive this information.
@ -44,7 +44,7 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local computer.
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local computer.
**Next: **[Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md)
**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
@ -8,7 +8,7 @@ author: brianlic-msft
# Certificate-based Isolation Policy Design
# Certificate-based Isolation Policy Design
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) and [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
Domain isolation and server isolation help provide security for the computers on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some computers that must run another operating system, such as Linux or UNIX. These computers cannot join an Active Directory domain, without a third-party package being installed. Also, some computers that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the computer needs to be joined to the Active Directory and (for non-windows computers) support Kerberos as an authentication protocol.
Domain isolation and server isolation help provide security for the computers on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some computers that must run another operating system, such as Linux or UNIX. These computers cannot join an Active Directory domain, without a third-party package being installed. Also, some computers that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the computer needs to be joined to the Active Directory and (for non-windows computers) support Kerberos as an authentication protocol.
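Review bot: the unchanged context line in this hunk reads "the computer needs to be joined to the Active Directory and (for non-windows computers) support Kerberos"; while the file is open, "joined to an Active Directory domain" and "non-Windows" would match the wording and capitalization used in the rest of these topics. Not a blocker for a link-fix commit.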
@ -20,17 +20,17 @@ For computers that run Windows and that are part of an Active Directory domain,
For more information about this design:
For more information about this design:
- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md).
- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see [Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md).
- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md).
- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
- For a list of tasks that you can use to deploy your certificate-based policy design, see "Checklist: Implementing a Certificate-based Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308.
- For a list of tasks that you can use to deploy your certificate-based policy design, see "Checklist: Implementing a Certificate-based Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308.
**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](../p_server_archive/evaluating-windows-firewall-with-advanced-security-design-examples.md)
**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
@ -27,7 +27,7 @@ In this topic:
**To convert a rule from request to require mode for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
**To convert a rule from request to require mode for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Connection Security Rules**.
2. In the navigation pane, click **Connection Security Rules**.
@ -42,7 +42,7 @@ In this topic:
**To apply the modified GPOs to the client computers**
**To apply the modified GPOs to the client computers**
1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md) and run the following command:
1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) and run the following command:
``` syntax
``` syntax
gpupdate /force
gpupdate /force
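Review bot: the command block in this hunk is `gpupdate /force`, whereas the refresh procedures elsewhere in this commit use `gpupdate /target:computer /force`. Both work here, since `/force` without `/target` reapplies computer and user policy, but the step is about a computer-scoped connection security rule, so using the same `/target:computer /force` form would keep the procedures consistent and avoid an unnecessary user-policy refresh.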
@ -32,17 +32,17 @@ This checklist includes tasks for configuring a GPO with firewall defaults and s
<tr class="odd">
<tr class="odd">
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p>Turn the firewall on and set the default inbound and outbound behavior.</p></td>
<td><p>Turn the firewall on and set the default inbound and outbound behavior.</p></td>
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Turn on Windows Firewall and Configure Default Behavior](../p_server_archive/turn-on-windows-firewall-and-configure-default-behavior.md)</p></td>
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)</p></td>
</tr>
</tr>
<tr class="even">
<tr class="even">
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p>Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules.</p></td>
<td><p>Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules.</p></td>
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](../p_server_archive/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)</p></td>
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)</p></td>
</tr>
</tr>
<tr class="odd">
<tr class="odd">
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p>Configure the firewall to record a log file.</p></td>
<td><p>Configure the firewall to record a log file.</p></td>
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Windows Firewall Log](../p_server_archive/configure-the-windows-firewall-log.md)</p></td>
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)</p></td>
</tr>
</tr>
</tbody>
</tbody>
</table>
</table>
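Review bot: the three changed links in this hunk are markdown `[text](file.md)` links placed inside raw HTML `<td><p>` cells; CommonMark does not process inline markdown inside an HTML block, so unless the docs build's markdown engine extends that rule, these will render as literal bracketed text rather than links. Check the rendered checklist page after this change, or switch the cells to plain `<a href="turn-on-windows-firewall-and-configure-default-behavior.md">` anchors so the fix does not depend on engine behaviour. The same applies to the checklist table in the later hunk of this commit.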
@ -8,7 +8,7 @@ author: brianlic-msft
# Checklist: Configuring Rules for an Isolated Server Zone
# Checklist: Configuring Rules for an Isolated Server Zone
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](../p_server_archive/checklist-implementing-a-standalone-server-isolation-policy-design.md).
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or computers who are authenticated members of a network access group (NAG). Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access in IPsec only to computers that are members of the NAG, because IPsec and IKE in those versions of Windows do not support user-based authentication. If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer.
In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or computers who are authenticated members of a network access group (NAG). Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access in IPsec only to computers that are members of the NAG, because IPsec and IKE in those versions of Windows do not support user-based authentication. If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer.
@ -44,37 +44,37 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
<td><p>Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.</p>
<td><p>Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.</p>
<p>Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone.</p></td>
<p>Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone.</p></td>
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.</p></td>
|
<td><p>Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption.</p></td>
|
<td><p>Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the authentication methods to be used.</p></td>
|
<td><p>Configure the authentication methods to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
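Review bot: every link in this hunk is rewritten from `../p_server_archive/<topic>.md` to `<topic>.md`, which assumes each target now lives in the same directory as this checklist. A rendered diff cannot show whether that holds, and a broken relative link looks identical to a working one in this view, so please confirm that the seven targets (copy-a-gpo-to-create-a-new-gpo.md, modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md, the exempt-icmp, configure-key-exchange, configure-data-protection, configure-authentication-methods and create-an-authentication-exemption-list-rule topics) resolve before merging.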
@ -86,27 +86,27 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
|
|||||||
<div>
|
<div>
|
||||||
|
|
||||||
</div></td>
|
</div></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone.</p></td>
|
<td><p>Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG.</p></td>
|
<td><p>Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.</p></td>
|
<td><p>Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
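Review bot: the cell at the top of this hunk closes with an empty `<div>` / `</div></td>` pair (the `<div>` line, a blank line, then `</div></td>`), which looks like a note callout whose body was dropped during conversion. Since the link in that same row (create-an-authentication-request-rule-...md) is being touched, check the source for the missing note text, or drop the empty `<div>` if there was none, rather than leaving an empty container in the table.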
@ -8,7 +8,7 @@ author: brianlic-msft
|
|||||||
# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
|
# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
|
||||||
|
|
||||||
|
|
||||||
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](../p_server_archive/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
|
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
|
||||||
|
|
||||||
The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
|
The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
|
||||||
|
|
||||||
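Review bot: the intro paragraph's link fix is fine, but the paragraph states that isolated servers are "accessible only by users or computers that are authenticated as members of a network access group (NAG)" without the caveat carried as context in the companion checklist earlier in this diff, namely that on Windows 2000, Windows XP and Windows Server 2003 user-based NAG membership is enforced at the application layer rather than by IPsec. Readers of the standalone checklist arrive without the domain-isolation background, so repeat that caveat here or cross-link to it.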
@ -39,38 +39,38 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.</p></td>
|
<td><p>Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)</p>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)</p>
|
||||||
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.</p></td>
|
<td><p>If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the data protection (quick mode) algorithm combinations to be used.</p></td>
|
<td><p>Configure the data protection (quick mode) algorithm combinations to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional.</p></td>
|
<td><p>Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
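Review bot: the second row of this hunk reads "modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended", which is weaker than the companion checklist's wording earlier in this diff ("so that only members of the isolated server zone's membership group that are running the specified version of Windows can read and apply it"). Because this filter is the control that keeps the server-zone GPO from landing on computers outside the zone, suggest aligning the text with the companion row so the expected outcome (read and apply restricted to the zone's membership group) is explicit.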
@ -82,32 +82,32 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
|
|||||||
<div>
|
<div>
|
||||||
|
|
||||||
</div></td>
|
</div></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it.</p></td>
|
<td><p>If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.</p></td>
|
<td><p>Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG.</p></td>
|
<td><p>Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
<td><p>Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
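Review bot: the last row of this hunk says "Be sure to add at least one for each operating system supported by a different GPO in the group", which is missing its noun; the companion checklist earlier in this diff has "at least one server for each operating system supported by a GPO in the group", and this row should match it. The same empty `<div>` / `</div></td>` pair noted in the other checklist also opens this hunk, so the same source check applies here.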
@ -17,7 +17,7 @@ Rules for the boundary zone are typically the same as those for the isolated dom
|
|||||||
|
|
||||||
**Checklist: Configuring boundary zone rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
**Checklist: Configuring boundary zone rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
||||||
|
|
||||||
A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs.
|
A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs.
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
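Review bot: the cross-reference now points at `checklist-implementing-a-domain-isolation-policy-design.md` in the same directory, so this hunk only works if the whole checklist set was moved together; confirm the target exists beside this file. The unchanged caution in the same paragraph ("do not change the rule from request authentication to require authentication") is the security-relevant part of this page and should stay as is: a boundary-zone GPO that required authentication would block the unauthenticated peers the zone exists to accept.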
@ -36,27 +36,27 @@ A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Se
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.</p></td>
|
<td><p>Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.</p></td>
|
<td><p>If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
<td><p>Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.</p></td>
|
<td><p>Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
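Review bot: six links in this table get the identical rewrite (strip `../p_server_archive/`), and the same pattern repeats in the other checklists in this commit, so a single pattern replace across the folder plus an automated link check would be less error-prone than hand edits; one line missed by hand would leave a dangling `../p_server_archive/` reference that is easy to overlook in a table cell. The verify step ("protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted") correctly describes the request-mode behaviour expected of the boundary zone and needs no change.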
@ -14,7 +14,7 @@ Rules for the encryption zone are typically the same as those for the isolated d
|
|||||||
|
|
||||||
**Checklist: Configuring encryption zone rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
**Checklist: Configuring encryption zone rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
||||||
|
|
||||||
A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
|
A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
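Review bot: the intro paragraph says "A GPO ... can simply be copied" and then "You can then copy those GPOs for use with the encryption zone", which states the copy step twice with inconsistent number; consider collapsing to one sentence, for example "Copy the isolated domain GPOs created in [Checklist: Implementing a Domain Isolation Policy Design] for use with the encryption zone." The link itself changes only its path, with the same same-directory assumption as the other checklists in this commit.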
@ -33,32 +33,32 @@ A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Se
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.</p></td>
|
<td><p>Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.</p></td>
|
<td><p>Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add the encryption requirements for the zone.</p></td>
|
<td><p>Add the encryption requirements for the zone.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
<td><p>Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Verify that the connection security rules are protecting network traffic.</p></td>
|
<td><p>Verify that the connection security rules are protecting network traffic.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
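Review bot: the last row ("Verify that the connection security rules are protecting network traffic") links to "Verify That Network Traffic Is Authenticated", but the step two rows earlier changed the main rule to require encryption; as written, a test that confirms authentication alone would pass even if traffic were still sent unencrypted. Suggest the step text read "Verify that the connection security rules are protecting network traffic with both authentication and encryption" so the tester knows what to look for in the monitoring view. The link path rewrites in this hunk are consistent with the rest of the commit.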
@ -37,58 +37,58 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.</p></td>
|
<td><p>Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)</p>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)</p>
|
||||||
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.</p></td>
|
<td><p>If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the data protection (quick mode) algorithm combinations to be used.</p></td>
|
<td><p>Configure the data protection (quick mode) algorithm combinations to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the authentication methods to be used.</p></td>
|
<td><p>Configure the authentication methods to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the rule that requests authentication for all inbound network traffic.</p></td>
|
<td><p>Create the rule that requests authentication for all inbound network traffic.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the AD DS organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the AD DS organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
<td><p>Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Verify that the connection security rules are protecting network traffic to and from the test computers.</p></td>
|
<td><p>Verify that the connection security rules are protecting network traffic to and from the test computers.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
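Review bot: in the first row, the "Copy a GPO to Create a New GPO" link is shown with the `bc6cea1a-...` "Checklist topic" icon, while the boundary and encryption checklists in this same commit show that page with the `15dd35b6-...` "Procedure topic" icon; since this line is being touched anyway, use the "Procedure topic" icon here for consistency. Otherwise the hunk only strips `../p_server_archive/` from the nine procedure links, and the step order (ICMP exemption, exemption list, main mode, quick mode, authentication methods, then the request rule) is unchanged.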
@ -43,44 +43,44 @@ You can also use a membership group for one zone as an exclusion group for anoth
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.</p></td>
|
<td><p>Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
||||||
<p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md)</p></td>
|
<p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO.</p>
|
<td><p>Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO.</p>
|
||||||
<p>If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter.</p></td>
|
<p>If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a GPO for each version of Windows that has different implementation requirements.</p></td>
|
<td><p>Create a GPO for each version of Windows that has different implementation requirements.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Policy Object](../p_server_archive/create-a-group-policy-object.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create a Group Policy Object](create-a-group-policy-object.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group.</p></td>
|
<td><p>Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create WMI filters to limit each GPO to only the computers that match the criteria in the filter.</p></td>
|
<td><p>Create WMI filters to limit each GPO to only the computers that match the criteria in the filter.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create WMI Filters for the GPO](../p_server_archive/create-wmi-filters-for-the-gpo.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.</p></td>
|
<td><p>If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group.</p></td>
|
<td><p>Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
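Review bot: dropping the `../p_server_archive/` prefix makes every link in this hunk (for example `[Create a Group Policy Object](create-a-group-policy-object.md)` and `[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)`) resolve relative to the checklist's own directory, which only works if each target `.md` file now lives beside it; run a link check over the referenced filenames before merging, because a stale relative path looks identical to a good one in this diff and is easy to miss in review.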
@ -32,27 +32,27 @@ This checklist includes tasks for creating firewall rules in your GPOs.
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires.</p></td>
|
<td><p>Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that allows inbound network traffic on a specified port number.</p></td>
|
<td><p>Create a rule that allows inbound network traffic on a specified port number.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that allows inbound ICMP network traffic.</p></td>
|
<td><p>Create a rule that allows inbound ICMP network traffic.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create rules that allow inbound RPC network traffic.</p></td>
|
<td><p>Create rules that allow inbound RPC network traffic.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.</p></td>
|
<td><p>Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
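Review bot: the RPC row keeps a doubled hyphen in its target, `create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md`, while the neighbouring rows use a single hyphen between each Windows name; since this change only strips the directory prefix, confirm the file really exists under that exact name in the new location, and if the double hyphen is a typo, rename the file and the link together rather than leaving one side to drift.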
@ -34,17 +34,17 @@ By default, in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windo
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that allows a program to send any outbound network traffic on any port it requires.</p></td>
|
<td><p>Create a rule that allows a program to send any outbound network traffic on any port it requires.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that allows outbound network traffic on a specified port number.</p></td>
|
<td><p>Create a rule that allows outbound network traffic on a specified port number.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.</p></td>
|
<td><p>Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
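Review bot: the link text in this hunk is inconsistent with the other checklists: the program and port rows read `Windows Server 2008 or Windows Server 2008 R2` with no comma before `or`, while the predefined-rules row and the inbound checklist use `Windows Server 2008, or Windows Server 2008 R2`; the paths are correct as changed, but since these rows are being touched anyway, normalising the serial comma here would keep the tables matching.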
@ -37,53 +37,53 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.</p></td>
|
<td><p>Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)</p>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)</p>
|
||||||
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.</p></td>
|
<td><p>To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
<td><p>Configure IPsec to exempt all ICMP network traffic from IPsec protection.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
<td><p>Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
<td><p>Configure the key exchange (main mode) security methods and algorithms to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the data protection (quick mode) algorithm combinations to be used.</p></td>
|
<td><p>Configure the data protection (quick mode) algorithm combinations to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the authentication methods to be used.</p></td>
|
<td><p>Configure the authentication methods to be used.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.</p></td>
|
<td><p>Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
<td><p>Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
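Review bot: two targets in this hunk carry doubled hyphens around the parenthesised mode name, the `--main-mode--` segment in the key-exchange row and the `--quick-mode--` segment in the data-protection row, which is how the `(Main Mode)` and `(Quick Mode)` titles were slugified; verify those exact filenames exist beside this checklist after the move, because the prefix-only edit assumes them. A smaller point: `Copy a GPO to Create a New GPO` and `Modify GPO Filters to Apply to a Different Zone or Version of Windows` are shown with the `Checklist topic` icon here, whereas the GPO-creation checklist earlier in this commit marks the same `Modify GPO Filters` topic with the `Procedure topic` icon; worth aligning while the rows are open.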
@ -36,51 +36,51 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization.</p></td>
|
<td><p>Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization.</p></td>
|
||||||
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Basic Firewall Policy Design](basic-firewall-policy-design.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Firewall Policy Design Example](firewall-policy-design-example.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md)</p></td>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the membership group and a GPO for each set of computers that require different firewall rules. Where GPOs will be similar, such as for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy.</p></td>
|
<td><p>Create the membership group and a GPO for each set of computers that require different firewall rules. Where GPOs will be similar, such as for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)</p>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)</p>
|
||||||
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
<p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the computers for which this GPO is intended.</p></td>
|
<td><p>If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the computers for which this GPO is intended.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the GPO with firewall default settings appropriate for your design.</p></td>
|
<td><p>Configure the GPO with firewall default settings appropriate for your design.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Basic Firewall Settings](../p_server_archive/checklist-configuring-basic-firewall-settings.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create one or more inbound firewall rules to allow unsolicited inbound network traffic.</p></td>
|
<td><p>Create one or more inbound firewall rules to allow unsolicited inbound network traffic.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Inbound Firewall Rules](../p_server_archive/checklist-creating-inbound-firewall-rules.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create one or more outbound firewall rules to block unwanted outbound network traffic.</p></td>
|
<td><p>Create one or more outbound firewall rules to block unwanted outbound network traffic.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Outbound Firewall Rules](../p_server_archive/checklist-creating-outbound-firewall-rules.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
<td><p>Link the GPO to the domain level of the Active Directory organizational unit hierarchy.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Add test computers to the membership group, and then confirm that the computers receive the firewall rules from the GPOs as expected.</p></td>
|
<td><p>Add test computers to the membership group, and then confirm that the computers receive the firewall rules from the GPOs as expected.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy the completed firewall policy settings to your computers.</p></td>
|
<td><p>According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy the completed firewall policy settings to your computers.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
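Review bot: only the `.md` targets in this table lose the `../p_server_archive/` prefix, while the `images/wfas-icon-checkbox.gif`, `images/bc6cea1a-...gif` and `images/15dd35b6-...gif` paths are left untouched. Both kinds of path resolve relative to the topic's own location, so either the topic did not move and each target such as `checklist-creating-group-policy-objects.md` and `copy-a-gpo-to-create-a-new-gpo.md` needs to be confirmed to sit beside this file rather than in `p_server_archive`, or it did move and the image paths need the same treatment. A link-validation pass over the rendered output would settle both cases before merge.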
@ -36,30 +36,30 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.</p></td>
|
<td><p>Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.</p></td>
|
||||||
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md)</p></td>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.</p></td>
|
<td><p>Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Install Active Directory Certificate Services](../p_server_archive/install-active-directory-certificate-services.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Install Active Directory Certificate Services](install-active-directory-certificate-services.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure the certificate template for workstation authentication certificates.</p></td>
|
<td><p>Configure the certificate template for workstation authentication certificates.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Workstation Authentication Certificate Template](../p_server_archive/configure-the-workstation-authentication-certificate-templatewfas-dep.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Configure Group Policy to automatically deploy certificates based on your template to workstation computers.</p></td>
|
<td><p>Configure Group Policy to automatically deploy certificates based on your template to workstation computers.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Group Policy to Autoenroll and Deploy Certificates](../p_server_archive/configure-group-policy-to-autoenroll-and-deploy-certificates.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>On a test computer, refresh Group Policy and confirm that the certificate is installed.</p></td>
|
<td><p>On a test computer, refresh Group Policy and confirm that the certificate is installed.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Confirm That Certificates Are Deployed Correctly](../p_server_archive/confirm-that-certificates-are-deployed-correctly.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
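Review bot: the target `configure-the-workstation-authentication-certificate-templatewfas-dep.md` (identical in the old and the new link) is missing the hyphen between `template` and `wfas`, unlike every other filename in this table. The prefix fix preserves it faithfully, so please confirm that the file on disk really carries that name; if it does not, this row will still be a broken link after the change.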
@ -38,40 +38,40 @@ For more information about the security algorithms and authentication methods av
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.</p></td>
|
<td><p>Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.</p></td>
|
||||||
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Domain Isolation Policy Design](domain-isolation-policy-design.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md)</p></td>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the GPOs and connection security rules for the isolated domain.</p></td>
|
<td><p>Create the GPOs and connection security rules for the isolated domain.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for the Isolated Domain](../p_server_archive/checklist-configuring-rules-for-the-isolated-domain.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the GPOs and connection security rules for the boundary zone.</p></td>
|
<td><p>Create the GPOs and connection security rules for the boundary zone.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for the Boundary Zone](../p_server_archive/checklist-configuring-rules-for-the-boundary-zone.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the GPOs and connection security rules for the encryption zone.</p></td>
|
<td><p>Create the GPOs and connection security rules for the encryption zone.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for the Encryption Zone](../p_server_archive/checklist-configuring-rules-for-the-encryption-zone.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the GPOs and connection security rules for the isolated server zone.</p></td>
|
<td><p>Create the GPOs and connection security rules for the isolated server zone.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for an Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-an-isolated-server-zone.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.</p></td>
|
<td><p>According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.</p></td>
|
<td><p>After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
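Review bot: the last row states its precondition as "After you confirm that network traffic is authenticated by IPsec", but no earlier row in this checklist points to a procedure for doing that confirmation, whereas the standalone server isolation checklist in this same commit has a "Verify That Network Traffic Is Authenticated" row before its request-to-require step. Consider adding the same row here, between "Add Production Computers to the Membership Group for a Zone" and "Change Rules from Request to Require Mode", so readers are not told to confirm something the checklist never shows them how to verify.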
@ -8,7 +8,7 @@ author: brianlic-msft
|
|||||||
# Checklist: Implementing a Standalone Server Isolation Policy Design
|
# Checklist: Implementing a Standalone Server Isolation Policy Design
|
||||||
|
|
||||||
|
|
||||||
This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-an-isolated-server-zone.md).
|
This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
|
||||||
|
|
||||||
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
|
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
|
||||||
|
|
||||||
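Review bot: the unchanged context sentence "This parent checklist includes cross-reference links to important concepts about the domain isolation policy design." sits under the heading "Checklist: Implementing a Standalone Server Isolation Policy Design" and directly after an intro describing a server isolation design that is not part of an isolated domain. It reads as a copy from the domain isolation checklist and should say "server isolation policy design"; since the surrounding lines are already in this hunk, the one-word fix is cheap to include.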
@ -38,35 +38,35 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.</p></td>
|
<td><p>Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.</p></td>
|
||||||
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
<td><p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Server Isolation Policy Design](server-isolation-policy-design.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md)</p>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)</p>
|
||||||
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md)</p></td>
|
<p><img src="images/faa393df-4856-4431-9eda-4f4e5be72a90.gif" alt="Conceptual topic" />[Planning Server Isolation Zones](planning-server-isolation-zones.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the GPOs and connection security rules for isolated servers.</p></td>
|
<td><p>Create the GPOs and connection security rules for isolated servers.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Create the GPOs and connection security rules for the client computers that must connect to the isolated servers.</p></td>
|
<td><p>Create the GPOs and connection security rules for the client computers that must connect to the isolated servers.</p></td>
|
||||||
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](../p_server_archive/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)</p></td>
|
<td><p><img src="images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif" alt="Checklist topic" />[Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>Verify that the connection security rules are protecting network traffic on your test computers.</p></td>
|
<td><p>Verify that the connection security rules are protecting network traffic on your test computers.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it.</p></td>
|
<td><p>After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
<td><p><img src="images/wfas-icon-checkbox.gif" alt="_" /></p></td>
|
||||||
<td><p>According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings.</p></td>
|
<td><p>According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings.</p></td>
|
||||||
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
<td><p><img src="images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif" alt="Procedure topic" />[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
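Review bot: the step order here differs from the domain isolation checklist in this same commit. Here "Change Rules from Request to Require Mode" (row 5) comes before "Add Production Computers to the Membership Group for a Zone" (row 6), while the domain isolation checklist adds production computers first and switches to require mode last. If the servers start requiring authentication before the production client computers are in the membership group that delivers their connection security rules, those clients cannot connect until the GPO reaches them; please confirm the ordering is intentional for the standalone design and, if so, say so in the row text, otherwise align it with the other checklist.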
@ -21,7 +21,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To configure authentication methods**
|
**To configure authentication methods**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
||||||
|
|
||||||
|
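Review bot: this hunk and the three that follow each repair the same link, "[Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)", as step 1 of a separate procedure. That is four identical edits for one target; if the docs toolchain supports shared includes or snippets, moving this step into one makes the next path change a single edit and removes the risk of one copy being missed.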
@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To configure quick mode settings**
|
**To configure quick mode settings**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To configure key exchange settings**
|
**To configure key exchange settings**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
|
|||||||
|
|
||||||
**To modify an authentication request rule to also require encryption**
|
**To modify an authentication request rule to also require encryption**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Connection Security Rules**.
|
2. In the navigation pane, click **Connection Security Rules**.
|
||||||
|
|
||||||
@ -36,14 +36,14 @@ To complete this procedure, you must be a member of the Domain Administrators gr
|
|||||||
|
|
||||||
This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client computers will use to connect to members of the encryption zone. The client computers receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client computers in that zone will not be able to connect to computers in this zone.
|
This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client computers will use to connect to members of the encryption zone. The client computers receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client computers in that zone will not be able to connect to computers in this zone.
|
||||||
|
|
||||||
10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md).
|
10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md).
|
||||||
|
|
||||||
**Note**
|
**Note**
|
||||||
Not all of the algorithms available in Windows 8 or Windows Server 2012 can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
|
Not all of the algorithms available in Windows 8 or Windows Server 2012 can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
|
||||||
|
|
||||||
Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell.
|
Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell.
|
||||||
|
|
||||||
For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
|
For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
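Review bot: the rewritten line `For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)` still lacks a terminating period, unlike the other sentences in this note; since the line is already being touched, add the period. The unchanged context line above it, "the GPO for the zone to which they reside", should also read "in which they reside".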
@ -23,7 +23,7 @@ In this topic:
|
|||||||
|
|
||||||
**To configure Windows Firewall logging for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
**To configure Windows Firewall logging for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
|
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@ In this topic:
|
|||||||
|
|
||||||
**To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2**
|
**To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
|
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@ In this topic:
|
|||||||
|
|
||||||
**To refresh Group Policy on a computer**
|
**To refresh Group Policy on a computer**
|
||||||
|
|
||||||
- On a computer running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command:
|
- On a computer running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
|
||||||
|
|
||||||
``` syntax
|
``` syntax
|
||||||
gpupdate /target:computer /force
|
gpupdate /target:computer /force
|
||||||
|
@ -21,7 +21,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To create a rule that exempts specified hosts from authentication**
|
**To create a rule that exempts specified hosts from authentication**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Connection Security Rules**.
|
2. In the navigation pane, click **Connection Security Rules**.
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
|
|||||||
|
|
||||||
**To create the authentication request rule**
|
**To create the authentication request rule**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**.
|
2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**.
|
||||||
|
|
||||||
@ -31,7 +31,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
|
|||||||
|
|
||||||
5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP), which is supported only on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2.
|
5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP), which is supported only on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2.
|
||||||
|
|
||||||
1. **Default**. Selecting this option tells the computer to request authentication by using the method currently defined as the default on the computer. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) procedure.
|
1. **Default**. Selecting this option tells the computer to request authentication by using the method currently defined as the default on the computer. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) procedure.
|
||||||
|
|
||||||
2. **Computer and User (Kerberos V5)**. Selecting this option tells the computer to request authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
|
2. **Computer and User (Kerberos V5)**. Selecting this option tells the computer to request authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
|
||||||
|
|
||||||
|
@ -16,13 +16,13 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see:
|
This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see:
|
||||||
|
|
||||||
- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
**To create an inbound ICMP rule**
|
**To create an inbound ICMP rule**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Inbound Rules**.
|
2. In the navigation pane, click **Inbound Rules**.
|
||||||
|
|
||||||
|
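Review bot: the RPC link target `create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md` has a double hyphen between `windows-7` and `windows-vista`, while every other target filename in this commit separates the OS names with a single hyphen; confirm that the file on disk really carries the double hyphen, otherwise this link (and the identical one in the Create an Inbound Port Rule hunk below) stays broken even after the path fix.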
@ -16,13 +16,13 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see:
|
This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see:
|
||||||
|
|
||||||
- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
**To create an inbound port rule**
|
**To create an inbound port rule**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Inbound Rules**.
|
2. In the navigation pane, click **Inbound Rules**.
|
||||||
|
|
||||||
@ -38,7 +38,7 @@ This topic describes how to create a standard port rule for a specified protocol
|
|||||||
5. On the **Program** page, click **All programs**, and then click **Next**.
|
5. On the **Program** page, click **All programs**, and then click **Next**.
|
||||||
|
|
||||||
**Note**
|
**Note**
|
||||||
This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
|
This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ author: brianlic-msft
|
|||||||
To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
|
To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
|
||||||
|
|
||||||
**Note**
|
**Note**
|
||||||
This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure.
|
This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
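Review bot: the note in this hunk opens with "This type of rule is often combined with a program or service rule", but the topic itself (first context line: "To allow inbound network traffic to a specified program or service ...") describes the program or service rule, and the sentence goes on to link to the inbound port rule procedure. The wording looks copied from the port-rule topic; it should read "combined with a port rule" so that it matches the link this commit is fixing.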
@ -21,7 +21,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To create an inbound firewall rule for a program or service**
|
**To create an inbound firewall rule for a program or service**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Inbound Rules**.
|
2. In the navigation pane, click **Inbound Rules**.
|
||||||
|
|
||||||
@ -61,7 +61,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). After you have configured the protocol and port options, click **Next**.
|
8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). After you have configured the protocol and port options, click **Next**.
|
||||||
|
|
||||||
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
|
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To create an outbound port rule**
|
**To create an outbound port rule**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Outbound Rules**.
|
2. In the navigation pane, click **Outbound Rules**.
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To create an outbound firewall rule for a program or service**
|
**To create an outbound firewall rule for a program or service**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Outbound Rules**.
|
2. In the navigation pane, click **Outbound Rules**.
|
||||||
|
|
||||||
@ -41,7 +41,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**.
|
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**.
|
||||||
|
|
||||||
8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). When you have configured the protocol and port options, click **Next**.
|
8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). When you have configured the protocol and port options, click **Next**.
|
||||||
|
|
||||||
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
|
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
|
||||||
|
|
||||||
|
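Review bot: the link text `Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2` omits the comma before "or" that every other topic title on this page uses ("Windows Server 2008, or Windows Server 2008 R2"); while the line is being edited, align it with the other link titles.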
@ -16,9 +16,9 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see:
|
This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see:
|
||||||
|
|
||||||
- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
In this topic:
|
In this topic:
|
||||||
|
|
||||||
@ -31,7 +31,7 @@ In this topic:
|
|||||||
|
|
||||||
**To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service**
|
**To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Inbound Rules**.
|
2. In the navigation pane, click **Inbound Rules**.
|
||||||
|
|
||||||
|
@ -10,9 +10,9 @@ author: brianlic-msft
|
|||||||
|
|
||||||
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the computers on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the computers.
|
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the computers on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the computers.
|
||||||
|
|
||||||
- [Gathering the Information You Need](../p_server_archive/gathering-the-information-you-need.md)
|
- [Gathering the Information You Need](gathering-the-information-you-need.md)
|
||||||
|
|
||||||
- [Determining the Trusted State of Your Computers](../p_server_archive/determining-the-trusted-state-of-your-computers.md)
|
- [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md)
|
||||||
|
|
||||||
The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.
|
The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.
|
||||||
|
|
||||||
@ -46,9 +46,9 @@ Computers running Windows XP and Windows Server 2003 will not be able to partici
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems, starting with Windows Vista and Windows Server 2008. Windows XP and Windows Server 2003 are not discussed in this guide. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
|
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems, starting with Windows Vista and Windows Server 2008. Windows XP and Windows Server 2003 are not discussed in this guide. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
|
||||||
|
|
||||||
**Next: **[Gathering the Information You Need](../p_server_archive/gathering-the-information-you-need.md)
|
**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
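Review bot: `**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)` keeps a space inside the closing `**`, which CommonMark does not accept as a bold closer, so the line renders with literal asterisks; since the line is already being touched, write it as `**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)`, the form the Server Isolation Policy Design page in this same commit already uses. The same spacing recurs in the other `Next:` lines of this commit. Separately, the touched paragraph says Windows XP and Windows Server 2003 "are not discussed in this guide" and then that "Details can be found in the section ... later in this guide", which reads as a contradiction; say what the linked section actually covers for those versions.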
@ -115,7 +115,7 @@ The final step in this part of the process is to record the approximate cost of
|
|||||||
|
|
||||||
- What is the projected cost or impact of making the proposed changes to enable the computer to achieve a trusted state?
|
- What is the projected cost or impact of making the proposed changes to enable the computer to achieve a trusted state?
|
||||||
|
|
||||||
By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular computer or group of computers into the scope of the project. It is important to remember that the state of a computer is transitive, and that by performing the listed remedial actions you can change the state of a computer from untrusted to trusted. After you decide whether to place a computer in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) discusses.
|
By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular computer or group of computers into the scope of the project. It is important to remember that the state of a computer is transitive, and that by performing the listed remedial actions you can change the state of a computer from untrusted to trusted. After you decide whether to place a computer in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses.
|
||||||
|
|
||||||
The following table is an example of a data sheet that you could use to help capture the current state of a computer and what would be required for the computer to achieve a trusted state.
|
The following table is an example of a data sheet that you could use to help capture the current state of a computer and what would be required for the computer to achieve a trusted state.
|
||||||
|
|
||||||
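Review bot: in the touched paragraph, "the state of a computer is transitive" is the wrong word for what the sentence means, namely that the state can change once the listed remedial actions are performed; "transient" or "not permanent" fits, and a link-only edit of this line is a cheap moment to correct it.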
@ -164,7 +164,7 @@ In the previous table, the computer CLIENT001 is currently "known, untrusted" be
|
|||||||
|
|
||||||
The computer SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs.
|
The computer SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs.
|
||||||
|
|
||||||
With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) section.
|
With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
|
||||||
|
|
||||||
The costs identified in this section only capture the projected cost of the computer upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
|
The costs identified in this section only capture the projected cost of the computer upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
|
||||||
|
|
||||||
@ -172,7 +172,7 @@ For more information about how to configure firewalls to support IPsec, see "Con
|
|||||||
|
|
||||||
For more information about WMI, see "Windows Management Instrumentation" at <http://go.microsoft.com/fwlink/?linkid=110483>.
|
For more information about WMI, see "Windows Management Instrumentation" at <http://go.microsoft.com/fwlink/?linkid=110483>.
|
||||||
|
|
||||||
**Next: **[Planning Your Windows Firewall with Advanced Security Design](../p_server_archive/planning-your-windows-firewall-with-advanced-security-design.md)
|
**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ author: brianlic-msft
|
|||||||
# Documenting the Zones
|
# Documenting the Zones
|
||||||
|
|
||||||
|
|
||||||
Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here:
|
Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here:
|
||||||
|
|
||||||
<table style="width:100%;">
|
<table style="width:100%;">
|
||||||
<colgroup>
|
<colgroup>
|
||||||
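Review bot: the first mention of Designing a Windows Firewall with Advanced Security Strategy becomes a relative link, but the second mention in the same paragraph ("the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section") stays plain text; either link both or shorten the second to "that section" so readers know which mention is navigable.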
@ -73,7 +73,7 @@ Generally, the task of determining zone membership is not complex, but it can be
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Next: **[Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md)
|
**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ author: brianlic-msft
|
|||||||
# Domain Isolation Policy Design Example
|
# Domain Isolation Policy Design Example
|
||||||
|
|
||||||
|
|
||||||
This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.
|
This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.
|
||||||
|
|
||||||
## Design Requirements
|
## Design Requirements
|
||||||
|
|
||||||
@ -29,7 +29,7 @@ The following illustration shows the traffic protection needed for this design e
|
|||||||
|
|
||||||
**Other traffic notes:**
|
**Other traffic notes:**
|
||||||
|
|
||||||
- All of the design requirements described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section are still enforced.
|
- All of the design requirements described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced.
|
||||||
|
|
||||||
## Design Details
|
## Design Details
|
||||||
|
|
||||||
@ -53,7 +53,7 @@ If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Window
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Next: **[Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md)
|
**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@ author: brianlic-msft
|
|||||||
|
|
||||||
In the domain isolation policy design, you configure the computers on your network to accept only connections coming from computers that are authenticated as members of the same isolated domain.
|
In the domain isolation policy design, you configure the computers on your network to accept only connections coming from computers that are authenticated as members of the same isolated domain.
|
||||||
|
|
||||||
This design typically begins with a network configured as described in the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure computers in the isolated domain to accept only network traffic from other computers that can authenticate as a member of the isolated domain. After implementing the new rules, your computers reject unsolicited network traffic from computers that are not members of the isolated domain.
|
This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure computers in the isolated domain to accept only network traffic from other computers that can authenticate as a member of the isolated domain. After implementing the new rules, your computers reject unsolicited network traffic from computers that are not members of the isolated domain.
|
||||||
|
|
||||||
The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them.
|
The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them.
|
||||||
|
|
||||||
@ -22,7 +22,7 @@ The design is shown in the following illustration, with the arrows that show the
|
|||||||
|
|
||||||
Characteristics of this design, as shown in the diagram, include the following:
|
Characteristics of this design, as shown in the diagram, include the following:
|
||||||
|
|
||||||
- Isolated domain (area A) - Computers in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from computers referenced in authentication exemption rules. Computers in the isolated domain can send traffic to any computer. This includes unauthenticated traffic to computers that are not in the isolated domain. Computers that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more information, see the [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md).
|
- Isolated domain (area A) - Computers in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from computers referenced in authentication exemption rules. Computers in the isolated domain can send traffic to any computer. This includes unauthenticated traffic to computers that are not in the isolated domain. Computers that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more information, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md).
|
||||||
|
|
||||||
- Boundary zone (area B) - Computers in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted computers, such as clients on the Internet.
|
- Boundary zone (area B) - Computers in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted computers, such as clients on the Internet.
|
||||||
|
|
||||||
@ -37,27 +37,27 @@ Characteristics of this design, as shown in the diagram, include the following:
|
|||||||
After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the computers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista in your organization.
|
After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the computers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista in your organization.
|
||||||
|
|
||||||
**Important**
|
**Important**
|
||||||
This design builds on the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.
|
This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
This design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules.
|
This design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules.
|
||||||
|
|
||||||
In order to expand the isolated domain to include computers that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md).
|
In order to expand the isolated domain to include computers that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md).
|
||||||
|
|
||||||
For more information about this design:
|
For more information about this design:
|
||||||
|
|
||||||
- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md).
|
- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
|
||||||
|
|
||||||
- To learn more about this design, see the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md).
|
- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md).
|
||||||
|
|
||||||
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md).
|
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
|
||||||
|
|
||||||
- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md).
|
- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md).
|
||||||
|
|
||||||
- For a list of tasks that you can use to deploy your domain isolation policy design, see "Checklist: Implementing a Domain Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxxx.
|
- For a list of tasks that you can use to deploy your domain isolation policy design, see "Checklist: Implementing a Domain Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxxx.
|
||||||
|
|
||||||
**Next:** [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)
|
**Next:** [Server Isolation Policy Design](server-isolation-policy-design.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
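Review bot: the deployment guide link in this hunk, `http://go.microsoft.com/fwlink/?linkid=xxxxx`, is a placeholder carried over unchanged from the old side, and the same placeholder is repeated as plain text after the link; for a commit titled "fixing links" this is the one target a reader is certain to find broken, so either resolve the real fwlink or mark the item as pending. Note that `**Next:** [Server Isolation Policy Design](server-isolation-policy-design.md)` here is the correctly closed bold form that the other `Next:` lines in this commit should match.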
@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To deploy predefined firewall rules that allow inbound network traffic for common network functions**
|
**To deploy predefined firewall rules that allow inbound network traffic for common network functions**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Inbound Rules**.
|
2. In the navigation pane, click **Inbound Rules**.
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To deploy predefined firewall rules that block outbound network traffic for common network functions**
|
**To deploy predefined firewall rules that block outbound network traffic for common network functions**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the navigation pane, click **Outbound Rules**.
|
2. In the navigation pane, click **Outbound Rules**.
|
||||||
|
|
||||||
|
@ -12,7 +12,7 @@ Handle encryption zones in a similar manner to the boundary zones. A computer is
|
|||||||
|
|
||||||
The GPO is only for server versions of Windows. Client computers are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows.
|
The GPO is only for server versions of Windows. Client computers are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows.
|
||||||
|
|
||||||
- [GPO\_DOMISO\_Encryption\_WS2008](../p_server_archive/gpo-domiso-encryption-ws2008.md)
|
- [GPO\_DOMISO\_Encryption\_WS2008](gpo-domiso-encryption-ws2008.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@ To support the additional security requirements of these servers, we recommend t
|
|||||||
|
|
||||||
You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols.
|
You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols.
|
||||||
|
|
||||||
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section.
|
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
|
||||||
|
|
||||||
## GPO settings for encryption zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
|
## GPO settings for encryption zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
|
||||||
|
|
||||||
@ -46,16 +46,16 @@ The GPO for computers that are running Windows Server 2012, Windows Server 2008
|
|||||||
|
|
||||||
- A registry policy that includes the following values:
|
- A registry policy that includes the following values:
|
||||||
|
|
||||||
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
|
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
|
||||||
|
|
||||||
**Note**
|
**Note**
|
||||||
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
|
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- If domain member computers must communicate with computers in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
|
- If domain member computers must communicate with computers in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
|
||||||
|
|
||||||
**Next: **[Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md)
|
**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
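Review bot: the `**Note**` line sits directly above its body text with no blank line or blockquote marker, so markdown renders "**Note** For a sample template for these registry settings, see ..." as one paragraph and the callout is lost; put the label and body in a blockquote, or at least add the blank line the renderer needs. The `**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)` line has a space before the closing `**`, so it will not render as bold either; `**Next:** [...]` fixes it.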
@ -21,7 +21,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
|
|||||||
|
|
||||||
**To exempt ICMP network traffic from authentication**
|
**To exempt ICMP network traffic from authentication**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
|
||||||
|
|
||||||
|
@ -40,9 +40,9 @@ To keep the number of exemptions as small as possible, you have several options:
|
|||||||
|
|
||||||
- Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address.
|
- Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address.
|
||||||
|
|
||||||
As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](../p_server_archive/boundary-zone.md) section.
|
As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
|
||||||
|
|
||||||
**Next: **[Isolated Domain](../p_server_archive/isolated-domain.md)
|
**Next: **[Isolated Domain](isolated-domain.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
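Review bot: the bullet that recommends consolidating exempted servers on an exempted subnet should state explicitly that a subnet-level exemption then applies to every host placed on that subnet, not only to the servers it was created for, so the subnet itself becomes something to control; the following paragraph's "formal process to approve hosts being added to the exemption list" is the natural hook for that sentence.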
@ -12,7 +12,7 @@ All the computers on Woodgrove Bank's network that run Windows are part of the i
|
|||||||
|
|
||||||
The GPO created for the example Woodgrove Bank scenario include the following:
|
The GPO created for the example Woodgrove Bank scenario include the following:
|
||||||
|
|
||||||
- [GPO\_DOMISO\_Firewall](../p_server_archive/gpo-domiso-firewall.md)
|
- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
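Review bot: "The GPO created for the example Woodgrove Bank scenario include the following:" has a number mismatch; the line introduces a list of GPOs, so it should read "The GPOs created for the example Woodgrove Bank scenario include the following:".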
@ -96,7 +96,7 @@ The following groups were created by using the Active Directory Users and Comput
|
|||||||
|
|
||||||
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most computers on the network, you might consider adding computers performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
|
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most computers on the network, you might consider adding computers performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
|
||||||
|
|
||||||
**Next: **[Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md)
|
**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ Active Directory is another important item about which you must gather informati
|
|||||||
|
|
||||||
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to computers running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable computers using either the old or new IPsec policies to communicate with each other.
|
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to computers running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable computers using either the old or new IPsec policies to communicate with each other.
|
||||||
|
|
||||||
**Next: **[Gathering Information about Your Computers](../p_server_archive/gathering-information-about-your-computers.md)
|
**Next: **[Gathering Information about Your Computers](gathering-information-about-your-computers.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -46,7 +46,7 @@ Whether you use an automatic, manual, or hybrid option to gather the information
|
|||||||
|
|
||||||
This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design.
|
This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design.
|
||||||
|
|
||||||
**Next: **[Gathering Other Relevant Information](../p_server_archive/gathering-other-relevant-information.md)
|
**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -116,7 +116,7 @@ Some of the more common applications and protocols are as follows:
|
|||||||
|
|
||||||
- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between computers by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
|
- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between computers by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
|
||||||
|
|
||||||
**Next: **[Gathering Information about Your Active Directory Deployment](../p_server_archive/gathering-information-about-your-active-directory-deployment.md)
|
**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -79,7 +79,7 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne
|
|||||||
|
|
||||||
Network Monitor is available as a free download from Microsoft at <http://go.microsoft.com/fwlink/?linkid=94770>.
|
Network Monitor is available as a free download from Microsoft at <http://go.microsoft.com/fwlink/?linkid=94770>.
|
||||||
|
|
||||||
**Next: **[Determining the Trusted State of Your Computers](../p_server_archive/determining-the-trusted-state-of-your-computers.md)
|
**Next: **[Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -12,13 +12,13 @@ Before starting the planning process for a Windows Firewall with Advanced Securi
|
|||||||
|
|
||||||
Review each of the following topics for guidance about the kinds of information that you must gather:
|
Review each of the following topics for guidance about the kinds of information that you must gather:
|
||||||
|
|
||||||
- [Gathering Information about Your Current Network Infrastructure](../p_server_archive/gathering-information-about-your-current-network-infrastructure.md)
|
- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
|
||||||
|
|
||||||
- [Gathering Information about Your Active Directory Deployment](../p_server_archive/gathering-information-about-your-active-directory-deployment.md)
|
- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
|
||||||
|
|
||||||
- [Gathering Information about Your Computers](../p_server_archive/gathering-information-about-your-computers.md)
|
- [Gathering Information about Your Computers](gathering-information-about-your-computers.md)
|
||||||
|
|
||||||
- [Gathering Other Relevant Information](../p_server_archive/gathering-other-relevant-information.md)
|
- [Gathering Other Relevant Information](gathering-other-relevant-information.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authen
|
|||||||
## Registry settings
|
## Registry settings
|
||||||
|
|
||||||
|
|
||||||
The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md).
|
The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
|
||||||
|
|
||||||
## Firewall rules
|
## Firewall rules
|
||||||
|
|
||||||
@ -34,7 +34,7 @@ Copy the firewall rules for the boundary zone from the GPO that contains the fir
|
|||||||
|
|
||||||
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
|
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
|
||||||
|
|
||||||
**Next: **[Encryption Zone GPOs](../p_server_archive/encryption-zone-gpos.md)
|
**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@ Rename the **Isolated Domain Rule** to **Encryption Zone Rule**. Leave the authe
|
|||||||
## Registry settings
|
## Registry settings
|
||||||
|
|
||||||
|
|
||||||
The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md).
|
The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
|
||||||
|
|
||||||
## Firewall rules
|
## Firewall rules
|
||||||
|
|
||||||
@ -38,7 +38,7 @@ Change the action for every inbound firewall rule from **Allow the connection**
|
|||||||
|
|
||||||
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
|
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
|
||||||
|
|
||||||
**Next: **[Server Isolation GPOs](../p_server_archive/server-isolation-gpos.md)
|
**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
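Review bot: the unchanged context line `Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone ...` appears in the encryption zone GPO topic (the preceding hunk of the same file renames the rule to **Encryption Zone Rule** and describes the encryption zone registry settings), so "boundary zone" reads as a copy-paste carryover from the boundary zone topic; it should presumably say "encryption zone", because the overlap the sentence warns about is the isolated-domain firewall GPO also applying to the zone being described.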
@ -59,7 +59,7 @@ This GPO provides the following rules:
|
|||||||
|
|
||||||
- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
|
- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
|
||||||
|
|
||||||
**Next: **[Isolated Domain GPOs](../p_server_archive/isolated-domain-gpos.md)
|
**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
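Review bot: the context line describing the WGBank dashboard rule says it is "filtered to only allow traffic on port 1551" but never states the protocol; a Windows Firewall port filter is defined for a specific protocol (TCP or UDP), so a reader cannot reproduce the rule from this description as written. State the protocol alongside the port, and ideally alongside the program path `%ProgramFiles%\\WGBank\\Dashboard.exe`, so the rule is as narrow as the text implies.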
@ -17,13 +17,13 @@ Because client computers can sometimes be portable, the settings and rules for t
|
|||||||
|
|
||||||
This GPO provides the following settings:
|
This GPO provides the following settings:
|
||||||
|
|
||||||
- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](../p_server_archive/firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy.
|
- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy.
|
||||||
|
|
||||||
- The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting.
|
- The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting.
|
||||||
|
|
||||||
- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones.
|
- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones.
|
||||||
|
|
||||||
- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md).
|
- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
@ -169,7 +169,7 @@ This GPO provides the following rules:
|
|||||||
|
|
||||||
- Authentication mode is set to **Do not authenticate**.
|
- Authentication mode is set to **Do not authenticate**.
|
||||||
|
|
||||||
**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](../p_server_archive/gpo-domiso-isolateddomain-servers.md)
|
**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ Because so many of the settings and rules for this GPO are common to those in th
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Next: **[Boundary Zone GPOs](../p_server_archive/boundary-zone-gpos.md)
|
**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -29,15 +29,15 @@ The next step in implementing your design is to determine in what order each of
|
|||||||
|
|
||||||
Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design.
|
Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design.
|
||||||
|
|
||||||
- [Checklist: Implementing a Basic Firewall Policy Design](../p_server_archive/checklist-implementing-a-basic-firewall-policy-design.md)
|
- [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
|
||||||
|
|
||||||
- [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md)
|
- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
|
||||||
|
|
||||||
- [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md)
|
- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
|
||||||
|
|
||||||
- [Checklist: Implementing a Certificate-based Isolation Policy Design](../p_server_archive/checklist-implementing-a-certificate-based-isolation-policy-design.md)
|
- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
|
||||||
|
|
||||||
The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md).
|
The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
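Review bot: the changed checklist contains `[Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)` twice (second and third items), while the design table later in this patch lists four designs: basic firewall, domain isolation, server isolation and certificate-based isolation. The duplicate is most likely meant to be the server isolation checklist; since the link targets are being rewritten here, fix the title and target of the duplicate entry rather than carrying it forward.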
@ -10,13 +10,13 @@ author: brianlic-msft
|
|||||||
|
|
||||||
All of the computers in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
|
All of the computers in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
|
||||||
|
|
||||||
Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) section.
|
Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section.
|
||||||
|
|
||||||
The GPOs created for the Woodgrove Bank isolated domain include the following:
|
The GPOs created for the Woodgrove Bank isolated domain include the following:
|
||||||
|
|
||||||
- [GPO\_DOMISO\_IsolatedDomain\_Clients](../p_server_archive/gpo-domiso-isolateddomain-clients.md)
|
- [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md)
|
||||||
|
|
||||||
- [GPO\_DOMISO\_IsolatedDomain\_Servers](../p_server_archive/gpo-domiso-isolateddomain-servers.md)
|
- [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
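Review bot: the changed line names the exclusion group `GP\_DOMISO\_No\_IPsec`, while the preceding context line names the isolated-domain group `CG\_DOMISO\_IsolatedDomain`; the `GP\_` prefix breaks the `CG\_` naming convention used on the line above, and an administrator following the example would create a group whose name does not match the security group filter described elsewhere in the guide. Confirm the intended name and make the two lines consistent.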
@ -48,14 +48,14 @@ GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server
|
|||||||
|
|
||||||
- A registry policy that includes the following values:
|
- A registry policy that includes the following values:
|
||||||
|
|
||||||
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
|
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
|
||||||
|
|
||||||
**Note**
|
**Note**
|
||||||
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
|
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Next: **[Boundary Zone](../p_server_archive/boundary-zone.md)
|
**Next: **[Boundary Zone](boundary-zone.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -331,7 +331,7 @@ Use the following procedure if you want to block intranet access for a specific
|
|||||||
## <a href="" id="bkmk-links"></a>See also
|
## <a href="" id="bkmk-links"></a>See also
|
||||||
|
|
||||||
|
|
||||||
- [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md)
|
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -28,36 +28,36 @@ Use the following table to determine which Windows Firewall with Advanced Securi
|
|||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
<th>Deployment Goals</th>
|
<th>Deployment Goals</th>
|
||||||
<th>[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)</th>
|
<th>[Basic Firewall Policy Design](basic-firewall-policy-design.md)</th>
|
||||||
<th>[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)</th>
|
<th>[Domain Isolation Policy Design](domain-isolation-policy-design.md)</th>
|
||||||
<th>[Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)</th>
|
<th>[Server Isolation Policy Design](server-isolation-policy-design.md)</th>
|
||||||
<th>[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)</th>
|
<th>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)</th>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p>[Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md)</p></td>
|
<td><p>[Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p>[Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md)</p></td>
|
<td><p>[Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)</p></td>
|
||||||
<td><p>-</p></td>
|
<td><p>-</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p>[Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md)</p></td>
|
<td><p>[Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)</p></td>
|
||||||
<td><p>-</p></td>
|
<td><p>-</p></td>
|
||||||
<td><p>-</p></td>
|
<td><p>-</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
<td><p>Yes</p></td>
|
<td><p>Yes</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p>[Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md)</p></td>
|
<td><p>[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)</p></td>
|
||||||
<td><p>-</p></td>
|
<td><p>-</p></td>
|
||||||
<td><p>Optional</p></td>
|
<td><p>Optional</p></td>
|
||||||
<td><p>Optional</p></td>
|
<td><p>Optional</p></td>
|
||||||
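Review bot: the changed `<th>` and `<td>` cells place markdown link syntax inside raw HTML, for example `<th>[Basic Firewall Policy Design](basic-firewall-policy-design.md)</th>`; CommonMark does not process markdown inside an HTML block, so depending on the renderer these cells may display literal brackets rather than links. Either use `<a href="basic-firewall-policy-design.md">` inside the cells or convert the table to a markdown pipe table, and check the rendered page after the link rewrite.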
@ -70,7 +70,7 @@ Use the following table to determine which Windows Firewall with Advanced Securi
|
|||||||
|
|
||||||
To examine details for a specific design, click the design title at the top of the column in the preceding table.
|
To examine details for a specific design, click the design title at the top of the column in the preceding table.
|
||||||
|
|
||||||
**Next: **[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)
|
**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -46,7 +46,7 @@ When the clients and servers have the certificates available, you can configure
|
|||||||
|
|
||||||
Starting in Windows Server 2012, the Administrator can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
|
Starting in Windows Server 2012, the Administrator can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
|
||||||
|
|
||||||
**Next: **[Documenting the Zones](../p_server_archive/documenting-the-zones.md)
|
**Next: **[Documenting the Zones](documenting-the-zones.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -14,13 +14,13 @@ The bulk of the work in planning server and domain isolation is determining whic
|
|||||||
|
|
||||||
The zones described in this guide include the following:
|
The zones described in this guide include the following:
|
||||||
|
|
||||||
- [Exemption List](../p_server_archive/exemption-list.md)
|
- [Exemption List](exemption-list.md)
|
||||||
|
|
||||||
- [Isolated Domain](../p_server_archive/isolated-domain.md)
|
- [Isolated Domain](isolated-domain.md)
|
||||||
|
|
||||||
- [Boundary Zone](../p_server_archive/boundary-zone.md)
|
- [Boundary Zone](boundary-zone.md)
|
||||||
|
|
||||||
- [Encryption Zone](../p_server_archive/encryption-zone.md)
|
- [Encryption Zone](encryption-zone.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -12,13 +12,13 @@ After you have decided on the best logical design of your isolation environment
|
|||||||
|
|
||||||
You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the computer accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct computers within each group.
|
You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the computer accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct computers within each group.
|
||||||
|
|
||||||
- [Planning Isolation Groups for the Zones](../p_server_archive/planning-isolation-groups-for-the-zones.md)
|
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
|
||||||
|
|
||||||
- [Planning Network Access Groups](../p_server_archive/planning-network-access-groups.md)
|
- [Planning Network Access Groups](planning-network-access-groups.md)
|
||||||
|
|
||||||
- [Planning the GPOs](../p_server_archive/planning-the-gpos.md)
|
- [Planning the GPOs](planning-the-gpos.md)
|
||||||
|
|
||||||
- [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md)
|
- [Planning GPO Deployment](planning-gpo-deployment.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -63,11 +63,11 @@ The following table lists typical groups that can be used to manage the domain i
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](../p_server_archive/planning-the-gpos.md).
|
Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md).
|
||||||
|
|
||||||
If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the computer. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
|
If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the computer. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
|
||||||
|
|
||||||
**Next: **[Planning Network Access Groups](../p_server_archive/planning-network-access-groups.md)
|
**Next: **[Planning Network Access Groups](planning-network-access-groups.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ Membership in a NAG does not control the level of IPsec traffic protection. The
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Next: **[Planning the GPOs](../p_server_archive/planning-the-gpos.md)
|
**Next: **[Planning the GPOs](planning-the-gpos.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ Each set of servers that must be accessed by different sets of users should be s
|
|||||||
## Creating the GPOs
|
## Creating the GPOs
|
||||||
|
|
||||||
|
|
||||||
Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section.
|
Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
|
||||||
|
|
||||||
An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members.
|
An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members.
|
||||||
|
|
||||||
@ -69,14 +69,14 @@ The connection security rules described here are identical to the ones for the e
|
|||||||
|
|
||||||
- A registry policy that includes the following values:
|
- A registry policy that includes the following values:
|
||||||
|
|
||||||
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
|
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
|
||||||
|
|
||||||
**Note**
|
**Note**
|
||||||
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
|
For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Next: **[Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md)
|
**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
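Review bot: the `**Next: **[Planning Certificate-based Authentication](...)` line keeps a space before the closing `**`, which CommonMark does not accept as a closing delimiter, so the asterisks render literally instead of as bold; since the line is already being touched, change it to `**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)`. The same fix applies to the other `**Next: **` lines in this change.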
@ -46,7 +46,7 @@ The following is a list of the firewall settings that you might consider for inc
|
|||||||
|
|
||||||
- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
|
- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
|
||||||
|
|
||||||
**Next: **[Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md)
|
**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
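Review bot: the "Outbound rules" bullet tells the reader to test the restrictions before deploying but does not say how to see what was blocked; since this change also touches the procedures list, the bullet could point at "Configure the Windows Firewall Log" so that unintended drops of authorized program traffic are visible in the log during the test phase.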
@ -40,19 +40,19 @@ After considering these issues, document each GPO that you require, and the deta
|
|||||||
## Woodgrove Bank example GPOs
|
## Woodgrove Bank example GPOs
|
||||||
|
|
||||||
|
|
||||||
The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which computers receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) section.
|
The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which computers receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section.
|
||||||
|
|
||||||
In this section you can find information about the following:
|
In this section you can find information about the following:
|
||||||
|
|
||||||
- [Firewall GPOs](../p_server_archive/firewall-gpos.md)
|
- [Firewall GPOs](firewall-gpos.md)
|
||||||
|
|
||||||
- [Isolated Domain GPOs](../p_server_archive/isolated-domain-gpos.md)
|
- [Isolated Domain GPOs](isolated-domain-gpos.md)
|
||||||
|
|
||||||
- [Boundary Zone GPOs](../p_server_archive/boundary-zone-gpos.md)
|
- [Boundary Zone GPOs](boundary-zone-gpos.md)
|
||||||
|
|
||||||
- [Encryption Zone GPOs](../p_server_archive/encryption-zone-gpos.md)
|
- [Encryption Zone GPOs](encryption-zone-gpos.md)
|
||||||
|
|
||||||
- [Server Isolation GPOs](../p_server_archive/server-isolation-gpos.md)
|
- [Server Isolation GPOs](server-isolation-gpos.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
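Review bot: dropping the `../p_server_archive/` prefix makes every link in this list (firewall-gpos.md, isolated-domain-gpos.md, boundary-zone-gpos.md, encryption-zone-gpos.md, server-isolation-gpos.md, planning-gpo-deployment.md) resolve relative to this topic's own directory; a missing target fails silently as a 404 at render time, so run a link check over the whole set after this commit rather than verifying only the files that were moved.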
@ -8,7 +8,7 @@ author: brianlic-msft
|
|||||||
# Planning to Deploy Windows Firewall with Advanced Security
|
# Planning to Deploy Windows Firewall with Advanced Security
|
||||||
|
|
||||||
|
|
||||||
After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](../p_server_archive/windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization.
|
After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization.
|
||||||
|
|
||||||
## Reviewing your Windows Firewall with Advanced Security Design
|
## Reviewing your Windows Firewall with Advanced Security Design
|
||||||
|
|
||||||
@ -17,11 +17,11 @@ If the design team that created the Windows Firewall with Advanced Security desi
|
|||||||
|
|
||||||
- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which computers apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide:
|
- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which computers apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide:
|
||||||
|
|
||||||
- [Planning Isolation Groups for the Zones](../p_server_archive/planning-isolation-groups-for-the-zones.md)
|
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
|
||||||
|
|
||||||
- [Planning the GPOs](../p_server_archive/planning-the-gpos.md)
|
- [Planning the GPOs](planning-the-gpos.md)
|
||||||
|
|
||||||
- [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md)
|
- [Planning GPO Deployment](planning-gpo-deployment.md)
|
||||||
|
|
||||||
- The communication to be allowed between members of each of the zones in the isolated domain and computers that are not part of the isolated domain or members of the isolated domain's exemption list.
|
- The communication to be allowed between members of each of the zones in the isolated domain and computers that are not part of the isolated domain or members of the isolated domain's exemption list.
|
||||||
|
|
||||||
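Review bot: the wording "will determine which computers apply to which GPO" in the first bullet is backwards, since GPOs apply to computers and not the other way round; suggest "will determine which GPO applies to which computers" while this line is being edited.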
@ -39,7 +39,7 @@ If the design team that created the Windows Firewall with Advanced Security desi
|
|||||||
|
|
||||||
If at least one set of each does not match between two computers, then the computers cannot successfully communicate.
|
If at least one set of each does not match between two computers, then the computers cannot successfully communicate.
|
||||||
|
|
||||||
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](../p_server_archive/implementing-your-windows-firewall-with-advanced-security-design-plan.md).
|
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -13,9 +13,9 @@ After you have gathered the relevant information in the previous sections, and u
|
|||||||
## Basic firewall design
|
## Basic firewall design
|
||||||
|
|
||||||
|
|
||||||
We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization.
|
We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization.
|
||||||
|
|
||||||
When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) section.
|
When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section.
|
||||||
|
|
||||||
## Algorithm and method support and selection
|
## Algorithm and method support and selection
|
||||||
|
|
||||||
@ -40,7 +40,7 @@ Include this design in your plans:
|
|||||||
|
|
||||||
If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the computers are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting.
|
If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the computers are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting.
|
||||||
|
|
||||||
When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) section.
|
When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
|
||||||
|
|
||||||
## Server isolation design
|
## Server isolation design
|
||||||
|
|
||||||
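Review bot: the paragraph on starting in request mode should say explicitly that in request mode a peer that fails IPsec negotiation silently falls back to unprotected traffic, so "if something is wrong" is only noticed if someone checks; suggest pointing the reader at "Verify That Network Traffic Is Authenticated" for the check and at "Change Rules from Request to Require Mode" for the switch-over, both of which are procedures listed elsewhere in this change.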
@ -53,7 +53,7 @@ Include this design in your plans:
|
|||||||
|
|
||||||
If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements.
|
If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements.
|
||||||
|
|
||||||
When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) section.
|
When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section.
|
||||||
|
|
||||||
## Certificate-based authentication design
|
## Certificate-based authentication design
|
||||||
|
|
||||||
@ -68,23 +68,23 @@ Include this design in your plans:
|
|||||||
|
|
||||||
If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the computers that require it.
|
If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the computers that require it.
|
||||||
|
|
||||||
When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md) section.
|
When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section.
|
||||||
|
|
||||||
## Documenting your design
|
## Documenting your design
|
||||||
|
|
||||||
|
|
||||||
After you finish selecting the designs that you will use, you must assign each of your computers to the appropriate isolation zone and document the assignment for use by the deployment team.
|
After you finish selecting the designs that you will use, you must assign each of your computers to the appropriate isolation zone and document the assignment for use by the deployment team.
|
||||||
|
|
||||||
- [Documenting the Zones](../p_server_archive/documenting-the-zones.md)
|
- [Documenting the Zones](documenting-the-zones.md)
|
||||||
|
|
||||||
## Designing groups and GPOs
|
## Designing groups and GPOs
|
||||||
|
|
||||||
|
|
||||||
After you have selected a design and assigned your computers to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your computers.
|
After you have selected a design and assigned your computers to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your computers.
|
||||||
|
|
||||||
When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section.
|
When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
|
||||||
|
|
||||||
**Next: **[Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md)
|
**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -10,83 +10,83 @@ author: brianlic-msft
|
|||||||
|
|
||||||
The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
|
The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
|
||||||
|
|
||||||
[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)
|
[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)
|
||||||
|
|
||||||
[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)
|
[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)
|
||||||
|
|
||||||
[Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md)
|
[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
|
||||||
|
|
||||||
[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md)
|
[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
|
||||||
|
|
||||||
[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Configure Group Policy to Autoenroll and Deploy Certificates](../p_server_archive/configure-group-policy-to-autoenroll-and-deploy-certificates.md)
|
[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
|
||||||
|
|
||||||
[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Configure the Windows Firewall Log](../p_server_archive/configure-the-windows-firewall-log.md)
|
[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
|
||||||
|
|
||||||
[Configure the Workstation Authentication Certificate Template](../p_server_archive/configure-the-workstation-authentication-certificate-templatewfas-dep.md)
|
[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)
|
||||||
|
|
||||||
[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](../p_server_archive/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
|
[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
|
||||||
|
|
||||||
[Confirm That Certificates Are Deployed Correctly](../p_server_archive/confirm-that-certificates-are-deployed-correctly.md)
|
[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
|
||||||
|
|
||||||
[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)
|
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
|
||||||
|
|
||||||
[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)
|
[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
|
||||||
|
|
||||||
[Create a Group Policy Object](../p_server_archive/create-a-group-policy-object.md)
|
[Create a Group Policy Object](create-a-group-policy-object.md)
|
||||||
|
|
||||||
[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Create WMI Filters for the GPO](../p_server_archive/create-wmi-filters-for-the-gpo.md)
|
[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
|
||||||
|
|
||||||
[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
|
||||||
|
|
||||||
[Install Active Directory Certificate Services](../p_server_archive/install-active-directory-certificate-services.md)
|
[Install Active Directory Certificate Services](install-active-directory-certificate-services.md)
|
||||||
|
|
||||||
[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)
|
[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
|
||||||
|
|
||||||
[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
|
[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
|
||||||
|
|
||||||
[Open the Group Policy Management Console to IP Security Policies](../p_server_archive/open-the-group-policy-management-console-to-ip-security-policies.md)
|
[Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
|
||||||
|
|
||||||
[Open the Group Policy Management Console to Windows Firewall](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall.md)
|
[Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
|
||||||
|
|
||||||
[Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
|
[Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
|
||||||
|
|
||||||
[Open Windows Firewall with Advanced Security](../p_server_archive/open-windows-firewall-with-advanced-security.md)
|
[Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
|
||||||
|
|
||||||
[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md)
|
[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
|
||||||
|
|
||||||
[Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md)
|
[Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md)
|
||||||
|
|
||||||
[Turn on Windows Firewall and Configure Default Behavior](../p_server_archive/turn-on-windows-firewall-and-configure-default-behavior.md)
|
[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
|
||||||
|
|
||||||
[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)
|
[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
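Review bot: two target names in this list look like leftover naming artifacts rather than intended file names and should be confirmed against the directory before the relative links are trusted: `configure-the-workstation-authentication-certificate-templatewfas-dep.md` (the `wfas-dep` suffix glued to `template`) and `create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-...-r2.md` (a double hyphen after `windows-7`, unlike the single hyphens in the neighbouring entries). The entries are also bare links separated by blank lines rather than a markdown list, unlike the `- [...]` lists used in the other topics of this change.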
@ -8,7 +8,7 @@ author: brianlic-msft
|
|||||||
# Require Encryption When Accessing Sensitive Network Resources
|
# Require Encryption When Accessing Sensitive Network Resources
|
||||||
|
|
||||||
|
|
||||||
The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md)) enables a computer in the isolated domain to block traffic from untrusted computers. However, it does not prevent an untrusted computer from eavesdropping on the network traffic shared between two trusted computers, because by default network packets are not encrypted.
|
The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) enables a computer in the isolated domain to block traffic from untrusted computers. However, it does not prevent an untrusted computer from eavesdropping on the network traffic shared between two trusted computers, because by default network packets are not encrypted.
|
||||||
|
|
||||||
For computers that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to computers that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it.
|
For computers that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to computers that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it.
|
||||||
|
|
||||||
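Review bot: dropping the `../p_server_archive/` prefix (here on the Restrict Access to Only Trusted Computers link) is only correct if the target topics now live in the same directory as the files being edited; since the same prefix removal is applied to every file in this commit, run the docs link check (or grep the tree for any remaining `p_server_archive` references) before merging so no link is left pointing at the old path.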
@ -18,19 +18,19 @@ The following illustration shows an encryption zone in an isolated domain. The r
|
|||||||
|
|
||||||
This goal provides the following benefits:
|
This goal provides the following benefits:
|
||||||
|
|
||||||
- Computers in the encryption zone require authentication to communicate with other computers. This works no differently from the domain isolation goal and design. For more information, see [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md).
|
- Computers in the encryption zone require authentication to communicate with other computers. This works no differently from the domain isolation goal and design. For more information, see [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md).
|
||||||
|
|
||||||
- Computers in the encryption zone require that all inbound and outbound network traffic be encrypted.
|
- Computers in the encryption zone require that all inbound and outbound network traffic be encrypted.
|
||||||
|
|
||||||
For example, Woodgrove Bank processes sensitive customer data on a computer that must be protected from eavesdropping by computers on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data.
|
For example, Woodgrove Bank processes sensitive customer data on a computer that must be protected from eavesdropping by computers on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data.
|
||||||
|
|
||||||
- Computers in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more information, see [Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md).
|
- Computers in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more information, see [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md).
|
||||||
|
|
||||||
The following components are required for this deployment goal:
|
The following components are required for this deployment goal:
|
||||||
|
|
||||||
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](../p_server_archive/additional-resources-wfasdesign.md).
|
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md).
|
||||||
|
|
||||||
**Next: **[Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md)
|
**Next: **[Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
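Review bot: `**Next: **[Restrict Access to Only Specified Users or Computers](...)` keeps a space before the closing `**`, so in CommonMark-based renderers the bold never closes and the asterisks show literally; while the line is being touched anyway, change it to `**Next:** [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)`. The same `**Next: **` pattern appears on the other Next lines changed in this commit.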
@ -20,7 +20,7 @@ The following illustration shows an isolated server, and examples of computers t
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
This goal, which corresponds to [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md), provides the following features:
|
This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features:
|
||||||
|
|
||||||
- Isolated servers accept unsolicited inbound network traffic only from computers or users that are members of the NAG.
|
- Isolated servers accept unsolicited inbound network traffic only from computers or users that are members of the NAG.
|
||||||
|
|
||||||
@ -28,13 +28,13 @@ This goal, which corresponds to [Server Isolation Policy Design](../p_server_arc
|
|||||||
|
|
||||||
- Server isolation can also be configured independently of an isolated domain. To do so, configure only the computers that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership.
|
- Server isolation can also be configured independently of an isolated domain. To do so, configure only the computers that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership.
|
||||||
|
|
||||||
- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md).
|
- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
|
||||||
|
|
||||||
The following components are required for this deployment goal:
|
The following components are required for this deployment goal:
|
||||||
|
|
||||||
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](../p_server_archive/additional-resources-wfasdesign.md).
|
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md).
|
||||||
|
|
||||||
**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](../p_server_archive/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
|
**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -191,7 +191,7 @@ You might not find the exact answer for the issue, but you can find good hints.
|
|||||||
## <a href="" id="bkmk-links"></a>See also
|
## <a href="" id="bkmk-links"></a>See also
|
||||||
|
|
||||||
|
|
||||||
- [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md)
|
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@ This GPO is identical to the GPO\_DOMISO\_Encryption\_WS2008 GPO with the follow
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Next: **[Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md)
|
**Next: **[Planning GPO Deployment](planning-gpo-deployment.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ author: brianlic-msft
|
|||||||
# Server Isolation Policy Design Example
|
# Server Isolation Policy Design Example
|
||||||
|
|
||||||
|
|
||||||
This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) section.
|
This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section.
|
||||||
|
|
||||||
In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the computers that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network.
|
In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the computers that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network.
|
||||||
|
|
||||||
@ -42,9 +42,9 @@ The following illustration shows the traffic protection needs for this design ex
|
|||||||
|
|
||||||
**Other traffic notes:**
|
**Other traffic notes:**
|
||||||
|
|
||||||
- All of the design requirements shown in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section are still enforced.
|
- All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced.
|
||||||
|
|
||||||
- All of the design requirements shown in the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) section are still enforced.
|
- All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced.
|
||||||
|
|
||||||
## Design details
|
## Design details
|
||||||
|
|
||||||
@ -75,7 +75,7 @@ If Woodgrove Bank wants to implement server isolation without domain isolation,
|
|||||||
|
|
||||||
You do not have to include the encryption-capable rules on all computers. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption.
|
You do not have to include the encryption-capable rules on all computers. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption.
|
||||||
|
|
||||||
**Next: **[Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md)
|
**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@ author: brianlic-msft
|
|||||||
|
|
||||||
In the server isolation policy design, you assign servers to a zone that allows access only to users and computers that authenticate as members of an approved network access group (NAG).
|
In the server isolation policy design, you assign servers to a zone that allows access only to users and computers that authenticate as members of an approved network access group (NAG).
|
||||||
|
|
||||||
This design typically begins with a network configured as described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements.
|
This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements.
|
||||||
|
|
||||||
You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the computers that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and computers can access the isolated server are also used to determine which computers receive the GPO.
|
You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the computers that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and computers can access the isolated server are also used to determine which computers receive the GPO.
|
||||||
|
|
||||||
@ -20,7 +20,7 @@ The design is shown in the following illustration, with arrows that show the per
|
|||||||
|
|
||||||
Characteristics of this design include the following:
|
Characteristics of this design include the following:
|
||||||
|
|
||||||
- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then computers in the boundary zone behave just like other members of the isolated domain in the way that they interact with computers in server isolation zones.
|
- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then computers in the boundary zone behave just like other members of the isolated domain in the way that they interact with computers in server isolation zones.
|
||||||
|
|
||||||
- Isolated servers (area B) - Computers in the server isolation zones restrict access to computers, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access.
|
- Isolated servers (area B) - Computers in the server isolation zones restrict access to computers, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access.
|
||||||
|
|
||||||
@ -29,7 +29,7 @@ Characteristics of this design include the following:
|
|||||||
To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules.
|
To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules.
|
||||||
|
|
||||||
**Important**
|
**Important**
|
||||||
This design builds on the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented.
|
This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -37,17 +37,17 @@ This design can be applied to computers that are part of an Active Directory for
|
|||||||
|
|
||||||
For more information about this design:
|
For more information about this design:
|
||||||
|
|
||||||
- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), [Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md), and [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md).
|
- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
|
||||||
|
|
||||||
- To learn more about this design, see [Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md).
|
- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
|
||||||
|
|
||||||
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md).
|
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
|
||||||
|
|
||||||
- To help you make the decisions required in this design, see [Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md).
|
- To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md).
|
||||||
|
|
||||||
- For a list of tasks that you can use to deploy your server isolation policy design, see "Checklist: Implementing a Standalone Server Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxx.
|
- For a list of tasks that you can use to deploy your server isolation policy design, see "Checklist: Implementing a Standalone Server Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxx.
|
||||||
|
|
||||||
**Next: **[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)
|
**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
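Review bot: the deployment-guide bullet is rewritten but still carries the placeholder fwlink, `[...](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxx`, with two different placeholder values; either supply the real link ID (or a relative link to the deployment guide, as done for the other links in this hunk) or leave this line out of a link-fixing commit so the placeholder stays tracked rather than passing as fixed.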
@ -19,7 +19,7 @@ To complete these procedures, you must be a member of the Domain Administrators
|
|||||||
|
|
||||||
**To enable Windows Firewall and configure the default behavior on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
**To enable Windows Firewall and configure the default behavior on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
|
||||||
|
|
||||||
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
|
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@ Windows PowerShell and netsh command references are at the following locations.
|
|||||||
## Scope
|
## Scope
|
||||||
|
|
||||||
|
|
||||||
This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide.
|
This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide.
|
||||||
|
|
||||||
## Audience and user requirements
|
## Audience and user requirements
|
||||||
|
|
||||||
@ -408,7 +408,7 @@ Windows PowerShell
|
|||||||
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway
|
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway
|
||||||
```
|
```
|
||||||
|
|
||||||
For more information about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](../p_server_archive/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md).
|
For more information about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md).
|
||||||
|
|
||||||
### Copy an IPsec rule from one policy to another
|
### Copy an IPsec rule from one policy to another
|
||||||
|
|
||||||
|
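Review bot: the `New-NetIPsecRule` sample in this hunk uses typographic quotes around `“Require Inbound Authentication”` and en dashes on `–Phase1AuthSet` and `–RemoteAddress` while the other parameters use ASCII `-`; PowerShell's parser accepts both forms, but readers who copy the line into other tooling get a mixed-character command, so normalize the quotes and dashes to ASCII in the same touch.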
@ -17,21 +17,21 @@ You can use Windows Firewall to control access to the computer from the network.
|
|||||||
|
|
||||||
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected.
|
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected.
|
||||||
|
|
||||||
Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](../p_server_archive/planning-to-deploy-windows-firewall-with-advanced-security.md).
|
Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md).
|
||||||
|
|
||||||
If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](../p_server_archive/windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization.
|
If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization.
|
||||||
|
|
||||||
After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide:
|
After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide:
|
||||||
|
|
||||||
- [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)
|
- [Basic Firewall Policy Design](basic-firewall-policy-design.md)
|
||||||
|
|
||||||
- [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)
|
- [Domain Isolation Policy Design](domain-isolation-policy-design.md)
|
||||||
|
|
||||||
- [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)
|
- [Server Isolation Policy Design](server-isolation-policy-design.md)
|
||||||
|
|
||||||
- [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)
|
- [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
|
||||||
|
|
||||||
Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](../p_server_archive/implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design.
|
Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design.
|
||||||
|
|
||||||
**Caution**
|
**Caution**
|
||||||
We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the computers in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies.
|
We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the computers in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies.
|
||||||
@ -51,7 +51,7 @@ In a large enterprise environment with hundreds or thousands of GPOs, using this
|
|||||||
|
|
||||||
This guide does not provide:
|
This guide does not provide:
|
||||||
|
|
||||||
- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide.
|
- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide.
|
||||||
|
|
||||||
- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. For more information, see Active Directory Domain Services (<http://go.microsoft.com/fwlink/?linkid=102573>) and Group Policy (<http://go.microsoft.com/fwlink/?linkid=93542>).
|
- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. For more information, see Active Directory Domain Services (<http://go.microsoft.com/fwlink/?linkid=102573>) and Group Policy (<http://go.microsoft.com/fwlink/?linkid=93542>).
|
||||||
|
|
||||||
|
@ -126,7 +126,7 @@ See the following topics for more information about Windows Firewall with Advanc
|
|||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td><p><strong>Deployment</strong></p></td>
|
<td><p><strong>Deployment</strong></p></td>
|
||||||
<td><p>[Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](../p_server_archive/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) | [Isolating Windows Store Apps on Your Network](../p_server_archive/isolating-windows-store-apps-on-your-network.md) | [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)</p></td>
|
<td><p>[Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) | [Isolating Windows Store Apps on Your Network](isolating-windows-store-apps-on-your-network.md) | [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p><strong>Troubleshooting</strong></p></td>
|
<td><p><strong>Troubleshooting</strong></p></td>
|
||||||
|
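Review bot: the Deployment row places Markdown link syntax inside raw HTML `<td><p>` cells; CommonMark does not process Markdown inside an HTML block, so confirm the site's Markdown engine renders these (the DocFX flavor does), and otherwise convert them to `<a href="...">` elements so the relative paths fixed here actually become links.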