mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-28 13:17:23 +00:00
Merge pull request #5599 from MicrosoftDocs/v-mathavale-5392069-1to20
Updated1to20
This commit is contained in:
Gary Moore
GitHub
commit
723f657acc
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Add Production Devices to the Membership Group for a Zone (Windows 10)
|
||||
title: Add Production Devices to the Membership Group for a Zone (Windows)
|
||||
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
|
||||
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
|
||||
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Add Test Devices to the Membership Group for a Zone (Windows 10)
|
||||
title: Add Test Devices to the Membership Group for a Zone (Windows)
|
||||
description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
|
||||
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
|
||||
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows)
|
||||
description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
|
||||
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Assign Security Group Filters to the GPO (Windows 10)
|
||||
title: Assign Security Group Filters to the GPO (Windows)
|
||||
description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
|
||||
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/02/2019
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Basic Firewall Policy Design (Windows 10)
|
||||
title: Basic Firewall Policy Design (Windows)
|
||||
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
|
||||
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
|
||||
ms.reviewer:
|
||||
@ -20,8 +20,9 @@ ms.technology: mde
|
||||
# Basic Firewall Policy Design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
|
||||
|
||||
@ -37,7 +38,7 @@ Many network administrators do not want to tackle the difficult task of determin
|
||||
|
||||
For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
|
||||
|
||||
- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization.
|
||||
- For other standard network behavior, the predefined rules that are built into Windows 11, Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization.
|
||||
|
||||
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
|
||||
|
||||
|
||||
@ -20,9 +20,10 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows operating systems including Windows 10
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
- Windows Server Operating Systems
|
||||
|
||||
Windows Defender Firewall with Advanced Security provides host-based, two-way
|
||||
network traffic filtering and blocks unauthorized network traffic flowing into
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Boundary Zone GPOs (Windows 10)
|
||||
title: Boundary Zone GPOs (Windows)
|
||||
description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Boundary Zone (Windows 10)
|
||||
title: Boundary Zone (Windows)
|
||||
description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,15 +22,16 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
|
||||
In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
|
||||
|
||||
Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device.
|
||||
|
||||
The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it.
|
||||
The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it.
|
||||
|
||||
Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
|
||||
These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision.
|
||||
|
||||
|
||||
|
||||
@ -38,7 +39,7 @@ The goal of this process is to determine whether the risk of adding a device to
|
||||
|
||||
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
|
||||
|
||||
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
|
||||
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group.
|
||||
|
||||
## GPO settings for boundary zone servers running at least Windows Server 2008
|
||||
|
||||
@ -49,13 +50,13 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i
|
||||
|
||||
1. Exempt all ICMP traffic from IPsec.
|
||||
|
||||
2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
|
||||
2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES, and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
|
||||
|
||||
3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems..
|
||||
3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
|
||||
|
||||
If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
|
||||
|
||||
4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
|
||||
4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
|
||||
|
||||
- The following connection security rules:
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Certificate-based Isolation Policy Design Example (Windows 10)
|
||||
title: Certificate-based Isolation Policy Design Example (Windows)
|
||||
description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/17/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Certificate-based Isolation Policy Design (Windows 10)
|
||||
title: Certificate-based Isolation Policy Design (Windows)
|
||||
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
|
||||
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/17/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Change Rules from Request to Require Mode (Windows 10)
|
||||
title: Change Rules from Request to Require Mode (Windows)
|
||||
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
|
||||
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/17/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Configuring Basic Firewall Settings (Windows 10)
|
||||
title: Checklist Configuring Basic Firewall Settings (Windows)
|
||||
description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
|
||||
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/17/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10)
|
||||
title: Checklist Configuring Rules for an Isolated Server Zone (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
|
||||
ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10)
|
||||
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows)
|
||||
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
|
||||
ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Configuring Rules for the Boundary Zone (Windows 10)
|
||||
title: Checklist Configuring Rules for the Boundary Zone (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
|
||||
ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Configuring Rules for the Encryption Zone (Windows 10)
|
||||
title: Checklist Configuring Rules for the Encryption Zone (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
|
||||
ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Configuring Rules for the Isolated Domain (Windows 10)
|
||||
title: Checklist Configuring Rules for the Isolated Domain (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
|
||||
ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Creating Group Policy Objects (Windows 10)
|
||||
title: Checklist Creating Group Policy Objects (Windows)
|
||||
description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
|
||||
ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/17/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
|
||||
|
||||
@ -30,7 +31,7 @@ The checklists for firewall, domain isolation, and server isolation include a li
|
||||
|
||||
## About membership groups
|
||||
|
||||
For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
|
||||
For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
|
||||
|
||||
## About exclusion groups
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Creating Inbound Firewall Rules (Windows 10)
|
||||
title: Checklist Creating Inbound Firewall Rules (Windows)
|
||||
description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for creating firewall rules in your GPOs.
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Checklist Creating Outbound Firewall Rules (Windows 10)
|
||||
title: Checklist Creating Outbound Firewall Rules (Windows)
|
||||
description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
|
||||
ms.reviewer:
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
@ -22,7 +22,8 @@ ms.technology: mde
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for creating outbound firewall rules in your GPOs.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user