diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 89aee60958..e035651dd8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -439,7 +439,7 @@ ###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) ###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) ###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) -###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md) +###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-devices.md) ##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) ###### [Basic Firewall Policy Design](basic-firewall-policy-design.md) ###### [Domain Isolation Policy Design](domain-isolation-policy-design.md) 
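Review bot: in the @@ -439 hunk the link target becomes restrict-access-to-only-specified-users-or-devices.md while the visible title still reads "Restrict Access to Only Specified Users or Computers", and the rename of the target file itself is not part of this diff; either change the title to match the new file name or confirm the renamed page is committed together with this TOC change, otherwise the entry resolves to a missing page.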
@@ -454,9 +454,9 @@ ###### [Gathering the Information You Need](gathering-the-information-you-need.md) ####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) ####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) -####### [Gathering Information about Your Computers](gathering-information-about-your-computers.md) +####### [Gathering Information about Your Computers](gathering-information-about-your-devices.md) ####### [Gathering Other Relevant Information](gathering-other-relevant-information.md) -###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md) +###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md) ##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) ###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) ###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) diff --git a/windows/keep-secure/additional-resources-wfasdesign.md b/windows/keep-secure/additional-resources-wfasdesign.md deleted file mode 100644 index 1e524c920a..0000000000 --- a/windows/keep-secure/additional-resources-wfasdesign.md +++ /dev/null 
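Review bot: the @@ -454 hunk has the same mismatch twice: "Gathering Information about Your Computers" and "Determining the Trusted State of Your Computers" now point at gathering-information-about-your-devices.md and determining-the-trusted-state-of-your-devices.md, keeping "Computers" in the title while the file names say "devices", and neither rename appears in this diff. Align the titles with the new file names and land the renames in the same commit so the TOC never points at pages that do not exist yet.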
@@ -1,67 +0,0 @@ ---- -title: Additional Resources (Windows 10) -description: Additional Resources -ms.assetid: 74897052-508d-49b9-911c-5902a1fb0d26 -author: brianlic-msft ---- - -# Additional Resources - - -For more information about the technologies discussed in this guide, see topics referenced in the following sections. - -## Windows Firewall with Advanced Security - - -- [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365) (http://technet.microsoft.com/library/hh831365) - - This TechNet page contains links to a variety of documents available for Windows Firewall with Advanced Security. - -## IPsec - - -- [IPsec](http://technet.microsoft.com/network/bb531150.aspx) (http://technet.microsoft.com/network/bb531150.aspx) - - This TechNet page contains links to a variety of documents currently available for Internet Protocol security (IPsec) for Windows available as connection security rules. - -## Server and Domain Isolation - - -- [Server and Domain Isolation](http://technet.microsoft.com/network/bb545651.aspx) (http://technet.microsoft.com/network/bb545651.aspx) - - This TechNet page contains links to documentation about the most common uses for IPsec: server isolation and domain isolation. - -## Group Policy - - -Group Policy is a key method for implementing firewall and server and domain isolation designs. - -For more information about Group Policy and related technologies, see: - -- **Group Policy**[Group Policy Overview](http://technet.microsoft.com/library/hh831791) (http://technet.microsoft.com/library/hh831791) - - This page contains links to the documents currently available for Group Policy. 
- -- [WMI Filtering Using GPMC](http://technet.microsoft.com/library/6237b9b2-4a21-425e-8976-2065d28b3147) (http://technet.microsoft.com/library/6237b9b2-4a21-425e-8976-2065d28b3147) - -- [HOWTO: Leverage Group Policies with WMI Filters](http://support.microsoft.com/kb/555253) (http://support.microsoft.com/kb/555253) - - This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system. - -## Active Directory Domain Services - - -Organizations can use AD DS to manage users and resources, such as computers, printers, or applications, on a network. Server isolation and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication. - -For more information about AD DS and related technologies, see: - -- [Active Directory Domain Services Overview](http://technet.microsoft.com/library/hh831484) (http://technet.microsoft.com/library/hh831484) - -  - -  - - - - - diff --git a/windows/keep-secure/additional-resourceswfas-deploy.md b/windows/keep-secure/additional-resourceswfas-deploy.md deleted file mode 100644 index 3a4efaa457..0000000000 --- a/windows/keep-secure/additional-resourceswfas-deploy.md +++ /dev/null 
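Review bot: additional-resources-wfasdesign.md is deleted outright, but nothing in the visible hunks removes a TOC entry or a "Next:" link that pointed at it, and no redirect is added for a page that carries its own ms.assetid; grep the repository for the file name before merging so the design guide does not end on a dead link. The same check applies to additional-resourceswfas-deploy.md, deleted in the next hunk.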
@@ -1,64 +0,0 @@ ---- -title: Additional Resources (Windows 10) -description: Additional Resources -ms.assetid: 09bdec5d-8a3f-448c-bc48-d4cb41f9c6e8 -author: brianlic-msft ---- - -# Additional Resources - - -For more information about the technologies discussed in this guide, see topics referenced in the following sections. - -## Windows Firewall with Advanced Security - - -- [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365.aspx) (http://technet.microsoft.com/library/hh831365.aspx) - - This TechNet page contains links to a variety of documents available for Windows Firewall with Advanced Security in Windows Server 2012. - -- [Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012](http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx#z6d72b831d4c24158874a04e9e9d37c43) - - This wiki article describes how Windows Firewall with Advanced Security works, what the common troubleshooting situations are, and which tools you can use for troubleshooting. The community is encouraged to add their troubleshooting and experiences to this article. - -## IPsec - - -- [IPsec](http://www.microsoft.com/ipsec) (http://www.microsoft.com/ipsec) - - This TechNet page contains links to a variety of documents currently available for Internet Protocol security (IPsec) in Windows. - -## Group Policy - - -Group Policy is a key method for implementing firewall and server and domain isolation designs. - -For more information about Group Policy and related technologies, see: - -- [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx) (http://technet.microsoft.com/library/hh831791.aspx) - - This page contains links to the documents currently available for Group Policy. 
- -- [WMI Filtering Using GPMC](http://go.microsoft.com/fwlink/?linkid=93188) (http://go.microsoft.com/fwlink/?linkid=93188) - -- [HOWTO: Leverage Group Policies with WMI Filters](http://go.microsoft.com/fwlink/?linkid=93760) (http://go.microsoft.com/fwlink/?linkid=93760) - - This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system. - -## Active Directory Domain Services - - -In Windows 8 and Windows Server 2012, organizations can use AD DS to manage users and resources, such as computers, printers, or applications, on a network. Server isolation and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication. - -For more information about AD DS and related technologies, see: - -- [Active Directory Domain Services Overview](http://technet.microsoft.com/library/hh831484.aspx) (http://technet.microsoft.com/library/hh831484.aspx) - -  - -  - - - - - diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 078ccc621c..f72093bb1e 100644 --- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md 
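Review bot: of the two deleted resource pages, this deploy-guide copy was the only one that pointed readers at the Windows Firewall with Advanced Security troubleshooting wiki article and at the WMI-filter how-to links; if these resources are being consolidated somewhere else, carry those pointers over, since the remaining pages in this diff give no troubleshooting reference at all.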
@@ -2,13 +2,20 @@ title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10) description: Appendix A Sample GPO Template Files for Settings Used in this Guide ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Appendix A: Sample GPO Template Files for Settings Used in this Guide +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). Creating registry setting preferences as described here was first implemented in Windows Server 2008 and Windows Vista with Service Pack 1 (SP1). +You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there. 
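Review bot: the new manual-creation sentence tells readers to "drag the container to the desktop", while the Note kept in the next hunk still says to drag "the Server and Domain Isolation Settings node"; use one name for that container so the two instructions read as the same step. Also, the page now states "Applies to: Windows 10, Windows Server 2016 Technical Preview", but the sample XML relies on item-level targeting by Windows version (per the sentence that follows) and the XML itself is not touched by this diff; check that its targeting conditions still match the new scope, or the preferences will silently not apply.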
@@ -16,10 +23,7 @@ To import an .xml file to GPMC, drag it and drop it on the **Registry** node und The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply. -**Note**   -The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. - -  +>**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. ``` syntax @@ -87,12 +91,3 @@ The file shown here is for sample use only. It should be customized to meet the ``` - -  - -  - - - - - diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index e8e136ef00..a9a8a4d8a0 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md 
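Review bot: while the Note is converted to a blockquote, the fence that opens the sample file is left as ``` syntax, which is not a language identifier a highlighter recognizes; the sample is Group Policy Preferences registry XML, so tag it ```xml. The trailing blank-line and nbsp cleanup in the @@ -87 hunk is fine.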
@@ -2,32 +2,27 @@ title: Boundary Zone GPOs (Windows 10) description: Boundary Zone GPOs ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Boundary Zone GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -All the computers in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. +All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. -**Note**   -If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any computers that are incorrectly assigned to more than one group. - -  +>**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. 
For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. -The boundary zone GPOs discussed in this guide are only for server versions of Windows because client computers are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. +The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. -In the Woodgrove Bank example, only the GPO settings for a Web service on Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 are discussed. +In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed. - [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary-ws2008.md) - -  - -  - - - - - 
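Review bot: the rewritten Note ("If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups") is vacuous on a page that now opens with "Applies to: Windows 10, Windows Server 2016 Technical Preview"; drop the OS qualifier instead of rewording it. The same applies to "a Web service on at least Windows Server 2008" and to the linked GPO name GPO_DOMISO_Boundary_WS2008, which still encodes the old per-OS scoping. Separately, the recommendation to run a script that reports devices assigned to more than one mutually exclusive group survives the edit, but the guide still ships no such script; a short PowerShell snippet comparing Get-ADGroupMember output for CG_DOMISO_Boundary against the isolated-domain group would make the advice actionable.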
diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md index e6e1d51bec..b44e15fdc1 100644 --- a/windows/keep-secure/boundary-zone.md +++ b/windows/keep-secure/boundary-zone.md 
@@ -2,32 +2,39 @@ title: Boundary Zone (Windows 10) description: Boundary Zone ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Boundary Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -In most organizations, some computers must be able to receive network traffic from computers that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted computers, create a boundary zone within your isolated domain. +In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. -Computers in the boundary zone are trusted computers that can accept communication requests both from other isolated domain member computers and from untrusted computers. Boundary zone computers try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating computer. +Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. -Because these boundary zone computers can receive unsolicited inbound communications from untrusted computers that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a computer to the boundary zone. 
For example, completing a formal business justification process before adding each computer to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. +Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. ![design flowchart](images/wfas-designflowchart1.gif) -The goal of this process is to determine whether the risk of adding a computer to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. +The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. 
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. -## GPO settings for boundary zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +## GPO settings for boundary zone servers running at least Windows Server 2008 -The boundary zone GPO for computers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 should include the following: +The boundary zone GPO for devices running at least Windows Server 2008 should include the following: - IPsec default settings that specify the following options: 
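Review bot: the heading "GPO settings for boundary zone servers running at least Windows Server 2008" contradicts the "Applies to" block added at the top of the same hunk; choose one scope for the page. The security content itself is unchanged by the rename and should stay prominent: because boundary-zone rules request rather than require authentication, these hosts accept plaintext from unauthenticated peers, which is why the per-device business justification before adding a member matters.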
@@ -39,11 +46,11 @@ The boundary zone GPO for computers running Windows Server 2012, Windows Server If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. - The following connection security rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication. 
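Review bot: "device-based Kerberos V5 authentication" does not match the labels in the Windows Firewall with Advanced Security console, where the IPsec authentication methods are "Computer (Kerberos V5)" and "User (Kerberos V5)"; the blanket computers-to-devices substitution should skip strings that name a UI option or an AD object type (computer accounts), otherwise readers cannot find the setting being described. The exemption-rule wording change is fine, and the reminder to list every domain controller is worth keeping as is: Kerberos must reach a DC before IPsec can authenticate anything, so a missing DC in the exemption list breaks authentication for the whole zone.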
@@ -51,18 +58,6 @@ The boundary zone GPO for computers running Windows Server 2012, Windows Server - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) - -   + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) **Next: **[Encryption Zone](encryption-zone.md) - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md index 93ba95bbff..979ef0e243 100644 --- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md 
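Review bot: the unchanged context line `**Next: **[Encryption Zone](encryption-zone.md)` keeps a space before the closing `**`, which Markdown does not treat as an emphasis close, so "Next:" renders with literal asterisks; since this hunk already touches the surrounding lines, change it to `**Next:** [Encryption Zone](encryption-zone.md)`. The PMTU-discovery Note conversion is fine.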
@@ -2,58 +2,25 @@ title: Checklist Configuring Basic Firewall Settings (Windows 10) description: Checklist Configuring Basic Firewall Settings ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Basic Firewall Settings +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring firewall defaults and settings** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Turn the firewall on and set the default inbound and outbound behavior.

Procedure topic[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)

_

Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules.

Procedure topic[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)

_

Configure the firewall to record a log file.

Procedure topic[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)

- -  - -  - -  - - - - +**Checklist: Configuring firewall defaults and settings** +| Task | Reference | +| - | - | +| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| +| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | +| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md index 3fe907d8cd..a3cd9303ca 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md 
@@ -2,124 +2,42 @@ title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) description: Checklist Configuring Rules for an Isolated Server Zone ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for an Isolated Server Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). -In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or computers who are authenticated members of a network access group (NAG). Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access in IPsec only to computers that are members of the NAG, because IPsec and IKE in those versions of Windows do not support user-based authentication. If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. +In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. 
-Computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can identify both computers and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. For more information, see “AuthIP in Windows Vista” (). +Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server. -## +**Checklist: Configuring rules for isolated servers** - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring rules for isolated servers for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. - -  - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

-

Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone.

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for all network traffic.

-
-Important   -

Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

-
-
-  -

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone.

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG.

Procedure topic[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Create a rule that requests authentication for all network traffic.
**Important:** Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 6d2a88909f..f954a6f45e 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md 
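Review bot: two rows of the new table are split across source lines, which Markdown tables do not support. The first row breaks after `you can create a copy of it.` and continues on the next line with `Copy the GPO from the isolated domain or from the encryption zone...`, and the authentication-request row breaks after `+| Create a rule that requests authentication for all network traffic.` with the `**Important:** Just as in an isolated domain...` text on the following line, so renderers will produce a one-cell row followed by a second row whose task column is the Important note. Join each row onto one line, using `<br>` where a line break inside the cell is wanted, or move the Important note to a paragraph below the table. Also, if the unchanged closing sentence `Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.` is not separated from the last row by a blank line, GFM will absorb it into the table as an extra row; insert an empty line after the last `|` row.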
@@ -2,125 +2,39 @@ title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). 
The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring rules for isolated servers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. +**Checklist: Configuring rules for isolated servers** +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | +| Create a rule that requests authentication for all inbound network traffic.

**Important:** Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | +| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|   - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for all inbound network traffic.

-
-Important   -

Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

-
-
-  -

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it.

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG.

Procedure topic[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  - Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md index bd93a5e321..899be3e221 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md 
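Review bot: the closing caveat `Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested.` appears among the removed lines of this hunk and is not re-added after the new table, whereas the companion isolated-server-zone checklist in this same patch keeps its equivalent sentence; if the drop is unintended, restore it below the table with a blank line before it. Separately, the table itself will not render as intended: the first row's reference cell spans two lines (`[Checklist: Creating Group Policy Objects](...)` on one line and `[Copy a GPO to Create a New GPO](...)|` on the next), and the authentication-request row has an empty line between `+| Create a rule that requests authentication for all inbound network traffic.` and `**Important:** Just as in an isolated domain...`, which terminates the table so that every row after it (encryption requirement, NAG, firewall rule, link GPO, test server) is rendered as plain text rather than table rows. Put each row on a single line and use `<br>` for the second link and for the Important note, and add a blank line between `+**Checklist: Configuring rules for isolated servers**` and `+| Task | Reference |` so the header is not read as part of the preceding paragraph.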
@@ -2,72 +2,31 @@ title: Checklist Configuring Rules for the Boundary Zone (Windows 10) description: Checklist Configuring Rules for the Boundary Zone ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for the Boundary Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring boundary zone rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.

Procedure topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

- -  - -  - -  - - - +**Checklist: Configuring boundary zone rules** +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md index c90e28f60a..f0d1aab7e7 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md 
@@ -2,74 +2,32 @@ title: Checklist Configuring Rules for the Encryption Zone (Windows 10) description: Checklist Configuring Rules for the Encryption Zone ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for the Encryption Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring encryption zone rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.

Procedure topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Add the encryption requirements for the zone.

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

- -  - -  - -  - - - +**Checklist: Configuring encryption zone rules** +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md index 84b4f69a88..bec1da29f6 100644 
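Review bot: no blank line is visible between `+- Windows Server 2016 Technical Preview` and the unchanged paragraph `This checklist includes tasks for configuring connection security rules...`; without one, Markdown treats the paragraph as a lazy continuation of the last bullet and renders it inside the "Applies to" list. Insert an empty line after the list (the same gap appears after the "Applies to" list in each of the other files in this patch). As in the boundary-zone checklist, the last row here still links to `add-test-computers-to-the-membership-group-for-a-zone.md` and says `test computers`, whereas the server-zone checklists in this patch point at `add-test-devices-to-the-membership-group-for-a-zone.md`; confirm which file name exists after this change and make the three checklists agree.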
--- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -2,106 +2,36 @@ title: Checklist Configuring Rules for the Isolated Domain (Windows 10) description: Checklist Configuring Rules for the Isolated Domain ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for the Isolated Domain +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring isolated domain rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. - -  - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the rule that requests authentication for all inbound network traffic.

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the AD DS organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic to and from the test computers.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

+**Checklist: Configuring isolated domain rules** +| Task | Reference | +| - | - | +| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic to and from the test computers. 
| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|   Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md index 698ddd1336..b846638c4e 100644 --- a/windows/keep-secure/checklist-creating-group-policy-objects.md +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md 
@@ -2,96 +2,42 @@ title: Checklist Creating Group Policy Objects (Windows 10) description: Checklist Creating Group Policy Objects ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Group Policy Objects +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a computer into a membership group. +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. The checklists for firewall, domain isolation, and server isolation include a link to this checklist. ## About membership groups - -For most GPO deployment tasks, you must determine which computers must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. 
To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a computer, you make that computer's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. ## About exclusion groups +A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. 
Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. -A Windows Firewall with Advanced Security design must often take into account domain-joined computers on the network that cannot or must not apply the rules and settings in the GPOs. Because these computers are typically fewer in number than the computers that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception computers into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a computer that is a member of both the membership group and the exception group is prevented from applying the GPO. Computers typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. - -You can also use a membership group for one zone as an exclusion group for another zone. For example, computers in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. 
- -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating Group Policy objects** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.

Procedure topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Procedure topic[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)

_

Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO.

-

If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter.

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a GPO for each version of Windows that has different implementation requirements.

Procedure topic[Create a Group Policy Object](create-a-group-policy-object.md)

_

Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group.

Procedure topic[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)

_

Create WMI filters to limit each GPO to only the computers that match the criteria in the filter.

Procedure topic[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - - +You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. +**Checklist: Creating Group Policy objects** +| Task | Reference | +| - | - | +| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| +| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | +| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | +| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | +| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | +| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md index c62910188e..16681cba2a 100644 --- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md 
+++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -2,60 +2,30 @@ title: Checklist Creating Inbound Firewall Rules (Windows 10) description: Checklist Creating Inbound Firewall Rules ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Inbound Firewall Rules +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist includes tasks for creating firewall rules in your GPOs. -## +**Checklist: Creating inbound firewall rules** - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating inbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires.

Procedure topic[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound network traffic on a specified port number.

Procedure topic[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound ICMP network traffic.

Procedure topic[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create rules that allow inbound RPC network traffic.

Procedure topic[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

Procedure topic[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+| Task | Reference | +| - | - | +| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| +| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| +| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| +| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)|   diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md index 0e6115009a..22b8d892c8 100644 --- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md 
@@ -2,52 +2,30 @@ title: Checklist Creating Outbound Firewall Rules (Windows 10) description: Checklist Creating Outbound Firewall Rules ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Outbound Firewall Rules +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This checklist includes tasks for creating outbound firewall rules in your GPOs. Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 support the use of outbound rules. +This checklist includes tasks for creating outbound firewall rules in your GPOs. -**Important**   -By default, in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. +>**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. 
-  +**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a rule that allows a program to send any outbound network traffic on any port it requires.

Procedure topic[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows outbound network traffic on a specified port number.

Procedure topic[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

Procedure topic[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+| Task | Reference | +| - | - | +| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| +| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)|   diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 843f11e525..c7701cd4f8 100644 --- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md 
@@ -2,99 +2,32 @@ title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10) description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client computers that must connect to servers in an isolated server zone. - -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring isolated server zone client rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO. For example, create and configure the GPO for Windows 8, create a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the required changes (if any) to the copy. - -  - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.

Checklist topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - - +This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. +**Checklist: Configuring isolated server zone client rules** +| Task | Reference | +| - | - | +| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange--main-mode--settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection--quick-mode--settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test devices to the NAG for the isolated server zone. 
Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md index 1c3c8530e2..f72a945895 100644 --- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md 
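Review bot: the first row of the new table, "Create a GPO for the client devices ... and that are running one of the versions of Windows", no longer names any version, so the reader cannot tell which GPO to create; either list the versions this topic applies to (the other files in this change add an "Applies to" list for Windows 10 and Windows Server 2016 Technical Preview) or drop the clause. Two further points in the same table: the "Create a rule that requests authentication" row still justifies the any-to-any rule with the fallback-to-clear behaviour of Windows Vista and Windows Server 2008, which should be restated for the versions this revision targets or removed, since request-mode fallback is the property that keeps the rule from breaking connectivity with devices that cannot use IPsec; and the Reference cell of the first row and the Task cell of the last row each span two lines, which splits a Markdown table row, so join each onto one line (for example with `<br/>` between the two links). Finally, the Reference links were shortened to `configure-authentication-methods.md`, `create-an-authentication-request-rule.md` and `add-test-devices-to-the-membership-group-for-a-zone.md`; confirm those topics exist or are renamed in this change, otherwise these rows become dead links.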
@@ -2,96 +2,35 @@ title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) description: Checklist Implementing a Basic Firewall Policy Design ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Basic Firewall Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a basic firewall policy design** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Basic Firewall Policy Design](basic-firewall-policy-design.md)

-

Conceptual topic[Firewall Policy Design Example](firewall-policy-design-example.md)

-

Conceptual topic[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)

_

Create the membership group and a GPO for each set of computers that require different firewall rules. Where GPOs will be similar, such as for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure the GPO with firewall default settings appropriate for your design.

Checklist topic[Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)

_

Create one or more inbound firewall rules to allow unsolicited inbound network traffic.

Checklist topic[Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)

_

Create one or more outbound firewall rules to block unwanted outbound network traffic.

Checklist topic[Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add test computers to the membership group, and then confirm that the computers receive the firewall rules from the GPOs as expected.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy the completed firewall policy settings to your computers.

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). + **Checklist: Implementing a basic firewall policy design** +| Task | Reference | +| - | - | +| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| +| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| +| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| +| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md index 67dfdd611b..23e5c64172 100644 --- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md 
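Review bot: no blank line separates the `>**Note:**` blockquote from the following "The procedures in this section use the Group Policy MMC snap-in interfaces..." paragraph, so that paragraph becomes a lazy continuation of the blockquote and renders inside the note; insert a blank line after the quoted sentence, and likewise before `**Checklist: Implementing a basic firewall policy design**` and before `| Task | Reference |`, since the bold caption is currently indented by one space and runs straight into the table. The PowerShell cross-reference also moved from the technet URL to the local topic `windows-firewall-with-advanced-security-administration-with-windows-powershell.md`; confirm that topic is added in this change so the link resolves.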
+++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -2,75 +2,29 @@ title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) description: Checklist Implementing a Certificate-based Isolation Policy Design ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Certificate-based Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist - -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing certificate-based authentication** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)

-

Conceptual topic[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)

-

Conceptual topic[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)

_

Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.

Procedure topic[Install Active Directory Certificate Services](install-active-directory-certificate-services.md)

_

Configure the certificate template for workstation authentication certificates.

Procedure topic[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)

_

Configure Group Policy to automatically deploy certificates based on your template to workstation computers.

Procedure topic[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)

_

On a test computer, refresh Group Policy and confirm that the certificate is installed.

Procedure topic[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)

- -  - -  - -  - - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist +**Checklist: Implementing certificate-based authentication** +| Task | Reference | +| - | - | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) | +| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)| +| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| +| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md index 1bb54f22dd..f89ac11201 100644 --- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md 
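Review bot: the quoted note ends without a period ("...remaining tasks in this checklist"), a defect carried over from the removed text; add it. This topic also drops the "you can also use Windows PowerShell" paragraph that the basic firewall and domain isolation checklists in this same change keep with the new local link; either keep it here for consistency or say why the certificate-based procedures are MMC-only. As in the other checklists, put a blank line after the `>**Note:**` blockquote so the bold `**Checklist: Implementing certificate-based authentication**` caption is not absorbed into the quote, and a blank line before `| Task | Reference |`.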
@@ -2,87 +2,33 @@ title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) description: Checklist Implementing a Domain Isolation Policy Design ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Domain Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -For more information about the security algorithms and authentication methods available in each version of Windows, see [IPsec Algorithms and Methods Supported in Windows](http://technet.microsoft.com/library/dd125380.aspx) at http://technet.microsoft.com/library/dd125380.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a domain isolation policy design** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Domain Isolation Policy Design](domain-isolation-policy-design.md)

-

Conceptual topic[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)

-

Conceptual topic[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)

_

Create the GPOs and connection security rules for the isolated domain.

Checklist topic[Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)

_

Create the GPOs and connection security rules for the boundary zone.

Checklist topic[Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)

_

Create the GPOs and connection security rules for the encryption zone.

Checklist topic[Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)

_

Create the GPOs and connection security rules for the isolated server zone.

Checklist topic[Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

_

After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.

Procedure topic[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)

- -  - -  - -  - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). +**Checklist: Implementing a domain isolation policy design** +| Task | Reference | +| - | - | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| +| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| +| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| +| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)| +| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md index be94daaa5c..ba750e4d59 100644 --- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md 
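Review bot: the "add computer accounts to the membership group to deploy rules and settings to your computers" row was not updated with the rest of the change: its Reference still points at `add-production-computers-to-the-membership-group-for-a-zone.md`, whereas the basic firewall checklist in this same change links `add-production-devices-to-the-membership-group-for-a-zone.md`; if that topic is being renamed, this link breaks, so use one name consistently. The removed intro also dropped the pointer to "IPsec Algorithms and Methods Supported in Windows" with no replacement, although the table asks the reader to configure the encryption zone and to move rules from request to require mode, both of which depend on knowing which algorithms and authentication methods each version supports; restore the reference or link a Windows 10 equivalent. Same blank-line issue after the `>**Note:**` blockquote as in the other checklists, and "for more info" should match the "for more information" wording used elsewhere in these topics.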
@@ -2,82 +2,32 @@ title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) description: Checklist Implementing a Standalone Server Isolation Policy Design ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Standalone Server Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a standalone server isolation policy design** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Server Isolation Policy Design](server-isolation-policy-design.md)

-

Conceptual topic[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)

-

Conceptual topic[Planning Server Isolation Zones](planning-server-isolation-zones.md)

_

Create the GPOs and connection security rules for isolated servers.

Checklist topic[Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)

_

Create the GPOs and connection security rules for the client computers that must connect to the isolated servers.

Checklist topic[Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)

_

Verify that the connection security rules are protecting network traffic on your test computers.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

_

After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it.

Procedure topic[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings.

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +**Checklist: Implementing a standalone server isolation policy design** +| Task | Reference | +| - | - | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| +| Create the GPOs and connection security rules for the client computers that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| +| Verify that the connection security rules are protecting network traffic on your test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings. | [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-computers.md b/windows/keep-secure/determining-the-trusted-state-of-your-computers.md deleted file mode 100644 index 4e2b3f8fd2..0000000000 --- a/windows/keep-secure/determining-the-trusted-state-of-your-computers.md +++ /dev/null 
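Review bot: "computers" was left unchanged throughout this file's table ("client computers", "test computers", "add computer accounts", and "Add Production Computers ..." linking `add-production-computers-to-the-membership-group-for-a-zone.md`), while the basic firewall checklist in this change switches to "devices" and the `-devices` topic names; pick one so these links do not go stale when the computers topics are renamed. The unchanged second paragraph also says this parent checklist covers "the domain isolation policy design" although the topic is the standalone server isolation design; worth correcting while the file is open. The PowerShell paragraph is dropped here but retained in the basic firewall and domain isolation checklists, and the `>**Note:**` blockquote again needs a blank line after it so the bold caption and table are not pulled into the quote.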
@@ -1,184 +0,0 @@ ---- -title: Determining the Trusted State of Your Computers (Windows 10) -description: Determining the Trusted State of Your Computers -ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 -author: brianlic-msft ---- - -# Determining the Trusted State of Your Computers - - -After obtaining information about the computers that are currently part of the IT infrastructure, you must determine at what point a computer is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. - -**Note**   -In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your computers just indicates the level of risk that you believe the computer brings to the network. Trusted computers bring little risk whereas untrusted computers can potentially bring great risk. - -  - -## Trust states - - -To understand this concept, consider the four basic states that apply to computers in a typical IT infrastructure. These states are (in order of risk, lowest risk first): - -- Trusted - -- Trustworthy - -- Known, untrusted - -- Unknown, untrusted - -The remainder of this section defines these states and how to determine which computers in your organization belong in each state. - -### Trusted state - -Classifying a computer as trusted means that the computer's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the computer. 
A trusted computer that is poorly managed will likely become a point of weakness for the network. - -When a computer is considered trusted, other trusted computers can reasonably assume that the computer will not initiate a malicious act. For example, trusted computers can expect that other trusted computers will not run a virus that attacks them, because all trusted computers are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. - -Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a computer to obtain trusted status. - -A possible list of technology requirements might include the following: - -- **Operating system.** A trusted client computer should run Windows 8, Windows 7, or Windows Vista. A trusted server should run Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. - -- **Domain membership.** A trusted computer will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member computers by using Group Policy. - -- **Management client.** All trusted computers must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Microsoft System Center Configuration Manager is one such management system with an appropriate client. For more information, see [System Center Configuration Manager](http://technet.microsoft.com/systemcenter/bb507744.aspx) at http://technet.microsoft.com/systemcenter/bb507744.aspx. - -- **Antivirus software.** All trusted computers will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. Microsoft ForeFront Endpoint Protection is one such antivirus software program. 
For more information, see [ForeFront Endpoint Protection](http://technet.microsoft.com/forefront/ee822838.aspx) at http://technet.microsoft.com/forefront/ee822838.aspx. - -- **File system.** All trusted computers will be configured to use the NTFS file system. - -- **BIOS settings.** All trusted portable computers will be configured to use a BIOS-level password that is under the management of the IT support team. - -- **Password requirements.** Trusted clients must use strong passwords. - -It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted computers to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. - -A computer that continues to meet all these security requirements can be considered trusted. However it is possible that most computers that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which computers can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. - -### Trustworthy state - -It is useful to identify as soon as possible those computers in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current computer can physically achieve the trusted state with required software and configuration changes. - -For each computer that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the computer to achieve trusted status. 
This information is especially important to both the project design team (to estimate the costs of adding the computer to the solution) and the support staff (to enable them to apply the required configuration). - -Generally, trustworthy computers fall into one of the following two groups: - -- **Configuration required.** The current hardware, operating system, and software enable the computer to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a computer can be considered trusted, a computer that uses a FAT32-formatted hard disk does not meet this requirement. - -- **Upgrade required.** These computers require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these computers might require: - - - **Operating system upgrade required.** If the computer's current operating system cannot support the security needs of the organization, an upgrade would be required before the computer could achieve a trusted state. - - - **Software required.** A computer that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. - - - **Hardware upgrade required.** In some cases, a computer might require a specific hardware upgrade before it can achieve trusted status. This type of computer usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the computer. - - - **Computer replacement required.** This category is reserved for computers that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. 
For example, a computer that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based computer). - -Use these groups to assign costs for implementing the solution on the computers that require upgrades. - -### Known, untrusted state - -During the process of categorizing an organization's computers, you will identify some computers that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: - -- **Financial.** The funding is not available to upgrade the hardware or software for this computer. - -- **Political.** The computer must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the computer to discuss the added value of server and domain isolation. - -- **Functional.** The computer must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the computer might be required to run an older operating system because a specific line of business application will only work on that operating system. - -There can be multiple functional reasons for a computer to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: - -- **Computers that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Computers that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. 
For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of computer configurations (although limited central management of user configurations is supported). - -- **Stand-alone computers.** Computers running any version of Windows that are configured as stand-alone computers or as members of a workgroup usually cannot achieve a trustworthy state. Although these computers fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the computer is not a part of a trusted domain. - -- **Computers in an untrusted domain.** A computer that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of computers that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when computers are not in a trusted domain. - -### Unknown, untrusted state - -The unknown, untrusted state should be considered the default state for all computers. Because computers in this state have a configuration that is unknown, you can assign no trust to them. All planning for computers in this state must assume that the computer is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the computers in this state can have on their organizations. 
- -## Capturing upgrade costs for current computers - - -The final step in this part of the process is to record the approximate cost of upgrading the computers to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: - -- Does the computer meet the minimum hardware requirements necessary for isolation? - -- Does the computer meet the minimum software requirements necessary for isolation? - -- What configuration changes must be made to integrate this computer into the isolation solution? - -- What is the projected cost or impact of making the proposed changes to enable the computer to achieve a trusted state? - -By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular computer or group of computers into the scope of the project. It is important to remember that the state of a computer is transitive, and that by performing the listed remedial actions you can change the state of a computer from untrusted to trusted. After you decide whether to place a computer in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. - -The following table is an example of a data sheet that you could use to help capture the current state of a computer and what would be required for the computer to achieve a trusted state. - - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer nameHardware reqs metSoftware reqs metConfiguration requiredDetailsProjected cost

CLIENT001

No

No

Upgrade hardware and software.

Current operating system is Windows XP. Old hardware is not compatible with Windows 8.

$??

SERVER001

Yes

No

Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.

No antivirus software present.

$??

- -  - -In the previous table, the computer CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many computers require the same upgrades, the overall cost of the solution would be much higher. - -The computer SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. - -With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. - -The costs identified in this section only capture the projected cost of the computer upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. - -For more information about how to configure firewalls to support IPsec, see "Configuring Firewalls" at . - -For more information about WMI, see "Windows Management Instrumentation" at . - -**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) - -  - -  - - - - - diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md new file mode 100644 index 0000000000..8bbd75608d --- /dev/null +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md 
@@ -0,0 +1,139 @@ +--- +title: Determining the Trusted State of Your Devices (Windows 10) +description: Determining the Trusted State of Your Devices +ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Determining the Trusted State of Your Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. + +>**Note:**  In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. + +## Trust states + + +To understand this concept, consider the four basic states that apply to devices in a typical IT infrastructure. These states are (in order of risk, lowest risk first): + +- Trusted + +- Trustworthy + +- Known, untrusted + +- Unknown, untrusted + +The remainder of this section defines these states and how to determine which devices in your organization belong in each state. + +### Trusted state + +Classifying a device as trusted means that the device's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. 
The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network. + +When a device is considered trusted, other trusted devices can reasonably assume that the device will not initiate a malicious act. For example, trusted devices can expect that other trusted devices will not run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. + +Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. + +A possible list of technology requirements might include the following: + +- **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008. + +- **Domain membership.** A trusted device will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member devices by using Group Policy. + +- **Management client.** All trusted devices must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Configuration Manager is one such management system with an appropriate client. + +- **Antivirus software.** All trusted devices will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. + +- **File system.** All trusted devices will be configured to use the NTFS file system. + +- **BIOS settings.** All trusted portable devices will be configured to use a BIOS-level password that is under the management of the IT support team. 
+ +- **Password requirements.** Trusted clients must use strong passwords. + +It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. + +A device that continues to meet all these security requirements can be considered trusted. However it is possible that most devices that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which devices can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. + +### Trustworthy state + +It is useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes. + +For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration). + +Generally, trustworthy devices fall into one of the following two groups: + +- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. 
However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk does not meet this requirement. + +- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: + + - **Operating system upgrade required.** If the device's current operating system cannot support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state. + + - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. + + - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device. + + - **Device replacement required.** This category is reserved for devices that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a device that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). + +Use these groups to assign costs for implementing the solution on the devices that require upgrades. + +### Known, untrusted state + +During the process of categorizing an organization's devices, you will identify some devices that cannot achieve trusted status for specific well-understood and well-defined reasons. 
These reasons might include the following types: + +- **Financial.** The funding is not available to upgrade the hardware or software for this device. + +- **Political.** The device must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation. + +- **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system. + +There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: + +- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). + +- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually cannot achieve a trustworthy state. 
Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device is not a part of a trusted domain. + +- **Devices in an untrusted domain.** A device that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when devices are not in a trusted domain. + +### Unknown, untrusted state + +The unknown, untrusted state should be considered the default state for all devices. Because devices in this state have a configuration that is unknown, you can assign no trust to them. All planning for devices in this state must assume that the device is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the devices in this state can have on their organizations. + +## Capturing upgrade costs for current devices + + +The final step in this part of the process is to record the approximate cost of upgrading the devices to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: + +- Does the device meet the minimum hardware requirements necessary for isolation? + +- Does the device meet the minimum software requirements necessary for isolation? + +- What configuration changes must be made to integrate this device into the isolation solution? + +- What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state? 
+ +By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It is important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. + +The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state. + +| Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware is not compatible with newer versions of Windows.| $??| +| SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??| + +In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher. + +The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. 
+ +With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. + +The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. + +**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md index d15b2fd6c4..88e67e80c4 100644 --- a/windows/keep-secure/documenting-the-zones.md +++ b/windows/keep-secure/documenting-the-zones.md @@ -2,84 +2,26 @@ title: Documenting the Zones (Windows 10) description: Documenting the Zones ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Documenting the Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: - --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Host nameHardware reqs metSoftware reqs metConfiguration requiredDetailsProjected costGroup

CLIENT001

No

No

Upgrade hardware and software.

Current operating system is Windows XP. Old hardware not compatible with Windows 8.

$??

Isolated domain

SERVER002

Yes

No

Join trusted domain, upgrade from Windows Server 2008 to Windows Server 2012

No antivirus software present.

$??

Encryption

SENSITIVE001

Yes

Yes

Not required.

Running Windows Server 2012. Ready for inclusion.

$0

Isolated server (in zone by itself)

PRINTSVR1

Yes

Yes

Not required.

Running Windows Server 2008 R2. Ready for inclusion.

$0

Boundary

- -  +| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware not compatible with newer versions of Windows.| $??| Isolated domain| +| SERVER002 | Yes| No| Join trusted domain, upgrade from Windows Server 2008 to at least Windows Server 2012| No antivirus software present.| $??| Encryption| +| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)| +| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary| **Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) - -  - -  - - - - - diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md index a02f4037c8..dcb49121a4 100644 --- a/windows/keep-secure/encryption-zone-gpos.md +++ b/windows/keep-secure/encryption-zone-gpos.md 
@@ -2,23 +2,21 @@ title: Encryption Zone GPOs (Windows 10) description: Encryption Zone GPOs ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Encryption Zone GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Handle encryption zones in a similar manner to the boundary zones. A computer is added to an encryption zone by adding the computer account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the computers that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. - -The GPO is only for server versions of Windows. Client computers are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. - -- [GPO\_DOMISO\_Encryption\_WS2008](gpo-domiso-encryption-ws2008.md) - -  - -  - - - +Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. +The GPO is only for server versions of Windows. Client devices are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. 
+- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md index 54a7dfeb35..f6fd2aacd4 100644 --- a/windows/keep-secure/encryption-zone.md +++ b/windows/keep-secure/encryption-zone.md 
@@ -2,24 +2,31 @@ title: Encryption Zone (Windows 10) description: Encryption Zone ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Encryption Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between computers. +Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. -To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the computers and that requires that the sensitive inbound and outbound network traffic be encrypted. +To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted. You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. 
-## GPO settings for encryption zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +## GPO settings for encryption zone servers running at least Windows Server 2008 -The GPO for computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 should include the following: +The GPO for devices that are running at least Windows Server 2008 should include the following: - IPsec default settings that specify the following options: 
@@ -31,16 +38,16 @@ The GPO for computers that are running Windows Server 2012, Windows Server 2008 If any NAT devices are present on your networks, use ESP encapsulation.. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. - The following connection security rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. **Important**   - Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. 
After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out.   @@ -48,20 +55,8 @@ The GPO for computers that are running Windows Server 2012, Windows Server 2008 - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). -   - -- If domain member computers must communicate with computers in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. +- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. **Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md) - -  - -  - - - - - 
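Review bot: the retained context line "If any NAT devices are present on your networks, use ESP encapsulation.." in this encryption-zone.md hunk carries a doubled period; since the surrounding lines are already being rewritten, drop the stray "." here as well. The new heading "GPO settings for encryption zone servers running at least Windows Server 2008" and the matching body sentence "The GPO for devices that are running at least Windows Server 2008" read awkwardly; "Windows Server 2008 or later" is the natural form, and the same phrase appears in the gpo-domiso-boundary.md, gpo-domiso-firewall.md and gpo-domiso-isolateddomain-servers.md hunks of this change, so whichever wording is chosen should be applied to all of them.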
diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md index 0a1aea9187..3ebf7a465b 100644 --- a/windows/keep-secure/exemption-list.md +++ b/windows/keep-secure/exemption-list.md 
@@ -2,29 +2,36 @@ title: Exemption List (Windows 10) description: Exemption List ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Exemption List +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all computers on the internal network, yet secured from network attacks. However, if they must remain available to all computers on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. +When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. -In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted computers cannot use IPsec to access, which would be added to the exemption list. +In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list. 
-Generally, the following conditions are reasons to consider adding a computer to the exemption list: +Generally, the following conditions are reasons to consider adding a device to the exemption list: -- If the computer must be accessed by trusted computers but it does not have a compatible IPsec implementation. +- If the device must be accessed by trusted devices but it does not have a compatible IPsec implementation. -- If the computer must provide services to both trusted and untrusted computers, but does not meet the criteria for membership in the boundary zone. +- If the device must provide services to both trusted and untrusted devices, but does not meet the criteria for membership in the boundary zone. -- If the computer must be accessed by trusted computers from different isolated domains that do not have an Active Directory trust relationship established with each other. +- If the device must be accessed by trusted devices from different isolated domains that do not have an Active Directory trust relationship established with each other. -- If the computer is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. +- If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. -- If the computer must support trusted and untrusted computers, but cannot use IPsec to help secure communications to trusted computers. +- If the device must support trusted and untrusted devices, but cannot use IPsec to help secure communications to trusted devices. -For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. 
If you can require all computers in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every computer that receives the GPO, including the following: +For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following: - Reduces the overall effectiveness of isolation. @@ -43,12 +50,3 @@ To keep the number of exemptions as small as possible, you have several options: As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section. **Next: **[Isolated Domain](isolated-domain.md) - -  - -  - - - - - diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md index 95375afd70..b264a38993 100644 --- a/windows/keep-secure/firewall-gpos.md +++ b/windows/keep-secure/firewall-gpos.md 
@@ -2,23 +2,21 @@ title: Firewall GPOs (Windows 10) description: Firewall GPOs ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Firewall GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -All the computers on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. +All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. The GPO created for the example Woodgrove Bank scenario include the following: - [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-boundary-ws2008.md b/windows/keep-secure/gpo-domiso-boundary.md similarity index 60% rename from windows/keep-secure/gpo-domiso-boundary-ws2008.md rename to windows/keep-secure/gpo-domiso-boundary.md index feafd79586..22db5273b8 100644 --- a/windows/keep-secure/gpo-domiso-boundary-ws2008.md +++ b/windows/keep-secure/gpo-domiso-boundary.md 
@@ -1,26 +1,32 @@ --- -title: GPO\_DOMISO\_Boundary\_WS2008 (Windows 10) -description: GPO\_DOMISO\_Boundary\_WS2008 +title: GPO\_DOMISO\_Boundary (Windows 10) +description: GPO\_DOMISO\_Boundary ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# GPO\_DOMISO\_Boundary\_WS2008 +# GPO\_DOMISO\_Boundary +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. -This GPO supports the ability for computers that are not part of the isolated domain to access specific servers that must be available to those untrusted computers. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. +This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008. ## IPsec settings - The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain when authentication can be used. ## Connection security rules -Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the computer uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted computer that is not part of the isolated domain connects. 
+Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that is not part of the isolated domain connects. ## Registry settings @@ -30,17 +36,8 @@ The boundary zone uses the same registry settings as the isolated domain to opti ## Firewall rules -Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. +Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other devices. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. **Next: **[Encryption Zone GPOs](encryption-zone-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-encryption-ws2008.md b/windows/keep-secure/gpo-domiso-encryption.md similarity index 100% rename from windows/keep-secure/gpo-domiso-encryption-ws2008.md rename to windows/keep-secure/gpo-domiso-encryption.md 
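Review bot: the title and H1 of gpo-domiso-boundary.md drop the _WS2008 suffix and the scope sentence now says "at least Windows Server 2008", but the unchanged context line still reads "Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO"; with no Windows Server 2008 specific GPO left in the set, reword it to name the source GPO (GPO_DOMISO_IsolatedDomain_Servers). Two follow-ups on the renames: gpo-domiso-encryption-ws2008.md is renamed with similarity index 100%, so its own title and H1 were not touched and, if they still carry _WS2008, need the same edit this file got; and every page that links to the old -ws2008.md names must be repointed, as the updated "- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md)" entry at the top of this diff already does for the encryption zone list.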
diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md index 5ffd27f985..226c9deac1 100644 --- a/windows/keep-secure/gpo-domiso-firewall.md +++ b/windows/keep-secure/gpo-domiso-firewall.md 
@@ -2,33 +2,35 @@ title: GPO\_DOMISO\_Firewall (Windows 10) description: GPO\_DOMISO\_Firewall ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # GPO\_DOMISO\_Firewall +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2. +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. ## Firewall settings - This GPO provides the following settings: - Unless otherwise stated, the firewall rules and settings described here are applied to all profiles. - The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed. -- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the computers can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**. +- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. 
These settings are applied only to the domain profile because the devices can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**. - **Note**   - Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot computers. - -   + >**Note:**  Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot devices. ## Firewall rules - This GPO provides the following rules: - Built-in firewall rule groups are configured to support typically required network operation. The following rule groups are set to **Allow the connection**: @@ -60,12 +62,3 @@ This GPO provides the following rules: - A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile. **Next: **[Isolated Domain GPOs](isolated-domain-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md index 0b881a5231..0f2faadb9e 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md 
+++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md 
@@ -2,150 +2,64 @@ title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) description: GPO\_DOMISO\_IsolatedDomain\_Clients ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # GPO\_DOMISO\_IsolatedDomain\_Clients +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client computers that are running Windows 8, Windows 7, or Windows Vista. +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. -Because client computers can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. +Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. ## General settings - This GPO provides the following settings: - No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy. - The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting. -- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. 
After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones. +- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones. - The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). - - - - - - - - - - - - - - - - - - - - - -
SettingValue

Enable PMTU Discovery

1

IPsec Exemptions

3

- -   +| Setting | Value | +| - | - | +| Enable PMTU Discovery | 1 | +| IPsec Exemptions | 3 | - The main mode security method combinations in the order shown in the following table. - - - - - - - - - - - - - - - - - - - - - -
IntegrityEncryption

Secure Hash Algorithm (SHA-1)

Advanced Encryption Standard (AES-128)

SHA-1

3DES

- -   - +| Integrity | Encryption | +| - | - | +| Secure Hash Algorithm (SHA-1) | Advanced Encryption Standard (AES-128) | +| SHA-1 | 3DES | + - The following quick mode security data integrity algorithms combinations in the order shown in the following table. - - - - - - - - - - - - - - - - - - - - -
ProtocolIntegrityKey Lifetime (minutes/KB)

ESP

SHA-1

60/100,000

- -   +| Protocol | Integrity | Key Lifetime (minutes/KB) | +| - | - | - | +| ESP | SHA-1 | 60/100,000 | - The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ProtocolIntegrityEncryptionKey Lifetime (minutes/KB)

ESP

SHA-1

AES-128

60/100,000

ESP

SHA-1

3DES

60/100,000

+| Protocol | Integrity | Encryption | Key Lifetime (minutes/KB) | +| - | - | - | - | +| ESP | SHA-1 | AES-128 | 60/100,000| +| ESP | SHA-1 | 3DES | 60/100,000| -   - -**Note**   -Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows. - -  +>**Note:**  Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows. ## Connection Security Rules - This GPO provides the following rules: - A connection security rule named **Isolated Domain Rule** with the following settings: 
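Review bot: the scope sentence in gpo-domiso-isolateddomain-clients.md keeps "intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista" while the new "Applies to" block lists Windows 10, so the page now excludes the operating system it claims to cover; either add Windows 10 or switch to the "at least Windows Vista" form the other pages in this change adopt. The same tension affects the rationale "Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank": the rewritten next sentence drops the list of operating systems that support stronger algorithms, so the reader can no longer tell which operating system forces the weak group, and the text should name it and the stronger groups to move to once it is retired. The HTML-to-markdown table conversion itself checks out: the four tables keep the same rows and order, the key lifetime cells still read "60/100,000", and the MD5/DES warning survives as a blockquote note.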
@@ -154,28 +68,16 @@ This GPO provides the following rules: - **Require inbound and request outbound** authentication requirements. - **Important**   - On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the computers were successfully communicating by using IPsec, they switched the GPOs to require authentication. + >**Important:**  On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the devices were successfully communicating by using IPsec, they switched the GPOs to require authentication. -   - - - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for computers that cannot run Windows or cannot join the domain, but must still participate in the isolated domain. + - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that cannot run Windows or cannot join the domain, but must still participate in the isolated domain. - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box. -- A connection security rule to exempt computers that are in the exemption list from the requirement to authenticate: +- A connection security rule to exempt devices that are in the exemption list from the requirement to authenticate: - - The IP addresses of all computers on the exemption list must be added individually under **Endpoint 2**. + - The IP addresses of all devices on the exemption list must be added individually under **Endpoint 2**. - Authentication mode is set to **Do not authenticate**. 
**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md index 20491ecac5..fb984adf5f 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md 
@@ -2,30 +2,26 @@ title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) description: GPO\_DOMISO\_IsolatedDomain\_Servers ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # GPO\_DOMISO\_IsolatedDomain\_Servers +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2. +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. -Because so many of the settings and rules for this GPO are common to those in the GPO for Windows 8, Windows 7 and Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for Windows 8, Windows 7 and Windows Vista, and importing it to the GPO for Windows Server 2012, Windows Server 2008 and Windows Server 2008 R2. After the import, change only the items specified here: +Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: -- This GPO applies all its settings to all profiles: Domain, Private, and Public. 
Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the computer to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). +- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). - **Important**   - Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the computer. If you attach a network adapter to a computer that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the computer. - -   + >**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device. **Next: **[Boundary Zone GPOs](boundary-zone-gpos.md) -  - -  - - - - - diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 17ef2d4aa4..b1adf33fd9 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md 
+++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -35,10 +35,10 @@ The following table lists the three main tasks for articulating, refining, and s

Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.

Predefined deployment goals:

    -
  • [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)

  • -
  • [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)

  • +
  • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)

  • +
  • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)

  • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

  • -
  • [Restrict Access to Sensitive Resources to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)

  • +
  • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)

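Review bot: the four link targets in this identifying-your-windows-firewall-with-advanced-security-deployment-goals.md hunk are updated consistently (protect-devices-from-unwanted-network-traffic.md, restrict-access-to-only-trusted-devices.md, restrict-access-to-only-specified-users-or-devices.md) and match the "Next:" link changed below, but the bullet list sits inside an HTML table cell, which is exactly the structure the gpo-domiso-isolateddomain-clients.md hunk in this same change converts to markdown tables; convert this table too so the guide does not end up with two table styles.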
@@ -57,4 +57,4 @@ The following table lists the three main tasks for articulating, refining, and s -**Next:** [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) +**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md index acd8702deb..25f0fba560 100644 --- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
@@ -2,23 +2,30 @@ title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10) description: Implementing Your Windows Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Implementing Your Windows Firewall with Advanced Security Design Plan +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: -- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the computers on your network. [Group Policy Analysis and Troubleshooting Overview](http://technet.microsoft.com/library/jj134223.aspx) (http://technet.microsoft.com/library/jj134223.aspx) can help you review and change, if necessary, your Group Policy infrastructure. +- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. -- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the computers on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external computers to connect to computers in that zone, then you must allow that traffic through the perimeter firewall to the computers in the boundary zone. +- **Perimeter firewall**. 
Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. -- **Computers running operating systems other than Windows**. If your network includes computers that are not running the Windows operating system, then you must make sure that required communication with those computers is not blocked by the restrictions put in place by your design. You must do one of the following: +- **Devices running operating systems other than Windows**. If your network includes devices that are not running the Windows operating system, then you must make sure that required communication with those devices is not blocked by the restrictions put in place by your design. You must do one of the following: - - Include those computers in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. + - Include those devices in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. - - Include the computer in the authentication exemption list included in your design. You can choose this option if for any reason the computer cannot participate in the isolated domain design. + - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design. 
## How to implement your Windows Firewall with Advanced Security design using this guide @@ -38,12 +45,3 @@ Use the following parent checklists in this section of the guide to become famil - [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). - -  - -  - - - - - diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md index 022c062ce6..b7f6c3b921 100644 --- a/windows/keep-secure/isolated-domain-gpos.md +++ b/windows/keep-secure/isolated-domain-gpos.md 
@@ -2,13 +2,20 @@ title: Isolated Domain GPOs (Windows 10) description: Isolated Domain GPOs ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Isolated Domain GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -All of the computers in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. +All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section. @@ -17,12 +24,3 @@ The GPOs created for the Woodgrove Bank isolated domain include the following: - [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md) - [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) - -  - -  - - - - - diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md index 9e52a463a4..3d23484bf9 100644 --- a/windows/keep-secure/isolated-domain.md 
+++ b/windows/keep-secure/isolated-domain.md 
@@ -2,26 +2,33 @@ title: Isolated Domain (Windows 10) description: Isolated Domain ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Isolated Domain +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -The isolated domain is the primary zone for trusted computers. The computers in this zone use connection security and firewall rules to control the communications that can be sent between computers in the zone. +The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. -The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted computers. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, computers that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. +The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. 
-For most implementations, an isolated domain will contain the largest number of computers. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. +For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. The GPOs for the isolated domain should contain the following connection security rules and settings. 
-## GPO settings for isolated domain members running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 +## GPO settings for isolated domain members running at least Windows Vista and Windows Server 2008 -GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 should include the following: +GPOs for devices running at least Windows Vista and Windows Server 2008 should include the following: - IPsec default settings that specify the following options: 
@@ -33,35 +40,20 @@ GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. - The following connection security rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment. + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment. - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. 
- **Important**   - Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out. - -   + >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out.  - A registry policy that includes the following values: - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). - -   + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). **Next: **[Boundary Zone](boundary-zone.md) - -  - -  - - - - - diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 012969637d..3187e17371 100644 
--- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -23,9 +23,9 @@ Use the following table to determine which Windows Firewall with Advanced Securi | Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design | | - |- | - | - | - | -| [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes| -| [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md) | -| Yes| Yes| Yes| -| [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)| -| -| Yes| Yes| +| [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes| +| [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) | -| Yes| Yes| Yes| +| [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)| -| -| Yes| Yes| | [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)| -| Optional| Optional| Optional| To examine details for a specific design, click the design title at the top of the column in the preceding table. diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md index 5882c9fec7..69e599b812 100644 --- a/windows/keep-secure/planning-certificate-based-authentication.md +++ b/windows/keep-secure/planning-certificate-based-authentication.md 
@@ -2,57 +2,53 @@ title: Planning Certificate-based Authentication (Windows 10) description: Planning Certificate-based Authentication ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Certificate-based Authentication +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Sometimes a computer cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the computer can still participate in the isolated domain by using certificate-based authentication. +Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. -The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each computer sends a copy of its certificate to the other computer. Each computer examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local computer. +The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each device sends a copy of its certificate to the other device. Each device examines the received certificate, and then validates its authenticity. 
To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local device. -Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS). For more information about creating and maintaining a PKI in your organization, see [Active Directory Certificate Services Overview](http://technet.microsoft.com/library/hh831740.aspx) at http://technet.microsoft.com/library/hh831740.aspx. +Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS). ## Deploying certificates - No matter how you acquire your certificates, you must deploy them to clients and servers that require them in order to communicate. ### Using Active Directory Certificate Services -If you use AD CS to create your own user and computer certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. AD CS then uses Group Policy to deploy the certificates to domain member computers. Computer certificates are deployed when a domain member computer starts. User certificates are deployed when a user logs on. +If you use AD CS to create your own user and device certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. 
AD CS then uses Group Policy to deploy the certificates to domain member devices. Device certificates are deployed when a domain member device starts. User certificates are deployed when a user logs on. -If you want non-domain member computers to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each computer or user includes enough identification information to enable IPsec to match the certificate to both user and computer accounts. +If you want non-domain member devices to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each device or user includes enough identification information to enable IPsec to match the certificate to both user and device accounts. -AD CS automatically ensures that certificates issued by the CAs are trusted by the client computers by putting the CA certificates in the correct store on each domain member computer. +AD CS automatically ensures that certificates issued by the CAs are trusted by the client devices by putting the CA certificates in the correct store on each domain member device. -### Using a commercially purchased certificate for computers running Windows +### Using a commercially purchased certificate for devices running Windows -You can import the certificates manually onto each computer if the number of computers is relatively small. For a deployment to more than a handful of computers, use Group Policy. +You can import the certificates manually onto each device if the number of devices is relatively small. For a deployment to more than a handful of devices, use Group Policy. 
-You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each computer that applies the GPO. +You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each device that applies the GPO. -You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each computer that applies the GPO. +You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each device that applies the GPO. -### Using a commercially purchased certificate for computers running a non-Windows operating system +### Using a commercially purchased certificate for devices running a non-Windows operating system If you are installing the certificates on an operating system other than Windows, see the documentation for that operating system. ## Configuring IPsec to use the certificates +When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution. -When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. 
Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or computers that are members of authorized groups in a server isolation solution. - -Starting in Windows Server 2012, the Administrator can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. +Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. **Next: **[Documenting the Zones](documenting-the-zones.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md index 79003e56ed..208265eefb 100644 --- a/windows/keep-secure/planning-domain-isolation-zones.md +++ b/windows/keep-secure/planning-domain-isolation-zones.md 
@@ -2,15 +2,22 @@ title: Planning Domain Isolation Zones (Windows 10) description: Planning Domain Isolation Zones ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Domain Isolation Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have the required information about your network, Active Directory, and client and server computers, you can use that information to make decisions about the isolation zones you want to use in your environment. +After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. -The bulk of the work in planning server and domain isolation is determining which computers to assign to each isolation zone. Correctly choosing the zone for each computer is important to providing the correct level of security without compromising performance or the ability a computer to send or receive required network traffic. +The bulk of the work in planning server and domain isolation is determining which devices to assign to each isolation zone. Correctly choosing the zone for each device is important to providing the correct level of security without compromising performance or the ability for a device to send or receive required network traffic. The zones described in this guide include the following: @@ -21,12 +28,3 @@ The zones described in this guide include the following: - [Boundary Zone](boundary-zone.md) - [Encryption Zone](encryption-zone.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md index 9346df25bc..050a5550f7 100644 --- a/windows/keep-secure/planning-gpo-deployment.md +++ b/windows/keep-secure/planning-gpo-deployment.md 
@@ -2,133 +2,115 @@ title: Planning GPO Deployment (Windows 10) description: Planning GPO Deployment ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning GPO Deployment +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -You can control which GPOs are applied to computers in Active Directory in a combination of three ways: +You can control which GPOs are applied to devices in Active Directory in a combination of three ways: -- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All computers in the OU and its subordinate containers receive and apply the GPO. +- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO. - Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to computers based on their location within Active Directory. If a computer is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. + Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to devices based on their location within Active Directory. If a device is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. -- **Security group filtering**. 
This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which computers receive the GPO by using permissions that only allow correct group members to apply the GPO. +- **Security group filtering**. This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO. - The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those computers whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. + The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those devices whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. -- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a computer is a member of the result set when the WMI filter query runs, the GPO is applied to the computer. +- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a device is a member of the result set when the WMI filter query runs, the GPO is applied to the device. - A WMI filter consists of one or more conditions that are evaluated against the local computer. You can check almost any characteristic of the computer, its operating system, and its installed programs. 
If all of the specified conditions are true for the computer, the GPO is applied; otherwise the GPO is ignored. + A WMI filter consists of one or more conditions that are evaluated against the local device. You can check almost any characteristic of the device, its operating system, and its installed programs. If all of the specified conditions are true for the device, the GPO is applied; otherwise the GPO is ignored. This guide uses a combination of security group filtering and WMI filtering to provide the most flexible options. If you follow this guidance, even though there might be five different GPOs linked to a specific group because of operating system version differences, only the correct GPO is applied. ## General considerations - -- Deploy your GPOs before you add any computer accounts to the groups that receive the GPOs. That way you can add your computers to the groups in a controlled manner. Be sure to add only a few test computers at first. Before adding many group members, examine the results on the test computers and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue. +- Deploy your GPOs before you add any device accounts to the groups that receive the GPOs. That way you can add your devices to the groups in a controlled manner. Be sure to add only a few test devices at first. Before adding many group members, examine the results on the test devices and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue. 
## Test your deployed groups and GPOs +After you have deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members: -After you have deployed your GPOs and added some test computers to the groups, confirm the following before you continue with more group members: +- Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. -- Examine the GPOs that are both assigned to and filtered from the computer. Run the **gpresult** tool at a command prompt. - -- Examine the rules deployed to the computer. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. +- Examine the rules deployed to the device. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. - Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. -- Verify that communications are encrypted when the computers require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. +- Verify that communications are encrypted when the devices require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. - Verify that your programs are unaffected. Run them and confirm that they still work as expected. 
-After you have confirmed that the GPOs have been correctly applied, and that the computers are now communicating by using IPsec network traffic in request mode, you can begin to add more computers to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the computers. +After you have confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices. ## Do not enable require mode until deployment is complete +If you deploy a GPO that requires authentication to a device before the other devices have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the devices are successfully communicating by using IPsec. -If you deploy a GPO that requires authentication to a computer before the other computers have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the computers are successfully communicating by using IPsec. +If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, devices can continue to operate, because request mode enables any device to fall back to clear communications. -If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, computers can continue to operate, because request mode enables any computer to fall back to clear communications. 
- -Only after you have added all of the computers to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. +Only after you have added all of the devices to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. Do not change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections. -If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of computers to the larger groups. +If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of devices to the larger groups. ## Example Woodgrove Bank deployment plans +Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of devices. All of the GPOs have the User Configuration section disabled to improve performance. 
-Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of computers. All of the GPOs have the User Configuration section disabled to improve performance. +### GPO\_DOMISO\_Firewall -### GPO\_DOMISO\_Firewall\_2008\_Win7-Vista - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType <> "2"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers running versions of Windows earlier than Windows Vista and Windows Server 2008. + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices running versions of Windows earlier than Windows Vista and Windows Server 2008. + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC. -   +### GPO\_DOMISO\_IsolatedDomain\_Clients -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC. - -### GPO\_DOMISO\_IsolatedDomain\_Clients\_Win7Vista - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. 
The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"` -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. -### GPO\_DOMISO\_IsolatedDomain\_Servers\_WS2008 +### GPO\_DOMISO\_IsolatedDomain\_Servers -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. -   +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. -- **Security filter**. 
This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. +### GPO\_DOMISO\_Boundary -### GPO\_DOMISO\_Boundary\_WS2008 - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. -   +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. +### GPO\_DOMISO\_Encryption -### GPO\_DOMISO\_Encryption\_WS2008 - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. 
The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. - -   - -- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to computers that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC. - -  - -  - - - - + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. +- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to devices that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC. diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md index 83dd7f12ae..fff34a12c7 100644 --- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md 
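Review bot: Dropping the version suffixes from the GPO names in this hunk (`GPO_DOMISO_Firewall_2008_Win7-Vista` becomes `GPO_DOMISO_Firewall`, and likewise for the IsolatedDomain, Boundary and Encryption GPOs) makes them read as version-neutral, but every WMI filter is left as `select * from Win32_OperatingSystem where Version like "6.%" ...`, which matches only the NT 6.x releases (Windows Vista through Windows 8.1, Windows Server 2008 through 2012 R2). Windows 10 and Windows Server 2016 report a `Version` of `10.0.*`, so as written none of these GPOs would apply to the platforms the rest of this change adds in its "Applies to" blocks. Either widen the query (for example add `or Version like "10.%"` to each filter) or keep the version in the GPO name so the restriction stays visible. Minor: the text switches between "require mode" and "the required mode setting"; pick one term.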
@@ -2,15 +2,22 @@ title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) description: Planning Group Policy Deployment for Your Isolation Zones ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Group Policy Deployment for Your Isolation Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have decided on the best logical design of your isolation environment for the network and computer security requirements, you can start the implementation plan. +After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. -You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the computer accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct computers within each group. +You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct devices within each group. - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) 
@@ -19,12 +26,3 @@ You have a list of isolation zones with the security requirements of each. For i - [Planning the GPOs](planning-the-gpos.md) - [Planning GPO Deployment](planning-gpo-deployment.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md index 209c9c78e2..b4f667a50b 100644 --- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md 
@@ -2,78 +2,38 @@ title: Planning Isolation Groups for the Zones (Windows 10) description: Planning Isolation Groups for the Zones ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Isolation Groups for the Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A computer is assigned to a zone by adding its computer account to the group which represents that zone. +Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. -**Caution**   -Do not add computers to your groups yet. If a computer is in a group when the GPO is activated then that GPO is applied to the computer. If the GPO is one that requires authentication, and the other computers have not yet received their GPOs, the computer that uses the new GPO might not be able to communicate with the others. - -  +>**Caution:**  Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others. Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead. The following table lists typical groups that can be used to manage the domain isolation zones discussed in the Woodgrove Bank example in this guide: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Group nameDescription

CG_DOMISO_No_IPsec

A universal group of computer accounts that do not participate in the IPsec environment. Typically consists of infrastructure computer accounts that will also be included in exemption lists.

-

This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.

CG_DOMISO_IsolatedDomain

A universal group of computer accounts that contains the members of the isolated domain.

-

During the early days of testing, this group might contain only a very small number of computers. During production, it might contain the built-in Domain Computers group to ensure that every computer in the domain participates.

-

Members of this group receive the domain isolation GPO that requires authentication for inbound connections.

CG_DOMISO_Boundary

A universal group of computer accounts that contains the members of the boundary zone.

-

Members of this group receive a GPO that specifies that authentication is requested, but not required.

CG_DOMISO_Encryption

A universal group of computer accounts that contains the members of the encryption zone.

-

Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections.

CG_SRVISO_ServerRole

A universal group of computer accounts that contains the members of the server isolation group.

-

Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.

-

There will be one group for each set of servers that have different user and computer restriction requirements.

- -  +| Group name | Description | +| - | - | +| CG_DOMISO_No_IPsec | A universal group of device accounts that do not participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.| +| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
During the early days of testing, this group might contain only a very small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| +| CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.

Members of this group receive a GPO that specifies that authentication is requested, but not required.| +| CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections. +| CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
There will be one group for each set of servers that have different user and device restriction requirements. | Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md). -If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the computer. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. +If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. **Next: **[Planning Network Access Groups](planning-network-access-groups.md) -  - -  - - - - - diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md index e96e8d26f2..4d9b002e7c 100644 --- a/windows/keep-secure/planning-network-access-groups.md +++ b/windows/keep-secure/planning-network-access-groups.md 
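Review bot: In the new markdown table, the `CG_DOMISO_Encryption` row has no closing `|` (it ends at `...required for all inbound connections.` while every other row ends with `|`); add it so all rows are terminated the same way, since renderers differ in how they treat an unterminated row. Also confirm that the multi-sentence description cells (for example the three sentences for `CG_DOMISO_IsolatedDomain`) are joined with explicit `<br/>` breaks rather than raw newlines, because a newline inside a cell ends the row. Leaving the group identifiers (`CG_DOMISO_No_IPsec`, `CG_SRVISO_*ServerRole*`) and the built-in **Domain Computers** group name unchanged while the prose moves to "device" is the right call.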
@@ -2,67 +2,32 @@ title: Planning Network Access Groups (Windows 10) description: Planning Network Access Groups ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Network Access Groups +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -A network access group (NAG) is used to identify users and computers that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a computer, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. +A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. -Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the computers or users that are granted access. You can optionally split the NAG into two different groups: one for authorized computers and one for authorized users. +Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the devices or users that are granted access. You can optionally split the NAG into two different groups: one for authorized devices and one for authorized users. The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. 
The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership. -For the Woodgrove Bank scenario, access to the computers running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative computers. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. +For the Woodgrove Bank scenario, access to the devices running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. - ----- - - - - - - - - - - - - - - - - - - - -
NAG NameNAG Member Users, Computers, or GroupsDescription

CG_NAG_ServerRole_Users

Svr1AdminA

-

Svr1AdminB

-

Group_AppUsers

-

AppSvcAccount

This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.

CG_NAG_ServerRole_Computers

Desktop1

-

Desktop2

-

AdminDT1

-

AppAdminDT1

This group contains all computers that are authorized to make inbound IPsec connections to the isolated servers in this zone.

+| NAG Name | NAG Member Users, Computers, or Groups | Description | +| - | - | - | +| CG_NAG_*ServerRole*_Users| Svr1AdminA
Svr1AdminB
Group_AppUsers
AppSvcAccount| This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.| +| CG_NAG_*ServerRole*_Computers| Desktop1
Desktop2
AdminDT1
AppAdminDT1| This group contains all devices that are authorized to make inbound IPsec connections to the isolated servers in this zone.| -  - -**Note**   -Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the computer or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5. - -  +>**Note:**  Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5. **Next: **[Planning the GPOs](planning-the-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md index dc95031002..12688b93c9 100644 --- a/windows/keep-secure/planning-server-isolation-zones.md +++ b/windows/keep-secure/planning-server-isolation-zones.md 
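Review bot: The rewritten Woodgrove paragraph carries over two pre-existing errors: `access to the devices running SQL Server that support the WGBank application are restricted` should be `is restricted` (the subject is "access"), and `the service account that is used to the run the WGBank front end service` has a stray `the` before `run`. Since the line is already being touched for the rename, fix both here. The converted table should also be checked for the same `<br/>`-versus-newline issue as the other tables in this change, since each NAG member cell lists four names.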
@@ -2,45 +2,46 @@ title: Planning Server Isolation Zones (Windows 10) description: Planning Server Isolation Zones ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Server Isolation Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any computers that are outside the isolated domain, and encrypts all network connections to server. +Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. -The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or computers who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved computers. +The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices. 
-To grant access, you add the approved user and computer accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided computer and user accounts for group membership in the NAGs. If either the user or computer is not a member of a required NAG then the network connection is refused. +To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device is not a member of a required NAG then the network connection is refused. ## Isolated domains and isolated servers +If you are using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user. -If you are using an isolated domain, the client computers already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. 
The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized computer or user. - -If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client computers that you want to access the server to use the appropriate IPsec rules. If the client computers are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. +If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. ## Creating multiple isolated server zones - Each set of servers that must be accessed by different sets of users should be set up in its own isolated server zone. After one set of GPOs for one isolated server zone has been successfully created and verified, you can copy the GPOs to a new set. You must change the GPO names to reflect the new zone, the name and membership of the isolated server zone group to which the GPOs are applied, and the names and membership of the NAG groups that determine which clients can access the servers in the isolated server zone. ## Creating the GPOs - Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. 
You then modify the rules to additionally restrict access to only NAG members. -### GPO settings for isolated servers running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 +### GPO settings for isolated servers running at least Windows Server 2008 -GPOs for computers running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 should include the following: +GPOs for devices running at least Windows Server 2008 should include the following: -**Note**   -The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. - -  +>**Note:**  The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. - IPsec default settings that specify the following options: 
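Review bot: `encrypts all network connections to server` in the first rewritten paragraph is missing its article (`to the server`); the line is already changing, so fix it in the same edit. The blank lines removed after the `## Creating multiple isolated server zones` and `## Creating the GPOs` headings are harmless in markdown, but the rest of this page keeps a blank line after headings, so the spacing should be consistent one way or the other.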
@@ -52,37 +53,22 @@ The connection security rules described here are identical to the ones for the e If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else computers that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else devices that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method. - The following connection security and firewall rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. 
+ - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. - **Important**   - Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. -   - - - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both computer and user network access groups. + - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both device and user network access groups. - A registry policy that includes the following values: - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. 
- **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). - -   + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). **Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md index 4609526945..4fcbd977dc 100644 --- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md 
@@ -2,22 +2,26 @@ title: Planning Settings for a Basic Firewall Policy (Windows 10) description: Planning Settings for a Basic Firewall Policy ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Settings for a Basic Firewall Policy +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have identified your requirements, and have the information about the network layout and computers available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the computers. +After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. The following is a list of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis: -- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private** (on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2). Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on computers that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. 
For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. +- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. - **Important**   - We recommend that on server computers that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop computers, and only support different profiles on portable computers. - -   + >**Important:**  We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop devices, and only support different profiles on portable devices. - **Firewall state: On**. We recommend that you prevent the user from turning it off. 
@@ -35,24 +39,12 @@ The following is a list of the firewall settings that you might consider for inc - **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions. -- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another computer on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. +- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. - Inbound rules are common on servers, because they host services to which client computers connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required. + Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. 
Examine the rules to ensure that they do not open up more ports than are required. - **Important**   - If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. - -   + >**Important:**  If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. - **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs. **Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md index e2809e0d05..b22f0497cd 100644 --- a/windows/keep-secure/planning-the-gpos.md +++ b/windows/keep-secure/planning-the-gpos.md 
@@ -2,45 +2,45 @@ title: Planning the GPOs (Windows 10) description: Planning the GPOs ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning the GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the computers to the zones. +When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. ## General considerations - A few things to consider as you plan the GPOs: -- Do not allow a computer to be a member of more than one isolation zone. A computer in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior. +- Do not allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior. The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones. -- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The computers will negotiate down from the top of their lists, selecting one that is configured on both computers. So a computer that is running Windows Vista that is connected to a server that is running Windows Server 2012 can communicate by using a much more secure algorithm. 
+- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The devices will negotiate down from the top of their lists, selecting one that is configured on both devices. - The primary difference in your domain isolation GPOs is whether the rules request or require authentication. - **Caution**   - It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the computers over time, applying a require policy to one computer breaks its ability to communicate with another computer that has not yet received its policy. Using request mode at the beginning enables computers to continue communicating by using plaintext connections if required. After you confirm that your computers are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. + >**Caution:**  It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. -   +- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. 
If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. -- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the computer. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the computer handles network traffic will change accordingly. We recommend for stationary computers, such as desktops and servers, that you assign any rule for the computer to all profiles. Apply GPOs that change rules per network location to computers that must move between networks, such as your portable computers. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. For more information, see Network Location Types at . 
- - **Note**   - Computers running Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2 support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. - -   + >**Note:**  Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. ## Woodgrove Bank example GPOs -The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which computers receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. +The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. 
GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. In this section you can find information about the following: @@ -53,12 +53,3 @@ In this section you can find information about the following: - [Encryption Zone GPOs](encryption-zone-gpos.md) - [Server Isolation GPOs](server-isolation-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md index e044483cf2..1801d2a86a 100644 --- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md 
@@ -2,20 +2,26 @@ title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10) description: Planning to Deploy Windows Firewall with Advanced Security ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning to Deploy Windows Firewall with Advanced Security +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. ## Reviewing your Windows Firewall with Advanced Security Design - If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: -- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which computers apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: +- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) 
@@ -23,13 +29,13 @@ If the design team that created the Windows Firewall with Advanced Security desi - [Planning GPO Deployment](planning-gpo-deployment.md) -- The communication to be allowed between members of each of the zones in the isolated domain and computers that are not part of the isolated domain or members of the isolated domain's exemption list. +- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list. - The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. -- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between computers might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated. +- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated. 
-- The requirement that all computers that must communicate with each other share a common set of: +- The requirement that all devices that must communicate with each other share a common set of: - Authentication methods @@ -37,15 +43,6 @@ If the design team that created the Windows Firewall with Advanced Security desi - Quick mode data integrity algorithms - If at least one set of each does not match between two computers, then the computers cannot successfully communicate. + If at least one set of each does not match between two devices, then the devices cannot successfully communicate. After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). - -  - -  - - - - - diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md index 4c5d9ec780..c800eca94d 100644 --- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md 
@@ -2,43 +2,47 @@ title: Planning Your Windows Firewall with Advanced Security Design (Windows 10) description: Planning Your Windows Firewall with Advanced Security Design ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Your Windows Firewall with Advanced Security Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. ## Basic firewall design - -We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. +We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section. ## Algorithm and method support and selection - -To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths. To review the algorithms and methods supported in versions of the Windows operating system, see IPsec Algorithms and Methods Supported in Windows (). 
+To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths. ## IPsec performance considerations +Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. -Although IPsec is critically important in securing network traffic going to and from your computers, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your computer from making use of all of the available bandwidth. For example, an IPsec-enabled computer using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. - -IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a computer’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. For more information, see Improving Network Performance by Using IPsec Task Offload (). 
+IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. ## Domain isolation design Include this design in your plans: -- If you have an Active Directory domain of which most of the computers are members. +- If you have an Active Directory domain of which most of the devices are members. -- If you want to prevent the computers in your organization from accepting any unsolicited network traffic from computers that are not part of the domain. +- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that are not part of the domain. -If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the computers are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. +If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. 
When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. @@ -47,9 +51,9 @@ When you are ready to examine the options for creating an isolated domain, see t Include this design in your plans: -- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and computers. +- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices. -- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and computers. +- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices. If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements. 
@@ -60,37 +64,28 @@ When you are ready to examine the options for isolating servers, see the [Planni Include this design in your plans: -- If you want to implement some of the elements of domain or server isolation on computers that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism. +- If you want to implement some of the elements of domain or server isolation on devices that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism. -- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the computer is not running Windows, or for any other reason. +- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the device is not running Windows, or for any other reason. -- You must enable external computers that are not managed by your organization to access information on one of your servers, and want to do this in a secure way. +- You must enable external devices that are not managed by your organization to access information on one of your servers, and want to do this in a secure way. -If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the computers that require it. +If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it. When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section. 
## Documenting your design -After you finish selecting the designs that you will use, you must assign each of your computers to the appropriate isolation zone and document the assignment for use by the deployment team. +After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. - [Documenting the Zones](documenting-the-zones.md) ## Designing groups and GPOs -After you have selected a design and assigned your computers to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your computers. +After you have selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your devices. When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. **Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) - -  - -  - - - - - diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index 4a19f0dbf8..0a0d740794 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md 
@@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 Technical Preview -The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. +The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md index acfe57e0bb..149730d1a5 100644 --- a/windows/keep-secure/server-isolation-gpos.md +++ b/windows/keep-secure/server-isolation-gpos.md 
@@ -2,35 +2,30 @@ title: Server Isolation GPOs (Windows 10) description: Server Isolation GPOs ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Server Isolation GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Each set of computers that have different users or computers accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on computers in the zone. The Woodgrove Bank example has an isolation zone for their computers that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. +Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. -All of the computer accounts for computers in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. 
Client computers are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. +All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. -## GPO\_SRVISO\_WS2008 +## GPO\_SRVISO -This GPO is identical to the GPO\_DOMISO\_Encryption\_WS2008 GPO with the following changes: +This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following changes: - The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs granted permission include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers. - **Important**   - Earlier versions of Windows support only computer-based authentication. If you specify that user authentication is mandatory, only users on computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 can connect. - -   + >**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect. **Next: **[Planning GPO Deployment](planning-gpo-deployment.md) - -  - -  - - - - - diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md index 915d050d9a..5dabaedf02 100644 
--- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md 
@@ -2,19 +2,25 @@ title: Windows Firewall with Advanced Security Deployment Guide (Windows 10) description: Windows Firewall with Advanced Security Deployment Guide ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Windows Firewall with Advanced Security Deployment Guide +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -You can use the Windows Firewall with Advanced Security MMC snap-in in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 to help protect the computers and the data that they share across a network. +You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. -You can use Windows Firewall to control access to the computer from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from computer to computer. +You can use Windows Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. ## About this guide - This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. 
Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). 
@@ -33,44 +39,24 @@ After you select your design and gather the required information about the zones Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. -**Caution**   -We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the computers in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. - -In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or computer accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded. For more information about the problems associated with excessive group membership, see the following articles in the Microsoft Knowledge Base: - -- Article 327825, “New resolution for problems with Kerberos authentication when users belong to many groups” () - -- Article 263693 “Group Policy may not be applied to users belonging to many groups” () - -- Article 328889 “Users who are members of more than 1,015 groups may fail logon authentication” () +>**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. 
These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. +In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded.   - ## What this guide does not provide - This guide does not provide: - Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. -- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. For more information, see Active Directory Domain Services () and Group Policy (). +- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. -- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. For this information, see Active Directory Certificate Services (). +- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. ## Overview of Windows Firewall with Advanced Security +Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. 
Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. -Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the computer by allowing you to create rules that determine which network traffic is permitted to enter the computer from the network and which network traffic the computer is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any computer that is attempting to communicate with your computer. When authentication is required, computers that cannot be authenticated as a trusted computer cannot communicate with your computer. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. - -The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. 
While the Windows Firewall Control Panel program can protect a single computer in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - -For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365.aspx) at http://technet.microsoft.com/library/hh831365.aspx. - -  - -  - - - - +The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. +For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).
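Review bot: In the require-encryption-when-accessing-sensitive-network-resources.md hunk, the link target is changed from `restrict-access-to-only-trusted-computers.md` to `restrict-access-to-only-trusted-devices.md`, but no rename of that file appears in this hunk; confirm the `-devices.md` page exists (or add the rename and its TOC entry in the same change), otherwise the cross-reference breaks on publish.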
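Review bot: In the server-isolation-gpos.md hunk the rewritten paragraph carries over the typo "granted Read and Apply Group Policy permissions in on the GPOs" (drop "in"), and "Each set of devices that have different users or devices accessing them require a separate server isolation zone" should read "requires". More substantively, the heading is renamed from `GPO_SRVISO_WS2008` to `GPO_SRVISO` and the reference from `GPO_DOMISO_Encryption_WS2008` to `GPO_DOMISO_Encryption`, while the unchanged sentence "Each zone requires one GPO for each version of Windows running on devices in the zone" still describes per-version GPOs; either keep the version suffix or update that sentence so the naming and the guidance agree. The `**Next: **` context line has a space inside the closing `**`, which most Markdown renderers will not treat as bold; `**Next:** ` fixes it.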
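Review bot: In the windows-firewall-with-advanced-security-deployment-guide.md hunk starting at `@@ -33,44 +39,24 @@`, the re-added Overview paragraph still enumerates "Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2", which contradicts the intro rewritten earlier in this patch to "at least Windows Vista or Windows Server 2008" and omits the Windows 10 / Windows Server 2016 Technical Preview versions the new "Applies to" block claims; use the same "at least Windows Vista or Windows Server 2008" wording here. Two smaller points: the replacement of the Caution block drops the three Knowledge Base references (327825, 263693, 328889), which were the reader's only pointer to the group-membership and logon limits the text alludes to with "if network protocol limits are exceeded"; if the empty `()` link placeholders were the reason, keep the article numbers and titles rather than removing the references. Also, if the `>**Caution:**` line is not followed by a blank line before "+In a large enterprise environment...", Markdown lazy continuation will pull that second paragraph into the blockquote; add a blank line between them. Finally, confirm the new relative target `windows-firewall-with-advanced-security.md` exists in the tree, since it replaces the external TechNet URL.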