deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

restart re-org

Browse Source
This commit is contained in:
Justin Hall
2018-02-01 09:55:37 -08:00
parent 01c6963b9d
commit 897162ef2b
640 changed files with 2802 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Add Production Devices to the Membership Group for a Zone (Windows 10)
description: Add Production Devices to the Membership Group for a Zone
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Add Production Devices to the Membership Group for a Zone
**Applies to**
- Windows 10
- Windows Server 2016
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
**Caution**  
For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode.
 
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
3. In the details pane, double-click the GPO membership group to which you want to add computers.
4. Select the **Members** tab, and then click **Add**.
5. Type **Domain Computers** in the text box, and then click **OK**.
6. Click **OK** to close the group properties dialog box.
After a computer is a member of the group, you can force a Group Policy refresh on the computer.
## To refresh Group Policy on a device
From an elevated command prompt, type the following:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
## To see which GPOs are applied to a device
From an elevated command prompt, type the following:
``` syntax
gpresult /r /scope:computer
```
 
 

78
windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Add Test Devices to the Membership Group for a Zone (Windows 10)
description: Add Test Devices to the Membership Group for a Zone
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Add Test Devices to the Membership Group for a Zone
**Applies to**
- Windows 10
- Windows Server 2016
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account.
3. In the details pane, double-click the GPO membership group to which you want to add devices.
4. Select the **Members** tab, and then click **Add**.
5. Type the name of the device in the text box, and then click **OK**.
6. Repeat steps 5 and 6 for each additional device account or group that you want to add.
7. Click **OK** to close the group properties dialog box.
After a device is a member of the group, you can force a Group Policy refresh on the device.
## To refresh Group Policy on a device
From a elevated command prompt, run the following:
``` syntax
gpupdate /target:device /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
## To see which GPOs are applied to a device
From an elevated command prompt, run the following:
``` syntax
gpresult /r /scope:computer
```
 
 

94
windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md Normal file
View File

@ -0,0 +1,94 @@
---
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
description: Appendix A Sample GPO Template Files for Settings Used in this Guide
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Appendix A: Sample GPO Template Files for Settings Used in this Guide
**Applies to**
- Windows 10
- Windows Server 2016
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there.
To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply.
>**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organizations deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">
<Registry
clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
name="Enable PMTU Discovery"
status="EnablePMTUDiscovery"
image="12"
changed="2008-05-30 20:37:37"
uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt;
This setting configures whether computers can use PMTU
discovery on the network.&lt;p&gt;
&lt;b&gt;1&lt;/b&gt; -- Enable&lt;br&gt;
&lt;b&gt;0&lt;/b&gt; -- Disable"
bypassErrors="1">
<Properties
action="U"
displayDecimal="1"
default="0"
hive="HKEY_LOCAL_MACHINE"
key="System\CurrentControlSet\Services\TCPIP\Parameters"
name="EnablePMTUDiscovery" type="REG_DWORD" value="00000001"/>
</Registry>
<Registry
clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
name="IPsec Default Exemptions (Vista and W2K8)"
status="NoDefaultExempt"
image="12"
changed="2008-05-30 20:33:32"
uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008
and later&lt;/b&gt;&lt;p&gt;
This setting determines which network traffic type is exempt
from any IPsec authentication requirements.&lt;p&gt;
&lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
&lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
&lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
&lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
bypassErrors="1">
<Properties
action="U"
displayDecimal="1"
default="0"
hive="HKEY_LOCAL_MACHINE"
key="SYSTEM\CurrentControlSet\Services\PolicyAgent"
name="NoDefaultExempt"
type="REG_DWORD"
value="00000003"/>
<Filters>
<FilterOs
bool="AND" not="0"
class="NT" version="VISTA"
type="NE" edition="NE" sp="NE"/>
<FilterOs
bool="OR" not="0"
class="NT" version="2K8"
type="NE" edition="NE" sp="NE"/>
</Filters>
</Registry>
</Collection>
```

71
windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md Normal file
View File

@ -0,0 +1,71 @@
---
title: Assign Security Group Filters to the GPO (Windows 10)
description: Assign Security Group Filters to the GPO
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Assign Security Group Filters to the GPO
**Applies to**
- Windows 10
- Windows Server 2016
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
>**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
 
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.
In this topic:
- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo)
- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo)
## To allow members of a group to apply a GPO
Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**.
>**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
4. Click **Add**.
5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
## To prevent members of a group from applying a GPO
Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, click the **Delegation** tab.
4. Click **Advanced**.
5. Under the **Group or user names** list, click **Add**.
6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
7. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**.
8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
9. The group appears in the list with **Custom** permissions.

67
windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Basic Firewall Policy Design (Windows 10)
description: Basic Firewall Policy Design
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Basic Firewall Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped.
Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted.
Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization.
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
>**Caution:**  Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later.
If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. 
An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation.
After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
>**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
For more information about this design:
- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)

29
windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Boundary Zone GPOs (Windows 10)
description: Boundary Zone GPOs
ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Boundary Zone GPOs
**Applies to**
- Windows 10
- Windows Server 2016
All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
>**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone.
The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows.
In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed.
- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md)

64
windows/security/identity-protection/windows-firewall/boundary-zone.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Boundary Zone (Windows 10)
description: Boundary Zone
ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Boundary Zone
**Applies to**
- Windows 10
- Windows Server 2016
In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device.
The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it.
Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
![design flowchart](images/wfas-designflowchart1.gif)
The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
## GPO settings for boundary zone servers running at least Windows Server 2008
The boundary zone GPO for devices running at least Windows Server 2008 should include the following:
- IPsec default settings that specify the following options:
1. Exempt all ICMP traffic from IPsec.
2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems..
If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
- The following connection security rules:
- A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
- A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication.
- A registry policy that includes the following values:
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
>**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
**Next:**[Encryption Zone](encryption-zone.md)

53
windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Certificate-based Isolation Policy Design Example (Windows 10)
description: Certificate-based Isolation Policy Design Example
ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Certificate-based Isolation Policy Design Example
**Applies to**
- Windows 10
- Windows Server 2016
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information.
## Design requirements
One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate.
A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed.
In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server.
The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate.
The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design.
The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates.
**Other traffic notes:**
- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device.
## Design details
Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization.
The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directorysupported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules.
When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

41
windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md Normal file
View File

@ -0,0 +1,41 @@
---
title: Certificate-based Isolation Policy Design (Windows 10)
description: Certificate-based Isolation Policy Design
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Certificate-based Isolation Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol.
To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows.
The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain.
For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner.
For more info about this design:
- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)

57
windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md Normal file
View File

@ -0,0 +1,57 @@
---
title: Change Rules from Request to Require Mode (Windows 10)
description: Change Rules from Request to Require Mode
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Change Rules from Request to Require Mode
**Applies to**
- Windows 10
- Windows Server 2016
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
In this topic:
- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode)
- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices)
## To convert a rule from request to require mode
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the right navigation pane, click **Connection Security Rules**.
3. In the details pane, double-click the connection security rule that you want to modify.
4. Click the **Authentication** tab.
5. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**.
## To apply the modified GPOs to the client devices
1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt:
``` syntax
gpupdate /force
```
2. To verify that the modified GPO is correctly applied to the client devices, you can run the following command:
``` syntax
gpresult /r /scope computer
```
3. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device.

27
windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Checklist Configuring Basic Firewall Settings (Windows 10)
description: Checklist Configuring Basic Firewall Settings
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Checklist: Configuring Basic Firewall Settings
**Applies to**
- Windows 10
- Windows Server 2016
This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
**Checklist: Configuring firewall defaults and settings**
| Task | Reference |
| - | - |
| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)|
| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)|

44
windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10)
description: Checklist Configuring Rules for an Isolated Server Zone
ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Configuring Rules for an Isolated Server Zone
**Applies to**
- Windows 10
- Windows Server 2016
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer.
Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication.
The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server.
**Checklist: Configuring rules for isolated servers**
| Task | Reference |
| - | - |
| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.<br/>Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPOs element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zones membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)|
| Create a rule that requests authentication for all network traffic.<br/>**Important:** Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)|
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.

41
windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md Normal file
View File

@ -0,0 +1,41 @@
---
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10)
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
**Applies to**
- Windows 10
- Windows Server 2016
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
**Checklist: Configuring rules for isolated servers**
| Task | Reference |
| - | - |
| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) |
| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) |
| Create a rule that requests authentication for all inbound network traffic. <br/><br/>**Important:** Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)|
| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) |
| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zones NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)|
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
 
Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested.

33
windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md Normal file
View File

@ -0,0 +1,33 @@
---
title: Checklist Configuring Rules for the Boundary Zone (Windows 10)
description: Checklist Configuring Rules for the Boundary Zone
ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Configuring Rules for the Boundary Zone
**Applies to**
- Windows 10
- Windows Server 2016
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.
**Checklist: Configuring boundary zone rules**
This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs.
| Task | Reference |
| - | - |
| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) |
| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|

34
windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md Normal file
View File

@ -0,0 +1,34 @@
---
title: Checklist Configuring Rules for the Encryption Zone (Windows 10)
description: Checklist Configuring Rules for the Encryption Zone
ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Configuring Rules for the Encryption Zone
**Applies to**
- Windows 10
- Windows Server 2016
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.
**Checklist: Configuring encryption zone rules**
This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
| Task | Reference |
| - | - |
| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)|
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|

38
windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md Normal file
View File

@ -0,0 +1,38 @@
---
title: Checklist Configuring Rules for the Isolated Domain (Windows 10)
description: Checklist Configuring Rules for the Isolated Domain
ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Configuring Rules for the Isolated Domain
**Applies to**
- Windows 10
- Windows Server 2016
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
**Checklist: Configuring isolated domain rules**
| Task | Reference |
| - | - |
| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)|
| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
| Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
 
Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.

44
windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Checklist Creating Group Policy Objects (Windows 10)
description: Checklist Creating Group Policy Objects
ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Checklist: Creating Group Policy Objects
**Applies to**
- Windows 10
- Windows Server 2016
To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
The checklists for firewall, domain isolation, and server isolation include a link to this checklist.
## About membership groups
For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
## About exclusion groups
A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
**Checklist: Creating Group Policy objects**
| Task | Reference |
| - | - |
| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)|
| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.<br/>If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) |
| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |

40
windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md Normal file
View File

@ -0,0 +1,40 @@
---
title: Checklist Creating Inbound Firewall Rules (Windows 10)
description: Checklist Creating Inbound Firewall Rules
ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Creating Inbound Firewall Rules
**Applies to**
- Windows 10
- Windows Server 2016
This checklist includes tasks for creating firewall rules in your GPOs.
**Checklist: Creating inbound firewall rules**
| Task | Reference |
| - | - |
| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)|
| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)|
| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)|
| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)|
| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)|
 
 
 

40
windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md Normal file
View File

@ -0,0 +1,40 @@
---
title: Checklist Creating Outbound Firewall Rules (Windows 10)
description: Checklist Creating Outbound Firewall Rules
ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Creating Outbound Firewall Rules
**Applies to**
- Windows 10
- Windows Server 2016
This checklist includes tasks for creating outbound firewall rules in your GPOs.
>**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organizations network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.
**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
| Task | Reference |
| - | - |
| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)|
| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)|
| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)|
 
 
 

34
windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md Normal file
View File

@ -0,0 +1,34 @@
---
title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10)
description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone
ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
**Applies to**
- Windows 10
- Windows Server 2016
This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
**Checklist: Configuring isolated server zone client rules**
| Task | Reference |
| - | - |
| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)|
| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
| Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|

37
windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md Normal file
View File

@ -0,0 +1,37 @@
---
title: Checklist Implementing a Basic Firewall Policy Design (Windows 10)
description: Checklist Implementing a Basic Firewall Policy Design
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Checklist: Implementing a Basic Firewall Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
 **Checklist: Implementing a basic firewall policy design**
| Task | Reference |
| - | - |
| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Basic Firewall Policy Design](basic-firewall-policy-design.md)<br/>[Firewall Policy Design Example](firewall-policy-design-example.md)<br/>[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|
| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)|
| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)|
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)|

31
windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md Normal file
View File

@ -0,0 +1,31 @@
---
title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10)
description: Checklist Implementing a Certificate-based Isolation Policy Design
ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Checklist: Implementing a Certificate-based Isolation Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist
**Checklist: Implementing certificate-based authentication**
| Task | Reference |
| - | - |
| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)<br/>[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)<br/>[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)|
| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)|
| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)|

35
windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md Normal file
View File

@ -0,0 +1,35 @@
---
title: Checklist Implementing a Domain Isolation Policy Design (Windows 10)
description: Checklist Implementing a Domain Isolation Policy Design
ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Checklist: Implementing a Domain Isolation Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
**Checklist: Implementing a domain isolation policy design**
| Task | Reference |
| - | - |
| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Domain Isolation Policy Design](domain-isolation-policy-design.md)<br/>[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)<br/>[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)|
| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)|
| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)|
| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)|
| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)|
| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)|

34
windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md Normal file
View File

@ -0,0 +1,34 @@
---
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10)
description: Checklist Implementing a Standalone Server Isolation Policy Design
ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Checklist: Implementing a Standalone Server Isolation Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
**Checklist: Implementing a standalone server isolation policy design**
| Task | Reference |
| - | - |
| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Server Isolation Policy Design](server-isolation-policy-design.md)<br/>[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)<br/>[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)|
| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)|
| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)|
| According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) |

76
windows/security/identity-protection/windows-firewall/configure-authentication-methods.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Configure Authentication Methods (Windows 10)
description: Configure Authentication Methods
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Configure Authentication Methods
**Applies to**
- Windows 10
- Windows Server 2016
This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
>**Note:**  If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To configure authentication methods**
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec Settings** tab, click **Customize**.
4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following:
1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default.
2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials.
3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials.
5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The first authentication method can be one of the following:
- **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
- **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used.
- **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes.
If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
The second authentication method can be one of the following:
- **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups.
- **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule.
If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
>**Important:**  Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor.

63
windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Configure Data Protection (Quick Mode) Settings (Windows 10)
description: Configure Data Protection (Quick Mode) Settings
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Configure Data Protection (Quick Mode) Settings
**Applies to**
- Windows 10
- Windows Server 2016
This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To configure quick mode settings**
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec Settings** tab, click **Customize**.
4. In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**.
5. If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone.
6. If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following:
1. From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**.
2. Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT).
3. In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
4. Click **OK** to save your algorithm combination settings.
5. After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on.
7. Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following:
1. From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**.
2. Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following:
3. Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT.
4. Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only.
5. Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only.
6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
8. Click **OK** three times to save your settings.

39
windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md Normal file
View File

@ -0,0 +1,39 @@
---
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
description: Configure Group Policy to Autoenroll and Deploy Certificates
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Configure Group Policy to Autoenroll and Deploy Certificates
**Applies to**
- Windows 10
- Windows Server 2016
You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
**Administrative credentials**
To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group.
**To configure Group Policy to autoenroll certificates**
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
3. In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**.
4. Double-click **Certificate Services Client - Auto-Enrollment**.
5. In the **Properties** dialog box, change **Configuration Model** to **Enabled**.
6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**.
7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed.

63
windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Configure Key Exchange (Main Mode) Settings (Windows 10)
description: Configure Key Exchange (Main Mode) Settings
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Configure Key Exchange (Main Mode) Settings
**Applies to**
- Windows 10
- Windows Server 2016
This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To configure key exchange settings**
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec Settings** tab, click **Customize**.
4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**.
5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following:
**Important**  
In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices.
Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected.
**Note**  
When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select.
1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**.
2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**.
>**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only.
3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on.
6. From the list on the right, select the key exchange algorithm that you want to use.
>**Caution:**  We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only. 
7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key.
>**Note:**  You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance.
8. In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key.
9. Click **OK** three times to save your settings.

54
windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Configure the Rules to Require Encryption (Windows 10)
description: Configure the Rules to Require Encryption
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Configure the Rules to Require Encryption
If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To modify an authentication request rule to also require encryption**
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Connection Security Rules**.
3. In the details pane, double-click the connection security rule you want to modify.
4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**.
5. In the navigation pane, right-click **Windows Defender Firewall LDAP://CN={***guid***}**, and then click **Properties**.
6. Click the **IPsec Settings** tab.
7. Under **IPsec defaults**, click **Customize**.
8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**.
9. Click **Require encryption for all connection security rules that use these settings**.
This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone.
10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
**Note**  
Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Defender Firewall user interface. Instead, you can create or modify the rules by using Windows PowerShell.
For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.
12. Click **OK** three times to save your changes.

54
windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Configure the Windows Defender Firewall Log (Windows 10)
description: Configure the Windows Defender Firewall Log
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Configure the Windows Defender Firewall with Advanced Security Log
**Applies to**
- Windows 10
- Windows Server 2016
To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
In this topic:
- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log)
## To configure the Windows Defender Firewall with Advanced Security log
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
3. For each network location type (Domain, Private, Public), perform the following steps.
1. Click the tab that corresponds to the network location type.
2. Under **Logging**, click **Customize**.
3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
>**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
5. No logging occurs until you set one of following two options:
- To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
- To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
6. Click **OK** twice.

49
windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md Normal file
View File

@ -0,0 +1,49 @@
---
title: Configure the Workstation Authentication Certificate Template (Windows 10)
description: Configure the Workstation Authentication Certificate Template
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Configure the Workstation Authentication Certificate Template
**Applies to**
- Windows 10
- Windows Server 2016
This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
**Administrative credentials**
## To configure the workstation authentication certificate template and autoenrollment
To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group.
1. On the device where AD CS is installed, open the Certification Authority console.
2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**.
3. In the details pane, click the **Workstation Authentication** template.
4. On the **Action** menu, click **Duplicate Template**. In the **Duplicate Template** dialog box, select the template version that is appropriate for your deployment, and then click **OK**. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select **Windows Server 2003**.
5. On the **General** tab, in **Template display name**, type a new name for the certificate template, such as **Domain Isolation Workstation Authentication Template**.
6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**.
7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.
8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**.
>**Note:**  If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate.
9. Close the Certificate Templates Console.
10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**.

47
windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10)
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked
ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked
**Applies to**
- Windows 10
- Windows Server 2016
To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
>**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail.
We recommend that you do not enable these settings until you have created and tested the required rules.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## To configure Windows Defender Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
3. For each network location type (Domain, Private, Public), perform the following steps.
1. Click the tab that corresponds to the network location type.
2. Under **Settings**, click **Customize**.
3. Under **Firewall settings**, change **Display a notification** to **No**.
4. Under **Rule merging**, change **Apply local firewall rules** to **No**.
5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**.
6. Click **OK** twice.

49
windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md Normal file
View File

@ -0,0 +1,49 @@
---
title: Confirm That Certificates Are Deployed Correctly (Windows 10)
description: Confirm That Certificates Are Deployed Correctly
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: securit
author: brianlic-msft
ms.date: 04/19/2017
---
# Confirm That Certificates Are Deployed Correctly
**Applies to**
- Windows 10
- Windows Server 2016
After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
In this topic:
- [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device)
- [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed)
## To refresh Group Policy on a device
From an elevated command prompt, run the following command:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
## To verify that a certificate is installed
1. Open the Cerificates console.
2. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**.
The CA that you created appears in the list.

51
windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md Normal file
View File

@ -0,0 +1,51 @@
---
title: Copy a GPO to Create a New GPO (Windows 10)
description: Copy a GPO to Create a New GPO
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Copy a GPO to Create a New GPO
**Applies to**
- Windows 10
- Windows Server 2016
To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs.
**To make a copy of a GPO**
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**.
3. In the details pane, right-click the GPO you want to copy, and then click **Copy**.
4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**.
5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler.
6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*.
7. To rename it, right-click the GPO, and then click **Rename**.
8. Type the new name, and then press ENTER.
9. You must change the security filters to apply the policy to the correct group of devices. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**.
10. In the confirmation dialog box, click **OK**.
11. Click **Add**.
12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**.
13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.

43
windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Create a Group Account in Active Directory (Windows 10)
description: Create a Group Account in Active Directory
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Create a Group Account in Active Directory
**Applies to**
- Windows 10
- Windows Server 2016
To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new group accounts.
**To add a new membership group in Active Directory**
1. Open the Active Directory Users and Computers console.
2. In the navigation pane, select the container in which you want to store your group. This is typically the **Users** container under the domain.
3. Click **Action**, click **New**, and then click **Group**.
4. In the **Group name** text box, type the name for your new group.
>**Note:**  Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups.
5. In the **Description** text box, enter a description of the purpose of this group.
6. In the **Group scope** section, select either **Global** or **Universal**, depending on your Active Directory forest structure. If your group must include computers from multiple domains, then select **Universal**. If all of the members are from the same domain, then select **Global**.
7. In the **Group type** section, click **Security**.
8. Click **OK** to save your group.

45
windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md Normal file
View File

@ -0,0 +1,45 @@
---
title: Create a Group Policy Object (Windows 10)
description: Create a Group Policy Object
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Create a Group Policy Object
**Applies to**
- Windows 10
- Windows Server 2016
To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs.
To create a new GPO
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**.
3. Click **Action**, and then click **New**.
4. In the **Name** text box, type the name for your new GPO.
>**Note:**  Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs.
5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**.
6. If your GPO will not contain any user settings, then you can improve performance by disabling the **User Configuration** section of the GPO. To do this, perform these steps:
1. In the navigation pane, click the new GPO.
2. In the details pane, click the **Details** tab.
3. Change the **GPO Status** to **User configuration settings disabled**.

63
windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Create an Authentication Exemption List Rule (Windows 10)
description: Create an Authentication Exemption List Rule
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create an Authentication Exemption List Rule
**Applies to**
- Windows 10
- Windows Server 2016
In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
**Important**  
Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Defender Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list.
 
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To create a rule that exempts specified hosts from authentication**
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Connection Security Rules**.
3. Click **Action**, and then click **New Rule**.
4. On the **Rule Type** page of the New Connection Security Rule Wizard, click **Authentication exemption**, and then click **Next**.
5. On the **Exempt Computers** page, to create a new exemption, click **Add**. To modify an existing exemption, click it, and then click **Edit**.
6. In the **IP Address** dialog box, do one of the following:
- To add a single IP address, click **This IP address or subnet**, type the IP address of the host in the text box, and then click **OK**.
- To add an entire subnet by address, click **This IP address or subnet**, and then type the IP address of the subnet, followed by a forward slash (/) and the number of bits in the corresponding subnet mask. For example, **10.50.0.0/16** represents the class B subnet that begins with address 10.50.0.1, and ends with address **10.50.255.254**. Click **OK** when you are finished.
- To add the local devices subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**.
>**Note:**  If you select the local subnet from the list rather than typing the subnet address in manually, the device automatically adjusts the active local subnet to match the devices current IP address.
- To add a discrete range of addresses that do not correspond to a subnet, click **This IP address range**, type the beginning and ending IP addresses in the **From** and **To** text boxes, and then click **OK**.
- To exempt all of the remote hosts that the local device uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**.
7. Repeat steps 5 and 6 for each exemption that you need to create.
8. Click **Next** when you have created all of the exemptions.
9. On the **Profile** page, check the profile for each network location type to which this set of exemptions applies, and then click **Next**.
>**Caution:**  If all of the exemptions are on the organizations network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate.
10. On the **Name** page, type the name of the exemption rule, type a description, and then click **Finish**.

85
windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md Normal file
View File

@ -0,0 +1,85 @@
---
title: Create an Authentication Request Rule (Windows 10)
description: Create an Authentication Request Rule
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create an Authentication Request Rule
**Applies to**
- Windows 10
- Windows Server 2016
After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create the authentication request rule
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**.
3. On the **Rule Type** page, select **Isolation**, and then click **Next**.
4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**.
>**Caution:**  Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure.
2. **Computer and User (Kerberos V5)**. Selecting this option tells the device to request authentication of both the device and the currently logged-on user by using their domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
- **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
- **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule.
- **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only.
If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
The **Second authentication method** can be one of the following:
- **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1.
- **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups.
- **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule.
If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails.
>**Important:**  Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
- On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network.
- On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
Click **Next**.
8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
The new rule appears in the list of connection security rules.

63
windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Create an Inbound ICMP Rule (Windows 10)
description: Create an Inbound ICMP Rule
ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create an Inbound ICMP Rule
**Applies to**
- Windows 10
- Windows Server 2016
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see:
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
To create an inbound ICMP rule
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
5. On the **Program** page, click **All programs**, and then click **Next**.
6. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each.
7. Click **Customize**.
8. In the **Customize ICMP Settings** dialog box, do one of the following:
- To allow all ICMP network traffic, click **All ICMP types**, and then click **OK**.
- To select one of the predefined ICMP types, click **Specific ICMP types**, and then select each type in the list that you want to allow. Click **OK**.
- To select an ICMP type that does not appear in the list, click **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, click **Add**, and then select the newly created entry from the list. Click **OK**
9. Click **Next**.
10. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
11. On the **Action** page, select **Allow the connection**, and then click **Next**.
12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
13. On the **Name** page, type a name and description for your rule, and then click **Finish**.

64
windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Create an Inbound Port Rule (Windows 10)
description: Create an Inbound Port Rule
ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create an Inbound Port Rule
**Applies to**
- Windows 10
- Windows Server 2016
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall
with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see:
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
**To create an inbound port rule**
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **All programs**, and then click **Next**.
>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.
When you have configured the protocols and ports, click **Next**.
7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
8. On the **Action** page, select **Allow the connection**, and then click **Next**.
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
>**Note:**  If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.

72
windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Create an Inbound Program or Service Rule (Windows 10)
description: Create an Inbound Program or Service Rule
ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create an Inbound Program or Service Rule
**Applies to**
- Windows 10
- Windows Server 2016
To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create an inbound firewall rule for a program or service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **This program path**.
6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
7. Do one of the following:
- If the executable file contains a single program, click **Next**.
- If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**.
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**.
**Important**  
To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command:
**sc** **qsidtype** *&lt;ServiceName&gt;*
If the result is **NONE**, then a firewall rule cannot be applied to that service.
To set a SID type on a service, run the following command:
**sc** **sidtype** *&lt;Type&gt; &lt;ServiceName&gt;*
In the preceding command, the value of *&lt;Type&gt;* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**.
8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**.
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
10. On the **Action** page, select **Allow the connection**, and then click **Next**.
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
12. On the **Name** page, type a name and description for your rule, and then click **Finish**.

53
windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Create an Outbound Port Rule (Windows 10)
description: Create an Outbound Port Rule
ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create an Outbound Port Rule
**Applies to**
- Windows 10
- Windows Server 2016
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create an outbound port rule
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **All programs**, and then click **Next**.
6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number.
If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it.
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.
When you have configured the protocols and ports, click **Next**.
7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
8. On the **Action** page, select **Block the connection**, and then click **Next**.
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.

57
windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md Normal file
View File

@ -0,0 +1,57 @@
---
title: Create an Outbound Program or Service Rule (Windows 10)
description: Create an Outbound Program or Service Rule
ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create an Outbound Program or Service Rule
**Applies to**
- Windows 10
- Windows Server 2016
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create an outbound firewall rule for a program or service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **This program path**.
6. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly.
7. Do one of the following:
- If the executable file contains a single program, click **Next**.
- If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**.
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**.
8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, click **Next**.
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
10. On the **Action** page, select **Block the connection**, and then click **Next**.
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
12. On the **Name** page, type a name and description for your rule, and then click **Finish**.

90
windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md Normal file
View File

@ -0,0 +1,90 @@
---
title: Create Inbound Rules to Support RPC (Windows 10)
description: Create Inbound Rules to Support RPC
ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Create Inbound Rules to Support RPC
**Applies to**
- Windows 10
- Windows Server 2016
To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see:
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
In this topic:
- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service)
- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services)
## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
5. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**.
6. Click **Customize**.
7. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**.
8. On the warning about Windows service-hardening rules, click **Yes**.
9. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**.
10. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**.
11. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
12. On the **Action** page, select **Allow the connection**, and then click **Next**.
13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.  
14. On the **Name** page, type a name and description for your rule, and then click **Finish**.
## To create a rule to allow inbound network traffic to RPC-enabled network services
1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**.
2. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**.
4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service does not appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box.
5. Click **OK**, and then click **Next**.
6. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**.
7. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**.
8. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
9. On the **Action** page, select **Allow the connection**, and then click **Next**.
10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
11. On the **Name** page, type a name and description for your rule, and then click **Finish**.

95
windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md Normal file
View File

@ -0,0 +1,95 @@
---
title: Create WMI Filters for the GPO (Windows 10)
description: Create WMI Filters for the GPO
ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 05/25/2017
---
# Create WMI Filters for the GPO
**Applies to**
- Windows 10
- Windows Server 2016
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows)
- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo)
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system.
## To create a WMI filter that queries for a specified version of Windows
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**.
3. Click **Action**, and then click **New**.
4. In the **Name** text box, type the name of the WMI filter.
>**Note:**  Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description.
6. Click **Add**.
7. Leave the **Namespace** value set to **root\\CIMv2**.
8. In the **Query** text box, type:
``` syntax
select * from Win32_OperatingSystem where Version like "6.%"
```
This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following:
``` syntax
... where Version like "6.1%" or Version like "6.2%"
```
To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
The following clause returns **true** for all devices that are not domain controllers:
``` syntax
... where ProductType="1" or ProductType="3"
```
The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system.
``` syntax
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
```
The following query returns **true** for any device running Windows Server 2016, except domain controllers:
``` syntax
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3"
```
9. Click **OK** to save the query to the filter.
10. Click **Save** to save your completed filter.
## To link a WMI filter to a GPO
After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. Under **WMI Filtering**, select the correct WMI filter from the list.
4. Click **Yes** to accept the filter.

48
windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Designing a Windows Defender Firewall with Advanced Security Strategy (Windows 10)
description: Designing a Windows Defender Firewall Strategy
ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Designing a Windows Defender Firewall with Advanced Security Strategy
**Applies to**
- Windows 10
- Windows Server 2016
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.
- [Gathering the Information You Need](gathering-the-information-you-need.md)
- [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.
- What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs?
- What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs?
- What traffic on the network cannot be protected by IPsec because the devices or devices sending or receiving the traffic do not support IPsec?
- For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required?
- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use.
- Which devices must be able to accept unsolicited inbound connections from devices that are not part of the domain?
- Which devices contain data that must be encrypted when exchanged with another computer?
- Which devices contain sensitive data to which access must be restricted to specifically authorized users and devices?
- Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall?
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)

140
windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md Normal file
View File

@ -0,0 +1,140 @@
---
title: Determining the Trusted State of Your Devices (Windows 10)
description: Determining the Trusted State of Your Devices
ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Determining the Trusted State of Your Devices
**Applies to**
- Windows 10
- Windows Server 2016
After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status.
>**Note:**  In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk.
## Trust states
To understand this concept, consider the four basic states that apply to devices in a typical IT infrastructure. These states are (in order of risk, lowest risk first):
- Trusted
- Trustworthy
- Known, untrusted
- Unknown, untrusted
The remainder of this section defines these states and how to determine which devices in your organization belong in each state.
### Trusted state
Classifying a device as trusted means that the device's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network.
When a device is considered trusted, other trusted devices can reasonably assume that the device will not initiate a malicious act. For example, trusted devices can expect that other trusted devices will not run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses.
Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status.
A possible list of technology requirements might include the following:
- **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008.
- **Domain membership.** A trusted device will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member devices by using Group Policy.
- **Management client.** All trusted devices must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Configuration Manager is one such management system with an appropriate client.
- **Antivirus software.** All trusted devices will run antivirus software that is configured to check for and automatically update the latest virus signature files daily.
- **File system.** All trusted devices will be configured to use the NTFS file system.
- **BIOS settings.** All trusted portable devices will be configured to use a BIOS-level password that is under the management of the IT support team.
- **Password requirements.** Trusted clients must use strong passwords.
It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status.
A device that continues to meet all these security requirements can be considered trusted. However it is possible that most devices that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which devices can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications.
### Trustworthy state
It is useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes.
For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration).
Generally, trustworthy devices fall into one of the following two groups:
- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk does not meet this requirement.
- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require:
- **Operating system upgrade required.** If the device's current operating system cannot support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state.
- **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active.
- **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device.
- **Device replacement required.** This category is reserved for devices that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a device that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device).
Use these groups to assign costs for implementing the solution on the devices that require upgrades.
### Known, untrusted state
During the process of categorizing an organization's devices, you will identify some devices that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types:
- **Financial.** The funding is not available to upgrade the hardware or software for this device.
- **Political.** The device must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation.
- **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system.
There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state:
- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported).
- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually cannot achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device is not a part of a trusted domain.
- **Devices in an untrusted domain.** A device that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when devices are not in a trusted domain.
### Unknown, untrusted state
The unknown, untrusted state should be considered the default state for all devices. Because devices in this state have a configuration that is unknown, you can assign no trust to them. All planning for devices in this state must assume that the device is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the devices in this state can have on their organizations.
## Capturing upgrade costs for current devices
The final step in this part of the process is to record the approximate cost of upgrading the devices to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions:
- Does the device meet the minimum hardware requirements necessary for isolation?
- Does the device meet the minimum software requirements necessary for isolation?
- What configuration changes must be made to integrate this device into the isolation solution?
- What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state?
By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It is important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses.
The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state.
| Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost |
| - | - | - | - | - | - |
| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware is not compatible with newer versions of Windows.| $??|
| SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??|
In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher.
The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs.
With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)

28
windows/security/identity-protection/windows-firewall/documenting-the-zones.md Normal file
View File

@ -0,0 +1,28 @@
---
title: Documenting the Zones (Windows 10)
description: Documenting the Zones
ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Documenting the Zones
**Applies to**
- Windows 10
- Windows Server 2016
Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here:
| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group |
| - | - | - | - | - | - |
| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware not compatible with newer versions of Windows.| $??| Isolated domain|
| SERVER002 | Yes| No| Join trusted domain, upgrade from Windows Server 2008 to at least Windows Server 2012| No antivirus software present.| $??| Encryption|
| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)|
| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary|
**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)

59
windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md Normal file
View File

@ -0,0 +1,59 @@
---
title: Domain Isolation Policy Design Example (Windows 10)
description: Domain Isolation Policy Design Example
ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Domain Isolation Policy Design Example
**Applies to**
- Windows 10
- Windows Server 2016
This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.
## Design Requirements
In addition to the basic protection provided by the firewall rules in the previous design example, you might want to implement domain isolation to provide another layer of security to their networked devices. You can create firewall and connection security rules that use authentication to reduce the risk of communicating with untrusted and potentially hostile devices.
The following illustration shows the traffic protection needed for this design example.
![domain isolation policy design](images/wfas-design2example1.gif)
1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule.
2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which are not members of Woodgrove Bank's domain.
3. Client devices can initiate non-authenticated outbound communications with devices that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked.
4. Devices in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain.
**Other traffic notes:**
- All of the design requirements described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced.
## Design Details
Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices on its network.
Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs.
The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, simply add the device's account in the appropriate group.
- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections.
- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that cannot participate in domain isolation, such as a DHCP server running UNIX, is added to this group.
- **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the devices that are part of the boundary group able to receive unsolicited inbound traffic from untrusted devices. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication.
- **CG\_DOMISO\_ENCRYPTION**. This group contains the computer accounts for all the devices that require all inbound and outbound traffic to be both authenticated and encrypted. Members of the group receive a GPO that configures connection security and firewall rules to require both authentication and encryption on all inbound and outbound traffic.
>**Note:**  If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)

65
windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md Normal file
View File

@ -0,0 +1,65 @@
---
title: Domain Isolation Policy Design (Windows 10)
description: Domain Isolation Policy Design
ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Domain Isolation Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain.
This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After implementing the new rules, your devices reject unsolicited network traffic from devices that are not members of the isolated domain.
The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them.
By using connection security rules based on IPsec, you provide a logical barrier between devices even if they are connected to the same physical network segment.
The design is shown in the following illustration, with the arrows that show the permitted communication paths.
![isolated domain boundary zone](images/wfasdomainisoboundary.gif)
Characteristics of this design, as shown in the diagram, include the following:
- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. This includes unauthenticated traffic to devices that are not in the isolated domain. Devices that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md).
- Boundary zone (area B) - Devices in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted devices, such as clients on the Internet.
Devices in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a device that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated.
Because boundary zone devices are exposed to network traffic from untrusted and potentially hostile devices, they must be carefully managed and secured. Put only the devices that must be accessed by external devices in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member devices.
- Trusted non-domain members (area C) - Devices on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices.
- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices.
After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization.
>**Important:**  This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.
This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules.
In order to expand the isolated domain to include Devices that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md).
For more info about this design:
- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md).
- Before completing the design, gather the info described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md).
- For a list of tasks that you can use to deploy your domain isolation policy design, see [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md).
**Next:** [Server Isolation Policy Design](server-isolation-policy-design.md)

37
windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md Normal file
View File

@ -0,0 +1,37 @@
---
title: Enable Predefined Inbound Rules (Windows 10)
description: Enable Predefined Inbound Rules
ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Enable Predefined Inbound Rules
**Applies to**
- Windows 10
- Windows Server 2016
Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To deploy predefined firewall rules that allow inbound network traffic for common network functions
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**.
5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**.
6. On the **Action** page, select **Allow the connection**, and then click **Finish**.

39
windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md Normal file
View File

@ -0,0 +1,39 @@
---
title: Enable Predefined Outbound Rules (Windows 10)
description: Enable Predefined Outbound Rules
ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Enable Predefined Outbound Rules
**Applies to**
- Windows 10
- Windows Server 2016
By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To deploy predefined firewall rules that block outbound network traffic for common network functions
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**.
5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They are all selected by default. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**.
6. On the **Action** page, select **Block the connection**, and then click **Finish**.
The selected rules are added to the GPO.

23
windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md Normal file
View File

@ -0,0 +1,23 @@
---
title: Encryption Zone GPOs (Windows 10)
description: Encryption Zone GPOs
ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Encryption Zone GPOs
**Applies to**
- Windows 10
- Windows Server 2016
Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section.
The GPO is only for server versions of Windows. Client devices are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows.
- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md)

63
windows/security/identity-protection/windows-firewall/encryption-zone.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Encryption Zone (Windows 10)
description: Encryption Zone
ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Encryption Zone
**Applies to**
- Windows 10
- Windows Server 2016
Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.
To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted.
You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols.
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
## GPO settings for encryption zone servers running at least Windows Server 2008
The GPO for devices that are running at least Windows Server 2008 should include the following:
- IPsec default settings that specify the following options:
1. Exempt all ICMP traffic from IPsec.
2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
If any NAT devices are present on your networks, use ESP encapsulation..
4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method.
- The following connection security rules:
- A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
- A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy.
**Important**  
Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out.
 
- A registry policy that includes the following values:
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
>**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)

28
windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md Normal file
View File

@ -0,0 +1,28 @@
---
title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10)
description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Evaluating Windows Defender Firewall with Advanced Security Design Examples
**Applies to**
- Windows 10
- Windows Server 2016
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization.
- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md)
- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)

31
windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md Normal file
View File

@ -0,0 +1,31 @@
---
title: Exempt ICMP from Authentication (Windows 10)
description: Exempt ICMP from Authentication
ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Exempt ICMP from Authentication
**Applies to**
- Windows 10
- Windows Server 2016
This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To exempt ICMP network traffic from authentication
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. On the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**.

53
windows/security/identity-protection/windows-firewall/exemption-list.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Exemption List (Windows 10)
description: Exemption List
ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Exemption List
**Applies to**
- Windows 10
- Windows Server 2016
When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list.
Generally, the following conditions are reasons to consider adding a device to the exemption list:
- If the device must be accessed by trusted devices but it does not have a compatible IPsec implementation.
- If the device must provide services to both trusted and untrusted devices, but does not meet the criteria for membership in the boundary zone.
- If the device must be accessed by trusted devices from different isolated domains that do not have an Active Directory trust relationship established with each other.
- If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista.
- If the device must support trusted and untrusted devices, but cannot use IPsec to help secure communications to trusted devices.
For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following:
- Reduces the overall effectiveness of isolation.
- Creates a larger management burden (because of frequent updates).
- Increases the size of the IPsec policy, which means that it consumes more memory and CPU resources, slows down network throughput, and increases the time required to download and apply the GPO containing the IPsec policy.
To keep the number of exemptions as small as possible, you have several options:
- Carefully consider the communications requirements of each isolation zone, especially server-only zones. They might not be required to communicate with every exemption in the domain-level policy for clients.
- Consolidate server functions. If several exempt services can be hosted at one IP address, the number of exemptions is reduced.
- Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address.
As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
**Next: **[Isolated Domain](isolated-domain.md)

23
windows/security/identity-protection/windows-firewall/firewall-gpos.md Normal file
View File

@ -0,0 +1,23 @@
---
title: Firewall GPOs (Windows 10)
description: Firewall GPOs
ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Firewall GPOs
**Applies to**
- Windows 10
- Windows Server 2016
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
The GPO created for the example Woodgrove Bank scenario include the following:
- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md)

107
windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md Normal file
View File

@ -0,0 +1,107 @@
---
title: Firewall Policy Design Example (Windows 10)
description: Firewall Policy Design Example
ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Firewall Policy Design Example
**Applies to**
- Windows 10
- Windows Server 2016
In this example, the fictitious company Woodgrove Bank is a financial services institution.
Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing.
Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server.
## Design requirements
The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted.
The following illustration shows the traffic protection needs for this design example.
![design example 1](images/wfas-designexample1.gif)
1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers.
2. The WGBank front-end servers can receive unsolicited inbound traffic from the client devices and the WGBank partner servers. The WGBank client devices and partner servers can receive the response.
3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it.
4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses.
5. There is no direct communications between the client devices and the WGBank back-end devices.
6. There is no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers.
7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that do not require an outside server. Firewall rules must block the network traffic created by these programs.
8. The WGBank partner servers can receive inbound requests from partner devices through the Internet.
Other traffic notes:
- Devices are not to receive any unsolicited traffic from any computer other than specifically allowed above.
- Other outbound network traffic from the client devices not specifically identified in this example is permitted.
## Design details
Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices:
- Client devices that run Windows 10, Windows 8, or Windows 7
- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
- WGBank partner servers that run Windows Server 2008
- WGBank back-end SQL Server devices that run Windows Server 2008 (there are none in place yet, but their solution must support adding them)
- Infrastructure servers that run Windows Server 2008
- Active Directory domain controllers that run Windows Server 2008 R2 or Windows Server 2012
- DHCP servers that run the UNIX operating system
After evaluating these sets of devices, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct devices.
Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs.
The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all devices that run Windows were added to the correct groups:
- **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all devices.
The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs.
- Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound.
- Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices.
All rules are scoped to allow network traffic only from devices on Woodgrove Bank's corporate network.
- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group.
- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Defender Firewall with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO.
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)

33
windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md Normal file
View File

@ -0,0 +1,33 @@
---
title: Gathering Information about Your Active Directory Deployment (Windows 10)
description: Gathering Information about Your Active Directory Deployment
ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Gathering Information about Your Active Directory Deployment
**Applies to**
- Windows 10
- Windows Server 2016
Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed:
- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation.
- **Names and number of domains**. Authentication in server and domain isolation uses the IKE negotiation process with the Kerberos V5 protocol. This protocol assumes that devices are domain members.
- **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between devices in different Active Directory domains.
- **Names and number of sites**. Site architecture is usually aligned with the network topology. Understanding how sites are defined in Active Directory will help provide insight into replication and other details. Site architecture can provide a better understanding of the current Active Directory deployment.
- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices.
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)

114
windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md Normal file
View File

@ -0,0 +1,114 @@
---
title: Gathering Information about Your Current Network Infrastructure (Windows 10)
description: Gathering Information about Your Current Network Infrastructure
ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Gathering Information about Your Current Network Infrastructure
**Applies to**
- Windows 10
- Windows Server 2016
Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
- **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them.
- Network address translation (NAT). NAT is a means of separating network segments by using a device that maps all of the IP addresses on one side of the device to a single IP address accessible on the other side.
- Network infrastructure devices. This includes the routers, switches, hubs, and other network equipment that makes communications between the devices on the network possible.
- **Current network traffic model.** This includes the quantity and the characteristics of the network traffic flowing through your network.
- Intrusion Detection System (IDS) devices. You will need to identify if you have any IDS devices on your network that might be negatively impacted by any encryption introduced in an Encryption Zone.
The goal is to have enough information to be able to identify an asset by its network location, in addition to its physical location.
Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation.
This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation.
## Network segmentation
If your organization does not have its current network architecture documented and available for reference, such documentation should be obtained as soon as possible before you continue with the design and deployment. If the documented information is not current or has not been validated recently, you have two options:
- Accept that the lack of accurate information can cause risk to the project.
- Undertake a discovery project, either through manual processes or with network analysis tools that can provide the information you need to document the current network topology.
Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, do not include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every device in your organization.
During this process, you might discover some network applications and services that are not compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization.
Other examples of incompatibility include:
- Cisco NetFlow on routers cannot analyze packets between IPsec members based on protocol or port.
- Router-based Quality of Service (QoS) cannot use ports or protocols to prioritize traffic. However, using firewall rules that specify IP addresses to prioritize traffic are not affected by this limitation of QoS. For example, a rule that says "From anyone to anyone using port 80 prioritize" does not work, but a rule that says "From anyone to 10.0.1.10 prioritize" works.
- Weighted Fair Queuing and other flow-based router traffic priority methods might fail.
- Devices that do not support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP).
- Router access control lists (ACLs) cannot examine protocol and port fields in ESP-encrypted packets, and therefore the packets are dropped. ACLs based only on IP address are forwarded as usual. If the device cannot parse ESP, any ACLs that specify port or protocol rules will not be processed on the ESP packets. If the device has an ESP parser and uses encryption, ACLs that specify port or protocol rules will not be processed on the ESP packets.
- Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null).
>**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](http://www.microsoft.com/download/details.aspx?id=44226).
 
## Network address translation (NAT)
IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T does not support the use of AH across NAT devices.
## Network infrastructure devices
The devices that make up the network infrastructure (routers, switches, load balancers, and firewalls) must be able communicate using IPsec after the solution is implemented. For this reason, you have to examine the following characteristics of these network devices to ensure that they can handle the technical and physical requirements of the design:
- **Make/model**. You can use this information to determine the features that the device supports. In addition, check the BIOS version or software running on the device to ensure that IPsec is supported.
- **Amount of RAM**. This information is useful when you are analyzing capacity or the impact of IPsec on the device.
- **Traffic analysis**. Information, such as peak usage and daily orweekly trends, is helpful to have. The information helps provide a baseline snapshot of the device and how it is used over time. If problems occur after IPsec is implemented, the information can help determine whether the root cause is related to greater usage of the device.
- **Router ACLs that affect IPsec directly**. ACLs directly affect the ability of specific protocols to function. For example, blocking the Kerberos V5 protocol (UDP and TCP port 88) or IP protocol 50 or 51 prevents IPsec from working. Devices must also be configured to allow IKE traffic (UDP port 500) if using NAT-T (UDP port 4500).
- **Networks/subnets connected to device interfaces**. This information provides the best picture of what the internal network looks like. Defining the boundary of subnets based on an address range is straightforward and helps identify whether other addresses are either unmanaged or foreign to the internal network (such as IP addresses on the Internet).
- **VLAN segmentation**. Determining how VLANs are implemented on the network can help you understand traffic patterns and security requirements, and then help to determine how IPsec might augment or interfere with these requirements.
- **The maximum transmission unit (MTU) size on device interface(s)**. The MTU defines the largest datagram that can be transmitted on a particular interface without being divided into smaller pieces for transmission (a process also known as *fragmentation*). In IPsec communications, the MTU is necessary to anticipate when fragmentation occurs. Packet fragmentation must be tracked for Internet Security Association and Key Management Protocol (ISAKMP) by the router. IPsec configures the MTU size on the session to the minimum-discovered MTU size along the communication path being used, and then set the Don't Fragment bit (DF bit) to 1.
>**Note:**  If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly.
- **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS does not have such a parser, it cannot determine if data in those packets is encrypted.
After you obtain this information, you can quickly determine whether you must upgrade the devices to support the requirements of the project, change the ACLs, or take other measures to ensure that the devices can handle the loads needed.
## Current network traffic model
After gathering the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that is not secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet.
When you examine traffic flow, look closely at how all managed and unmanaged devices interact. This includes non-Windows-based devices running Linux, UNIX, and Macintosh. Ask yourself such questions as:
- Do specific communications occur at the port and protocol level, or are there many sessions between the same hosts across many protocols?
- How do servers and clients communicate with each other?
- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Defender Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail.
Some of the more common applications and protocols are as follows:
- **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it is common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. A null session is a session that is established on a host that does not use the security context of a known user or entity. Frequently, these sessions are anonymous.
- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account.
- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)

55
windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Gathering Information about Your Devices (Windows 10)
description: Gathering Information about Your Devices
ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Gathering Information about Your Devices
**Applies to**
- Windows 10
- Windows Server 2016
One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned.
Capture the following information from each device:
- **Computer name**. This name is the device's NetBIOS or DNS name that identifies the device on the network. Because a device can have more than one media access control (MAC) or IP address, the device's name is one of the criteria that can be used to determine uniqueness on the network. Because device names can be duplicated under some circumstances, the uniqueness should not be considered absolute.
- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address is not an effective way to identify an asset because it is often subject to change.
- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It is also important to track the current state of service packs and updates that might be installed, because these are often used to determine that minimum security standards have been met.
- **Domain membership**. This information is used to determine whether a device can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy.
- **Physical location**. This information is just the location of the device in your organization. It can be used to determine whether a device can participate in a specific isolation group based on its location or the location of the devices that it communicates with regularly.
- **Hardware type or role**. Some tools that perform host discovery can provide this information by querying the hardware information and running applications to determine its type, such as server, workstation, or portable device. You can use this information to determine the appropriate IPsec policy to assign, whether a specific device can participate in isolation, and in which isolation group to include the device.
After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements.
You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to completely manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy.
## Automated Discovery
Using an automated auditing network management system provides valuable information about the current state of the IT infrastructure.
## Manual Discovery
The biggest difference between manual discovery methods and automated methods is time.
You can use Windows PowerShell to create a script file that can collect the system configuration information. For more information, see [Windows PowerShell Scripting](https://go.microsoft.com/fwlink/?linkid=110413).
Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory.
This inventory will be critical for planning and implementing your Windows Defender Firewall design.
**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)

78
windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Gathering Other Relevant Information (Windows 10)
description: Gathering Other Relevant Information
ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Gathering Other Relevant Information
**Applies to**
- Windows 10
- Windows Server 2016
This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization.
## Capacity considerations
Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a device. Areas to watch:
- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](http://technet.microsoft.com/network/dd277647.aspx).
- **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5  KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization.
- **NAT devices.** As discussed earlier, NAT does not allow Authentication Header (AH) conversations between hosts. If NAT devices exist on the internal network, ESP must be selected instead of AH.
- **Switches and routers.** Proper capacity planning for the implementation of IPsec is more about thorough testing and expected traffic loads than exact calculations. You might have to upgrade or reconfigure switches or routers that currently exceed 75 percent usage to allow for increased traffic on the device and still provide some extra usage for bursts of traffic.
- **Other factors.** These include CPU usage on network infrastructure servers, increased overhead on servers and workstations running IPsec (especially servers, because they usually contain more main mode SAs than clients), and increased network latency because of IPsec negotiation.
>**Note:**  When Microsoft deployed its own domain isolation solution, it found a one to three percent increase in usage on the network as a direct result of IPsec.
## Group Policy deployment groups and WMI filters
You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices.
## Different Active Directory trust environments
When you design a domain isolation policy, consider any logical boundaries that might affect IPsec-secured communications. For example, the trust relationships between your domains and forests are critical in determining an appropriate IKE authentication method.
Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responders domain. If firewalls separate the domains then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389.
If the use of Kerberos V5 authentication is not possible because two-way trusts across forests cannot be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication.
## Creating firewall rules to permit IKE, AH, and ESP traffic
In some cases, IPsec-secured traffic might have to pass through a router, perimeter firewall, or other filtering device. In the case of a router, unless the router filters TCP and UDP traffic or other upper-level protocol headers, no special configuration is required to allow the IPsec traffic to be forwarded.
In the case of a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected.
For more info, see [How to Enable IPsec Traffic Through a Firewall](https://go.microsoft.com/fwlink/?LinkId=45085).
## Network load balancing and server clusters
There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific device, it prevents different devices from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client device as untrusted.
This means that NLB in "no affinity" mode is not supported by IPsec at all. If you must use "no affinity" mode in the cluster then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec.
When a TCP connection is dropped because of a cluster node failover, IPsec detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out.
## Network inspection technologies
Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some are not yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device.
Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, cannot parse ESP-encrypted traffic. Only the destination device, with which the originating device negotiated the connection, can decrypt the traffic.
In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there is no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you cannot upgrade monitoring or management devices to support IPsec, it is important that you record this information and figure it into your domain or server isolation design.
Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices.
Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)

29
windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Gathering the Information You Need (Windows 10)
description: Gathering the Information You Need
ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Gathering the Information You Need
**Applies to**
- Windows 10
- Windows Server 2016
Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
Review each of the following topics for guidance about the kinds of information that you must gather:
- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
- [Gathering Information about Your Devices](gathering-information-about-your-devices.md)
- [Gathering Other Relevant Information](gathering-other-relevant-information.md)

44
windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md Normal file
View File

@ -0,0 +1,44 @@
---
title: GPO\_DOMISO\_Boundary (Windows 10)
description: GPO\_DOMISO\_Boundary
ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# GPO\_DOMISO\_Boundary
**Applies to**
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008.
## IPsec settings
The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain when authentication can be used.
## Connection security rules
Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that is not part of the isolated domain connects.
## Registry settings
The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
## Firewall rules
Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other devices. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests.
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)

55
windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md Normal file
View File

@ -0,0 +1,55 @@
---
title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10)
description: GPO\_DOMISO\_Encryption\_WS2008
ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446
author: brianlic-msft
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.date: 08/17/2017
---
# GPO\_DOMISO\_Encryption\_WS2008
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008.
## IPsec settings
The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO:
The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations.
## Connection security rules
Rename the **Isolated Domain Rule** to **Encryption Zone Rule**. Leave the authentication mode setting on **Require inbound and request outbound**. In this mode, the computer forces authentication for all inbound network traffic, and uses it when it can on outbound traffic.
## Registry settings
The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
## Firewall rules
Copy the firewall rules for the encryption zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 1433 for SQL Server client requests.
Change the action for every inbound firewall rule from **Allow the connection** to **Allow only secure connections**, and then select **Require the connections to be encrypted**.
Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
 
 

66
windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md Normal file
View File

@ -0,0 +1,66 @@
---
title: GPO\_DOMISO\_Firewall (Windows 10)
description: GPO\_DOMISO\_Firewall
ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# GPO\_DOMISO\_Firewall
**Applies to**
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Defender Firewall
with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.
## Firewall settings
This GPO provides the following settings:
- Unless otherwise stated, the firewall rules and settings described here are applied to all profiles.
- The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed.
- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the devices can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**.
>**Note:**  Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot devices.
## Firewall rules
This GPO provides the following rules:
- Built-in firewall rule groups are configured to support typically required network operation. The following rule groups are set to **Allow the connection**:
- Core Networking
- File and Printer Sharing
- Network Discovery
- Remote Administration
- Remote Desktop
- Remote Event Log Management
- Remote Scheduled Tasks Management
- Remote Service Management
- Remote Volume Management
- Windows Defender Firewall Remote Management
- Windows Management Instrumentation (WMI)
- Windows Remote Management
- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)

84
windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md Normal file
View File

@ -0,0 +1,84 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10)
description: GPO\_DOMISO\_IsolatedDomain\_Clients
ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# GPO\_DOMISO\_IsolatedDomain\_Clients
**Applies to**
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile.
## General settings
This GPO provides the following settings:
- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy.
- The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting.
- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones.
- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
| Setting | Value |
| - | - |
| Enable PMTU Discovery | 1 |
| IPsec Exemptions | 3 |
- The main mode security method combinations in the order shown in the following table.
| Integrity | Encryption |
| - | - |
| Secure Hash Algorithm (SHA-1) | Advanced Encryption Standard (AES-128) |
| SHA-1 | 3DES |
- The following quick mode security data integrity algorithms combinations in the order shown in the following table.
| Protocol | Integrity | Key Lifetime (minutes/KB) |
| - | - | - |
| ESP | SHA-1 | 60/100,000 |
- The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table.
| Protocol | Integrity | Encryption | Key Lifetime (minutes/KB) |
| - | - | - | - |
| ESP | SHA-1 | AES-128 | 60/100,000|
| ESP | SHA-1 | 3DES | 60/100,000|
>**Note:**  Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows.
## Connection Security Rules
This GPO provides the following rules:
- A connection security rule named **Isolated Domain Rule** with the following settings:
- From **Any IP address** to **Any IP address**.
- **Require inbound and request outbound** authentication requirements.
>**Important:**  On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the devices were successfully communicating by using IPsec, they switched the GPOs to require authentication.
- For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that cannot run Windows or cannot join the domain, but must still participate in the isolated domain.
- For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box.
- A connection security rule to exempt devices that are in the exemption list from the requirement to authenticate:
- The IP addresses of all devices on the exemption list must be added individually under **Endpoint 2**.
- Authentication mode is set to **Do not authenticate**.
**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)

28
windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md Normal file
View File

@ -0,0 +1,28 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10)
description: GPO\_DOMISO\_IsolatedDomain\_Servers
ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# GPO\_DOMISO\_IsolatedDomain\_Servers
**Applies to**
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008.
Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here:
- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008).
>**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device.
**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)

30
windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md Normal file
View File

@ -0,0 +1,30 @@
---
title: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals (Windows 10)
description: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
**Applies to**
- Windows 10
- Windows Server 2016
Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios.
The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals:
| Deployment goal tasks | Reference links |
| --- | --- |
| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals: <p><ul><li>[Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)</li><p><li>[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)</li> <p><li>[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)</li> <p><li>[Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)</li></ul>
| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. | <ul><li>[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)</li></ul>
| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. | <ul><li>[Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)</li> <p><li>[Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)</li></ul>
<br />
**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)

BIN
windows/security/identity-protection/windows-firewall/images/corpnet.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.0 KiB

BIN
windows/security/identity-protection/windows-firewall/images/createipsecrule.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.9 KiB

BIN
windows/security/identity-protection/windows-firewall/images/powershelllogosmall.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
windows/security/identity-protection/windows-firewall/images/qmcryptoset.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.1 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-design2example1.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-design3example1.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-designexample1.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-designflowchart1.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-domainiso.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-domainisoencrypt.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-domainisohighsec.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-domainnag.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfas-icon-checkbox.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 B

BIN
windows/security/identity-protection/windows-firewall/images/wfas-implement.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/security/identity-protection/windows-firewall/images/wfasdomainisoboundary.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

48
windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10)
description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Implementing Your Windows Defender Firewall with Advanced Security Design Plan
**Applies to**
- Windows 10
- Windows Server 2016
The following are important factors in the implementation of your Windows Defender Firewall design plan:
- **Group Policy**. The Windows Defender Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network.
- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone.
- **Devices running operating systems other than Windows**. If your network includes devices that are not running the Windows operating system, then you must make sure that required communication with those devices is not blocked by the restrictions put in place by your design. You must do one of the following:
- Include those devices in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used.
- Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design.
## How to implement your Windows Defender Firewall with Advanced Security design using this guide
The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design.
![wfas implementation](images/wfas-implement.gif)
Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design.
- [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md).

27
windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Isolated Domain GPOs (Windows 10)
description: Isolated Domain GPOs
ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Isolated Domain GPOs
**Applies to**
- Windows 10
- Windows Server 2016
All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section.
The GPOs created for the Woodgrove Bank isolated domain include the following:
- [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md)
- [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)

60
windows/security/identity-protection/windows-firewall/isolated-domain.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Isolated Domain (Windows 10)
description: Isolated Domain
ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Isolated Domain
**Applies to**
- Windows 10
- Windows Server 2016
The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone.
The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain.
For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones.
You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
The GPOs for the isolated domain should contain the following connection security rules and settings.
## GPO settings for isolated domain members running at least Windows Vista and Windows Server 2008
GPOs for devices running at least Windows Vista and Windows Server 2008 should include the following:
- IPsec default settings that specify the following options:
1. Exempt all ICMP traffic from IPsec.
2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method.
- The following connection security rules:
- A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment.
- A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication by using Kerberos V5 authentication.
>**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out. 
- A registry policy that includes the following values:
- Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
>**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
**Next: **[Boundary Zone](boundary-zone.md)

250
windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md Normal file
View File

@ -0,0 +1,250 @@
---
title: Isolating Microsoft Store Apps on Your Network (Windows 10)
description: Isolating Microsoft Store Apps on Your Network
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 10/13/2017
---
# Isolating Microsoft Store Apps on Your Network
**Applies to**
- Windows 10
- Windows Server 2016
When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access.
The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network.
When creating new Microsoft Store apps, a developer can define the following network capabilities for their app:
- **Home\\Work Networking**
Provides inbound and outbound access to intranet networks that the user has designated as a home or a work network, or if the network has an authenticated domain controller.
- **Internet (Client)**
Provides outbound access to the Internet and untrusted networks, such as airports and coffee shops (for example, intranet networks where the user has designated the network as Public). Most apps that require Internet access should use this capability.
- **Internet (Client and Server)**
Provides inbound and outbound access to the Internet and untrusted networks, such as airports and coffee shops. This capability is a superset of the **Internet (Client)** capability, and **Internet (Client)** does not need to be enabled if this capability is enabled.
- **Proximity**
Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device.
**In this topic**
To isolate Microsoft Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Microsoft Store app firewall rules.
- [Prerequisites](#prerequisites)
- [Step 1: Define your network](#step-1-define-your-network)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)
## Prerequisites
- A domain controller is installed on your network, and your devices are joined to the Windows domain.
- Your Microsoft Store app is installed on the client device.
- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules.
>**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 
## Step 1: Define your network
The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Microsoft Store apps can access intranet resources appropriately.
A network endpoint is considered part of the **Home\\Work Network** if:
- It is part of the local subnet of a trusted network.
For example, home users generally flag their network as Trusted. Local devices will be designated as such.
- A device is on a network, and it is authenticated to a domain controller.
- Endpoints within the intranet address space are considered private.
- Endpoints within the local subnet are considered private.
- The device is configured for DirectAccess, and the endpoint is part of the intranet address space.
The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative.
Any proxies that you configure or that are automatically configured with proxy autoconfiguration (by using Web Proxy Auto-Discovery (WPAD) protocol) are exempt from the intranet zone. You can add proxy addresses by using Group Policy.
All other endpoints that do not meet the previously stated criteria are considered endpoints on the Internet.
**To configure a GPO that defines your intranet address space**
1. Open the Group Policy Management snap-in (gpmc.msc) and edit the Default Domain Policy.
2. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**.
3. In the right pane, double-click **Private network ranges for apps**.
4. In the **Private network ranges for apps** dialog box, click **Enabled**. In the **Private subnets** text box, type the private subnets for your intranet, separated by commas if necessary.
For example, if the Contoso intranet is defined as 10.0.0.0 with a subnet mask of 255.255.255.0, you would type 10.0.0.0/24 in the **Private subnets** text box.
5. Double-click **Subnet definitions are authoritative**.
If you want the subnet definitions that you previously created to be the single source for your subnet definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional subnets by using local settings or network isolation heuristics.
**To configure the proxy addresses for the intranet and Internet**
1. Double-click **Internet proxy servers for apps**. Click **Enabled**, and then in the **Domain Proxies** text box, type the IP addresses of your Internet proxy servers, separated by semicolons.
2. Double-click **Intranet proxy servers for apps**. Click **Enabled**, and then in the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons.
3. Double-click **Proxy definitions are authoritative**.
If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics.
## Step 2: Create custom firewall rules
Microsoft Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices.
The following table provides a complete list of the possible app capabilities.
| Capability | Name | Description |
| - | - | - |
| **Internet (Client)** | internetClient | Your outgoing Internet connection.|
| **Internet (Client &amp; Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared.
| **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.|
| **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.|
| **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.|
| **Video Library Access**| videosLibrary| Your Videos library, including the capability to add, change, or delete files.|
| **Music Library Access**| musicLibrary|Your Music library, including the capability to add, change, or delete files.|
| **Default Windows Credentials**| defaultWindowsCredentials| Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.|
| **Removable Storage** | removableStorage| A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.|
| **Shared User Certificates**| sharedUserCertificates| Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you.|
| **Location**| location| Provides access to the user's current location.|
| **Microphone** | microphone| Provides access to the microphone's audio feed.|
| **Near-field Proximity** | proximity| Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.|
| **Text Messaging** | sms| Provides access to text messaging functionality.|
| **Webcam** | webcam| Provides access to the webcam's video feed.|
| **Other devices (represented by GUIDs)** | &lt;GUID&gt;| Includes specialized devices and Windows Portable Devices.|
You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Microsoft Store app.
For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
**To block Internet access for any apps on your network that have the Documents Library capability**
1. Open the Group Policy Management snap-in (gpmc.msc).
2. In the left pane, right-click your domain name and click **Create a GPO in this domain, and link it here**.
3. Type a name for the GPO in the **Name** text box, and then click **OK**.
4. Right-click the new GPO, and then click **Edit**.
5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall LDAP://…**
6. Right-click **Outbound Rules**, and then click **New Rule**.
7. Click **Custom**, and then click **Next**.
8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page.
9. On the **Action** page, ensure that **Block the Connection** is selected, and then click **Next**.
10. On the **Profile** page, click **Next**.
11. On the **Name** page, type a name for your rule, and then click **Finish**.
12. In the right pane, right-click your new rule and click **Properties**.
13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
14. Click **Application Package Properties**, and then click **OK**.
15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\Your documents library**, and then click **OK**.
16. Click the **Scope** tab under **Remote IP addresses**, and then click **Add**.
17. Click **Predefined set of computers**, select **Internet**, and click **OK**.
This scopes the rule to block traffic to Internet devices.
18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**.
19. Click **Apply to application packages only**, and then click **OK**.
>**Important:**  You must do this to ensure that the rule applies only to Microsoft Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
20. Click **OK** to close the **Properties** dialog box.
21. Close the Group Policy Management Editor.
22. In the Group Policy Management snap-in, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**. Click **Remove**, and then click **OK**.
23. Under **Security Filtering**, click **Add**.
24. Type **domain computers** in the text box, and then click **OK**.
25. Close the Group Policy Management snap-in.
Use the following procedure if you want to block intranet access for a specific media sharing app on your network.
**To block intranet access for a specific media sharing app on your network**
1. Open the Group Policy Management snap-in (gpmc.msc).
2. In the left pane, right-click your domain name, and then click **Create a GPO in this domain, and link it here**.
3. Type a name for your GPO in the **Name** text box, and then click **OK**.
4. Right-click your new GPO, and then click **Edit**.
5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall LDAP://**
6. Right-click **Outbound Rules**, and then click **New Rule**.
7. Click **Custom**, and then click **Next**.
8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page.
9. On the **Action** page, ensure **Block the Connection** is selected, and then click **Next**.
10. On the **Profile** page, click **Next**.
11. On the **Name** page, type a name for your rule, and then click **Finish**.
12. In the right pane, right-click your new rule, and then click **Properties**.
13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
14. Click **Application Package Properties**, and then click **OK**.
15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\A home or work network**, and then click **OK**.
16. Click the **Programs and Services** tab under **Application Packages**, and then click **Settings**.
17. Click **Apply to this application package**, select the app in the text box, and then click **OK**.
18. Click **OK** to close the **Properties** dialog box.
19. Close the Group Policy Management Editor.
20. In Group Policy Management, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**, click **Remove**, and then click **OK**.
21. Under **Security Filtering**, click **Add**.
22. Type **domain computers** in the text box and click **OK**.
23. Close Group Policy Management.
## See also
- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)

39
windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md Normal file
View File

@ -0,0 +1,39 @@
---
title: Link the GPO to the Domain (Windows 10)
description: Link the GPO to the Domain
ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Link the GPO to the Domain
**Applies to**
- Windows 10
- Windows Server 2016
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.
If the filters comprehensively control the application of the GPO to only the correct devices, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of devices.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Admins group, or otherwise be delegated permissions to modify the GPOs.
To link the GPO to the domain container in Active Directory
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, and then expand *YourDomainName*.
3. Right-click *YourDomainName*, and then click **Link an Existing GPO**.
4. In the **Select GPO** dialog box, select the GPO that you want to deploy, and then click **OK**.
5. The GPO appears in the **Linked Group Policy Objects** tab in the details pane and as a linked item under the domain container in the navigation pane.
6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client device from the highest link order number to the lowest.

34
windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md Normal file
View File

@ -0,0 +1,34 @@
---
title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10)
description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
**Applies to**
- Windows 10
- Windows Server 2016
After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
>**Important:**  The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design.
Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization.
| Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design |
| - |- | - | - | - |
| [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes|
| [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) | -| Yes| Yes| Yes|
| [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)| -| -| Yes| Yes|
| [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)| -| Optional| Optional| Optional|
To examine details for a specific design, click the design title at the top of the column in the preceding table.
**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)

75
windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Modify GPO Filters to Apply to a Different Zone or Version of Windows (Windows 10)
description: Modify GPO Filters to Apply to a Different Zone or Version of Windows
ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Modify GPO Filters to Apply to a Different Zone or Version of Windows
**Applies to**
- Windows 10
- Windows Server 2016
You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
In this topic:
- [Change the security group filter for a GPO](#to-change-the-security-group-filter-for-a-gpo)
- [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo)
- [Remove a block for members of a group from applying a GPO](#to-remove-a-block-for-members-of-group-from-applying-a-gpo)
## To change the security group filter for a GPO
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, under **Security Filtering**, click the currently assigned security group, and then click **Remove**.
4. Now you can add the appropriate security group to this GPO. Under **Security Filtering**, click **Add**.
5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
## To block members of a group from applying a GPO
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, click the **Delegation** tab.
4. Click **Advanced**.
5. Under the **Group or user names** list, click **Add**.
6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
7. Select the group in the **Group or user names** list, and then select the boxes in the **Deny** column for both **Read** and **Apply group policy**.
8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
9. The group appears in the list with custom permissions.
## To remove a block for members of group from applying a GPO
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, click the **Delegation** tab.
4. In the **Groups and users** list, select the group that should no longer be blocked, and then click **Remove**.
5. In the message box, click **OK**.

27
windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Open the Group Policy Management Console to IP Security Policies (Windows 10)
description: Open the Group Policy Management Console to IP Security Policies
ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Open the Group Policy Management Console to IP Security Policies
**Applies to**
- Windows 10
- Windows Server 2016
Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC).
**To open a GPO to the IP Security Policies section**
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (***YourDomainName***)**.

27
windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10)
description: Open the Group Policy Management Console to Windows Firewall with Advanced Security
ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Open the Group Policy Management Console to Windows Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016
Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security.
To open a GPO to Windows Firewall with Advanced Security
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**.

27
windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security (Windows 10)
description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016
To open a GPO to Windows Defender Firewall:
1. Open the Active Directory Users and Computers console.
2. In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**.
3. Click the **Group Policy** tab, select your GPO, and then click **Edit**.
4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**.

47
windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Open Windows Defender Firewall with Advanced Security (Windows 10)
description: Open Windows Defender Firewall with Advanced Security
ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Open Windows Defender Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016
This procedure shows you how to open the Windows Defender Firewall with Advanced Security console.
**Administrative credentials**
To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations.
## Opening Windows Defender Firewall
- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui)
- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt)
## To open Windows Defender Firewall using the UI
Click Start, type **Windows Defender Firewall**, and the press ENTER.
## To open Windows Defender Firewall from a command prompt
1. Open a command prompt window.
2. At the command prompt, type:
``` syntax
wf.msc
```
**Additional considerations**
Although standard users can start the Windows Defender Firewall MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators.

55
windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Planning Certificate-based Authentication (Windows 10)
description: Planning Certificate-based Authentication
ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Planning Certificate-based Authentication
**Applies to**
- Windows 10
- Windows Server 2016
Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication.
The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each device sends a copy of its certificate to the other device. Each device examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local device.
Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS).
## Deploying certificates
No matter how you acquire your certificates, you must deploy them to clients and servers that require them in order to communicate.
### Using Active Directory Certificate Services
If you use AD CS to create your own user and device certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. AD CS then uses Group Policy to deploy the certificates to domain member devices. Device certificates are deployed when a domain member device starts. User certificates are deployed when a user logs on.
If you want non-domain member devices to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each device or user includes enough identification information to enable IPsec to match the certificate to both user and device accounts.
AD CS automatically ensures that certificates issued by the CAs are trusted by the client devices by putting the CA certificates in the correct store on each domain member device.
### Using a commercially purchased certificate for devices running Windows
You can import the certificates manually onto each device if the number of devices is relatively small. For a deployment to more than a handful of devices, use Group Policy.
You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each device that applies the GPO.
You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each device that applies the GPO.
### Using a commercially purchased certificate for devices running a non-Windows operating system
If you are installing the certificates on an operating system other than Windows, see the documentation for that operating system.
## Configuring IPsec to use the certificates
When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution.
Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
**Next: **[Documenting the Zones](documenting-the-zones.md)

31
windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md Normal file
View File

@ -0,0 +1,31 @@
---
title: Planning Domain Isolation Zones (Windows 10)
description: Planning Domain Isolation Zones
ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Planning Domain Isolation Zones
**Applies to**
- Windows 10
- Windows Server 2016
After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment.
The bulk of the work in planning server and domain isolation is determining which devices to assign to each isolation zone. Correctly choosing the zone for each device is important to providing the correct level of security without compromising performance or the ability for a device to send or receive required network traffic.
The zones described in this guide include the following:
- [Exemption List](exemption-list.md)
- [Isolated Domain](isolated-domain.md)
- [Boundary Zone](boundary-zone.md)
- [Encryption Zone](encryption-zone.md)

117
windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md Normal file
View File

@ -0,0 +1,117 @@
---
title: Planning GPO Deployment (Windows 10)
description: Planning GPO Deployment
ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/17/2017
---
# Planning GPO Deployment
**Applies to**
- Windows 10
- Windows Server 2016
You can control which GPOs are applied to devices in Active Directory in a combination of three ways:
- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO.
Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to devices based on their location within Active Directory. If a device is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling.
- **Security group filtering**. This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO.
The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those devices whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO.
- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a device is a member of the result set when the WMI filter query runs, the GPO is applied to the device.
A WMI filter consists of one or more conditions that are evaluated against the local device. You can check almost any characteristic of the device, its operating system, and its installed programs. If all of the specified conditions are true for the device, the GPO is applied; otherwise the GPO is ignored.
This guide uses a combination of security group filtering and WMI filtering to provide the most flexible options. If you follow this guidance, even though there might be five different GPOs linked to a specific group because of operating system version differences, only the correct GPO is applied.
## General considerations
- Deploy your GPOs before you add any device accounts to the groups that receive the GPOs. That way you can add your devices to the groups in a controlled manner. Be sure to add only a few test devices at first. Before adding many group members, examine the results on the test devices and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue.
## Test your deployed groups and GPOs
After you have deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members:
- Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt.
- Examine the rules deployed to the device. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes.
- Verify that communications are authenticated. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**.
- Verify that communications are encrypted when the devices require it. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column.
- Verify that your programs are unaffected. Run them and confirm that they still work as expected.
After you have confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices.
## Do not enable require mode until deployment is complete
If you deploy a GPO that requires authentication to a device before the other devices have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the devices are successfully communicating by using IPsec.
If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, devices can continue to operate, because request mode enables any device to fall back to clear communications.
Only after you have added all of the devices to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain.
Do not change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections.
If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of devices to the larger groups.
## Example Woodgrove Bank deployment plans
Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of devices. All of the GPOs have the User Configuration section disabled to improve performance.
### GPO\_DOMISO\_Firewall
- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
`select * from Win32_OperatingSystem where Version like "6.%" and ProductType <> "2"`
>**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices running versions of Windows earlier than Windows Vista and Windows Server 2008.
- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC.
### GPO\_DOMISO\_IsolatedDomain\_Clients
- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
`select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"`
- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC.
### GPO\_DOMISO\_IsolatedDomain\_Servers
- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
`select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"`
>**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008.
- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC.
### GPO\_DOMISO\_Boundary
- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
`select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"`
>**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008.
- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC.
### GPO\_DOMISO\_Encryption
- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query:
`select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"`
>**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008.
- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to devices that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC.

29
windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10)
description: Planning Group Policy Deployment for Your Isolation Zones
ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Planning Group Policy Deployment for Your Isolation Zones
**Applies to**
- Windows 10
- Windows Server 2016
After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan.
You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct devices within each group.
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
- [Planning Network Access Groups](planning-network-access-groups.md)
- [Planning the GPOs](planning-the-gpos.md)
- [Planning GPO Deployment](planning-gpo-deployment.md)

Some files were not shown because too many files have changed in this diff Show More