| Task | Reference |
|---|---|
| Turn the firewall on and set the default inbound and outbound behavior. | |
| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | |
| Configure the firewall to record a log file. | |

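The three checklist rows above are all profile-level settings. As an added example (not part of the original checklist), the following PowerShell applies them to the Domain, Private and Public profiles with the NetSecurity module cmdlets and then re-reads each profile to report any setting that does not match; the log file path and size are assumed values.

```powershell
# Added example: apply the firewall-defaults checklist to every profile and
# verify the result afterwards. Requires the NetSecurity module (Windows 8 /
# Windows Server 2012 and later). The log path and size below are assumed.
$LogPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'   # assumed path

# Desired state, written once so the apply and verify steps cannot drift apart.
$Desired = @{
    Enabled                 = 'True'
    DefaultInboundAction    = 'Block'   # drop unsolicited inbound traffic
    DefaultOutboundAction   = 'Allow'   # allow outbound unless a rule blocks it
    NotifyOnListen          = 'False'   # no "program was blocked" notifications
    AllowLocalFirewallRules = 'False'   # ignore locally defined firewall rules
    AllowLocalIPsecRules    = 'False'   # ignore locally defined connection security rules
    LogBlocked              = 'True'    # record dropped packets in the log file
    LogFileName             = $LogPath
    LogMaxSizeKilobytes     = 4096      # assumed size
}

function Set-ChecklistFirewallDefaults {
    # For a GPO instead of the local policy, add
    # -PolicyStore 'contoso.com\Firewall Defaults GPO' (assumed name) here and below.
    Set-NetFirewallProfile -Profile Domain, Private, Public @Desired
}

function Test-ChecklistFirewallDefaults {
    # Emits one object per profile/setting pair that differs from the checklist;
    # no output means all three profiles match.
    foreach ($p in Get-NetFirewallProfile -Profile Domain, Private, Public) {
        foreach ($key in $Desired.Keys) {
            if ("$($p.$key)" -ne "$($Desired[$key])") {
                [pscustomobject]@{
                    Profile  = $p.Name
                    Setting  = $key
                    Expected = $Desired[$key]
                    Actual   = $p.$key
                }
            }
        }
    }
}

Set-ChecklistFirewallDefaults
Test-ChecklistFirewallDefaults | Format-Table -AutoSize
```

Run the script in an elevated session; the drift report is also useful on its own as a periodic check that local administrators have not re-enabled local rules.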
| Task | Reference |
|---|---|
| Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. | |
| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it. | |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | |
| Configure the key exchange (main mode) security methods and algorithms to be used. | |
| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | |
| Configure the authentication methods to be used. | |
| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | |
| Create a rule that requests authentication for all network traffic. Important: Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate. | |
| Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone. | |
| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | |
| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group. | |

| Task | Reference |
|---|---|
| Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | |
| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended. | |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | |
| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | |
| Configure the key exchange (main mode) security methods and algorithms to be used. | |
| Configure the data protection (quick mode) algorithm combinations to be used. | |
| Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional. | |
| Create a rule that requests authentication for all inbound network traffic. Important: Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate. | |
| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | |
| Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers. | |
| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG. | |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | |
| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group. | |

| Task | Reference |
|---|---|
| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication. | |
| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended. | |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | |
| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group. | |
| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | |

| Task | Reference |
|---|---|
| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone. | |
| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | |
| Add the encryption requirements for the zone. | |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | |
| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group. | |
| Verify that the connection security rules are protecting network traffic. | |

| Task | Reference |
|---|---|
| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | |
| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | |
| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | |
| Configure the key exchange (main mode) security methods and algorithms to be used. | |
| Configure the data protection (quick mode) algorithm combinations to be used. | |
| Configure the authentication methods to be used. | |
| Create the rule that requests authentication for all inbound network traffic. | |
| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | |
| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group. | |
| Verify that the connection security rules are protecting network traffic to and from the test computers. | |

| Task | Reference |
|---|---|
| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization. | |
| Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO. If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter. | |
| Create a GPO for each version of Windows that has different implementation requirements. | |
| Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group. | |
| Create WMI filters to limit each GPO to only the computers that match the criteria in the filter. | |
| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended. | |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | |
| Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group. | |

| Task | Reference |
|---|---|
| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | |
| Create a rule that allows inbound network traffic on a specified port number. | |
| Create a rule that allows inbound ICMP network traffic. | |
| Create rules that allow inbound RPC network traffic. | |
| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | |

| Task | Reference |
|---|---|
| Create a rule that allows a program to send any outbound network traffic on any port it requires. | |
| Create a rule that allows outbound network traffic on a specified port number. | |
| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | |

| Task | Reference |
|---|---|
| Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it. | |
| To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows. | |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | |
| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | |
| Configure the key exchange (main mode) security methods and algorithms to be used. | |
| Configure the data protection (quick mode) algorithm combinations to be used. | |
| Configure the authentication methods to be used. | |
| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain. | |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | |
| Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group. | |

| Task | Reference |
|---|---|
| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | |
| Create the membership group and a GPO for each set of computers that require different firewall rules. Where GPOs will be similar, such as for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. | |
| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the computers for which this GPO is intended. | |
| Configure the GPO with firewall default settings appropriate for your design. | |
| Create one or more inbound firewall rules to allow unsolicited inbound network traffic. | |
| Create one or more outbound firewall rules to block unwanted outbound network traffic. | |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | |
| Add test computers to the membership group, and then confirm that the computers receive the firewall rules from the GPOs as expected. | |
| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy the completed firewall policy settings to your computers. | |

| Task | Reference |
|---|---|
| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization. | |
| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network. | |
| Configure the certificate template for workstation authentication certificates. | |
| Configure Group Policy to automatically deploy certificates based on your template to workstation computers. | |
| On a test computer, refresh Group Policy and confirm that the certificate is installed. | |

| Task | Reference |
|---|---|
| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization. | |
| Create the GPOs and connection security rules for the isolated domain. | |
| Create the GPOs and connection security rules for the boundary zone. | |
| Create the GPOs and connection security rules for the encryption zone. | |
| Create the GPOs and connection security rules for the isolated server zone. | |
| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers. | |
| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode. | |

| Task | Reference |
|---|---|
| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization. | |
| Create the GPOs and connection security rules for isolated servers. | |
| Create the GPOs and connection security rules for the client computers that must connect to the isolated servers. | |
| Verify that the connection security rules are protecting network traffic on your test computers. | |
| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | |
| According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings. | |

| Computer name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost |
|---|---|---|---|---|---|
| CLIENT001 | No | No | Upgrade hardware and software. | Current operating system is Windows XP. Old hardware is not compatible with Windows 8. | $?? |
| SERVER001 | Yes | No | Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012. | No antivirus software present. | $?? |

| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group |
|---|---|---|---|---|---|---|
| CLIENT001 | No | No | Upgrade hardware and software. | Current operating system is Windows XP. Old hardware is not compatible with Windows 8. | $?? | Isolated domain |
| SERVER002 | Yes | No | Join trusted domain and upgrade from Windows Server 2008 to Windows Server 2012. | No antivirus software present. | $?? | Encryption |
| SENSITIVE001 | Yes | Yes | Not required. | Running Windows Server 2012. Ready for inclusion. | $0 | Isolated server (in zone by itself) |
| PRINTSVR1 | Yes | Yes | Not required. | Running Windows Server 2008 R2. Ready for inclusion. | $0 | Boundary |

| Setting | Value |
|---|---|
| Enable PMTU Discovery | 1 |
| IPsec Exemptions | 3 |

| Integrity | Encryption |
|---|---|
| Secure Hash Algorithm (SHA-1) | Advanced Encryption Standard (AES-128) |
| SHA-1 | 3DES |

| Protocol | Integrity | Key Lifetime (minutes/KB) |
|---|---|---|
| ESP | SHA-1 | 60/100,000 |

| Protocol | Integrity | Encryption | Key Lifetime (minutes/KB) |
|---|---|---|---|
| ESP | SHA-1 | AES-128 | 60/100,000 |
| ESP | SHA-1 | 3DES | 60/100,000 |

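The main mode (integrity/encryption) and quick mode (ESP, key lifetime) tables above can be expressed directly as NetSecurity module crypto sets. The following PowerShell is an added example, not part of the original guide: it builds both sets with the algorithm combinations and lifetimes from the tables, attaches them to a connection security rule that only requests authentication (as the checklists advise until testing is complete), and adds a check for rules that already require it. Display names and the DH group are assumed, and the cmdlet parameters are the NetSecurity module's as recalled by the author; confirm them with Get-Help on the target system.

```powershell
# Added example: turn the main mode and quick mode tables into crypto sets and a
# request-mode connection security rule. Requires the NetSecurity module.
# Display names marked "assumed" are not from the guide.

# Main mode (key exchange): SHA-1 integrity with AES-128 first, 3DES second,
# matching the table order. The table gives no DH group; DH14 is an assumed choice.
$mm1 = New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA1 -KeyExchange DH14
$mm2 = New-NetIPsecMainModeCryptoProposal -Encryption DES3   -Hash SHA1 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName 'Isolation main mode (assumed)' `
                                       -Proposal $mm1, $mm2

# Quick mode (data protection): ESP with SHA-1, AES-128 then 3DES,
# key lifetime 60 minutes / 100,000 KB exactly as the table lists it.
$qm1 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 `
           -Encryption AES128 -MaxLifetimeMinutes 60 -MaxKilobytes 100000
$qm2 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 `
           -Encryption DES3   -MaxLifetimeMinutes 60 -MaxKilobytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Isolation quick mode (assumed)' `
                                        -Proposal $qm1, $qm2

# Main mode rule that selects the main mode crypto set for all peers.
New-NetIPsecMainModeRule -DisplayName 'Isolation main mode rule (assumed)' `
                         -MainModeCryptoSet $mmSet.Name | Out-Null

# Request (not require) authentication in both directions, using the quick mode
# set above. Switch -InboundSecurity to Require only after testing is complete.
New-NetIPsecRule -DisplayName 'Isolation request auth (assumed)' `
                 -InboundSecurity Request -OutboundSecurity Request `
                 -QuickModeCryptoSet $qmSet.Name | Out-Null

function Get-RequireModeIPsecRule {
    # Lists rules that already require inbound authentication. Per the
    # checklists this should return nothing until testing is complete.
    Get-NetIPsecRule |
        Where-Object { $_.InboundSecurity -eq 'Require' } |
        Select-Object DisplayName, InboundSecurity, OutboundSecurity
}

Get-RequireModeIPsecRule
```

Add -PolicyStore with the GPO name (for example 'contoso.com\Isolation GPO', an assumed value) to each New-* cmdlet to write the sets and rules into the GPO rather than the local policy; on current systems you would normally place an SHA-256/AES-256 proposal ahead of these and keep 3DES only for legacy peers.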
| Deployment goal tasks | Reference links |
|---|---|
| Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals: |
| Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design. | |
| Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan. | |

| Capability | Name | Description |
|---|---|---|
| Internet (Client) | internetClient | Your outgoing Internet connection. |
| Internet (Client & Server) | internetClientServer | Your Internet connection, including incoming unsolicited connections from the Internet. The app can send information to or from your computer through a firewall. You do not need to declare internetClient if this capability is declared. |
| Home\Work Networking | privateNetworkClientServer | A home or work network. The app can send information to or from your computer and other computers on the same network. |
| Document Library Access | documentsLibrary | Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest. The app cannot access document libraries on HomeGroup computers. |
| Picture Library Access | picturesLibrary | Your Pictures library, including the capability to add, change, or delete files. This capability also includes Picture libraries on HomeGroup computers and picture file types on locally connected media servers. |
| Video Library Access | videosLibrary | Your Videos library, including the capability to add, change, or delete files. This capability also includes Video libraries on HomeGroup computers and video file types on locally connected media servers. |
| Music Library Access | musicLibrary | Your Music library, including the capability to add, change, or delete files. This capability also includes Music libraries on HomeGroup computers and music file types on locally connected media servers. |
| Default Windows Credentials | defaultWindowsCredentials | Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network. |
| Removable Storage | removableStorage | A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest. |
| Shared User Certificates | sharedUserCertificates | Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you. |
| Location | location | Provides access to the user's current location. |
| Microphone | microphone | Provides access to the microphone's audio feed. |
| Near-field Proximity | proximity | Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device. |
| Text Messaging | sms | Provides access to computer text messaging functionality. |
| Webcam | webcam | Provides access to the webcam's video feed. |
| Other devices (represented by GUIDs) | <GUID> | Includes specialized devices and Windows Portable Devices. |

| Deployment Goals | [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) | [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) | [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) | [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md) |
|---|---|---|---|---|
| [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md) | Yes | Yes | Yes | Yes |
| [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md) | - | Yes | Yes | Yes |
| [Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md) | - | - | Yes | Yes |
| [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md) | - | Optional | Optional | Optional |

| Group name | Description |
|---|---|
| CG_DOMISO_No_IPsec | A universal group of computer accounts that do not participate in the IPsec environment. Typically consists of infrastructure computer accounts that will also be included in exemption lists. This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members. |
| CG_DOMISO_IsolatedDomain | A universal group of computer accounts that contains the members of the isolated domain. During the early days of testing, this group might contain only a very small number of computers. During production, it might contain the built-in Domain Computers group to ensure that every computer in the domain participates. Members of this group receive the domain isolation GPO that requires authentication for inbound connections. |
| CG_DOMISO_Boundary | A universal group of computer accounts that contains the members of the boundary zone. Members of this group receive a GPO that specifies that authentication is requested, but not required. |
| CG_DOMISO_Encryption | A universal group of computer accounts that contains the members of the encryption zone. Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections. |
| CG_SRVISO_ServerRole | A universal group of computer accounts that contains the members of the server isolation group. Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect. There will be one group for each set of servers that have different user and computer restriction requirements. |

| NAG Name | NAG Member Users, Computers, or Groups | Description |
|---|---|---|
| CG_NAG_ServerRole_Users | Svr1AdminA, Svr1AdminB, Group_AppUsers, AppSvcAccount | This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone. |
| CG_NAG_ServerRole_Computers | Desktop1, Desktop2, AdminDT1, AppAdminDT1 | This group contains all computers that are authorized to make inbound IPsec connections to the isolated servers in this zone. |

| Topic | Description |
|---|---|
| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior |
| [Deploy basic firewall rules](#bkmk-deploying) | How to create, modify, and delete firewall rules |
| [Manage Remotely](#bkmk-remote) | Remote management by using |
| [Deploy basic IPsec rule settings](#bkmk-deployingipsec) | IPsec rules and associated parameters |
| [Deploy secure firewall rules with IPsec](#bkmk-deploysecurerules) | Domain and server isolation |
| [Additional resources](#bkmk-additionalresources) | More information about Windows PowerShell |

| Term | Definition |
|---|---|
| Active Directory domain | A group of computers and users managed by an administrator by using Active Directory Domain Services (AD DS). Computers in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. |
| Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite. |
| Boundary zone | A subset of the computers in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from computers that are not members of the isolated domain. Computers in the boundary zone request but do not require authentication. They use IPsec to communicate with other computers in the isolated domain. |
| Connection security rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an IPsec rule. |
| Certificate-based isolation | A way to add computers that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every computer in the isolated domain and the computers that cannot use Kerberos V5 are provided with a computer certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider). |
| Domain isolation | A technique for helping protect the computers in an organization by requiring that the computers authenticate each other's identity before exchanging information, and refusing connection requests from computers that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table. |
| Encryption zone | A subset of the computers in an isolated domain that process sensitive data. Computers that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Computers that are part of the encryption zone also typically are subject to the access control restrictions of server isolation. |
| Firewall rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall. By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP). |
| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the computer. The protection includes authentication of both the sending and receiving computer, integrity protection of the network traffic exchanged between them, and can include encryption. |
| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member computers by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones). In this guide, the term isolated domain refers to the IPsec concept of a group of computers that can share authentication. The term Active Directory domain refers to the group of computers that share a security database by using Active Directory. |
| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting computer to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group. |
| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through. |
| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving computer cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. |
| Zone | A zone is a logical grouping of computers that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted computers. The encryption zone requires that all connections be encrypted. This is not related to the term zone as used by Domain Name System (DNS). |

| Feature/functionality | Windows Server 2008 R2 | Windows Server 2012 |
|---|---|---|
| Internet Key Exchange version 2 (IKEv2) for IPsec transport mode | | X |
| Windows Store app network isolation | | X |
| Windows PowerShell cmdlets for Windows Firewall | | X |

| Content type | References |
|---|---|
| Deployment | [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](../p_server_archive/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md); [Isolating Windows Store Apps on Your Network](../p_server_archive/isolating-windows-store-apps-on-your-network.md); [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md) |
| Troubleshooting | [Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012](http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx) |