windows-itpro-docs/windows/keep-secure/server-isolation-gpos.md
Joey Caparas 1ef74488de from rs1
2016-07-29 15:54:21 +10:00

---
title: Server Isolation GPOs (Windows 10)
description: Server Isolation GPOs
ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---

# Server Isolation GPOs

**Applies to**

  • Windows 10
  • Windows Server 2016

Each set of devices that has a different set of users or devices accessing it requires a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for its devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose.

All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG_SRVISO_WGBANK_SQL. This group is granted Read and Apply Group Policy permissions on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone.

## GPO_SRVISO

This GPO is identical to the GPO_DOMISO_Encryption GPO with the following changes:

  • The firewall rule that enforces encryption is modified to include the NAGs on the Users and Computers tab of the rule. The NAGs granted permission include CG_NAG_SQL_Users and CG_NAG_SQL_Computers.

    > **Important:** Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect.
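
The steps described above (copy the encryption zone GPO, restrict it to the isolated-server group, and add the NAGs to the encryption-enforcing firewall rule), as an added PowerShell example that is not part of the original page or of the Woodgrove Bank design. It assumes a domain-joined administrative host with the GroupPolicy, ActiveDirectory and NetSecurity modules (RSAT), that GPO_DOMISO_Encryption and the groups named on this page already exist, and that the firewall rule's display name `$RuleName` is a placeholder for whatever the copied GPO actually uses.

```powershell
# Added example, not from the original page. Placeholder: $RuleName.
Import-Module GroupPolicy, ActiveDirectory, NetSecurity

$Domain       = (Get-ADDomain).DNSRoot
$SourceGpo    = 'GPO_DOMISO_Encryption'
$TargetGpo    = 'GPO_SRVISO'
$ServerGroup  = 'CG_SRVISO_WGBANK_SQL'
$NagUsers     = 'CG_NAG_SQL_Users'
$NagComputers = 'CG_NAG_SQL_Computers'
$RuleName     = 'Require Encryption for Isolated Servers'   # placeholder name
$Store        = "$Domain\$TargetGpo"

# 1. Start from a copy of the encryption zone GPO, renamed for its new purpose.
if (-not (Get-GPO -Name $TargetGpo -ErrorAction SilentlyContinue)) {
    Copy-GPO -SourceName $SourceGpo -TargetName $TargetGpo | Out-Null
}

# 2. Security filtering: Authenticated Users drop to Read only, and only the
#    server isolation group receives Read + Apply Group Policy.
Set-GPPermission -Name $TargetGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $TargetGpo -TargetName $ServerGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. The Users/Computers tab of a firewall rule is stored as SDDL; build an
#    allow ACE for each NAG from its SID.
function New-AllowSddl([string]$GroupName) {
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
    return "O:LSD:(A;;CC;;;$sid)"
}

# 4. Modify the rule that enforces encryption so that only the NAG members
#    (user and computer) may connect; authentication and encryption stay required.
Get-NetFirewallRule -PolicyStore $Store -DisplayName $RuleName |
    Set-NetFirewallRule -Authentication Required -Encryption Required `
        -RemoteUser (New-AllowSddl $NagUsers) `
        -RemoteMachine (New-AllowSddl $NagComputers)

# 5. Check: the rule in the GPO should now carry both NAG SIDs.
Get-NetFirewallRule -PolicyStore $Store -DisplayName $RuleName |
    Get-NetFirewallSecurityFilter |
    Select-Object Authentication, Encryption, RemoteUser, RemoteMachine
```

Devices not yet running a Windows version that supports user-based authentication will be rejected by the `RemoteUser` restriction, which is the caveat the Important note above describes.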

**Next:** Planning GPO Deployment