deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
4f0595933f3e5e24d207502a55d76e64df86f81c
windows-itpro-docs/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
Paolo Matarazzo 7234912151 bulk update tiering info and docfx for Windows Firewall
2023-02-24 07:47:14 -05:00

3.4 KiB
Raw Blame History

title, description, ms.prod, ms.topic, ms.date, appliesto
title description ms.prod ms.topic ms.date appliesto
Checklist Configuring Rules for the Isolated Domain (Windows) Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. windows-client conceptual 09/07/2021
<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
<a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>

Checklist: Configuring Rules for the Isolated Domain

The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.

Checklist: Configuring isolated domain rules

Task Reference
Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. Checklist: Creating Group Policy Objects
Copy a GPO to Create a New GPO
If you're working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they're correct for the isolated domain zone and the version of Windows for which this GPO is intended. Modify GPO Filters to Apply to a Different Zone or Version of Windows
Configure IPsec to exempt all ICMP network traffic from IPsec protection. Exempt ICMP from Authentication
Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. Create an Authentication Exemption List Rule
Configure the key exchange (main mode) security methods and algorithms to be used. Configure Key Exchange (Main Mode) Settings
Configure the data protection (quick mode) algorithm combinations to be used. Configure Data Protection (Quick Mode) Settings
Configure the authentication methods to be used. Configure Authentication Methods
Create the rule that requests authentication for all inbound network traffic. Create an Authentication Request Rule
Link the GPO to the domain level of the AD DS organizational unit hierarchy. Link the GPO to the Domain
Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group. Add Test Devices to the Membership Group for a Zone
Verify that the connection security rules are protecting network traffic to and from the test computers. Verify That Network Traffic Is Authenticated

Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.