5.1 KiB
title, description, ms.assetid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, author
| title | description | ms.assetid | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | author |
|---|---|---|---|---|---|---|---|
| Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) | Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone | ccc09d06-ef75-43b0-9c77-db06f2940955 | w10 | deploy | library | security | brianlic-msft |
Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
Applies to
- Windows 10
- Windows Server 2016
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone.
The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
Checklist: Configuring rules for isolated servers
| Task | Reference |
|---|---|
| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | Checklist: Creating Group Policy Objects Copy a GPO to Create a New GPO |
| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | Modify GPO Filters to Apply to a Different Zone or Version of Windows |
| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | Exempt ICMP from Authentication |
| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | Create an Authentication Exemption List Rule |
| Configure the key exchange (main mode) security methods and algorithms to be used. | Configure Key Exchange (Main Mode) Settings |
| Configure the data protection (quick mode) algorithm combinations to be used. | Configure Data Protection (Quick Mode) Settings |
| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional. | Configure Authentication Methods |
| Create a rule that requests authentication for all inbound network traffic. Important: Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate. |
Create an Authentication Request Rule |
| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | Configure the Rules to Require Encryption |
| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers. | Create a Group Account in Active Directory |
| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG. | Restrict Server Access to Members of a Group Only |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | Link the GPO to the Domain |
| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group. | Add Test Devices to the Membership Group for a Zone |
| Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. |