Overview of the Windows Server 2008 Firewall with Advanced Security Part 3b: Introduction to Domain Isolation

by Thomas Shinder [Published on 23 July 2008 / Last Updated on 23 July 2008]

Creating the client and server domain isolation rule that will require security (authentication) and also configuring the server to accept inbound ping connections so that we can test the rule.

If you would like to read the other parts in this article series please go to:

If you would like to be notified when Thomas Shinder releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

In the first part of this two-part series on creating a domain isolation policy with IPsec and the Windows Firewall with Advanced Security console integrated into the Windows Server 2008 Group Policy Editor, I went over how to configure the default IPsec policy to apply ESP encryption to the connections secured by IPsec, and then showed you how to create the domain controller IPsec policy rule.

In this second and final part of the series, we’ll create the client and server domain isolation rule that requires security (authentication), and configure the server to accept inbound ping requests so that we can test the rule. At the end of the article we’ll test the rule to confirm that IPsec is being applied to the connections and that they are being encrypted using ESP.

Creating the Client and Server Domain Isolation Rule

The next rule we will create is the Client and Server Domain Isolation rule. Unlike the previous rule, which only requests security for connections to the domain controller, this rule requires authentication and security when domain members connect to each other: it requires authentication for inbound connections and requests security for outbound connections.

Requiring authentication for inbound connections means that any computer that wants to connect to a domain member must first authenticate to it using Kerberos. If the computer can’t authenticate, the inbound connection fails; if it can, the connection is allowed. Because outbound connections only request security, a domain member can still connect to a non-domain member that cannot authenticate; that outbound connection simply falls back to clear text. The result is that domain members establish secure connections with one another while keeping the ability to reach non-domain machines.

Navigate to the Connection Security Rules node in the left pane of the Group Policy Editor as you did when you created the previous rule.

Right click Connection Security Rules and click New Rule.


Figure 1

On the Rule Type page, select the Isolation option and click Next.


Figure 2

On the Authentication Method page, select Default and click Next.


Figure 3

On the Name page give the rule a name. In this example we’ll name the rule Client/Server Domain Isolation and enter the description Encrypts and secures connections between all machines that are not DCs or infrastructure servers (DNS, DHCP, Default Gateway, WINS).

Click Next.


Figure 4

Notice the rule in the list of connection security rules. You might wonder whether this will cause a problem, since the Client/Server Domain Isolation rule covers all IP addresses, including the domain controller’s IP address.

This isn’t a problem, because connection security rules are evaluated from most specific to least specific, so the more specific rule wins. Of the two rules we have here, the DC Request Security rule is more specific because its Endpoint 2 is a single IP address, while in the Client/Server Domain Isolation rule Endpoint 2 is any IP address.


Figure 5

Note that in a production environment we would also need to create authentication exemption rules (the Authentication exemption rule type in the same wizard), which exempt certain devices from authentication. This includes the DHCP, DNS, WINS and default gateway addresses that must be used by machines that are not domain members and thus can’t authenticate using Kerberos. The links at the end of this article will help you with the more advanced planning and configuration required for a production network implementation of domain isolation.
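The same Client/Server Domain Isolation rule, together with the infrastructure exemptions the paragraph above says a production deployment needs, expressed with netsh advfirewall instead of the wizard. This is an added example and not part of the original article: it writes the local connection security rules of the machine it runs on (the article edits a GPO instead), it pins the authentication method to computer Kerberos rather than the wizard's Default choice, and the GPO name in the commented-out line is a placeholder.

```powershell
# Added example: netsh equivalents of the wizard steps above. Run from an elevated
# prompt; the netsh commands work from cmd.exe as well as PowerShell. By default
# they write the LOCAL policy store. To edit a GPO instead, point netsh at it first:
#   netsh advfirewall set store gpo="example.local\Domain Isolation"   # GPO name is hypothetical

# 1) Isolation rule: require computer Kerberos authentication for inbound
#    connections, only request it for outbound, for any pair of endpoints.
netsh advfirewall consec add rule name="Client/Server Domain Isolation" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    description="Encrypts and secures connections between all machines that are not DCs or infrastructure servers (DNS, DHCP, Default Gateway, WINS)"

# 2) Authentication exemptions for the infrastructure that non-domain machines
#    must reach. The endpoint keywords dns, dhcp, wins and defaultgateway resolve
#    on each host to the addresses its own adapters are configured with, so no
#    IP addresses have to be hard-coded into the policy.
foreach ($svc in "dns", "dhcp", "wins", "defaultgateway") {
    netsh advfirewall consec add rule name="Exempt $svc" `
        endpoint1=any endpoint2=$svc `
        action=noauthentication `
        description="Authentication exemption for $svc"
}

# 3) Confirm the result. The exemptions (specific endpoint2) are more specific
#    than the catch-all isolation rule (endpoint2=any) and therefore win.
netsh advfirewall consec show rule name=all
```

The exemption rules use action=noauthentication, which is what the wizard's Authentication exemption rule type produces; without them a domain member would try to negotiate IPsec with a DNS or DHCP server that cannot authenticate.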

Create a Firewall Rule to Allow Inbound Ping

To test the configuration, you’ll want to ping the server from the Vista client. By default the server’s firewall blocks inbound ICMP Echo Requests, so for the test you need to create an inbound rule in the Windows Firewall with Advanced Security MMC that allows the Vista client to ping the server.

On the server, open the Windows Firewall with Advanced Security from the Administrative Tools menu.

In the left pane of the Windows Firewall with Advanced Security console, right click the Inbound Rules node and click New Rule.


Figure 6

On the Rule Type page, select the Custom option. Click Next.


Figure 7

On the Program page, select the All Programs option and click Next.


Figure 8

On the Protocol and Ports page, click the down arrow in the Protocol Type drop down list, and select the ICMPv4 option.

Click the Customize button. In the Customize ICMP Settings dialog box, select the Specific ICMP types option. Then put a checkmark in the Echo Request checkbox. Click OK.


Figure 9

Click Next on the Protocol and Ports page.


Figure 10

On the Scope page, accept the default settings for the local and remote IP addresses, which is Any IP address. Click Next.


Figure 11

On the Action page, select the Allow the connection option and click Next.


Figure 12

On the Profile page, remove the checkmarks from the Private and Public checkboxes so that the rule applies only while the server is on the Domain profile, and click Next.


Figure 13

On the Name page, give the rule a name. In this example we’ll name the rule Allow ICMP Request. Click Finish.


Figure 14

You can see the Allow ICMP Request rule in the list of inbound rules.
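The inbound ICMP rule built in the wizard above, as a netsh command, followed by the ping test it exists for. This is an added example, not code from the original article; the server hostname is a placeholder.

```powershell
# Added example: netsh equivalent of the wizard steps above, run on the server from
# an elevated prompt. icmpv4:8,any means ICMP type 8 (Echo Request) with any code;
# profile=domain mirrors clearing the Private and Public checkboxes.
netsh advfirewall firewall add rule name="Allow ICMP Request" `
    dir=in action=allow `
    protocol=icmpv4:8,any `
    profile=domain `
    description="Allow inbound ping (Echo Request) for testing domain isolation"

# Verify the rule exists, is enabled, and is scoped to the Domain profile only.
netsh advfirewall firewall show rule name="Allow ICMP Request"

# From the Vista client, ping the server (hostname is a placeholder). Because the
# isolation rule requires inbound authentication on the server, the very first
# Echo Request may time out while IKE negotiates the main-mode and quick-mode
# SAs; the remaining replies arrive normally once the SAs exist.
ping -n 4 server1.example.local
```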


Figure 15

View the Connection Security Activity

OK, now we’re ready to see if things work! Go to the server and open the Windows Firewall with Advanced Security console and click on the Connection Security Rules node in the left pane of the console. You should see the rules that you created in Group Policy. If you don’t see these rules, do the following:

  • At the domain controller, open a command prompt and type gpupdate /force and press ENTER to update group policy on the domain controller
  • After updating group policy on the domain controller, update group policy on the server by opening a command prompt and typing gpupdate /force and press ENTER to update group policy on the server
  • If this doesn’t work, try restarting the server and logging on again

Then refresh the view for the Connection Security Rules on the server to see the updated list of rules. This is the same list that you see in the Group Policy Editor.


Figure 16

Click the Main Mode node in the left pane of the console. You should see that the server has established secure connections to both the domain controller and the Vista client. If you don’t see secure connections to the Vista client, do the following:

  • Run gpupdate /force on the Vista client
  • Confirm that the Connection Security Rules have been applied on the Vista client by checking them in the Windows Firewall with Advanced Security MMC snap-in on the Vista client.
  • If that doesn’t work, restart the Vista client computer
  • Ping the Vista client computer from the server

After these steps, you should see secure IPsec connections between the server and both the domain controller and the Vista client.


Figure 17

When you double click on one of the entries in the Main Mode details pane, you can see details of the secure connection.


Figure 18

Click on the Quick Mode node in the left pane of the console. You should see secure connections to both the domain controller and the Vista client.


Figure 19

If you double click one of the entries in the details pane of the Quick Mode node, you can see details of the connection. Notice that ESP confidentiality has been applied using AES-128 encryption. This means that an attacker sniffing the network can capture the packets but cannot read their contents.
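Command-line checks that mirror the console walkthrough in this section (policy refresh, the rules in effect, and the main-mode and quick-mode security associations). This is an added example and not part of the original article; the client hostname is a placeholder.

```powershell
# Added example: verify from the command line what the console walkthrough above
# shows in the GUI. Run on the server from an elevated prompt.

# 1) Refresh computer policy (repeat on the Vista client), then confirm that the
#    GPO carrying the connection security rules actually applied to this computer.
gpupdate /force /target:computer
gpresult /r /scope:computer

# 2) Connection security rules in effect after policy applied (all stores merged).
netsh advfirewall monitor show consec

# 3) Generate some traffic so IKE negotiates, then inspect the resulting SAs.
ping -n 2 vistaclient.example.local      # hostname is a placeholder
netsh advfirewall monitor show mmsa      # main mode: one entry per peer, with the authentication method
netsh advfirewall monitor show qmsa      # quick mode: per-SA integrity and confidentiality algorithms

# What to look for: a quick-mode SA for each peer (DC and Vista client) whose ESP
# confidentiality algorithm is AES-128, matching the console details above.
# Reading an absent SA correctly: an inbound connection from a peer that cannot
# authenticate never appears here because the rule refuses it, whereas an
# outbound connection to such a peer is allowed in the clear (request-only), so
# its absence from the SA list does not mean the connection failed.
```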


Figure 20

Summary

In this article we went over how to configure the client/server domain isolation rule and then configured the firewall on the server to allow inbound ping requests. We then checked to see if everything worked as expected by using the monitoring features included in the Windows Firewall with Advanced Security console. This article series focused on how to create a simple domain isolation policy to demonstrate how easy it is to configure domain isolation policies using the new tools included in Windows Server 2008 and Vista. More importantly, we demonstrated how you can use Group Policy to centralize the configuration so that domain isolation policy is a “one-touch” management solution.

For more information on domain isolation and planning for domain isolation in your network environment check out: Server and Domain Isolation.

In a future article I will demonstrate server isolation. Server isolation is helpful when machines aren’t domain members. In that case, we’ll see how you can use alternate authentication methods to secure the connections between non-domain member machines. See you then! –Tom.
