[THIN] Download Pick of the Week: Server and Domain Isolation using IPSEC & Group Policy

  • From: "Jim Kenzig Kenzig.com" <jkenzig@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Mon, 21 Mar 2005 12:48:48 -0800 (PST)

Overview

Server and domain isolation provide a number of business benefits. Most 
importantly, it provides a layer of network security that can significantly 
reduce the threat of untrusted hosts accessing trusted domain members on an 
organization's internal network. Server and domain isolation can be an 
important strategy in the defense against virus propagation, internal hackers, 
employee misuse of technology assets, and information theft. In addition, it 
can be used to require domain membership of all clients that seek access to 
trusted resources, either clients or servers, so that they can be better 
managed by professional IT staff. Server and domain isolation can also be used 
either as a primary or an additional strategy for meeting data privacy or other 
protection requirements for data in network traffic, without modifying existing 
Microsoft® Windows® applications or deploying virtual private networking (VPN) 
tunneling hardware on the network.
At its core, server and domain isolation allows IT administrators to restrict 
TCP/IP communications of domain members that are trusted computers. These 
trusted computers can be configured to allow only incoming connections from 
other trusted computers, or a specific group of trusted computers. The access 
controls are centrally managed by using Active Directory® Group Policy to 
control network logon rights. Nearly all TCP/IP network connections are able to 
be secured without application changes, because Internet Protocol security 
(IPsec) works at the network layer below the application layer to provide 
authentication and per-packet, state-of-the-art security end-to-end between 
computers. Network traffic can be authenticated, or authenticated and 
encrypted, in a variety of customizable scenarios. The Group Policy and IPsec 
configurations are centrally managed in the Active Directory.
 
The concept of logical isolation presented in this guide embodies two solutions 
: server isolation to ensure that a server accepts network connections only 
from trusted domain members or a specific group of domain members, and domain 
isolation to isolate domain members from untrusted connections. These solutions 
can be used separately or together as part of an overall logical isolation 
solution.
 
Download the doc at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en
or
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
 
Regards,
Jim Kenzig
http://thin.net
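For readers who want to see what the "require authenticated connections from domain members, and optionally from a specific group" policy described above looks like as configuration, here is an added example. It is not from the linked Microsoft guide or from the original post: the guide predates the NetSecurity PowerShell module and used the IPsec policy MMC snap-in and netsh, whereas this shows the same server- and domain-isolation design with the cmdlets available on Windows 8 / Server 2012 and later. The domain name contoso.com, the GPO name "Domain Isolation" and the group "CONTOSO\Trusted Servers" are assumed placeholders; run it from an elevated PowerShell on a domain-joined machine with the Group Policy tools installed.

```powershell
# Added example (not from the guide or the post): domain isolation and server
# isolation expressed with the NetSecurity module. All names below are assumed.
$Domain    = 'contoso.com'              # placeholder domain
$GpoName   = 'Domain Isolation'         # placeholder GPO that already exists
$Store     = "$Domain\$GpoName"         # -PolicyStore syntax is Domain\GPOName
$GroupName = 'CONTOSO\Trusted Servers'  # placeholder AD group for server isolation

# 1. Phase-1 authentication: computer (machine) Kerberos. This is what makes
#    "trusted" mean "domain member": a host without a machine account cannot
#    complete IKE, so it never gets a security association at all.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' `
            -Proposal $kerb -PolicyStore $Store

# 2. Domain isolation: inbound connections must be IPsec-authenticated;
#    outbound only requests it, so members can still talk to non-IPsec
#    devices (printers, appliances) and those fall back to clear text.
#    This rule authenticates but does not encrypt; add a -QuickModeCryptoSet
#    with ESP encryption if confidentiality on the wire is a requirement.
New-NetIPsecRule -DisplayName 'Domain isolation - require inbound auth' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.InstanceID -Profile Domain -PolicyStore $Store

# 3. Server isolation: a firewall rule that admits only connections whose
#    authenticated IPsec peer is a member of the trusted group. The group is
#    translated to its SID and written as SDDL for -RemoteMachine.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "O:LSD:(A;;CC;;;$sid)"

New-NetFirewallRule -DisplayName 'Server isolation - trusted servers only' `
    -Direction Inbound -Action Allow -Authentication Required `
    -RemoteMachine $sddl -Profile Domain -PolicyStore $Store

# 4. With the domain profile defaulting to Block, peers that are unauthenticated
#    or outside the group are dropped before any application sees the packet.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -PolicyStore $Store

# Verification on a member after gpupdate: the main-mode SAs show which peers
# actually negotiated IPsec; a missing entry for a host that should be trusted
# usually means a Kerberos or time-skew problem rather than a firewall one.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

Two design points worth keeping in mind when adapting this: the outbound "Request" setting is what keeps the rollout from breaking access to non-domain devices, but it also means a member will fall back to clear text toward any peer that does not answer IKE, so exemption lists and monitoring of main-mode SAs are part of the control, not an afterthought; and because step 3 keys on group membership, the security of server isolation is only as good as the change control on that group.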
 