OverviewServer and domain isolation provide a number of business benefits. Most importantly, it provides a layer of network security that can significantly reduce the threat of untrusted hosts accessing trusted domain members on an organization's internal network. Server and domain isolation can be an important strategy in the defense against virus propagation, internal hackers, employee misuse of technology assets, and information theft. In addition, it can be used to require domain membership of all clients that seek access to trusted resources, either clients or servers, so that they can be better managed by professional IT staff. Server and domain isolation can also be used either as a primary or an additional strategy for meeting data privacy or other protection requirements for data in network traffic, without modifying existing Microsoft® Windows® applications or deploying virtual private networking (VPN) tunneling hardware on the network. At its core, server and domain isolation allows IT administrators to restrict TCP/IP communications of domain members that are trusted computers. These trusted computers can be configured to allow only incoming connections from other trusted computers, or a specific group of trusted computers. The access controls are centrally managed by using Active Directory® Group Policy to control network logon rights. Nearly all TCP/IP network connections are able to be secured without application changes, because Internet Protocol security (IPsec) works at the network layer below the application layer to provide authentication and per-packet, state-of-the-art security end-to-end between computers. Network traffic can be authenticated, or authenticated and encrypted, in a variety of customizable scenarios. The Group Policy and IPsec configurations are centrally managed in the Active Directory. The concept of logical isolation presented in this guide embodies two solutions ? server isolation to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members, and domain isolation to isolate domain members from untrusted connections. These solutions can be used separately or together as part of an overall logical isolation solution. Download the doc at: http://www.microsoft.com/downloads/details.aspx?FamilyId=404FB62F-7CF7-48B5-A820-B881F63BC005&displaylang=en or http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx Regards, Jim Kenzig http://thin.net