Windows Insider

Isolation Automation Exploration: Part I

Vista makes system-to-system IPSec authentication MUCH easier, if you know how to use it.

Entire books have been written on network security and IPSec. Full of three-letter acronyms for encryption technologies and concepts like "data integrity" versus "data authorization," network security can make your head swim.

Before Windows Vista, setting up IPSec for system-to-system authentication was complex, sometimes requiring hundreds of filters to secure traffic between domain controllers while at the same time not inhibiting log-ons for older operating systems. When a non-IPSec-aware client tried to connect to an IPSec-enabled server, it often resulted in no connection at all.

Thankfully, with Windows Vista's improvements to IPSec, it all gets a lot easier. It's now possible to create isolation groups that mandate machine-to-machine authentication between sets of computers on your network.

Additional Authentication
So what's an isolation group? It's a way of using network rules to further protect potentially open spots on your network. Let's say an administrator accidentally shares a sensitive folder on your file server with Full Control permissions to the Everyone group. Suddenly, all that sensitive data is immediately exposed to anyone. If the data is on a human resources or other highly sensitive server, you're really in trouble. Isolation domains leverage IPSec to ensure that any machine attempting to connect to that share must authenticate via Kerberos before it can transfer data. Think of an isolation domain as an extra access control list (ACL), like NTFS and share permissions, but way down at the network level. This extra computer-based ACL ensures that only the correct machines get access to sensitive data, and that they can only transfer that data securely.

Here's how it works. When you log in to a computer, your user account goes through a Kerberos authentication process that ensures you are who you say you are. Adding in an isolation group with IPSec means that any time your computer tries to access another computer, the computer itself goes through an additional authentication. If your computer successfully authenticates, then you can access the data. This assumes of course that you then have the correct share and NTFS rights. If your computer can't authenticate, the server either rejects the request or allows a fallback to clear text communication.

All this was possible in Windows 2003, but IPSec was notoriously difficult to set up. In Windows Vista, IPSec configuration has been merged with the Windows Firewall and is now called Windows Firewall with Advanced Security.

In setting up an isolation group, four types of canned rules are available or a custom rule can be created:

• Isolation: This will create a group of machines that are isolated from other computers. This group can be for all machines in the Active Directory Kerberos boundary, or can be an identified list of machines by IP address. Authentication can occur for either inbound or outbound traffic, or both.

• Authentication Exemption: This will create a group of machines exempt from any authentication requirements.

• Server to Server: This will create an authenticated connection between two specific groups of computers. Think of this as the "one-to-one" connection where the Isolation group would be the "many-to-many" connection.

• Tunnel: Like Server to Server, but usually used for bridging traffic across the Internet, this will create an authenticated connection between two computers utilizing an Internet-facing gateway server.

• Custom Connection: A connection that can be created using a combination of the four different rules.
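As an added example that is not from the column itself, here is how the Authentication Exemption, Isolation and Server to Server rule types described above map onto the netsh advfirewall consec commands available on Windows Vista and Server 2008. The rule names, addresses and subnets are constructed placeholders.

```batch
@echo off
rem Added example, not part of the original column. Run from an elevated command prompt.
rem All names, addresses and subnets below are constructed placeholders.

rem 1. Authentication Exemption: the domain controllers must stay reachable without
rem    IPsec, because a computer has to get its Kerberos ticket from a DC before it can
rem    authenticate to any other machine (assumed DC addresses 10.0.0.10 and 10.0.0.11).
netsh advfirewall consec add rule name="Exempt Domain Controllers" ^
    endpoint1=any endpoint2=10.0.0.10,10.0.0.11 ^
    action=noauthentication profile=domain

rem 2. Isolation: every domain-profile connection must authenticate the peer computer
rem    with Kerberos. "requireinrequestout" requires authentication for inbound
rem    connections and only requests it for outbound ones, so a legacy peer that cannot
rem    do IPsec still gets the clear-text fallback when this machine initiates.
netsh advfirewall consec add rule name="Domain Isolation" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout auth1=computerkerb profile=domain

rem 3. Server to Server: a one-to-one rule between the HR file server (assumed
rem    10.0.5.20) and the HR client subnet (assumed 10.0.7.0/24). Requiring
rem    authentication in both directions removes the clear-text fallback for this pair.
netsh advfirewall consec add rule name="HR Server to HR Clients" ^
    endpoint1=10.0.5.20 endpoint2=10.0.7.0/24 ^
    action=requireinrequireout auth1=computerkerb profile=domain

rem Verify: list the connection security rules, then watch for main-mode security
rem associations, which only appear after a peer computer has authenticated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

If the monitor output shows no main-mode SA for a peer that should be authenticating, check the exemption rule first: a client that cannot reach a DC over clear text can never obtain the ticket the isolation rule demands.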

Next month I'll give step-by-step instructions for setting up an isolation group on your network and go over some other tips on how to protect your network from the inside out.

About the Author

Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.


Reader Comments:


Mon, Jan 20, 2014

When setting up SSL encryption between the SQL Server and a client connection, if the force encryption checkbox is setup on the server there is no client configuration change which is needed. The SQL Server Native Client and the SQL Server will automatically negotiate a secure connection. The only time you need to configure anything on the client is if encryption on the server is an option and you want to require it. In SSMS this is done via a checkbox. In other applications this is done through a connection string attribute.

