In this series I will cover some lesser-known features, built right into Windows, which can be used to secure your Windows infrastructure. I’m going to start the series by discussing a feature known as “Domain Isolation”. Domain Isolation (along with Server Isolation) is relatively easy to implement, transparent to users, and best of all, does not require any additional hardware, software or licenses.
Domain isolation is provided by the Windows Firewall with Advanced Security and provides two services: authentication, and optionally, encryption. Using Group Policy Objects, computers and servers in an Active Directory forest can be required to authenticate before communicating, or, in more secure environments, encryption of network traffic can be required. Once implemented, the computers of visitors such as guests and consultants can share the same physical network segment, however all network traffic between these systems and domain-joined systems will be blocked by the Windows firewall.
Before requiring authentication or encryption, all systems in the forest must first be configured to request authentication. Unless a system is able to request authentication, it will never be able to communicate with systems that require authentication or encryption. In other words, configuring a system to request authentication enables its ability to be part of an isolated domain.
After that policy has been implemented and verified, the next step is to select the systems that will require authentication and deploy a policy that enables the requirement on them. Domain Controllers and infrastructure servers such as DNS and DHCP servers generally should not be configured to require authentication, since computers that are not domain-joined may require their services. Publicly accessible systems such as web and email servers must also be omitted from the policy. Once authentication is required on a system, it will not even respond to pings from unauthenticated hosts, so it’s critical to have a good understanding of your environment and of what the implications of this change will be.
Lastly, encryption of all traffic to certain hosts can be required. Encryption uses IPsec transport mode, which encrypts just the payload of a packet, unlike the more common IPsec tunnel mode, in which the entire packet is encrypted. Servers holding the most sensitive information are good choices for this policy, as are Hyper-V host servers. One advantage of encrypting traffic between Hyper-V hosts is that it protects replication traffic without requiring the configuration of certificates from within the Hyper-V settings.
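The three-stage rollout described above (request, then require, then encrypt), expressed as connection security rules written into Group Policy with the NetSecurity module. This is an added example and not configuration from the original post; the domain name, GPO names and the infrastructure addresses are placeholders, and the GPOs are assumed to already exist and to be linked to the appropriate OUs.

```powershell
# Added example. Placeholders: domain "corp.example", the three GPO names, and the
# DC/DNS/DHCP addresses in $infra are all assumed values for illustration.
Import-Module NetSecurity
$infra = '10.0.0.10', '10.0.0.11'   # placeholder DC / DNS / DHCP addresses

# Step 1: every domain member REQUESTS IPsec authentication but still talks to hosts
# that cannot authenticate. This GPO is linked forest-wide and rolled out first.
$gpo = Open-NetGPO -PolicyStore 'corp.example\Domain Isolation - Request'
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Request authentication' `
    -Mode Transport -InboundSecurity Request -OutboundSecurity Request
# Phase1AuthSet is left at 'Default', i.e. Kerberos computer authentication for domain members.
Save-NetGPO -GPOSession $gpo

# Step 2: selected servers REQUIRE inbound authentication. Linked only to the OU holding
# the chosen servers; DCs, DNS/DHCP and public web/mail servers stay out of this scope.
$gpo = Open-NetGPO -PolicyStore 'corp.example\Server Isolation - Require'
# Authentication exemption so these servers can still reach infrastructure that must
# serve non-domain hosts and therefore does not require IPsec itself.
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Exempt DC/DNS/DHCP' `
    -InboundSecurity None -OutboundSecurity None -RemoteAddress $infra
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Require inbound authentication' `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Request
Save-NetGPO -GPOSession $gpo

# Step 3: the most sensitive servers and Hyper-V hosts REQUIRE ESP encryption in transport
# mode. A quick-mode crypto set that offers only an encrypting proposal makes the
# negotiation fail rather than fall back to integrity-only ESP.
$gpo = Open-NetGPO -PolicyStore 'corp.example\Server Isolation - Encrypt'
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Exempt DC/DNS/DHCP' `
    -InboundSecurity None -OutboundSecurity None -RemoteAddress $infra
$proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA256
New-NetIPsecQuickModeCryptoSet -GPOSession $gpo -Name 'DI-ESP-AES256' `
    -DisplayName 'ESP AES-256 only' -Proposal $proposal
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Require encryption' `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Require `
    -QuickModeCryptoSet 'DI-ESP-AES256'
Save-NetGPO -GPOSession $gpo

# Verification, run on a member after gpupdate: the security associations show which peers
# authenticated and which cipher was negotiated, so an unexpectedly empty list or an
# integrity-only quick-mode SA points at a host that was left out of the request policy.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

Apply step 2 and step 3 only after the step 1 policy has reached every domain member; a server that requires authentication before its peers can offer it simply stops answering them, pings included.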
I hope this quick overview of Domain and Server Isolation helped you understand the capabilities and benefits of this powerful and easy-to-use security feature. If you’d like assistance implementing Domain and Server Isolation in your environment, or if you have questions or concerns about the security of your infrastructure in general, please feel free to contact us at any time.