Server and Domain Isolation
Updated: December 1, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
In a Windows-based network, you can logically isolate server and domain resources to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network where computers share a common set of requirements for secure communications. Each computer in this logically isolated network must provide authentication credentials to other computers in the isolated network in order to establish connectivity. Network traffic from computers or users that cannot authenticate, or that authenticate as a computer or user not on the authorized list, is dropped. This isolation prevents unauthorized computers and programs from gaining access to resources.
Server and domain isolation can help protect high-value servers and data as well as protect managed computers from unmanaged or rogue computers and users.
You can use two types of isolation to protect a network:
Server isolation. In this scenario, a server is configured with IPsec connection security rules that require communications from other computers to be both authenticated and authorized, and optionally encrypted. For example, you might configure the database server to accept connections from the web application server only. Another common scenario is to protect the sensitive payroll servers by restricting them to accepting communications only from computers that can authenticate as an authorized member of the payroll client computer group.
Domain isolation. To isolate a domain, you use Active Directory domain membership as criteria in connection security rules to ensure that domain-member computers accept only authenticated communications from other domain-member computers. Communications from non-domain members are dropped. You can create exception rules that permit unauthenticated communications from specific non-domain member computers. The isolated network consists only of computers that are part of the domain, as shown in Figure 1.
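The two scenarios above map onto two kinds of rules in Windows Firewall with Advanced Security: a connection security rule (IPsec) that requires authentication, and a firewall rule that adds the authorization and encryption requirements. The following script is an added example, not from this article or from Microsoft; it uses the netsh advfirewall context available on the listed Windows versions. The rule names, the TCP port, the unmanaged host address and the group SID are placeholders chosen for illustration.

```powershell
# Added example (not part of the original article). Configures one
# domain-joined server so that inbound traffic must be authenticated with
# domain (Kerberos) computer credentials, and the protected service accepts
# only encrypted connections from members of an authorized computer group.
# Run from an elevated PowerShell prompt on the server being isolated.

# Placeholder SID of the authorized computer group (e.g. "Payroll Clients").
# Replace with the real value, for example from: dsquery group -name "Payroll Clients" | dsget group -sid
$AuthorizedClientsSid = 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX'
# Placeholder address of one unmanaged host that must still be reachable in clear text.
$ExemptHost = '192.0.2.10'

function Invoke-Netsh {
    param([string[]]$Arguments)
    & netsh.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($Arguments -join ' ')" }
}

# 1. Domain isolation: require authentication inbound, request it outbound
#    (requireinrequestout), so unauthenticated inbound traffic is dropped while
#    the server can still talk to hosts that cannot negotiate IPsec.
#    Quick mode uses ESP with SHA1 integrity and AES-256 encryption so the
#    firewall rule in step 3 can insist on encryption.
Invoke-Netsh @('advfirewall','consec','add','rule',
    'name=DomainIsolation-RequireComputerKerberos',
    'endpoint1=any','endpoint2=any',
    'action=requireinrequestout',
    'auth1=computerkerb',
    'qmsecmethods=esp:sha1-aes256',
    'profile=domain')

# 2. Exception rule: allow clear text with one specific non-domain computer.
Invoke-Netsh @('advfirewall','consec','add','rule',
    'name=DomainIsolation-ExemptUnmanagedHost',
    'endpoint1=any',"endpoint2=$ExemptHost",
    'action=noauthentication',
    'profile=domain')

# 3. Server isolation: the authorization half. Only computers in the group may
#    reach the service (TCP 1433 assumed), and only over an authenticated and
#    encrypted (security=authenc) connection. The group is given as SDDL.
Invoke-Netsh @('advfirewall','firewall','add','rule',
    'name=ServerIsolation-AllowSqlFromAuthorizedClients',
    'dir=in','action=allow','protocol=TCP','localport=1433',
    'security=authenc',
    "rmtcomputergrp=D:(A;;CC;;;$AuthorizedClientsSid)",
    'profile=domain')

# 4. Verify: list the rules, then confirm that main-mode and quick-mode security
#    associations exist after an authorized client connects. An empty SA list
#    means no peer has authenticated yet.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Deploying the same rules through Group Policy rather than per host is the usual approach for a whole domain; the netsh form is shown here because it makes the two rule types explicit.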