Exemption List

Applies To: Windows Server 2008, Windows Server 2008 R2

When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all computers on the internal network, yet secured from network attacks. However, if they must remain available to all computers on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.

Some services, such as DNS, do not work well with the Fall back to clear setting when one of the computers takes three seconds between a failed IKE attempt and the follow-up plaintext attempt. This delay causes performance and timeout errors for many services. The "Simple Policy Update" for Windows XP with SP2 and Windows Server 2003 with SP1 (available at http://go.microsoft.com/fwlink/?linkid=110514) reduces the delay to one-half second. Later service packs for both Windows XP and Windows Server 2003 have the update built in. For many services, this reduction in the delay means that the services do not require exemption. This keeps the size of the exemption list as small as possible.

With Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 the delay is eliminated. When Fall back to clear is specified, both IPsec and plaintext connection attempts are made at the same time. If the remote computer responds to the IPsec request, then the plaintext attempt is abandoned. If the remote computer does not respond to the IPsec request, then the plaintext attempt is permitted to proceed, and the IPsec request eventually times out.

However, if you have any computers in your organization that are running operating systems that cannot run the Simple Policy Update, then you must maintain a comprehensive exemption list.

In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted computers cannot use IPsec to access, which would be added to the exemption list.

Generally, the following conditions are reasons to consider adding a computer to the exemption list:

  • If the computer must be accessed by trusted computers but it does not have a compatible IPsec implementation.

  • If the computer must provide services to both trusted and untrusted computers, but does not meet the criteria for membership in the boundary zone.

  • If the computer must run a program that is adversely affected by IPsec encapsulation of program traffic.

  • If the computer must support so many clients at the same time and you find that IPsec causes an unacceptable drop in performance.

  • If the computer must be accessed by trusted computers from different isolated domains that do not have an Active Directory trust relationship established with each other.

  • If the computer is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista.

  • If the computer must support trusted and untrusted computers, but cannot use IPsec to help secure communications to trusted computers.

For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all computers in your isolated domain to run at least Windows XP with SP2 or Windows Server 2003 with SP1 with the Simple Policy Update, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every computer that receives the GPO, including the following:

  • Reduces the overall effectiveness of isolation.

  • Creates a larger management burden (because of frequent updates).

  • Increases the size of the IPsec policy, which means that it consumes more memory and CPU resources, slows down network throughput, and increases the time required to download and apply the GPO containing the IPsec policy.

To keep the number of exemptions as small as possible, you have several options:

  • Carefully consider the communications requirements of each isolation zone, especially server-only zones. They might not be required to communicate with every exemption in the domain-level policy for clients.

  • Consolidate server functions. If several exempt services can be hosted at one IP address, the number of exemptions is reduced.

  • Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address.

As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the Boundary Zone section.

Next: Isolated Domain