Applies To: Windows Server 2008, Windows Server 2008 R2

This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client computers that are running Windows 7 or Windows Vista.

Because client computers can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile.

General settings

This GPO provides the following settings:

  • No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the Firewall GPOs section) in order to share them with all clients in all isolation zones with minimum redundancy.

  • The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting.

  • Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 7, Windows Vista, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones.

  • The registry settings shown in the following table. For more information, see the description of the registry settings in Isolated Domain.

    Setting Value

    Enable PMTU Discovery


    IPsec Exemptions


    Enable IPsec over NAT-T


  • The main mode security method combinations in the order shown in the following table.

    Integrity Encryption

    Secure Hash Algorithm (SHA-1)

    Advanced Encryption Standard (AES-128)



  • The following quick mode security data integrity algorithms combinations in the order shown in the following table.

    Protocol Integrity Key Lifetime (minutes/KB)




  • The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table.

    Protocol Integrity Encryption Key Lifetime (minutes/KB)










Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows.

Connection Security Rules

This GPO provides the following rules:

  • A connection security rule named Isolated Domain Rule with the following settings:

    • From Any IP address to Any IP address.

    • Require inbound and request outbound authentication requirements.


On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the computers were successfully communicating by using IPsec, they switched the GPOs to require authentication.

  - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for computers that cannot run Windows or cannot join the domain, but must still participate in the isolated domain.  
  - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box.  
  • A connection security rule to exempt computers that are in the exemption list from the requirement to authenticate:

    • The IP addresses of all computers on the exemption list must be added individually under Endpoint 2.

    • Authentication mode is set to Do not authenticate.

Next: GPO_DOMISO_IsolatedDomain_Servers_WS2008