Boundary Zone
Applies To: Windows Server 2008, Windows Server 2008 R2
In most organizations, some computers must be able to receive network traffic from computers that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted computers, create a boundary zone within your isolated domain.
Computers in the boundary zone are trusted computers that can accept communication requests both from other isolated domain member computers and from untrusted computers. Boundary zone computers try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating computer. However, if no IKE response is received, the computer will "fall back to clear" and begin communicating in plaintext without IPsec.
The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it.
Because these boundary zone computers can receive unsolicited inbound communications from untrusted computers that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a computer to the boundary zone. For example, completing a formal business justification process before adding each computer to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
.gif)
The goal of this process is to determine whether the risk of adding a computer to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the Planning Group Policy Deployment for Your Isolation Zones section.
GPO settings for boundary zone servers running Windows Server 2008 or Windows Server 2008 R2
The boundary zone GPO for computers running Windows Server 2008 or Windows Server 2008 R2 should include the following:
IPsec default settings that specify the following options:
Exempt all ICMP traffic from IPsec.
Key exchange (main mode) security methods and algorithm. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If these computers must communicate with hosts in the encryption zone, ensure that you include an algorithm that is compatible with the requirements of the encryption zone GPOs.
Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
The following connection security rules:
A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
A connection security rule, from Any IP address to Any IP address, that requests inbound and outbound authentication.
A registry policy that includes the following values:
Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in Appendix A: Sample GPO Template Files for Settings Used in this Guide sets the value to 1.
Enforce the default IPsec protocol exemptions of ISAKMP only. This setting is documented in Knowledge Base article 810207 at https://go.microsoft.com/fwlink/?linkid=110516. The sample GPO preferences XML file in Appendix A: Sample GPO Template Files for Settings Used in this Guide sets this value to 3.
If required by the organization, enable IPsec over NAT-T. This setting is documented in Knowledge Base article 120492 at https://go.microsoft.com/fwlink/?linkid=120492. The sample GPO preferences XML file in Appendix A: Sample GPO Template Files for Settings Used in this Guide sets this value to 0 (the default). To enable IPsec over NAT-T, you must change this value to either 1 or 2, as required by your environment.
Note
For a sample template for these registry settings, see Appendix A: Sample GPO Template Files for Settings Used in this Guide.
GPO settings for boundary zone servers running Windows 2000 or Windows Server 2003
You must create a new IPsec policy instead of modifying an existing IPsec policy in a copied GPO. Because all GPOs share a common store of IPsec policies, if you modify an IPsec policy in a copied GPO, you are modifying the shared one used by other GPOs. Make sure that your newly created IPsec policy is the one assigned in the GPO.
The GPOs for computers that are running Windows 2000 or Windows Server 2003 should include the following:
An IPsec policy that includes the following settings and security rules:
Key exchange settings that specify main mode security methods and algorithms. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
A permit rule for all ICMP traffic using My IP Address to Any IP Address.
A permit rule for all computers on the exempted list. Be sure to include all your Active Directory domain controllers on this list. Take advantage of the ability to enter subnet addresses, if applicable in your environment.
A negotiate rule for all network addresses using My IP Address to communicate with subnet addresses that make up the network address space. The filter action should specify Negotiate security, and then specify the same integrity and encryption protocols that are used by your other computers. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices.
To make the policy request authentication for inbound and outbound traffic, select both of the Accept unsecured communication and Allow fallback to unsecured communication check boxes.
Make sure that your GPOs for stationary computers, such as desktop and server computers, assign all rules to all profiles. For portable computers, you might want to allow more profile flexibility to enable users to communicate successfully when they are not connected to the organization's network.
Next: Encryption Zone