Mapping Design Requirements to Forest Design Models

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Most groups in your organization can share a single organizational forest that is managed by a single information technology (IT) group and that contains the user accounts and resources for all of the groups that share the forest. This shared forest, called the initial organizational forest, is the foundation of the forest design model for the organization.

Because the initial organizational forest can host multiple groups in the organization, the forest owner must establish service level agreements with each group so that all the parties understand what is expected of them. This protects both the individual groups and the forest owner by establishing agreed-on service expectations.

If not all of the groups in your organization can share a single organizational forest, you must expand your forest design to accommodate the needs of the different groups. This involves identifying the design requirements that apply to the groups based on their needs for autonomy and isolation and whether or not they have a limited-connectivity network, and then identifying the forest model that you can use to accommodate those requirements. The following table lists forest design model scenarios based on the autonomy, isolation, and connectivity factors. After you identify the forest design scenario that best matches your requirements, determine if you need to make any additional decisions to meet your design specifications.

Note

If a factor is listed as N/A, it is not a consideration because other requirements also accommodate that factor.

| Scenario | Limited connectivity | Data isolation | Data autonomy | Service isolation | Service autonomy |
|---|---|---|---|---|---|
| Scenario 1: Join an existing forest for data autonomy | No | No | Yes | No | No |
| Scenario 2: Use an organizational forest or domain for service autonomy | No | No | N/A | No | Yes |
| Scenario 3: Use an organizational forest or resource forest for service isolation | No | No | N/A | Yes | N/A |
| Scenario 4: Use an organizational forest or restricted access forest for data isolation | N/A | Yes | N/A | N/A | N/A |
| Scenario 5: Use an organizational forest, or reconfigure the firewall for limited connectivity | Yes | No | N/A | No | No |
| Scenario 6: Use an organizational forest or domain, and reconfigure the firewall for service autonomy with limited connectivity | Yes | No | N/A | No | Yes |
| Scenario 7: Use a resource forest, and reconfigure the firewall for service isolation with limited connectivity | Yes | No | N/A | Yes | N/A |

Scenario 1: Join an existing forest for data autonomy

You can meet a requirement for data autonomy simply by hosting the group in organizational units (OUs) in an existing organizational forest. Delegate control over the OUs to data administrators from that group to achieve data autonomy. For more information about delegating control by using OUs, see Creating an Organizational Unit Design.

Scenario 2: Use an organizational forest or domain for service autonomy

If a group in your organization identifies service autonomy as a requirement, we recommend that you first reconsider this requirement. Achieving service autonomy creates more management overhead and additional costs for the organization. Ensure that the requirement for service autonomy is not simply for convenience and that you can justify the costs involved in meeting this requirement.

You can meet a requirement for service autonomy by doing one of the following:

  • Creating an organizational forest. Place the users, groups, and computers for the group that requires service autonomy into a separate organizational forest. Assign an individual from that group to be the forest owner. If the group needs to access or share resources with other forests in the organization, they can establish a trust between their organizational forest and the other forests.

  • Using organizational domains. Place the users, groups, and computers in a separate domain in an existing organizational forest. This model provides for domain-level service autonomy only and not for full service autonomy, service isolation, or data isolation.

For more information about using organizational domains, see Using the Organizational Domain Forest Model.

Scenario 3: Use an organizational forest or resource forest for service isolation

You can meet a requirement for service isolation by doing one of the following:

  • Using an organizational forest. Place the users, groups, and computers for the group that requires service isolation into a separate organizational forest. Assign an individual from that group to be the forest owner. If the group needs to access or share resources with other forests in the organization, they can establish a trust between their organizational forest and the other forests. However, we do not recommend this approach because resource access through universal groups is heavily restricted in forest trust scenarios.

  • Using a resource forest. Place resources and service accounts into a separate resource forest, keeping user accounts in an existing organizational forest. If necessary, alternate accounts can be created in the resource forest to access resources in the resource forest if the organizational forest becomes unavailable. The alternate accounts must have the authority required to log on to the resource forest and maintain control of the resources until the organizational forest is back online.

    Establish a trust between the resource and organizational forests, so that the users can access the resources in the forest while using their regular user accounts. This configuration enables centralized management of user accounts while allowing users to fall back to alternate accounts in the resource forest if the organizational forest becomes unavailable.

Considerations for service isolation include the following:

  • Forests created for service isolation can trust domains from other forests but must not include users from other forests in their service administrators groups. If users from other forests are included in administrative groups in the isolated forest, the security of the isolated forest potentially can be compromised because the service administrators in the forest do not have exclusive control.

  • As long as domain controllers are accessible on a network, they are subject to attacks (such as denial-of-service attacks) from malicious software on that network. You can do the following to protect against the possibility of an attack:

    • Host domain controllers only on networks that are considered secure.

    • Limit access to the network or networks hosting the domain controllers.

  • Service isolation requires the creation of an additional forest. Evaluate whether the cost of maintaining the infrastructure to support the additional forest outweighs the costs associated with loss of access to resources due to an organizational forest being unavailable.

Scenario 4: Use an organizational forest or restricted access forest for data isolation

You can achieve data isolation by doing one of the following:

  • Using an organizational forest. Place the users, groups, and computers for the group that requires data isolation into a separate organizational forest. Assign an individual from that group to be the forest owner. If the group needs to access or share resources with other forests in the organization, establish a trust between the organizational forest and the other forests. Only the users who require access to the classified information exist in the new organizational forest. Users have one account that they use to access both classified data in their own forest and unclassified data in other forests by means of trust relationships.

  • Using a restricted access forest. This is a separate forest that contains the restricted data and the user accounts that are used to access that data. Separate user accounts are maintained in the existing organizational forests that are used to access the unrestricted resources on the network. No trusts are created between the restricted access forest and other forests in the enterprise. You can further restrict the forest by deploying the forest on a separate physical network, so that it cannot connect to other forests. If you deploy the forest on a separate network, users must have two workstations: one for accessing the restricted forest and one for accessing the nonrestricted areas of the network.

Considerations for creating forests for data isolation include the following:

  • Organizational forests created for data isolation can trust domains from other forests, but users from other forests must not be included in any of the following:

    • Groups responsible for service management or groups that can manage the membership of service administrator groups

    • Groups that have administrative control over computers that store protected data

    • Groups that have access to protected data or groups that are responsible for the management of user objects or group objects that have access to protected data

    If users from another forest are included in any of these groups, a compromise of the other forest might lead to a compromise of the isolated forest and to disclosure of protected data.

  • Other forests can be configured to trust the organizational forest created for data isolation so that users in the isolated forest can access resources in other forests. However, users from the isolated forest must never interactively log on to workstations in the trusting forest. The computer in the trusting forest can potentially be compromised by malicious software and can be used to capture the logon credentials of the user.

    Note

    To prevent servers in a trusting forest from impersonating users from the isolated forest, and then accessing resources in the isolated forest, the forest owner can disable delegated authentication or use the constrained delegation feature. For more information about delegated authentication and constrained delegation, see Delegating authentication (http://go.microsoft.com/fwlink/?LinkId=106614).

  • You might need to establish a firewall between the organizational forest and the other forests in the organization to limit user access to information outside of their forest.

  • Although creating a separate forest enables data isolation, as long as the domain controllers in the isolated forest and computers that host protected information are accessible on a network, they are subject to attacks launched from computers on that network. Organizations that decide that the risk of attack is too high or that the consequence of an attack or security violation is too great need to limit access to the network or networks that are hosting the domain controllers and the computers that are hosting protected data. Limiting access can be done by using technologies such as firewalls and Internet Protocol security (IPsec). In extreme cases, organizations might choose to maintain the protected data on an independent network that has no physical connection to any other network in the organization.

    Note

    If any network connectivity exists between a restricted access forest and another network, the possibility exists for data in the restricted area to be transmitted to the other network.
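One way to check the group-membership rules from the service isolation and data isolation considerations above, as an added example that is not part of the original page: a Python script that reads an LDIF export of the isolated forest's sensitive groups and reports members that are accounts from outside the forest. The domain `isolated.example`, the group names and all SIDs are constructed sample data; the script relies on AD DS storing members from outside the forest as objects in the `CN=ForeignSecurityPrincipals` container.

```python
import base64
import re

# A member stored as a foreign security principal: its CN is the SID itself.
FSP_RE = re.compile(r"^CN=(S-[0-9-]+),CN=ForeignSecurityPrincipals,", re.I)

# Constructed sample data (hypothetical forest, made-up SIDs). The last member
# is base64-encoded, as LDIF exporters may emit for some attribute values.
_ENCODED = base64.b64encode(
    b"CN=S-1-5-21-1234567890-1098765432-1357924680-500,"
    b"CN=ForeignSecurityPrincipals,DC=isolated,DC=example").decode()

SAMPLE_LDIF = """\
dn: CN=Administrators,CN=Builtin,DC=isolated,DC=example
member: CN=Domain Admins,CN=Users,DC=isolated,DC=example
member: CN=S-1-5-21-1111111111-2222222222-3333333333-1105,CN=ForeignSecurityPr
 incipals,DC=isolated,DC=example

dn: CN=Protected Data Readers,OU=Groups,DC=isolated,DC=example
member: CN=Alice,OU=Staff,DC=isolated,DC=example
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=isolated,DC=example
member:: """ + _ENCODED + "\n"


def parse_ldif(text):
    """Return {group_dn: [member_dn, ...]} from an LDIF export."""
    text = re.sub(r"\r?\n ", "", text)        # unfold continuation lines
    groups, dn = {}, None
    for line in text.splitlines():
        if not line.strip():
            dn = None                          # a blank line ends the record
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: ..." is a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
            groups[dn] = []
        elif attr.lower() == "member" and dn is not None:
            groups[dn].append(value)
    return groups


def foreign_members(groups):
    """List (group_dn, sid) for members that are accounts from outside the forest."""
    findings = []
    for group_dn, members in groups.items():
        for member in members:
            m = FSP_RE.match(member)
            # S-1-5-21-... identifies an account in some domain. Other SIDs in
            # this container (such as S-1-5-11, Authenticated Users) are
            # well-known principals, not users from another forest.
            if m and m.group(1).upper().startswith("S-1-5-21-"):
                findings.append((group_dn, m.group(1)))
    return findings


if __name__ == "__main__":
    for group_dn, sid in foreign_members(parse_ldif(SAMPLE_LDIF)):
        print(f"{group_dn}: member from outside the forest: {sid}")
```

Any finding in a service administrators group, or in a group with control over or access to protected data, means the isolated forest's security depends on the forest that issued that SID.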

Scenario 5: Use an organizational forest, or reconfigure the firewall for limited connectivity

To meet a limited connectivity requirement, you can do one of the following:

  • Place users into an existing organizational forest, and then open the firewall enough to allow Active Directory traffic to pass through.

  • Use an organizational forest. Place the users, groups, and computers for the group for which connectivity is limited into a separate organizational forest. Assign an individual from that group to be the forest owner. The organizational forest provides a separate environment on the other side of the firewall. The forest includes user accounts and resources that are managed within the forest, so that users do not need to go through the firewall to accomplish their daily tasks. Specific users or applications might have special needs that require the capability to pass through the firewall to contact other forests. You can address these needs individually by opening the appropriate interfaces in the firewall, including those necessary for any trusts to function.

For more information about configuring firewalls for use with Active Directory Domain Services (AD DS), see Active Directory in Networks Segmented by Firewalls (http://go.microsoft.com/fwlink/?LinkId=37928).

Scenario 6: Use an organizational forest or domain, and reconfigure the firewall for service autonomy with limited connectivity

If a group in your organization identifies service autonomy as a requirement, we recommend that you first reconsider this requirement. Achieving service autonomy creates more management overhead and additional costs for the organization. Ensure that the requirement for service autonomy is not simply for convenience and that you can justify the costs involved in meeting this requirement.

If limited connectivity is an issue, and you have a requirement for service autonomy, you can do one of the following:

  • Use an organizational forest. Place the users, groups, and computers for the group that requires service autonomy into a separate organizational forest. Assign an individual from that group to be the forest owner. The organizational forest provides a separate environment on the other side of the firewall. The forest includes user accounts and resources that are managed within the forest, so that users do not need to go through the firewall to accomplish their daily tasks. Specific users or applications might have special needs that require the capability to pass through the firewall to contact other forests. You can address these needs individually by opening the appropriate interfaces in the firewall, including those necessary for any trusts to function.

  • Place the users, groups, and computers in a separate domain in an existing organizational forest. This model provides for domain-level service autonomy only and not for full service autonomy, service isolation, or data isolation. Other groups in the forest must trust the service administrators of the new domain to the same degree that they trust the forest owner. For this reason, we do not recommend this approach. For more information about using organizational domains, see Using the Organizational Domain Forest Model.

You also need to open the firewall enough to allow Active Directory traffic to pass through. For more information about configuring firewalls for use with AD DS, see Active Directory in Networks Segmented by Firewalls (http://go.microsoft.com/fwlink/?LinkId=37928).

Scenario 7: Use a resource forest, and reconfigure the firewall for service isolation with limited connectivity

If limited connectivity is an issue, and you have a requirement for service isolation, you can do one of the following:

  • Use an organizational forest. Place the users, groups, and computers for the group that requires service isolation into a separate organizational forest. Assign an individual from that group to be the forest owner. The organizational forest provides a separate environment on the other side of the firewall. The forest includes user accounts and resources that are managed within the forest, so that users do not need to go through the firewall to accomplish their daily tasks. Specific users or applications might have special needs that require the capability to pass through the firewall to contact other forests. You can address these needs individually by opening the appropriate interfaces in the firewall, including those necessary for any trusts to function.

  • Use a resource forest. Place resources and service accounts into a separate resource forest, keeping user accounts in an existing organizational forest. It might be necessary to create some alternate user accounts in the resource forest to maintain access to the resource forest if the organizational forest becomes unavailable. The alternate accounts must have the authority required to log on to the resource forest and maintain control of the resources until the organizational forest is back online.

    Establish a trust between the resource and organizational forests, so that the users can access the resources in the forest while using their regular user accounts. This configuration enables centralized management of user accounts while allowing users to fall back to alternate accounts in the resource forest if the organizational forest becomes unavailable.

Considerations for service isolation include the following:

  • Forests created for service isolation can trust domains from other forests but must not include users from other forests in their service administrators groups. If users from other forests are included in administrative groups in the isolated forest, the security of the isolated forest potentially can be compromised because the service administrators in the forest do not have exclusive control.

  • As long as domain controllers are accessible on a network, they are subject to attacks (such as denial-of-service attacks) from computers on that network. You can do the following to protect against the possibility of an attack:

    • Host domain controllers only on networks that are considered secure.

    • Limit access to the network or networks hosting the domain controllers.

  • Service isolation requires the creation of an additional forest. Evaluate whether the cost of maintaining the infrastructure to support the additional forest outweighs the costs associated with loss of access to resources due to an organizational forest being unavailable.

    Specific users or applications might have special needs that require the capability to pass through the firewall to contact other forests. You can address these needs individually by opening the appropriate interfaces in the firewall, including those necessary for any trusts to function.

For more information about configuring firewalls for use with AD DS, see Active Directory in Networks Segmented by Firewalls (http://go.microsoft.com/fwlink/?LinkId=37928).