
Windows Server and Domain Isolation: What it is and what it does

I'm in the process now of building my TechMentor slide deck titled "Another Brick in the Wall: Isolation Groups and the Windows Firewall". Here, we're going to discuss some simple examples of how to implement Server and Domain Isolation in a Windows network, both with Server 2003 and Server 2008.

But, what is Server and Domain Isolation? To give you a sneak peek of the TechMentor presentation...

...here is Microsoft's explanation (compliments of their Introduction to Server and Domain Isolation white paper):

Server and Domain Isolation creates a layer of end-to-end protection that can greatly reduce the risk of costly malicious attacks and unauthorized access to your networked resources. Based on Microsoft® Windows® IPsec and Active Directory® Group Policy, this solution enables you to dynamically segment your Windows environment into more secure and isolated logical networks. There are different ways to create an isolated network, offering you the flexibility to logically isolate an entire managed domain or create more secure virtual networks of specific servers, sensitive data and clients, thus limiting access to only authenticated and authorized users.

Much of the documentation on SDI is quite difficult to understand. It goes into almost too much detail about the security protocols that surround the technology without really giving you a good sense of how it works. So, here's my definition:

It's a way of using network rules to further protect potentially open spots in your Windows domain.


Let's say an administrator accidentally shares a sensitive folder on your file server with Full Control permissions to the Everyone group. Suddenly, all that sensitive data is immediately exposed to anyone. If the data is on a human resources or other highly sensitive server, you're really in trouble.

Isolation groups leverage IPSec to ensure that any machine attempting to connect to that share must authenticate via Kerberos before it can transfer data.

Think of an isolation group as an extra access control list (ACL), like NTFS and share permissions, but way down at the network level. This extra computer-based ACL ensures that only the correct machines get access to sensitive data and can only transfer that data securely.

Isolation groups can involve “Domain Isolation” or “Server Isolation” – or both!
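Here is what a minimal Server Isolation setup for that file server looks like on Server 2008 with the Windows Firewall with Advanced Security. This is an added example, not from the post or from Microsoft's white paper; the domain name CONTOSO, the group name HR-Isolation-Computers and the rule names are assumptions, and the commands are run in an elevated PowerShell on the HR server (in production you would push the same rules through Group Policy).

```powershell
# Assumed AD security group holding the computer accounts that may reach the HR share.
$isolationGroup = "CONTOSO\HR-Isolation-Computers"

# Resolve the group to its SID and build the SDDL string netsh expects
# for rmtcomputergrp: one allow ACE (A) granting CC to that SID.
$sid = (New-Object System.Security.Principal.NTAccount($isolationGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:LSD:(A;;CC;;;$sid)"

# 1) Connection security rule: every inbound connection to this server must
#    authenticate with Kerberos at the computer level; outbound traffic only
#    requests authentication so the server can still talk to unmanaged hosts.
netsh advfirewall consec add rule `
    name="HR Server Isolation - Require Inbound Kerberos" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain

# 2) Firewall rule: the SMB port is opened only for connections that passed
#    IPsec authentication AND whose computer account is in the isolation group.
#    This is the "extra ACL at the network level": even an Everyone/Full Control
#    share is unreachable from machines outside the group.
netsh advfirewall firewall add rule `
    name="HR Share - SMB from isolation group only" `
    dir=in action=allow protocol=TCP localport=445 `
    profile=domain `
    security=authenticate `
    rmtcomputergrp="$sddl"

# 3) Verify what was configured and, after a client connects, that a main-mode
#    IPsec security association actually exists for it.
netsh advfirewall consec show rule name="HR Server Isolation - Require Inbound Kerberos"
netsh advfirewall monitor show mmsa
```

Change security=authenticate to security=authenc if the share's traffic must also be encrypted on the wire rather than only authenticated and integrity-protected.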

The learning curve on this technology is a little steep, but as you continue to wade through the text, you find more and more bits to pull it all together.

Are you using SDI in your environment? What kind of experience have you had with it so far?


Greg Shields' Bio:

Greg Shields is an independent author, instructor, and IT consultant based in Denver, Colorado, and a co-founder of Concentrated Technology. With nearly 15 years of experience in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft systems management, remote application, and virtualization technologies. Greg is a Contributing Editor for Redmond Magazine, MCPmag.com, and Virtualization Review Magazine and is the author of five books, including Windows Server 2008: What's New / What's Changed. Greg is also a highly sought-after instructor and speaker, speaking regularly at conferences like TechMentor Events, and producing computer-based training curriculum for CBT Nuggets. Greg is a recipient of the Microsoft "Most Valuable Professional" award with a specialization in Windows Terminal Services.