December 17, 2009 12:00 AM
Using IPsec to Isolate Servers in Windows 7, Windows Server 2008, and Windows Vista
Connection Security Rules integrate IPsec and firewall functionality for the first time
Windows IT Pro
InstantDoc ID #103088
Configuring Exemptions
In some situations, you'll want to exempt computers, groups, or ranges of IP addresses assigned to computers from being required to authenticate when initiating a connection to an isolated host—regardless of other Connection Security Rules. For example, you might use exemption to grant access to infrastructure computers (e.g., AD DCs, DHCP or CA servers) that the isolated host must communicate with before authentications can be performed.
A word of warning: Be very careful configuring isolation rules that can affect infrastructure servers. CA, DC, DHCP, DNS, and other infrastructure servers shouldn't have any requirement for IPsec communication for inbound or outbound connectivity. If rules are created, they should be crafted extremely carefully so that computers that have not yet authenticated can still reach these services in order to authenticate. Member servers and workstations should be configured to neither request nor require authentication when talking to those servers, and authentication exemption rules are the way to configure that.
To configure exemption, start the New Inbound Rule Wizard again by right-clicking Connection Security Rules, then select Authentication Exemption and click Next. On the next screen, you can click Add to add computers, IP ranges, or specific computer types that will be exempted from authentication. When you make your choice, click Next and select the network profile that this rule will apply to. Then, name the rule and click Finish.
Using Group Policy
The most convenient way to enable server isolation on several computers is through Group Policy. Be aware that, to apply server isolation through Group Policy, you need to have Server 2008 domain controllers (DCs), as these options are not available in Windows Server 2003 Group Policy Objects. However, if you have Windows Server 2003 DCs, you can still use the older IPsec policy options. Before creating and linking a Group Policy Object (GPO), you should group hosts with the same isolation requirements into separate organizational units (OUs).
After you’ve created an OU structure and moved servers to their proper OUs, open the Group Policy Management Console from Administrative Tools. Create a new GPO inside the Group Policy Objects container, right-click it, and select Edit to open it. Navigate to the Computer Configuration node, and expand Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security. In the Group Policy Management Editor's right pane, you'll see the same UI you’d see if you were running this console locally. Click Connection Security Rules, start the New Inbound Rule Wizard, and implement your desired options as I described earlier.
After you finish, you'll have a Connection Security Rule created inside the GPO. If you right-click the rule, select Properties, and go to the Computers tab, you can specify rule endpoints—the computers to which this rule will apply. You can specify one or more computers as either endpoint, using a specific IP address, a subnet, a predefined address, or an IP address range. Be aware that the Connection Security Rule will apply to communications between any computer in Endpoint 1 and any computer in Endpoint 2. After you've configured all necessary options, you can link the GPO to the OU that contains the hosts that need to be isolated.
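The exemption rule from the Configuring Exemptions section and the GPO-based isolation rule described above can also be created from the command line with netsh advfirewall, which is useful when you want the same rules scripted and reviewable rather than clicked through the wizard. The following is an added example and not part of the original article; the domain name contoso.com, the GPO name "Server Isolation", and all IP addresses are constructed values that you would replace with your own. It assumes an elevated PowerShell prompt on a domain-joined Windows 7 or Server 2008 (or later) host, and that the GPO already exists.

```powershell
# Added example (not from the article): Connection Security Rules as netsh
# advfirewall commands, written into a GPO rather than the local policy store.
# Constructed values below: domain, GPO name, infrastructure and isolated-server
# addresses. Replace them with your own.

$Domain      = 'contoso.com'                    # assumed domain
$GpoName     = 'Server Isolation'               # assumed GPO name (must already exist)
$InfraHosts  = '10.0.0.10,10.0.0.11,10.0.0.20'  # constructed: DCs/DNS and the CA
$IsolatedNet = '10.0.5.0/24'                    # constructed: subnet of the isolated servers

# 1. Point netsh at the GPO. Every consec command that follows is stored in the
#    GPO, not on this machine, until the store is switched back to local.
netsh advfirewall set store "gpo=$Domain\$GpoName"

# 2. Authentication exemption (the wizard's "Authentication Exemption" choice).
#    Traffic between any endpoint and the infrastructure servers is never asked
#    to authenticate, so clients can reach the DC/DNS/CA before IPsec is possible.
netsh advfirewall consec add rule "name=Exempt infrastructure servers" `
    endpoint1=any "endpoint2=$InfraHosts" action=noauthentication profile=domain

# 3. Isolation rule for the hosts in the OU this GPO is linked to: inbound
#    connections to the isolated subnet must authenticate with computer
#    Kerberos; outbound connections only request authentication.
netsh advfirewall consec add rule "name=Isolate servers (require in, request out)" `
    endpoint1=any "endpoint2=$IsolatedNet" action=requireinrequestout `
    auth1=computerkerb profile=domain

# 4. Review what the GPO now contains, then return netsh to the local store so
#    later commands do not accidentally land in the GPO.
netsh advfirewall consec show rule name=all
netsh advfirewall set store local

# Check on an isolated server after the GPO applies (Windows 7 / Server 2008 R2
# and later): established IPsec main-mode security associations show that peers
# are actually authenticating rather than connecting in the clear.
netsh advfirewall monitor show mmsa
```

The exemption rule is listed before the isolation rule only for readability; exemptions take precedence regardless of order, which is why the article stresses that infrastructure servers never carry an authentication requirement. Link the GPO to the OU holding the isolated servers, and keep the infrastructure servers themselves outside that OU.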
Complementary Security
Server isolation provides an extra layer of security and access control that complements other security technologies such as antivirus, anti-spyware, firewall, and intrusion detection system (IDS) solutions. It lets you use Group Policy settings to create, distribute, and centrally manage Connection Security Rules to isolate specific hosts.
This solution also results in a zero-touch deployment experience and an unchanged experience for end users. No additional end-user training is necessary, and there's no need to install new software or visit each computer during deployment—a great benefit of this technology!