Thursday, February 23, 2012 4:51 AM
Is there a way to create a Group Policy Object that I can apply to a member server on my network, that will only allow inbound connections to the server if the requesting connection is from a specific user or computer within the domain? Does this need to be applied at the Firewall level, or at the Server level itself?
Example: I want to isolate domain member SERVERX from all attempts to connect to it, unless the connection is coming from either Domain\User1 or from SERVERB.
Thursday, February 23, 2012 8:09 AM
Server and Domain Isolation can probably be helpful here. By using IPSec policies you can decide who is able to connect to your server based on the results from the IPSec authentication.
User-based authentication in IPSec depends on the version of Windows you are running on your server and clients, as Windows 2003 & XP can only handle machine authentication, and you need to step up to Windows 2008 & Vista or above to be able to use user-based IPSec authentication.
Read more about SDI:
Thursday, February 23, 2012 8:38 AM
Yes, our entire environment is all native Windows 2008 R2 servers and Windows 7 Pro hosts.
What do I need to enable IPSec policies? Do I need to create a PKI based infrastructure to use IPSec policies?
Thursday, February 23, 2012 9:21 AM
You do not need to have PKI to be able to run SDI and use IPSec within a domain. You can use IPSec with Kerberos authentication between domain members. If you intend to use IPSec between computers that are not members of an Active Directory domain, you need to have other methods of authentication and can either use PKI/certificates (recommended) or PSK/shared secrets (not recommended unless it is the last option available).
Please use the “Windows Firewall with Advanced Security Design and Deployment Guide” http://www.microsoft.com/download/en/details.aspx?id=17077 and check the “Server Isolation Policy Design” chapter and the example steps described in the document.
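The rules the answer describes, as an added worked example that is not part of the original thread or of the linked Microsoft guide. It assumes the names from the question (Domain\User1, SERVERX, SERVERB) and uses RDP (TCP 3389) as the protected service; those are illustrative choices. It uses netsh advfirewall, which is available on Windows 7 / Server 2008 R2 (the NetSecurity PowerShell cmdlets only arrived with Windows 8 / Server 2012), so it can be run elevated on SERVERX directly or used as a reference when building the same rules in a GPO under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

```powershell
# Added example (not from the original thread): server isolation on SERVERX
# with Kerberos-authenticated IPsec and per-computer / per-user authorization.
# Assumptions: domain "Domain", user User1, peer computer SERVERB, service RDP.
$ErrorActionPreference = 'Stop'

# Resolve the SIDs WFAS needs for its "authorized computers/users" lists.
# Computer accounts are looked up as NAME$ (the trailing $ is part of the name).
function Get-AccountSid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$userSid     = Get-AccountSid 'Domain\User1'     # assumed user from the question
$computerSid = Get-AccountSid 'Domain\SERVERB$'  # assumed computer from the question

# WFAS stores the authorization lists as an SDDL DACL, one (A;;CC;;;SID) ACE
# per allowed principal. Add more ACEs to the same string to allow more accounts.
$userSddl     = "D:(A;;CC;;;$userSid)"
$computerSddl = "D:(A;;CC;;;$computerSid)"

# 1. Connection security rule: IPsec is required for inbound, requested for
#    outbound. First authentication = computer Kerberos (domain membership is
#    the trust anchor, no PKI needed); second authentication = user Kerberos,
#    which is what makes user-based authorization possible on Vista/2008+.
netsh advfirewall consec add rule `
    name="SERVERX - require Kerberos IPsec inbound" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    auth2=userkerb `
    profile=domain

# 2. Inbound rules that only allow the traffic when it is IPsec-protected AND
#    the authenticated peer matches the list. rmtcomputergrp and rmtusrgrp on
#    the SAME rule are ANDed, so "User1 OR SERVERB" needs two separate rules.
netsh advfirewall firewall add rule `
    name="SERVERX - RDP from SERVERB" `
    dir=in action=allow protocol=TCP localport=3389 `
    security=authenticate `
    rmtcomputergrp="$computerSddl" `
    profile=domain

netsh advfirewall firewall add rule `
    name="SERVERX - RDP for Domain\User1" `
    dir=in action=allow protocol=TCP localport=3389 `
    security=authenticate `
    rmtusrgrp="$userSddl" `
    profile=domain

# 3. Close the back door: default inbound action must be block, otherwise any
#    other enabled inbound rule still admits unauthenticated traffic.
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

# 4. Check what actually landed (the verbose output shows the SDDL lists).
netsh advfirewall consec show rule name="SERVERX - require Kerberos IPsec inbound"
netsh advfirewall firewall show rule name=all verbose | Select-String 'SERVERX -'
```

Two caveats when applying this. First, IPsec is negotiated by both ends: the clients (SERVERB and whatever User1 logs on from) need a matching connection security rule of their own, typically a GPO on the domain computers with action=requestinrequestout and the same auth1/auth2 methods, or SERVERX will simply refuse their plaintext connections. Second, test with the server's own RDP or management path included in the authorized list before pushing the blockinbound default through Group Policy, since the policy will lock out every other inbound connection including your own.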
Tuesday, February 28, 2012 2:45 AM (Moderator)