Tuesday, 25 October 2011

Windows Domain Isolation

I will cover the actual process of how to implement Domain Isolation in a Windows domain-based architecture in the coming weeks. As this requires that I include images, it will need to wait until I am past the current round of conferences.


Domain isolation is a set of technologies that Microsoft has pulled together, with controls under Group Policy that allow you to limit the risk of unauthorised access to trusted systems. Attacks by trusted administrators are of course a separate issue that this type of control does not mitigate (here we need segregation of duties and related non-technical controls).

Domain isolation uses a combination of IPsec and the local host firewall. A trusted system can be restricted to accept only the protocols needed to bring up an authenticated connection (IKE for the IPsec negotiation, ESP or AH for the protected traffic, Kerberos for authentication, and so on) and to block all other access, even when the host sits on the Internet. Note that the domain controllers must remain reachable without IPsec, since Kerberos is what authenticates the IPsec peers in the first place. If a host is mobile and on the Internet, the need to allow DHCP and other local bootstrap protocols complicates the configuration, but it does not make it impossible.

If you install RADIUS (either the Internet Authentication Service (IAS) that ships with Windows Server or a third-party service) you can also integrate other devices (such as a Cisco or Juniper router or switch) into the domain's authentication and policy groups (I will also get to documenting how this can be done in time).

You can further improve the security of a site by having IPsec provide strong per-packet mutual authentication, integrity protection, anti-replay and (with ESP) encryption.

This lets your systems communicate only with the trusted domain members you have explicitly allowed. In doing this you can restrict inbound network access (this applies to both ingress and egress controls, but the easiest quick win is to secure incoming connections first and then restrict egress once the system architecture has been updated). The restriction can easily be narrowed to host security groups consisting of only selected domain member hosts, and these can be set per user and per host in Group Policy.
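The following is an added example (not from the original post, which promises screenshots of the MMC-based procedure in a later article) showing the same domain isolation set-up described above, driven from PowerShell with the NetSecurity cmdlets available on Windows Server 2012 / Windows 8 and later. It ties together the two points made above: the IPsec exemptions a host needs to bootstrap (DCs, DHCP) and the firewall rule that admits only authenticated, encrypted connections from computers in a chosen security group. The domain name, GPO name, group name and domain controller addresses are assumptions for illustration only.

```powershell
# Added example: Windows domain isolation with the NetSecurity cmdlets
# (Windows Server 2012 / Windows 8 and later). Not code from the original post.
# Assumptions (illustrative, not from the original post):
#   - a GPO named "Domain Isolation" already exists in contoso.com and is
#     linked to the OU holding the hosts to be isolated;
#   - an AD security group "Isolated-Hosts" contains the trusted member computers;
#   - the domain controllers are 10.0.0.10 and 10.0.0.11.
#Requires -Modules NetSecurity, ActiveDirectory

$Domain    = 'contoso.com'
$GpoName   = 'Domain Isolation'
$HostGroup = 'Isolated-Hosts'
$DCs       = @('10.0.0.10', '10.0.0.11')

# Edit the GPO, not the local policy store, so every member picks the rules up.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# 1. Authentication methods: machine Kerberos in main mode (phase 1),
#    user Kerberos in extended mode (phase 2). Both come from the domain,
#    so no certificates or pre-shared keys are needed for domain members.
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'DI Phase1 Machine Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos) -GPOSession $gpo
$p2 = New-NetIPsecPhase2AuthSet -DisplayName 'DI Phase2 User Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos) -GPOSession $gpo

# 2. Exemptions: traffic that must flow before IPsec can be negotiated.
#    The DCs supply Kerberos, LDAP and DNS; DHCP is needed by mobile hosts
#    before they have an address at all. (IKE on UDP 500/4500 is always exempt.)
New-NetIPsecRule -DisplayName 'DI Exempt Domain Controllers' `
    -RemoteAddress $DCs -InboundSecurity None -OutboundSecurity None -GPOSession $gpo
New-NetIPsecRule -DisplayName 'DI Exempt DHCP' -Protocol UDP `
    -LocalPort 68 -RemotePort 67 `
    -InboundSecurity None -OutboundSecurity None -GPOSession $gpo

# 3. The isolation rule: require authentication for anything inbound, request
#    it outbound so members can still talk to non-domain hosts while egress
#    controls are being designed. No -Profile is given, so it applies whether
#    the host is on the corporate LAN or on the Internet.
New-NetIPsecRule -DisplayName 'DI Require Inbound, Request Outbound' `
    -InboundSecurity Require -OutboundSecurity Request -Mode Transport `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name -GPOSession $gpo

# 4. Host firewall: block inbound by default, then allow a service (RDP here)
#    only from computers that authenticated as members of the host group.
#    -RemoteMachine takes an SDDL string naming the group SID; "CC" is the
#    access right the firewall uses to mean "match".
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -GPOSession $gpo

$sid  = (Get-ADGroup -Identity $HostGroup).SID.Value
$sddl = "O:LSD:(A;;CC;;;$sid)"
New-NetFirewallRule -DisplayName 'DI Allow RDP from Isolated-Hosts' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -Authentication Required -Encryption Required `
    -RemoteMachine $sddl -GPOSession $gpo

# Commit the changes to the GPO.
Save-NetGPO -GPOSession $gpo
```

`-Encryption Required` on the firewall rule gives the per-packet confidentiality mentioned above; it relies on the quick mode crypto set offering an encrypting ESP proposal (the Windows default set does). After the GPO applies, `Get-NetIPsecMainModeSA` and `Get-NetIPsecQuickModeSA` on a member show which peers have negotiated security associations, and an unauthenticated host on the same network will find TCP 3389 silently dropped.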

