Improving Network Security Using Improving Network Security Using Windows Server 2008Windows Server 2008

Published: May 2008

Server & Domain IsolationServer & Domain Isolation

Domain IsolationDomain IsolationProtect managed computers from unmanaged Protect managed computers from unmanaged

or rogue computers and usersor rogue computers and users

Protect specific high-value servers and dataProtect specific high-value servers and dataServer IsolationServer Isolation

Isolation Solution DetailsIsolation Solution Details

Policies are created, distributed, and managed through Active Directory® Policies are created, distributed, and managed through Active Directory® Security Groups and Group Policy:Security Groups and Group Policy:

● Domain membership is required to access trusted resources.Domain membership is required to access trusted resources.● Expands the use of supportive tools like Microsoft Systems Management Server Expands the use of supportive tools like Microsoft Systems Management Server

(SMS) 2003 or Windows Server® Update Service (WSUS).(SMS) 2003 or Windows Server® Update Service (WSUS).

Authentication is based on machine and user credentials:Authentication is based on machine and user credentials:● Kerberos, X.509 certificatesKerberos, X.509 certificates, , NTLM version 2 (NTLMv2), NAP health certificatesNTLM version 2 (NTLMv2), NAP health certificates

Policies are enforced at the network layer by IPsec:Policies are enforced at the network layer by IPsec:● Uses IPsec transport mode for end-to-end security and Network Address Uses IPsec transport mode for end-to-end security and Network Address

Translation (NAT) traversalTranslation (NAT) traversal● Packets encapsulated with Encapsulating Security Payload (ESP) or Packets encapsulated with Encapsulating Security Payload (ESP) or

Authentication Header (AH) for authentication and integrity Authentication Header (AH) for authentication and integrity ● Optionally, encryption of highly sensitive network trafficOptionally, encryption of highly sensitive network traffic

Policy ManagementPolicy Management AuthenticationAuthentication EnforcementEnforcement

Windows Firewall IntegrationWindows Firewall Integration● Integrated host firewall and IPsec management:Integrated host firewall and IPsec management:

● New management tools (the Windows Firewall with Advanced New management tools (the Windows Firewall with Advanced Security MMC snap-in; Security MMC snap-in; netsh advfirewall netsh advfirewall command-line tool)command-line tool)

● Reduces conflicts and coordination overhead amongReduces conflicts and coordination overhead amongtechnologiestechnologies

● Firewall rules becomeFirewall rules becomemore intelligent:more intelligent:● Specify securitySpecify security

requirements suchrequirements suchas authenticationas authenticationand encryptionand encryption

● Specify ActiveSpecify ActiveDirectory computerDirectory computeror user groupsor user groups

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. respective owners.