What the Heck is 'Domain Isolation'?
====================== DISCLAIMER ====================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================
To answer this let me quote from the “Introduction to Server and Domain Isolation with Microsoft Windows” document listed below:
“With the Microsoft® Windows® operating systems, you can logically isolate your domain and server resources to limit access to authenticated and authorized computers. For example, you can create a logical network consisting of computers that share a common security framework and a set of requirements for secure communication. A logical network is a group of network nodes that is independent of the physical network topology. For example, with virtual LAN (VLAN) technology, you can create logical networks by grouping computers regardless of their physical connection to a set of switches. Each computer on the logically isolated network can provide authentication credentials to the other computers on the isolated network to prove its membership. Requests for communication that originate from computers that are not part of the isolated network are ignored.
Isolating and logically grouping computers occurs at Layer 3 (the Network layer) of the Open Systems Interconnection (OSI) model. Therefore, the isolated network can span hubs, switches, and routers across the physical and geographical boundaries of your organization network”
Domain Isolation
Basically, you create a barrier between your domain members and non-members by using IPsec policies. Computers inside your domain can talk to one another with no problems but outside computers cannot initiate communication with your domain members. Basically, all you do is create IPsec policies and distribute and assign them using AD. Of course there are a few steps involved in the process (and some great documentation for domain isolation), but that’s really all you do.
Does It Really Work?
Yup! In fact Microsoft has deployed IPsec across several domains (including the largest one). I didn’t even notice it. No bumps, hiccups, outages, no problems. (the “Improving Security with Domain Isolation” document covers the whole experience). I have set this up in a lab (using Virtual Server over Remote Desktop) and it went without a single significant problem.
Domain Isolation White Papers
This first post has been a really brief overview (I have to get back to work - wink), but there are a whole set of brand spanking-new white papers available from Microsoft on planning and deploying domain isolation. Unfortunately, they are damn-near impossible to find (they’re fixing this soon), so I will list them here:
"Introduction to Server and Domain Isolation with Microsoft Windows"
This is the place to start if you are new to IPsec or domain isolation. Also, at the end of the paper is a roadmap to all the other domain isolation docs (quoted in part below).
https://www.microsoft.com/downloads/details.aspx?FamilyId=F9D90728-1D76-4A73-8225-CE3A059B5638&displaylang=en
"Domain Isolation with Microsoft Windows Explained"
This paper provides a detailed overview of domain isolation. It explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation. This paper is intended for IT professionals in organizations that are investigating using the Microsoft implementation of Internet Protocol security (IPsec) in Windows to deploy domain isolation. It assumes that you are somewhat familiar with the Microsoft implementation of IPsec and would like more detailed information about using that technology to deploy domain isolation.
https://www.microsoft.com/downloads/details.aspx?FamilyId=FFC03439-10B8-4476-9527-4B67F90CFFF5&displaylang=en
"Server Isolation with Microsoft Windows Explained"
This paper provides a detailed overview of server isolation. It explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation. This paper is intended for IT professionals in organizations that are investigating using the Microsoft implementation of IPsec in Windows to deploy server isolation. It assumes that you are somewhat familiar with the Microsoft implementation of IPsec and would like more detailed information about using that technology to deploy server isolation.
https://www.microsoft.com/downloads/details.aspx?FamilyId=15E5FC29-B52C-41A4-9EE5-D95916FFE53E&displaylang=en
"Domain Isolation Planning Guide for IT Managers"
Designed for enterprise IT managers who are investigating using IPsec in Microsoft Windows to deploy domain isolation, this paper will help you and your IT staff to gather the information required to develop a domain isolation deployment plan and to design your IPsec policies. It includes an overview of the deployment process, a step-by-step guide to the planning process, and links to resources that you can use to plan and design your deployment. It does not explain how to deploy domain isolation.
https://www.microsoft.com/downloads/details.aspx?FamilyId=495E8245-F977-4BB4-9D17-A6B9B3E3F56F&displaylang=en
"A Guide to Domain Isolation for Security Architects"
Designed for network architects of enterprise organizations that are investigating using IPsec in Microsoft Windows to deploy domain isolation, this paper describes the implications of deploying domain isolation in an enterprise environment and explains how to assess the enterprise environment and plan domain isolation. Read this guide after you have developed a working knowledge of domain isolation.
https://www.microsoft.com/downloads/details.aspx?FamilyId=07AD33AA-F5B3-401F-BD91-DF06F1E23077&displaylang=en
"Setting Up IPsec Server and Domain Isolation in a Test Lab"
This paper demonstrates how to set up IPsec domain and server isolation in a limited test environment. It provides procedures for setting up a basic deployment, which you can use as the basis for your own deployment. This paper is designed for network architects who are investigating using IPsec in Microsoft Windows to deploy server and domain isolation.
https://www.microsoft.com/downloads/details.aspx?FamilyId=5ACF1C8F-7D7A-4955-A3F6-318FEE28D825&displaylang=en
"Interoperability Considerations for IPsec Server and Domain Isolation"
This paper describes interoperability between IPsec-secured hosts running Windows Server 2003, Windows XP with Service Pack 2 (SP2), and Windows 2000 Server with Service Pack 4 (SP4) in a domain or server isolation scenario and hosts that cannot use IPsec, including computers running earlier versions of Windows or non-Microsoft operating systems. It is intended for IT professionals in organizations that are investigating using IPsec in Microsoft Windows to deploy server and domain isolation.
https://www.microsoft.com/downloads/details.aspx?FamilyId=10359569-EF11-499A-9E1F-85DA3FCA608C&displaylang=en
In addition to these, Microsoft IT has a rather detailed and comprehensive paper on how they deployed domain isolation - "Improving Security with Domain Isolation"
https://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx