For a better understanding of this technology, I advise consulting the following reference:
http://technet.microsoft.com/ru-ru/library/cc755490%28WS.10%29.aspx
I want to add a little to that information.
Besides isolating domains, servers, and computers that are not members of a domain, it is also possible to isolate computers that are members of an existing MS Windows domain. What could that be needed for? For example, for isolating a computer in the MS Windows domain that turns out to be infected with a network virus (worm) but still needs access to some domain resources. Not entirely safe, true? But we protect the other computers on the network from direct interaction with the infected workstation. Furthermore, such a computer can always be protected physically as well, by forcing it to work through a dedicated security station, for example a gateway, which in turn will start blocking unwanted traffic. All of this can be configured in advance, quite flexibly, by means of AD (GPO) security policies, and then, as required, the hosts that need isolation are added to that policy. It is also worth remembering the possibility of filtering traffic on ports using IPSec, since it can protect against some types of network viruses that use non-system ports for their work. Unfortunately, modern viruses leave ever fewer such opportunities. And IT service divisions everywhere still use the NetBIOS protocol for publishing shared resources on the network, which harms the security of hosts on the local network. If AD capabilities were used instead, publishing resources in the AD catalog, the number of system ports in use on hosts in the network would be reduced somewhat, system resources would be freed by giving up unnecessary services, infection by some network viruses would become impossible, and attacks against the NetBIOS protocol would become impossible. Yes, for the critics: exceptions to the rules can be added to such a domain organization policy, for print servers, for example.
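As an added illustration, not from the original post or from Microsoft's documentation, the following PowerShell builds a domain isolation policy of the kind described above: Kerberos machine authentication is required for inbound and requested for outbound traffic, print servers and domain controllers get an authentication exemption, and inbound NetBIOS is blocked. The domain name, GPO name and addresses are placeholders; the NetSecurity cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post). Assumes a domain "corp.example"
# with a GPO named "Domain Isolation" already linked to the computers to protect,
# placeholder addresses for exempt hosts, and an elevated PowerShell session on
# a domain member allowed to edit that GPO.
$Store  = 'corp.example\Domain Isolation'        # placeholder GPO (assumed)
$Exempt = @('10.0.0.10', '10.0.0.11')            # placeholder: print server, DC

# 1. Phase 1 authentication: computer (Kerberos) credentials only, so only
#    domain-joined machines can complete the IPsec negotiation.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Kerberos machine auth' `
                                      -Proposal $proposal -PolicyStore $Store

# 2. Authentication exemption: infrastructure hosts (print servers, domain
#    controllers) stay reachable without IPsec, so Kerberos and printing keep
#    working. This is the "exceptions to the rules" the text mentions.
New-NetIPsecRule -DisplayName 'Domain Isolation - exempt infrastructure' `
                 -RemoteAddress $Exempt `
                 -InboundSecurity None -OutboundSecurity None `
                 -PolicyStore $Store | Out-Null

# 3. Isolation rule on the Domain profile: inbound connections must
#    authenticate, outbound ones request it. A host that cannot present
#    domain computer credentials can no longer initiate connections to members.
New-NetIPsecRule -DisplayName 'Domain Isolation - require inbound auth' `
                 -InboundSecurity Require -OutboundSecurity Request `
                 -Phase1AuthSet $authSet.Name `
                 -Profile Domain `
                 -PolicyStore $Store | Out-Null

# 4. Port filtering: block inbound NetBIOS name/datagram (UDP 137-138) and
#    session (TCP 139) services, which the text singles out as a risk.
New-NetFirewallRule -DisplayName 'Domain Isolation - block inbound NetBIOS UDP' `
                    -Direction Inbound -Action Block -Protocol UDP `
                    -LocalPort 137,138 -PolicyStore $Store | Out-Null
New-NetFirewallRule -DisplayName 'Domain Isolation - block inbound NetBIOS TCP' `
                    -Direction Inbound -Action Block -Protocol TCP `
                    -LocalPort 139 -PolicyStore $Store | Out-Null

# 5. Review what the GPO now contains before it replicates to clients.
Get-NetIPsecRule -PolicyStore $Store |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, RemoteAddress -AutoSize
```

Apply the policy to a pilot OU first and watch the IPsec Main Mode security associations (`Get-NetIPsecMainModeSA`) and the Windows Firewall audit events on a pilot host before widening its scope; a missing exemption shows up immediately as members losing access to the un-exempted service.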
I will add from myself that these capabilities have been present since the MS Windows 2000 platform, but nobody paid attention to them, or did not want to study new capabilities for improving the level of security in an MS Windows network, or whatever else the reason may be. And still very few people use these capabilities.
The author of these lines already used domain isolation capabilities in his work in 2004, but back then I did not encounter organizations that wanted to improve their information security and simplify their response to various information security incidents, although I brought proposals and acquainted management with this technology. And that is a pity! One should not mark time; one should develop the infrastructure and make full use of the capabilities offered by the producer of these platforms, Microsoft, instead of looking for uncertified and doubtful solutions from foreign producers which, as a rule, are not free and demand additional financial outlays.
A small addition to this article. Domain isolation can be implemented using IPSec, without installing the additional components that Microsoft advises, and it will work without problems. It is a pity that there is no mention of this on Microsoft's technical support site; probably they did not think of such a possibility. Good luck!
https://nikitushkinandrey.wordpress.com/2012/07/17/isolation-of-domains-on-the-ms-windows-server-platforms-and-not-only/