[00:00:01 --> 00:01:20]
Now let me address a very important point, indeed. If you've spent quite a bit of time outfitting one of your Windows Server hosts with custom policy here in Windows Defender Firewall with Advanced Security, you certainly aren't going to want to manually recreate those rules, especially if you might have dozens of servers to work with. Now one solution, of course, is to use central policy with Group Policy, but another one is you can actually right‑click the root node here, and notice that you can do Import/Export. Isn't that convenient? And so we can export this (I'm on dc1) as a WFW policy file, and then on another server we can import that policy, and that provides you one way to share policy in Windows Defender Firewall with Advanced Security on multiple hosts. All right, so let's finish this by coming into Group Policy Management, and let's operate on the Default Domain Policy, and let's say that we have a use case where our security is such that all communication that takes place between two of our servers, MEM1 and DC1, should be encrypted and provide mutual authentication. So there's a good real‑world example of using IPsec isolation rules.
[00:01:20 --> 00:02:42]
And we can deploy this policy. We probably want to be more intentional than linking it to the domain, but I'm going to do this demo nonetheless; I'm going to forge ahead at the Default Domain Policy. All right, so what we want to do here is come down under Policy, Windows Settings, Security Settings, Windows Defender Firewall with Advanced Security, and notice here that we can come in and we can right‑click and we can create Inbound, Outbound, and Connection Security Rules specific to this Group Policy, right? Right‑click Security Rules and click New Rule. Now the type of IPsec connection security you can do, there is the list right here; of course you've got Custom. Tunnel would be something akin to a VPN, and technically, Tunnel would work fine in this case where DC1 is one end of the tunnel and MEM2 is the other, but instead, I want to authenticate between two servers. Now, there are some other variants that we might want to look at. The Isolation policy restricts connections based on authentication criteria. That would allow you to create a rule, for instance, that would involve encryption and authentication depending upon who is making the connection from machine to machine.
[00:02:42 --> 00:04:15]
But I'm just going to choose Server‑to‑server in this. So regardless of the calling user who's making use of that server‑to‑server network connection, I want to make sure that the connection is authenticated and potentially even encrypted, and we can leverage IPsec for this. In this case, the computers that are Endpoint 1 are going to be specific IPs. Now of course, this means I need to do a little bit of homework here, so let me invoke a PowerShell session, and let me just try an IPv4 ping on dc1.timw.info, and let me do the same thing on mem1 so I can get its IP address. So it looks like 10.1.10, and then we've got 163 and 165: 10.1.10.163. Now notice we can do a predefined computer set, but that's not granular enough; I want to specifically pick out IP addresses here. Now that's 163, that's node 1, and then Endpoint 2 is going to be 10.1.10.165. So that's defining our two endpoints in the Server‑to‑server rule. And here we first are asked, are we requesting authentication or are we requiring it? And even at that, are we requiring authentication only for inbound, or are we requiring authentication mutually for inbound and outbound? That's the most secure option. Let's click Next.
[00:04:15 --> 00:05:33]
Now the ways that the servers can authenticate to each other: the preferred way, if you have a public key infrastructure, would be to use computer certificates that are installed on each server, but we can also go to Advanced and there are some more relaxed options here. Notice you can choose a fallback; you can choose a First and Second authentication type. Let's click Add. The least-overhead option is Kerberos V5. You also can do NTLM, which I wouldn't recommend, it's an old protocol, or we've got certificates, or we've got preshared key. Kerberos I think is going to be fine in this case, and I won't do a second-level authentication; I'll just do the first one. Click Next. We're asked, what rules does this apply to? I'm going to say that this applies only to the Domain profile. Let me go back to make sure I didn't miss something here. Okay. And I'm going to call this dc1‑mem1‑auth. Well, let's click Finish. All right, now we could create an analogous rule. We can create an inbound rule to each machine that enforces IPsec encryption as well. That would be something else we could try.
[00:05:33 --> 00:07:03]
Now let me right‑click Inbound Rule, and we'll go Custom here for all programs, all protocols and ports, and the IP addresses are going to be the same as before: 10.1.10.163 is one endpoint, the other endpoint is 10.1.10.165. We're going to allow the connection only if it's secure. We're already doing authentication, so I'm going to say Require the connection to be encrypted, all right? Next, this is where we can layer in, since we went down the Custom route, where we can only allow connections from particular Active Directory users and groups as well. I won't do that. Only allow connections from these computers, and then we have Exceptions. I'm already specifying those machines, but I might as well just add them in here to be safe, DC1 and then MEM1. Sometimes I'm a little superstitious. And we want this rule to apply at the Domain scope, and I will call this dc1‑mem1‑encryption, and click Finish. And so now we have a custom Inbound Rule, as well as a Connection Security Rule set defined in Group Policy. You're wondering how you can track this. I mean, we'll need to propagate Group Policy for this to go into effect.
[00:07:03 --> 00:07:38]
We can always open up that Advanced Security console on each server, or we could open up an MMC console and just make a remote connection. But you can come under Monitoring to take a look at your Connection Security Rules that are active, and then specifically the mechanics, the key and integrity status, all of that kind of stuff of the Security Association that that server is involved with, is surfaced here as well.