Firewalls are the simplest and most basic way to give a computer a degree of isolation, mostly as protection against direct attacks on the server. All versions of Windows ship with Microsoft's own basic but reasonably useful firewall product, which can be used to lock in everything that doesn't need to be accessed. It works both by port and by application, so it has that much more flexibility for incoming as well as outgoing traffic. However, it doesn't do anything to protect the traffic itself -- if someone sends plaintext to the server and it responds as plaintext, anyone who can capture those packets will know what's going on.
Virtual network segmentation/subnetting
Network segmentation or subnetting is another way to isolate a given computer: Give the computer in question and any clients that need access to it their own network segment. This makes it a little more difficult to get access to the computer in question, but it's still not impossible since it may still be connected to the same physical network segment. Someone running Snort, for instance, on the same physical network may be able to sniff traffic.
It's also possible to isolate the computer and any needed clients on their own wires, but this is often not very practical unless you already have space set aside for it. In one of my previous jobs, before wireless networking was feasible, we created a separate physical network for testing by running CAT5 cables up into the ceiling spaces and back and forth between offices. It worked, but it was inconvenient at best -- and once someone else found out what was up, we had to dismantle the whole thing.
One very elegant way to secure Windows Server machines is by using IPSec, a strongly integrated network security mechanism that works at the packet level. Packets are encrypted and only exchanged between the server and trusted clients according to policies created on the server. IPSec's other big benefit, aside from encryption, is verification: Are the packets from the correct server?
Another particularly handy thing about IPSec is that it can use Windows' own built-in authentication scheme, Kerberos, so there's less fuss when you use it than you might think. Also, since it's integrated into Windows' own IP stack and not an adjunct to it (like a firewall), you can have a good deal of confidence in it. This allows you to exchange protected traffic with, for example, another domain controller in another subnet. For many people, IPSec may be one of the easiest ways to selectively isolate a server without actually removing it from the network entirely.
"Clean room" isolation
A "clean room" computer is a machine with no network connectivity at all -- it's an isolated PC, most likely hidden behind locked doors as well. The types of circumstances that require this degree of isolation are vanishingly few, but they do exist. For instance, a certification authority for internal use (such as code signing) could be hosted on such a system; certificate requests would have to be brought in and out by hand. Such a machine should have strict control over hardware and software -- it should not allow software to be installed, nor any new hardware devices, without administrative access. This will prevent someone from, for instance, installing a wireless USB networking device or plugging in a flash drive.
Even if you have no need in your organization for a totally isolated machine, you should at least set up policies and physical space so that you can physically isolate a machine if you have to. Having such methods and space available is always good if, for instance, you need to work with a PC that's been hit with a virus or some other calamity, or you need to check a PC for that occurrence.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in July 2006