Problem solve Get help with specific problems with your technologies, process and projects.

Network isolation: When to pull the plug

When security comes up, there is always a discussion of isolating a sensitive server, but this is often impractical. Contributor Serdar Yegulalp discusses four ways to isolate sensitive servers and their data.

When people talk about computer security, there's almost always a discussion of isolating a computer. A machine that has sensitive data or that should only be accessed by certain people might be behind closed doors and without network access, just for the sake of safety. As someone else once put it, the only truly secure computer is one that's in a locked room and not connected to a network (and probably not plugged in or turned on, either).

Isolating a server isn't an all-or-nothing proposition, however. There are degrees of isolation that can be performed on a system, from simple firewalling to total physical isolation. If you're nervous about the possible effects of having a system exposed to the outside world (or even to parts of your own organization), a partial lockdown may be every bit as effective as a total lockdown depending on your needs.


Firewalls are the simplest and most basic way to give a computer a degree of isolation, mostly as protection against direct attacks on the server. All versions of Windows ship with Microsoft's own basic but reasonably useful firewall product, which can be used to lock in everything that doesn't need to be accessed. It works both by port and by application, so it has that much more flexibility for incoming as well as outgoing traffic. However, it doesn't do anything to protect the traffic itself -- if someone sends plaintext to the server and it responds as plaintext, anyone who can capture those packets will know what's going on.

Virtual network segmentation/subnetting

Network segmentation or subnetting is another way to isolate a given computer: Give the computer in question and any clients that need access to it their own network segment. This makes it a little more difficult to get access to the computer in question, but it's still not impossible since it may still be connected to the same physical network segment. Someone running Snort, for instance, on the same physical network may be able to sniff traffic.

It's also possible to isolate the computer and any needed clients on their own wires, but this is often not very practical unless you already have space set aside for it. In one of my previous jobs, before wireless networking was feasible, we created a separate physical network for testing by running CAT5 cables up into the ceiling spaces and back and forth between offices. It worked, but it was inconvenient at best -- and once someone else found out what was up, we had to dismantle the whole thing.


One very elegant way to secure Windows Server machines is by using IPSec, a strongly integrated network security mechanism that works at the packet level. Packets are encrypted and only exchanged between the server and trusted clients according to policies created on the server. IPSec's other big benefit, aside from encryption, is verification: Are the packets from the correct server?

Another particularly handy thing about IPSec is that it can use Windows' own built-in authentication scheme, Kerberos, so there's less fuss when you use it than you might think. Also, since it's integrated into Windows' own IP stack and not an adjunct to it (like a firewall), you can have a good deal of confidence in it. This allows you to exchange protected traffic with, for example, another domain controller in another subnet. For many people, IPSec may be one of the easiest ways to selectively isolate a server without actually removing it from the network entirely.

"Clean room" isolation

A "clean room" computer is a machine with no network connectivity at all -- it's an isolated PC, most likely hidden behind locked doors as well. The types of circumstances that require this degree of isolation are vanishingly few, but they do exist. For instance, a certification authority for internal use (such as code signing) could be hosted on such a system; certificate requests would have to be brought in and out by hand. Such a machine should have strict control over hardware and software -- it should not allow software to be installed, nor any new hardware devices, without administrative access. This will prevent someone from, for instance, installing a wireless USB networking device or plugging in a flash drive.

Even if you have no need in your organization for a totally isolated machine, you should at least set up policies and physical space so that you can physically isolate a machine if you have to. Having such methods and space available is always good if, for instance, you need to work with a PC that's been hit with a virus or some other calamity, or you need to check a PC for that occurrence.

For more information

Network Access Control Learning Guide:
Learn how unauthorized users gain network access, how to block and secure untrusted endpoints, and get Windows-specific and universal access control policies and procedures.

Web Server Isolation Domain:
As the means of compromising Web servers continue to multiply, deploying a secure Web server is becoming increasingly difficult. No longer is the threat of attack, intrusion or denial of service limited to highly-trained well-educated rogue programmers and crackers

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

Dig Deeper on Windows Server troubleshooting