Network access control will not work for every organization and it is not compatible with some existing security controls such as access control lists, firewall rules, or Active Directory.
In this section, we’ll walk through each of the topics in more detail.
The Access Control Services (ACS) suite of security controls for Windows Server 2008 R2 provides a broad range of functionality. This is your first stop when you are creating Windows Server 2008 R2 Domain Controllers, Kerberos DSS, DNS, SYSVOL, SRV, and RDP to protect Windows Server 2008 R2 hosts.
This section describes the basic concepts, steps, and parameters for the management of Windows Server 2008 R2 domain controllers.
Configure Access Control Lists (ACLs)
Access Control Lists (ACLs) are a mechanism used to configure security on hosts and domain controllers. A good first step in configuring ACLs is to configure the corresponding System Management Server (SMS) role. You can use the SMS console to configure ACLs on a Windows Server 2008 R2 domain controller, or you can use the SMS on a Windows Server 2008 R2 workstation.
Configure Domain and Network Security Policy (DNSPolicy)
The next major step is to configure the Domain Security Policy and the Network Security Policy. They both reside in the Group Policy Object Editor (GPO) (see Figure 1).
Figure 1. Group Policy Object Editor for Domain Security Policy
The Domain Security Policy controls how the global Administrators group, Domain Admins, and Domain Users access the security devices that support the GPOs.
The Network Security Policy controls the security policies and the rules that apply to the port range of a TCP port or a Windows Firewall rule. Network Security Policies also contain policy settings for other services such as Microsoft Exchange ActiveSync or a Mailbox Servers mailbox filter. You can configure Group Policy settings for these items as well. We also suggest using a BYOD system.
Network Security Policy settings are used in conjunction with other security configurations. For example, there are other GPOs that control the default ports on TCP, the Kerberos key pair, and Windows Internet Authentication.
You can also apply the Group Policy settings to Group Policy objects (GPOs) in the domain in which the domain controllers are located. For example, if you have a Group Policy that restricts network access to Internet Explorer 9, you would apply this policy to the GPO for Internet Explorer 10. If you require more fine-grained controls for Internet Explorer, you could create a GPO that restricts access to Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
When you select the Security tab of the GPO in the Group Policy Object Editor (GPO), the Security tab appears with a list of global security settings. If you have additional security settings that you want to apply for the domain, you can perform an organizational seal or authentication policy change or you can apply policies that require a minimum and maximum set of credentials. Consult providers like www.eatelbusiness.com/business-phone on how they can help you secure your network.
For security policy controls that apply to an organization-wide network policy, you can change the policy settings at the source GPO and then add and apply them to domain controllers that are running Windows Server 2008 R2. You can change the policy settings for all users by selecting Apply to all users at the top of the group policy object.