Windows Server Domain Isolation

Network segregation configured with a simple policy: set up servers and computers to only accept connections from authenticated members of an isolated domain.

A typical deployment adds a set of IPsec rules to the basic firewall design policy so that connections are only allowed from other members of a specified isolation domain. Once the rule is deployed, any network traffic originating from outside of the isolation domain is dropped.

Doing so provides a logical perimeter between servers and computers on the network, even spanning multiple domains in a forest, or forests joined by a two-way forest trust. Certain services such as DHCP, old school WINS and PROXY servers can be placed in a trusted zone by an exception rule.

Other types of zones consist of:

- Isolated Domain: Computers that rely on authentication rules for network traffic.
- Boundary Zone: Computers within the isolated domain that also accept traffic from untrusted devices; a great use case would be a DMZ or PROXY server.
- Untrusted: Computers that are not managed by the organization and whose security posture is unknown.
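One way to express the isolation rule and the DHCP exception described above with the Windows Firewall and IPsec cmdlets. This is an added example, not from the original post; the rule and authentication set names and the legacy host address are assumptions, and the shape of the last exemption rule should be checked against your Windows version.

```powershell
# Added example: domain isolation with Windows Firewall / IPsec cmdlets.
# Run elevated on a domain-joined machine; display names and addresses below are assumed.

# 1. Authenticate peers as domain computer accounts (Kerberos machine authentication).
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName "Isolation-Phase1-Kerberos" -Proposal $proposal

# 2. Connection security rule: require IPsec authentication for inbound traffic,
#    request it for outbound so this host can still reach non-members.
#    During rollout, start with -InboundSecurity Request and watch for failures
#    before switching to Require, otherwise non-members are cut off at once.
New-NetIPsecRule -DisplayName "Domain Isolation" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Domain -Enabled True

# 3. Firewall rule: allow inbound connections only when they were IPsec-authenticated
#    ("allow the connection if it is secure" in the GUI).
New-NetFirewallRule -DisplayName "Allow authenticated domain members" `
    -Direction Inbound -Action Allow -Authentication Required -Profile Domain

# 4. Exception: DHCP has to work before the machine holds a Kerberos ticket.
Set-NetFirewallSetting -Exemptions Dhcp

# 5. Exception for one trusted legacy host (e.g. WINS or proxy) that cannot do IPsec.
#    Assumed form of an authentication-exemption rule; 10.0.0.50 is a placeholder address.
New-NetIPsecRule -DisplayName "Exempt legacy WINS" -RemoteAddress 10.0.0.50 `
    -InboundSecurity None -OutboundSecurity None -Profile Domain

# 6. Verify: after a member connects, a main mode SA should exist for that peer.
Get-NetIPsecMainModeSA | Format-List
```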

Azure Chaos Studio

Cause chaos with a click of a button…

Chaos Studio allows administrators to experiment with their applications to improve resilience by testing for real world outages.

A fully managed platform to design and deploy a variety of tests to find overlooked design faults at any stage of development, allowing for an application to be built with redundancy in mind. Common faults such as connection issues to storage accounts, network latency, expired secrets/keys, and a full datacenter/zone outage, are deployed to visualise disruptions before they occur in production.

Insights are gathered in real time so you can instantly see how the application is responding to the fault. Microsoft has an ever-expanding library of faults that may cause application downtime.

Microsoft engineers are using this internally to validate and test their cloud resilience.

Zero Trust DNS (ZTDNS)

An exciting innovation for DNS has recently been announced by Microsoft known as ZTDNS.

ZTDNS enables the server administrator to use domain names as identifiers for network traffic. By integrating the Windows DNS client with the Windows Filtering Platform, we can deploy a “protective” DNS server that resolves only specific domain names, with the policy optionally carrying a list of allowed subnets for destinations that have no FQDN.

To further restrict and protect the network, all outbound traffic is blocked apart from connections to this “protective” DNS server; once a response is received, an outbound exception for the specific resolved IP address is allowed.

The minimum requirement is either DNS over HTTPS (DoH) or DNS over TLS (DoT), as ZTDNS will prevent the use of plain-text DNS by Windows server.

A few considerations are needed when deploying this, such as File and Print services, VoIP and other media streams, because the resolution of such services takes place over traditional mDNS or STUN/TURN rather than through the protective DNS server.