I’ve had an idea for a while now to write a series of posts covering configuration of the Windows Firewall, including topics such as:
- Basic configuration of various types of endpoints
- How to utilize IPSec to control access using Kerberos identities instead of IP addresses
- Certificate-based authentication
- How to safely and securely make all of your infrastructure internet-facing and accessible. Yes, everything. Even Domain Controllers.
I’ll be going over a number of topics; this page will serve as the index for all of them.
- Part 1: The Basics & Securing Clients
- Part 2: Securing Servers & Domain Controllers
- Part 3: Domain IPSec Configuration
- Part 4: Identity-based access control via Kerberos
- Part 5: Bootstrapping Kerberos via Certificate Authentication
- Part 6: Azure AD Joined Clients
- Part 7: Final Thoughts
A number of assumptions are made about existing infrastructure. Below, I’ve listed these and the parts they are relevant to.
- Active Directory Domain Services infrastructure (all parts)
- Various domain-joined servers and clients (all parts)
- Publicly-resolvable domain DNS (parts 5 and 6)
- Domain Controllers with publicly-accessible IP addresses (parts 5 and 6)
- Active Directory Certificate Services infrastructure (parts 5 and 6)
- Azure AD Connect (part 6)
- Intune-managed Azure AD joined clients (part 6)
- Intune Certificate Connector (part 6)
In this series, I make reference to my lab configuration many times. Please see https://ajf8729.com/lab-configuration/ for more information.