In a network, administrators can logically isolate server and domain resources so that only authenticated and authorized computers can reach them. For example, you can create a logical network inside an existing physical network: the computers in it share a common IPsec configuration that lets them communicate securely with each other, and any computer outside that logical network must first authenticate to a member computer before a connection is established.
This isolation prevents unauthorized computers and programs from gaining improper access to resources. Connection attempts from computers that are not part of the isolated network are ignored (dropped before they reach the application).
There are two kinds of isolation you can use to protect your network:
Server isolation: In a server isolation scenario, a specific server is configured with an IPsec policy so that it accepts only authenticated communication from authorized computers. For example, a database server can be configured to accept connections only from the application servers that need it.
Domain isolation: In a domain isolation scenario, administrators use Active Directory domain membership to ensure that domain member computers accept authenticated communication only from other domain member computers. The isolated network consists only of computers that are members of the domain. Domain isolation uses IPsec policy to protect the traffic exchanged between domain members, servers and clients alike.
Server and domain isolation help protect specific high-value servers and data, and protect managed computers from rogue computers and from attacks by unauthorized users.
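The following PowerShell script is an added example, not code from the original page, showing how both scenarios above are expressed with the Windows Firewall with Advanced Security cmdlets: a server isolation rule for a database server, and a domain isolation rule deployed through a GPO. Everything concrete in it is an assumption used for illustration: the SQL port TCP 1433, the AD group "SQL App Servers", the domain contoso.com, a pre-existing linked GPO named "Domain Isolation", the placeholder domain controller addresses 10.0.0.10 and 10.0.0.11, and the presence of the RSAT ActiveDirectory module for Get-ADGroup.

```powershell
# Added example (not from the original page): server isolation and domain
# isolation with the Windows Firewall with Advanced Security cmdlets.
# Assumptions (placeholders): SQL Server listens on TCP 1433; the authorized
# application servers are members of the AD group "SQL App Servers"; the
# domain is contoso.com; the GPO "Domain Isolation" exists and is linked;
# the RSAT ActiveDirectory module is installed where Get-ADGroup runs.

# --- Authentication: prove domain membership with computer Kerberos -------
# Both scenarios use the same phase 1 (main mode) authentication proposal.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos

# --- Server isolation (run on the database server itself) -----------------
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos" -Proposal $proposal

# Require IPsec authentication on inbound traffic to the SQL port. Outbound is
# only requested, so the server can still reach hosts that cannot do IPsec.
New-NetIPsecRule -DisplayName "SQL: require inbound authentication" `
    -Protocol TCP -LocalPort 1433 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# Authorization: of the computers that authenticated, allow only members of
# the "SQL App Servers" group. -RemoteMachine takes an SDDL string naming the
# group SID; any other computer's traffic to 1433 is dropped by the firewall.
$groupSid = (Get-ADGroup -Identity "SQL App Servers").SID.Value
$sddl     = "O:LSD:(A;;CC;;;$groupSid)"
New-NetFirewallRule -DisplayName "SQL: allow authorized app servers" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow `
    -Authentication Required -RemoteMachine $sddl

# Check what the rule actually enforces (authentication mode and remote SDDL).
Get-NetFirewallRule -DisplayName "SQL: allow authorized app servers" |
    Get-NetFirewallSecurityFilter

# --- Domain isolation (written to a GPO that applies to every member) -----
$gpo = "contoso.com\Domain Isolation"
$gpoPhase1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos" `
    -Proposal $proposal -PolicyStore $gpo

# Require authentication for all inbound traffic on the domain profile and
# request it outbound, so members can still talk to non-domain systems.
New-NetIPsecRule -DisplayName "Domain isolation: all traffic" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $gpoPhase1.Name -Profile Domain -PolicyStore $gpo

# Exemption: members must reach the domain controllers (Kerberos, DNS) before
# they can authenticate at all, so that traffic is excluded from IPsec.
New-NetIPsecRule -DisplayName "Domain isolation: exempt domain controllers" `
    -RemoteAddress 10.0.0.10, 10.0.0.11 `
    -InboundSecurity None -OutboundSecurity None -PolicyStore $gpo
```

The two rules on the database server show the split the text describes: the connection security rule decides whether a peer is authenticated (any domain computer can pass), and the firewall rule decides whether it is authorized (only the listed group is allowed). For domain isolation, start with inbound set to Request rather than Require on a pilot set of computers and review the IPsec main mode security associations with Get-NetIPsecMainModeSA before switching to Require, since a computer that cannot authenticate, such as a non-domain management host, will be cut off silently once Require is in force.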