Server isolation
To isolate a specific server or servers, sensitive data, and associated clients, you use an Active Directory domain and domain membership to enforce the following network policy: specific server computers that are domain members accept authenticated and secured communications only from other domain member computers. This network policy isolates specific servers from non-domain-member computers. For example, to protect database traffic, you would configure and deploy server isolation Group Policy settings to require secured traffic between domain member client computers and their database servers. With server isolation, the isolated network consists of the server computers and domain member client computers, both of which belong to an Active Directory domain.
You can also create the following group-specific server isolation network policy: specific server computers that are domain members accept authenticated and secured communications only from other domain member computers that are members of specific Active Directory security groups. Group-specific server isolation provides an additional layer of authorization and isolates specific servers from both non-domain-member computers and unauthorized domain member computers. Only an authorized domain member computer that has a business need can access the isolated server. With group-specific server isolation, the isolated network consists of the server computers and the group of authorized domain member client computers.
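The following is an added example, not part of the original page or of Microsoft's documentation, showing both policies above for a database server: an IPsec rule that requires authenticated traffic from domain members on the database port (server isolation), plus a firewall rule that further restricts that port to computers in one Active Directory security group (group-specific server isolation). It uses the NetSecurity and ActiveDirectory PowerShell modules; the domain name, GPO name, group name and port are assumed placeholders.

```powershell
# Group-specific server isolation for a database server, written into a domain GPO.
# Assumed placeholders: domain, GPO name, security group and port.
Import-Module NetSecurity
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'        # placeholder AD domain
$GpoName   = 'Server Isolation - DB'   # placeholder GPO linked to the database server OU
$ClientGrp = 'DB_Authorized_Clients'   # placeholder AD security group of client computers
$DbPort    = 1433                      # placeholder database listener port

# Resolve the group SID and build the SDDL string that New-NetFirewallRule expects:
# "D:(A;;CC;;;<SID>)" grants the connect (CC) right only to members of that group.
$GroupSid           = (Get-ADGroup -Identity $ClientGrp).SID.Value
$AuthorizedMachines = "D:(A;;CC;;;$GroupSid)"

# Open the GPO once and batch all rule changes into that session.
$Gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Phase 1 authentication: computer account via Kerberos only, so the server learns
# the peer's machine SID and non-domain computers cannot authenticate at all.
$MachineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$Phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' `
    -Proposal $MachineKerb -GPOSession $Gpo

# Server isolation: inbound traffic to the database port must be IPsec-secured.
# Outbound is only requested so the server can still reach unmanaged hosts.
New-NetIPsecRule -DisplayName 'Require IPsec to DB port' `
    -Protocol TCP -LocalPort $DbPort `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $Phase1.Name -GPOSession $Gpo

# Group-specific isolation: of the computers that did authenticate, allow only
# members of the authorized group. Any other allow rule for this port in the
# policy would bypass this check, so keep it the only allow rule for the port.
New-NetFirewallRule -DisplayName 'Allow DB port from authorized clients' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $DbPort `
    -Authentication Required -RemoteMachine $AuthorizedMachines -GPOSession $Gpo

# Commit the batched changes to the GPO.
Save-NetGPO -GPOSession $Gpo
```

After the GPO applies, `Get-NetIPsecMainModeSA` on the server shows the authenticated peers, and connection attempts from computers outside the group are dropped rather than reaching the database listener.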