Role-based Administration in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 allows you to apply administrative roles to users and groups. After you determine which groups are allowed to configure or view ISA Server policy and monitoring information, you can assign roles appropriately.

Scenario: Role-Based Administration

You can use role-based administration to organize ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you allow that user permissions to perform specific tasks. Role-based administration involves Microsoft Windows Server® 2003 or Windows® 2000 Server users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.

Because ISA Server controls access to your network, you should take special care in assigning permissions to the ISA Server computer and related components. Carefully determine who should have permission to log on to the ISA Server computer. Then, configure the logon rights accordingly.

Role-Based Administration Features

Similar to any application in your environment, when you define the permissions for ISA Server, you should consider the roles of the ISA Server administrators and assign them only necessary permissions. To simplify the process, ISA Server uses administrative roles. When you assign a role to a user, you essentially allow that user permissions to perform specific tasks. A user that has one role, such as ISA Server Full Administrator, can perform specific ISA Server tasks that a user with another role, such as ISA Server Basic Monitoring, cannot perform. Role-based administration involves Windows users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.

Members of these ISA Server administrative groups can be any Windows user. No special privileges or Windows permissions are required.

Note

The only exception is that to view the ISA Server performance counters, using Perfmon or the ISA Server Dashboard, the user must be a member of the Windows Server 2003 Performance Monitor Users group.

Users with administrator permissions on the ISA Server Enterprise Edition computer automatically have ISA Server enterprise-level permissions. Note that users who belong to the Administrators group on the Configuration Storage server can control the enterprise configuration, because they can directly modify any data on the Configuration Storage server.

Administrative Roles (Standard Edition)

The following table describes the ISA Server Standard Edition roles.

Standard Edition role          | Description
ISA Server Monitoring Auditor  | Users and groups assigned this role can monitor basic ISA Server computer and network activity, but cannot view the ISA Server configuration.
ISA Server Auditor             | Users and groups assigned this role can perform all monitoring tasks, including log configuration and alert definition configuration, and can view the ISA Server configuration.
ISA Server Full Administrator  | Users and groups assigned this role can perform any ISA Server task, including rule configuration, applying of network templates, and monitoring.

Note

Administrators with ISA Server Auditor permissions can export, import, and decrypt information such as passwords stored in the configuration.

Roles and Activities

Each ISA Server role has a specific list of ISA Server tasks associated with it. The following table lists some ISA Server administrative tasks along with the roles in which they are performed.

Activity                                                 | ISA Server Monitoring Auditor | ISA Server Auditor | ISA Server Full Administrator
View Dashboard, alerts, connectivity, sessions, services | Allowed                       | Allowed            | Allowed
Acknowledge alerts                                       | Allowed                       | Allowed            | Allowed
View log information                                     | Not allowed                   | Allowed            | Allowed
Create alert definitions                                 | Not allowed                   | Not allowed        | Allowed
Create reports                                           | Not allowed                   | Allowed            | Allowed
Stop and start sessions and services                     | Not allowed                   | Allowed            | Allowed
View firewall policy                                     | Not allowed                   | Allowed            | Allowed
Configure firewall policy                                | Not allowed                   | Not allowed        | Allowed
Configure cache                                          | Not allowed                   | Not allowed        | Allowed
Configure a virtual private network (VPN)                | Not allowed                   | Not allowed        | Allowed

Administrators who have ISA Server Auditor role permissions can configure all report properties with the following exceptions:

  • Cannot configure a different user account when publishing reports.
  • Cannot customize report contents.
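As an added example (not from the ISA Server documentation), the Standard Edition activity table above encoded so that the least privileged role covering a requested set of activities can be selected; the function name and data layout are this example's own, and the requests at the bottom are constructed.

```powershell
# Added example, not from the ISA Server documentation: the Standard Edition
# activity table encoded so that the least privileged role covering a set of
# requested activities can be chosen. Role and activity names are the page's;
# the data layout and the function are this example's own.
$IsaStandardRoles = [ordered]@{
    # Ordered from least to most privileged, so the first match is the answer.
    'ISA Server Monitoring Auditor' = @(
        'View Dashboard, alerts, connectivity, sessions, services',
        'Acknowledge alerts')
    'ISA Server Auditor' = @(
        'View Dashboard, alerts, connectivity, sessions, services',
        'Acknowledge alerts',
        'View log information',
        'Create reports',
        'Stop and start sessions and services',
        'View firewall policy')
    'ISA Server Full Administrator' = @(
        'View Dashboard, alerts, connectivity, sessions, services',
        'Acknowledge alerts',
        'View log information',
        'Create alert definitions',
        'Create reports',
        'Stop and start sessions and services',
        'View firewall policy',
        'Configure firewall policy',
        'Configure cache',
        'Configure a virtual private network (VPN)')
}

function Get-LeastPrivilegedIsaRole {
    param([Parameter(Mandatory = $true)][string[]]$RequiredActivities)

    foreach ($role in $IsaStandardRoles.Keys) {
        $allowed = $IsaStandardRoles[$role]
        $missing = $RequiredActivities | Where-Object { $allowed -notcontains $_ }
        if (-not $missing) { return $role }
    }
    # Nothing in the table covers the request. Check the activity names before
    # reaching for Full Administrator, which the page says can perform any task.
    return $null
}

# Constructed requests, one per line:
Get-LeastPrivilegedIsaRole -RequiredActivities 'View log information', 'Create reports'
Get-LeastPrivilegedIsaRole -RequiredActivities 'Acknowledge alerts'
Get-LeastPrivilegedIsaRole -RequiredActivities 'View firewall policy', 'Configure cache'
```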

Array-Level Administrative Roles (Enterprise Edition)

You can organize array-level administrators into separate, predefined roles, each with its own set of tasks. The following table describes the ISA Server Enterprise Edition array-level roles.

Role                                | Description
ISA Server Array Monitoring Auditor | Users and groups assigned this role can monitor basic ISA Server computer and network activity, but cannot view the ISA Server configuration.
ISA Server Array Auditor            | Users and groups assigned this role can perform all monitoring tasks, including log configuration and alert definition configuration, and can view the ISA Server configuration.
ISA Server Array Administrator      | Users and groups assigned this role can perform any ISA Server task on the specific array, including rule configuration, applying of network templates, and monitoring.

Note

Administrators with ISA Server Array Auditor permissions can configure all report properties with the following exceptions:

  • Cannot configure a different user account when publishing reports.
  • Cannot customize report contents.

A user assigned the ISA Server Array Administrator role can run highly privileged processes on the ISA Server computer.

Roles and Activities

Each ISA Server role has a specific list of ISA Server tasks associated with it. The following table lists some ISA Server administrative tasks along with the roles in which they are performed.

Activity                                                 | ISA Server Array Monitoring Auditor | ISA Server Array Auditor | ISA Server Array Administrator
View Dashboard, alerts, connectivity, sessions, services | Allowed                             | Allowed                  | Allowed
Acknowledge and reset alerts                             | Allowed                             | Allowed                  | Allowed
View log information                                     | Not allowed                         | Allowed                  | Allowed
Create alert definitions                                 | Not allowed                         | Not allowed              | Allowed
Create reports                                           | Not allowed                         | Allowed                  | Allowed
Stop and start sessions and services                     | Not allowed                         | Allowed                  | Allowed
View firewall policy                                     | Not allowed                         | Allowed                  | Allowed
Configure firewall policy                                | Not allowed                         | Not allowed              | Allowed
Configure cache                                          | Not allowed                         | Not allowed              | Allowed
Configure a virtual private network (VPN)                | Not allowed                         | Not allowed              | Allowed
Drain and stop network load balanced (NLB) firewall      | Not allowed                         | Allowed                  | Allowed
  or Web Proxy load balanced server                      |                                     |                          |
View local configuration (in registry of array member)   | Not allowed                         | Allowed                  | Allowed
Change local configuration (in registry of array member) | Not allowed                         | Not allowed              | Not allowed

Enterprise-Level Administrative Roles (Enterprise Edition)

You can use role-based administration to organize ISA Server 2006 enterprise administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you allow that user permissions to perform specific tasks. Role-based administration involves Windows users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.

ISA Server distinguishes between enterprise-level roles and array-level roles. The following table describes the ISA Server roles for enterprise administration.

Role                                | Description
ISA Server Enterprise Auditor       | Users and groups assigned this role can view the enterprise configuration and all array configurations. They can also view the local configuration (in the registry of an array member).
ISA Server Enterprise Administrator | Users and groups assigned this role have full control over the enterprise and all array configurations. The Enterprise Administrator can also assign roles to other users and groups. They can also view and change the local configuration (in the registry of an array member).

Note

A user assigned the ISA Server Enterprise Administrator role can run highly privileged processes on the ISA Server computers in the enterprise.

ISA Server also provides a policy administrator role. A user with this role can view and change specific policies.

Roles and Activities

Each ISA Server role has a specific list of ISA Server tasks associated with it. The following table lists some ISA Server administrative tasks along with the roles in which they are performed.

Activity                                                 | ISA Server Enterprise Administrator | ISA Server Enterprise Auditor
View enterprise policies                                 | Allowed                             | Allowed
Create enterprise policies                               | Allowed                             | Not allowed
Apply enterprise policies to an array                    | Allowed                             | Not allowed
View array-level firewall policy                         | Allowed                             | Allowed
View array configuration                                 | Allowed                             | Allowed
Modify array configuration                               | Allowed                             | Not allowed
Create an array                                          | Allowed                             | Not allowed
View local configuration (in registry of array member)   | Allowed                             | Allowed
Change local configuration (in registry of array member) | Allowed                             | Not allowed

Roles for Domain and Workgroup (Enterprise Edition)

Depending on the specific topology of your network, different permissions should be configured for the roles accessing the Configuration Storage server.

Computer Running ISA Server Services Belongs to a Workgroup

If the computer running the ISA Server services belongs to a workgroup, but the Configuration Storage server belongs to a domain, user accounts configured on the domain should be used to access the Configuration Storage server.

Create mirrored accounts on each array member, for intra-array communication and administration. The accounts should be created with the same settings as the user account specified on the initial array member.

For example, suppose that the Configuration Storage server belongs to the Microsoft.com domain. Two computers running ISA Server services each belong to a workgroup. The enterprise administrator, with user name Adina, will administer this enterprise. Adina must belong to the Enterprise Administrators group. For this example, the following actions are required:

  • Create mirrored accounts for Adina on both computers running ISA Server services. (The accounts must have identical credentials.)
  • Add Adina's domain user name to the users allowed to access the Configuration Storage server.
  • Add the user name (specified in the mirrored account) to the list of mirrored accounts used for monitoring this array.

When the enterprise administrator connects to the enterprise, the administrator performs the following actions:

  1. Specifies the credentials of the user who is logged on when specifying how to connect to the Configuration Storage server.
  2. Specifies different credentials when specifying how to connect to each array member.
  3. Specifies Adina as the user name for the array member credentials.

Computer Running ISA Server Services Belongs to a Domain

If the computer running the ISA Server services belongs to a domain, but the Configuration Storage server belongs to a workgroup, create an administrative account on the Configuration Storage server.

Note that in this scenario, only one Configuration Storage server can be used for the enterprise. Create domain accounts for intra-array communication and administration.

Computer Running ISA Server Services and Configuration Storage Server Belong to a Workgroup

If both the computer running the ISA Server services and the Configuration Storage server belong to the same workgroup, create a single administrative account.

Note that in this scenario, only one Configuration Storage server can be used for the enterprise. You do not have to create domain accounts for intra-array communication and administration.

Create mirrored accounts on each array member for intra-array communication and administration. You may want to create mirrored accounts for each administrator. Alternatively, create mirrored accounts for each role.

Credentials

When requested to present credentials, use strong passwords. A password is considered strong if it provides an effective defense against unauthorized access. A strong password does not contain all or part of the user account name, and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, or #).
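The strong-password rule above as a reusable check, written as an added Windows PowerShell example that is not part of ISA Server or this documentation. It assumes Windows PowerShell 3.0 or later, reads "part of the user account name" as any run of three or more consecutive characters (following the Windows password complexity convention), and the sample passwords at the bottom are constructed inputs.

```powershell
# Added example: checks a candidate password against the strong-password rule
# stated in the Credentials section. Assumption: "part of the account name"
# means any run of three or more consecutive characters, compared without
# regard to case, as in the Windows password complexity convention.
function Test-IsaStrongPassword {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$AccountName
    )
    $reasons = @()

    # Rule 1: the password must not contain all or part of the account name.
    $name = $AccountName.ToLowerInvariant()
    $pw   = $Password.ToLowerInvariant()
    if ($name.Length -ge 3) {
        for ($i = 0; $i -le $name.Length - 3; $i++) {
            $fragment = $name.Substring($i, 3)
            if ($pw.Contains($fragment)) {
                $reasons += "contains part of the account name ('$fragment')"
                break
            }
        }
    } elseif ($name.Length -gt 0 -and $pw.Contains($name)) {
        $reasons += 'contains the account name'
    }

    # Rule 2: at least three of the four character categories must be present.
    $categories = 0
    if ($Password -cmatch '[A-Z]') { $categories++ }              # uppercase
    if ($Password -cmatch '[a-z]') { $categories++ }              # lowercase
    if ($Password -cmatch '[0-9]') { $categories++ }              # base 10 digits
    if ($Password -cmatch '[!-/:-@\[-`{-~]') { $categories++ }    # keyboard symbols (printable ASCII punctuation)
    if ($categories -lt 3) {
        $reasons += "uses only $categories of the 4 character categories"
    }

    [pscustomobject]@{
        Strong  = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Constructed sample checks for the account name used in the example above:
Test-IsaStrongPassword -Password 'Adina2006!'  -AccountName 'Adina'
Test-IsaStrongPassword -Password 'summerdays'  -AccountName 'Adina'
Test-IsaStrongPassword -Password 'Tr0ub4dor&3' -AccountName 'Adina'
```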

Best Practices

Consider the following best practices.

Permissions

Apply the principle of least privilege when configuring permissions for ISA Server administrators, as described in the following section. Carefully determine who is allowed to log on to the ISA Server computer, eliminating access to those who are not critical to the server functions.

Least Privileges

Apply the principle of least privilege, where a user has the minimum privileges necessary to perform a specific task. This helps ensure that if a user account is compromised, the impact is minimized by the limited privileges held by that user.

Keep the Administrators group and other user groups as small as possible. A user who belongs to the Administrators group on the ISA Server computer, for example, can perform any task on the ISA Server computer.

In Standard Edition, users in the Administrators group are implicitly assigned the role of ISA Server Full Administrator. They have full rights to configure and monitor ISA Server.

In Enterprise Edition, users who belong to the Administrators group on the Configuration Storage server can control the enterprise configuration. They can directly modify any data on the Configuration Storage server.

Logging On and Configuring

When you log on to the ISA Server computer, log on with the least privileged account necessary to do the task. For example, to configure a rule, you should log on as an ISA Server administrator. However, if you only want to view a report, log on with lesser privileges.

In general, use an account with restrictive permissions to perform routine tasks that are unrelated to administration, and use an account with broader permissions only when performing specific administrative tasks.

Guest Accounts

We recommend that you do not enable the Guest account on the ISA Server computer.

When a user logs on to the ISA Server computer, the operating system checks whether the credentials match a known user. If the credentials do not match a known user, the user is logged on as Guest, with the same privileges allowed to the Guest account.

ISA Server recognizes the Guest account as the default All Authenticated Users user set.

Discretionary Access Control Lists

With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs when you modify administrative roles and when the Microsoft ISA Server Control service (isactrl) is restarted. For more information, see the section Role-Based Administration Features earlier in this document.

Warning

Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.

Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for these objects carefully, giving permissions only to trusted, specific users:

  • Folder for reports (when you select to publish the reports).
  • Configuration files created when exporting or backing up the configuration.
  • Log files that are backed up to a different location.

Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure.

Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.

If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent.
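One way to apply the advice above to the folders ISA Server leaves unprotected (published reports, exported configuration files, backed-up logs), as an added Windows PowerShell example that is not ISA Server's own tooling. It assumes Windows PowerShell is available on the ISA Server computer; the folder paths and the group name CONTOSO\ISA Auditors are placeholders.

```powershell
# Added example (not ISA Server tooling): replace an unprotected folder's DACL
# with one that grants access only to SYSTEM, local Administrators and a single
# trusted group, and audit a folder for broad grants. Paths and group names
# below are placeholders.
function Set-StrictFolderDacl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$TrustedGroup
    )
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent and discard the inherited entries, so a
    # grant made higher in the tree (for example to Users) no longer applies.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit entry that is already present on the folder.
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # SYSTEM and local Administrators keep full control; the trusted group gets
    # read-only access; Everyone, Users and Authenticated Users get nothing.
    $entries = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $TrustedGroup;            Rights = 'ReadAndExecute' }
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Id, $e.Rights, $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit helper: list Allow entries on a folder that go to a broad well-known
# principal, which is what the guidance above tells you to avoid.
function Get-BroadDaclEntries {
    param([Parameter(Mandatory = $true)][string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }
}

# Placeholder folders; substitute the report, export and log backup locations you use.
Set-StrictFolderDacl -Path 'D:\IsaReports' -TrustedGroup 'CONTOSO\ISA Auditors'
Get-BroadDaclEntries -Path 'D:\IsaExports'
```

Run Get-BroadDaclEntries against each listed location after every export or backup; an empty result means no broad principal has been granted access.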

Tip

We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions.

Revoking User Permissions

When you revoke administrative permissions for an ISA Server administrator, we recommend that you delete the user account from Active Directory® directory service, to ensure that the user no longer has access.

Removing Administrator Permissions

To remove administrator permissions, remove the user from the specific administrator group.

To remove ISA Server administrators who are logged on from a security group and add them to a new group, perform the following steps:

  1. Add the administrator account to the new group.

  2. Log off and then log on with the administrator account, so that the new settings take effect.

  3. Remove the administrator account from the original group.