ISA Server 2004 System Policy
Microsoft Internet Security and Acceleration (ISA) Server 2004 includes a default system policy configuration, which allows use of services commonly required for the network infrastructure to function properly.
In general, from a security perspective, we strongly recommend that you configure the system policy so that access to services that are not required to manage your network is not allowed. After installation, carefully review the system policy rules configured. Similarly, after you perform major administration tasks, review the system policy configuration again.
This document describes services that are enabled by system policy rules.
Network Services
Authentication Services
Remote Management
Firewall Client Share
Diagnostic Services
Connectivity Verifiers
SMTP
Scheduled Download Jobs
Accessing the Microsoft Web Site
Additional Resources
Network Services
When you install ISA Server, basic network services are enabled. After installation, ISA Server can access name resolution servers and time synchronization services on the Internal network.
If the network services are available on a different network, you should modify the applicable configuration group sources to apply to the specific network. For example, suppose the DHCP server is not located on the Internal network, but on a perimeter network. Modify the source for the DHCP configuration group to apply to that perimeter network.
You can modify the system policy, so that only particular computers on the Internal network can be accessed. Alternatively, you can add additional networks, if the services are found elsewhere.
The following table shows the system policy rules that apply to network services.
| Configuration group | Rule name | Rule description |
|---|---|---|
DHCP |
Allow DHCP requests from ISA Server to Internal Allow DHCP replies from DHCP servers to ISA Server |
Allows the ISA Server computer to access the Internal network using the DHCP (reply) and DHCP (request) protocols. |
DNS |
Allow DNS from ISA Server to selected servers |
Allows the ISA Server computer to access all networks using the DNS protocol. |
NTP |
Allow NTP from ISA Server to trusted NTP servers |
Allows the ISA Server computer to access the Internal network using the NTP (UDP) protocol. |
DHCP Services
If your DHCP server is not located on the Internal network, you will have to modify the system policy rule, so that it applies to the network on which the DHCP server is located. For example, if the DHCP server is located on the External network, perform the following steps.
Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
On the Tasks tab, click Edit System Policy.
In the System Policy Editor, in the Configuration Groups tree, click DHCP.
.gif)
On the From tab, click Add.
In Add Network Entities , select a network object.
.gif)
Note
We recommend that, if you know the IP address of the DHCP server, create a computer set with just that IP address and select that computer set. We strongly recommend this when the DHCP server is located on an untrusted network.
Click Add and then click Close.
Authentication Services
One of the fundamental capabilities of ISA Server is the ability to apply a firewall policy to specific users. To authenticate users, however, ISA Server must be able to communicate with the authentication servers. For this reason, by default, ISA Server can communicate with Active Directory servers (for Windows authentication) and with RADIUS servers located on the Internal network.
The following table shows the system policy rules that apply to authentication services.
| Configuration group | Rule name | Rule description |
|---|---|---|
Active Directory |
Allow access to directory services for authentication purposes Allow RPC from ISA Server to trusted servers Allow Microsoft CIFS from ISA Server to trusted servers Allow Kerberos authentication from ISA Server to trusted servers |
Allows the ISA Server computer to access the Internal network using various LDAP protocols, RPC (all interfaces) protocol, various Microsoft CIFS protocols, and various Kerberos protocols, using Active Directory directory service. |
RSA SecurID |
Allow SecurID authentication from ISA Server to trusted servers |
Allows the ISA Server computer to access the Internal network using the RSA SecurID® protocol. |
RADIUS |
Allow RADIUS authentication from ISA Server to trusted RADIUS servers |
Allows the ISA Server computer to access the Internal network using various RADIUS protocols. |
Certificate Revocation List |
Allow HTTP from ISA Server to all networks for CRL downloads |
Authentication Services: Allows HTTP from ISA Server to selected networks for downloading updated certificate revocation lists (CRLs). |
DCOM
If you require use of the DCOM protocol—for example, to remotely manage the ISA Server computer—be sure that you do not enable Enforce strict RPC compliance. To verify that Enforce strict RPC compliance is not selected, perform the following steps.
Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
On the Tasks tab, click Edit System Policy.
In the System Policy Editor, in the Configuration Groups tree, click Active Directory.
Verify that Enforce strict RPC compliance is not selected.
.gif)
Note
DCOM is often required for various services, including remote management and auto-enrollment.
Windows and RADIUS Authentication Services
If you do not require Windows authentication or RADIUS authentication, you should perform the following steps to disable the applicable system policy configuration groups.
Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
On the Tasks tab, click Edit System Policy.
In the System Policy Editor, in the Configuration Groups tree, click Active Directory.
.gif)
On the General tab, verify that Enable is not selected.
Note
When you disable the Active Directory system policy configuration group, access to all LDAP protocols is effectively disabled. If you require the LDAP protocols, create an access rule allowing use of these protocols.
Repeat steps 4 and 5 for the RADIUS configuration group.
Note
If you require only Windows authentication, be sure to configure the system policy, disabling use of all other authentication mechanisms.
RSA SecurID Authentication Services
Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, be sure to enable this configuration group.
CRL Authentication Services
Certificate revocation lists (CRLs) cannot be downloaded by default. This is because the CRL Download configuration group is not enabled by default. To enable CRL download, perform the following steps.
- Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
- In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
- On the Tasks tab, click Edit System Policy.
- In the System Policy Editor, in the Configuration Groups tree, click CRL Download.
- On the General tab, verify that Enable is selected.
- On the To tab, select the network entities from which certificate revocation lists can be downloaded.
.gif)
All HTTP traffic will be allowed from the Local Host network (the ISA Server computer) to network entities listed on the To tab.
Remote Management
Often, you will manage ISA Server from a remote computer. Carefully determine which remote computers are allowed to manage and monitor ISA Server. The following table shows the system policy rules that should be configured.
| Configuration group | Rule name | Rule description |
|---|---|---|
Microsoft Management Console |
Allow remote management from selected computers using MMC Allow MS Firewall Control communication to selected computers |
Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the MS Firewall Control and RPC (all interfaces) protocols. |
Terminal server |
Allow remote management from selected computers using Terminal Server |
Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the RDP (Terminal Services) protocol. |
ICMP (Ping) |
Allow ICMP (PING) requests from selected computers to ISA Server |
Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the Ping protocol, and vice versa. |
By default, the system policy rules allowing remote management of ISA Server are enabled. ISA Server can be managed by running a remote Microsoft Management Console (MMC) snap-in, or by using Terminal Services.
By default, these rules apply to the built-in Remote Management Computers computer set. When you install ISA Server, this empty computer set is created. Add to this empty computer set all computers that will remotely manage ISA Server. Until you do so, remote management is effectively not available from any computer.
Note
Limit remote management to specific computers by configuring the system policy rules to apply only to specific IP addresses.
To enable remote management, perform the following steps.
- Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
- In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
- On the Toolbox tab, click Network Objects.
.gif)
- On the toolbar beneath Network Objects, under Computer Sets, right-click Remote Management Computers and then click Properties.
.gif)
- Click Add and then click Computer.
- In Name, type the name of the computer.
- In Computer IP address, type the IP address of the computer that can remotely manage ISA Server.
Remote Monitoring and Logging
By default, remote logging and monitoring is disabled. The following configuration groups are disabled by default:
- Remote Logging (NetBIOS)
- Remote Logging (SQL)
- Remote Performance Monitoring
- Microsoft Operations Manager
The following table provides a description of the configuration groups.
| Configuration group | Rule name | Rule description |
|---|---|---|
Remote logging (NetBIOS) |
Allow remote logging to trusted servers using NetBIOS |
Allows the ISA Server computer to access the Internal network using various NetBIOS protocols. |
Remote Logging (SQL) |
Allow remote SQL logging from ISA Server to selected servers |
Allows the ISA Server computer to use Microsoft (SQL) protocols to access the Internal network. |
Remote Performance Monitoring |
Allow remote performance monitoring of ISA Server from trusted servers |
Allows computers in the Remote Management Computers computer set to access the ISA Server computer using various NetBIOS protocols. |
Microsoft Operations Manager |
Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent |
Allows the ISA Server computer to access the Internal network using the Microsoft Operations Manager agent. |
Enabling Remote Logging and Monitoring
To enable remote monitoring and logging, perform the following steps.
- Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
- In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
- On the Tasks tab, click Edit System Policy.
- In the System Policy Editor, in the Configuration Groups tree, select one or more of the following configuration groups:
- Remote Logging (NetBIOS)
- Remote Logging (SQL)
- Remote Performance Monitoring
- Microsoft Operations Manager
- On the General tab, verify that Enable is selected.
Firewall Client Share
If you installed the Firewall Client Share component when you installed ISA Server, the Firewall Client Installation Share configuration group is enabled, by default. All computers on the Internal network can access the shared folder. The following table shows the system policy configuration group (and rule) that is enabled.
| Configuration group | Rule name | Rule description |
|---|---|---|
Firewall client setup |
Allow access from trusted computers to the Firewall Client installation share on ISA Server |
Allows computers on the Internal network to access the ISA Server computer using various Microsoft CIFS and NetBIOS protocols. When you enable this rule, access is allowed to the ISA Server computer using SMB from any network or computer specified. Access is not limited only to the Firewall Client installation shared folder. |
If you did not install the Firewall Client Share component, this configuration group is not enabled.
Diagnostic Services
By default, the system policy rules allowing access to diagnostics services are enabled, with the following permissions:
- ICMP. This is allowed to all networks. This service is important for determining connectivity to other computers.
- Windows networking. This allows NetBIOS communication, by default to computers on the Internal network.
- Microsoft error reporting. This allows HTTP access to the Microsoft Error Reporting sites URL set, to allow reporting of error information. By default, this URL set includes specific Microsoft sites.
- Connectivity verifiers. This allows the ISA Server computer to use HTTP and HTTPS protocols to check whether a specific computer is responsive.
The following table shows the system policy configuration groups that are enabled by default.
| Configuration group | Rule name | Rule description |
|---|---|---|
ICMP |
Allow ICMP requests from ISA Server to selected servers |
Allows the ISA Server computer to access all networks using various ICMP protocols and the Ping protocol. |
Windows networking |
Allow NetBIOS from ISA Server to trusted servers |
Allows the ISA Server computer to access all networks using various NetBIOS protocols. |
Communication to Microsoft (Microsoft Error Reporting) |
Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites |
Allows the ISA Server computer to access members of the Microsoft Error Reporting sites URL set using HTTP or HTTPS protocols. |
Connectivity Verifiers
In addition, the following diagnostic service is not enabled by default: HTTP Connectivity Verifiers.
When you create a connectivity verifier, the HTTP Connectivity Verifiers configuration group is enabled, allowing the Local Host network to use HTTP or HTTPS to access computers on any other network. The following table describes the HTTP Connectivity Verifiers configuration group.
| Configuration group | Rule name | Rule description |
|---|---|---|
HTTP Connectivity Verifiers |
Allow HTTP/HTTPS from firewall to all networks, for HTTP connectivity verifiers |
Allows the ISA Server computer to check for connectivity by sending HTTP GET requests to the specified computer. |
We recommend that you limit this access to the specific computers whose connectivity you want to verify. To limit this access, perform the following steps.
- Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
- In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
- On the Tasks tab, click Edit System Policy.
- In the System Policy Editor, in the Configuration Groups tree, click HTTP Connectivity Verifiers.
.gif)
- On the To tab, click All Networks (and Local Host) and then click Remove.
- Click Add and then select the network entities whose connectivity you want to verify. All HTTP traffic will be allowed from the Local Host network (the ISA Server computer) to network entities listed on the To tab.
SMTP
By default, the SMTP configuration group is enabled, allowing SMTP communication from ISA Server to computers on the Internal network. This is required, for example, when you want to send alert information in an e-mail message. The following table describes the SMTP configuration group.
| Configuration group | Rule name | Rule description |
|---|---|---|
SMTP |
Allow SMTP from ISA Server to trusted servers |
Allows the ISA Server computer to access the Internal network using the SMTP protocol. |
Scheduled Download Jobs
By default, the scheduled download jobs feature is disabled. The following table describes the Scheduled Download Jobs configuration group.
| Configuration group | Rule name | Rule description |
|---|---|---|
Scheduled Download Jobs |
Allow HTTP from ISA Server to selected computers for Content Download Jobs |
Allows the ISA Server computer to access all networks using the HTTP protocol. |
When you create a content download job, you will be prompted to enable this system policy rule. ISA Server will be able to access the sites specified in the content download job.
Accessing the Microsoft Web Site
The default system policy allows HTTP and HTTPS access from the Local Host network (that is, the ISA Server computer) to the microsoft.com Web site. This is required for a few reasons:
- Error reporting (as described in the Diagnostic Services section)
- Access to useful documentation on the ISA Server Web site and on other related Web sites
By default, the Allowed Sites configuration group is enabled, allowing ISA Server to access content on specific sites that belong to the System Policy Allowed Sites domain name set. The following table describes the Allowed Sites configuration group.
| Configuration group | Rule name | Rule description |
|---|---|---|
Allowed Sites |
Allow HTTP/HTTPS requests from ISA Server to specified sites |
Allows the ISA Server computer to access members of the System Policy Allowed Sites URL set using HTTP and HTTPS protocols. |
This URL set includes various Microsoft Web sites, by default. You can modify the domain name set to include additional Web sites, which ISA Server will be allowed to access.
To modify the URL set to include additional Web sites, perform the following steps.
- Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
- In the console tree of ISA Server Management, click Microsoft ISA Server 2004, click the server_name, and then click Firewall Policy.
- On the Toolbox tab, click Network Objects.
.gif)
- Under Domain Name Sets, right-click System Policy Allowed Sites and then click Properties.
- On the General tab, click New and then type the URL for the specific Web site.
.gif)
HTTP and HTTPS access will be allowed to the specified Web sites.
Additional Resources
For information about Microsoft ISA Server, see the Microsoft ISA Server Web site.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.