Help Secure Web and Outlook Web Access Servers

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Published: January 7, 2003

Internet Security and Acceleration (ISA) Server 2000 Feature Pack 1 enhances the security of Web servers and servers running Microsoft Outlook Web Access by helping to:

  • Protect against evolving types of Internet attacks.

  • Control access with improved authentication.

ISA Server Feature Pack 1 also includes enhancements for Microsoft Exchange Server. See Help Secure E-Mail Servers for more information.

Help Protect Your Servers from Evolving Types of Internet Attacks

More and more applications are using HTTP and HTTPS for communication. This situation has led to the prevalence of application-layer worms and viruses that travel over HTTP and HTTPS to attack corporate networks. Unfortunately, most traditional packet filtering and stateful inspection firewalls are not capable of stopping these types of attacks. To stop them, you can use an application-layer firewall. ISA Server with Feature Pack 1 helps stop malicious Web requests at the ISA Server computer before they enter your network, and can simplify the administration of security settings by reducing configuration complexity.

URLScan 2.5 for ISA Server

Web-based attacks typically request unusual actions, have a large number of characters, or are encoded using an alternate character set. These types of attacks include Unicode decode and directory traversal attacks. URLScan enables ISA Server to help detect and stop these attacks. Running URLScan on the server running ISA Server instead of on every Web server and server running Outlook Web Access in the internal network can complement existing URLScan installations or reduce configuration complexity.

URLScan diagram

Help Control Access to Servers with Improved Authentication

With ISA Server Feature Pack 1, ISA Server has been improved to support RSA SecurID authentication and to help limit traffic to Web servers and servers running Outlook Web Access by allowing only valid requests through to the corporate network. Multiple authentication dialog boxes are also eliminated.

RSA SecurID Authentication

ISA Server Feature Pack 1 enables strong, two-factor RSA SecurID authentication for Web servers and servers running Outlook Web Access at ISA Server. SecurID authentication is based on something you know (a password or personal identification number) and something you have (an authenticator). When a user attempts to gain access to SecurID-protected Web pages, the server running ISA Server (on behalf of the server it is protecting) prompts the user for his or her SecurID user name and PASSCODE. The RSA ACE/Agent on ISA Server passes these credentials to the RSA ACE/Server for validation. If the credentials validate successfully, a cookie is delivered to the user's browser for subsequent activity during the session and the user is granted access to the protected content.

Web RSA screen shot

Configuring ISA Server for SecurID authentication in the Properties section of the Web publishing rule.

Delegation for RSA SecurID and Basic Authentication

Authentication delegation helps increase security by enabling ISA Server to pre-authenticate Internet clients instead of passing the authentication to the published server. This delegation also eliminates multiple logon prompts. After ISA Server validates the user, the authentication information passes back to the protected server. With ISA Server Feature Pack 1, delegation is possible with SecurID and basic (user name and password) authentication, and can be enabled for each Web publishing rule.