FW_H_EnableIntrusion

To enable intrusion detection of common attacks

1. In the console tree of ISA Server Management, click General.

2. In the details pane, click Enable Intrusion Detection and DNS Attack Detection.

3. On the Common Attacks tab, click Enable intrusion detection.

4. Select one or more of the following:

   • Windows out-of-band (WinNuke). Select this option when ISA Server will generate an event if an out-of-band denial of service attack is attempted against a computer protected by ISA Server.
   • Land. Select this option when ISA Server will generate an event if a TCP SYN packet is sent with a spoofed source IP address and port number that matches that of the destination IP address and port number.
   • Ping of death. Select this option when ISA Server will generate an event if an IP fragment is received with more data than the maximum IP packet size.
   • IP half scan. Select this option when ISA Server will generate an event if repeated attempts to connect to a destination computer are made and no corresponding ACK packets are communicated.
   • UDP bomb. Select this option when ISA Server will generate an event if there is an attempt to send an illegal User Datagram Protocol (UDP) packet. Although an event will be generated when the attack occurs, you must specifically enable and configure an alert to trigger an action.
   • Port scan. Select this option when ISA Server will generate an event if an attempt is made to count the services running on a computer by probing each port for a response. If you select this option, also specify the following:
     Detect after attacks on well-known ports. Type the maximum number of well-known ports that can be scanned before generating an event when a port scan attack is detected. A well-known port is any port in the range from 1 through 2048.
     Detect after attacks on ports. Type the maximum number of ports that can be scanned before generating an event when a port scan attack is detected.