Hardening the Windows Infrastructure on the ISA Server 2004 Computer
Because Microsoft Internet Security and Acceleration (ISA) Server 2004 is used to protect your network or other resources from attack by malicious users, take special care in hardening the ISA Server computer. We recommend that you apply the configurations described in the Windows Server 2003 Security Guide (https://go.microsoft.com/fwlink/?LinkId=31584). Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the Internet Protocol security (IPsec) filters or any of the server role policies.
In addition, you should consider ISA Server functionality and harden the operating system accordingly. This document describes how to harden Microsoft Windows Server 2003 and Windows 2000 Server running on the ISA Server computer. For further security guidelines, see the ISA Server Security Hardening Guide (https://go.microsoft.com/fwlink/?LinkId=24507). The ISA Server Security Hardening Guide includes these instructions, in addition to more detailed security considerations.
Note
We recommend that you harden the Windows infrastructure after you have completely installed ISA Server. For ISA Server Enterprise Edition, install all the necessary Configuration Storage servers and the array members. Then, harden the computers.
The Microsoft Windows Server 2003 operating system with Service Pack 1 (SP1) includes an attack surface reduction tool called the Security Configuration Wizard (SCW). Depending on the server role you select, the SCW determines the minimum functionality required, and disables functionality that is not required.
When you install Microsoft Windows Server 2003 SP1 on the ISA Server computer, you can install the SCW and use the wizard to harden the computer.
The SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with the SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).
The SCW includes a role for ISA Server computers. To apply the appropriate ISA Server roles, perform the following steps:
1. On the ISA Server computer, click Start, click Administrative Tools, and then click Security Configuration Wizard.
2. In the Security Configuration Wizard, on the Welcome page, click Next.
3. On the Configuration Action page, select Create a new security policy.
4. On the Select Server page, in Server, type the name or IP address of the ISA Server computer.
5. On the Processing Security Configuration Database page, click Next.
6. On the Welcome page of the Role-based Service Configuration page, click Next.
7. On the Select Server Roles page, select the following and then click Next.
   - Select Microsoft Internet Security and Acceleration Server 2004, if you are hardening a computer running the ISA Server services (for ISA Server Enterprise Edition, an array member).
   - Select Remote Access/VPN Server, if you will be using the ISA Server computer for virtual private network (VPN) functionality.
   Note
   Do not select any specific server roles for a Configuration Storage server.
8. On the Select Client Features page, select the default client roles, as appropriate. No special client roles are specifically required for hardening ISA Server. Then, click Next.
9. On the Select Administration and Other Options page, select the following options:
   - Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Configuration Storage, if the Configuration Storage server is installed on this computer (for ISA Server Enterprise Edition only).
   - Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Client installation share, if the Firewall Client share is installed on this computer.
   - Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: MSDE Logging, if ISA Server advanced logging options are installed on this computer.
10. On the Select Additional Services page, select the appropriate services and click Next.
11. Click Next until you finish the wizard.
For more technical guidance about the SCW, see “Security Configuration Wizard for Windows Server 2003” at the Microsoft Windows Server 2003 Web site.
If Windows Server 2003 SP1 is not installed on the computer, you can configure the service startup modes manually, as described in this section, so that the computer ends up configured as the Security Configuration Wizard would configure it.
Note that we recommend that you use the SCW to harden the computer wherever it is available, because it is best optimized to secure the ISA Server computer.
The following table lists the core services that must be enabled for ISA Server and the ISA Server computer to function properly.
| Service name | Rationale | Startup mode |
|---|---|---|
| COM+ Event System | Core operating system | Manual |
| Cryptographic Services | Core operating system (security) | Automatic |
| Event Log | Core operating system | Automatic |
| IPSec Services | Core operating system (security) | Automatic |
| Logical Disk Manager | Core operating system (disk management) | Automatic |
| Logical Disk Manager Administrative Service | Core operating system (disk management) | Manual |
| Microsoft Firewall | Required for normal functioning of ISA Server | Automatic |
| Microsoft ISA Server Control | Required for normal functioning of ISA Server | Automatic |
| Microsoft ISA Server Job Scheduler | Required for normal functioning of ISA Server | Automatic |
| Microsoft ISA Server Storage | Required for normal functioning of ISA Server | Automatic |
| MSSQL$MSFW | Required when MSDE logging is used for ISA Server | Automatic |
| Network Connections | Core operating system (network infrastructure) | Manual |
| NTLM Security Support Provider | Core operating system (security) | Manual |
| Plug and Play | Core operating system | Automatic |
| Protected Storage | Core operating system (security) | Automatic |
| Remote Access Connection Manager | Required for normal functioning of ISA Server | Manual |
| Remote Procedure Call (RPC) | Core operating system | Automatic |
| Secondary Logon | Core operating system (security) | Automatic |
| Security Accounts Manager | Core operating system | Automatic |
| Server | Required for ISA Server Firewall Client Share | Automatic |
| Smart Card | Core operating system (security) | Manual |
| SQLAgent$MSFW | Required when MSDE logging is used for ISA Server | Manual |
| System Event Notification | Core operating system | Automatic |
| Telephony | Required for normal functioning of ISA Server | Manual |
| Virtual Disk Service (VDS) | Core operating system (disk management) | Manual |
| Windows Management Instrumentation (WMI) | Core operating system (WMI) | Automatic |
| WMI Performance Adapter | Core operating system (WMI) | Manual |
The ISA Server computer may function in additional capacities, or roles, depending on how you use the computer. The following table lists possible server roles, describes when they may be required, and lists the services that should be activated when you enable the role.

| Server role | Usage scenario | Services required | Startup mode |
|---|---|---|---|
| Routing and Remote Access Server | Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality. | Routing and Remote Access | Manual |
| Routing and Remote Access Server | | Remote Access Connection Manager | Manual |
| Routing and Remote Access Server | | Telephony | Manual |
| Routing and Remote Access Server | | Workstation | Automatic |
| Routing and Remote Access Server | | Server | Automatic |
| Terminal Server for Remote Desktop Administration | Select this role to enable remote management of the ISA Server computer. | Server | Automatic |
| Terminal Server for Remote Desktop Administration | | Terminal Services | Manual |
Note
The startup mode for the Server service should be Automatic in the following cases:
- You install ISA Server 2004: Client Installation Share.
- You use Routing and Remote Access Management, rather than ISA Server Management, to configure a virtual private network (VPN).
- Other tasks or roles, as described in the preceding table, require the service.
The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.
Note that the Server service is required only if you use Routing and Remote Access Management (rather than ISA Server Management) to configure a VPN.
For a server to perform necessary tasks, specific services must be enabled, based on the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the task.

| Server task | Usage scenario | Services required | Startup mode |
|---|---|---|---|
| Application installation from Group Policy | Required to install, uninstall, or repair applications using the Microsoft Installer Service. | Windows Installer | Manual |
| Backup | Required if using NTBackup or another backup program on the ISA Server computer. | Microsoft Software Shadow Copy Provider | Manual |
| Backup | | Volume Shadow Copy | Manual |
| Backup | | Removable Storage service | Manual |
| Error Reporting | Use to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis. | Error Reporting Service | Automatic |
| Help and Support | Allows collection of historical computer data for Microsoft Product Support Services incident escalation. | Help and Support | Automatic |
| ISA Server 2004: Client installation share | Required to allow computers to connect to and install from the Firewall Client share on the ISA Server computer. | Server | Automatic |
| ISA Server 2004: MSDE logging | Required to allow logging using MSDE databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the Log Viewer in off-line mode. | SQLAgent$MSFW | Manual |
| ISA Server 2004: MSDE logging | | MSSQL$MSFW | Automatic |
| Performance data collection | Allows background collecting of performance data on the ISA Server computer. | Performance Logs and Alerts | Automatic |
| | Allows printing from the ISA Server computer. | Print Spooler | Automatic |
| | | TCP/IP NetBIOS Helper | Automatic |
| | | Workstation | Automatic |
| Remote Windows administration | Allows remote management of the Windows server (not required for remote management of ISA Server). | Server | Automatic |
| Remote Windows administration | | Remote Registry | Automatic |
| Time Synchronization | Allows the ISA Server computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols. | Windows Time | Automatic |
| Remote Assistance Expert | Allows the Remote Assistance feature to be used on this computer. | Help and Support | Automatic |
| Remote Assistance Expert | | Remote Desktop Help Session Manager | Manual |
| Remote Assistance Expert | | Terminal Services | Manual |
Note
Time client applications require that either the Wireless or the Server service is running in order to function properly.
Servers can be clients of other servers. Client roles are dependent on role-specific services being enabled. The following table lists possible client roles for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.
| Client role | Usage scenario | Services required | Startup mode |
|---|---|---|---|
| Automatic Update client | Select this role to allow automatic detection and update from Microsoft Windows Update. | Automatic Updates | Automatic |
| Automatic Update client | | Background Intelligent Transfer Service | Manual |
| DHCP client | Select this role if the ISA Server computer receives its IP address automatically from a DHCP server. | DHCP Client | Automatic |
| DNS client | Select this role if the ISA Server computer needs to receive name resolution information from other servers. | DNS Client | Automatic |
| Domain member | Select this role if the ISA Server computer belongs to a domain. | Network Location Awareness (NLA) | Manual |
| Domain member | | Net Logon | Automatic |
| Domain member | | Windows Time | Automatic |
| DNS registration client | Select this role to allow the ISA Server computer to automatically register its name and address information with a DNS server. | DHCP Client | Automatic |
| Microsoft Networking client | Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers; for example, to publish reports. | TCP/IP NetBIOS Helper | Automatic |
| Microsoft Networking client | | Workstation | Automatic |
| WINS client | Select this role if the ISA Server computer uses WINS-based name resolution. | TCP/IP NetBIOS Helper | Automatic |
You can create a template, using the Security Templates Microsoft Management Console (MMC) snap-in. The template includes information about which services should be enabled, as well as their startup mode. By using a security template, you can easily configure a security policy and then apply it to each ISA Server computer.
To create a security template, perform the following steps:
1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Templates, click Add, click Close, and then click OK.
4. In the console tree, click the Security Templates node, right-click the folder where you want to store the new template, and click New Template.
5. In Template name, type the name for your new security template.
6. In Description, type a description of your new security template, and then click OK.
7. Expand the new template, and then click System Services.
8. In the details pane, right-click COM+ Event System and then click Properties.
9. Select Define this policy setting in the template and then click the startup mode. (For COM+ Event System, the startup mode is Automatic.)
10. Repeat steps 8 and 9 for each of the services listed in the following table.
| Service name | Short name | Startup mode |
|---|---|---|
| Automatic Updates | wuauserv | Automatic |
| Background Intelligent Transfer Service | BITS | Manual |
| COM+ Event System | EventSystem | Manual |
| Cryptographic Services | CryptSvc | Automatic |
| DHCP Client | Dhcp | Automatic |
| DNS Client | Dnscache | Automatic |
| Error Reporting Service | ERSvc | Automatic |
| Event Log | Eventlog | Automatic |
| Help and Support | Helpsvc | Automatic |
| IPsec Services | PolicyAgent | Automatic |
| Logical Disk Manager | dmserver | Automatic |
| Logical Disk Manager Administrative Service | dmadmin | Manual |
| Microsoft Firewall | Fwsrv | Automatic |
| Microsoft ISA Server Control | ISACtrl | Automatic |
| Microsoft ISA Server Job Scheduler | ISASched | Automatic |
| Microsoft ISA Server Storage | ISASTG | Automatic |
| Microsoft Software Shadow Copy Provider | SWPRV | Manual |
| MSSQL$MSFW | MSSQL$MSFW | Automatic |
| Network Connections | Netman | Manual |
| Network Location Awareness (NLA) | NLA | Manual |
| NTLM Security Support Provider | NtLmSsp | Manual |
| Performance Logs and Alerts | SysmonLog | Automatic |
| Plug and Play | PlugPlay | Automatic |
| Protected Storage | ProtectedStorage | Automatic |
| Remote Access Connection Manager | RasMan | Manual |
| Remote Desktop Help Session Manager | RDSessMgr | Manual |
| Remote Procedure Call (RPC) | RpcSs | Automatic |
| Removable Storage | NtmsSvc | Manual |
| Routing and Remote Access | None | Manual |
| Secondary Logon | seclogon | Automatic |
| Security Accounts Manager | SamSs | Automatic |
| Server | lanmanserver | Manual |
| Smart Card | SCardSvr | Manual |
| System Event Notification | SENS | Automatic |
| TCP/IP NetBIOS Helper | LmHosts | Automatic |
| Telephony | TapiSrv | Manual |
| Terminal Services | TermService | Manual |
| Virtual Disk Service (VDS) | VDS | Manual |
| Volume Shadow Copy | VSS | Manual |
| Windows Installer | MSIServer | Manual |
| Windows Management Instrumentation | winmgmt | Automatic |
| Windows Time | W32time | Automatic |
| Wireless Configuration | WZCSVC | Automatic |
| WMI Performance Adapter | WmiApSrv | Manual |
| Workstation | lanmanworkstation | Automatic |
Note
The startup mode for the Server service should be Automatic in the following cases:
- You install ISA Server 2004: Client Installation Share.
- You use Routing and Remote Access Management, rather than ISA Server Management, to configure a VPN.
- Other tasks or roles, as described in the preceding table, require the service.
The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.
Time client applications require that either the Wireless or the Server service is running in order to function properly.
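Whether you set the startup modes through the SCW, a security template, or by hand, you will want to confirm afterwards that the live configuration still matches the table, and to detect when it drifts later. The following PowerShell script is an added example, not part of this document and not Microsoft's code: it compares the startup mode of every service in the preceding table with the documented value, using the Win32_Service WMI class, and optionally resets drifted services with Set-Service. It assumes an elevated PowerShell session on the ISA Server computer; the parameter names `-Fix` and `-ClientShare` and the function name `Test-IsaServiceStartup` are the example's own. Following the note above, it expects the Server service to be Automatic when `-ClientShare` is given, and it does not audit Routing and Remote Access, which the table lists with no short name because ISA Server starts it on demand.

```powershell
# Added example (not from the ISA Server documentation): audit the startup mode
# of the services in the "Service name | Short name | Startup mode" table
# against the live configuration and optionally correct drift.
# Assumes an elevated PowerShell session on the ISA Server computer.
param(
    [switch]$Fix,          # reset drifted services to the documented mode
    [switch]$ClientShare   # Client Installation Share installed: Server must be Automatic
)

# Short name -> documented startup mode, copied from the table above.
# Routing and Remote Access has no short name in the table and is started by
# ISA Server itself when a VPN is enabled, so it is not audited here.
$expected = @{
    'wuauserv'='Automatic';    'BITS'='Manual';          'EventSystem'='Manual'
    'CryptSvc'='Automatic';    'Dhcp'='Automatic';       'Dnscache'='Automatic'
    'ERSvc'='Automatic';       'Eventlog'='Automatic';   'Helpsvc'='Automatic'
    'PolicyAgent'='Automatic'; 'dmserver'='Automatic';   'dmadmin'='Manual'
    'Fwsrv'='Automatic';       'ISACtrl'='Automatic';    'ISASched'='Automatic'
    'ISASTG'='Automatic';      'SWPRV'='Manual';         'MSSQL$MSFW'='Automatic'
    'Netman'='Manual';         'NLA'='Manual';           'NtLmSsp'='Manual'
    'SysmonLog'='Automatic';   'PlugPlay'='Automatic';   'ProtectedStorage'='Automatic'
    'RasMan'='Manual';         'RDSessMgr'='Manual';     'RpcSs'='Automatic'
    'NtmsSvc'='Manual';        'seclogon'='Automatic';   'SamSs'='Automatic'
    'lanmanserver'='Manual';   'SCardSvr'='Manual';      'SENS'='Automatic'
    'LmHosts'='Automatic';     'TapiSrv'='Manual';       'TermService'='Manual'
    'VDS'='Manual';            'VSS'='Manual';           'MSIServer'='Manual'
    'winmgmt'='Automatic';     'W32time'='Automatic';    'WZCSVC'='Automatic'
    'WmiApSrv'='Manual';       'lanmanworkstation'='Automatic'
}

# Per the note above, the Server service must be Automatic when the
# Client Installation Share is installed on this computer.
if ($ClientShare) { $expected['lanmanserver'] = 'Automatic' }

# Win32_Service reports StartMode as Auto, Manual or Disabled.
$wmiMode = @{ 'Automatic'='Auto'; 'Manual'='Manual'; 'Disabled'='Disabled' }

function Test-IsaServiceStartup {
    $results = @()
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $want = $expected[$name]
        $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            # Expected on computers that do not host the component, e.g. the
            # ISA or MSDE services on a Configuration Storage server.
            $status = 'NotInstalled'
            $have   = ''
        } elseif ($svc.StartMode -eq $wmiMode[$want]) {
            $status = 'OK'
            $have   = $svc.StartMode
        } else {
            $status = 'Drift'
            $have   = $svc.StartMode
            if ($Fix) {
                Set-Service -Name $name -StartupType $want
                $status = 'Fixed'
            }
        }
        $results += New-Object PSObject -Property @{
            Service = $name; Expected = $want; Actual = $have; Status = $status
        }
    }
    return $results
}

$report = @(Test-IsaServiceStartup)
$report | Select-Object Service, Expected, Actual, Status | Format-Table -AutoSize

# Non-zero exit code when drift remains, so a scheduled run can raise an alert.
$drift = @($report | Where-Object { $_.Status -eq 'Drift' })
Write-Host ("{0} services checked, {1} drifted" -f $report.Count, $drift.Count)
if ($drift.Count -gt 0) { exit 1 }
```

Run it without `-Fix` first, for example before and after applying the security template, to see what the template changed; from a scheduled task the exit code alone is enough to flag drift. Services reported as NotInstalled are normal on computers that do not host that component. The script only checks the services the table names, so services the table does not mention, which the document says should be disabled, still need to be reviewed separately.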
To apply the new template to the ISA Server computer, perform the following steps:
1. To open an MMC console, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Configuration and Analysis, click Add, click Close, and then click OK.
4. In the console tree, click Security Configuration and Analysis.
5. Right-click Security Configuration and Analysis and then click Open Database.
6. Type a new database name, and then click Open.
7. Select the security template that you created previously, and then click Open.
8. Right-click Security Configuration and Analysis and then click Configure Computer Now.
For more detailed information and guidelines on hardening ISA Server and the ISA Server computer, see the ISA Server Security Hardening Guide, available on the Microsoft Web site.
For information about Microsoft ISA Server, see the Microsoft ISA Server Web site.