Securing the ISA Server Computer

  • Article

An important step in securing ISA Server is verifying that the ISA Server computer is physically safe, and that you apply basic security configuration recommendations. Information about the following topics is provided:

  • Managing updates
  • Physical access
  • Determining domain membership
  • Hardening the Windows infrastructure
  • Managing roles and permissions
  • Reducing the attack surface
  • Lockdown mode

The following sections describe these issues and how to implement security recommendations.

Managing Updates

As a security best practice, we strongly recommend that you always install the latest updates for the operating system, for ISA Server, and for other components installed by ISA Server: Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) and Office Web Components 2002 (OWC). Do the following:

We also recommend that you analyze system security periodically, using Microsoft Baseline Security Analyzer (MBSA). You can download MBSA at the Microsoft TechNet Web site.

Physical Access

Ensure that the ISA Server computer is stored in a physically secure location. Physical access to a server is a high security risk. Physical access to a server by an intruder could result in unauthorized access or modification, as well as installation of hardware or software designed to circumvent security. To maintain a secure environment, you must restrict physical access to the ISA Server computer.

If you suspect that the ISA Server computer was compromised, reinstall ISA Server.

Protecting Confidential Information in Case of Theft

For ISA Server Enterprise Edition, each array member contains encrypted, confidential information about the other array members. The array member also has the keys to decrypt the information.

For this reason, in case any array member is stolen, confidential information about the other array members is potentially at risk. In case of theft of any array member, modify all confidential information on all the other array members. Confidential information includes user credential passwords (for example, used for logging on to a computer running SQL Server), Remote Authentication Dial-In User Service (RADIUS) shared secrets, or preshared Internet Protocol security (IPsec) keys.

Determining Domain Membership

In many cases, you may want to set up the ISA Server computer as a member of a domain. For example, if you will create a policy that relies on domain user authentication, ISA Server should belong to a domain.

If the ISA Server computer is protecting the edge of your network, we recommend that you install it in a separate forest (rather than in the internal forest of your corporate network). You help protect the internal forest from being compromised, even if an attack is mounted on the forest of the ISA Server computer. To experience the administrative and security benefits of ISA Server as a domain member, we recommend that you deploy the ISA Server computer in a separate forest with a one-way trust to the corporate forest. (One-way trust is supported on Windows Server 2003 domains only.)

Note that when you install ISA Server as a domain member, you can lock down the ISA Server computer using Group Policy, rather than by configuring only a local policy.

For security reasons, if you do not require domain or Active Directory directory service functionality for the ISA Server computer, consider installing the ISA Server computer in a workgroup. For example, if ISA Server is protecting the edge of the network, consider installing the computer in a workgroup.

Hardening the Windows Infrastructure

As previously mentioned, this guide assumes that you applied the configurations recommended in the Windows Server 2003 Security Guide. Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the Internet Protocol security (IPsec) filters or any of the server role policies.

In addition, you should consider ISA Server functionality and harden the operating system accordingly.

Note

We recommend that you harden the Windows infrastructure after you have completely installed ISA Server. For ISA Server Enterprise Edition, install all the necessary Configuration Storage servers and the array members. Then, harden the computers.

Using the Security Configuration Wizard

The Microsoft Windows Server 2003 operating system with Service Pack 1 (SP1) includes an attack surface reduction tool called the Security Configuration Wizard (SCW). Depending on the server role you select, the SCW determines the minimum functionality required, and disables functionality that is not required.

When you install Windows Server 2003 SP1 on the ISA Server computer, you can install the SCW and use the wizard to harden the computer.

The SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with the SCW are .xml files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS). The SCW includes a role for ISA Server computers.

To apply the appropriate ISA Server roles, perform the following steps

  1. On the ISA Server computer, click Start, point to Administrative Tools, and then click Security Configuration Wizard.

  2. In the Security Configuration Wizard, on the Welcome page, click Next.

  3. On the Configuration Action page, select Create a new security policy.

  4. On the Select Server page, in Server, type the name or IP address of the ISA Server computer.

  5. On the Processing Security Configuration Database page, click Next.

  6. On the Welcome page of the Role-based Service Configuration page, click Next.

  7. On the Select Server Roles page, select the following, and then click Next:

    1. Select Microsoft Internet Security and Acceleration Server 2004, if you are hardening a computer running the ISA Server services (for ISA Server Enterprise Edition, an array member).

    2. Select Remote Access/VPN Server, if you will be using the ISA Server computer for virtual private network (VPN) functionality.

      Note

      Do not select any specific server roles when hardening a Configuration Storage server.

  8. On the Select Client Features page, select the default client roles, as appropriate. No special client roles are specifically required for hardening ISA Server. Then, click Next.

  9. On the Select Administration and Other Options page, select the following options:

    1. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Configuration Storage, if the Configuration Storage server is installed on this computer (for ISA Server Enterprise Edition only).
    2. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Client installation share, if the Firewall Client share is installed on this computer.
    3. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: MSDE Logging, if ISA Server advanced logging options are installed on this computer.
    4. Select Remote Access Quarantine Agent, if you will enable quarantine for ISA Server. (You must have selected the Remote Access/VPN Server server role in step 7.)

  10. On the Select Additional Services page, select the appropriate services and click Next.

  11. Click Next until you finish the wizard.

For more technical guidance about the SCW, see Security Configuration Wizard for Windows Server 2003 at the Microsoft Windows Server System Web site.

Hardening the Computer Manually

If Windows Server 2003 SP1 is not installed on the computer, you can configure the service startup mode, as described in this section. You configure the computer as the Security Configuration Wizard does.

Note that we recommend that you use the SCW to harden the computer, because it is best optimized to secure the ISA Server computer.

Core Services

The following table lists the core services that must be enabled for ISA Server and the ISA Server computer to function properly.

Service name Rationale Startup mode

COM+ Event System

Core operating system

Manual

Cryptographic Services

Core operating system (security)

Automatic

Event Log

Core operating system

Automatic

IPsec Services

Core operating system (security)

Automatic

Logical Disk Manager

Core operating system (disk management)

Automatic

Logical Disk Manager Administrative Service

Core operating system (disk management)

Manual

Microsoft Firewall

Required for normal functioning of ISA Server

Automatic

Microsoft ISA Server Control

Required for normal functioning of ISA Server

Automatic

Microsoft ISA Server Job Scheduler

Required for normal functioning of ISA Server

Automatic

Microsoft ISA Server Storage

Required for normal functioning of ISA Server

Automatic

MSSQL$MSFW

Required when MSDE logging is used for ISA Server

Automatic

Microsoft Distributed Transaction Coordinator (MS DTC)

Distributed Transaction Coordinator

Automatic

Network Connections

Core operating system (network infrastructure)

Manual

NTLM Security Support Provider

Core operating system (security)

Manual

Plug and Play

Core operating system

Automatic

Protected Storage

Core operating system (security)

Automatic

Remote Access Connection Manager

Required for normal functioning of ISA Server

Manual

Remote Procedure Call (RPC)

Core operating system

Automatic

Secondary Logon

Core operating system (security)

Automatic

Security Accounts Manager

Core operating system

Automatic

Server

Required for ISA Server Firewall Client Share

Automatic

Smart Card

Core operating system (security)

Manual

SQLAgent$MSFW

Required when MSDE logging is used for ISA Server

Manual

System Event Notification

Core operating system

Automatic

Telephony

Required for normal functioning of ISA Server

Manual

Virtual Disk Service (VDS)

Core operating system (disk management)

Manual

Windows Management Instrumentation (WMI)

Core operating system (WMI)

Automatic

WMI Performance Adapter

Core operating system (WMI)

Manual

ISA Server Server Roles

The ISA Server computer may function in additional capacities, or roles, depending on how you use the computer. The following table lists possible server roles, describes when they may be required, and lists the services that should be activated when you enable the role.

Server role Usage scenario Services required Startup mode

Remote Access/VPN Server

Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.

Routing and Remote Access

Manual

Remote Access Connection Manager

Manual

Telephony

Manual

Workstation

Automatic

Server

Automatic

Terminal Server

Select this role to enable remote management of the ISA Server computer.

Server

Automatic

Terminal Services

Manual

Note

The startup mode for the Server service should be Automatic in the following cases:
•You install ISA Server 2004: Client Installation Share.
•You use Routing and Remote Access Management, rather than ISA Server Management, to configure a virtual private network (VPN).
•Other tasks or roles, as described in the preceding table, require the service.
The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.
Note that the Server service is required only if you use Routing and Remote Access Management (rather than ISA Server Management) to configure a VPN.

ISA Server Administration and Other Tasks

For a server to perform necessary tasks, specific services must be enabled, based on the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Server task Usage scenario Services required Startup mode

Application Installation locally using Windows Installer

Required to install, uninstall, or repair applications using the Microsoft Installer Service.

Windows Installer

Manual

Backup

Required if using a backup program on the ISA Server computer.

Microsoft Software Shadow Copy Provider

Manual

Volume Shadow Copy

Manual

Removable Storage service

Manual

Error Reporting

Use to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis.

Error Reporting Service

Automatic

Help and Support

Allows collection of historical computer data for Microsoft Product Support Services incident escalation.

Help and Support

Automatic

ISA Server 2004: Client installation share

Required to allow computers to connect to and install from the Firewall Client share on the ISA Server computer.

Server

Automatic

ISA Server 2004: MSDE logging

Required to allow logging using MSDE databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the log viewer in offline mode.

SQLAgent$MSFW

Manual

MSSQL$MSFW

Automatic

Performance Data Collection

Allows background collecting of performance data on the ISA Server computer.

Performance Logs and Alerts

Automatic

Print

Allows printing from the ISA Server computer.

Print Spooler

Automatic

TCP/IP NetBIOS Helper

Automatic

Workstation

Automatic

Remote Windows administration

Allows remote management of the Windows server (not required for remote management of ISA Server).

Server

Automatic

Remote Registry

Automatic

Time Synchronization

Allows the ISA Server computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols.

Windows Time

Automatic

Remote Assistance Expert

Allows the Remote Assistance feature to be used on this computer.

Help and Support

Automatic

Remote Desktop Help Session Manager

Manual

Terminal Services

Manual

Note


•To function properly, time client applications require that either the Wireless or the Server service is running.
•To function properly, performance counters require that both the Remote Registry and Server services are running.

ISA Server Client Roles

Servers can be clients of other servers. Client roles are dependent on role-specific services being enabled. The following table lists possible client roles for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Client role Usage scenario Services required Startup mode

Automatic Update client

Select this role to allow automatic detection and update from Microsoft Windows Update.

Automatic Updates

Automatic

Background Intelligent Transfer Service

Manual

DHCP client

Select this role if the ISA Server computer receives its IP address automatically from a DHCP server.

DHCP Client

Automatic

DNS client

Select this role if the ISA Server computer needs to receive name resolution information from other servers. Also select the DNS Client role when ISA Server requires name resolution information (DNS and HOSTS file).

DNS Client

Automatic

Domain member

Select this role if the ISA Server computer belongs to a domain.

Network location awareness (NLA)

Manual

Net logon

Automatic

Windows Time

Automatic

DNS registration client

Select this role to allow the ISA Server computer to automatically register its name and address information with a DNS Server.

DHCP Client

Automatic

Microsoft Networking client

Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers, for example, to publish reports.

TCP/IP NetBIOS Helper

Automatic

Workstation

Automatic

WINS client

Select this role if the ISA Server computer uses WINS-based name resolution.

TCP/IP NetBIOS Helper

Automatic

Creating a Security Template

You can create a template, using the Security Templates Microsoft Management Console (MMC) snap-in. The template includes information about which services should be enabled, as well as their startup mode. By using a security template, you can easily configure a security policy and then apply it to each ISA Server computer.

To create a security template, perform the following steps

  1. To open Security Templates, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Select Security Templates, click Add, click Close, and then click OK.

  4. In the console tree, click the Security Templates node, right-click the folder where you want to store the new template, and click New Template.

  5. In Template name, type the name for your new security template.

  6. In Description, type a description of your new security template, and then click OK.

  7. Expand the new template, and then click System Services.

  8. In the details pane, right-click COM+ Event System, and then click Properties.

  9. Select Define this policy setting in the template, and then select the startup mode. (For COM+ Event System, the startup mode is Automatic.)

  10. Repeat step 8 and step 9 for each of the services listed in the following table.

Service name Short name Startup mode

Automatic Updates

wuauserv

Automatic

Background Intelligent Transfer Service

BITS

Manual

COM+ Event System

EventSystem

Manual

Cryptographic Services

CryptSvc

Automatic

DHCP Client

Dhcp

Automatic

DNS Client

Dnscache

Automatic

Error Reporting Service

ERSvc

Automatic

Event Log

Eventlog

Automatic

Help and Support

Helpsvc

Automatic

IPsec Services

PolicyAgent

Automatic

Logical Disk Manager

dmserver

Automatic

Logical Disk Manager Administrative Service

dmadmin

Manual

Microsoft Firewall

Fwsrv

Automatic

Microsoft ISA Server Control

ISACtrl

Automatic

Microsoft ISA Server Job Scheduler

ISASched

Automatic

Microsoft ISA Server Storage

ISASTG

Automatic

Microsoft Software Shadow Copy Provider

SWPRV

Manual

MSSQL$MSFW

MSSQL$MSFW

Automatic

Network Connections

Netman

Manual

Network Location Awareness (NLA)

NLA

Manual

NTLM Security Support Provider

NtLmSsp

Manual

Performance Logs and Alerts

SysmonLog

Automatic

Plug and Play

PlugPlay

Automatic

Protected Storage

ProtectedStorage

Automatic

Remote Access Connection Manager

RasMan

Manual

Remote Desktop Help Session Manager

RDSessMgr

Manual

Remote Procedure Call (RPC)

RpcSs

Automatic

Removable Storage

NtmsSvc

Manual

Routing and Remote Access

None

Manual

Secondary Logon

seclogon

Automatic

Security Accounts Manager

SamSs

Automatic

Server

lanmanserver

Manual

Smart Card

SCardSvr

Manual

System Event Notification

SENS

Automatic

TCP/IP NetBIOS Helper

LmHosts

Automatic

Telephony

TapiSrv

Manual

Terminal Services

TermService

Manual

Virtual Disk Service (VDS)

VDS

Manual

Volume Shadow Copy

VSS

Manual

Windows Installer

MSIServer

Manual

Windows Management Instrumentation

winmgmt

Automatic

Windows Time

W32time

Automatic

Wireless Configuration

WZCSVC

Automatic

WMI Performance Adapter

WmiApSrv

Manual

Workstation

lanmanworkstation

Automatic

Note

The startup mode for the Server service should be Automatic in the following cases:

  • You install ISA Server 2004: Client Installation Share.
  • You use Routing and Remote Access Management, rather than ISA Server Management, to configure a VPN.
  • Other tasks or roles, as described in the preceding table, require the service.

The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.

To function properly, time client applications require that either the Wireless or the Server service is running.

To apply the new template to the ISA Server computer, perform the following steps:

  1. To open Security Templates, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Select Security Configuration and Analysis, click Add, click Close, and then click OK.

  4. In the console tree, click Security Configuration and Analysis.

  5. Right-click Security Configuration and Analysis, and then click Open Database.

  6. Type a new database name, and then click Open.

  7. Select a security template to import, and then click Open. Select the security template that you created previously.

  8. Right-click Security Configuration and Analysis, and then click Configure Computer Now.

Managing Roles and Permissions

Because ISA Server controls access to your network, you should take special care in assigning permissions to the ISA Server computer and related components. Carefully determine who should have permission to log on to the ISA Server computer. Then, configure the logon rights accordingly.

ISA Server allows you to apply administrative roles to users and groups. After you determine which groups are allowed to configure or view ISA Server policy and monitoring information, you can assign roles appropriately.

The following sections detail considerations when assigning administrative roles and permissions.

Administrative Roles

As with any application in your environment, when you define the permissions for ISA Server, you should consider the roles of your ISA Server administrators and assign them only the necessary permissions. To simplify the process, ISA Server uses administrative roles. You can use role-based administration to organize your ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you essentially allow that user permissions to perform specific tasks. A user that has one role, such as ISA Server Full Administrator, can perform specific ISA Server tasks that a user with another role, such as ISA Server Basic Monitoring, cannot perform. Role-based administration involves Windows users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the ISA Server Standard Edition roles.

Standard Edition role Description

ISA Server Basic Monitoring

Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.

ISA Server Extended Monitoring

Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role.

ISA Server Full Administrator

Users and groups assigned this role can perform any ISA Server task, including rule configuration, applying of network templates, and monitoring.

The following table describes the ISA Server Enterprise Edition roles.

Enterprise Edition role Description

ISA Server Array Monitoring Auditor

Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.

ISA Server Array Auditor

Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role in Standard Edition.

ISA Server Array Administrator

Users and groups assigned this role can perform any ISA Server task, including rule configuration, applying of network templates, and monitoring.

ISA Server Enterprise Administrator

Users and groups assigned this role have full control over the enterprise and all array configurations. The Enterprise Administrator can also assign roles to other users and groups.

ISA Server Enterprise Auditor

Users and groups assigned this role can view the enterprise configuration and all array configurations.

Members of these ISA Server administrative groups can be any Windows user. No special privileges or Windows permissions are required. The only exception is that to view the ISA Server performance counters, using perfmon or the ISA Server Dashboard, the user must be a member of the Windows Server 2003 Performance Monitor Users group.

Note that administrators with ISA Server Extended Monitoring permissions can export and import all configuration information, including secret configuration information. This means that they can decrypt secret information.

Users with administrator permissions on the ISA Server computer do not automatically have ISA Server array-level permissions or enterprise-level permissions. You must specifically assign these users the appropriate roles. Note, however, that users that belong to the Administrators group on the Configuration Storage server can essentially control the enterprise configuration. This is because they can directly modify any data on the Configuration Storage server.

To assign administrative roles for ISA Server Standard Edition, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2004 and then click Server_Name.

  3. On the Tasks tab, click Define Administrative Roles.

  4. On the Welcome page of the ISA Server Administration Delegation Wizard, click Next.

  5. Click Add.

  6. In Group (recommended) or User, type the name of the group or user to which the specific administrative permissions will be assigned.

  7. In Role, select the applicable administrative role.

To assign administrative roles for ISA Server Enterprise Edition, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).

  3. On the Tasks tab, click Assign Administrative Roles.

  4. If the computer running the ISA Server services is in a domain, on the Assign Roles tab, click the upper Add button. Then, in Group or User, type the name of the group or user that can access the Configuration Storage server. In Role, select one of the following:

    • ISA Server Array Administrator. Allows the specified group or user full control permissions for the array. The administrator can also view the enterprise policy applied to the array.
    • ISA Server Array Auditor. Allows the specified group or user monitoring permissions and to view the array configuration.
    • ISA Server Array Monitoring Auditor. Allows the specified group or user some monitoring permissions.

  5. If the computer running the ISA Server services is in a workgroup, on the Assign Roles tab, click the lower Add button. Then, in Group or User, type the name of the group or user that can access the Configuration Storage server. In Role, select one of the following:

    • ISA Server Array Administrator. Allows the specified group or user full control permissions for the array. The administrator can also view the enterprise policy applied to the array.
    • ISA Server Array Auditor. Allows the specified group or user monitoring permissions and to view the array configuration.
    • ISA Server Array Monitoring Auditor. Allows the specified group or user some monitoring permissions.

Credentials

When requested to present credentials, use strong passwords. A password is considered strong if it provides an effective defense against unauthorized access. A strong password does not contain all or part of the user account name, and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, or #).

Permissions

Apply the principle of least privilege when configuring permissions for ISA Server administrators, as described in the following section. Carefully determine who is allowed to log on to the ISA Server computer, eliminating access to those who are not critical to the server’s functioning.

Least Privileges

Apply the principle of least privilege, where a user has the minimum privileges necessary to perform a specific task. This helps ensure that, if a user account is compromised, the impact is minimized by the limited privileges held by that user.

Keep the Administrators group and other user groups as small as possible. A user who belongs to the Administrators group on the ISA Server computer, for example, can perform any task on the ISA Server computer.

In Standard Edition, users in the Administrators group are implicitly assigned the role of ISA Server Full Administrator. They have full rights to configure and monitor ISA Server. For more information about roles, see the Administrative Roles section.

In Enterprise Edition, users who belong to the Administrators group on the Configuration Storage server can control the enterprise configuration. They can directly modify any data on the Configuration Storage server.

Logging On and Configuring

When you log on to the ISA Server computer, log on with the least privileged account necessary to do the task. For example, to configure a rule, you should log on as an ISA Server administrator. However, if you only want to view a report, log on with lesser privileges.

In general, use an account with restrictive permissions to perform routine tasks that are unrelated to administration, and use an account with broader permissions only when performing specific administrative tasks.

Guest Accounts

We recommend that you do not enable the Guest account on the ISA Server computer.

When a user logs on to the ISA Server computer, the operating system checks whether the credentials match a known user. If the credentials do not match a known user, the user is logged on as Guest, with the same privileges allowed to the Guest account.

ISA Server recognizes the Guest account as the default All Authenticated Users user set.

Discretionary Access Control Lists

With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs appropriately when you modify administrative roles (for more information, see the Administrative Roles section) and when the ISA Server Control Service (isactrl) is restarted.

Warning

Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.

Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users:

  • Folder for reports (when you select to publish the reports).
  • Configuration files created when exporting or backing up the configuration.
  • Log files that are backed up to a different location.

Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an ODBC connection that will be used by ISA Server, be sure to keep the Data Source Name (DSN) secure.

Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.

If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is "Inherit permission from parent."

Tip

We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions.

Revoking User Permissions

When you revoke administrative permissions for an ISA Server administrator, be sure to also perform the following:

  • On the ISA Server computer, delete the user's account.
  • On the Configuration Storage server (for ISA Server Enterprise Edition), review the Active Directory Application Mode (ADAM) objects. Modify the ownership of objects that belong to the revoked account.
  • Modify the ownership of objects that belong to the revoked account.

Reducing the Attack Surface

To further secure the ISA Server computer, apply the principle of reduced attack surface. To reduce the breadth of your attack surface, follow these guidelines:

  • Do not run unnecessary applications and services on the ISA Server computer. Disable services and functions not critical to the current task, as described in the Hardening the Windows Infrastructure section.
  • Disable ISA Server features that you do not use. For example, if you do not require caching, disable caching. If you do not require the VPN functionality of ISA Server, disable VPN client access.
  • Identify those services and tasks not critical to how you manage your network, and then disable the associated system policy rules.
  • Limit the applicability of the system policy rules to required network entities only. For example, the Active Directory system policy configuration group, enabled by default, applies to all computers on the Internal network. You could limit this to apply only to a specific Active Directory group on the Internal network.

The following sections describe how you can reduce the attack surface of the ISA Server computer.

Disabling ISA Server Features

Depending on your specific networking needs, you may not require the rich set of features included with ISA Server. You should carefully consider your specific needs, and determine whether you need the following:

  • VPN client access
  • Caching
  • Add-ins

If you do not require a specific feature, disable that feature.

VPN Client Access

VPN client access is disabled by default. This means that the relevant system policy rule, named Allow VPN client traffic to ISA Server, is also disabled. The default network rule, named VPN Clients to Internal Network, is enabled, even when VPN client access is disabled. If VPN client access had been previously enabled, you can disable it, if it is not required.

To verify that VPN client access is disabled, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Virtual Private Networks (VPN).

  3. In the details pane, click the VPN Clients tab, and then click Verify that VPN Client Access is Enabled.

  4. On the General tab, verify that Enable VPN client access is not selected.

Caching

Caching is disabled by default. This means that all relevant caching features, including scheduled content download, are disabled. If caching was previously enabled for ISA Server, you can disable it.

To verify that caching is disabled, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Cache:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Cache.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Cache.

  3. In the details pane, for Enterprise Edition, click the Cache Drives tab. For Standard Edition, click the Cache Rules tab.

  4. On the Tasks tab, click Disable caching.

    Note

    If caching is disabled, you will not see the option.

Add-ins

When you install ISA Server, a suite of application filters and Web filters are also installed. You can subsequently install additional add-ins, provided by third-party vendors. Follow these security guidelines:

  • Do not install application filters or Web filters that you do not require.
  • Never install a filter from an untrusted source.
  • Save the dynamic-link library (DLL) associated with the add-in in a protected library (for example, %ProgramFiles%\Microsoft ISA Server). Be sure to configure strict ACLs for this library.
  • Disable application and Web filters that you do not require.

To disable an add-in, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Add-ins:

    • For ISA Server 2004 Enterprise Edition, for array-level add-ins, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Add-ins.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Add-ins.

  3. On the details pane, select the applicable add-in.

  4. On the Tasks tab, click Disable Selected Filters.

System Policy

ISA Server includes a default system policy configuration, which allows use of services commonly required for the network infrastructure to function properly.

In general, from a security perspective, we strongly recommend that you configure the system policy so that access to services that are not required to manage your network is not allowed. After installation, carefully review the system policy rules configured. Similarly, after you perform major administration tasks, review the system policy configuration again.

The following sections describe services that are enabled by system policy rules.

Network Services

When you install ISA Server, basic network services are enabled. After installation, ISA Server can access name resolution servers and time synchronization services on the Internal network.

If the network services are available on a different network, you should modify the applicable configuration group sources to apply to the specific network. For example, suppose the DHCP server is not located on the Internal network, but on a perimeter network. Modify the source for the DHCP configuration group to apply to that perimeter network.

You can modify the system policy, so that only particular computers on the Internal network can be accessed. Alternatively, you can add additional networks, if the services are found elsewhere.

The following table shows the system policy rules that apply to network services.

Configuration group Rule name Rule description

DHCP

Allow DHCP requests from ISA Server to Internal Allow DHCP replies from DHCP servers to ISA Server

Allows the ISA Server computer to access the Internal network using Dynamic Host Configuration Protocol (DHCP) (reply) and DHCP (request).

DNS

Allow DNS from ISA Server to selected servers

Allows the ISA Server computer to access all networks using the Domain Name System (DNS) protocol.

NTP

Allow NTP from ISA Server to trusted NTP servers

Allows the ISA Server computer to access the Internal network using the NTP (UDP) protocol.
DHCP Services

If your DHCP server is not located on the Internal network, you must modify the system policy rule, so that it applies to the network on which the DHCP server is located. For example, if the DHCP server is located on the External network, perform the following procedure.

To modify the system policy rule, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Tasks tab, click Edit System Policy.

  4. In System Policy Editor, in the Configuration Groups tree, click DHCP.

  5. On the From tab, click Add.

  6. In Add Network Entities, select a network object.

    Tip

    We recommend that, if you know the IP address of the DHCP server, create a computer set with just that IP address and select that computer set. We strongly recommend this when the DHCP server is located on an untrusted network.

  7. Click Add, and then click Close.

Authentication Services

One of the fundamental capabilities of ISA Server is the ability to apply a firewall policy to specific users. To authenticate users, however, ISA Server must be able to communicate with the authentication servers. For this reason, by default, ISA Server can communicate with Active Directory servers (for Windows authentication) and with RADIUS servers located on the Internal network.

The following table shows the system policy rules that apply to authentication services.

Configuration group Rule name Rule description

Active Directory

Allow access to directory services for authentication purposes Allow RPC from ISA Server to trusted servers Allow Microsoft CIFS from ISA Server to trusted servers Allow Kerberos authentication from ISA Server to trusted servers

Allows the ISA Server computer to access the Internal network using various Lightweight Directory Access Protocol (LDAP) protocols, remote procedure call (RPC) (all interfaces) protocol, various Microsoft common Internet file system (CIFS) protocols, and various Kerberos protocols, using Active Directory directory service.

RSA SecurID

Allow SecurID authentication from ISA Server to trusted servers

Allows the ISA Server computer to access the Internal network using the RSA SecurID protocol.

RADIUS

Allow RADIUS authentication from ISA Server to trusted RADIUS servers

Allows the ISA Server computer to access the Internal network using various RADIUS protocols.

Certificate Revocation List

Allow HTTP from ISA Server to all networks for CRL downloads

Authentication Services: Allows Hypertext Transfer Protocol (HTTP) from ISA Server to selected networks for downloading updated certificate revocation lists (CRLs).
DCOM

If you require use of the DCOM protocol—for example, to remotely manage the ISA Server computer—be sure that you do not enable Enforce strict RPC compliance.

To verify that Enforce strict RPC compliance is not selected, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Tasks tab, click Edit System Policy.

  4. In System Policy Editor, in the Configuration Groups tree, click Active Directory.

  5. Verify that Enforce strict RPC compliance is not selected.

Tip

DCOM is often required for various services, including remote management and auto-enrollment.

Windows and RADIUS Authentication Services

If you do not require Windows authentication or RADIUS authentication, you should perform the following steps to disable the applicable system policy configuration groups.

To disable the applicable system policy configuration groups, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Tasks tab, click Edit System Policy.

  4. In System Policy Editor, in the Configuration Groups tree, click Active Directory.

  5. On the General tab, verify that Enable is not selected.

    Note

    When you disable the Active Directory system policy configuration group, access to all LDAP protocols is effectively disabled. If you require the LDAP protocols, create an access rule allowing use of these protocols.

  6. Repeat step 4 and step 5 for the RADIUS configuration group.

Tip

If you require only Windows authentication, be sure to configure the system policy, disabling use of all other authentication mechanisms.

RSA SecurID Authentication Services

Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, be sure to enable this configuration group.

CRL Authentication Services

Certificate revocation lists (CRLs) cannot be downloaded by default. This is because the CRL Download configuration group is not enabled by default.

To enable CRL download, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Tasks tab, click Edit System Policy.

  4. In System Policy Editor, in the Configuration Groups tree, click CRL Download.

  5. On the General tab, verify that Enable is selected.

  6. On the To tab, select the network entities from which certificate revocation lists can be downloaded.

All HTTP traffic will be allowed from the Local Host network (the ISA Server computer) to network entities listed on the To tab.

Remote Management

Often, you will manage ISA Server from a remote computer. Carefully determine which remote computers are allowed to manage and monitor ISA Server. The following table shows the system policy rules that should be configured.

Configuration group Rule name Rule description

Microsoft Management Console

Allow remote management from selected computers using MMC Allow MS Firewall Control communication to selected computers

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the MS Firewall Control and RPC (all interfaces) protocols.

Terminal server

Allow remote management from selected computers using Terminal Server

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the RDP (Terminal Services) protocol.

ICMP (Ping)

Allow ICMP (PING) requests from selected computers to ISA Server

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the PING protocol, and vice versa.

By default, the system policy rules allowing remote management of ISA Server are enabled. ISA Server can be managed by running a remote Microsoft Management Console (MMC) snap-in, or by using Terminal Services.

By default, these rules apply to the built-in Remote Management Computers computer set. When you install ISA Server, this empty computer set is created. Add to this empty computer set all computers that will remotely manage ISA Server. Until you do so, remote management is effectively not available from any computer.

Tip

Limit remote management to specific computers by configuring the system policy rules to apply only to specific IP addresses.

To enable remote management, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Toolbox tab, click Network Objects.

  4. Expand Computer Sets, right-click Remote Management Computers, and then click Properties.

  5. Click Add, and then click Computer.

  6. In Name, type the name of the computer.

  7. In Computer IP Address, type the IP address of the computer that can remotely manage ISA Server.

Remote Monitoring and Logging

By default, remote logging and monitoring is disabled. The following configuration groups are disabled by default:

  • Remote Logging (NetBIOS)
  • Remote Logging (SQL)
  • Remote Performance Monitoring
  • Microsoft Operations Manager

The following table provides a description of the configuration groups.

Configuration group Rule name Rule description

Remote logging (NetBIOS)

Allow remote logging to trusted servers using NetBIOS

Allows the ISA Server computer to access the Internal network using various NetBIOS protocols.

Remote Logging (SQL)

Allow remote SQL logging from ISA Server to selected servers

Allows the ISA Server computer to use Microsoft (SQL) protocols to access the Internal network.

Remote Performance Monitoring

Allow remote performance monitoring of ISA Server from trusted servers

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using various NetBIOS protocols.

Microsoft Operations Manager

Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent

Allows the ISA Server computer to access the Internal network using the Microsoft Operations Manager agent.
Enabling Remote Logging and Monitoring

Use the following procedure to enable remote logging and monitoring.

To enable remote monitoring and logging, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Tasks tab, click Edit System Policy.

  4. In System Policy Editor, in the Configuration Groups tree, select one or more of the following configuration groups:

    • Remote Logging (NetBIOS)
    • Remote Logging (SQL)
    • Remote Performance Monitoring
    • Microsoft Operations Manager

  5. On the General tab, verify that Enable is selected.

Firewall Client Share

If you installed the Firewall Client Share component when you installed ISA Server, the Firewall Client Installation Share configuration group is enabled, by default. All computers on the Internal network can access the shared folder. The following table shows the system policy configuration group (and rule) that is enabled.

Configuration group Rule name Rule description

Firewall client setup

Allow access from trusted computers to the Firewall Client installation share on ISA Server

Allows computers on the Internal network to access the ISA Server computer using various Microsoft CIFS and NetBIOS protocols. When you enable this rule, access is allowed to the ISA Server computer using SMB from any network or computer specified. Access is not limited only to the Firewall Client installation shared folder.

If you did not install the Firewall Client Share component, this configuration group is not enabled.

Diagnostic Services

By default, the system policy rules allowing access to diagnostics services are enabled, with the following permissions:

  • ICMP. This is allowed to all networks. This service is important for determining connectivity to other computers.
  • Windows networking. This allows NetBIOS communication, by default to computers on the Internal network.
  • Microsoft error reporting. This allows HTTP access to the Microsoft Error Reporting sites URL set, to allow reporting of error information. By default, this URL set includes specific Microsoft sites.
  • Connectivity verifiers. This allows the ISA Server computer to use HTTP and secure HTTP (HTTPS) protocols to check whether a specific computer is responsive.

The following table shows the system policy configuration groups that are enabled by default.

Configuration group Rule name Rule description

ICMP

Allow ICMP requests from ISA Server to selected servers

Allows the ISA Server computer to access all networks using various ICMP protocols and the PING protocol.

Windows networking

Allow NetBIOS from ISA Server to trusted servers

Allows the ISA Server computer to access all networks using various NetBIOS protocols.

Communication to Microsoft (Microsoft Error Reporting)

Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites

Allows the ISA Server computer to access members of the Microsoft Error Reporting sites URL set using HTTP or HTTPS protocols.
Connectivity Verifiers

In addition, the following diagnostic service is not enabled by default: HTTP Connectivity Verifiers.

When you create a connectivity verifier, the HTTP Connectivity Verifiers configuration group is enabled, allowing the Local Host network to use HTTP or HTTPS to access computers on any other network. The following table describes the HTTP Connectivity Verifiers configuration group.

Configuration group Rule name Rule description

HTTP Connectivity Verifiers

Allow HTTP/HTTPS from firewall to all networks, for HTTP connectivity verifiers

Allows the ISA Server computer to check for connectivity by sending HTTP GET requests to the specified computer.

We recommend that you limit this access to the specific computers whose connectivity you want to verify.

To limit this access, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Tasks tab, click Edit System Policy.

  4. In System Policy Editor, in the Configuration Groups tree, click HTTP Connectivity verifiers.

  5. On the To tab, click All Networks (and Local Host) and then click Remove.

  6. Click Add and then select the network entities whose connectivity you want to verify. All HTTP traffic will be allowed from the Local Host network (the ISA Server computer) to network entities listed on the To tab.

SMTP

By default, the Simple Mail Transfer Protocol (SMTP) configuration group is enabled, allowing SMTP communication from ISA Server to computers on the Internal network. This is required, for example, when you want to send alert information in an e-mail message. The following table describes the SMTP configuration group.

Configuration group Rule name Rule description

SMTP

Allow SMTP from ISA Server to trusted servers

Allows the ISA Server computer to access the Internal network using SMTP.
Scheduled Download Jobs

By default, the scheduled download jobs feature is disabled. The following table describes the Scheduled Download Jobs configuration group.

Configuration group Rule name Rule description

Scheduled Download Jobs

Allow HTTP from ISA Server to selected computers for Content Download Jobs

Allows the ISA Server computer to access all networks using HTTP.

When you create a content download job, you will be prompted to enable this system policy rule. ISA Server will be able to access the sites specified in the content download job.

Accessing the Microsoft Web Site

The default system policy allows HTTP and HTTPS access from the Local Host network (the ISA Server computer) to the Microsoft.com Web site. This is required for:

  • Error reporting (as described in the Diagnostic Services section).
  • Access to useful documentation on the ISA Server Web site and on other related Web sites.

By default, the Allowed Sites configuration group is enabled, allowing ISA Server to access content on specific sites that belong to the System Policy Allowed Sites domain name set. The following table describes the Allowed Sites configuration group.

Configuration group Rule name Rule description

Allowed Sites

Allow HTTP/HTTPS requests from ISA Server to specified sites

Allows the ISA Server computer to access members of the System Policy Allowed Sites URL set using HTTP and HTTPS protocols.

This URL set includes various Microsoft Web sites, by default. You can modify the domain name set to include additional Web sites, which ISA Server will be allowed to access.

To modify the URL set to include additional Web sites, perform the following steps:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.

  3. On the Toolbox tab, click Network Objects.

  4. Expand Domain Name Sets, right-click System Policy Allowed Sites, and then click Properties.

  5. On the General tab, click New, and then type the URL for the specific Web site.

HTTP and HTTPS access will be allowed to the specified Web sites.

Lockdown Mode

A critical function of a firewall is to react to an attack. When an attack occurs, it may seem that the first line of defense is to disconnect from the Internet, isolating the compromised network from malicious outsiders. However, this is not the recommended approach. Although the attack must be handled, normal network connectivity must be resumed as quickly as possible, and the source of the attack must be identified.

The lockdown feature introduced with ISA Server 2004 combines the need for isolation with the need to stay connected. Whenever a situation occurs that causes the Microsoft Firewall service to shut down, ISA Server enters the lockdown mode. This occurs when:

  • An event triggers the Firewall service to shut down. When you configure alert definitions, you decide which events will cause the Firewall service to shut down. Essentially, you configure when ISA Server enters lockdown mode.
  • The Firewall service is manually shut down. If you become aware of malicious attacks, you can shut down the Firewall service, while configuring the ISA Server computer and the network to handle the attacks.

Affected Functionality

When in lockdown mode, the following functionality applies:

  • The Firewall Packet Filter Engine (fweng) applies the firewall policy.
  • Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response, on the same connection.
  • No incoming traffic is allowed, unless a system policy rule that specifically allows the traffic is enabled. The one exception is DHCP traffic, which is always allowed. DHCP requests on UDP port 67 are allowed from the Local Host network to all networks, and DHCP replies on UDP port 68 are allowed back in.
  • The following system policy rules are still applicable:
    • Allow ICMP from trusted servers to the local host.
    • Allow remote management of the firewall using MMC (RPC through port 3847).
    • Allow remote management of the firewall using RDP.
  • VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
  • Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and ISA Server exits lockdown mode. For example, if you physically move a network segment and reconfigure ISA Server to match the physical changes, the new topology is in effect only after ISA Server exits lockdown mode.
  • ISA Server does not trigger any alerts.

Leaving Lockdown Mode

When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning, as previously. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode.