Security Guide

This guide is designed to provide you with essential information about how to harden and securely administer computers running Microsoft® Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition or ISA Server 2006 Standard Edition. In addition to practical, specific configuration recommendations, this guide includes ISA Server deployment strategies.

For computers running the Microsoft Windows Server® 2003 operating system, this guide is a companion to the "Windows Server 2003 Security Guide," located at the Microsoft TechNet Web site. Specifically, many of the procedures in this guide are related directly to security recommendations introduced in the "Windows Server 2003 Security Guide." Therefore, before you perform the procedures presented in this guide, we recommend that you first read the "Windows Server 2003 Security Guide."

Scope of This Guide

This guide focuses explicitly on the operations required to help create and maintain a secure ISA Server 2006 environment. You should use this guide as part of your overall security strategy for ISA Server 2006, and not as a complete reference for creating and maintaining a secure environment.

Specifically, this guide provides detailed answers to the following questions:

  • What are the recommended steps for securing the ISA Server computer?

  • What security considerations should be applied to the ISA Server configuration?

  • What guidance is available to help prepare for a secure ISA Server 2006 deployment?

Securing the ISA Server Computer

An important step in securing ISA Server is verifying that the ISA Server computer is physically safe, and that you apply basic security configuration recommendations. Information about the following topics is provided:

  • Managing updates

  • Physical access

  • Determining domain membership

  • Hardening the Windows infrastructure

  • Managing roles and permissions

  • Reducing the attack surface

  • Lockdown mode

The following sections describe these issues and how to implement security recommendations.

Managing Updates

As a security best practice, we strongly recommend that you always install the latest updates for the operating system, ISA Server, and other components installed by ISA Server, including Microsoft SQL Server™ 2000 Desktop Engine (MSDE 2000) and Office Web Components 2003. Run Windows Update to make sure you have all of the latest updates installed.

We also recommend that you analyze system security periodically, using Microsoft Baseline Security Analyzer (MBSA). You can download MBSA at the Microsoft TechNet Web site.

Physical Access

Ensure that the ISA Server computer is stored in a physically secure location. Physical access to a server is a high security risk. Physical access to a server by an unauthorized user could result in unauthorized access or modification, as well as installation of hardware or software designed to circumvent security. To maintain a secure environment, you must restrict physical access to the ISA Server computer.

If you suspect that the ISA Server computer was compromised, reinstall ISA Server.

Protecting Confidential Information in Case of Theft

For ISA Server Enterprise Edition, the Configuration Storage server and each array member contain encrypted, confidential information about the other array members and about the ISA Server enterprise. The array member also has the keys to decrypt the information.

For this reason, if a Configuration Storage server or an array member is stolen, confidential information about all the array members is potentially at risk. In addition, in the case of theft of a Configuration Storage server, the server could potentially be reconnected to the enterprise and be used to modify the existing configuration.

To mitigate these security issues:

  • If a Configuration Storage server or an array member is stolen, do the following:

  • Modify all confidential information on all the other array members. Confidential information includes user credential passwords (for example, used for logging on to a computer running SQL Server), Remote Authentication Dial-In User Service (RADIUS) shared secrets, or preshared Internet Protocol security (IPsec) keys.

  • Revoke any certificates that were installed on the stolen server. These certificates can be certificates that were installed on array members for Web publishing or site-to-site VPN authentication, and certificates installed on the Configuration Storage server for authentication over a Secure Sockets Layer (SSL)-encrypted channel.

  • In addition, when a Configuration Storage server is stolen and there is a replica Configuration Storage server configured, the stolen Configuration Storage server should be removed from the Active Directory® Application Mode (ADAM) server configuration as a replica set using the RepAdmin tool. For more information about the RepAdmin tool, see the ADAM product documentation.

Determining Domain Membership

In many cases, you may want to set up the ISA Server computer to authenticate domain users. For example, do this if you will create a Web publishing rule that requires authentication to users who are a member of a domain.

To achieve domain authentication, you can install and configure the ISA Server computer using the following methods:

  • Install the ISA Server computer in a separate forest (rather than in the internal forest of your corporate network). You help protect the internal forest from being compromised, even if an attack is mounted on the forest of the ISA Server computer. To experience the administrative and security benefits of ISA Server as a domain member, we recommend that you deploy the ISA Server computer in a separate forest with a one-way trust to the corporate forest.

    Note the following:

    • When you install ISA Server as a domain member, you can lock down the ISA Server computer using Group Policy, rather than by configuring only a local policy.

    • When you install an ISA Server computer in a separate forest or domain, the use of Kerberos constrained delegation is not a viable authentication delegation method. This is because the ISA Server computer and the published Web servers must be in the same domain, and the ISA Server computer and user must be in the same domain.

  • Install the ISA Server computer in a workgroup and configure Lightweight Directory Access Protocol (LDAP) authentication. You help protect the internal domain from being compromised, even if an attack is mounted on the ISA Server computer in the workgroup. For more information about authentication, see "Authentication in ISA Server 2006" at the Microsoft TechNet Web site.

    Note the following:

    • Only Web publishing authentication with the following type of client credentials are available when using LDAP authentication: Basic and forms-based authentication (password only).

    • Firewall Client software depends on access to domain user accounts. Therefore, Firewall Client software will not work in a workgroup setting.

For security reasons, if you do not require domain or Active Directory functionality for the ISA Server computer, consider installing the ISA Server computer in a workgroup. For example, if ISA Server is protecting the edge of the network, consider installing the computer in a workgroup. For more information about installing ISA Server in a workgroup, see "ISA Server Enterprise Edition in a Workgroup" at the Microsoft TechNet Web site.

Hardening the Windows Infrastructure

As previously mentioned, this guide assumes that you applied the configurations recommended in the "Windows Server 2003 Security Guide." Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the IPsec filters or any of the server role policies.

In addition, you should consider ISA Server functionality and harden the operating system accordingly.

Note

We recommend that you harden the Windows infrastructure after you have completely installed ISA Server. For ISA Server Enterprise Edition, install all the necessary Configuration Storage servers and the array members. Then, harden the computers.

Using the Security Configuration Wizard

The Microsoft Windows Server 2003 operating system with Service Pack 1 (SP1) includes an attack surface reduction tool called the Security Configuration Wizard. Depending on the server role you select, the Security Configuration Wizard determines the minimum functionality required, and disables functionality that is not required.

When you install Windows Server 2003 SP1 on the ISA Server computer, you can install the Security Configuration Wizard and use the wizard to harden the computer.

To install the Security Configuration Wizard on a server with Windows Server 2003 with SP1 installed, use the following procedure.

To install the Security Configuration Wizard

  1. Click Start, and then click Run. In the Command Prompt window, type appwiz.cpl, and then click OK to open the Add or Remove Programs dialog box.

  2. Click Add/Remove Windows Components.

  3. Select Security Configuration Wizard and click Next.

Note

You might be prompted for the location of the Windows Server 2003 with SP1 source files.

  1. Click Finished, and then click the Close button for the Add or Remove Programs dialog box.

Note

To update the Security Configuration Wizard to include the ISA Server 2006 server roles, see "How to Update the Security Configuration Wizard for the ISA Server 2006 Server Roles" at the Microsoft TechNet Web site.

The Security Configuration Wizard guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with the Security Configuration Wizard are .xml files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS). The Security Configuration Wizard includes a role for ISA Server computers.

To apply the appropriate ISA Server roles

  1. On the ISA Server computer, click Start, point to Administrative Tools, and then click Security Configuration Wizard.

  2. In the Security Configuration Wizard, on the Welcome page, click Next.

  3. On the Configuration Action page, select Create a new security policy.

  4. On the Select Server page, in Server, type the name or IP address of the ISA Server computer.

  5. On the Processing Security Configuration Database page, click Next.

  6. On the Welcome page of the Role-based Service Configuration page, click Next.

  7. On the Select Server Roles page, select the following, and then click Next:

    • Select Microsoft Internet Security and Acceleration Server 2006, if you are hardening a computer running the ISA Server services (for ISA Server Enterprise Edition, an array member).

    • Select Remote Access/VPN Server, if you will be using the ISA Server computer for virtual private network (VPN) functionality.

    Note

    Do not select any specific server roles when hardening a Configuration Storage server.

  8. On the Select Client Features page, select the default client roles. No special client roles are specifically required for hardening ISA Server. Then, click Next.

  9. On the Select Administration and Other Options page, select the following options:

    1. Select Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition: Configuration Storage, if the Configuration Storage server is installed on this computer (for ISA Server Enterprise Edition only).

    2. Select Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition: Client installation share, if the Firewall Client share is installed on this computer.

    3. Select Remote Access Quarantine Agent, if you will enable quarantine for ISA Server. (You must have selected the Remote Access/VPN Server role in step 7.)

  10. On the Select Additional Services page, select the appropriate services and click Next.

  11. Click Next until you finish the wizard.

For more technical guidance about the Security Configuration Wizard, see "Security Configuration Wizard for Windows Server 2003" at the Microsoft Windows Server System Web site.

To manually harden your computer that is running Windows Server 2003, see Appendix A: Manually Hardening Windows Server 2003.

Managing Roles and Permissions

Because ISA Server controls access to your network, you should take special care in assigning permissions to the ISA Server computer and related components. Carefully determine who should have permission to log on to the ISA Server computer. Then, configure the logon rights accordingly.

ISA Server allows you to apply administrative roles to users and groups. After you determine which groups are allowed to configure or view ISA Server policy and monitoring information, you can assign roles appropriately.

The following sections detail considerations when assigning administrative roles and permissions.

Administrative Roles

As with any application in your environment, when you define the permissions for ISA Server, you should consider the roles of your ISA Server administrators and assign them only the necessary permissions. To simplify the process, ISA Server uses administrative roles. You can use role-based administration to organize your ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you essentially allow that user permissions to perform specific tasks. A user that has one role, such as ISA Server Full Administrator, can perform specific ISA Server tasks that a user with another role, such as ISA Server Basic Monitoring, cannot perform. Role-based administration involves Windows users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the ISA Server Standard Edition roles.

Standard Edition role Description

ISA Server Basic Monitoring

Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.

ISA Server Extended Monitoring

Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role.

ISA Server Full Administrator

Users and groups assigned this role can perform any ISA Server task, including rule configuration, applying of network templates, and monitoring.

The following table describes the ISA Server Enterprise Edition roles.

Enterprise Edition role Description

ISA Server Array Monitoring Auditor

Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.

ISA Server Array Auditor

Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role in Standard Edition.

ISA Server Array Administrator

Users and groups assigned this role can perform any ISA Server task, including rule configuration, applying of network templates, and monitoring.

ISA Server Enterprise Administrator

Users and groups assigned this role have full control over the enterprise and all array configurations. The Enterprise Administrator can also assign roles to other users and groups.

ISA Server Enterprise Auditor

Users and groups assigned this role can view the enterprise configuration and all array configurations.

Members of these ISA Server administrative groups can be any Windows user. No special privileges or Windows permissions are required. The only exception is that to view the ISA Server performance counters, using perfmon or the ISA Server Dashboard, the user must be a member of the Windows Server 2003 Performance Monitor Users group.

Note that administrators with ISA Server Extended Monitoring permissions can export and import all configuration information, including secret configuration information. This means that they can decrypt secret information.

Users with administrator permissions on the ISA Server computer do not automatically have ISA Server array-level permissions or enterprise-level permissions. You must specifically assign these users the appropriate roles. Note, however, that users that belong to the Administrators group on the Configuration Storage server can essentially control the enterprise configuration. This is because they can directly modify any data on the Configuration Storage server.

To assign administrative roles for ISA Server Standard Edition

  1. In the console tree of ISA Server Management, click Microsoft Internet Security and Acceleration Server 2006 and then click Server_Name.

  2. On the Tasks tab, click Define Administrative Roles.

  3. On the Welcome page of the ISA Server Administration Delegation Wizard, click Next.

  4. Click Add.

  5. In Group (recommended) or User, type the name of the group or user to which the specific administrative permissions will be assigned.

  6. In Role, select the applicable administrative role.

To assign administrative roles for ISA Server Enterprise Edition

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, and then click Array_Name.

  2. On the Tasks tab, click Configure Array Properties.

  3. Select the Assign Roles tab

  4. If the computer running the ISA Server services is in a domain, on the Assign Roles tab, click the upper Add button. Then, in Group or User, type the name of the group or user that can access the Configuration Storage server. In Role, select one of the following:

    • ISA Server Array Administrator. Allows the specified group or user full control permissions for the array. The administrator can also view the enterprise policy applied to the array.

    • ISA Server Array Auditor. Allows the specified group or user monitoring permissions and to view the array configuration.

    • ISA Server Array Monitoring Auditor. Allows the specified group or user some monitoring permissions.

  5. If the computer running the ISA Server services is in a workgroup, on the Assign Roles tab, click the lower Add button. Then, in Group or User, type the name of the group or user that can access the Configuration Storage server. In Role, select one of the following:

    • ISA Server Array Administrator. Allows the specified group or user full control permissions for the array. The administrator can also view the enterprise policy applied to the array.

    • ISA Server Array Auditor. Allows the specified group or user monitoring permissions and to view the array configuration.

    • ISA Server Array Monitoring Auditor. Allows the specified group or user some monitoring permissions.

    Note

    When ISA Server is in a workgroup, you need to assign ISA Server roles to mirrored accounts. For more information about mirrored accounts, see the product Help.

Credentials

When requested to set credentials, use strong passwords. A password is considered strong if it provides an effective defense against unauthorized access. A strong password does not contain all or part of the user account name, and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, or #).

Permissions

It is important to provide users with the minimum permission level, while still enabling users to do their jobs. This also applies to assigning permissions to users who will be ISA Server administrators as described in the following section. Carefully determine who is allowed to log on to the ISA Server computer, eliminating access to those who are not critical to the server's functioning.

Least privileges

Apply the principle of least privilege, where a user has the minimum privileges necessary to perform a specific task. This helps ensure that, if a user account is compromised, the impact is minimized by the limited privileges held by that user.

Keep the Administrators group and other user groups as small as possible. A user who belongs to the Administrators group on the ISA Server computer, for example, can perform any task on the ISA Server computer.

In Standard Edition, users in the Administrators group are implicitly assigned the role of ISA Server Full Administrator. They have full rights to configure and monitor ISA Server. For more information about roles, see the Administrative Roles section.

In Enterprise Edition, users who belong to the Administrators group on the Configuration Storage server can control the enterprise configuration. They can directly modify any data on the Configuration Storage server.

Logging on and configuring

When you log on to the ISA Server computer, log on with the least privileged account necessary to do the task. For example, to configure a rule, you should log on as an ISA Server administrator. However, if you only want to view a report, log on with lesser privileges.

In general, use an account with restrictive permissions to perform routine tasks that are unrelated to administration, and use an account with broader permissions only when performing specific administrative tasks.

Guest accounts

We recommend that you do not enable the Guest account on the ISA Server computer.

When a user logs on to the ISA Server computer, the operating system checks whether the credentials match a known user. If the credentials do not match a known user, the user is logged on as Guest, with the same privileges allowed to the Guest account.

ISA Server recognizes the Guest account as the default All Authenticated Users user set.

Discretionary access control lists

With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs appropriately when you modify administrative roles (for more information, see the Administrative Roles section) and when the ISA Server Control Service (isactrl) is restarted.

Warning

Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.

Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users:

  • Folder for reports (when you select to publish the reports).

  • Configuration files created when exporting or backing up the configuration.

  • Log files that are backed up to a different location.

Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure.

Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.

If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is "Inherit permission from parent."

Tip

We recommend that you do not save critical data (such as executable files and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions.

Revoking user permissions

When you revoke administrative permissions for an ISA Server administrator, be sure to also perform the following:

  • On the ISA Server computer, delete the user's account.

  • On the Configuration Storage server (for ISA Server Enterprise Edition), review the ADAM objects.

  • Modify the ownership of objects that belong to the revoked account.

Reducing the Attack Surface

To further secure the ISA Server computer, apply the principle of reduced attack surface. To reduce the breadth of your attack surface, follow these guidelines:

  • Do not run unnecessary applications and services on the ISA Server computer. Disable services and functions not critical to the current task, as described in the Hardening the Windows Infrastructure section.

  • Disable ISA Server features that you do not use. For example, if you do not require caching, disable caching. If you do not require the VPN functionality of ISA Server, disable VPN client access.

  • Identify those services and tasks not critical to how you manage your network, and then disable the associated system policy rules.

  • Limit the applicability of the system policy rules to required network entities only. For example, the Active Directory system policy configuration group, enabled by default, applies to all computers on the Internal network. You could limit this to apply only to a specific Active Directory group on the Internal network.

The following sections describe how you can reduce the attack surface of the ISA Server computer.

Disabling ISA Server Features

Depending on your specific networking needs, you may not require the entire set of features included with ISA Server. You should carefully consider your specific needs, and determine whether you need the following:

  • VPN client access

  • Caching

  • Web proxy

  • Add-ins

If you do not require a specific feature, disable that feature.

VPN client access

VPN client access is disabled by default. This means that the relevant system policy rule, named Allow VPN client traffic to ISA Server, is also disabled. The default network rule, named VPN Clients to Internal Network, is enabled, even when VPN client access is disabled. If VPN client access had been previously enabled, you can disable it, if it is not required.

To verify that VPN client access is disabled

  1. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Virtual Private Networks (VPN).

  2. In the details pane, click the VPN Clients tab, and then click Verify that VPN Client Access is Enabled.

  3. On the General tab, verify that Enable VPN client access is not selected.

Caching

Caching is disabled by default. This means that all relevant caching features, including scheduled content download, are disabled. If caching was previously enabled for ISA Server, you can disable it.

To verify that caching is disabled

  1. In the console tree of ISA Server Management, click Cache:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click Cache.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click Cache.

  2. In the details pane, for Enterprise Edition, click the Cache Drives tab. For Standard Edition, click the Cache Rules tab.

  3. On the Tasks tab, click Disable caching.

Note

If caching is disabled, you will not see the option.

Web proxy

Web proxy is enabled by default and is one of the central deployment scenarios of ISA Server 2006. We recommend that you disable Web proxy in scenarios when Web proxy is not used.

The following is a listing of scenarios when ISA Server does not use the Web proxy service:

  • ISA Server is used only for VPN connections.

  • There is no requirement for the following additional ISA Server features:

  • Caching

  • HTTP compression

  • Application-layer filtering

  • There is another ISA Server computer providing Web proxy services.

To disable Web proxy on an ISA Server computer, you need to create a new protocol with TCP port 80 and verify that Web Proxy Filter is not selected for the new protocol. When you create an access rule to allow HTTP traffic with the new protocol, the following applies:

  • Users must have a default gateway properly defined or use the Firewall Client.

  • Name resolution must be properly defined.

  • Web proxy settings must be cleared.

To re-enable Web proxy, use the original HTTP protocol that ISA Server creates during setup in any access rule.

To disable Web proxy

In the console tree of ISA Server Management, click Firewall Policy:

For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

In the details pane, click the Toolbox tab, and then click Protocols.

Click New and select Protocol.

Type http1, for the Protocol definition name.

Define the Primary Connection Information by clicking New and typing 80 for the From and To properties.

Do not define any Secondary Connections.

Click Finish to create the new protocol.

Note   Do not bind Web Proxy Filter to the created protocol because this will enable Web proxy.

Add-ins

When you install ISA Server, a suite of application filters and Web filters are also installed. You can subsequently install additional add-ins, provided by third-party vendors. Follow these security guidelines:

  • Do not install application filters or Web filters that you do not require.

  • Never install a filter from an untrusted source.

  • Save the dynamic-link library (DLL) associated with the add-in in a protected library (for example, %ProgramFiles%\Microsoft ISA Server). Be sure to configure strict access control lists (ACLs) for this library.

  • Disable application and Web filters that you do not require.

To disable an add-in

  1. In the console tree of ISA Server Management, click Add-ins:

    • For ISA Server 2006 Enterprise Edition, for array-level add-ins, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click Add-ins.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click Add-ins.

  2. On the details pane, select the applicable add-in.

  3. On the Tasks tab, click Disable Selected Filters.

System Policy

ISA Server includes a default system policy configuration, which allows use of services commonly required for the network infrastructure to function properly.

In general, from a security perspective, we strongly recommend that you configure the system policy so that access to services that are not required to manage your network is not allowed. After installation, carefully review the system policy rules. Similarly, after you perform major administration tasks, review the system policy configuration again.

The following sections describe services that are enabled by system policy rules.

For more information about system policy configuration, see "ISA Server System Policy" at the Microsoft TechNet Web site.

Network services

When you install ISA Server, basic network services are enabled. After installation, ISA Server can access name resolution servers and time synchronization services on the Internal network.

If the network services are available on a different network, you should modify the applicable configuration group sources to apply to the specific network. For example, suppose the Dynamic Host Configuration Protocol (DHCP) server is not located on the Internal network, but on a perimeter network. Modify the source for the DHCP configuration group to apply to that perimeter network.

You can modify the system policy so that only particular computers on the Internal network can be accessed. Alternatively, you can add additional networks, if the services are found elsewhere.

The following table shows the system policy rules that apply to network services.

Configuration group Rule name Rule description

DHCP

Allow DHCP requests from ISA Server to Internal

Allow DHCP replies from DHCP servers to ISA Server

Allows the ISA Server computer to access the Internal network using DHCP (reply) and DHCP (request).

DNS

Allow DNS from ISA Server to selected servers

Allows the ISA Server computer to access all networks using the Domain Name System (DNS) protocol.

NTP

Allow NTP from ISA Server to trusted NTP servers

Allows the ISA Server computer to access the Internal network using the NTP (UDP) protocol.

DHCP services

If your DHCP server is not located on the Internal network, you must modify the system policy rule so that it applies to the network on which the DHCP server is located. For example, if the DHCP server is located on the External network, perform the following procedure.

To modify the system policy rule

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click DHCP.

  4. On the From tab, click Add.

  5. In Add Network Entities, select a network object.

    Tip

    We recommend that if you know the IP address of the DHCP server, create a computer set with just that IP address and select that computer set. We strongly recommend this when the DHCP server is located on an untrusted network.

  6. Click Add, click Close, and then click OK.

Authentication Services

One of the fundamental capabilities of ISA Server is the ability to apply a firewall policy to specific users. To authenticate users, however, ISA Server must be able to communicate with the authentication servers. For this reason, by default, ISA Server can communicate with Active Directory servers (for Windows authentication) and with RADIUS servers located on the Internal network.

The following table shows the system policy rules that apply to authentication services. You can disable the rules for authentication types not being used.

Configuration group Rule name Rule description

Active Directory

Allow access to directory services for authentication purposes

Allow RPC from ISA Server to trusted servers

Allow Microsoft CIFS from ISA Server to trusted servers

Allow Kerberos authentication from ISA Server to trusted servers

Allows the ISA Server computer to access the Internal network using various LDAP protocols, remote procedure call (RPC) (all interfaces) protocol, various Microsoft common Internet file system (CIFS) protocols, and various Kerberos protocols, using Active Directory directory service.

RSA SecurID

Allow SecurID authentication from ISA Server to trusted servers

Allows the ISA Server computer to access the Internal network using the RSA SecurID® protocol.

RADIUS

Allow RADIUS authentication from ISA Server to trusted RADIUS servers

Allows the ISA Server computer to access the Internal network using various RADIUS protocols.

Certificate Revocation List (CRL) Download

Allow HTTP traffic from ISA Server to all networks (for CRL downloads)

Allows Hypertext Transfer Protocol (HTTP) from ISA Server to all networks for downloading updated certificate revocation lists (CRLs).

DCOM

If you require use of the DCOM protocol—for example, to remotely manage the ISA Server computer—be sure that you do not enable Enforce strict RPC compliance.

To verify that Enforce strict RPC compliance is not selected

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click Active Directory.

  4. Verify that Enforce strict RPC compliance is not selected.

Tip

DCOM is often required for various services, including remote management and certificate auto-enrollment.

Windows and RADIUS authentication services

If you do not require Windows authentication or RADIUS authentication, you should perform the following steps to disable the applicable system policy configuration groups.

To disable the applicable system policy configuration groups

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click Active Directory.

  4. On the General tab, verify that Enable this configuration group is not selected.

    Note

    When you disable the Active Directory system policy configuration group, access to all LDAP protocols is no longer allowed. If you require the LDAP protocols, create an access rule allowing use of these protocols.

  5. Repeat step 3 and step 4 for the RADIUS configuration group.

    Tip

    If you require only Windows authentication, be sure to configure the system policy, disabling use of all other authentication mechanisms.

RSA SecurID authentication services

Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, be sure to enable this configuration group.

CRL authentication services

Certificate revocation lists (CRLs) cannot be downloaded by default. This is because the CRL Download configuration group is not enabled by default.

To enable CRL download

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click CRL Download.

  4. On the General tab, verify that Enable this configuration group is selected.

  5. On the To tab, select the network entities from which CRLs can be downloaded.

Important

The most common method to download the CRL is via HTTP. Therefore, when you enable CRL Download, all HTTP traffic will be allowed from the Local Host network (the ISA Server computer) to network entities listed on the To tab. If your certificates use another protocol to download the CRL, you need to create an access rule for these protocols.

Remote management

Often, you will manage ISA Server from a remote computer. Carefully determine which remote computers are allowed to manage and monitor ISA Server. The following table shows the system policy rules that should be configured.

Configuration group Rule name Rule description

Microsoft Management Console

Allow remote management from selected computers using MMC

Allow MS Firewall Control communication to selected computers

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the MS Firewall Control and RPC (all interfaces) protocols.

Terminal server

Allow remote management from selected computers using Terminal Server

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the RDP (Terminal Services) protocol.

Web Management

Allow remote management from selected computers using a Web application

Allows remote management from selected computers using a Web application.

ICMP (Ping)

Allow ICMP (PING) requests from selected computers to ISA Server

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using the PING protocol, and vice versa.

By default, the system policy rules allowing remote management of ISA Server are enabled except for the Web Management configuration group. ISA Server can be managed by running a remote Microsoft Management Console (MMC) snap-in, or by using Terminal Services.

By default, these rules apply to the built-in Remote Management Computers computer set. When you install ISA Server, this empty computer set is created. Add to this empty computer set all computers that will remotely manage ISA Server. Until you do so, remote management is effectively not available from any computer.

Tip

Limit remote management to specific computers by configuring the Remote Management Computers computer set.

To enable remote management

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. Expand Computer Sets, right-click Remote Management Computers, and then click Properties.

  4. Click Add, and then click Computer.

  5. In Name, type the name of the computer.

  6. In Computer IP Address, type the IP address of the computer that can remotely manage ISA Server.

Note

When you create an array during the installation of ISA Server Firewall services, the Configuration Storage server is automatically added to the Remote Management Computers computer set. If you create the array before installing the ISA Server firewall, you will need to manually add the Configuration Storage server to the Remote Management Computers computer set.

Remote logging and monitoring

By default, remote logging and monitoring are disabled. Only the SMTP configuration group is enabled by default, allowing Simple Mail Transfer Protocol (SMTP) communication from ISA Server to computers on the Internal network. This is required, for example, when you want to send alert information in an e-mail message. The following configuration groups are disabled by default:

  • Remote Logging (NetBIOS)

  • Remote Logging (SQL)

  • Remote Performance Monitoring

  • Microsoft Operations Manager

The following table provides a description of the configuration groups.

Configuration group Rule name Rule description

Remote Logging (NetBIOS)

Allow remote logging to trusted servers using NetBIOS

Allows the ISA Server computer to access the Internal network using various NetBIOS protocols.

Remote Logging (SQL)

Allow remote SQL logging from ISA Server to selected servers

Allows the ISA Server computer to use Microsoft (SQL) protocols to access the Internal network.

Remote Performance Monitoring

Allow remote performance monitoring of ISA Server from trusted servers

Allows computers in the Remote Management Computers computer set to access the ISA Server computer using various NetBIOS protocols.

Microsoft Operations Manager

Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent

Allows the ISA Server computer to access the Internal network using the Microsoft Operations Manager agent.

SMTP

Allow SMTP from ISA Server to trusted servers

Allows the ISA Server computer to access the Internal network using SMTP.

Enabling remote logging and monitoring

Use the following procedure to enable remote logging and monitoring.

To enable remote logging and monitoring

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, select one or more of the following configuration groups:

    • Remote Logging (NetBIOS)

    • Remote Logging (SQL)

    • Remote Performance Monitoring

    • Microsoft Operations Manager

    • SMTP

  4. On the General tab, verify that Enable this configuration group is selected.

Diagnostic services

By default, the system policy rules allowing access to diagnostics services are enabled, except for the HTTP Connectivity verifiers group, with the following permissions:

  • ICMP. This is allowed to All Networks (and Local Host). This service is important for determining connectivity to other computers.

  • Windows Networking. This allows NetBIOS communication, by default to computers on the Internal network.

  • Microsoft Error Reporting. This allows HTTP access to the Microsoft Error Reporting sites URL set, to allow reporting of error information. By default, this URL set includes specific Microsoft sites, and should not be modified.

  • HTTP Connectivity verifiers. This allows the ISA Server computer to use HTTP and Secure HTTP (HTTPS) protocols to check whether a specific computer is responsive.

The following table shows the system policy configuration groups that are enabled by default.

Configuration group Rule name Rule description

ICMP

Allow ICMP requests from ISA Server to selected servers

Allows the ISA Server computer to access all networks using various ICMP protocols and the PING protocol.

Windows networking

Allow NetBIOS from ISA Server to trusted servers

Allows the ISA Server computer to access all networks using various NetBIOS protocols.

Communication to Microsoft (Microsoft Error Reporting)

Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites

Allows the ISA Server computer to access members of the Microsoft Error Reporting sites URL set using HTTP or HTTPS protocols.

In addition, the following diagnostic service is not enabled by default: HTTP Connectivity verifiers.

When you create a connectivity verifier, the HTTP Connectivity verifiers configuration group is enabled, allowing the Local Host network to use HTTP or HTTPS to access computers on any other network. The following table describes the HTTP Connectivity verifiers configuration group.

Configuration group Rule name Rule description

HTTP Connectivity verifiers

Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers

Allows the ISA Server computer to check for connectivity by sending HTTP GET requests to the specified computer.

We recommend that you limit this access to the specific computers whose connectivity you want to verify.

To limit this access

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click HTTP Connectivity verifiers.

  4. On the To tab, click All Networks (and Local Host) and then click Remove.

  5. Click Add and then select the network entities whose connectivity you want to verify. All HTTP traffic will be allowed from the Local Host network (the ISA Server computer) to network entities listed on the To tab.

Scheduled download jobs

By default, the scheduled download jobs feature is disabled. The following table describes the Scheduled Download Jobs configuration group.

Configuration group Rule name Rule description

Scheduled Download Jobs

Allow HTTP from ISA Server to selected computers for Content Download Jobs

Allows the ISA Server computer to access all networks using HTTP.

When you create a content download job, you will be prompted to enable this system policy rule. ISA Server will be able to access the sites specified in the content download job.

Allowed sites

The default system policy allows HTTP and HTTPS access from the Local Host network (the ISA Server computer) to the Microsoft.com Web site. This is required for:

  • Error reporting (as described in the Diagnostic services).

  • Maintenance and management.

By default, the Allowed Sites configuration group is enabled, allowing ISA Server to access content on specific sites that belong to the System Policy Allowed Sites domain name set. The following table describes the Allowed Sites configuration group.

Configuration group Rule name Rule description

Allowed Sites

Allow HTTP/HTTPS requests from ISA Server to specified sites

Allows the ISA Server computer to access members of the System Policy Allowed Sites URL set using HTTP and HTTPS protocols.

This URL set includes various Microsoft Web sites, by default. You cannot modify the System Policy Allowed Sites domain set, however you can create a new Domain Name Set and add it to Allowed Sites system policy group to include additional Web sites, which ISA Server will be allowed to access.

To modify the URL set to include additional Web sites

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click Allowed Sites.

  4. On the To tab, click Add, and then select the required domain name set.

HTTP and HTTPS access will be allowed to the specified Web sites.

Lockdown Mode

A critical function of a firewall is to react to an attack. When an attack occurs, it may seem that the first line of defense is to disconnect from the Internet, isolating the compromised network from malicious outsiders. However, this is not the recommended approach. Although the attack must be handled, normal network connectivity must be resumed as quickly as possible, and the source of the attack must be identified.

The lockdown feature combines the need for isolation with the need to stay connected. Whenever a situation occurs that causes the Microsoft Firewall service to shut down, ISA Server enters lockdown mode. This occurs when:

  • An event triggers the Firewall service to shut down. When you configure alert definitions, you decide which events will cause the Firewall service to shut down. Essentially, you configure when ISA Server enters lockdown mode.

  • The Firewall service is manually shut down. If you become aware of malicious attacks, you can shut down the Firewall service, while configuring the ISA Server computer and the network to handle the attacks.

Affected Functionality

When in lockdown mode, the following functionality applies:

  • The Firewall Packet Filter Engine (fweng) applies the firewall policy.

  • Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response, on the same connection.

  • No incoming traffic is allowed, unless a system policy rule that specifically allows the traffic is enabled. The one exception is DHCP traffic, which is always allowed. DHCP requests on User Datagram Protocol (UDP) port 67 are allowed from the Local Host network to all networks, and DHCP replies on UDP port 68 are allowed back in.

  • The following system policy rules are still applicable:

    • Allow ICMP from trusted servers to the local host.

    • Allow remote management of the firewall using MMC (RPC through port 3847).

    • Allow remote management of the firewall using RDP.

  • VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.

  • Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and ISA Server exits lockdown mode. For example, if you physically move a network segment and reconfigure ISA Server to match the physical changes, the new topology is in effect only after ISA Server exits lockdown mode.

  • ISA Server does not trigger any alerts.

Leaving Lockdown Mode

When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning, as previously. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode.

Securing the Configuration

When you configure the ISA Server firewall policy in conjunction with your corporate security policy, follow the principle to deny all traffic that is not explicitly allowed. ISA Server by default implements this policy. A default firewall policy rule, named Default rule, denies access by all users to all networks. Because this rule is processed last, any traffic not explicitly allowed will be denied.

Security Best Practices for Enterprise Management

ISA Server 2006 Enterprise Edition introduces a multi-tiered architecture, in which configuration information is stored on the Configuration Storage server. Array members communicate with the Configuration Storage server to get up-to-date configuration information. In addition, array members communicate with each other. To help secure this deployment model, follow the security best practices listed in this topic.

Securing the Configuration Storage Server

To secure the Configuration Storage server, follow these guidelines:

  • We recommend that you install the Configuration Storage server on a dedicated computer that is not used for additional tasks.

  • Safeguard the security of the Configuration Storage server. Ensure that the computer is physically secure.

  • After you create administrator roles, avoid performing any tasks on the Configuration Storage server. Changes to the Configuration Storage server should be done using Enterprise Administrator credentials on an ISA Server array computer or remote management computer.

  • Users that belong to the Administrators group on the Configuration Storage server effectively have Enterprise Administrator permissions. This is because they can directly modify any data on the Configuration Storage server.

  • We recommend that you do not place the Configuration Storage server at the edge of the network. Rather, place it behind a computer running ISA Server services, which will help protect it from potential attacks.

  • Audit changes to permissions on the Configuration Storage server.

  • When possible, we recommend deploying a Configuration Storage server only in the corporate headquarters, and not in the branch offices. For example, if a branch office has a good connection to headquarters, you should deploy a Configuration Storage server in headquarters to ensure a secured physical location for the Configuration Storage server. However, you may require a Configuration Storage server in the branch office when its network connection to headquarters is slow and there is a secured physical location for the Configuration Storage server at the branch office.

Firewall account lockout

The Configuration Storage server recognizes each ISA Server array member by a unique account, especially created for this purpose. This account is not subject to account lockout, thus preventing potential denial of service attacks.

The default password on this account, created when you install the array member, is a strong password. If you change this password, we recommend that you configure a strong password.

Securing Intra-Array Communication

To secure intra-array communication, follow these guidelines:

  • Upon installation, a pair of private and public keys are created for each array member. These keys are used to transfer confidential data between array members. If you believe that the keys have been compromised, create a new key pair by uninstalling and then installing ISA Server.

  • We recommend that you use a dedicated network adapter in a network used only for intra-array communication.

Validating Configuration After Upgrade

ISA Server 2004 policy can be upgraded to ISA Server 2006. After you have upgraded to ISA Server 2006, carefully review the upgraded policy, making sure that the firewall policy is still configured in accordance with your organization's security policy.

For more information about upgrading to ISA Server 2006, see "Upgrading to ISA Server 2006 Standard Edition" at the Microsoft TechNet Web site and "Upgrading to ISA Server 2006 Enterprise Edition" at the Microsoft TechNet Web site.

Validating the Firewall Policy Configuration

After you create a firewall policy, we recommend that you actively check the policy. Validate that traffic that you want to pass through is being allowed. Also validate that only applicable ports are open.

For example, use port scanning to verify that only the applicable ports are actually open.

Local Domains

We recommend that you include all local domain names in the domains that are considered local to the Internal network. Otherwise, ISA Server may send a name resolution request to an external DNS server, thereby potentially exposing names of internal domains.

To configure the local domain table

  1. In the console tree of ISA Server Management, click Networks:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click Networks.

  2. In the details pane, click the Networks tab, and then select the Internal network.

  3. On the Tasks tab, click Edit Selected Network.

  4. On the Domains tab, click Add. Then, type the domain name in the Enter a domain name to include box.

Backing Up and Restoring

ISA Server includes an export and import feature that enables you to back up and restore configuration information. The configuration parameters can be exported and stored locally in an .xml file. You can save your configuration to any folder and file name. The exported .xml file may contain sensitive information and should be stored accordingly.

When you restore a configuration file, you potentially change the existing firewall policy. For this reason, take special care that you use only trusted configuration files when restoring (importing) the configuration information.

Virtual Private Networking

It is important to follow best practices for security when using ISA Server 2006 as a virtual private network (VPN) server. The following is a list of recommendations for securing your ISA Server computer in its role as a VPN server:

  • Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPsec) connections are recommended for the strongest encryption. We recommend that you implement and enforce a strong password policy, thereby reducing the chance of a dictionary attack. When you implement such a policy, you can disable account lockout, thereby reducing the chance that an attacker will trigger account lockout.

  • Consider requiring your remote VPN clients to run particular operating systems (such as Microsoft Windows Server 2003 or Windows XP). Not all operating systems have equal levels of security in their file systems and in their user accounting. Also, not all remote access features are available on all operating systems.

  • Use authentication methods that provide adequate security. The most secure method of authentication is Extensible Authentication Protocol-Transport Level Security (EAP-TLS) when used in conjunction with smart cards.

  • Use the ISA Server Quarantine Control feature to provide phased network access for remote VPN clients. With Quarantine Control, clients are restricted to a quarantine mode before allowed access to the network. Although Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network.

Virus Protection with VPN

Virus infected VPN client computers are not automatically blocked from flooding the ISA Server computer or the networks it protects with requests. To prevent this occurrence, implement monitoring practices to detect anomalies such as alerts or unusual peaks in traffic loads, and configure alert notification to use e-mail messages. If an infected VPN client computer is identified, either:

  • Use the remote access policy to exclude the user from the VPN clients who are allowed to connect.

  • Restrict VPN access by IP address. Do this by creating a new network to contain external IP addresses that are blocked, and move the IP address of the client out of the External network to the new network.

Flood mitigation

ISA Server 2006 can help you detect and mitigate the virus outbreaks and subsequent flooding of connections that are a prevalent corporate reality. The ISA Server flood mitigation features include various functions, which you can configure and monitor to help ensure that your network stays protected from malicious attacks. By default, flood mitigation is enabled with default settings and is configured to log traffic blocked by the flood mitigation settings.

To modify or view flood mitigation settings

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click General.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click General.

  2. In the details pane, click Configure Flood Mitigation Settings.

  3. Click Edit to modify the values of the desired setting.

Authentication for VPN

Use authentication methods that provide adequate VPN security.

Client access VPN

The most secure method of authentication is Extensible Authentication Protocol-Transport Level Security (EAP-TLS) when used in conjunction with smart cards. Despite the deployment challenges involved in using EAP-TLS and smart cards, which require a public key infrastructure (PKI), this is considered the most secure authentication method. Enable EAP-TLS, which is disabled by default on the profile of a remote access policy.

When you use the EAP-TLS authentication protocol, you must install a computer certificate on the Internet Authentication Service (IAS) server. For client and user authentication, you can install a certificate on the client computer, or you can use smart cards. Before you deploy certificates, you must design the certificate with the correct requirements.

If you use password-based authentication, enforce strong password policies on your network to make dictionary attacks more difficult.

Consider requiring your remote VPN clients to be authenticated with more secure authentication protocols, such as Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol (EAP), rather than allowing them to use protocols such as Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP), and Challenge Handshake Authentication Protocol (CHAP).

We strongly recommend that PAP, SPAP, and CHAP be disabled. PAP, SPAP, and CHAP are disabled by default.

Site-to-site VPN

The use of certificates for authentication of site-to-site VPN connections is the recommended deployment scenario. The following security considerations need to be addressed when using certificates:

  • You should use a dedicated internal certification authority (CA) to issue the required certificates for site-to-site VPN connections. This is due to the fact that IPsec does not match the name of the certificate to the name of the site. If the certificates come from the same CA, this is sufficient for authentication.

  • Enforce certificate revocation list (CRL) checking. By default, IPsec will attempt to download the CRL from the issuing CA during the establishment of the VPN connection. If the CRL cannot be downloaded for any reason, IPsec still considers the certificate to be valid and allows the establishment of the VPN connection. If an array member is stolen, the system or the exported certificate could potentially be used to establish a site-to-site VPN connection with another array member even if the certificate has been revoked. To mitigate this risk, configure StrongCRLCheck checking on all array members. StrongCRLCheck checking forces the array member to check the validity of each certificate that is presented against the CRL. If the array member cannot download the CRL, the certificate is considered to be not valid and the connection will be refused.

To configure StrongCRLCheck

  1. Configure an additional CRL distribution point on the issuing CA. The host name used in the CRL distribution point should be resolvable on the Internet.

  2. Reduce the validity period of a CRL. The validity period of a CRL is the period of time that the CRL is considered authoritative by a verifier of a certificate. As long as the verifier of a certificate has a valid CRL in its local cache, it will not attempt to retrieve another CRL from the CA. The validity period of a CRL is based upon the CRL publishing interval plus a maximum of 10 percent to allow for replication. The default CRL publishing interval is one week. For more information about CRL distribution points, CRL publishing, and certificate revocations, see Windows Server 2003 product Help.

  3. Reissue all certificates already issued, to include the new CRL distribution point value in the certificate.

  4. Publish the new CRL distribution point to the Internet using the ISA Server Web Publishing Wizard.

  5. Specify that the VPN tunnel cannot be established unless the certificate has been checked against the CRL:

    • Set the StrongCRL value in the registry, under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\ key, add a new Oakley subkey, with a DWORD entry: StrongCRLCheck, and assign it a value of 2.    
  6. Then restart the Policy Agent service and the Microsoft Firewall service.

    Note

    When the Policy Agent is stopped and restarted, the IPsec site-to-site VPN connection no longer functions correctly. TCP SYN and UDP packets will leave ISA Server in plain text and any replies will be dropped by ISA Server because they are in plain text. To correct this issue, after restarting the Policy Agent, stop and start the Microsoft Firewall service or restart the server.

Note

By default, IPsec will wait 10 seconds to complete the CRL retrieval process. If the CRL cannot be retrieved at that time, IPsec will cause the authentication to fail when StrongCRLCheck has been set to a value of 2. On a connection with slow links, this can cause a site-to-site VPN connection to fail.

For more information about IPsec, see "How IPSec Works" at the Microsoft TechNet Web site.

IPsec Traffic

ISA Server does not block any encapsulating security payload (ESP) or authentication header traffic, which is part of IPsec traffic. Furthermore, such traffic is never considered spoofed, because these protocols are considered secure by design.

Branch Office VPN Connectivity Wizard Answer File

After a site-to-site VPN network has been created, an ISA Server administrator can create an answer file by running the Create Answer File for Remote VPN site task. The answer file can be used when running the Branch Office VPN Connectivity Wizard.

Important

The answer file contains confidential information and should be treated accordingly. Transfer the answer file to the branch office ISA Server computer only in a secure way.

Network Load Balancing

For Enterprise Edition, for Network Load Balancing (NLB), follow these guidelines:

  • When you enable NLB, follow the security best practices detailed in "Network Load Balancing: Security Best Practices for Windows 2000 and Windows Server 2003" at the Microsoft TechNet Web site.

  • When you enable NLB, place a router in front of the NLB-enabled array. Configure the router so that it blocks raw IP traffic. Otherwise, all the array members will handle the traffic simultaneously.

  • When NLB is enabled, it synchronizes array members by using pure Ethernet protocol communication. This low-level traffic is not protected by ISA Server. To help secure that traffic, we strongly recommend that you place a Layer-3 router between the Internet and the NLB-enabled array. Also, place a Layer-3 router between the ISA Server computers and any network with untrusted computers.

  • This Layer-3 router will not allow the low-level Ethernet protocol to pass, thereby helping protect the array from potentially malicious Ethernet traffic from the Internet, intended to disrupt the operation of NLB.

Cache Array Routing Protocol

For Enterprise Edition, when you enable Cache Array Routing Protocol (CARP), follow these guidelines:

  • We recommend that you deploy a dedicated network for intra-array communication, and use this network for CARP communication. Otherwise, use a dedicated network for CARP communication. Configure IPsec for this network.

  • Networks for which CARP is enabled should be accessible only to array members.

The link translation feature of ISA Server 2006 translates HTTP headers, regardless of whether link translation is enabled. This implies that when you publish a Web server, specifying that Any domain name can be used, an attacker could send malicious content in the header. If the published server redirects requests to a page on any computer, the response could be poisoned. (It would be modified to contain the URL from the header sent by the attacker.) If this page is cached by a downstream server, a user accessing the page would be redirected to the Web site configured by the attacker.

For this reason, we recommend that you specify specific domain names to which the Web publishing rule applies.

To specify specific domain names

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. In the details pane, select the applicable Web publishing rule.

  3. On the Tasks tab, click Edit Selected Rule.

  4. On the Public Name tab, under This rule applies to, select Requests for the following Web sites.

  5. Click Add.

  6. In Public domain name or IP address, type the specific domain name to which the Web publishing rule should apply.

Flood Mitigation

ISA Server limits the number of connections at any given time. You can configure the limit, specifying a maximum number of concurrent connections. When the maximum number of connections has been reached, any new client requests for that Web listener will be denied.

You can limit the total number of UDP, ICMP, and other Raw IP session creations allowed by a server publishing or access rule, per second. These limitations do not apply to TCP connections. When the specified number of connections is surpassed, new connections will not be created. Existing connections will not be disconnected.

The following table lists the flood mitigation properties and the default settings.

Property Default value

Maximum TCP connect requests per minute per IP address

Limit: 600

Maximum concurrent TCP connections per IP address

Limit: 160

Maximum half-open TCP connections

Limit: 80

Not configurable

Maximum HTTP requests per minute per IP address

Limit: 600

Maximum new non-TCP sessions per minute per rule

Limit: 1,000

Maximum concurrent UDP sessions per IP address

Limit: 160

Specify how many denied packets trigger an alert

Limit: 600

We strongly recommend that you do not change these preconfigured limits. If you must modify the connection limits, make small incremental changes until you reach the desired effect.

To configure connection limits

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click General.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click General.

  2. In the details pane, click Configure Flood Mitigation Settings.

  3. Select Edit for the desired property and change to the desired value.

Forms Customization

You can specify a different folder for forms than the default folder provided by ISA Server 2006. All the files found in the folder where you create your customized forms are accessible by anonymous users. You need to make sure that none of the files in the specified folder contain sensitive information.

ISA Server Management

The ISA Server Management Microsoft Management Console (MMC) snap-in stores sensitive files in the user's Documents and Settings folder on the console computer. To secure these files, ISA Server Management should be installed on a computer whose system drive is formatted for the NTFS file system.

Custom Protocols

When creating a custom protocol, carefully configure the use of secondary connection ranges. If the configured secondary range overlaps with ports already defined on the ISA Server firewall, a connection to a different server could potentially be established on one of the defined secondary ports, after a session is created on the primary port.

To mitigate this risk:

  • Confirm that the secondary protocol port range does not overlap with a well-known ISA Server port or port range.

  • Use a server publishing rule to publish an application and not an access rule.

Note

If you are developing applications, you should follow the Secure Winsock Programming standards, available at the MDSN Web site.

Web Publishing

This section discusses security issues specific to Web publishing.

Kiosk Stations

Users should be educated to properly log off from kiosks or public workstations. This is especially important when using published applications that do not have a logoff button and when single sign on (SSO) is configured.

If a user is accessing a published application, a cookie is stored on the local computer. If the application does not have a logoff button, and the user browses to another Web page and then leaves the kiosk without logging off, the cookie is still on the computer and still valid. Another user could use this cookie to access any other published application that has been configured as an SSO published application.

The following best practices should be used when using public computers to access the Internet:

  • Do not select This is a private computer.

  • Perform logoff on published applications, if available.

  • Delete cookies after you finish using published applications.

  • Delete temporary Internet files.

  • Delete temporary files that Office created when working with Microsoft Office SharePoint® Portal Server.

  • Delete any files that were manually downloaded to the kiosk.

  • Close all browser windows.

  • Log off from Windows, if possible.

Important

When a Web listener is configured to use persistent cookies, ISA Server downloads a persistent cookie to the user’s computer after the user has successfully authenticated. A persistent cookie will remain on the user’s computer even when the user closes the browser. This cookie could be used by an unauthorized user to gain access to the published applications. Persistent cookies are more susceptible to being used by spyware applications. A non-persistent cookie, also known as a session cookie, is only valid for the browser window that the cookie was created for. When the browser window is closed, non-persistent session cookies are deleted and cannot be used by an unauthorized user. Note that when a non-persistent session cookie is used, the user will be prompted to authenticate every time a new window is opened, such as when opening an Office Word document from a SharePoint Portal Server portal, which might be confusing to the user. For more information about cookie settings, see ISA Server Help.

Single Sign On

The following sections discuss security items with SSO.

Single sign on domain

When enabling SSO, be sure to provide a specific SSO domain. Providing a generic domain, such as .co.uk, will allow the Web browser to send the ISA Server SSO cookie to any Web site in that domain, creating a security risk.

Single sign on and session riding

You should ensure that your Web application is designed to resist session riding attacks (also known as cross-site-posting, cross-site-request-forgery, or luring attacks) before publishing the application using ISA Server.

Domain Name

We do not recommend publishing two sites with the same host name. If you had two internal Web sites, https://site1 and https://site2, do not publish them using the same host name, https://external.contoso.com/site1 and https://external.contoso.com/site2.

The more secure publishing method is to publish each site with a unique host name, https://site1.contoso.com and https://site2.contoso.com. Publishing each Web site with a unique host name isolates each application, limiting the security risks to an application in case a vulnerability is found in one of the applications.

Web Server Farms

ISA Server 2006 can publish a group of servers hosting the same data, also known as a server farm. When you protect your server farm with ISA Server 2006, you will distribute client requests between the Web servers while maintaining client affinity. We recommend that the servers in the server farm be located on a separate network from the users, to ensure that ISA Server can properly determine when the servers are available and not available.

Firewall Clients

ISA Server supports a more secure way of communication between the Firewall client and ISA Server, which involves the use of encryption using a TCP control channel. We recommend that you configure ISA Server to accept connections only from clients communicating in this secure way. This includes using the Firewall Client software for ISA Server 2006 computers. Note that this prevents versions of Firewall Client software prior to ISA Server 2004 from connecting.

To configure Firewall clients

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click General.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click General.

  2. In the details pane, click Define Firewall Client Settings.

  3. On the Connection tab, verify that Allow non-encrypted Firewall client connections is not selected.

Firewall Chaining

When configuring firewall chaining, we recommend that you use IPsec to secure the communication channel between the ISA Server computer and the upstream server.

Securing the Deployment

The first step in securing ISA Server is verifying that the ISA Server computer is physically safe and that you apply basic security configuration recommendations.

After you secure the ISA Server computer and apply security guidelines when configuring the policy on the server, you should consider how to deploy the network infrastructure. This section describes security guidelines to consider when deploying a network secured by ISA Server.

Securing the Network Environment

To secure the network environment, perform the following:

  • Protect against Layer 2 attacks by deploying security solutions such as Layer 2 IDS and static MAC or port associations on switches.

  • Where possible, configure IPsec in the network.

  • To help protect from man-in-the-middle attacks on the Address Resolution Protocol (ARP) cache, we recommend that you place a router before the ISA Server computer. This is because ARP packets cannot be routed through a router. When ISA Server shares a physical network with an untrusted network, we recommend that you configure ISA Server to perform static ARP. For optimal security, we recommend that you add a static ARP entry for the default gateway and on other hosts on the same physical network.

  • Do not install Internet Protocol version 6 (IPv6) on an ISA Server computer. ISA Server does not inspect IPv6 traffic. IPv6 traffic will pass without inspection through an ISA Server computer.

For Enterprise Edition:

  • A dedicated network is recommended for intra-array communications.

  • For an NLB-enabled network, a router should be used.

Authentication

We strongly recommend that you use a secure connection, such as Secure Sockets Layer (SSL), with any authentication method.

Client Authentication

When HTTP authentication is used to connect to the ISA Server firewall without SSL, the request is potentially subject to a man-in-the-middle attack. The request could be altered by an attacker, during or after authentication.

To mitigate this attack, use HTTP authentication only with SSL-enabled connections.

Using RADIUS Servers

Remote Authentication Dial-In User Service (RADIUS) is an industry standard protocol used to provide authentication. A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates the RADIUS client request, and sends back a RADIUS message response.

We recommend that you configure the RADIUS server as follows:

  • If you are using a RADIUS server for authentication, create a connectivity verifier that monitors the server status. Configure the alerts so that an appropriate action is taken when the RADIUS server is not available.

  • Untrusted users should not have access to the network between a RADIUS server and ISA Server. If untrusted users must have access, use IPsec on this network.

  • Use IPsec to provide additional security for RADIUS clients and servers.

Web proxy-based authentication

The only authentication method for RADIUS authentication for Web publishing and Web proxy is PAP.

VPN authentication

In addition, follow these guidelines when implementing a VPN or firewall policy that requires RADIUS authentication:

  • The RADIUS User-Password hiding mechanism might not provide sufficient security for passwords. The RADIUS hiding mechanism uses the RADIUS shared secret, the Request Authenticator, and the use of the MD5 hashing algorithm to encrypt the User-Password and other attributes, such as Tunnel-Password and MS-CHAP-MPPE-Keys. RFC 2865 notes the potential need for evaluating the threat environment and determining whether additional security should be used.

  • You can provide additional protection for hidden attributes by using IPsec with Encapsulating Security Payload (ESP) and an encryption algorithm, such as Triple DES (3DES), to provide data confidentiality for the entire RADIUS message. Follow these recommended guidelines:

    • Use IPsec to provide additional security for RADIUS clients and servers.

    • Require the use of strong user passwords.

    • Use authentication counting and account lockout to help prevent a dictionary attack against a user password.

    • Use a long shared secret with a random sequence of letters, numbers, and punctuation. Change it often to help protect your IAS server.

  • When you use password-based authentication, enforce strong password policies on your network to make dictionary attacks more difficult.

  • When user names are specified in any language other than English, ISA Server uses the current code page installed on the ISA Server computer to translate the user data. The user can be authenticated only if the client also uses the same code page.

  • If you change the RADIUS server policy while RADIUS-authenticated users are logged on, the new policy is not applied to users who are currently logged on. This is because ISA Server caches the credentials of users who are logged on, when users accessing the published Outlook Web Access server authenticate using RADIUS authentication. To apply the RADIUS server policy immediately, you can disconnect the session.

Using LDAP Servers

ISA Server 2006 supports LDAP authentication for Web publishing only. The LDAP servers must be running on a Windows Server 2003 or Windows 2000 Server domain controller. We recommend that the communications between the ISA Server computer and the LDAP server be secured by configuring LDAPS on the domain controllers. For more information about enabling LDAP over SSL, see "How to enable LDAP over SSL with a third-party certification authority" at the Microsoft Help and Support Web site.

Verifying Connectivity to Authentication Servers

If you are using a RADIUS server or an LDAP server for authentication, create a connectivity verifier that monitors the server status. Configure the alerts so that an appropriate action is taken when the RADIUS or LDAP server is not functioning.

To verify connectivity

  1. In the console tree of ISA Server Management, click Monitoring:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Monitoring.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Monitoring.

  2. In the details pane, click the Connectivity Verifiers tab.

  3. On the Tasks tab, click Create New Connectivity Verifier.

  4. On the Welcome page of the wizard, type a name for the connectivity verifier, and then click Next.

  5. On the Connectivity Verification Details page, do the following:

    1. In Monitor connectivity to this server or URL, type the name of the server to monitor.

    2. In Verification method, select a verification method. Click Next and then click Finish.

Note the following:

  • To verify an LDAP server, select Establish a TCP connection to port, and then select the appropriate LDAP service.

  • To verify a RADIUS server, select Send a Ping request.

  • If the system policy rule that allows HTTP connectivity verification is not enabled, and you selected Send an HTTP "Get" request, you will be prompted to enable the system policy rule. Click Yes.

  1. In the details pane, select the rule you just created.

  2. On the Tasks tab, click Edit Selected Verifier.

  3. On the Properties tab, verify that Trigger an alert if the server response is not within the specified timeout is selected.

Deploying Authentication Servers

For security reasons, we recommend that you place authentication servers in a highly secured network. Consider placing the authentication servers on a separate network (apart from the Internal and perimeter networks), when possible. You will effectively prevent direct access from any hosts on the Internal and perimeter networks to the authentication servers.

In this case, you should modify the applicable system policy rule, so that it applies to the network on which the authentication server is located.

To deploy authentication servers

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, under Authentication Services, click the applicable authentication method.

  4. On the To tab, click Add.

  5. In Add Network Entities, select the network on which the authentication server is located.

DNS Servers

Domain Name System (DNS) is the name resolution protocol for IP networks, such as the Internet. A DNS server hosts the information that enables client computers to resolve memorable, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

ISA Server includes a name resolution mechanism similar to the DNS server name resolution mechanism. When a client makes a request to a host on another network, specifying the URL of the host computer, ISA Server can resolve the host computer name. ISA Server sends a name resolution request to the DNS server that you configure for its use.

To prevent DNS cache poisoning, we strongly recommend that you configure ISA Server to use a trusted DNS server (for example, a Windows DNS server), with the option to prevent cache pollution enabled. This DNS server should be located on the Internal network.

If you deploy a DNS server on an untrusted network (for example, on the External network), we recommend that you also install a DNS server on a trusted network (for example, a perimeter network). Then, configure the DNS server on the trusted network to forward requests to the DNS server on the untrusted network.

Follow these guidelines when deploying DNS servers:

  • Deploy a DNS server in the Internal network.

  • On the ISA Server computer, configure the network adapter connected to the Internal network to use the DNS server in the Internal network for all name resolution requests.

  • Verify that no other network adapter on the ISA Server computer uses an untrusted DNS server.

  • Create an access rule that allows only the internal DNS server to access the Internet for DNS resolution.

Important

Only the trusted DNS server should send name resolution requests to the untrusted DNS server. No other server in the Internal network should directly access the untrusted DNS server.

To configure DNS

  1. On the ISA Server computer, click Start, click Control Panel, and then double-click Network Connections.

  2. Right-click the connection you want to configure, and then click Properties.

  3. On the General tab, in This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.

  4. Select Use the following DNS server addresses.

  5. In Preferred DNS server and in Alternate DNS server, type the IP addresses of a trusted DNS server on the Internal network.

Monitoring and Troubleshooting

An important and routine task that you will perform is monitoring the network traffic allowed to pass through ISA Server. A central part of the monitoring function is a careful analysis of the log and auditing information.

The following sections provide tips and hints about helping ensure log information integrity.

Logging

Logging gives you the opportunity to review network activity, checking who has been accessing resources on your network. Review the logs regularly and carefully, checking for suspicious access and usage of network resources. Follow these guidelines to make the best use of ISA Server logging:

  • Configure alerts to send notifications to administrators. Implement a rapid response procedure.

  • Save the logs to a separate NTFS disk partition for maximum security. Only administrators of the ISA Server computer should have access to the logs.

  • When you save log information to an SQL database, use Windows authentication (and not SQL authentication).

  • If you are logging the information to a remote database, configure encryption and data signature for the log information being copied to the remote database.

  • For maximal security, configure IPsec for the communication between the ISA Server computer and SQL Server.

  • If log information cannot be saved for any reason, lock down the ISA Server computer. To do so, configure an alert definition for the Log Failure event that stops the Firewall service.

Log Storage Limits

Configure the Log Storage Limits alert definition to stop the ISA Server services when the log is full. Use the log maintenance feature wisely, to ensure that the disk on which log information is stored does not become full. Only allow access when the access can be appropriately audited by functioning logging and storage.

To configure log storage limits

  1. In the console tree of ISA Server Management, click Monitoring:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Monitoring.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Monitoring.

  2. In the details pane, click the Alerts tab.

  3. On the Tasks tab, click Configure Alert Definitions.

  4. In Alert Definitions, click Log Storage Limits, and then click Edit.

  5. On the General tab, select Enable.

  6. On the Actions tab, click Stop selected services, and then click Select.

  7. In Services, select Microsoft Firewall and Microsoft ISA Server Job Scheduler.

Auditing

Enable Windows auditing, so that you can monitor who logs on to the ISA Server computer and, more importantly, who tried but failed.

To enable auditing

  1. On the ISA Server computer, click Start, point to All Programs, point to Administrative Tools, and then click Local Security Policy.

  2. Expand Security Settings, expand Local Policies, and then click Audit Policy.

  3. In the details pane, right-click Audit logon events, and then click Properties.

  4. Select Success and Failure.

Flood Attacks

A flood attack occurs when an attempt is made to deny services to legitimate users by intentionally overloading a network. Flood attacks might occur, for example, when a worm tries to propagate outside of your corporate network.

The first symptoms that show that ISA Server is experiencing a flood attack are a sudden surge in CPU utilization, increased memory consumption, or very high logging rates on the ISA Server computer.

If you determine that the ISA Server computer is experiencing a flood attack, use the log viewer to determine the source of the offending traffic. Specifically, look for the following:

  • Log entries for denied traffic. Pay special attention to traffic that is denied because the quota is exceeded, spoofed packets, and packets with corrupted CHECKSUM. These usually are indicative of a malicious client. In ISA Server 2006 Standard Edition, connections that are terminated due to exceeding the connections limit will have a result code of 0x80074e23. In ISA Server 2006 Enterprise Edition, the result will appear as text, which clearly indicates the connection termination reason.

  • Logs that indicate numerous connections that are created and then immediately closed. This often indicates that a client computer is scanning an IP address range for a specific vulnerability.

Another way to detect and list the offending computers is to temporarily reconfigure the Connection Limit alerts to be triggered every one second (instead of using the Manually Reset option). A list of alerts is generated, each one indicating the offending IP address in the alert text. After you identify the list of offending IP addresses, perform the following procedure to improve the performance of ISA Server during the flood.

To improve ISA Server performance during a flood

  1. Disable logging. Disable logging either on the specific rule that matches the flood or altogether until the flood attack is stopped.

  2. Reconfigure the Connections Limit alerts (or any other types of alerts that may be triggered repeatedly as a result of the specific attack) by selecting Manually Reset.

Connection Limit Alert

When a Connection Limit alert occurs, determine whether your network is being attacked, or whether there is simply a heavy load of valid traffic. If the limit was exceeded due to malicious traffic, try the following:

  • If the malicious traffic appears to originate from the Internal network, this may indicate a virus on the Internal network. Identify the source IP address, and disconnect the computer from the network immediately.

  • If the malicious traffic appears to originate from a small range of IP addresses on an External network, create a rule denying access to a computer set that includes the source IP addresses.

  • If the traffic appears to originate from a large range of IP addresses, evaluate the overall status of your network. Consider setting a smaller connection limit, so that ISA Server can better protect your network.

In addition, we recommend that you limit the number of connections, because this can help prevent flood attacks. When a UDP or raw IP flood attack occurs, many requests are sent from spoofed source IP addresses, eventually resulting in a denial of service.

Protecting from Floods Caused by Worms and Viruses

Your Internal network could be exposed to infection by the following types of worms:

  • Worms that infiltrate using a specific protocol.

  • Worms that are destined for specific IP addresses.

  • Worms that originate from specific IP addresses.

To help protect your Internal network from worms and other malicious software, we recommend the following:

  • Enable quarantine protection on the VPN Clients network.

  • Create an access rule that denies traffic to and from infected clients, and denies use of the protocols used by the worms. This rule should be the first rule, to make sure that it is enforced first. Do not enable logging for this rule.

  • Configure a disconnected network that includes IP addresses of infected clients. Any traffic originating from these clients will be dropped as spoofed.

Creating a disconnected network

A disconnected network represents a range of IP addresses that are not physically connected to the ISA Server computer.

To create a disconnected network

  1. In the console tree of ISA Server Management, click Networks:

    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click Networks.

  2. In the details pane, click the Networks tab.

  3. On the Tasks tab, click Create a New Network.

  4. On the Welcome page, type the name of the network. For example, type Disconnected, and then click Next.

  5. On the Network Type page, select External Network, and then click Next.

  6. On the Network Addresses page, click Add Range. Then, in Start address and in End address, type the IP addresses of the infected clients. Click OK, click Next, and then click Finish.

  7. In the details pane, click the Network Rules tab. Check that there are no network rules that apply to this network.

    Note

    Be sure to update this network each time another client is identified as infected.

Configuring the routing table

By adjusting the local routing table on the ISA Server computer, you can help ensure that infected clients are not allowed access to resources on your Internal network. Do the following:

  • Add another network adapter to the ISA Server computer. Do not associate it with any ISA Server network.

  • Use the route add command to add static routes to the IP addresses of the infected clients using the IP address of this network adapter.

Hostile code

If a user unknowingly executes hostile code, and that hostile code has been packaged with additional files including modified versions of system DLLs, the hostile code could load its own versions of those DLLs, potentially increasing the type and degree of damage the code can render. Configure the registry key MSS: Enable Safe DLL search mode (recommended) to a value of Enabled.

For more information about this registry key, see "Chapter 10: Additional Registry Settings" in the "Threats and Countermeasures Guide" at the Microsoft TechNet Web site.

Additional Resources

Additional ISA Server 2006 documents are available at the Microsoft TechNet Web site.

Appendix A: Manually Hardening Windows Server 2003

This appendix provides information about hardening the computer manually and creating a security template.

Hardening the Computer Manually

If you want to harden your server manually, you can configure the service startup mode, as described in this section. You configure the computer similar to that of the Security Configuration Wizard.

Note

We recommend that you use the Security Configuration Wizard to harden the computer, because it is best optimized to secure the ISA Server computer.

ISA Server Administration and Other Tasks

For a server to perform necessary tasks, specific services must be enabled, based on the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Server task Usage scenario Services required Startup mode

Application Installation locally using Windows Installer

Required to install, uninstall, or repair applications using the Microsoft Installer Service.

Windows Installer

Manual

Backup

Required if using a backup program on the ISA Server computer.

Microsoft Software Shadow Copy Provider

Volume Shadow Copy

Removable Storage service

Volume Shadow Copy

Removable Storage service

Manual

Manual

Manual

Manual

Manual

Error Reporting

Use to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis.

Error Reporting Service

Automatic

Help and Support

Allows collection of historical computer data for Microsoft Product Support Services incident escalation.

Help and Support

Automatic

ISA Server 2006: MSDE logging

Required to allow logging using MSDE databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the log viewer in offline mode.

SQLAgent$MSFW

MSSQL$MSFW

Manual

Automatic

Performance Data Collection

Allows background collecting of performance data on the ISA Server computer.

Performance Logs and Alerts

Automatic

Print

Allows printing from the ISA Server computer.

Print Spooler

TCP/IP NetBIOS Helper

Workstation

Automatic

Automatic

Automatic

Remote Windows administration

Allows remote management of the Windows server (not required for remote management of ISA Server).

Server

Remote Registry

Automatic

Automatic

Time Synchronization

Allows the ISA Server computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols.

Windows Time

Automatic

Remote Assistance Expert

Allows the Remote Assistance feature to be used on this computer.

Help and Support

Remote Desktop Help Session Manager

Terminal Services

Automatic

Manual

Manual

Notes

  • To function properly, time client applications require that either the Wireless or the Server service is running.

  • To function properly, performance counters require that both the Remote Registry and Server services are running.

  • The startup mode for the Server service should be Automatic when you use Routing and Remote Access Management, rather than ISA Server Management, to configure a virtual private network (VPN).

    • The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.

    • The Server service is required only if you use Routing and Remote Access Management (rather than ISA Server Management) to configure a VPN.

ISA Server Client Roles

Servers can be clients of other servers. Client roles are dependent on role-specific services being enabled. The following table lists possible client roles for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Client role Usage scenario Services required Startup mode

Automatic Update client

Select this role to allow automatic detection and update from Microsoft Windows Update.

Automatic Updates

Background Intelligent Transfer Service

Automatic

Manual

DHCP client

Select this role if the ISA Server computer receives its IP address automatically from a DHCP server.

DHCP Client

Automatic

DNS client

Select this role if the ISA Server computer needs to receive name resolution information from other servers.

Also select the DNS Client role when ISA Server requires name resolution information (DNS and Hosts file).

DNS Client

Automatic

Domain member

Select this role if the ISA Server computer belongs to a domain.

Network location awareness

Net logon

Windows Time

Manual

Automatic

Automatic

DNS registration client

Select this role to allow the ISA Server computer to automatically register its name and address information with a DNS server.

DHCP Client

Automatic

Microsoft Networking client

Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers, for example, to publish reports.

TCP/IP NetBIOS Helper

Workstation

Automatic

Automatic

WINS client

Select this role if the ISA Server computer uses WINS-based name resolution.

TCP/IP NetBIOS Helper

Automatic

Creating a Security Template

You can create a template, using the Security Templates Microsoft Management Console (MMC) snap-in. The template includes information about which services should be enabled, as well as their startup mode. By using a security template, you can easily configure a security policy and then apply it to each ISA Server computer. For more information about creating and deploying a security template, see "Windows Server 2003 Security Guide" at the Microsoft TechNet Web site.