Hardening the Windows Infrastructure on the ISA Server 2004 Computer

Because Microsoft Internet Security and Acceleration (ISA) Server 2004 is used to protect your network or other resources from attack by malicious users, take special care in hardening the ISA Server computer. We recommend that you apply the configurations described in the Windows Server 2003 Security Guide (https://go.microsoft.com/fwlink/?LinkId=31584). Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the Internet Protocol security (IPsec) filters or any of the server role policies.

In addition, you should consider ISA Server functionality and harden the operating system accordingly. This document describes how to harden Microsoft Windows Server 2003 and Windows 2000 Server running on the ISA Server computer. For further security guidelines, see the ISA Server Security Hardening Guide (https://go.microsoft.com/fwlink/?LinkId=24507). The ISA Server Security Hardening Guide includes these instructions, in addition to more detailed security considerations.

Note

We recommend that you harden the Windows infrastructure after you have completely installed ISA Server. For ISA Server Enterprise Edition, install all the necessary Configuration Storage servers and the array members. Then, harden the computers.

Using the Security Configuration Wizard

The Microsoft Windows Server 2003 operating system with Service Pack 1 (SP1) includes an attack surface reduction tool called the Security Configuration Wizard (SCW). Depending on the server role you select, the SCW determines the minimum functionality required, and disables functionality that is not required.

When you install Microsoft Windows Server 2003 SP1 on the ISA Server computer, you can install the SCW and use the wizard to harden the computer.

The SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with the SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).

The SCW includes a role for ISA Server computers. To apply the appropriate ISA Server roles, perform the following steps:

  1. On the ISA Server computer, click Start, click Administrative Tools, and then click Security Configuration Wizard.

  2. In the Security Configuration Wizard, on the Welcome page, click Next.

  3. On the Configuration Action page, select Create a new security policy.

  4. On the Select Server page, in Server, type the name or IP address of the ISA Server computer.

  5. On the Processing Security Configuration Database page, click Next.

  6. On the Welcome page of the Role-based Service Configuration page, click Next.

  7. On the Select Server Roles page, select the following and then click Next.

    1. Select Microsoft Internet Security and Acceleration Server 2004, if you are hardening a computer running the ISA Server services (for ISA Server Enterprise Edition, an array member).

    2. Select Remote Access/VPN Server, if you will be using the ISA Server computer for virtual private network (VPN) functionality.

      Note

      Do not select any specific server roles for a Configuration Storage server.

  8. On the Select Client Features page, select the default client roles, as appropriate. No special client roles are specifically required for hardening ISA Server. Then, click Next.

  9. On the Select Administration and Other Options page, select the following options:

    1. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Configuration Storage, if the Configuration Storage server is installed on this computer (for ISA Server Enterprise Edition only).
    2. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Client installation share, if the Firewall Client share is installed on this computer.
    3. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: MSDE Logging, if ISA Server advanced logging options are installed on this computer.
  10. On the Select Additional Services page, select the appropriate services and click Next.

  11. Click Next until you finish the wizard.
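The wizard saves the policy as an XML file. The following added example (not part of the ISA Server documentation) uses scwcmd, the command-line companion of the SCW in Windows Server 2003 SP1, to re-check a hardened computer against the saved policy and to apply the same policy to another array member. The policy path and the computer name are assumptions; the folder shown is the default location where the SCW stores policies.

```powershell
# Added example, not from the ISA Server documentation.
# Assumed: the SCW policy was saved under the default policies folder with this name.
$policy = 'C:\Windows\security\msscw\Policies\ISAServer.xml'
$results = 'C:\Hardening\scw-results'     # assumed output folder for the analysis report

New-Item -ItemType Directory -Path $results -Force | Out-Null

# Compare the local computer with the policy; the report is written to the /o: folder.
# Run this periodically to detect services or settings that have drifted from the policy.
scwcmd analyze "/p:$policy" "/o:$results"

# Apply the same policy to a second array member (assumed name) so that all
# array members are hardened identically.
scwcmd configure "/p:$policy" "/m:ISA-ARRAY02"
```

Run scwcmd from an elevated command prompt or PowerShell session on a computer that has the SCW installed; the analysis step is useful on its own as a drift check after changes such as service pack installation.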

For more technical guidance about the SCW, see “Security Configuration Wizard for Windows Server 2003” at the Microsoft Windows Server 2003 Web site.

Hardening the Computer Manually

If Windows Server 2003 SP1 is not installed on the computer, you can set the service startup modes manually, as described in this section, so that the computer is configured the way the Security Configuration Wizard would configure it.

Note that we recommend that you use the SCW to harden the computer, because it is best optimized to secure the ISA Server computer.

Core Services

The following table lists the core services that must be enabled for ISA Server and the ISA Server computer to function properly.

Service name | Rationale | Startup mode
COM+ Event System | Core operating system | Manual
Cryptographic Services | Core operating system (security) | Automatic
Event Log | Core operating system | Automatic
IPSec Services | Core operating system (security) | Automatic
Logical Disk Manager | Core operating system (disk management) | Automatic
Logical Disk Manager Administrative Service | Core operating system (disk management) | Manual
Microsoft Firewall | Required for normal functioning of ISA Server | Automatic
Microsoft ISA Server Control | Required for normal functioning of ISA Server | Automatic
Microsoft ISA Server Job Scheduler | Required for normal functioning of ISA Server | Automatic
Microsoft ISA Server Storage | Required for normal functioning of ISA Server | Automatic
MSSQL$MSFW | Required when MSDE logging is used for ISA Server | Automatic
Network Connections | Core operating system (network infrastructure) | Manual
NTLM Security Support Provider | Core operating system (security) | Manual
Plug and Play | Core operating system | Automatic
Protected Storage | Core operating system (security) | Automatic
Remote Access Connection Manager | Required for normal functioning of ISA Server | Manual
Remote Procedure Call (RPC) | Core operating system | Automatic
Secondary Logon | Core operating system (security) | Automatic
Security Accounts Manager | Core operating system | Automatic
Server | Required for ISA Server Firewall Client Share | Automatic
Smart Card | Core operating system (security) | Manual
SQLAgent$MSFW | Required when MSDE logging is used for ISA Server | Manual
System Event Notification | Core operating system | Automatic
Telephony | Required for normal functioning of ISA Server | Manual
Virtual Disk Service (VDS) | Core operating system (disk management) | Manual
Windows Management Instrumentation (WMI) | Core operating system (WMI) | Automatic
WMI Performance Adapter | Core operating system (WMI) | Manual
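The following added example (not part of the ISA Server documentation) checks a computer against the core services table above and reports any service whose startup mode differs, plus any other service that is still set to start. It uses WMI (Win32_Service) so it runs on Windows Server 2003 with PowerShell 1.0 or later; the short service names are the ones listed later in this document under "Creating a Security Template". The MSDE services are absent unless advanced logging was installed, which the script reports rather than treats as an error.

```powershell
# Added example, not from the ISA Server documentation.
# Expected startup modes for the core services table. Win32_Service reports
# "Auto", "Manual", "Disabled" (and "Boot"/"System" for drivers).
$expected = @{
    'EventSystem'      = 'Manual'   # COM+ Event System
    'CryptSvc'         = 'Auto'     # Cryptographic Services
    'Eventlog'         = 'Auto'     # Event Log
    'PolicyAgent'      = 'Auto'     # IPSec Services
    'dmserver'         = 'Auto'     # Logical Disk Manager
    'dmadmin'          = 'Manual'   # Logical Disk Manager Administrative Service
    'Fwsrv'            = 'Auto'     # Microsoft Firewall
    'ISACtrl'          = 'Auto'     # Microsoft ISA Server Control
    'ISASched'         = 'Auto'     # Microsoft ISA Server Job Scheduler
    'ISASTG'           = 'Auto'     # Microsoft ISA Server Storage
    'MSSQL$MSFW'       = 'Auto'     # MSDE logging (present only if installed)
    'Netman'           = 'Manual'   # Network Connections
    'NtLmSsp'          = 'Manual'   # NTLM Security Support Provider
    'PlugPlay'         = 'Auto'     # Plug and Play
    'ProtectedStorage' = 'Auto'     # Protected Storage
    'RasMan'           = 'Manual'   # Remote Access Connection Manager
    'RpcSs'            = 'Auto'     # Remote Procedure Call (RPC)
    'seclogon'         = 'Auto'     # Secondary Logon
    'SamSs'            = 'Auto'     # Security Accounts Manager
    'lanmanserver'     = 'Auto'     # Server (Firewall Client share)
    'SCardSvr'         = 'Manual'   # Smart Card
    'SQLAgent$MSFW'    = 'Manual'   # MSDE logging (present only if installed)
    'SENS'             = 'Auto'     # System Event Notification
    'TapiSrv'          = 'Manual'   # Telephony
    'VDS'              = 'Manual'   # Virtual Disk Service
    'winmgmt'          = 'Auto'     # Windows Management Instrumentation
    'WmiApSrv'         = 'Manual'   # WMI Performance Adapter
}

$allServices = Get-WmiObject -Class Win32_Service
$drift = @()

foreach ($name in $expected.Keys) {
    $svc = $allServices | Where-Object { $_.Name -eq $name }
    if ($svc -eq $null) {
        $drift += "$name : not installed (expected only if the optional component is present)"
        continue
    }
    if ($svc.StartMode -ne $expected[$name]) {
        $drift += "$name : expected $($expected[$name]), found $($svc.StartMode)"
    }
}

# Anything outside the core list that is not disabled needs a justification
# from the server, administration or client role tables before it stays enabled.
$extra = $allServices |
    Where-Object { -not $expected.ContainsKey($_.Name) -and $_.StartMode -ne 'Disabled' } |
    Sort-Object Name |
    ForEach-Object { "$($_.Name) ($($_.DisplayName)) : $($_.StartMode)" }

Write-Output '== Core services that differ from the table =='
Write-Output $drift
Write-Output '== Non-core services still enabled; check against the role tables =='
Write-Output $extra
```

Run the script after hardening and again after any software or service pack installation; a non-empty first list means a core service was changed, and the second list is the review queue for services that a role table may or may not justify.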

ISA Server Server Roles

The ISA Server computer may function in additional capacities, or roles, depending on how you use the computer. The following table lists possible server roles, describes when they may be required, and lists the services that should be activated when you enable the role.

Server role | Usage scenario | Services required (startup mode)
Routing and Remote Access Server | Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality. | Routing and Remote Access (Manual); Remote Access Connection Manager (Manual); Telephony (Manual); Workstation (Automatic); Server (Automatic)
Terminal Server for Remote Desktop Administration | Select this role to enable remote management of the ISA Server computer. | Server (Automatic); Terminal Services (Manual)


Note

The startup mode for the Server service should be Automatic in the following cases:

  • You install ISA Server 2004: Client Installation Share.
  • You use Routing and Remote Access Management, rather than ISA Server Management, to configure a virtual private network (VPN).
  • Other tasks or roles, as described in the preceding table, require the service.

The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.

Note that the Server service is required only if you use Routing and Remote Access Management (rather than ISA Server Management) to configure a VPN.

ISA Server Administration and Other Options

For a server to perform necessary tasks, specific services must be enabled, based on the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Server task | Usage scenario | Services required (startup mode)
Application installation from Group Policy | Required to install, uninstall, or repair applications using the Microsoft Installer Service. | Windows Installer (Manual)
Backup | Required if using NTBackup or another backup program on the ISA Server computer. | Microsoft Software Shadow Copy Provider (Manual); Volume Shadow Copy (Manual); Removable Storage service (Manual)
Error Reporting | Use to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis. | Error Reporting Service (Automatic)
Help and Support | Allows collection of historical computer data for Microsoft Product Support Services incident escalation. | Help and Support (Automatic)
ISA Server 2004: Client installation share | Required to allow computers to connect to and install from the Firewall Client share on the ISA Server computer. | Server (Automatic)
ISA Server 2004: MSDE logging | Required to allow logging using MSDE databases. If you do not enable the applicable services, you can log to SQL databases or to files. However, you will not be able to use the Log Viewer in off-line mode. | SQLAgent$MSFW (Manual); MSSQL$MSFW (Automatic)
Performance data collection | Allows background collecting of performance data on the ISA Server computer. | Performance Logs and Alerts (Automatic)
Print | Allows printing from the ISA Server computer. | Print Spooler (Automatic); TCP/IP NetBIOS Helper (Automatic); Workstation (Automatic)
Remote Windows administration | Allows remote management of the Windows server (not required for remote management of ISA Server). | Server (Automatic); Remote Registry (Automatic)
Time Synchronization | Allows the ISA Server computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols. | Windows Time (Automatic)
Remote Assistance Expert | Allows the Remote Assistance feature to be used on this computer. | Help and Support (Automatic); Remote Desktop Help Session Manager (Manual); Terminal Services (Manual)

Note

Time client applications require that either the Wireless or the Server service is running in order to function properly.

ISA Server Client Roles

Servers can be clients of other servers. Client roles are dependent on role-specific services being enabled. The following table lists possible client roles for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Client role | Usage scenario | Services required (startup mode)
Automatic Update client | Select this role to allow automatic detection and update from Microsoft Windows Update. | Automatic Updates (Automatic); Background Intelligent Transfer Service (Manual)
DHCP client | Select this role if the ISA Server computer receives its IP address automatically from a DHCP server. | DHCP Client (Automatic)
DNS client | Select this role if the ISA Server computer needs to receive name resolution information from other servers. | DNS Client (Automatic)
Domain member | Select this role if the ISA Server computer belongs to a domain. | Network Location Awareness (NLA) (Manual); Net Logon (Automatic); Windows Time (Automatic)
DNS registration client | Select this role to allow the ISA Server computer to automatically register its name and address information with a DNS server. | DHCP Client (Automatic)
Microsoft Networking client | Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers; for example, to publish reports. | TCP/IP NetBIOS Helper (Automatic); Workstation (Automatic)
WINS client | Select this role if the ISA Server computer uses WINS-based name resolution. | TCP/IP NetBIOS Helper (Automatic)

Creating a Security Template

You can create a template, using the Security Templates Microsoft Management Console (MMC) snap-in. The template includes information about which services should be enabled, as well as their startup mode. By using a security template, you can easily configure a security policy and then apply it to each ISA Server computer.

To create a security template, perform the following steps:

  1. To open Security Templates, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in and then click Add.

  3. Select Security Templates, click Add, click Close, and then click OK.

  4. In the console tree, click the Security Templates node, right-click the folder where you want to store the new template, and click New Template.

  5. In Template name, type the name for your new security template.

  6. In Description, type a description of your new security template, and then click OK.

  7. Expand the new template, and then click System Services.

  8. In the details pane, right-click COM+ Event System and then click Properties.

  9. Select Define this policy setting in the template and then click the startup mode. (For COM+ Event System, the startup mode is Automatic.)

  10. Repeat steps 8 and 9 for each of the services listed in the following table.

Service name | Short name | Startup mode
Automatic Updates | wuauserv | Automatic
Background Intelligent Transfer Service | BITS | Manual
COM+ Event System | EventSystem | Manual
Cryptographic Services | CryptSvc | Automatic
DHCP Client | Dhcp | Automatic
DNS Client | Dnscache | Automatic
Error Reporting Service | ERSvc | Automatic
Event Log | Eventlog | Automatic
Help and Support | Helpsvc | Automatic
IPsec Services | PolicyAgent | Automatic
Logical Disk Manager | dmserver | Automatic
Logical Disk Manager Administrative Service | dmadmin | Manual
Microsoft Firewall | Fwsrv | Automatic
Microsoft ISA Server Control | ISACtrl | Automatic
Microsoft ISA Server Job Scheduler | ISASched | Automatic
Microsoft ISA Server Storage | ISASTG | Automatic
Microsoft Software Shadow Copy Provider | SWPRV | Manual
MSSQL$MSFW | MSSQL$MSFW | Automatic
Network Connections | Netman | Manual
Network Location Awareness (NLA) | NLA | Manual
NTLM Security Support Provider | NtLmSsp | Manual
Performance Logs and Alerts | SysmonLog | Automatic
Plug and Play | PlugPlay | Automatic
Protected Storage | ProtectedStorage | Automatic
Remote Access Connection Manager | RasMan | Manual
Remote Desktop Help Session Manager | RDSessMgr | Manual
Remote Procedure Call (RPC) | RpcSs | Automatic
Removable Storage | NtmsSvc | Manual
Routing and Remote Access | None | Manual
Secondary Logon | seclogon | Automatic
Security Accounts Manager | SamSs | Automatic
Server | lanmanserver | Manual
Smart Card | SCardSvr | Manual
System Event Notification | SENS | Automatic
TCP/IP NetBIOS Helper | LmHosts | Automatic
Telephony | TapiSrv | Manual
Terminal Services | TermService | Manual
Virtual Disk Service (VDS) | VDS | Manual
Volume Shadow Copy | VSS | Manual
Windows Installer | MSIServer | Manual
Windows Management Instrumentation | winmgmt | Automatic
Windows Time | W32time | Automatic
Wireless Configuration | WZCSVC | Automatic
WMI Performance Adapter | WmiApSrv | Manual
Workstation | lanmanworkstation | Automatic

Note

The startup mode for the Server service should be Automatic in the following cases:

  • You install ISA Server 2004: Client Installation Share.
  • You use Routing and Remote Access Management, rather than ISA Server Management, to configure a VPN.
  • Other tasks or roles, as described in the preceding table, require the service.

The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.

Time client applications require that either the Wireless or the Server service is running in order to function properly.

To apply the new template to the ISA Server computer, perform the following steps:

  1. To open Security Templates, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in and then click Add.

  3. Select Security Configuration and Analysis, click Add, click Close, and then click OK.

  4. In the console tree, click Security Configuration and Analysis.

  5. Right-click Security Configuration and Analysis and then click Open Database.

  6. Type a new database name, and then click Open.

  7. Select a security template to import, and then click Open. Select the security template that you created previously.

  8. Right-click Security Configuration and Analysis and then click Configure Computer Now.
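The two procedures above (creating the template in the Security Templates snap-in and applying it with Security Configuration and Analysis) can also be scripted. The following added example (not part of the ISA Server documentation) writes the startup modes from the template table into a security template file (.inf) and applies it with secedit, the command-line equivalent of the Security Configuration and Analysis snap-in. The file paths and template name are assumptions. The [Service General Setting] section uses numeric startup codes (2 = Automatic, 3 = Manual, 4 = Disabled); leaving the third field, the service's security descriptor, as an empty string is an assumption of this example, and the snap-in itself writes the full descriptor there. Routing and Remote Access is omitted because the table gives no short name for it, so set it in the snap-in.

```powershell
# Added example, not from the ISA Server documentation.
# Startup codes for the [Service General Setting] section: 2 = Automatic, 3 = Manual, 4 = Disabled.
$services = @{
    'wuauserv' = 2; 'BITS' = 3; 'EventSystem' = 3; 'CryptSvc' = 2
    'Dhcp' = 2; 'Dnscache' = 2; 'ERSvc' = 2; 'Eventlog' = 2
    'Helpsvc' = 2; 'PolicyAgent' = 2; 'dmserver' = 2; 'dmadmin' = 3
    'Fwsrv' = 2; 'ISACtrl' = 2; 'ISASched' = 2; 'ISASTG' = 2
    'SWPRV' = 3; 'MSSQL$MSFW' = 2; 'Netman' = 3; 'NLA' = 3
    'NtLmSsp' = 3; 'SysmonLog' = 2; 'PlugPlay' = 2; 'ProtectedStorage' = 2
    'RasMan' = 3; 'RDSessMgr' = 3; 'RpcSs' = 2; 'NtmsSvc' = 3
    'seclogon' = 2; 'SamSs' = 2; 'lanmanserver' = 3; 'SCardSvr' = 3
    'SENS' = 2; 'LmHosts' = 2; 'TapiSrv' = 3; 'TermService' = 3
    'VDS' = 3; 'VSS' = 3; 'MSIServer' = 3; 'winmgmt' = 2
    'W32time' = 2; 'WZCSVC' = 2; 'WmiApSrv' = 3; 'lanmanworkstation' = 2
}
# Per the note above, set the Server service to Automatic when the Client
# Installation Share is installed or another listed role requires it.
if (Test-Path 'C:\Program Files\Microsoft ISA Server\clients') {   # assumed share path
    $services['lanmanserver'] = 2
}

$folder = 'C:\Hardening'                      # assumed working folder
$inf    = Join-Path $folder 'ISAServices.inf'
$db     = Join-Path $folder 'ISAServices.sdb'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Header sections are the ones the Security Templates snap-in writes.
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
           '[Service General Setting]')
foreach ($name in ($services.Keys | Sort-Object)) {
    # "ShortName",StartupCode,"SDDL"; the empty SDDL here is an assumption (see lead-in)
    $lines += ('"{0}",{1},""' -f $name, $services[$name])
}
$lines | Set-Content -Path $inf -Encoding Unicode

# Analyze first so the log shows what would change, then configure only the
# services area; the same .inf can be applied to every ISA Server computer.
secedit /analyze   /db $db /cfg $inf /log (Join-Path $folder 'analyze.log')
secedit /configure /db $db /cfg $inf /areas SERVICES /log (Join-Path $folder 'configure.log')
```

Keep the generated .inf under version control alongside the SCW policy; re-running the analyze step later compares the live service configuration with the template and records the differences in the log, which is the same comparison the snap-in's Analyze Computer Now command performs.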

Additional Resources

For more detailed information and guidelines on hardening ISA Server and the ISA Server computer, see the ISA Server Security Hardening Guide, available on the Microsoft Web site.

For information about Microsoft ISA Server, see the Microsoft ISA Server Web site.
