8/15/2006 -- If you are the person responsible for securing your network and servers, most likely you have implemented some sort of security measures to protect your Domain Controllers, member servers, Web servers and the like -- an obvious necessity. In this article I will discuss some of the best practices for securing another important server: Internet Security and Acceleration (ISA) Server 2004 (Enterprise or Standard edition).
This article assumes that you've followed best practices and installed your ISA Server 2004 on Windows 2003, and have updated both Windows Server 2003 and ISA with all the latest patches, service packs and updates, including for ISA Server components such as Microsoft SQL Server 2000 Desktop Engine and Office Web Components 2002.
Tip #1: Get Physical
When it comes to security, physical security is extremely important. This is true for any computer that you want to secure, but for a computer acting as a firewall the stakes are even higher. Ensure that ISA Server is not only physically secure, but that you also have appropriate power protection with a UPS and some kind of fault tolerance implementation in case of hard drive or other hardware failure.
Tip #2: Domain vs. Workgroup
When you install ISA Server 2004, one of the decisions that you need to make is whether to install it in a workgroup or make it a member server in the domain. My preference is to install ISA Server 2004 in a workgroup. However, there are situations that may require configuring ISA Server 2004 as a domain member. For example, if you create a policy that depends on domain authentication, then the ISA Server should be a member of the domain. As a domain member, you will also be able to lock the server down using a Group Policy. If you must install ISA Server as a domain member, it is best to have another hardware-based firewall on the outside, such as a PIX firewall.
Although my preference is to install ISA Server 2004 in a workgroup, especially when it's protecting the edge of the network, if you need domain membership for ISA Server 2004, consider installing it in a separate forest. For example, if you are running ISA Server 2004 in a DMZ, install it in a separate forest and then create a one-way trust between your internal forest and your ISA Server 2004 forest.
Tip #3: Adjust Connection Limits
The connection limits in ISA Server prevent attacks that can consume valuable resources on your ISA Server. By limiting the number of connections to the server, you can mitigate any attacks from a malicious host.
By default, connection limits for non-TCP connections are set to 1000 connections per second per rule, and to 160 connections per client (TCP and non-TCP), as shown in Figure 1, below. Microsoft recommends that it is best not to modify these default limits. However, if you feel that you need to adjust these numbers, try to configure as few connections as possible. Be careful, though: If you configure the limit to be too low, you may run into a problem with your clients not being able to connect. There are certain situations where people have been able to solve connectivity problems by adjusting these numbers.
Figure 1: Configuring Connection Limits.
Tip #4: Configure DNS Properly
When you configure ISA Server, make sure your DNS is configured properly. Include all local domain names in the domains that are considered local to your private network. Otherwise, ISA Server may send a name resolution request to a public (external) DNS server. Needless to say, this can potentially expose the names of your private domains to the outside world.
To prevent DNS cache poisoning, point your ISA Server to one of your own DNS servers on your private network. Make sure the DNS server is configured with the option to prevent cache pollution.
Let's say you have an ISA Server with two interfaces: private and public. Here's how I suggest you configure DNS on your ISA Server:
- Point the network card on the private interface to a DNS on your private network. Leave the gateway and alternate DNS fields blank.
- Configure a gateway on the public interface that points to your ISP but leave both the DNS fields blank.
- Configure your private DNS server to forward requests to your ISP's DNS server.
- Configure an access rule that allows only the private DNS server to access the Internet. This will allow all the internal clients to resolve the private addresses from the internal DNS server and for external name resolution they will be forwarded to your ISP's DNS server.
To summarize, here's what a sample configuration looks like:

Private Interface
  IP: 10.0.0.1
  Subnet Mask: 255.0.0.0
  Default Gateway: (leave blank)
  Primary DNS: 10.0.0.2
  Secondary DNS: (blank)

Public Interface
  IP: 225.x.x.x
  Subnet Mask: 255.255.255.0
  Default Gateway: 225.x.x.1
  Primary DNS: (blank)
  Secondary DNS: (blank)
On the General tab of the public interface, disable all items except "Internet Protocol (TCP/IP)," including Client for Microsoft Networking, File and Printer Sharing for Microsoft Networks, etc. In addition, disable NetBIOS over TCP/IP and uncheck the box Enable LMHOSTS lookup, as shown in Figure 2, below. Make sure you do not disable NetBIOS over TCP/IP on the private interface.
Figure 2: Disabling NetBIOS over TCP/IP and LMHOSTS lookup on the public interface.
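As an added example (not from the article), here is a small Python audit that parses the layout of "ipconfig /all" output from an ISA Server and checks it against the Tip #4 rules above: the private interface has exactly one DNS server on the private network, no gateway, and NetBIOS left enabled; the public interface has a gateway, no DNS servers, and NetBIOS over TCP/IP disabled. The sample output and the adapter names "Private" and "Public" are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the layout of "ipconfig /all" on Windows Server 2003 (not captured
# from a real ISA Server); the public adapter deliberately has a DNS server set.
SAMPLE_IPCONFIG = """\
Ethernet adapter Private:
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.2
Ethernet adapter Public:
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Disabled
"""
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s?(.*)$")  # "   Key . . . : value"


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; indented lines without a colon extend the last field."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if line.endswith(":") and not line.startswith(" "):
            current = adapters.setdefault(line[:-1].split(" adapter ", 1)[-1], {})
        elif current is None or not line.strip():
            continue
        elif m:
            last = m.group(1)
            current[last] = [m.group(2)] if m.group(2) else []
        elif last:
            current[last].append(line.strip())  # e.g. a second DNS server on its own line
    return adapters


def audit(text, private="Private", public="Public"):
    """Apply the Tip #4 interface rules; an empty list means the box matches the article."""
    cfg = parse_ipconfig(text)
    priv, pub, findings = cfg.get(private, {}), cfg.get(public, {}), []
    dns = priv.get("DNS Servers", [])
    if len(dns) != 1 or not ipaddress.ip_address(dns[0]).is_private:
        findings.append("%s: expected one DNS server on the private network, got %s" % (private, dns))
    if priv.get("Default Gateway"):
        findings.append("%s: default gateway must be blank" % private)
    if priv.get("NetBIOS over Tcpip") == ["Disabled"]:
        findings.append("%s: NetBIOS over TCP/IP must stay enabled" % private)
    if not pub.get("Default Gateway"):
        findings.append("%s: default gateway to the ISP is missing" % public)
    if pub.get("DNS Servers"):
        findings.append("%s: DNS set (%s); leave both DNS fields blank" % (public, ", ".join(pub["DNS Servers"])))
    if pub.get("NetBIOS over Tcpip") != ["Disabled"]:
        findings.append("%s: NetBIOS over TCP/IP should be disabled" % public)
    return findings
```

Run audit() over the real output of "ipconfig /all" redirected to a file, substituting your own adapter names.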
Tip #5: Disable Error Reporting
By default, Microsoft enables error reporting on Windows Server 2003 as well as ISA Server 2004. You should disable error reporting on both the operating system (under services.msc) and ISA Server 2004 (under System Policy). According to Microsoft's security experts, error reporting should not be enabled on any computer and especially not on an ISA Server computer. Error reporting helps Microsoft improve products by reporting critical faults to Microsoft for analysis. However, the information that is sent to Microsoft is not encrypted. Let someone else be the nice guy; you should avoid any kind of reporting to Microsoft (or to any other vendor).
To disable error reporting, follow the procedure described below:
- Start ISA Server Management Console and go to Firewall Policy.
- Right-click the Firewall Policy and select Edit System Policy.
- In System Policy Editor, in the Configuration Groups tree, click Diagnostic Services.
- Click Microsoft Error Reporting under the Diagnostic Services folder.
- In the right-hand pane, uncheck the Enable box, as shown in Figure 3, below.
Figure 3: Disabling Microsoft Error Reporting in System Policy Editor.
NOTE: Some Microsoft TechNet articles incorrectly list the Error Reporting service as a required service for ISA Server and imply that it should be configured to start automatically. You can safely ignore that recommendation and disable the service in the Services console as well as in System Policy.
Tip #6: Reconfigure System Policy Allowed Sites
By default, the Allowed Sites configuration group is enabled, allowing ISA Server to access content on specific sites that belong to the System Policy Allowed Sites domain name set. The default system policy allows HTTP and HTTPS access from the Local Host network (the ISA Server computer) to the Microsoft.com Web site. This is mainly used by Microsoft for error reporting. You should allow only the *.windowsupdate.com site and remove all other Web sites listed in that group.
Tip #7: Delegate Administration
For larger environments where several people are involved in managing ISA Server computers, consider using the ISA Server Administration Delegation Wizard. You can start the wizard by going to ISA Server Management Console and right-clicking your ISA Server name. The wizard allows you to assign roles to different users and groups so they can monitor arrays. The three roles that can be assigned are:
- ISA Server Array Administrator
- ISA Server Array Auditor
- ISA Server Array Monitoring Auditor
Look for more information about these roles in the ISA Server help file.
Tip #8: Disallow Older Firewall Clients
The Firewall Client for ISA Server uses a protocol that encrypts data transmission between the Firewall Client and the ISA Server. Do not allow older versions of the Firewall Client because they can't encrypt the communication channel. Ensure that the box "Allow non-encrypted Firewall client connections" is unchecked, as shown in Figure 4, below.
Figure 4: Restricting connections from older Firewall clients.
Tip #9: Don't Enable the Guest Account
Unfortunately, the Guest account still exists in Windows Server 2003, even though no one ever uses it and Microsoft tells everyone to leave it disabled. Enabling the Guest account on any computer can be bad, but enabling it on ISA Server opens a serious security hole, so double-check to make sure it's closed. ISA Server recognizes the Guest account as part of the default All Authenticated Users user set.
Tip #10: Avoid Running Browsers on ISA Server
Do not run a Web browser to surf the Internet on your ISA Server. As we know, surfing the Internet is one of the most common methods of inviting spyware, keyloggers, and malware onto your computer. If you are in a bind and you must go to a known site that you trust, run your browser (preferably Mozilla's Firefox -- avoid Internet Explorer) with non-administrative credentials to minimize potential harm. However, it's really hard to justify running a Web browser on any server, let alone a firewall.
Additional Tips
Here are some additional tips that you may find helpful in securing your ISA Server:
- If ISA Server ever gets compromised, or you discover a virus or spyware on your ISA Server, you should reinstall ISA Server. Some people try to clean the server with tools that they feel comfortable with, but reinstalling is most likely the safest option.
- If you have multiple ISA Server 2004 computers in your environment, you should create a security template and apply it to all your ISA Servers for consistency.
- When configuring firewall chaining, use IP Security (IPSec) to secure the communication channel between your ISA Server computer and the upstream server in the chain.
- Disable services and features that you do not need on ISA Server to reduce the attack surface.
- When making backups, ensure that the backup file is protected with a password.
Want More?
There are lots of additional areas that you can secure on your ISA Server. Check out the ISA Server 2004 Security Hardening Guide from Microsoft for additional tips. As I mentioned earlier, don't forget to secure your Windows Server 2003 operating system properly -- otherwise all your techniques for securing ISA may not be very effective.