 Zubair's Security Zone  
 Best Practices for Securing ISA Server 2004
Zubair offers his top tips for making sure your ISA Server is as secure as possible.
by Zubair Alexander  
8/15/2006 -- If you are the person responsible for securing your network and servers, most likely you have implemented some sort of security measures to protect your Domain Controllers, member servers, Web servers and the like -- an obvious necessity. In this article I will discuss some of the best practices for securing another important server: Internet Security and Acceleration (ISA) Server 2004 (Enterprise or Standard edition).

This article assumes that you've followed best practices and installed your ISA Server 2004 on Windows 2003, and have updated both Windows Server 2003 and ISA with all the latest patches, service packs and updates, including for ISA Server components such as Microsoft SQL Server 2000 Desktop Engine and Office Web Components 2002.

Tip #1: Get Physical
When it comes to security, physical security is extremely important. This is true for any computer that you want to secure, but for a computer acting as a firewall the stakes are even higher. Ensure that ISA Server is not only physically secure, but that you also have appropriate power protection with a UPS and some kind of fault tolerance implementation in case of hard drive or other hardware failure.

Tip #2: Domain vs. Workgroup
When you install ISA Server 2004, one of the decisions you need to make is whether to install it in a workgroup or make it a member server in the domain. My preference is to install ISA Server 2004 in a workgroup. However, there are situations that may require configuring ISA Server 2004 as a domain member. For example, if you create a policy that depends on domain authentication, then the ISA Server must be a member of the domain. As a domain member, you will also be able to lock the server down using Group Policy. If you must install ISA Server as a domain member, it is best to have another hardware-based firewall on the outside, such as a PIX firewall.

Although my preference is to install ISA Server 2004 in a workgroup, especially when it's protecting the edge of the network, if you need domain membership for ISA Server 2004, consider installing it in a separate forest. For example, if you are running ISA Server 2004 in a DMZ, install it in a separate forest and then create a one-way trust between your internal forest and your ISA Server 2004 forest.

Tip #3: Adjust Connection Limits
The connection limits in ISA Server protect against attacks that consume valuable resources on your ISA Server. By limiting the number of connections to the server, you can mitigate resource-exhaustion attacks from a malicious host.

By default, connection limits for non-TCP connections are set to 1000 connections per second per rule, and to 160 connections per client (TCP and non-TCP), as shown in Figure 1, below. Microsoft recommends not modifying these default limits. However, if you feel that you need to adjust these numbers, configure as few connections as possible. Be careful, though: if you set the limit too low, your clients may not be able to connect. There are certain situations where people have been able to solve connectivity problems by adjusting these numbers.

Figure 1: Configuring Connection Limits.
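To make the effect of the two default limits concrete, here is an added model (not ISA Server code and not from the article) of a per-client connection cap of 160 and a per-rule non-TCP rate cap of 1000 new connections per second. The class, the rule names and the traffic scenarios are constructed for this illustration; the point it shows is that one flooding host is cut off at the cap while a well-behaved host on the same rule is unaffected.

```python
"""Simplified model of ISA Server 2004 connection limits (Tip #3).

Added illustration, not ISA Server code: per-client cap (160, TCP and non-TCP)
and per-rule non-TCP rate cap (1000 per second). Class, rule names and the
traffic below are constructed for the example.
"""
from collections import defaultdict


class ConnectionLimiter:
    """Tracks open connections per client and new non-TCP connections per rule per second."""

    def __init__(self, per_client=160, non_tcp_per_second=1000):
        self.per_client = per_client
        self.non_tcp_per_second = non_tcp_per_second
        self.open_by_client = defaultdict(int)    # client -> currently open connections
        self.non_tcp_by_rule = defaultdict(int)   # (rule, second) -> new non-TCP connections

    def request(self, client, proto, rule, second):
        """Return (allowed, reason). proto is 'tcp' or a non-TCP name such as 'udp'."""
        if self.open_by_client[client] >= self.per_client:
            return False, "per-client limit"
        if proto != "tcp":
            key = (rule, second)
            if self.non_tcp_by_rule[key] >= self.non_tcp_per_second:
                return False, "per-rule non-TCP rate limit"
            self.non_tcp_by_rule[key] += 1
        self.open_by_client[client] += 1
        return True, "allowed"

    def close(self, client):
        """Release one connection slot for the client when its connection ends."""
        if self.open_by_client[client] > 0:
            self.open_by_client[client] -= 1


def simulate(limiter, events):
    """Run constructed events [(client, proto, rule, second), ...]; return reason counts per client."""
    outcome = defaultdict(lambda: defaultdict(int))
    for client, proto, rule, second in events:
        _, reason = limiter.request(client, proto, rule, second)
        outcome[client][reason] += 1
    return {c: dict(r) for c, r in outcome.items()}


def flood_scenario():
    """A noisy host opens 200 TCP connections while a normal host opens 5 (constructed)."""
    lim = ConnectionLimiter()
    events = [("10.0.0.50", "tcp", "Allow HTTP", 0)] * 200
    events += [("10.0.0.51", "tcp", "Allow HTTP", 0)] * 5
    return simulate(lim, events)


def udp_rate_scenario():
    """1200 distinct clients each send one UDP request through one rule in the same second."""
    lim = ConnectionLimiter()
    events = [(f"10.0.{i // 256}.{i % 256}", "udp", "Allow DNS", 7) for i in range(1200)]
    result = simulate(lim, events)
    allowed = sum(r.get("allowed", 0) for r in result.values())
    denied = sum(r.get("per-rule non-TCP rate limit", 0) for r in result.values())
    return allowed, denied


if __name__ == "__main__":
    print(flood_scenario())        # noisy host: 160 allowed, 40 refused; normal host: 5 allowed
    print(udp_rate_scenario())     # (1000, 200)
```

The second scenario is the reason the article warns against lowering the limits carelessly: the per-rule non-TCP cap is shared by every client using that rule, so a limit that is too low refuses legitimate clients, not just the flooding one.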

Tip #4: Configure DNS Properly
When you configure ISA Server, make sure your DNS is configured properly. Include all local domain names in the domains that are considered local to your private network. Otherwise, ISA Server may send a name resolution request to a public (external) DNS server. Needless to say, this can potentially expose the names of your private domains to the outside world.

To prevent DNS cache poisoning, point your ISA Server to one of your own DNS servers on your private network. Make sure the DNS server is configured with the option to prevent cache pollution.

Let's say you have an ISA Server with two interfaces: private and public. Here's how I suggest you configure DNS on your ISA Server:

  1. Point the network card on the private interface to a DNS on your private network. Leave the gateway and alternate DNS fields blank.
  2. Configure a gateway on the public interface that points to your ISP but leave both the DNS fields blank.
  3. Configure your private DNS server to forward requests to your ISP's DNS server.
  4. Configure an access rule that allows only the private DNS server to access the Internet. This allows internal clients to resolve private names from the internal DNS server, while external names are forwarded to your ISP's DNS server.

To summarize, here's what a sample configuration looks like:

Private Interface
IP: 10.0.0.1
Subnet Mask: 255.0.0.0
Default Gateway: (leave blank)
Primary DNS: 10.0.0.2
Secondary DNS: (blank)

Public Interface
IP: 225.x.x.x
Subnet Mask: 255.255.255.0
Default Gateway: 225.x.x.1
Primary DNS: (blank)
Secondary DNS: (blank)

On the General tab of the public interface, disable all items except "Internet Protocol (TCP/IP)," including Client for Microsoft Networking, File and Printer Sharing for Microsoft Networks, etc. In addition, disable NetBIOS over TCP/IP and uncheck the box Enable LMHOSTS lookup, as shown in Figure 2, below. Make sure you do not disable NetBIOS over TCP/IP on the private interface.

Figure 2: Disabling NetBIOS over TCP/IP and LMHOSTS lookup on the public interface.
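The interface layout above and the binding changes on the public interface can be checked mechanically. The following audit script is an added example, not code from the article or from ISA Server: it takes a description of the two interfaces and reports every departure from the rules given in Tip #4 (private interface: internal DNS on the private subnet and no gateway; public interface: ISP gateway only, blank DNS, only TCP/IP bound, NetBIOS over TCP/IP and LMHOSTS lookup off). The dictionary layout and all addresses are constructed; 203.0.113.0/24 stands in for the article's "225.x.x.x" public range.

```python
"""Audit of the dual-interface DNS layout from Tip #4.

Added example, not from the article or ISA Server. The field names below are
an assumption for this illustration; the rules are the article's.
"""
import ipaddress


def audit_isa_interfaces(private, public):
    """Return a list of findings; an empty list means the layout matches the article's rules."""
    findings = []

    # Private interface: DNS must point into the private network, no default gateway.
    priv_net = ipaddress.ip_interface(f"{private['ip']}/{private['mask']}").network
    if private.get("gateway"):
        findings.append("private: default gateway must be blank")
    if not private.get("dns"):
        findings.append("private: primary DNS must point to an internal DNS server")
    else:
        for dns in private["dns"]:
            if ipaddress.ip_address(dns) not in priv_net:
                findings.append(f"private: DNS server {dns} is not on the private subnet {priv_net}")
    if private.get("netbios_over_tcpip") is False:
        findings.append("private: do not disable NetBIOS over TCP/IP on the private interface")

    # Public interface: gateway to the ISP only, no DNS, TCP/IP as the only binding.
    if not public.get("gateway"):
        findings.append("public: default gateway to the ISP is required")
    if public.get("dns"):
        findings.append("public: DNS fields must be blank (name resolution goes via the private DNS)")
    extra = set(public.get("bindings", [])) - {"Internet Protocol (TCP/IP)"}
    if extra:
        findings.append(f"public: unbind {sorted(extra)}")
    if public.get("netbios_over_tcpip", True):
        findings.append("public: disable NetBIOS over TCP/IP")
    if public.get("lmhosts_lookup", True):
        findings.append("public: uncheck Enable LMHOSTS lookup")
    return findings


# Constructed configuration that follows the article's sample layout.
GOOD_PRIVATE = {"ip": "10.0.0.1", "mask": "255.0.0.0", "gateway": "",
                "dns": ["10.0.0.2"], "netbios_over_tcpip": True}
GOOD_PUBLIC = {"ip": "203.0.113.10", "mask": "255.255.255.0", "gateway": "203.0.113.1",
               "dns": [], "bindings": ["Internet Protocol (TCP/IP)"],
               "netbios_over_tcpip": False, "lmhosts_lookup": False}

# Constructed misconfiguration: ISP DNS on the public NIC, file sharing still bound, NetBIOS on.
BAD_PUBLIC = {"ip": "203.0.113.10", "mask": "255.255.255.0", "gateway": "203.0.113.1",
              "dns": ["198.51.100.53"],
              "bindings": ["Internet Protocol (TCP/IP)",
                           "File and Printer Sharing for Microsoft Networks"],
              "netbios_over_tcpip": True, "lmhosts_lookup": True}

if __name__ == "__main__":
    for finding in audit_isa_interfaces(GOOD_PRIVATE, BAD_PUBLIC):
        print("FINDING:", finding)
```

The misconfigured public interface is the one that leaks: with an ISP resolver listed on the external NIC, lookups for internal names can leave the network, which is exactly the exposure the article describes.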

Tip #5: Disable Error Reporting
By default, Microsoft enables error reporting on Windows Server 2003 as well as ISA Server 2004. You should disable error reporting on both the operating system (under services.msc) and ISA Server 2004 (under System Policy). According to Microsoft's security experts, error reporting should not be enabled on any computer, and especially not on an ISA Server computer. Error reporting helps Microsoft improve products by reporting critical faults to Microsoft for analysis. However, the information that is sent to Microsoft is not encrypted. Let someone else be the nice guy; you should avoid any kind of reporting to Microsoft (or to any other vendor).

To disable error reporting, follow the procedure described below:

  1. Start ISA Server Management Console and go to Firewall Policy.
  2. Right-click the Firewall Policy and select Edit System Policy.
  3. In System Policy Editor, in the Configuration Groups tree, click Diagnostic Services.
  4. Click Microsoft Error Reporting under the Diagnostic Services folder.
  5. In the right-hand pane, uncheck the Enable box, as shown in Figure 3, below.

Figure 3: Disabling Microsoft Error Reporting in System Policy Editor.

NOTE: Some Microsoft TechNet articles incorrectly list the Error Reporting service as a required service for ISA Server and imply that it should be configured to start automatically. You can safely ignore that recommendation and disable the service in the Services console as well as in System Policy.

Tip #6: Reconfigure System Policy Allowed Sites
By default, the Allowed Sites configuration group is enabled, allowing ISA Server to access content on specific sites that belong to the System Policy Allowed Sites domain name set. The default system policy allows HTTP and HTTPS access from the Local Host network (the ISA Server computer) to the Microsoft.com Web site. This is mainly used by Microsoft for error reporting. You should allow only *.windowsupdate.com site and remove all other Web sites listed in that group.

Tip #7: Delegate Administration
For larger environments where several people are involved in managing ISA Server computers, consider using the ISA Server Administration Delegation Wizard. You can start the wizard by going to ISA Server Management Console and right-clicking your ISA Server name. The wizard allows you to assign roles to different users and groups so they can monitor arrays. The three roles that can be assigned are:

  • ISA Server Array Administrator
  • ISA Server Array Auditor
  • ISA Server Array Monitoring Auditor

Look for more information about these roles in the ISA Server help file.

Tip #8: Disallow Older Firewall Clients
Firewall client for ISA Server uses a protocol that encrypts data transmission between the Firewall client and the ISA Server. Do not allow older versions of Firewall clients because they can't encrypt the communication channel. Ensure that the box "Allow non-encrypted Firewall client connections" is unchecked, as shown in Figure 4, below.

Figure 4: Restricting connections from older Firewall clients.

Tip #9: Don't Enable Guest Account
Unfortunately, the Guest account still exists in Windows Server 2003, even though no one ever uses it and Microsoft tells everyone to leave it disabled. Enabling the Guest account on any computer can be bad, but enabling it on ISA Server opens a serious security hole, so double-check to make sure it's closed. ISA Server recognizes the Guest account as the default All Authenticated Users user set.

Tip # 10: Avoid Running Browsers on ISA Server
Do not run a Web browser to surf the Internet on your ISA Server. As we know, surfing the Internet is one of the most common methods of inviting spyware, keyloggers, and malware on your computer. If you are in a bind and you must go to a known site that you trust, run your browser (preferably Mozilla's Firefox -- avoid Internet Explorer) with non-administrative credentials to minimize potential harm. However, it's really hard to justify running a Web browser on any server, let alone a firewall.

Additional Tips
Here are some additional tips that you may find helpful in securing your ISA Server:

  • If ISA Server ever gets compromised, or you discover a virus or spyware on your ISA Server, you should reinstall ISA Server. Some people try to clean the server with tools they feel comfortable with, but reinstalling is most likely the safest option.
  • If you have multiple ISA Server 2004 computers in your environment, you should create a security template and apply it to all your ISA Servers for consistency.
  • When configuring firewall chaining, use IP Security (IPSec) to secure the communication channel between your ISA Server computer and the upstream server in the chain.
  • Disable services and features that you do not need on ISA Server to reduce the attack surface.
  • When making backups, ensure that the backup file is protected with a password.

Want More?
There are lots of additional areas that you can secure on your ISA Server. Check out ISA Server 2004 Security Hardening Guide from Microsoft for additional tips. As I mentioned earlier, don't forget to secure your Windows Server 2003 operating system properly -- otherwise all your techniques for securing ISA may not be very effective.


Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at .

 


There are 16 CertCities.com user Comments for “Best Practices for Securing ISA Server 2004”
Page 1 of 2
8/17/06: Thomas W Shinder MD from www.isaserver.org says: While there is some generally good advice here, the recommendation to not make the ISA firewall a domain member is fatally flawed, and the error is compounded by stating that a simple PIX packet filter device is going to provide any "enhanced" protection. This is just rehashed "tribal knowledge" and has no basis in fact. Check my blog for a detailed rebuttal and fact-based ISA Server security information.
8/23/06: Anonymous says: Whose word shall i trust now????? Zubair or Shinder?
8/23/06: Betsy MacKenzie from Seattle says: I'd put my money on Zubair. His articles tend to be well-written, his spelling is correct, he uses visuals, and he writes in conversational language that is easily understood.
8/23/06: Charles from Florida says: First, let me say that my company is currently running ISA server in a workgroup and we also know several other companies that run in a workgroup. Second, the author makes many good points in this article and almost all of them are also recommended by Microsoft. I think it is in bad taste to criticize someone else's writing without any specifics and then simply plug your own Web site. I looked at Shinder's Web site and did not find it very helpful at all. The tips in this article are definitely worth checking out and I will make sure my server complies with these recommendations.
8/24/06: ISA Newb from Seattle says: I did find the link to the MS hardening guide to be useful. Black Hat had a good two day class this year on ISA Server that was useful for folks looking to gain knowledge above the "don't surf the web from your servers" level.
9/6/06: Anonymous says: Fairly good article overall. The point about having failover and power protection for your ISA server though has nothing to do with security so is not a necessity nor even worth mentioning in an article about security. On the point of ISA server being in a domain or workgroup there are cases where this is useful. To put a final point on it unless you actually NEED it in your domain then it is probably a good idea to leave it out. However don't let this scare you off if you require features that can only be used while it is in a domain. The threat to your security from an external source to your domain is negligible if the ISA server is in your domain and the internal security measures you can employ such as user authentication, access control and user based logging can prove much more valuable to many companies. So yes Shinder is mostly correct in what he says but like I said if you don't really require it then there is no harm leaving it out of your domain.
9/6/06: cj9 from philippines says: Zubair, that was amazing. I've never read such a clear and well explained blog. There are only few of you who can make such a splendid blog. More power to you! www.rbsbrookland.com
9/27/06: Anonymous says: Zubair, way to go!! Great column, very clearly explained. I would take your comments over Shinder any day of the week.
11/16/06: Josh from USA says: I'll take Thomas Shinder's word over this guy's any day of the week, in regards to ISA Server. To the people who wrote that this is a great article, well, I decided this post would probably get deleted if I finished that thought. I will avoid Zubair's articles in the future. His "tips" are of the most basic level. I would have just glanced over the article and then dismissed it, but these posts got me worked up.
11/30/06: DU from vn says: Dear Sir, would you mind sending me a practice lab of ISA 2004? Thanks so much. DU