Microsoft Internet Security and Acceleration (ISA) Server 2006 introduces a multi-tiered architecture in which configuration information is stored on the Configuration Storage server. Array members communicate with the Configuration Storage server to get up-to-date configuration information, and array members also communicate with each other. To help secure this deployment model, follow the security best practices listed in this topic. In addition, to help secure computers running ISA Server services, follow the guidelines listed in Security best practices. You should also review the ISA Server Security Hardening Guide document available at the Microsoft TechNet Web site (http://www.microsoft.com/), because it is updated periodically with new information.
Securing the Configuration Storage server
To secure the Configuration Storage server, follow these guidelines:

- We recommend that you install the Configuration Storage server on a dedicated computer that is not used for additional tasks.

- Safeguard the security of the Configuration Storage server. Ensure that the computer is physically secure.

- After you create administrator roles, avoid performing any tasks on the Configuration Storage server. Changes to the Configuration Storage server should be made using enterprise administrator credentials on an ISA Server array computer or on a remote management computer.

- Users who belong to the Administrators group on the Configuration Storage server effectively have Enterprise Administrator permissions, because they can directly modify any data on the Configuration Storage server.

- We recommend that you do not place the Configuration Storage server at the edge of the network. Rather, place it behind a computer running ISA Server services, which will help protect it from potential attacks.
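Because local Administrators on the Configuration Storage server are effectively ISA Enterprise Administrators, the membership of that group is worth auditing. The following PowerShell script is an added example, not part of the ISA Server documentation: it enumerates the local Administrators group through ADSI (which works on the Windows Server versions ISA Server 2006 runs on) and flags any member not on a constructed allow-list. The account names in $expected are assumptions; replace them with the accounts you actually expect on your Configuration Storage server.

```powershell
# Added example: audit local Administrators on a Configuration Storage server.
# Every member of this group can modify ISA configuration data directly, so
# anyone not on the expected list should be investigated and removed.

# Constructed allow-list (assumed names): the enterprise administrators group
# and the built-in local Administrator account. Local accounts are reported
# as COMPUTERNAME\name, domain accounts as DOMAIN\name.
$expected = @(
    'CONTOSO\ISAEnterpriseAdmins',
    "$env:COMPUTERNAME\Administrator"
)

# Bind to the local Administrators group via the WinNT ADSI provider.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Members come back as COM objects; read each one's ADsPath
# (e.g. WinNT://CONTOSO/jsmith) and convert it to DOMAIN\name form.
$members = @($group.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
}

# Note: nested membership of domain groups is not expanded here; review the
# members of any domain group on the allow-list separately.
$unexpected = @()
foreach ($m in $members) {
    if ($expected -contains $m) {
        Write-Output "OK         $m"
    } else {
        Write-Output "UNEXPECTED $m  (effectively an ISA Enterprise Administrator)"
        $unexpected += $m
    }
}

Write-Output ("{0} member(s) checked, {1} unexpected." -f $members.Count, $unexpected.Count)
```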
To secure intra-array communication, follow these guidelines:

- Upon installation, a private/public key pair is created for each array member. These keys are used to transfer confidential data between array members. If you believe that the keys have been compromised, create a new key pair by uninstalling and then reinstalling ISA Server.

- We recommend that you use a dedicated network adapter in a network used only for intra-array communication. This network should include all the array members' intra-array addresses. For more information, see Configuring and securing intra-array communication.

- When you enable NLB, place a router in front of the NLB-enabled array. Configure the router so that it blocks raw IP traffic. Otherwise, all the array members will handle the traffic simultaneously.

- When NLB is enabled, it synchronizes array members by using pure Ethernet protocol communication. This low-level traffic is not protected by ISA Server. To help secure that traffic, we strongly recommend that you place a Layer-3 router between the Internet and the NLB-enabled array. The Layer-3 router will not forward the low-level Ethernet protocol, thereby helping protect the array from potentially malicious Ethernet traffic from the Internet intended to disrupt the operation of NLB.