System policy overview

Microsoft Internet Security and Acceleration (ISA) Server 2006 protects your network resources, while connecting them securely for specifically defined needs. ISA Server ensures a balance between security and the need to connect. This often requires defining specific firewall policy rules. It also requires that you put in place a networking infrastructure that allows for basic functionality. Authentication, network diagnostics and logging, and remote management are examples of services you may want to enable to effectively administer and monitor network activity and security. For more information, see System policy rules.

ISA Server introduces a system policy, a set of firewall policy rules that control how the ISA Server computer enables the infrastructure necessary to manage network security and connectivity. ISA Server is installed with a default system policy, designed to address the balance between security and connectivity.

Some system policy rules are enabled upon installation. These are considered the most basic and necessary rules for effectively managing the ISA Server environment. You can subsequently identify those services and tasks that you require to manage your network, and enable the appropriate system policy rules. For more information, see System policy defaults.

Limiting system policy

After you install ISA Server, you can configure the system policy. You identify those services and tasks not critical to how you manage your network, and then disable the associated system policy rules.

In general, from a security perspective, we strongly recommend that you disable all system policy rules that you do not require to manage your network. After installation, carefully review the system policy rules configured. After you perform major administration tasks, review the system policy configuration again.

For instructions, see Enable system policy configuration group.

In addition to disabling unnecessary system policy rules, limit the applicability of the rules to required network entities only. For example, the Active Directory® system policy configuration group, enabled by default, applies to all computers on the Internal network. You could limit this to apply only to a specific Active Directory group on the Internal network.

For instructions, see Edit destinations for a system policy rule.

Note

• Many system policy rules apply to the Local Host network. However, the Local Host network in the context of system policy rules refers to communication with the Microsoft Firewall service, and not with the ISA Server computer. There are some exceptions, for example, the Remote Management configuration group.

---

Get latest ISA Server content at ISA Server Guidance. Send feedback about this page.

• English-to-Russian translation