It is important to follow best practices for security when using
Microsoft Internet Security and Acceleration (ISA) Server 2006
as a virtual private network (VPN) server. The following is
a list of recommendations for securing your ISA Server computer in
its role as a VPN server:
Follow these guidelines when determining which authentication methods to enable:
Use authentication methods that provide adequate security. The
most secure method of authentication is Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS) used in conjunction
with smart cards. Although EAP-TLS with smart cards is harder to
deploy, because it requires a public key infrastructure (PKI), it
is considered the most secure authentication method: the user
proves possession of a private key held on the card instead of
presenting a password that can be guessed or replayed.
If you use password-based authentication, enforce strong
password policies on your network to make dictionary attacks more
difficult.
Require your remote VPN clients to authenticate with the more
secure authentication protocols, such as Microsoft Challenge
Handshake Authentication Protocol version 2 (MS-CHAP v2) or
Extensible Authentication Protocol (EAP), rather than allowing
them to use Password Authentication Protocol (PAP), Shiva Password
Authentication Protocol (SPAP), or Challenge Handshake
Authentication Protocol (CHAP). PAP sends the password in clear
text, SPAP uses a reversible encoding, and CHAP requires that
user passwords be stored with reversible encryption.
We strongly recommend that PAP, SPAP, and CHAP be disabled. They
are disabled by default; verify that nobody has re-enabled them in
the remote access policy.
Enable EAP-TLS, which is disabled by default in the profile of
a remote access policy. EAP-TLS requires a computer certificate on
the Internet Authentication Service (IAS) server that performs
the authentication, and a certificate for each client, either
installed on the client computer or carried on a smart card.
Before you deploy certificates, design the certificate templates
so that they meet the EAP-TLS requirements: a server
authentication certificate for the server, client authentication
certificates for users or computers, and each side chaining to a
certification authority that the other side trusts.
We recommend that you implement and enforce a strong password
policy, which makes a dictionary attack unlikely to succeed. With
such a policy in place, you can leave account lockout disabled, so
that an attacker cannot deliberately lock out legitimate users by
submitting bad passwords against their accounts.
Consider requiring your remote VPN clients to run particular
operating systems (such as Microsoft
Windows Server™ 2003, Windows® 2000 Server, or
Windows XP). Not all operating systems have equal levels of
security in their file systems and in their user accounting. Also,
not all remote access features are available on all operating
systems.
Use the ISA Server Quarantine Control feature to provide
phased network access for remote VPN clients. With Quarantine
Control, clients are held in a quarantine mode until their
configuration has been checked, and only then are they allowed
access to the network. Quarantine Control verifies and, if
necessary, corrects the configuration of computers used by
authorized users; it is not a defense against attackers or
malicious users on the VPN Clients network, because the
configuration check runs on a computer that the user controls.
Virus-infected VPN client computers are not automatically
blocked from flooding the ISA Server computer, or the networks it
protects, with requests. To catch this, implement monitoring
practices that detect anomalies such as alerts or unusual peaks in
traffic load, and configure alert notification to send e-mail
messages. If an infected VPN client computer is identified, do
either of the following:
Restrict VPN access by user name by using the remote access
policy to exclude the user from the VPN clients who are allowed to
connect.
Restrict VPN access by IP address. Do this by creating a new
network to contain external IP addresses that are blocked, and move
the IP address of the client out of the External network to the new
network.
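The following is an added example, not code from ISA Server 2006 or its documentation, showing what the monitoring recommendation above looks like in practice: a small Python script that reads tab-separated log lines, finds a VPN client whose per-minute request count spikes far above its peers, builds the e-mail notification, and lists the two containment steps described above (exclude the user in the remote access policy, or move the client's IP address into a dedicated blocked network). The log lines, user names, addresses, the network name "Blocked VPN Clients", the floor of 20 requests per minute, and the 5x ratio are all constructed for the example; the field layout resembles W3C firewall-log columns but is not the exact ISA Server schema.

```python
"""Flag VPN clients whose request rate spikes far above their peers.

Added illustrative example, not code from ISA Server 2006 or its
documentation. The log layout is constructed: tab-separated fields
resembling W3C firewall-log columns (client IP, user, date, time,
destination IP, source network); it is not the exact ISA Server schema.
"""
from collections import defaultdict
from email.message import EmailMessage
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    client_ip: str
    user: str
    minute: str      # "YYYY-MM-DD HH:MM", the aggregation bucket
    dest_ip: str
    network: str     # ISA source network name, e.g. "VPN Clients"


def _line(*fields: str) -> str:
    return "\t".join(fields)


# Constructed sample log: two well-behaved VPN users, one client (carol's)
# that suddenly issues 40 requests in a single minute, plus one line from
# the External network that the VPN-only analysis must ignore.
_sample = [
    "#Fields: c-ip cs-username date time r-ip cs-Network",
    _line("10.10.8.21", "CORP\\alice", "2007-03-12", "09:00:01", "192.168.1.50", "VPN Clients"),
    _line("10.10.8.21", "CORP\\alice", "2007-03-12", "09:00:17", "192.168.1.50", "VPN Clients"),
    _line("10.10.8.21", "CORP\\alice", "2007-03-12", "09:00:44", "192.168.1.51", "VPN Clients"),
    _line("10.10.8.22", "CORP\\bob", "2007-03-12", "09:00:05", "192.168.1.50", "VPN Clients"),
    _line("10.10.8.22", "CORP\\bob", "2007-03-12", "09:01:09", "192.168.1.52", "VPN Clients"),
    _line("10.10.8.22", "CORP\\bob", "2007-03-12", "09:01:30", "192.168.1.52", "VPN Clients"),
    _line("10.10.8.22", "CORP\\bob", "2007-03-12", "09:01:58", "192.168.1.50", "VPN Clients"),
    _line("203.0.113.9", "anonymous", "2007-03-12", "09:01:10", "192.168.1.50", "External"),
]
# The infected client sweeps 40 internal hosts within one minute (constructed).
_sample += [
    _line("10.10.8.23", "CORP\\carol", "2007-03-12", "09:01:%02d" % (i % 60),
          "192.168.1.%d" % (10 + i), "VPN Clients")
    for i in range(40)
]
SAMPLE_LOG = "\n".join(_sample)


def parse_log(text: str) -> List[Record]:
    """Parse tab-separated lines; skip W3C '#' directives and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        ip, user, date, time, dest, network = fields
        records.append(Record(ip, user, date + " " + time[:5], dest, network))
    return records


def find_flooding_clients(records: List[Record], floor: int = 20, ratio: float = 5.0,
                          network: str = "VPN Clients") -> Dict[str, Tuple[str, int]]:
    """Return {client_ip: (user, peak_requests_per_minute)} for clients on the
    given network whose busiest minute exceeds both an absolute floor and
    `ratio` times the median peak of the other clients (assumed thresholds)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    users: Dict[str, str] = {}
    for r in records:
        if r.network == network:
            counts[r.client_ip][r.minute] += 1
            users.setdefault(r.client_ip, r.user)
    peaks = {ip: max(minutes.values()) for ip, minutes in counts.items()}
    flagged = {}
    for ip, peak in peaks.items():
        others = [p for other, p in peaks.items() if other != ip]
        baseline = median(others) if others else 0
        if peak >= floor and peak > ratio * baseline:
            flagged[ip] = (users[ip], peak)
    return flagged


def response_plan(flagged: Dict[str, Tuple[str, int]],
                  blocked_network: str = "Blocked VPN Clients") -> List[str]:
    """List the two containment options from the page for each flagged client."""
    steps = []
    for ip, (user, peak) in sorted(flagged.items()):
        steps.append(f"{user} from {ip} peaked at {peak} requests/minute")
        steps.append(f"  remote access policy: remove {user} from the users allowed to connect")
        steps.append(f"  networks: move {ip} out of the External network into '{blocked_network}'")
    return steps


def build_alert_email(flagged: Dict[str, Tuple[str, int]], sender: str = "isa-alerts@example.com",
                      recipient: str = "soc@example.com") -> EmailMessage:
    """Build (but do not send) the notification; hand it to smtplib in production."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "ISA VPN alert: %d client(s) flooding" % len(flagged)
    msg.set_content("\n".join(response_plan(flagged)))
    return msg


if __name__ == "__main__":
    hits = find_flooding_clients(parse_log(SAMPLE_LOG))
    print(build_alert_email(hits))
```

The per-client comparison against the median of the other clients is what keeps a single infected machine from raising the baseline for everyone else; the absolute floor stops a quiet network from flagging a user who merely opens a few more connections than the rest. In production the log source would be the ISA Server firewall log and the message would be handed to smtplib rather than printed.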