System policy overview

Microsoft Internet Security and Acceleration (ISA) Server 2006 protects your network resources while connecting them securely for specifically defined needs. ISA Server balances security against the need to connect. This often requires defining specific firewall policy rules, and it also requires a networking infrastructure that allows for basic functionality. Authentication, network diagnostics and logging, and remote management are examples of services you may want to enable to administer and monitor network activity and security effectively.

ISA Server introduces system policy, a set of firewall policy rules that controls how the ISA Server computer enables the infrastructure necessary to manage network security and connectivity. ISA Server is installed with a default system policy, designed to address the balance between security and connectivity.

Some system policy rules are enabled upon installation. These are considered the most basic and necessary rules for effectively managing the ISA Server environment. You can subsequently identify those services and tasks that you require to manage your network, and enable the appropriate system policy rules.

Limiting system policy

After you install ISA Server, you can configure the system policy. You identify those services and tasks not critical to how you manage your network, and then disable the associated system policy rules.

In general, from a security perspective, we strongly recommend that you disable every system policy rule that you do not require to manage your network. After installation, carefully review the configured system policy rules. After you perform major administrative tasks, review the system policy configuration again.

For instructions, see Enable system policy configuration group.

In addition to disabling unnecessary system policy rules, limit the applicability of the rules to required network entities only. For example, the Active Directory® directory service system policy configuration group, enabled by default, applies to all computers on the Internal network. You could limit this to apply only to a specific Active Directory group on the Internal network.

For instructions, see Edit destinations for a system policy rule.
System policy processing order

For ISA Server 2006 Enterprise Edition, ISA Server processes system policy rules first, before any other array-level rule, and before pre-array enterprise rules. This means that the array administrator can override pre-array enterprise policy rules by configuring the system policy.
