Because the computer on which Microsoft Internet Security and
Acceleration (ISA) Server 2006 is running is often the primary
interface to the External network, we recommend that you secure the
computer. In addition to the information in this Help file, you
should periodically review the ISA Server Security Hardening
Guide document available at the Microsoft
TechNet Web site(http://www.microsoft.com/), because it is
updated periodically with new information.
Securing the computer
To secure the ISA Server computer, perform the following:
Install critical updates for the following:
Operating system
ISA Server (latest updates available at the ISA Server
Web site(http://www.microsoft.com/))
Additional components installed by ISA Server, including
Microsoft SQL Server™ 2000 Desktop Engine
(MSDE 2000) and OWC
We strongly recommend that you run the Microsoft Baseline Security
Analyzer (MBSA) on computers running ISA Server. When you run MBSA, it
alerts you that MSDE 2000 (an optional component installed by ISA
Server) uses the Local Service account. You can safely ignore this
message, because ISA Server allows only local access to the MSDE 2000
instance; it is not reachable from any of the networks attached to the
ISA Server computer.
Ensure that the ISA Server computer is stored in a physically
secure location. Physical access to a server is a high security
risk. Physical access to a server by an intruder could result in
unauthorized access or modification, as well as installation of
hardware or software designed to circumvent security. To maintain a
secure environment, you must restrict physical access to the ISA
Server computer.
If you suspect that the ISA Server computer was compromised,
reinstall ISA Server.
If a user unknowingly executes hostile code, and that hostile
code has been packaged with additional files including modified
versions of system DLLs, the hostile code could load its own
versions of those DLLs, potentially increasing the type and degree
of damage the code can cause. This works because, when safe DLL search
mode is disabled, Windows searches the current directory before the
system directories, so a DLL dropped alongside the hostile program is
found before the legitimate copy. Configure the security setting MSS:
Enable Safe DLL search mode (recommended) to a value of Enabled. This
sets the SafeDllSearchMode value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager to
1; the change takes effect after a restart. For more information about
this registry key, see Additional Registry Settings at the Microsoft
TechNet Web site(http://www.microsoft.com/).
When you revoke the administrative permissions of an ISA Server
administrator, also delete that user's account on the ISA Server
computer. Removing the ISA Server administrative role does not remove
the Windows account, which otherwise keeps any logon rights and
permissions it was granted outside ISA Server.
To help protect against man-in-the-middle attacks on the Address
Resolution Protocol (ARP) cache, we recommend that you place a
router between the ISA Server computer and any untrusted network. ARP
operates at the link layer and is not forwarded by routers, so an
attacker must be on the same physical network segment as the ISA Server
computer to poison its ARP cache. When ISA Server must share a physical
network with an untrusted network, we recommend that you use static ARP
entries: add a static entry for the default gateway on the ISA Server
computer and, for optimal security, a static entry for the ISA Server
computer on the other hosts on that physical network.
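The following script, added here as an example and not part of the ISA Server Help, applies two of the steps above on the ISA Server computer: it enables safe DLL search mode by setting the SafeDllSearchMode registry value, and it pins the default gateway's ARP entry on the external interface with the arp.exe command. It assumes that Windows PowerShell is installed on the server and that the interface address, gateway address and gateway MAC address shown are placeholders you replace with your own values; obtain the MAC address out of band (for example from the router's own console), not from an arp -a listing that may already be poisoned.

```powershell
# Added example, not part of the ISA Server Help. Run in an elevated
# Windows PowerShell session on the ISA Server computer.

# 1. Safe DLL search mode. The "MSS: Enable Safe DLL search mode" setting
#    maps to this registry value; 1 = Enabled. Takes effect after a restart.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$current = (Get-ItemProperty -Path $sessionManager -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($current -eq 1) {
    Write-Host 'SafeDllSearchMode is already enabled.'
} else {
    Set-ItemProperty -Path $sessionManager -Name SafeDllSearchMode -Value 1 -Type DWord
    Write-Host "SafeDllSearchMode set to 1 (was '$current'); restart the computer to apply it."
}

# 2. Static ARP entry for the default gateway on the external interface.
#    All three values are placeholders (assumptions); replace them with
#    your own, and take the MAC from the gateway itself, not from a cache
#    that may already be poisoned.
$externalIp = '203.0.113.10'       # ISA Server external interface address
$gatewayIp  = '203.0.113.1'        # default gateway on that segment
$gatewayMac = '00-11-22-33-44-55'  # gateway MAC, hyphen-separated as arp.exe expects

# arp -s <ip> <mac> [<interface ip>] adds a static entry bound to that interface.
& arp.exe -s $gatewayIp $gatewayMac $externalIp
if ($LASTEXITCODE -ne 0) { throw "arp -s failed (exit code $LASTEXITCODE)" }

# Show the entry; the Type column should now read "static".
& arp.exe -a $gatewayIp
```

Static entries added with arp -s do not survive a restart, so run the script at startup (for example as a scheduled task). The script does not add the matching static entry for the ISA Server computer's own address on the router and the other hosts of that segment; do that on each of those hosts.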
Securing the configuration
To secure the configuration, perform the following:
Apply the principle of least privilege, where a user has
the minimum privileges necessary to perform a specific task. This
helps ensure that, if a user account is compromised, the impact is
minimized by the limited privileges held by that user.
Administrators should use an account with restrictive permissions
to perform routine, nonadministrative tasks, and use an account
with broader permissions only when performing specific
administrative tasks. Consider this when you assign ISA Server
administrative roles. For more information about
role-based administration, see Role-Based Administration
Concepts in ISA Server 2006 on the Microsoft
ISA Server TechCenter Web site(http://www.microsoft.com).
Carefully determine who should have permission to log on to the
ISA Server computer. Then, configure the logon rights accordingly.
For more information, see Windows Help.
Apply the principle of reduced attack surface, disabling
services and functions not critical to the current task. Disable
ISA Server features that you do not use. Configure a system
policy suited specifically to your network needs, disabling
unnecessary functionality. For more information about system
policy, see System policy overview.
When requested to present credentials, use strong passwords. A
password is considered strong if it provides an effective defense
against unauthorized access. A strong password does not contain all
or part of the user account name, and contains at least three of
the four following categories of characters: uppercase characters,
lowercase characters, base 10 digits, and symbols found on the
keyboard (such as !, @, or #).
When configuring firewall
chaining, we recommend that you use IPsec to secure the
communication channel between the ISA Server computer and the
upstream server.
After applying configuration changes, test them. For example,
port scan the ISA Server computer from each network it is attached
to, to verify that only the ports your access rules, publishing rules,
and system policy require are actually open.
Restrict membership in the Remote Management Computers computer
set to computers that require remote administration access. For
example, do not add entire networks, such as the Internal network,
to the computer set. This helps protect the firewall from worms
that affect those networks.
Create a network to contain computers that are infected. Do not
create any network rules for the network, so that it will not have
any access. When a computer is infected, move it into that network.
For ISA Server Enterprise Edition, this has to be performed on the
array level. Note that each computer that you move into this
network creates a gap in the address range of the Internal network,
thus fragmenting it. Fragmented networks have a negative
performance impact on ISA Server Network Load Balancing (NLB), so this approach should
be used carefully, and computers should be returned to their
original network as quickly as possible.
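The logon-rights and strong-password recommendations above can both be enforced with a security template. The following script is an added example, not part of the ISA Server Help or of ISA Server itself: it writes a template that limits Allow log on locally and Allow log on through Terminal Services to the local Administrators group and turns on the Windows password complexity policy (which enforces the account-name and three-of-four-categories rule described above), then applies it and verifies the result with secedit.exe. It assumes Windows PowerShell on the ISA Server computer; the file names under %TEMP% and the minimum password length of 14 are choices of this example, not requirements stated in the Help.

```powershell
# Added example, not part of the ISA Server Help. Run in an elevated
# Windows PowerShell session on the ISA Server computer.

$template = Join-Path $env:TEMP 'isa-logon-hardening.inf'   # assumed file names
$database = Join-Path $env:TEMP 'isa-logon-hardening.sdb'
$log      = Join-Path $env:TEMP 'isa-logon-hardening.log'

# Well-known SID S-1-5-32-544 is BUILTIN\Administrators. A template line
# replaces a right's whole assignment, so list every group that needs the
# right. Rights not listed are left unchanged. MinimumPasswordLength = 14
# is an assumption; PasswordComplexity = 1 is the Windows complexity rule.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@ | Set-Content -Path $template -Encoding Unicode

# Apply only the policy and user-rights areas of the template.
& secedit.exe /configure /db $database /cfg $template /areas SECURITYPOLICY USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $log" }

# Verify by exporting the effective settings and printing the ones we set.
$exported = Join-Path $env:TEMP 'isa-logon-effective.inf'
& secedit.exe /export /cfg $exported /areas SECURITYPOLICY USER_RIGHTS /quiet
Get-Content $exported |
    Select-String -Pattern '^(MinimumPasswordLength|PasswordComplexity|SeInteractiveLogonRight|SeRemoteInteractiveLogonRight)'
```

Because each template line replaces the right's entire assignment, add any other group that legitimately needs local logon (for example Backup Operators) to the same line before applying it, and test on a non-production server first. On a domain member, Group Policy can override these local settings at the next refresh, so put the same settings in the GPO that applies to the ISA Server computer.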
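The port-scan check recommended above, as an added example and not code from the ISA Server Help: run it from a computer on the External network against the firewall's external address. It attempts a TCP connection to each port in a range and reports any port that accepts a connection but is not in the expected list. The external address, the expected-port list and the scan range are placeholders for this example.

```powershell
# Added example, not part of the ISA Server Help. Run from a host on the
# External network, not on the ISA Server computer itself.

function Get-OpenTcpPorts {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int[]]  $Ports,
        [int] $TimeoutMs = 500
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Target, $port, $null, $null)
            # A handshake completed within the timeout means the port is open.
            # A timeout (firewall dropped the SYN) or a reset (Connected stays
            # false) means it is not.
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                $port
            }
        } catch {
            # Socket errors such as "connection refused" count as closed.
        } finally {
            $client.Close()
        }
    }
}

$external  = '203.0.113.10'                      # ISA external interface (placeholder)
$expected  = @(443)                               # e.g. only a published HTTPS site
$scanRange = @(1..1024) + @(1723, 3389, 8080)     # well-known ports plus a few extras

$open = @(Get-OpenTcpPorts -Target $external -Ports $scanRange)
$unexpected = @($open | Where-Object { $expected -notcontains $_ })

"Open TCP ports on ${external}: $($open -join ', ')"
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected open ports on ${external}: $($unexpected -join ', ')"
    exit 1
}
"Only the expected ports are open."
```

A connect scan finds only listening TCP ports; repeat it from the Internal network and any perimeter network against the corresponding interface address, and use a dedicated scanner such as nmap for UDP. Because the firewall silently drops packets to closed ports, each closed port costs the full timeout, so a 1,024-port scan at 500 ms takes roughly eight minutes.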
RADIUS server configuration recommendations
We recommend that you configure the Remote Authentication
Dial-In User Service (RADIUS) server as follows:
If you are using a RADIUS server for authentication, create a
connectivity verifier that monitors the server status. Configure
the alerts so that an appropriate action is taken when the RADIUS
server is not functioning.
Untrusted users should not have access to the network between a
RADIUS server and ISA Server. If untrusted users must have access,
use IPsec on this network.
Logging and alerting recommendations
Follow the recommendations in this section when configuring
logging and alerts. We recommend that you configure logging and
alerts as follows:
Review the logs regularly and carefully, checking for
suspicious access and usage of network resources.
Configure alerts to send notifications to administrators.
Implement a rapid response procedure.
Use the log maintenance feature to ensure that the disk on
which log information is stored does not become full.
Configure the Log Storage Limits alert definition to
stop the ISA Server services. In this way, you only allow access
when the access can be appropriately audited.
If log information cannot be saved for any reason, lock down
the ISA Server computer. To do so, configure an alert definition
for the Log Failure event that stops the Microsoft Firewall service. For instructions, see
Add an
alert definition.
When you configure an alert to run an executable file or a
script, verify that the executable file or the script is trusted
and that you have set appropriate permissions. We further recommend
that if the alert is triggered by a network condition (for example,
triggered when sending a packet over the network), configure the
alert to be triggered only once. Otherwise, a malicious user could
potentially generate a denial of service, by causing this alert to
be triggered repeatedly. For instructions on configuring how often
to trigger the alert, see Edit an alert
threshold.
Save the logs to a separate NTFS file
system disk partition for maximum security. Only administrators
of the ISA Server computer should have access to the logs.
For more information about monitoring, logging and reporting,
see Monitoring, Logging, and Reporting Concepts in ISA
Server 2006 on the Microsoft
ISA Server TechCenter Web site(http://www.microsoft.com).
Additional recommendations
Follow the security recommendations for the operating system
running on the ISA Server computer. Study and apply the security
practices described in the following documentation:
For Microsoft Windows Server™ 2003, see the
Windows Server 2003 Security Guide at the Microsoft
Download Center(http://www.microsoft.com/).
For more information about security in ISA Server, see the
documents available at the ISA Server
Guidance Site(http://www.microsoft.com/).
Note
If you do not require MSDE 2000 logging, uninstall the
Advanced Logging feature.