Follow these recommendations for logs and alerts for Microsoft
Internet Security and Acceleration (ISA) Server 2006:
Review the logs regularly and carefully, checking for
suspicious access and usage of network resources.
Configure alerts to send notifications to administrators.
Implement a rapid response procedure.
Use the log maintenance feature wisely, to ensure that the disk
on which log information is stored does not become full.
Configure the Log Storage Limits alert definition to stop the
ISA Server 2006 services when the limit is reached. In this way, you
allow traffic only while it can still be logged and appropriately
audited, rather than letting it pass unrecorded once the disk fills.
When you configure an alert to run an executable file or a
script, verify that the executable file or the script comes from a
trusted source and that its permissions allow only administrators to
modify it; anyone who can write to that file runs code with the
privileges of the account under which the alert action runs. We
further recommend that if the alert is triggered by a network
condition (for example, triggered when a packet is sent over the
network), you configure the alert to be triggered only once.
Otherwise, a malicious user who can produce that condition at will
could cause the alert action to run repeatedly, turning the alert
into a denial of service against the ISA Server computer. For
instructions on configuring how often to trigger the alert, see
Edit an alert threshold.
Save the logs to a separate NTFS disk partition for maximum
security. Only administrators of the ISA Server computer should
have access to the logs.
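The following script is an added example, not from the ISA Server documentation, of putting the file-based logs on their own NTFS volume with an explicit, minimal ACL and then checking the result. The drive letter and folder are assumptions; it uses PowerShell with the icacls tool available on Windows Server 2003 SP2, which ISA Server 2006 runs on.

```powershell
# Added example (not ISA Server's own code): dedicate an NTFS volume to ISA logs
# and grant access only to Administrators, SYSTEM and the service account that
# writes the logs. Drive letter and folder are assumptions.
$LogDrive = 'L:'
$LogRoot  = "$LogDrive\ISALogs"

# Refuse to continue unless the target volume is NTFS; FAT volumes have no ACLs,
# so the "administrators only" requirement cannot be met there.
$vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$LogDrive'"
if ($vol -eq $null) { throw "Volume $LogDrive not found" }
if ($vol.FileSystem -ne 'NTFS') { throw "Log volume must be NTFS, found $($vol.FileSystem)" }

New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null

# Remove inherited entries, then grant explicit rights only.
# (OI)(CI) = inherit to files and subfolders; F = full control; M = modify.
icacls $LogRoot /inheritance:r
icacls $LogRoot /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
icacls $LogRoot /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
# The Microsoft Firewall service runs as NETWORK SERVICE and writes the log
# files, so it needs modify rights (create, write, delete for log maintenance),
# not full control; nobody else gets an entry at all.
icacls $LogRoot /grant:r 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)M'

# Verify: any ACE for a principal outside the allow-list is a finding.
$allowed = @('BUILTIN\Administrators',
             'NT AUTHORITY\SYSTEM',
             'NT AUTHORITY\NETWORK SERVICE')
$acl = Get-Acl -Path $LogRoot
foreach ($ace in $acl.Access) {
    if ($allowed -notcontains $ace.IdentityReference.Value) {
        Write-Warning ("Unexpected ACE on {0}: {1} has {2}" -f
            $LogRoot, $ace.IdentityReference.Value, $ace.FileSystemRights)
    }
}
```

After running it, point the Firewall and Web Proxy log definitions in ISA Server Management at the new folder and confirm new log files appear there and nowhere else; rerun the verification loop after any later permission change, because inherited entries added to the volume root would otherwise silently widen access.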
When you save log information to an SQL database, use Windows
authentication (and not SQL authentication).
If you are logging the information to a remote database,
configure encryption and data signature for the log information
being copied to the remote database.
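As an added example that is not part of the original page, the SQL Server side of the Windows-authentication recommendation: the ISA Server computer account gets a Windows login with nothing but INSERT on the log tables, and the script lists any remaining SQL-authenticated logins as a check. Every name in it is an assumption: CONTOSO\ISA01$ is the ISA Server computer account (the identity the Firewall service presents when it uses Windows authentication), SQLLOG01 a SQL Server 2005 instance with the sqlcmd tool installed, ISALogs the database, and FirewallLog and WebProxyLog the tables created by the fwsrv.sql and w3proxy.sql scripts shipped with ISA Server.

```powershell
# Added example (not ISA Server's or SQL Server's own code): least-privilege
# Windows login for ISA Server logging. All names are assumptions, see lead-in.
$SqlInstance = 'SQLLOG01'
$Script      = "$env:TEMP\isa-sql-login.sql"

@'
USE [ISALogs];
-- Windows login only: no password is stored in the ISA configuration or sent on
-- the wire; Kerberos authenticates the computer account.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\ISA01$')
    CREATE LOGIN [CONTOSO\ISA01$] FROM WINDOWS WITH DEFAULT_DATABASE = [ISALogs];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\ISA01$')
    CREATE USER [CONTOSO\ISA01$] FOR LOGIN [CONTOSO\ISA01$];
-- Write-only: ISA Server appends log rows and never needs to read, change or
-- delete them, so a compromised ISA Server cannot rewrite the audit trail.
GRANT INSERT ON dbo.FirewallLog TO [CONTOSO\ISA01$];
GRANT INSERT ON dbo.WebProxyLog TO [CONTOSO\ISA01$];
-- Check: every SQL-authenticated login on the instance. None should exist for
-- ISA logging; anything besides sa deserves a second look.
SELECT name, is_disabled FROM sys.server_principals
WHERE type = 'S' AND name NOT LIKE '##%';
'@ | Set-Content -Path $Script

# -E: run with the Windows credentials of the administrator executing the script.
sqlcmd -S $SqlInstance -E -i $Script
Remove-Item -Path $Script
```

The encryption and data-signature settings on the ISA side protect the connection only if the SQL Server end accepts them; on SQL Server 2005 that means installing a server certificate and enabling Force Encryption for the instance's protocols in SQL Server Configuration Manager, then confirming the ISA Server log definition still writes rows.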
For maximal security, configure Internet Protocol security
(IPsec) for the communication between the ISA Server computer and
SQL Server.
If log information cannot be saved for any reason, put the ISA
Server computer into lockdown mode so that no traffic passes
unlogged. To do so, configure an alert definition for the Log
Failure event that stops the Microsoft Firewall service. For
instructions, see Add an alert definition.
Network issues, such as floods or congestion, may cause
connectivity failure between the ISA Server computer and the
logging server. ISA Server then cannot write its logs, the Log
Failure alert fires, the Firewall service stops, and ISA Server
enters lockdown mode. To avoid such issues, do the following:
Use a private network between the ISA Server computer and the
logging server.
Protect the logging servers from receiving traffic from
untrusted sources.
Configure IPsec for the communication between the ISA Server
computer and the logging server.
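The IPsec recommendation appears twice above, once for the SQL Server connection and once for the logging server in general; the script below is an added example for both, not taken from the ISA Server documentation. It builds and assigns a Windows Server 2003 IPsec policy with the netsh ipsec static context that requires ESP for the traffic between the two computers, with no clear-text fallback. Addresses, the TCP port (1433, the default SQL Server port) and all names are assumptions, and Kerberos authentication assumes both computers are members of the same domain.

```powershell
# Added example (not ISA Server's own code): require ESP between the ISA Server
# computer and the logging server. Run the same script on both computers; the
# filter is mirrored, so it matches the pair in either direction.
$IsaIp      = '10.0.1.5'       # ISA Server computer (assumed)
$LogIp      = '10.0.1.20'      # SQL Server / logging server (assumed)
$LogPort    = 1433             # SQL Server TDS port; change for a named instance
$Policy     = 'ISA-LogServer'
$FilterList = "$Policy-Filters"
$Action     = 'Require-ESP'

# 1. Policy container; activatedefaultrule=no keeps the default response rule
#    off so only the explicit rule below decides what gets negotiated.
netsh ipsec static add policy "name=$Policy" activatedefaultrule=no

# 2. Filter list covering exactly the ISA <-> logging server pair on the log port.
netsh ipsec static add filterlist "name=$FilterList"
netsh ipsec static add filter "filterlist=$FilterList" "srcaddr=$IsaIp" "dstaddr=$LogIp" protocol=TCP srcport=0 "dstport=$LogPort" mirrored=yes

# 3. Filter action: negotiate ESP with 3DES/SHA1.
#    inpass=no  - do not accept unsecured inbound packets while negotiating
#    soft=no    - never fall back to clear text if negotiation fails
#    (the brackets/comma are quoted so PowerShell passes them through unchanged)
netsh ipsec static add filteraction "name=$Action" action=negotiate 'qmsecmethods=ESP[3DES,SHA1]' inpass=no soft=no

# 4. Rule tying the filter list to the action. Kerberos authenticates the two
#    computer accounts; use rootca= instead for certificate authentication.
netsh ipsec static add rule name=LogTraffic "policy=$Policy" "filterlist=$FilterList" "filteraction=$Action" kerberos=yes

# 5. Assign it. Only one local IPsec policy can be assigned at a time, so check
#    first that this does not replace a policy you still need.
netsh ipsec static set policy "name=$Policy" assign=y

# Verify: the policy is assigned, and once log traffic has flowed a quick-mode
# SA between the two addresses is listed. No SA means the logs are not protected
# (or not flowing at all, which the Log Failure alert will soon tell you).
netsh ipsec static show policy "name=$Policy"
netsh ipsec dynamic show qmsas
```

Because soft=no refuses clear text, a misconfiguration on either side breaks logging rather than silently downgrading it; with the Log Failure alert configured as recommended above, that in turn stops the Firewall service. Test the policy on both computers in a maintenance window before relying on it.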
Enable Windows auditing. In this way, you can monitor who logs
on to the ISA Server computer.
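An added example, not from the ISA Server documentation, of turning on logon auditing on the ISA Server computer. On Windows Server 2003 the audit policy is applied from a security template with secedit; the template and file paths below are assumptions, and the categories are a reasonable baseline rather than a setting the page prescribes.

```powershell
# Added example (not ISA Server's own code): enable Windows auditing so logons
# to the ISA Server computer are recorded in the Security event log.
$Template = "$env:TEMP\isa-audit.inf"
$Db       = "$env:TEMP\isa-audit.sdb"
$Export   = "$env:TEMP\isa-audit-current.inf"

# Security template. Values: 0 = none, 1 = success, 2 = failure, 3 = both.
# Single-quoted here-string so the $ signs in the signature are not expanded.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents=3
AuditAccountLogon=3
AuditAccountManage=3
AuditPolicyChange=3
AuditPrivilegeUse=2
AuditSystemEvents=3
'@ | Set-Content -Path $Template -Encoding Unicode

# Apply only the SECURITYPOLICY area so nothing else on the computer changes.
secedit /configure /db $Db /cfg $Template /areas SECURITYPOLICY /quiet

# Verify by exporting the effective policy and showing the audit lines; every
# Audit* setting from the template should read back with the same value.
secedit /export /cfg $Export /areas SECURITYPOLICY /quiet
Get-Content -Path $Export | Select-String -Pattern '^Audit'

Remove-Item -Path $Template, $Db, $Export -ErrorAction SilentlyContinue
```

Auditing is only useful if the Security log is large enough not to wrap before it is reviewed and is included in the regular log review recommended at the top of this page; if the ISA Server computer is a domain member, confirm that no Group Policy audit setting overrides the local one.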