Implementing a Secure ISA Server - PowerPoint PPT Presentation



1
Implementing a Secure ISA Server
  • Roberta Bragg

2
Step One
  • Read Step Ten before actually doing any of these
    steps!

3
Step Two: Planning
  • What do you want? A firewall? A caching server? Both?
  • Single server? DMZ? Array?
  • Amount of traffic?
  • What needs to pass through?
  • Machine sizing

4
Step Three: Network Preparations
  • Network addresses
  • Routers
  • Ensure internal DNS for internal network clients
  • External DNS for ISA Server
  • Changes required to network configuration? Clients?

5
Step Four: Install Clean W2K
  • Separate drives/partition system data from firewall
  • Customization - Uncheck all options!
    • Accessories
    • IIS
  • Custom networking: only TCP/IP
  • External Card
    • Disable DNS automatic registration
    • Disable Windows networking
    • Disable NetBIOS over TCP/IP
  • Internal Card as appropriate for your network
  • Workgroup, not domain

6
Step Five: Pre-ISA Install
  • Edit %systemroot%\inf\sysoc.inf and remove the hide keyword where it appears
  • Use Add/Remove to remove Fax, Image View, Pinball, Word Pad (be careful here!)
  • Check Routing Table
  • Clean Certificate Store: remove unnecessary certificates
  • Disable services that get installed by default but are not needed
  • Apply Service Pack/patches
  • So, what services do you need?
    • DNS client
    • Eventlog
    • Logical disk manager
    • Plug and play
    • Protected storage
    • Security accounts manager
    • Telephony
  • And maybe
    • IPSec policy agent
    • Network connections manager
    • Remote procedure call
    • Remote registry service
    • Run as
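
Added example (not part of the original slides): a small offline check that compares saved `net start` output against the two service lists on this slide. The Windows 2000 display names mapped to the slide's wording, and the sample output, are assumptions constructed for illustration.

```python
import re

# Slide wording -> display name `net start` is assumed to print on Windows 2000
# (the display names are assumptions; confirm them on your own build).
REQUIRED = {
    "DNS client": "DNS Client", "Eventlog": "Event Log",
    "Logical disk manager": "Logical Disk Manager", "Telephony": "Telephony",
    "Plug and play": "Plug and Play", "Protected storage": "Protected Storage",
    "Security accounts manager": "Security Accounts Manager",
}
OPTIONAL = {  # the slide's "And maybe" list
    "IPSec policy agent": "IPSEC Policy Agent",
    "Network connections manager": "Network Connections",
    "Remote procedure call": "Remote Procedure Call (RPC)",
    "Remote registry service": "Remote Registry Service",
    "Run as": "RunAs Service",
}

def _norm(name):
    # Compare names ignoring case, spacing and punctuation.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def parse_net_start(text):
    # Service names are the indented lines; header and status lines are not.
    return [ln.strip() for ln in text.splitlines() if ln[:1].isspace() and ln.strip()]

def audit(net_start_output):
    # Classify what is running against the slide's two lists.
    running = parse_net_start(net_start_output)
    seen = {_norm(s) for s in running}
    req = {_norm(v): k for k, v in REQUIRED.items()}
    opt = {_norm(v): k for k, v in OPTIONAL.items()}
    return {
        "missing_required": sorted(k for n, k in req.items() if n not in seen),
        "optional_running": sorted(k for n, k in opt.items() if n in seen),
        "unexpected": sorted(s for s in running if _norm(s) not in {**req, **opt}),
    }

# Constructed sample output, not captured from a real host.
SAMPLE = "These Windows 2000 services are started:\n\n" + "".join(
    f"   {s}\n" for s in [
        "DNS Client", "Event Log", "Logical Disk Manager", "Messenger",
        "Plug and Play", "Print Spooler", "Protected Storage",
        "Remote Procedure Call (RPC)", "Security Accounts Manager",
    ]) + "\nThe command completed successfully.\n"

if __name__ == "__main__":
    for finding, names in audit(SAMPLE).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Anything reported as unexpected is a candidate for disabling; per Step Ten, test before and after changing it.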

7
Step Six: ISA Installation
  • Install only services you need
  • Do not install H.323 unless you are going to use it!
  • Install onto a different partition from the OS
  • If this is Enterprise
    • Select administrative array/enterprise policies as per your organization's administrative policy
  • Only allow publishing if in DMZ
  • Enable packet filtering
  • Configure the LAT so it only has addresses in the internal network

8
Step Seven: After Install, Test Basic Connectivity
  • Ensure LAT only contains addresses from internal network
  • Connection to Internet?
  • Check default site and content rule
  • Add Protocol rule
  • REMOVE TEST!

9
Step Eight: Secure ISA
  • Set file/folder/share permissions
    • Mspclnt share: Authenticated Users Read
    • Inheritance not allowed from parent folder, apply settings to folder, subfolders, files
    • Installation Directory, Clients directory, Urlcache
    • Administrators, Creator/Owner, System: Full Control
    • Clients: Authenticated Users Read & Execute
  • Tweak then apply security template
  • Follow guidelines for secure configuration
  • Of especial importance
    • Limit accounts in local database
    • Use strong passwords

10
Step Nine: Configure and Roll Out
  • Configure client access as per plan
  • Configure packet filters/intrusion detection as per plan
  • Do not enable IP routing unless DMZ 3-homed firewall/mail server publishing
  • Test
  • Configure Reporting/Monitoring
  • Install and Configure Clients

11
Step Ten
  • Never, never, never accept on faith any advice from a security guru, government agency, book, Microsoft document, SearchWin2000 chat.
  • Your network, server, use, requirements may differ
  • TEST