How to Secure the ISA Server Configuration

After securing the computer running ISA Server, the next step is to ensure that your ISA Server configuration is as secure as possible. After installation, ISA Server, Standard Edition, starts with a default configuration that provides a high level of security. As an ISA Server administrator, you must understand what the default configuration is and how you may need to modify it to provide additional security or functionality.

The ISA Server Default Configuration
After a standard installation, ISA Server starts with a default configuration. This configuration provides a high level of security because it does not allow any traffic to pass through the ISA Server computer from one network to another, whether to Internet or to internal resources. The default configuration is not empty, however: it also includes a set of system policy rules that govern traffic to and from the ISA Server computer itself.
Those system policy rules mean that, even on a newly installed ISA Server, some traffic can flow between the ISA Server computer and the connected networks. For example, Lightweight Directory Access Protocol (LDAP) traffic is permitted from the ISA Server computer to the internal network, which is what allows the ISA Server computer to operate as a member of an Active Directory domain. By default, though, no traffic is permitted through the ISA Server computer from one network to another.

Configuring System Policies
When ISA Server 2004 is installed, a default system policy is configured on the server. This system policy includes a variety of access rules that provide an initial configuration for ISA Server 2004. Depending on your organization's requirements, you may need to modify the system policy configuration, either by disabling some of the rules or by enabling and modifying others.

System policy rules define what traffic is allowed between the ISA Server computer and the connected networks. Every system policy rule describes access between the Local Host network, which is the ISA Server computer itself, and the connected networks; system policy never defines access between two other networks. Traffic that passes through the ISA Server computer is governed by firewall policy, not by system policy.

System Policy Settings A default system policy is applied when you install ISA Server 2004. This policy enables the functionality needed to manage the ISA Server computer and provide network connectivity.

Modifying System Policy After installing ISA Server, you should analyze the default system policy configuration and modify the policy to meet your organization's requirements. The default system policy enables more options than most organizations require. If your organization does not need a specific type of functionality enabled by a system policy rule, disable the rule. For example, the default system policy enables both RADIUS and Active Directory authentication, and most organizations will use one or the other. If you are using only one type of authentication, disable the rule pertaining to the other.

Modify the default system policy settings to match your organization's requirements. First, identify the functionality that you require on the ISA Server computer. Then review the system policy settings and disable every system policy rule that you do not require. For example, if no users will ever access ISA Server using Remote Desktop, disable the Terminal Server system policy rule that enables Remote Desktop connections.
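The review-and-disable procedure above, as an added PowerShell example that is not code from the original text or from Microsoft. It drives the ISA Server 2004 administration COM object and assumes two things that are not confirmed by this page and should be checked against the ISA Server 2004 SDK before the script runs on a real server: that the object is registered as "FPC.Root", and that system policy rules are reachable as `$array.SystemPolicy.PolicyRules` with `Name` and `Enabled` properties and that `Save()` writes the change back. The `$RequiredFunctionality` list is a hypothetical policy for one organization, and the rule names used in dry-run mode are constructed for illustration.

```powershell
# Added example (not from the original text): review ISA Server 2004 system policy rules
# against the functionality the organization actually requires, report every enabled rule
# that falls outside it, and optionally disable those rules.
#
# Assumptions to verify against the ISA Server 2004 SDK:
#   - the administration COM object is registered as "FPC.Root"
#   - system policy rules are exposed as $array.SystemPolicy.PolicyRules, each with a
#     Name property and a read/write Enabled property, and $array.Save() persists changes
# With -DryRun the script never loads COM and works on constructed sample rules instead.
param(
    [switch]$DryRun,   # use constructed sample rules; safe to run on any workstation
    [switch]$Commit    # actually disable and save; without it the script only reports
)

# Hypothetical requirements for this server: a rule whose name contains none of these
# phrases is treated as not required. Per the text, Active Directory authentication stays
# while RADIUS and Terminal Server (Remote Desktop) go. MMC remote management is kept so
# the server can still be administered from an admin workstation.
$RequiredFunctionality = @(
    'directory services',   # Active Directory authentication (domain member)
    'Kerberos',
    'DNS',
    'MMC'
)

function Get-SystemPolicyRules {
    param([switch]$Offline)
    if ($Offline) {
        # Constructed sample rule set; names are modelled on ISA Server 2004 system policy
        # rules for illustration only and were not read from a real server.
        return @(
            (New-Object PSObject -Property @{ Name = 'Allow access to directory services for authentication purposes'; Enabled = $true }),
            (New-Object PSObject -Property @{ Name = 'Allow RADIUS authentication from ISA Server to trusted RADIUS servers';  Enabled = $true }),
            (New-Object PSObject -Property @{ Name = 'Allow remote management from selected computers using MMC';              Enabled = $true }),
            (New-Object PSObject -Property @{ Name = 'Allow remote management from selected computers using Terminal Server';  Enabled = $true }),
            (New-Object PSObject -Property @{ Name = 'Allow DNS from ISA Server to selected servers';                            Enabled = $true }),
            (New-Object PSObject -Property @{ Name = 'Allow SMTP from ISA Server to trusted servers';                            Enabled = $false })
        )
    }
    $script:Root  = New-Object -ComObject 'FPC.Root'       # assumed ProgID
    $script:Array = $script:Root.GetContainingArray()
    return @($script:Array.SystemPolicy.PolicyRules)       # assumed property path
}

function Select-RulesToDisable {
    param([object[]]$Rules, [string[]]$Required)
    # Only enabled rules matter. A rule is kept when any required phrase occurs in its name.
    $Rules | Where-Object {
        $rule = $_
        $rule.Enabled -and -not ($Required | Where-Object { $rule.Name -like "*$_*" })
    }
}

$rules     = Get-SystemPolicyRules -Offline:$DryRun
$toDisable = @(Select-RulesToDisable -Rules $rules -Required $RequiredFunctionality)

Write-Host ("{0} enabled system policy rule(s) match no required functionality:" -f $toDisable.Count)
$toDisable | ForEach-Object { Write-Host "  - $($_.Name)" }

if ($Commit -and -not $DryRun) {
    foreach ($rule in $toDisable) {
        try   { $rule.Enabled = $false; Write-Host "Disabled: $($rule.Name)" }
        catch { Write-Warning "Could not disable '$($rule.Name)': $_" }
    }
    $script:Array.Save()   # assumed: writes the changed system policy to the configuration store
} elseif (-not $DryRun) {
    Write-Host 'Report only. Re-run with -Commit to disable the rules listed above.'
}
```

Run it with -DryRun anywhere to see the decision logic: of the six constructed rules, only the RADIUS and Terminal Server rules are reported, because the SMTP rule is already disabled and the other three match a required phrase. On the ISA Server computer, run it without switches first and compare the report with what the management console shows under the system policy editor; only then re-run with -Commit. Disabling a rule the server itself depends on (directory services or Kerberos on a domain member, DNS, or MMC remote management) breaks authentication or locks you out of remote administration, so test the resulting policy on a non-production server before applying it.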

How to Configure ISA Server Administrative Roles
Another component of securing the ISA Server computer is configuring the ISA Server administrative permissions. As a general rule, user accounts should always be configured with the minimum privileges necessary to perform a specific task. You can use role-based administration to organize your ISA Server administrators into separate, defined roles, each with its own set of privileges and corresponding tasks. The roles assigned in ISA Server are based on Windows users and groups. If the ISA Server computer is a member of a domain, these users and groups can be either local accounts or domain accounts. If the ISA Server computer is not a member of a domain, you must assign local users and groups to the roles.

ISA Server includes three administrative roles that are defined in advance:
1- ISA Server Basic Monitoring Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.
2- ISA Server Extended Monitoring Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert-definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role.
3- ISA Server Full Administrator Users and groups assigned this role can perform any ISA Server task, including rule configuration, application of network templates, and monitoring.
