Lesson 1: Securing ISA Server 2004
Securing the computer running ISA Server is vital to ensuring your organization’s security. To secure the ISA Server computer, ensure the security of the computer itself, the operating system running on the computer, and the ISA Server configuration. After installation, ISA Server starts with a default configuration that blocks all traffic between networks connected to ISA Server but enables some traffic between the ISA Server computer and other networks. As an ISA Server administrator, you will need to modify the default configuration. The third step in ensuring ISA Server security is to manage the administrative permissions users have on ISA Server.
How to Harden the Server :
ISA Server runs on computers running Microsoft Windows 2000 Server or Windows Server 2003, so the first step of securing ISA Server is to ensure that the computer and operating system are as secure as possible. Securing the computer includes the following components:
1 - Securing the network interfaces
2 - Ensuring that only required system services are enabled
3 - Ensuring that security updates are applied.
How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server.By default, network interfaces in both Windows 2000 Server and Windows Server 2003are configured to facilitate connecting other computers on the network to the server.On an ISA Server computer, ensure that clients can connect to the network interfacesonly to access specific resources. Although both the interface connected to the Internetand the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.
Securing the External Network Interface
The external interface of your ISA Server computer is likely to be directly attached to the Internet, where it may be exposed to an attack from anywhere on the Internet. To secure the external interface on the ISA Server computer, complete the following actions:
1- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
2- Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required if the computer needs to be configured as a Windows Internet Naming Service (WINS) client,needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should not send or receive any NetBIOS packets to the Internet.
3- Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
4- Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.
Securing the computer running ISA Server is vital to ensuring your organization’s security. To secure the ISA Server computer, ensure the security of the computer itself, the operating system running on the computer, and the ISA Server configuration. After installation, ISA Server starts with a default configuration that blocks all traffic between networks connected to ISA Server but enables some traffic between the ISA Server computer and other networks. As an ISA Server administrator, you will need to modify the default configuration. The third step in ensuring ISA Server security is to manage the administrative permissions users have on ISA Server.
How to Harden the Server :
ISA Server runs on computers running Microsoft Windows 2000 Server or Windows Server 2003, so the first step of securing ISA Server is to ensure that the computer and operating system are as secure as possible. Securing the computer includes the following components:
1 - Securing the network interfaces
2 - Ensuring that only required system services are enabled
3 - Ensuring that security updates are applied.
How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server.By default, network interfaces in both Windows 2000 Server and Windows Server 2003are configured to facilitate connecting other computers on the network to the server.On an ISA Server computer, ensure that clients can connect to the network interfacesonly to access specific resources. Although both the interface connected to the Internetand the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.
Securing the External Network Interface
The external interface of your ISA Server computer is likely to be directly attached to the Internet, where it may be exposed to an attack from anywhere on the Internet. To secure the external interface on the ISA Server computer, complete the following actions:
1- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
2- Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required if the computer needs to be configured as a Windows Internet Naming Service (WINS) client,needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should not send or receive any NetBIOS packets to the Internet.
3- Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
4- Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.
Securing the Internal Network Interface
In addition to securing the external interface,you should secure the internal interface on the computer running ISA Server.However, in many cases, you may require more functionality on the internal interface,so you must ensure that you disable only the components that are not required.
■ Leave File and Printer Sharing for Microsoft Networks enabled on the internal interface if you want internal network clients to access the Firewall Client software.If the client installation files are stored on another computer, you can disableFile and Printer Sharing.
■ Client for Microsoft Networks must also be enabled if you want to access resources on the internal network or authenticate to internal resources.
■ Disable NetBIOS over TCP/IP if you do not have any legacy client computers or Net-BIOS-based applications on the network that need access to the ISA Server computer.
■ Leave automatic DNS name resolution enabled on the internal network interface so that the ISA Server computer’s IP address is registered in DNS. If you do nothave automatic updates enabled on the DNS zone, disable this option and manuallyconfigure the host record in DNS.
