
Securing and Maintaining ISA Server 2004

ISA Server and Security Templates
Security templates are the ideal means to configure the security settings on an ISA Server computer. By applying these templates, you can ensure a consistently high level of security on the ISA Server computer. To apply the security templates to the ISA Server computer, perform the following steps:

1. Using the Security Templates MMC snap-in, analyze the security templates included with the Windows Server 2003 Security Guide and determine which template most closely meets your organization’s requirements. Modify those parts of the template that do not match your requirements.
2. Apply the security templates to your ISA Server computer or computers. If your ISA Server computers are members of an Active Directory domain, create an OU that contains only the ISA Server computers and then create a Group Policy Object (GPO) to apply the security template to the servers. If your ISA Server computer is not a member of the domain, use the Security Analysis and Configuration tool to apply the security policy to the ISA Server computer.

Applying Security Updates:

Another critical component in keeping the computer running ISA Server secure is to ensure that all security updates and patches are applied. Security updates are product updates that eliminate known security vulnerabilities. To keep ISA Server secure, you must ensure that the security updates for both ISA Server and the operating system are current by installing the latest fixes. If the operating system is vulnerable, ISA Server is also vulnerable. When a security update becomes available, quickly evaluate your system to determine if the update is relevant to your current situation.

Monitor and install security patches for multiple components for the computer running ISA Server. These include the latest updates for the operating system, for ISA Server, and for other components installed by ISA Server, including Microsoft SQL Server 2000 Desktop Engine (MSDE) and Office Web Components 2002 (OWC).

70-299 : 10 Planning and Implementing Security for Wireless Networks

To configure wireless network security by using a GPO, follow this procedure:

1. Open a blank Microsoft Management Console (MMC) console, and add the Group Policy Object Editor snap-in. Open the GPO you will use to apply the wireless network configuration settings.
2. Expand the GPO, Computer Configuration, Windows Settings, and then Security Settings. Click Wireless Network (IEEE 802.11) Policies.
3. By default, there are no policies. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create Wireless Network Policy. The Wireless Network Policy Wizard appears.
4. Click Next.
5. Type a name for the policy, and then click Next.
6. Select the Edit Properties check box, and then click Finish. The properties dialog box appears.
7. Click the General tab, as shown in Figure 10.8. The security-related settings are Networks To Access, which specifies whether the client is allowed to connect to ad hoc networks, and Automatically Connect To Non-Preferred Networks, which you might want to disable to prevent clients from connecting to potentially dangerous, untrusted wireless networks.
8. Click the Preferred Networks tab. This tab lists preferred networks, which are networks that Windows XP will automatically connect to. There are no preferred networks by default.
9. Click Add. The New Preferred Setting Properties dialog box appears, as shown in Figure 10.9.
The Network Properties tab allows you to specify whether WEP encryption will be used. Generally, you should select the Data Encryption and The Key Is Provided Automatically check boxes. Leave the Network Authentication check box cleared to use open network authentication.
10. Click the IEEE 802.1X tab. Select the Enable Network Access Control Using IEEE 802.1X check box.
11. If you want to be able to manage the computer across a wireless network when no user is logged on, select the Authenticate As Computer When Computer Information Is Available check box.
12. Click the EAP Type list to select either Smart Card Or Other Certificate or Protected EAP. This setting must correspond to the setting specified on the IAS server.
13. Click the Settings button to configure the selected EAP type. This dialog box is exactly the same as the dialog box used to configure wireless clients locally.
14. Click OK three times to return to the MMC console.
Note that you can only create a single wireless network policy for each GPO.
Configuring WAPs:
The final step of the wireless network configuration process is to configure and enable your WAPs. Unfortunately, the user interface varies for each WAP. At a minimum, you will need to configure the following settings:
■ Select WEP or WPA encryption and the encryption level.
■ Specify 802.1X authentication and the authentication method.
■ Specify the SSID.
■ Specify the IP address of the IAS RADIUS servers.
■ Specify a shared key corresponding to the shared secret specified during the IAS configuration.

Lesson 3: Analyzing Security Configurations

Security Configuration And Analysis:

The Security Configuration And Analysis snap-in gives you an immediate, detailed list of security settings on a computer that do not meet your security requirements. Recommendations are presented alongside current system settings, and icons or remarks are used to highlight any areas where the current settings do not match the proposed level of security. Security Configuration And Analysis uses a database to perform analysis and configuration functions. Using a database gives you the ability to compare the current security settings against custom databases that are created by importing one or more security templates.
To analyze a computer’s security settings by comparing it to a security template:
1. Create a new Microsoft Management Console (MMC) console, and add the Security Configuration And Analysis snap-in.
2. Right-click Security Configuration And Analysis, and then click Open Database.
3. In the Open Database dialog box, type a name for the new database, and then click Open.
4. In the Import Template dialog box, select a security template to import. Click Open.
5. If you want to import more than one security template, right-click Security Configuration And Analysis, and then click Import Template. Select the template to import, and then click Open. Repeat this process for each security template you want to import.
6. Right-click Security Configuration And Analysis, and then click Analyze Computer Now.
7. In the Perform Analysis dialog box, click OK.
After the analysis is complete, examine the results by expanding the nodes contained within the Security Configuration And Analysis node.
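
The comparison that this analysis performs, and that decides whether a security template applied as described under ISA Server and Security Templates is actually in effect, can be sketched in a few lines. This is an added example, not code from the original page or from Microsoft: it assumes the current settings are available as template-format text (for instance from `secedit /export /cfg`), and both sample texts and their values are constructed for illustration.

```python
import configparser

# Template sections whose settings are compared (other sections are ignored).
SECTIONS = ("System Access", "Event Audit", "Registry Values")

# Constructed sample: baseline template, and current settings as an export.
# secedit exports are typically UTF-16; decode such files before parsing.
BASELINE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""
CURRENT = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""

def parse_template(text):
    """Parse security-template INF text into {section: {setting: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s in SECTIONS}

def compare(baseline_text, current_text):
    """List baseline settings that the current configuration does not meet."""
    baseline, current = parse_template(baseline_text), parse_template(current_text)
    findings = []
    for section, settings in baseline.items():
        # Setting names and registry paths are matched case-insensitively.
        actual = {k.casefold(): v for k, v in current.get(section, {}).items()}
        for name, expected in settings.items():
            value = actual.get(name.casefold())
            if value != expected:
                status = "not defined" if value is None else "mismatch"
                findings.append((section, name, expected, value, status))
    return findings

if __name__ == "__main__":
    for finding in compare(BASELINE, CURRENT):
        print(finding)
```

Each finding gives the section, the setting, the baseline value, the current value and whether the setting is mismatched or not defined at all.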


Microsoft Baseline Security Analyzer—Graphical Interface:

MBSA includes graphical and command-line interfaces that can perform local or remote scans of Windows systems. MBSA runs on computers running Windows 2000, Windows XP, and Windows Server 2003 and will scan for common system misconfigurations in Microsoft Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and SQL Server 2000, Internet Explorer 5.01 and later, and Office 2000 and Office XP. MBSA will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and SQL Server 2000, Internet Explorer 5.01 and later, Exchange Server 5.5 and Exchange 2000 Server, and Microsoft Windows Media Player 6.4 and later.
MBSA can determine which critical security updates are applied to a system by referring to an XML file that is continuously updated by Microsoft. The XML file contains information about which security updates are available for particular Microsoft products.
This file contains security bulletin names and titles, and detailed data about product-specific security updates, including the files in each update package and their versions and checksums, registry keys that were applied by the update installation package, information about which updates supersede others, related Microsoft Knowledge Base article numbers, and much more.

Lesson Summary

■ The Security Configuration And Analysis console can be used to apply settings from a security template. However, it is more commonly used to determine which active security settings do not match those specified in a security template.
■ MBSA identifies potential security vulnerabilities, including critical updates that have not been applied, on one or more systems.
■ Mbsacli provides a command-line interface with functionality that is similar to that of MBSA. Mbsacli can be used to create XML files that summarize security vulnerabilities on one or more systems.
