Using the Windows Server 2003 Security Configuration Wizard to Harden the ISA Firewall
by Thomas W Shinder MD, MVP
 
 
Have questions about the article?
Ask at: 
 
 
The pain was felt on both ends of the aisle: ISA firewall admins felt the pain, and the Microsoft ISA firewall product group felt it as well. Microsoft was determined to right this situation and worked diligently to come up with thorough ISA firewall hardening guides for the 2004 ISA firewall. If you haven't had a chance to read them yet, check them out at
 
As great as those guides are, you still have to read them several times to determine the consequences of your actions, and then if something goes haywire, you need to figure out a way to back out of your configuration without making the fix an avocation.
 
The solution for ISA firewall admins running their ISA firewalls on Windows Server 2003 Service Pack 1 is the Security Configuration Wizard (SCW). The SCW automates the process of hardening the ISA firewall by using security templates specially designed to lock down the ISA firewall and its base operating system tight as a drum.
 
The SCW isn't installed by default. After installing Windows Server 2003 SP1, open the Control Panel and open the Add/Remove Programs applet. Click the Add/Remove Windows Components button and select the Security Configuration Wizard in the list. After the SCW is installed, you can access the application from the Administrative Tools menu.
 
NOTE: 
Make sure that ISA Server 2004 Service Pack 1 is installed on the ISA firewall before installing Windows Server 2003 SP1.
 
The example provided in this article shows how the SCW works using a best practices configuration, where the ISA firewall has multiple network interfaces and is a member of the domain. The SCW may detect different roles and present you with different options if you run it on an ISA firewall that doesn't meet these requirements for a secure ISA firewall deployment.
 
The first page of the wizard explains what the SCW does. Click Next.
 
Figure 1
 
The second page of the wizard lets you create a new policy, edit an existing policy, apply an existing policy, and best of all, roll back the last applied security policy. The rollback feature is a great feature that helps you save yourself in the event that you make the wrong choices and the ISA firewall blows up. Because this is the first time we're running the SCW on the ISA firewall, select the Create a new security policy option.
 
Figure 2
 
On the Select Server page you enter the name of the ISA firewall in the Server (use DNS name, NetBIOS name, or IP address) text box. Because you never want to allow connections to the ISA firewall itself (except for those absolutely required), we always run the SCW on the firewall and not from another host on the network. While the SCW does allow you to do remote profiling and configuration of servers, this should be avoided when using the SCW to harden the ISA firewall. In this example, the FQDN of the ISA firewall is isalocal.msfirewall.org, so we enter that in the text box. Click Next.
 
Figure 3
 
After clicking Next, the SCW will take a minute or two to check the ISA firewall's current configuration against the SCW's security configuration database.
 
Figure 4
 
When the SCW has finished doing its work, you'll see the View Configuration Database button appear. Click the View Configuration Database button.
 
Figure 5
 
This brings up the SCW Viewer, which shows you information about the different client and server roles, admin options, services, ports and other settings that the SCW has information on and can configure. You can get more information about each setting by clicking the arrow next to the setting or role. This is a complete list and includes roles and settings that fall outside just the ISA firewall settings. If you click on a role or setting that does apply to the ISA firewall, you'll see that the SCW has detected that role or feature. Close the SCW Viewer and click Next on the Processing Security Configuration Database page.
 
Figure 6
 
The Role-Based Service Configuration page explains that the SCW can configure the machine based on the role that machine plays on the network. Click Next.
 
Figure 7
 
On the Select Server Roles page you see the roles that were detected for the ISA firewall machine. In this example, the SCW had in fact detected that the ISA firewall was configured as both a File server and Microsoft Internet Security and Acceleration Server 2004. The ISA firewall would need to be configured as a file server if you have the Firewall client installation share installed on the ISA firewall, but if you aren't hosting the Firewall client installation share on the ISA firewall, then you should remove that role by removing the checkmark. You can get more information about the role by clicking the arrow next to the role. In this example the only role played by the ISA firewall is the Microsoft Internet Security and Acceleration Server 2004 role. This machine does not host the Firewall client share, so I removed the checkmark that the SCW had put there.
 
Note that if you are using the ISA firewall as a VPN server or gateway, you should not select the Remote access/VPN server option. We want the ISA firewall to have control of the RRAS configuration, not the SCW. So, make sure that the Remote access/VPN server option is not selected. Click Next.
 
Figure 8
 
On the Select Client Features page, the client features required by the ISA firewall are selected by default. However, you might want to support additional client features. For example, if you want your VPN clients to browse the network after they connect, you need to configure the ISA firewall's internal interface with a WINS server address. If you do, then make sure the WINS Client role is selected. Most of the options are valid, and the WINS entry is the only one that I would change. You might want to consider removing the DNS registration client if you're not using DDNS. Click Next.
 
Figure 9
 
The Select Administration and Other Options page shows you the admin and other options the ISA firewall team decided were required for an ISA firewall in our current configuration. Most of them are legit, though I removed the Software installation from Group Policy option since I'm not interested in getting any programs other than the ISA firewall software installed on the ISA firewall machine. Review the client roles carefully and click the arrows next to each of the options to find out more about the options. Click Next.
 
Figure 10
 
On the Handling Unspecified Services page, you tell the wizard how to handle services that aren't installed on the selected server and not listed in the security configuration database. While it's unlikely that you'll have additional services installed on the ISA firewall that aren't included in the security database, it may be possible that a third-party product would install services that need to start in order to work properly. For this reason, I recommend selecting the Do not change the startup mode of the service option. Click Next.
 
Figure 11
 
The Confirm Service Changes page shows you the changes the SCW will make to services running on the ISA firewall. Carefully review these changes before proceeding. In my runs with the SCW, I didn't find anything changed that I didn't want to change. Click Next.
 
Figure 12
 
The Network Security page introduces changes the SCW can make to Windows Firewall and IPSec settings. Since we're running a stateful packet and application layer inspection firewall, we don't need to configure the Windows Firewall or IPSec settings. Leave the checkmark in the Skip this section checkbox and click Next.
 
Figure 13
 
The Registry Settings page introduces you to the changes you can make to protocols supported by the ISA firewall machine. Most of what you'll be configuring in the following pages is related to RPC and other intradomain communications. Click Next.
 
Figure 14
 
On the Require SMB Security Signatures page you configure whether or not you want SMB signatures enabled and required. I recommend that you select both the All computers that connect to it satisfy the following minimum operating system requirements and the It has surplus processor capacity that can be used to sign file and print traffic options if you are hosting the Firewall client share on the ISA firewall machine. If you aren't hosting the Firewall client share on the ISA firewall machine, then do not select the It has surplus processor capacity that can be used to sign file and print traffic option. Click Next.
 
Figure 15
 
On the Outbound Authentication Methods page you configure the LAN Manager authentication supported for when the ISA firewall machine itself needs to authenticate to another computer. In this example, the ISA firewall is a member of the user domain (for improved security) and is also used as a VPN gateway for site-to-site VPN connections. For that reason I selected the Domain Accounts and Local Accounts on the remote computers options (since the remote VPN gateways may not be members of the domain). However, there is no reason at all that I can imagine for supporting connections requiring File sharing passwords on Windows 95, Windows 98, or Windows Millennium Edition. Click Next.
 
Figure 16
 
On the Outbound Authentication using Domain Accounts page you configure the LAN Manager authentication level used when making outbound connections. The default enabled option is Windows NT 4.0 Service Pack 6a or later operating systems. However, you do have the option to select Clocks that are synchronized with the selected server's clock. You can check both if your network security requirements dictate that you do so, but I usually select the first one since I'm connecting to Windows Server 2003 servers/firewalls. Click Next.
 
Figure 17
 
The Registry Settings Summary page shows you the changes that will be made to the Registry to enforce the authentication requirements. Review these settings carefully, then click Next.
 
Figure 18
 
The Audit Policy page explains the purposes and goals of the audit policy configuration options that show up on subsequent pages. Click Next after reading this information.
 
Figure 19
 
The options on the System Audit Policy page allow you to set the audit policy on the ISA firewall machine. The default option is Audit successful activities. However, I want to know who's been successful and unsuccessful, so I always select the Audit successful and unsuccessful activities option.
 
Figure 20
 
The Audit Policy Summary page shows the changes the SCW will make to the current audit configuration on the ISA firewall machine. Review these carefully before continuing. You also have the option to include the SCWAudit.inf security template, which will set system access control lists (SACLs) that enable auditing of the file system. Note that once the template sets the SACLs on the file system, you won't be able to use the rollback feature to reset them. Click Next.
 
Figure 21
 
Click Next on the Save Security Policy page to save the changes to a security policy template. Note that no changes will be made to the ISA firewall machine at this time.
 
Figure 22
 
On the Security Policy File Name page, enter the name for the file at the end of the path provided for you in the Security policy file name text box. In this example, we'll name the file isafirewallsecpol. Click the View Security Policy button to view the details of the security policy you've configured using the SCW.
 
Figure 23
 
The SCW Viewer appears and shows you the details of the security policy you've configured with the SCW. Review these settings carefully to confirm that you want to make the changes listed here. Close the SCW Viewer.
 
Figure 24
 
Now for the moment of truth. You have the option to save the file and apply it later, or you can apply the policy you've configured in the SCW now. If you're not sure you want to make the changes, select the Apply later option and copy the file to a lab ISA firewall and test it there. If you want instant gratification, then select the Apply now option. Except for the changes made to the file system ACLs, you can always undo the changes made by the SCW policy by running the SCW again. In this example I'll select the Apply now option and click Next.
 
Figure 25
 
Click Next on the Applying Security Policy page after you see it say Application complete.
 
Figure 26
 
Click Finish on the Completing the Security Configuration Wizard page.
 
Figure 27
 
 
 
Conclusion
I recommend restarting the ISA firewall machine after you apply the policy changes to the ISA firewall.
 
While the changes made to the ISA firewall do not appear to have disabled any core features and have not created any access control problems that I've been able to identify, I have to recommend that you always test your policies in a lab environment before deploying them on your production ISA firewall. Your deployment might significantly differ from the best practices configuration that I recommend for ISA firewalls, or you might have networking or stateful packet inspection or application layer inspection enhancements installed on your ISA firewall. You should test your SCW security policies in the lab, with your production software environment, before deploying them on the live ISA firewall machine. You're asking for trouble if you do otherwise.
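
The lab test loop recommended above can also be driven from the command line with scwcmd.exe, the command-line companion installed with the SCW. The batch file below is an added example, not part of the original article; the C:\scwlab paths and the .xml extension on the saved policy are assumptions, so adjust them to wherever you copied the policy on the lab ISA firewall.

```batch
@echo off
rem Added example: test a saved SCW policy on a LAB ISA firewall with scwcmd.exe.
rem Assumptions (not from the article): the policy saved as isafirewallsecpol
rem was copied to C:\scwlab on the lab machine, and C:\scwlab\results is a
rem scratch folder for the analysis output.
setlocal
set POLICY=C:\scwlab\isafirewallsecpol.xml
set RESULTS=C:\scwlab\results

if not exist "%POLICY%" (
    echo Policy file not found: %POLICY%
    exit /b 1
)
if not exist "%RESULTS%" mkdir "%RESULTS%"

rem Step 1: compare the lab firewall's current state with the policy.
rem Analysis only reports differences; it changes nothing on the machine.
scwcmd analyze /m:%COMPUTERNAME% /p:"%POLICY%" /o:"%RESULTS%"

echo Review the analysis results in %RESULTS% before applying the policy.
pause

rem Step 2: apply the policy locally, matching the article's advice to run
rem the SCW on the firewall itself rather than from another host.
scwcmd configure /m:%COMPUTERNAME% /p:"%POLICY%"

echo Restart the lab firewall and test your access rules and VPN connections.
echo If something broke, undo the last applied policy with:
echo     scwcmd rollback /m:%COMPUTERNAME%
echo File system SACLs set by SCWAudit.inf are not reset by a rollback.
endlocal
```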