This chapter is from the book
This chapter is from the book
This chapter is from the book
Running the Security Wizard
To begin, you need to be aware of the ISA Server Security Wizard. With this handy wizard you can tighten your security on all the servers in an array. Keep in mind that running this security wizard is one way to secure your network—it is not the only way. The ISA Server Security Wizard is a good place to start securing your network, but we will cover other methods that can be used with this wizard to help lock down your network infrastructure effectively.
There are three levels of security that are available using the wizard, as explained here:
Dedicated—Use this setting when your ISA Server is installed as a dedicated standalone Firewall server. When you use this security level, there should be no other servers or applications running on the ISA Server computer. The security templates used by this option offer the highest level of protection. The template tightens the security by configuring stricter password, account lockout, and local policies. It also makes numerous registry changes, such as disallowing server shutdown without a logon, and clearing the pagefile at shutdown.
Limited Services—This is the setting that you should use when your ISA Server is installed as a combined Firewall and Cache server. This is also the setting you should use for ISA Servers that are domain controllers. The templates used by this option offer a medium level of protection. For example, the template on a domain controller will force users to logoff when their logon hours expire. On a Windows 2000 server, it will remove users from the Power Users group.
Secure—You should use this level of security when additional servers are installed on the ISA Server, such as application or database servers. For example, if you are running Exchange or IIS server on the same computer as ISA Server, this is the setting you should use. The templates used by this option offer a relatively lower level of protection. For example, it removes most password restrictions and essentially removes restrictions on account lockout policy. Use this option with care, because it may lessen your security considerably compared to your existing level.Depending on whether there is a Windows 2000 domain controller or a standalone server, the Security Wizard can use one of three security templates to increase security for Windows 2000 components. The security templates are located in the winnt\security\templates folder. Table 3.1 lists the security levels and the templates associated with each level.
TIP
I have seen some administrators use this wizard and then complain about their ISA Server getting "messed up." The wizard makes literally dozens of changes to the registry, file permissions, and user rights. My recommendation is that you read and understand the information in the security templates before you implement them.
Table 3.1 ISA Server Security Configuration
|
Security Level |
Windows 2000 Server Security Templates |
Windows 2000 Domain Controller Security Templates |
|---|---|---|
|
Dedicated (highest level) |
hisecws.inf |
hisecdc.inf |
|
Limited Services (medium level) |
securews.inf |
securedc.inf |
|
Secure (lowest level) |
basicsv.inf |
basicdc.inf |
Now that you have been given some background and specific warnings, let me tell you about my general philosophy about such wizards. Frankly, security wizards make me nervous and I don't always trust them. I am not convinced that the wizards will only make the changes that they are supposed to make. Why is it that a wizard can make the configuration changes one way, but won't let you undo those changes? I don't mind using wizards for certain tasks, but using wizards to secure my server is not my cup of tea.
CAUTION
The ISA Server Security Configuration Wizard doesn't have an "undo" feature. Before you run the wizard, make sure you've backed up your operating system and ISA Server configuration. The Security Wizard, among other things, modifies numerous operating system registry settings, which makes reverting back to the original configuration a very time consuming and difficult task. ISA Server lists the configuration changes to a file called securwiz.log in the ISA Server installation folder, but the log only tells you that it changed the setting, it doesn't tell you what exactly the change was.
To configure the appropriate security level, use the following procedure:
In the ISA Server Management console, click on Servers and Arrays, the name of the array or server, and select Computers.
In the right-hand pane, right-click the ISA Server computer that you want to secure and click on Secure to start the wizard. You will receive the first page of the ISA Server Security Wizard.
Read the warning carefully on the first screen of the ISA Server Security Configuration Wizard.
On the next screen of the wizard, select an appropriate system security level. Use the aforementioned descriptions to decide which level to choose. Secure level is the default.
Click Finish on the next screen to finish the security configuration.
WARNING
If you just go by the name, it may seem that the Secure level is the most secure of the three choices, but in fact it is the least secure level. The Dedicated level offers the highest security, the Limited Services offers a medium-level security, and the Secure level offers the lowest level of security among the three.
Once you are satisfied with the level of protection that is appropriate for your servers (for instance, by running the ISA Server Security Configuration Wizard), you can then configure additional security options by establishing ISA Server rules. This provides even greater control at a more detailed level over your network traffic.
ISA Server rules are generally used to control outgoing traffic from the internal network to the Internet. In the next chapter we will explore IP packet filters, application filters, and intrusion detection filters, all of which are used to control incoming traffic. Now let's examine the ISA Server rules.