Implementing a Secure ISA Server

Roberta Bragg

Step One
Read Step Ten before actually doing any of these steps!

Step Two – Planning
▪ What do you want? A firewall? A caching server? Both?
▪ Single server? DMZ? Array?
▪ Amount of traffic?
▪ What needs to pass through?
▪ Machine sizing

Step Three – Network Preparations
▪ Network addresses
▪ Routers
▪ Ensure internal DNS for internal network clients
▪ External DNS for ISA Server
▪ Changes required to network configuration? Clients?

Step Four – Install Clean W2K
▪ Separate drives/partitions: system data from firewall
▪ Customization – uncheck all options!
  – Accessories
  – IIS
▪ Custom networking – only TCP/IP
▪ External card:
  – Disable DNS automatic registration
  – Disable Windows networking
  – Disable NetBIOS over TCP/IP
▪ Internal card – as appropriate for your network
▪ Workgroup, not domain*

Step Five – Pre-ISA Install
▪ Edit %systemroot%\inf\sysoc.inf and remove the ‘hide’ keyword where it appears
▪ Use Add/Remove to remove Fax, Image View, Pinball, WordPad – be careful here!
▪ Check routing table
▪ Clean certificate store – remove unnecessary certificates
▪ Disable services that get installed by default & are not needed
▪ Apply Service Pack/patches
▪ SO, what services do you need?
  – DNS client
  – Eventlog
  – Logical disk manager
  – Plug and play
  – Protected storage
  – Security accounts manager
  – Telephony
  And maybe:
  • IPSec policy agent
  • Network connections manager
  • Remote procedure call
  • Remote registry service
  • Run as
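As an added example that is not part of Roberta Bragg's slides: a read-only PowerShell audit of the Step Four and Step Five items above. It lists running services that fall outside the slide's required and "maybe" sets, confirms the required ones are up, reports whether sysoc.inf still carries the 'hide' keyword, and checks the external adapter for DNS registration, NetBIOS over TCP/IP and Windows networking bindings. The adapter connection name, the service short names (mapped here from the slide's display names) and the cmdlets used are assumptions for a current Windows PowerShell host, since W2K itself had no PowerShell; the script reports and changes nothing.

```powershell
# Added example, not from the original slides: read-only audit of the Step Four / Step Five
# checklist. Run in an elevated PowerShell session; it reports findings and changes nothing.

# ASSUMPTION: connection name of the Internet-facing NIC (placeholder, rename for your host).
$ExternalAdapterName = 'External'

# Service short names assumed to match the slide's display names (DNS client, Eventlog,
# Logical disk manager, Plug and play, Protected storage, Security accounts manager, Telephony)
# and the "maybe" set (IPSec policy agent, Network connections, RPC, Remote registry, Run as).
$Required = @('Dnscache', 'Eventlog', 'dmserver', 'PlugPlay', 'ProtectedStorage', 'SamSs', 'TapiSrv')
$Maybe    = @('PolicyAgent', 'Netman', 'RpcSs', 'RemoteRegistry', 'seclogon')

function Test-IsaHostBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # Step Five: a running service that is neither required nor "maybe" is a candidate to disable.
    $allowed = $Required + $Maybe
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $allowed -notcontains $_.Name } |
        ForEach-Object { $findings.Add("Running service outside the list: $($_.Name) ($($_.DisplayName))") }

    # Step Five: a required service that is not running usually means the trimming went too far.
    foreach ($name in $Required) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { $findings.Add("Required service not running: $name") }
    }

    # Step Five: components still marked HIDE in sysoc.inf do not appear in Add/Remove.
    $sysoc = Join-Path $env:SystemRoot 'inf\sysoc.inf'
    if (Test-Path $sysoc) {
        $hidden = @(Select-String -Path $sysoc -Pattern ',hide,' -SimpleMatch)   # case-insensitive by default
        if ($hidden.Count -gt 0) { $findings.Add("sysoc.inf still hides $($hidden.Count) component(s)") }
    }

    # Step Four: the external card must not register in DNS and must not run NetBIOS over TCP/IP.
    $nic = Get-CimInstance Win32_NetworkAdapter -Filter "NetConnectionID='$ExternalAdapterName'"
    if (-not $nic) {
        $findings.Add("No adapter named '$ExternalAdapterName' found; set `$ExternalAdapterName")
    } else {
        $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.Index -eq $nic.Index }
        if ($cfg.FullDNSRegistrationEnabled) { $findings.Add('External NIC still registers its address in DNS') }
        # TcpipNetbiosOptions: 0 = follow DHCP setting, 1 = enabled, 2 = disabled
        if ($cfg.TcpipNetbiosOptions -ne 2) { $findings.Add('External NIC does not have NetBIOS over TCP/IP disabled') }
        # "Windows networking" = Client for Microsoft Networks and File and Printer Sharing bindings.
        # Get-NetAdapterBinding exists only on newer Windows, so guard the call.
        if (Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue) {
            Get-NetAdapterBinding -Name $ExternalAdapterName -ComponentID ms_msclient, ms_server |
                Where-Object { $_.Enabled } |
                ForEach-Object { $findings.Add("External NIC still binds $($_.DisplayName)") }
        }
    }

    if ($findings.Count -eq 0) { 'No deviations from the Step Four / Step Five baseline found.' }
    else { $findings }
}

Test-IsaHostBaseline
```

Run it after the service trimming and again after each patch cycle: service packs tend to re-enable services and re-register adapters, which is exactly the drift the slide's "apply patches" bullet can introduce.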

Step Six – ISA Installation
▪ Install only the services you need
  – Do not install H.323 unless you are going to use it!
▪ Install onto a partition other than the OS partition
▪ If this is Enterprise:
  – select administrative array/enterprise policies as per your organization's administrative policy
  – only allow publishing if in DMZ
  – enable packet filtering
▪ Configure the LAT so it only has addresses in the internal network

Step Seven – After Install, Test Basic Connectivity
▪ Ensure the LAT only contains addresses from the internal network
▪ Connection to Internet?
  – Check default site and content rule
  – Add a protocol rule
▪ REMOVE the test rule afterwards!

Step Eight – Secure ISA
▪ Set file/folder/share permissions
  – Mspclnt share: Authenticated Users – Read
  – Inheritance: not allowed from parent folder; apply settings to folder, subfolders, files
  – Installation directory, Clients directory, Urlcache:
    • Administrators, Creator/Owner, System – Full Control
  – Clients – Authenticated Users Read & Execute
▪ Tweak, then apply security template
  – Follow guidelines for secure configuration
  – Of special importance:
    • Limit accounts in local database
    • Use strong passwords
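As an added example that is not part of the slides: a PowerShell check that verifies the Step Eight permission targets instead of setting them. For each directory it confirms inheritance from the parent is blocked, that only the identities the slide names hold Allow entries, that no entry exceeds its allowed maximum (Full Control for Administrators, Creator Owner and System; Read & Execute for Authenticated Users on Clients only), that entries propagate to subfolders and files, and that the Mspclnt share grants Authenticated Users no more than Read. The three paths are placeholders for your own installation, Clients and Urlcache directories, and the share check relies on Get-SmbShareAccess, which exists only on newer Windows.

```powershell
# Added example, not from the original slides: verify the Step Eight permission targets.
# Read-only; it compares each directory's ACL with the slide's rule and reports any excess.
# ASSUMPTION: placeholder paths; point them at your ISA installation, Clients and Urlcache folders.

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Maximum rights per identity. Installation directory and Urlcache: Administrators, Creator Owner
# and System only (Full Control). Clients additionally gives Authenticated Users Read & Execute.
$Privileged = @{
    'BUILTIN\Administrators' = $FullControl
    'CREATOR OWNER'          = $FullControl
    'NT AUTHORITY\SYSTEM'    = $FullControl
}
$ClientsPolicy = $Privileged.Clone()
$ClientsPolicy['NT AUTHORITY\Authenticated Users'] = $ReadExecute

$Policy = @{
    'D:\ISA'         = $Privileged      # placeholder: ISA installation directory
    'D:\ISA\Clients' = $ClientsPolicy   # placeholder: Clients directory
    'D:\Urlcache'    = $Privileged      # placeholder: Urlcache
}

function Test-IsaFolderAcl {
    param([hashtable]$PolicyTable = $Policy)
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($path in $PolicyTable.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { $findings.Add("${path}: not found (adjust placeholder)"); continue }
        $acl = Get-Acl -LiteralPath $path
        # Slide: inheritance from the parent folder is not allowed.
        if (-not $acl.AreAccessRulesProtected) { $findings.Add("${path}: still inherits ACEs from its parent") }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries never widen access
            $who = $ace.IdentityReference.Value
            if (-not $PolicyTable[$path].ContainsKey($who)) {
                $findings.Add("${path}: unexpected identity $who has $($ace.FileSystemRights)")
                continue
            }
            # Any right bit not covered by the allowed maximum is excess.
            $excess = [int]$ace.FileSystemRights -band -bnot [int]$PolicyTable[$path][$who]
            if ($excess -ne 0) {
                $findings.Add("${path}: $who has $($ace.FileSystemRights), allowed at most $($PolicyTable[$path][$who])")
            }
            # Slide: settings apply to this folder, subfolders and files.
            if ($ace.InheritanceFlags -ne 'ContainerInherit, ObjectInherit') {
                $findings.Add("${path}: ACE for $who does not propagate to subfolders and files")
            }
        }
    }
    # Slide: Mspclnt share permission is Authenticated Users Read (cmdlet exists on newer Windows only).
    if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
        Get-SmbShareAccess -Name 'Mspclnt' -ErrorAction SilentlyContinue |
            Where-Object { $_.AccountName -like '*Authenticated Users' -and $_.AccessRight -ne 'Read' } |
            ForEach-Object { $findings.Add("Mspclnt share: Authenticated Users has $($_.AccessRight), expected Read") }
    }
    if ($findings.Count -eq 0) { 'Permissions match the Step Eight targets.' } else { $findings }
}

Test-IsaFolderAcl
```

The bitwise comparison is what makes the check strict: an entry granting Modify to Authenticated Users shows up as excess even though it also contains Read & Execute, and an unexpected group (Users, Everyone) is flagged regardless of how little it holds.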

Step Nine – Configure and Roll Out
▪ Configure client access as per plan
▪ Configure packet filters/intrusion detection as per plan
  – Do not enable IP routing unless DMZ (3-homed firewall) / mail server publishing
▪ Test
▪ Configure reporting/monitoring
▪ Install and configure clients

Step Ten
▪ Never, never, never accept on faith any advice from a security guru, government agency, book, Microsoft document, SearchWin2000 chat.
▪ Your network, server, use, requirements may differ
▪ TEST