http://www.isaserver.org/tutorials/Windows-Server-2003-Security-Configuration-Wizard-Harden-ISA-Firewall.html
The pain was felt on both ends of the aisle – ISA firewall admins felt the pain, and the Microsoft ISA firewall product group felt it too. Microsoft was determined to correct this situation and worked diligently to come up with comprehensive ISA firewall hardening guides for the 2004 ISA firewall. If you haven’t had a chance to read them yet, check them out at
http://www.microsoft.com/isaserver/t.../planning.mspx
As good as those guides are, you still have to read them a few times to figure out the consequences of your actions, and then if something goes haywire, you need to figure out a way to back out of your configuration without making the fix an avocation.
The solution for ISA firewall admins running their ISA firewalls on Windows Server 2003 Service Pack 1 is the Security Configuration Wizard (SCW). The SCW automates the process of hardening the ISA firewall by using security templates specially designed to lock down tight as a drum the ISA firewall and its base operating system.
The SCW isn’t installed by default. After installing Windows Server 2003 SP1, open the Control Panel and open the Add/Remove Programs applet. Click the Add/Remove Windows Components button and select the Security Configuration Wizard from the list. After the SCW is installed, you can access the application from the Administrative Tools menu.
NOTE: Make sure that ISA Server 2004 Service Pack 1 is installed on the ISA firewall before installing Windows Server 2003 SP1.
The example provided in this article shows how the SCW works using a best practices configuration, where the ISA firewall has multiple network interfaces and is a member of the domain. The SCW may detect different roles and present you with different options if you run it on an ISA firewall that doesn’t meet these requirements for a secure ISA firewall deployment.
The first page of the wizard explains what the SCW does. Click Next.

Figure 1

The second page of the wizard enables you to create a new policy, edit an existing policy, apply an existing policy, and best of all, roll back the last applied security policy. The rollback feature is a great feature that helps you save yourself in the event that you make the wrong decisions and the ISA firewall blows up. Since this is the first time we’re running the SCW on the ISA firewall, select the Create a new security policy option.
Figure 2

On the Select Server page you enter the name of the ISA firewall in the Server (use DNS name, NetBIOS name, or IP address) text box. Since you never want to allow connections to the ISA firewall itself (except for those absolutely necessary), we always run the SCW on the firewall and not from another host on the network. While the SCW does allow you to do remote profiling and configuration of servers, this should be avoided when using the SCW to harden the ISA firewall. In this example, the FQDN of the ISA firewall is isalocal.msfirewall.org, so we enter that into the text box. Click Next.
Figure 3

After clicking Next, the SCW will take a minute or two to check the ISA firewall’s current configuration against the SCW’s security configuration database.

Figure 4

When the SCW is done doing its work, you’ll see the View Configuration Database button appear. Click the View Configuration Database button.

Figure 5

This brings up the SCW Viewer, which shows you information about the different client and server roles, admin options, services, ports and other settings that the SCW has information on and can configure. You can get more information about each setting by clicking the arrow next to the setting or role. This is a comprehensive list and includes roles and settings that fall outside just the ISA firewall settings. If you click on a role or setting that does apply to the ISA firewall, you’ll see that the SCW has detected that role or feature. Close the SCW Viewer and click Next on the Processing Security Configuration Database page.

Figure 6

The Role-Based Service Configuration page explains that the SCW can configure the device based on the role that device plays on the network. Click Next.
Figure 7

On the Select Server Roles page you see the roles that were detected for the ISA firewall device. In this example, the SCW had actually detected that the ISA firewall was configured as both a File server and Microsoft Internet Security and Acceleration Server 2004. The ISA firewall would need to be configured as a file server if you have the Firewall client installation share installed on the ISA firewall, but if you are not hosting the Firewall client installation share on the ISA firewall, then you should remove that role by removing the checkmark. You can get more information about the role by clicking the arrow next to the role. In this example the only role played by the ISA firewall is the Microsoft Internet Security and Acceleration Server 2004 role. This machine does not host the Firewall client share, so I removed the checkmark that the SCW had put there.

Note that if you are using the ISA firewall as a VPN server or gateway, then you should not select the Remote access/VPN server option. We want the ISA firewall to take control of the RRAS configuration, not the SCW. So, make sure that the Remote access/VPN server option is not selected. Click Next.
Figure 8

On the Select Client Features page, the client features required by the ISA firewall are selected by default. However, you may want to support additional client features. For example, if you want your VPN clients to browse the network after they connect, you should configure the internal interface of the ISA firewall with a WINS server address. If you do, then make sure the WINS Client role is selected. Most of the options are valid and the WINS entry is the only one that I would change. You might want to consider removing the DNS registration client if you’re not using DDNS. Click Next.

Figure 9

The Select Administration and Other Options page shows you the admin and other options that the ISA firewall team determined were important for an ISA firewall in our current configuration. Most of them are legit, although I removed the Application installation from Group Policy option since I’m not interested in having any applications other than the ISA firewall software installed on the ISA firewall device. Review the client roles carefully and click the arrows next to each of the options to learn more about them. Click Next.
Figure 10

On the Handling Unspecified Services page, you tell the Wizard how to handle services that aren’t installed on the selected server and not listed in the security configuration database. While it’s unlikely that you’ll have additional services installed on the ISA firewall that aren’t included in the security database, it’s possible that a third-party product would install services that need to start in order to work correctly. For this reason, I recommend selecting the Do not change the startup mode of the service option. Click Next.

Figure 11

The Confirm Service Changes page shows you the changes the SCW will make to services running on the ISA firewall. Carefully review these changes before proceeding. In my runs with the SCW, I didn’t find anything changed that I didn’t want to change. Click Next.

Figure 12

The Network Security page introduces changes the SCW can make to Windows Firewall and IPSec settings. Since we’re running a stateful packet and application layer inspection firewall, we don’t need to configure the Windows Firewall or IPSec settings. Leave the checkmark in the Skip this section checkbox and click Next.

Figure 13

The Registry Settings page introduces you to the changes you can make to protocols supported by the ISA firewall device. Most of what you’ll be configuring in the following pages is related to RPC and other intradomain communications. Click Next.
Figure 14

On the Require SMB Security Signatures page you configure whether or not you want SMB signatures enabled and required. I recommend that you select both the All computers that connect to it satisfy the following minimum operating system requirements and the It has surplus processor capacity that can be used to sign file and print traffic options if you are hosting the Firewall client share on the ISA firewall device. If you are not hosting the Firewall client share on the ISA firewall device, then do not select It has surplus processor capacity that can be used to sign file and print traffic. Click Next.

Figure 15

On the Outbound Authentication Methods page you configure the LAN Manager authentication methods supported when the ISA firewall device itself must authenticate to another computer. In this example, the ISA firewall is a member of the user domain (for enhanced security) and will also be used as a VPN gateway for site to site VPN connections. For this reason I selected the Domain Accounts and Local Accounts on the remote computers options (since the remote VPN gateways might not be members of the domain). However, there is no reason at all that I can imagine for supporting connections requiring File sharing passwords on Windows 95, Windows 98, or Windows Millennium Edition. Click Next.

Figure 16

On the Outbound Authentication using Domain Accounts page you configure the LAN Manager authentication level used when making outbound connections. The default enabled option is Windows NT 4.0 Service Pack 6a or later operating systems. However, you do have the option to select Clocks that are synchronized with the selected server’s clock. You can check both if your network security requirements dictate that you do so, but I typically select the first one since I’m connecting to Windows Server 2003 servers/firewalls. Click Next.

Figure 17

The Registry Settings Summary page shows you the changes that will be made to the Registry to enforce the authentication requirements. Review these settings closely and then click Next.
Figure 18

The Audit Policy page explains the purposes and goals of the audit policy configuration options that show up on subsequent pages. Click Next after reading this information.

Figure 19

The options on the System Audit Policy page allow you to set the audit policy on the ISA firewall device. The default option is Audit successful activities. However, I want to know who’s been successful and unsuccessful, so I will typically choose the Audit successful and unsuccessful activities option.

Figure 20

The Audit Policy Summary page shows the changes the SCW will make to the current audit configuration on the ISA firewall device. Review these closely before continuing. You also have the option to include the SCWAudit.inf security template, which sets system access control lists (SACLs) that enable auditing of the file system. Note that once the template sets the SACLs on the file system, you won’t be able to use the rollback feature to reset them. Click Next.
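The Registry Settings and Audit Policy pages above change a handful of well-known Windows security settings, and after applying the policy you will want to confirm that the firewall really ended up where the summary pages said it would. The following PowerShell script is an added example and is not code from the article or from Microsoft: it reads back the SMB signing values, the LAN Manager compatibility level and the effective audit policy and reports anything below the hardened value. The registry value names and the secedit export format are standard Windows settings; which wizard page corresponds to which value, and the thresholds treated as "hardened", are this example's assumptions.

```powershell
# Added example, not code from the article: read back the settings that the
# SCW Registry Settings pages (SMB signing, LAN Manager authentication level)
# and the System Audit Policy page control, and report anything that is not
# at the hardened value. Run it on the ISA firewall in an elevated PowerShell
# after the policy is applied. The page-to-value mapping and the thresholds
# below are this example's assumptions, not taken from the article.

$registryChecks = @(
    # Require SMB Security Signatures page: the server side of SMB signing.
    @{ Page = 'Require SMB Security Signatures'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'EnableSecuritySignature';  Expected = 1; AtLeast = $false },
    @{ Page = 'Require SMB Security Signatures'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1; AtLeast = $false },
    # Outbound Authentication Methods page: the client (workstation) side,
    # used when the firewall itself connects to another computer.
    @{ Page = 'Outbound Authentication Methods'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1; AtLeast = $false },
    # Outbound Authentication using Domain Accounts page: LmCompatibilityLevel.
    # 3 = send NTLMv2 responses only; 4 and 5 also refuse LM (and NTLM) inbound.
    @{ Page = 'Outbound Authentication using Domain Accounts'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel';     Expected = 3; AtLeast = $true }
)

function Get-RegistryValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# Prints one line per check and returns the checks that failed.
function Test-RegistryHardening {
    $failures = @()
    foreach ($check in $registryChecks) {
        $actual = Get-RegistryValue $check.Key $check.Name
        if ($check.AtLeast) {
            $ok = ($actual -ne $null) -and ([int]$actual -ge $check.Expected)
        } else {
            $ok = ($actual -ne $null) -and ([int]$actual -eq $check.Expected)
        }
        if ($ok) { $status = 'OK  ' } else { $status = 'FAIL' }
        Write-Host ('{0} [{1}] {2} = {3} (expected {4})' -f $status, $check.Page, $check.Name, $actual, $check.Expected)
        if (-not $ok) { $failures += $check }
    }
    return $failures
}

# System Audit Policy page: "Audit successful and unsuccessful activities".
# secedit exports the effective audit policy as an [Event Audit] section in
# which each category is 0 (none), 1 (success), 2 (failure) or 3 (both).
# Categories below 3 are returned so they can be compared with the Audit
# Policy Summary page; the SCW does not necessarily enable every category,
# so treat the list as a review aid rather than a pass/fail verdict.
function Get-AuditCategoriesBelowBoth {
    $inf = Join-Path $env:TEMP 'scw-audit-check.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue
    $inSection = $false
    $below = @()
    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d+)') {
            if ([int]$matches[2] -lt 3) { $below += ('{0} = {1}' -f $matches[1], $matches[2]) }
        }
    }
    return $below
}

$registryFailures = @(Test-RegistryHardening)
$auditBelow = @(Get-AuditCategoriesBelowBoth)
Write-Host ''
Write-Host ('Registry checks failed: {0}' -f $registryFailures.Count)
if ($auditBelow.Count -gt 0) {
    Write-Host 'Audit categories not set to both success and failure:'
    $auditBelow | ForEach-Object { Write-Host ('  ' + $_) }
}
```

Running the script before and after applying the policy gives you a concrete before/after picture of the registry and audit changes, which is easier to file with the change record than screenshots of the summary pages. If you chose "Windows NT 4.0 Service Pack 6a or later operating systems" alone, as the article does, compare the LmCompatibilityLevel line with the Registry Settings Summary page rather than assuming the threshold used here.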
Figure 21

Click Next on the Save Security Policy page to save the changes to a security policy template. Note that no changes will be made to the ISA firewall device at this time.

Figure 22

On the Security Policy File Name page, enter the name for the file at the end of the path provided for you in the Security policy file name text box. In this example, we’ll name the file isafirewallsecpol. Click the View Security Policy button to view the details of the security policy you’ve configured with the SCW.

Figure 23

The SCW Viewer appears and shows you the details of the security policy you’ve configured with the SCW. Review these settings closely to confirm that you want to make the changes listed here. Close the SCW Viewer.

Figure 24

Now for the moment of truth. You have the option to save the file and apply it later, or you can apply the policy you’ve configured in the SCW now. If you’re not sure you want to make the changes, choose the Apply later option and copy the file to a lab ISA firewall and test it there. If you want immediate gratification, then select the Apply now option. Except for the changes made to the file system ACLs, you can always undo the changes made by the SCW policy by running the SCW again. In this example I’ll select the Apply now option and click Next.

Figure 25

Click Next on the Applying Security Policy page after you see it say Application complete.

Figure 26

Click Finish on the Completing the Security Configuration Wizard page.

Figure 27
Conclusion

I recommend restarting the ISA firewall device after you apply the policy changes to the ISA firewall.

While the changes made to the ISA firewall do not seem to have disabled any core functionality and have not created any access control issues that I’ve been able to identify, I have to recommend that you always test your policies in a lab environment before deploying them to your production ISA firewall. Your deployment may differ significantly from the best practices configuration that I recommend for ISA firewalls, or you may have networking, stateful packet inspection or application layer inspection enhancements installed on your ISA firewall. You should test your SCW security policies in the lab, with your production software environment, before deploying them on the actual ISA firewall device. You’re asking for trouble if you do otherwise.
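The "Apply later, test in a lab, then apply" workflow from the Apply now/Apply later step and this conclusion can be driven without clicking through the wizard a second time. Windows Server 2003 SP1 ships scwcmd.exe alongside the wizard, with analyze, configure and rollback commands that work on the policy file the wizard saved. The PowerShell script below is an added example and is not code from the article, the SCW or the ISA product: it analyzes the host against the saved policy without changing anything, and only with an explicit switch applies the policy, checks that the ISA services came back, and rolls the policy back if they did not. The default policy path, the ISA service names and the health test are this example's assumptions; adjust them to what you see on your own firewall.

```powershell
# Added example, not code from the article or from the ISA product: drives the
# SCW from the command line with scwcmd.exe so the saved policy can be analyzed
# against a lab ISA firewall first, applied, smoke-tested, and rolled back
# automatically if the firewall services do not come back. Run it in an
# elevated PowerShell on the firewall being tested.

param(
    # The SCW saves policies under %windir%\security\msscw\Policies by default
    # (assumed); "isafirewallsecpol" is the policy name used in the article.
    [string]$PolicyPath = (Join-Path $env:windir 'security\msscw\Policies\isafirewallsecpol.xml'),
    [string]$ReportDir  = (Join-Path $env:TEMP 'scw-analysis'),
    [switch]$Apply      # without -Apply the script only analyzes and reports
)

# ISA Server 2004 services that must be running after the policy is applied
# (assumed service names; compare with the output of Get-Service on your box).
$requiredServices = @('fwsrv', 'isactrl', 'isastg')

function Invoke-Scw([string[]]$Arguments) {
    Write-Host ('scwcmd ' + ($Arguments -join ' '))
    & scwcmd.exe $Arguments | Out-Null
    return $LASTEXITCODE
}

# Step 1: "analyze" compares the host with the policy and writes an XML report
# into $ReportDir without changing anything. This is the lab check the
# conclusion asks for, and it is safe to run on a production firewall.
function Test-PolicyAgainstHost {
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    return (Invoke-Scw @('analyze', "/p:$PolicyPath", "/o:$ReportDir"))
}

# Step 2: "configure" applies the policy, the same action as "Apply now".
function Invoke-PolicyApply { return (Invoke-Scw @('configure', "/p:$PolicyPath")) }

# Step 3: "rollback" undoes the last applied policy. As the article notes,
# file-system SACLs set by SCWAudit.inf are not reverted by a rollback.
function Invoke-PolicyRollback { return (Invoke-Scw @('rollback')) }

# Health test: every required ISA service is in the Running state.
function Get-StoppedIsaServices {
    $stopped = @()
    foreach ($name in $requiredServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null -or $svc.Status -ne 'Running') { $stopped += $name }
    }
    return $stopped
}

if (-not (Test-Path $PolicyPath)) { throw "Policy file not found: $PolicyPath" }

$rc = Test-PolicyAgainstHost
if ($rc -ne 0) { throw "scwcmd analyze failed with exit code $rc; see $ReportDir" }
Write-Host "Analysis report written to $ReportDir; open it with: scwcmd view /x:<report.xml>"

if ($Apply) {
    $rc = Invoke-PolicyApply
    if ($rc -ne 0) { throw "scwcmd configure failed with exit code $rc" }
    Start-Sleep -Seconds 30     # let services settle before testing them
    $stopped = @(Get-StoppedIsaServices)
    if ($stopped.Count -gt 0) {
        Write-Host ('ISA services not running after apply: ' + ($stopped -join ', ') + ' - rolling back')
        $rc = Invoke-PolicyRollback
        if ($rc -ne 0) { throw "scwcmd rollback failed with exit code $rc" }
    } else {
        Write-Host 'Policy applied and ISA services are running; restart the firewall as the article recommends.'
    }
}
```

The service check is deliberately a minimal health test; in a real lab run you would follow it with the traffic tests that matter for your deployment (Firewall client connections, VPN site-to-site tunnels, published servers) before promoting the same policy file to the production firewall.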