Upload
eugenio-costa
View
228
Download
0
Embed Size (px)
Citation preview
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
1/44
ISA Server 2006 Standard Edition & Enterprise
Edition Common Criteria EvaluationGuidance Documentation Addendum
Internet Security and Acceleration Server Team
Author: Microsoft Corp.
Version: 1.6
Last Saved: 2008-11-12
File Name: MS_ISA2006_ADD_1.6.docx
AbstractThis document is the Guidance Documentation Addendum of ISA Server 2006 Standard Editionand Enterprise Edition.
Keywords
CC, ISA, Common Criteria, Firewall, Guidance Documentation Addendum
MicrosoftInternet Securit
Serve
and Acceleration
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
2/44
Guidance Documentation Addendum Page 2/44
This page intentionally left blank
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
3/44
Guidance Documentation Addendum Page 3/44
Table of Contents
Page
1 INTRODUCTION TO THE GUIDANCE ADDENDUM ....................................................... 61.1 Scope ......................................................................................................................... 61.2 Security Functions and Associated Chapters ............................................................. 71.3 Warnings about Functions and Privileges ................................................................... 71.4 Installation of the Evaluated ISA Server 2006 Standard Edition ................................. 8
1.4.1 Installation Requirements ....................................................................................... 81.4.2 Installation Procedures ........................................................................................... 9
1.5 Installation of the Evaluated ISA Server 2006 Enterprise Edition .............................. 111.5.1 Installation Requirements ..................................................................................... 111.5.2 Installation Procedures ......................................................................................... 12
2 SECURITY FUNCTIONS ................................................................................................ 162.1 SF1 - Web Identification and Authentication ............................................................. 162.2 SF2 - Information Flow Control ................................................................................. 182.3 SF3 - Audit ............................................................................................................... 192.4 Administration-Related Interfaces ............................................................................. 192.5 TOE User Interfaces ................................................................................................. 20
3 OPERATING ENVIRONMENT ........................................................................................ 213.1 Assumptions ............................................................................................................ 213.2 Organizational Security Policies ............................................................................... 223.3
Secure Usage Assumptions - IT Security Requirements for the IT Environment ...... 22
3.4 Security Objectives for the Environment ................................................................... 233.5 Requirements for the Operational Environment ........................................................ 23
4 SECURITY-RELEVANT EVENTS ................................................................................... 255 TOE INTEGRITY ............................................................................................................. 26
5.1 Integrity of the CD-ROM Content.............................................................................. 265.2 Integrity of the Package ............................................................................................ 285.3 Version Number for the TOE .................................................................................... 29
6 ANNOTATIONS .............................................................................................................. 316.1 Authentication methods ............................................................................................ 31
6.1.1 Single Sign On ...................................................................................................... 316.1.2 Authentication Process ......................................................................................... 326.1.3 Client Authentication Methods for Receipt of Client Credentials ............................ 336.1.4 Methods for Validation of Client Credentials ......................................................... 346.1.5 Authentication Delegation ..................................................................................... 35
6.2 Lockdown Mode ....................................................................................................... 366.2.1 Affected functionality ............................................................................................. 376.2.2 Leaving lockdown mode ....................................................................................... 37
7 FLAW REMEDIATION GUIDANCE ................................................................................ 387.1 How to report detected security flaws to Microsoft .................................................... 387.2 How to get informed about Security Flaws and Flaw Remediation ........................... 39
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
4/44
Guidance Documentation Addendum Page 4/44
7.3 Installing a remedy ................................................................................................... 407.4 Authentication of a Fix .............................................................................................. 41
8 REFERENCES AND GLOSSARY .................................................................................. 428.1 References ............................................................................................................... 428.2 Acronyms ................................................................................................................. 438.3 Glossary ................................................................................................................... 43
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
5/44
Guidance Documentation Addendum Page 5/44
List of TablesPage
Table 1.1 Security functions and associated chapters ........................................................... 7Table 1.2 Warnings about functions and privileges ................................................................ 8Table 3.1 Assumptions for the IT environment and intended usage ..................................... 21Table 3.2 Security policies addressed by the TOE .............................................................. 22Table 3.3 TOE security functional requirements for the environment ................................... 22Table 3.4 Security objectives for the environment ............................................................... 23Table 4.1 Security-relevant events ...................................................................................... 25
List of FiguresPage
Figure 1.1 Disable weak algorithms ..................................................................................... 11Figure 1.2 Disable weak algorithms ..................................................................................... 15Figure 2.1 Error messages .................................................................................................. 17Figure 5.1 Example of Integrity check I (successful) ............................................................ 27Figure 5.2 Example of Integrity check II (missing FDIV tool) ................................................ 28Figure 5.3 ISA Server 2006 Standard Edition (Box & CD-ROM) .......................................... 28
Figure 5.4 ISA Server 2006 Enterprise Edition (CD-ROM)................................................... 29Figure 5.5 Version number of ISA Server 2006 Standard Edition ........................................ 29Figure 5.6 Version number of ISA Server 2006 Enterprise Edition....................................... 30Figure 5.7 Identifying ISA Server 2006 Enterprise Edition ................................................... 30Figure 7.1 Installation Instructions for Security Bulletin (example) ....................................... 40
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
6/44
Guidance Documentation Addendum Page 6/44
1 Introduction to the Guidance Addendum
This document is required by Common Criteria for the Microsoft Internet Security andAcceleration (ISA) Server 2006 Standard Edition and Enterprise Edition evaluation. The
document should be used by any administrator who wants to ensure that the deployed ISA
Server 20061 is the evaluated version (see [ST]). It is an addendum to the manual [MSISA]
which is delivered with ISA Server 2006.
1.1 Scope
This document extends the ISA Server 2006 manual [MSISA] and provides required
information for the ISA Server 2006 common criteria evaluation.
The evaluated Guidance Documentation ([MSISA] and this document) is valid for ISAServer 2006 Standard Edition and ISA Server 2006 Enterprise Edition. Its software version is
for both evaluated configurations 5.0.5720.100.
1 ISA Server 2006 references both configurations ISA Server 2006 Standard Edition and ISA Server 2006
Enterprise Edition.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
7/44
Guidance Documentation Addendum Page 7/44
1.2 Security Functions and Associated Chapters
The relevant chapters of the security functionality are summarized in the following table.
Table 1.1 Security functions and associated chapters
Security function (see [ST]) Relevant chapters
SF1 Web Identification andAuthentication
[MSISA] Firewall Policy > Firewall Policy: How To > ConfigureAuthentication > Configure authentication method for a Web listener
see Chapter 6.1
SF2 - Information Flow Control [MSISA] Firewall Policy > Firewall Policy: Concepts
Access Rules:
[MSISA] Firewall Policy > Firewall Policy: How To > Configure Access Rules
(Mail) Server Publishing Rules:
[MSISA] Firewall Policy > Firewall Policy: How To > Configure Serverpublishing rules
Web Publishing Rules:
[MSISA] Firewall Policy > Firewall Policy: How To > Configure Webpublishing rules
System Policy:
[MSISA] Firewall Policy > Firewall Policy: How To > Configure System policy
Application Filter:
[MSISA] Firewall Policy > Firewall Policy: How To > Configure Per-RuleFiltering > Configure RPC filtering
[MSISA] Firewall Policy > Firewall Policy: How To > Configure Per-RuleFiltering > Configure FTP filtering
[MSISA] Add-ins > Add-ins: How To > Configure SMTP filter buffer overflowthresholds
Web Application Filter:
[MSISA] Firewall Policy > Firewall Policy: How To > Configure Per-RuleFiltering > Configure HTTP filtering
[MSISA] Firewall Policy > Firewall Policy: How To > ConfigureAuthentication > Configure authentication method for a Web listener
SF3 - Audit [MSISA] Monitoring > Monitoring: How To > Configure Logging > Configurelogging to an MSDE database
[MSISA] Monitoring > Monitoring: How To > Configure Logging > Filter thelog viewer data
[MSISA] Monitoring > Monitoring: How To > Configure Logging > Specifyfields to log
1.3 Warnings about Functions and Privileges
The administrator guidance contains warnings about functions and privileges that should be
controlled in a secure processing environment. These are listed in following table.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
8/44
Guidance Documentation Addendum Page 8/44
Table 1.2 Warnings about functions and privileges
Aspect Relevant chapters
Overview [MSISA] Administration > Administration: Concepts
Manual [MSISA] Administration > Administration: How To > Assign Administrative roles
Warnings Each chapter identifies and describes the warnings, the assumptions and the securityparameters related to that SF when necessary. The identification and description aremade in a complete and consistent way.
Examples for chapters that contain additional hints:
Important ( marked with a blue sign)
[MSISA] Firewall Policy > Firewall Policy: How To > Configure Authentication >
Configure authentication method for a Web listener
Caution ( marked with a red flag)
[MSISA] Administration > Administration: How To > Back Up and Restore >Import a configuration (Note: This is not a security function according theSecurity Target but gives an example for a caution.)
Warning ( marked with a yellow sign)
[MSISA_ADD] Chapter 2 Security Functions
1.4 Installation of the Evaluated ISA Server 2006 Standard Edition
This document provides detailed installation instructions for Microsoft Internet Security and
Acceleration (ISA) Server 2006 Standard Edition.
1.4.1 Installation Requirements
To use ISA Server, you need:
A personal computer with a 550-megahertz (MHz) or faster processor.
Microsoft Windows Server 2003, Standard Edition (English) Service Pack 1 (SP1)
including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and
update KB907865. Also, ensure that no additional software products have been
installed on this computer.
256 megabytes (MB) of memory.
150 MB of available hard disk space. This is exclusive of hard disk space you want to
use for caching.
One network adapter that is compatible with the computer's operating system, for
communication with the Internal network.
An additional network adapter for each network connected to the ISA Server computer.
One local hard disk partition that is formatted with the NTFS file system.
Please also check Section 3.5 Requirements for the Operational Environment.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
9/44
Guidance Documentation Addendum Page 9/44
1.4.2 Installation Procedures
ISA Server 2006 Standard Edition is composed of the following components:
ISA Server. This is the computer that runs the firewall.
ISA Server Management. The console through which the administrator manages the
enterprise.
Advanced Logging. Note that the Advanced Logging component can only be installed
on a computer running ISA Server services.
To install the evaluated version, the administrator must install ISA Server and ISA Server
Management (file \ISAAutorun.exe). The following pictures show the step-by-step installation
process for ISA Server 2006 Standard Edition.
Startup screen License Agreement
User name and product key Installation options
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
10/44
Guidance Documentation Addendum Page 10/44
No additional components (default) Specify internal networks (example)
Do not allow non-encrypted Firewall clients (default) Service warning
Start of installation process Completion of installation process
After installation, apply the registry settings shown in Figure 1.1. These settings enforce 128 bit
encryption for Forms-based authentication. Without applying the registry keys a 56 bit SSL
connection for Forms-based authentication might be established (e.g. when a client is used
which does not support 128 bit encryption). This means that even when in the HTTPS listener
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
11/44
Guidance Documentation Addendum Page 11/44
128 bit encryption is enforced for the data transfer user credentials will be sent over a weak
encrypted connection.
Figure 1.1 Disable weak algorithms
1.5 Installation of the Evaluated ISA Server 2006 Enterprise Edition
This document provides detailed installation instructions for Microsoft Internet Security and
Acceleration (ISA) Server 2006 Standard Edition.
1.5.1 Installation Requirements
To use ISA Server, you need:
A personal computer with a 550-megahertz (MHz) or faster processor.
Microsoft Windows Server 2003, Standard Edition (English) Service Pack 1 (SP1)
including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and
update KB907865. Also, ensure that no additional software products have been
installed on this computer.
256 megabytes (MB) or more of memory.
150 MB of available hard disk space. This is exclusive of hard disk space you want to
use for caching.
One network adapter that is compatible with the computer's operating system, for
communication with the Internal network.
An additional network adapter for each network connected to the ISA Server computer.
One local hard disk partition that is formatted with the NTFS file system.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
12/44
Guidance Documentation Addendum Page 12/44
Please also check Section 3.5 Requirements for the Operational Environment.
1.5.2 Installation Procedures
ISA Server 2006 Enterprise Edition is composed of the following components:
ISA Server Management. The console through which the administrator manages the
enterprise.
Configuration Storage server. The repository of the enterprise layout and the
configuration for each server in the enterprise. This repository is an instance of Active
Directory Application Mode (ADAM). Each ISA Server computer has a local copy of
its configuration that is a replica of the servers configuration, which is located on the
Configuration Storage server.
ISA Server services. This is the computer that runs the firewall. The computer running
ISA Server services is connected to a Configuration Storage server, which stores the
configuration information.
Additional components. Additional components (Advanced Logging, Firewall Client
Share, and Message Screener) can be installed on separate computers. Note that the
Advanced Logging component can only be installed on a computer running ISA Server
services.
To install the evaluated version, the administrator must install ISA Server Management and the
Configuration Storage server (file \ISAAutorun.exe) on the same machine. The followingpictures show the step-by-step installation process for ISA Server 2006 Enterprise Edition.
Startup screen License Agreement
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
13/44
Guidance Documentation Addendum Page 13/44
User name and product key (picture not shown completely) Installation options
No additional components (default) New ISA Server enterprise (default)
Installation note Specify internal networks (example)
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
14/44
Guidance Documentation Addendum Page 14/44
Do not allow non-encrypted Firewall clients (default) Service warning
Start of installation process Completion of installation process
After installation, apply the registry settings shown in Figure 1.2. These settings enforce 128 bit
encryption for Forms-based authentication. Without applying the registry keys a 56 bit SSL
connection for Forms-based authentication might be established (e.g. when a client is used
which does not support 128 bit encryption). This means that even when in the HTTPS listener
128 bit encryption is enforced for the data transfer user credentials will be sent over a weak
encrypted connection.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
15/44
Guidance Documentation Addendum Page 15/44
Figure 1.2 Disable weak algorithms
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
16/44
Guidance Documentation Addendum Page 16/44
2 Security Functions
This chapter identifies all the security functions available to the administrator. The securityfunctions are derived from the ISA Server 2006 security functions described in the ISA Server
2006 Security Target (ST).
For administration, ISA Server 2006 includes graphical taskpads and wizards. These simplify
navigation and configuration for common tasks. These features are embedded in the Microsoft
Management Console and do not belong to the TOE. They are provided by the environment.
The underlying operating system is the certified Windows Server 2003, Standard Edition
(English) SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027
(KB896422), and update KB907865. (The same installation has been used for Windows
Server 2003 Common Criteria EAL 4+ evaluation; Validation Report Number CCEVS-VR-05-
0131, [WINST] and [WINVR], and referenced as Windows Server 2003 in this document.)
Warnings
The administrator must ensure that ISA Server 2006 is installed and used with
Windows Server 2003. More details can be found in the Security Target of ISA Server
2006 Standard Edition/Enterprise Edition [ST].
The administrator has to observe the Security Bulletins, to ensure that all possible
countermeasures are used.
The administrator should check http://www.microsoft.com/security/ regularly for thelatest ISA Server 2006 service packs and hotfixes.
The administrator should only use programs that are required to administer and
operate the firewall. The administrator should not install additional software which may
compromise the security of the TOE or the underlying operating system.
2.1 SF1 - Web Identification and Authentication
The TOE can be configured in a way that only particular users are allowed to access the
networks through the TOE using Forms-based authentication.
Forms-based authentication is one of the standard methods of authentication for Hypertext
Transfer Protocol (HTTP) transmissions for incoming and outgoing requests. Forms-based
authentication sends and receives user information in plaintext. No encryption is used with
Forms-based authentication.
Secure Sockets Layer (SSL) encryption has to be used to secure the transferred user
identification and authentication credentials, so these credentials cannot be monitored during
transmission to the TOE.
The TOE has been evaluated using Forms-based authentication with SSL encryption for
incoming HTTP connections. The TOE verifies if the user credentials comply with data stored
http://www.microsoft.com/security/http://www.microsoft.com/security/http://www.microsoft.com/security/7/28/2019 CC Guidance Documentation Addendum for ISA 2006
17/44
Guidance Documentation Addendum Page 17/44
in the local user database or a remote authentication server using Remote Authentication Dial-
In User Service (RADIUS).
Important
When trying to connect to a Web site via HTTP (not HTTPS) that is published using ISA Server
2006, you receive an error message (see Figure 2.1), when all the following conditions are
true:
The Web listener has any one of the following authentication methods enabled:
o Basic authentication
o Radius authentication
o Forms-Based authentication
The Web listener is configured to listen for HTTP traffic.
The Require all users to authenticate check box is selected for the Web listener or theWeb publishing rules apply to a user set other than the default All users user set.
You connect to the published Web site by using HTTP instead of by using HTTPS.
Figure 2.1 Error messages
When you use HTTP-to-HTTP bridging, ISA Server 2006 does not enable traffic on the
external HTTP port if the Web listener is configured to request one or more of the following
kinds of credentials:
Basic authentication
Radius authentication
Forms-based authentication
This behavior occurs because these kinds of credentials should be encrypted. These
credentials should not be sent in plaintext over HTTP.
ISA Server 2006 prevents you from entering credentials in plaintext. When you try to do this,
you receive an error message2.
2For ISA Server 2004 versions that are earlier than ISA Server 2004 SP2, you are prompted to enter credentials in
plaintext. This behavior may cause the credentials to be transmitted over the network in plaintext if you have not
If the ISA Server Web listener has Basic authentication enabled, you receive the following error
message:
Error Code: 403 Forbidden.
The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server
administrator. (12211)If the ISA Server Web listener has RADIUS authentication or Microsoft Outlook Web Access
Forms-Based authentication (Cookie-auth) enabled, you receive the following error message:
Error Code: 500 Internal Server Error.
An internal error occurred. (1359)
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
18/44
Guidance Documentation Addendum Page 18/44
Warnings
When using Forms-based authentication, depending on the application on the
computer which could "cache" the password, the user must ensure that the
environment is locked, when it is unattended.
To secure transferred user identification and authentication credentials, ensure that
strong SSL encryption (at least 128 bit) is enforced.
2.2 SF2 - Information Flow Control
The TOE combines several security mechanisms to enforce the security policies at different
network layers: a rule base for incoming and outgoing requests, Web and application filters,
and system security configuration options.
The TOE controls the flow of incoming and outgoing packets and controls information flow on
protocol level. This control has to be active before any information can be transmitted through
the TOE. Information flow control is subdivided into firewall policy rules that consist of access
rules, server publishing rules, mail server publishing rules, Web publishing rules, system
policy, Web application filters, and application filters.
Warning
The following Windows Server 2003 vulnerabilities require that the administrator, on computers
without updates, does not publish certain ports from the local host to the external interface or
that the administrator ensure that a certain configuration has been applied:
MS06-018 requires blocking following ports to the local host at the firewall:
- All unsolicited inbound traffic on ports greater than 1024
- Any other specifically configured RPC port
These ports can be used to initiate a connection with the Microsoft Distributed
Transaction Coordinator. Blocking them at the firewall (to local host) will protect the
operating system to exploit this vulnerability. Also, make sure that you block any other
specifically configured RPC port on the local host. While RPC can use UDP ports 135,
137, 138, 445, and TCP ports 135, 139, 445, and 593, the Microsoft Distributed
Transaction Coordinator service is not vulnerable over those ports.
MS06-032 required to disable IP source routing:
Disabling IP source routing will prevent an affected host from processing IP source-
related packets that could allow an attacker to execute code. IP source routing
processing can be disabled by the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
implemented some other form of network security, such as an external Secure Sockets Layer (SSL) accelerator or
an encrypted tunnel. ISA Server 2006 does not provide these forms of security.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
19/44
Guidance Documentation Addendum Page 19/44
Add the DWORD Value: DisableIPSourceRouting. Set the value to 2. This value
disables IP source routing processing. By default, this key does not exist.
2.3 SF3 - Audit
The TOE stores logging information in different log files:
Firewall service log
The Firewall log contains records of packets that were dropped in the packet filter level.
It is possible to turn on logging for packets that were permitted to traverse the firewall.
Access rules can be configured selectively to create or not to create a log file entry
when a packet has been blocked or permitted.
Web proxy service log
The Web Proxy log stores a line per HTTP request that it gets. Each request (incoming
and outgoing) is always logged.
Windows application event log
The Windows application event log stores important system events and failures.
Warning
It should be assured that there is always enough free disk space. Choosing the right
resource and the right parameters for logging is mandatory. Creating logs that are too
large or creating too many files can lead to problems. Nevertheless, it is possible to
create an alert, which will move or delete old or unneeded log files.
2.4 Administration-Related Interfaces
The administrator interacts with the TOE via a Microsoft Management Console snap-in. (The
Microsoft Management Console is provided by the IT environment.) The application interacts
with the local registry and local file system of the operating system (Windows Server 2003) and
finally with the TOE.
The ISA Server configuration which is stored in the local registry or the file system (ISA 2006
SE) or stored in ADAM and synchronized with the local registry and file system (ISA 2006 EE)
is configured with the MMC.
Warning (Enterprise Edition only)
By default, policy changes are applied within a time frame of 15 seconds since the relevant
configuration data has to be polled from ADAM.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
20/44
Guidance Documentation Addendum Page 20/44
2.5 TOE User Interfaces
There are no user-related manuals provided. (Due to the nature of a firewall product, the
filtering process is transparent to the user.)
The network interface is the only external interface available for the user. To protect
communication between networks, the TOE has an interface to the network layer of the
operating system. Traffic from one network to another network is always passed though the
TOE using this interface. All network traffic generated by users has to pass this interface.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
21/44
Guidance Documentation Addendum Page 21/44
3 Operating Environment
The security environment of the evaluated configurations of ISA Server 2006 is described inthe ISA Server 2006 Standard Edition/Enterprise Edition Security Target [ST] and identifies the
threats to be countered by ISA Server 2006, the organizational security policies, and the usage
assumptions as they relate to ISA Server 2006. The administrator should ensure that the
environment meets the organizational policies and assumptions. They are restated here from
the Security Target.
To use the TOE in the evaluated configuration, the underlying environment must be the
certified Windows Server 2003 operating system (see chapter 3.5).
3.1 AssumptionsTable 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended
usage.
Table 3.1 Assumptions for the IT environment and intended usage
# Assumption name Description
1 A.DIRECT The TOE is available to authorized administrators only. Personnel who hasphysical access to the TOE and can log in the operating system is assumed toact as an authorized TOE administrator.
2 A.GENPUR The TOE stores and executes security-relevant applications only. It stores onlydata required for its secure operation. Nevertheless the underlying operatingsystem may provide additional applications required for administrating the TOE
or the operating system.3 A.NOEVIL Authorized administrators are non-hostile and follow all administrator guidance.
4 A.ENV The environment implements following functionality:
local identification and authentication of user credentials used for webpublishing (see A.WEBI&A for Radius identification and authentication; in caseof a successful authentication the TOE analyses the returned value and allowsor denies the access to network resources depending on that value), reliabletime stamp (log file audit), fi le protection (for log file access protection, registryprotection, and ADAM protection), cryptographic support (for SSL encryption),administration access control, reliable ADAM implementation (for EEconfiguration only), Network Load Balancing (for EE configuration only,disabled by default).
5 A.PHYSEC The TOE is physically secure. Only authorized personal has physical access tothe system which hosts the TOE.
6 A.SECINST Required certificates and user identities are installed using a confidential path.7 A.SINGEN Information can not flow among the internal and external networks unless it
passes through the TOE.8 A.WEBI&A User credentials are verified by a Radius Server. The Radius Server returns a
value if a valid account exists or not.
Web Identification & Authentication with a Radius Server requires that theRadius server is placed on the internal network, so that data (user credentialsand return values) transferred to and from the Radius Server is secured by theTOE from external entities.
9 A.SSL All web publishing rules which support Form-based authentication have to beconfigured by the administrator so that strong encryption for SSL is enforced(at least 128bit encryption).
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
22/44
Guidance Documentation Addendum Page 22/44
3.2 Organizational Security Policies
Security policies to be fulfilled by the TOE are defined in Table 3.2.
Table 3.2 Security policies addressed by the TOE
# Policy name Description
1 P.AUDACC Persons must be accountable for the actions that they conduct. Therefore,audit records must contain sufficient information to prevent an attacker toescape detection.
3.3 Secure Usage Assumptions - IT Security Requirements for the ITEnvironment
This chapter identifies the TOE security functional requirements for the IT environment. Further
information about the Security Functional Requirements can be found in [ST].
Table 3.3 TOE security functional requirements for the environment
# Functional requirement Title
Identification & Authentication
1 FIA_ATD.1 User attribute definition
2 FIA_UID.2 User identification before any action
3 FIA_UAU.2 User authentication before any action
4 FCS_COP.1 Cryptographic operation
Information Flow Control
5 FMT_MSA.1 (1) Management of security attributes (1) UNAUTHENTICATED SFP
6 FMT_MSA.1 (2) Management of security attributes (2) UNAUTHENTICATED_APPL SFP
7 FMT_MSA.1 (3) Management of security attributes (3) AUTHENTICATED SFP
Audit
8 FPT_STM.1 Reliable time stamps
9 FAU_SAR.2 Restricted audit review
10 FAU_STG.1 Protected audit trail storageSecurity Management
11 FMT_SMF.1 Specification of Management Functions
12 FMT_SMR.1 Security roles
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
23/44
Guidance Documentation Addendum Page 23/44
3.4 Security Objectives for the Environment
Table 3.4 lists security objectives for the environment (covers objectives for the IT environment
and non-IT environment).
Table 3.4 Security objectives for the environment
# Objective Name Objective Description
1OE.DIRECT The TOE should be available to authorized administrators only.
2OE.GENPUR The environment should store and execute security-relevant applications
only and should store only data required for its secure operation.
3OE.NOEVIL Authorized administrators should be non-hostile and should follow all
administrator guidance.
4OE.ENV The environment should implement following functionality:
local identification and authentication of user credentials used for webpublishing (see OE.WEBI&A for Radius identification and authentication; in
case of a successful authentication the TOE analyses the returned valueand allows or denies the access to network resources depending on thatvalue), reliable time stamp (log file audit), file protection (for log file accessprotection, registry protection, and ADAM protection), cryptographic support(for SSL encryption), administration access control, reliable ADAMimplementation (for EE configuration only), Network Load Balancing (for EEconfiguration only, disabled by default).
5OE.PHYSEC The system which hosts the TOE should be physically secure.
6OE.SECINST The required user identities (used for user authentication) and required SSL
certificates for server authentication (HTTPS encryption) should be storedusing a confidential path. That means that created certificates and userpasswords should not be available to unauthorized persons (OE.DIRECTensures that unauthorized persons cannot get these information by
accessing the TOE).7
OE.SINGEN Information should not flow among the internal and external networks unlessit passes through the TOE. Thereby the TOE administrator has to guaranteean adequate integration of the TOE into the environment.
8OE.WEBI&A The Radius Server should verify provided user credentials and return if a
valid account exists or not.Data (user credentials and return values) between TOE and the RadiusServer should be transferred in the TOE secured environment, which meansthat the Radius Server should be placed on the internal network for WebIdentification & Authentication.
9OE.SSL All web publishing rules which support Form-based authentication should be
configured by the administrator so that strong encryption for SSL is enforced(at least 128bit encryption).
3.5 Requirements for the Operational Environment
The operational environment is a certified Windows Server 2003 Standard Edition (English)
SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and
patch KB907865 (same installation that has been used for Windows Server 2003 Common
Criteria EAL 4+ Evaluation; Validation Report Number CCEVS-VR-05-0131, [WINST] and
[WINVR]).
The update number listed on the security bulletin corresponds to the Microsoft Knowledge
Base (KB) article ID number. The Microsoft Knowledge Base is a database of technical articles
about Microsoft products and technologies. These articles range from "how to" articles
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
24/44
Guidance Documentation Addendum Page 24/44
describing how to complete a specific task to "bug" articles documenting known issues with
Microsoft products.
When you scan your computer for available updates, through the Windows Update Web site,
the Windows Update Web site displays a number along with the title of the update, for
example, "Update for Windows Media Player 9 Series (KB837272)." This KB number is
included in the security bulletin to help identify the corresponding KB article in the Microsoft
Knowledge Base.
Because the computer on which ISA Server 2006 is running is often the primary interface to
the External network, we recommend to secure this computer. The Security Best Practices
[MSISAHARD]3 document ISA Server 2004 Security Hardening Guide, available on the ISA
Server Web site, containing details how to secure the ISA Server 2004 Enterprise Edition
computer, is applicable to ISA Server 2006 (SE and EE), and is updated periodically with new
information.
Additional information can be found on
http://www.microsoft.com/technet/isa/2006/security_guide.mspx
Warning
The administrator should check http://www.microsoft.com/security/ regularly for the latest
Windows Server 2003 hotfixes.
3 online available:http://go.microsoft.com/fwlink/?LinkID=24507
http://www.microsoft.com/technet/isa/2006/security_guide.mspxhttp://www.microsoft.com/technet/isa/2006/security_guide.mspxhttp://www.microsoft.com/security/http://www.microsoft.com/security/http://go.microsoft.com/fwlink/?LinkID=24507http://go.microsoft.com/fwlink/?LinkID=24507http://go.microsoft.com/fwlink/?LinkID=24507http://go.microsoft.com/fwlink/?LinkID=24507http://www.microsoft.com/security/http://www.microsoft.com/technet/isa/2006/security_guide.mspx7/28/2019 CC Guidance Documentation Addendum for ISA 2006
25/44
Guidance Documentation Addendum Page 25/44
4 Security-Relevant Events
This subsection describes all types of security-relevant events and what administrator action (ifany) to take to maintain security. Security-relevant events that may occur during operation of
ISA Server 2006 must be adequately defined to allow administrator intervention to maintain
secure operation. Security-relevant events are defined as events that signify a security related
change in the system or environment. These changes can be grouped as routine or abnormal.
The routine events are already addressed in subsection Security Functions.
Table 4.1 Security-relevant events
Security function Security-relevant event Relevant chapters
Web Identification andAuthentication
Configure Forms-basedauthentication.
The user has a missing permission toaccess the Internet.
A user is leaving the company, so hisor her rights have to be withdrawn.
Enable strong SSL encryption (atleast 128 bit) for HTTPS.
see Chapter 6.1[MSISA] Firewall Policy > FirewallPolicy: How To > Configure WebPublishing Rules > Configure alistener for a Web publishing rule
[MSISA] Monitoring >Monitoring: How To > ConfigureLogging > To configure logging toan MSDE database
To enable strong SSL encryption,open the corresponding Webpublishing rule > Traffic andselect Require 128-bitencryption for HTTP traffic.
Information FlowControl
An alert occurs, so the administratorhas to monitor the alert.
[MSISA] Monitoring > Monitoring:How To > Configure Alerts
Audit Log file overflow. If the ISA Servercomputer runs out of disk space, the
administrator has to configure themaximum number of log files.
[MSISA] Monitoring > Monitoring:How To > Configure Logging >
Configure logging to an MSDEdatabase
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
26/44
Guidance Documentation Addendum Page 26/44
5 TOE Integrity
This chapter describes how the administrator can verify that the evaluated version of the TOEis used.
5.1 Integrity of the CD-ROM Content
Customers can check the CD content by using the publicly available Microsoft File Checksum
Integrity Verifier (FCIV) tool4.
This tool uses SHA-1 hash values to verify the integrity of the:
ISA Server 2006 Standard Edition (on CD-ROM)
ISA Server 2006 Enterprise Edition (on CD-ROM)
The corresponding hash files are available from the Microsoft corporate Web site, as well as a
batch file that runs the tool and a Readme file that explains the usage for users that do not
have access to this document. The hash file contains SHA-1 values for each of the relevant
files that must be verified and is downloadable using a secured channel from the ISA Server
common criteria Web page:
https://go.microsoft.com/fwlink/?linkid=49507
The FCIV is a command-prompt utility that computes and verifies cryptographic hash values of
files (MD5 and SHA-1 cryptographic hash values are possible). The tool is run by the supplied
batch file. To run the batch file the user opens a Command Prompt window and changes to the
folder into which the validation files were downloaded. The user then types the following (the
exact file name depends what CD-ROM or file the user wants to verify):
integritycheck.cmd X:
Where x: is the local CD-ROM drive that contains the ISA Server 2006 CD-ROM.
Figure 5.1 shows a successful verification of the TOE. Figure 5.2 shows an error message
because of the missing FCIV tool.
Important
The hash value of the FCIV tool is published on the ISA Server common criteria web page and
should be verified by the customer using a 3rd party tool of his choice. The complete process is
described on the web site and in the guidance addendum (the following is a shortened quote
from the ISA Server common criteria web page which also states the correct hash values
required for the verification process):
Please perform the following steps in order to ensure the integrity of your downloads from this
website:
1. Download the FCIV tool fromhttp://support.microsoft.com/default.aspx?scid=kb;en-
us;841290. The sha-1 value of this download is
4Installation instruction and download link on following Web page:
http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
https://go.microsoft.com/fwlink/?linkid=49507https://go.microsoft.com/fwlink/?linkid=49507http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290http://support.microsoft.com/default.aspx?scid=kb;en-us;841290https://go.microsoft.com/fwlink/?linkid=495077/28/2019 CC Guidance Documentation Addendum for ISA 2006
27/44
Guidance Documentation Addendum Page 27/44
99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex)
and shall be verified before executing the download. This can be done using any
tool capable of calculating SHA-1 values.
2. Download the "Integrity Check ISA 2006" and "CC Guidance Documentation
Addendum" to the directory where FCIV has been extracted.
3. Open a command prompt and change to directory where FCIV has been extracted.
4. Check the integrity of "Integrity Check ISA 2006" using
fciv "Integrity Check ISA 2006.zip" sha1
and verify that the result is
5. Check the integrity of the CC Guidance Addendum usingfciv "CC Guidance Documentation Addendum for ISA 2006.pdf"
sha1
and verify that the result is
6. Follow the CC Guidance Addendum for further Installation and Configuration of the
TOE.
Figure 5.1
Example of Integrity check I (successful)
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
28/44
Guidance Documentation Addendum Page 28/44
Figure 5.2 Example of Integrity check II (missing FDIV tool)
5.2 Integrity of the Package
ISA Server 2006 Enterprise Edition is available in a volume license only (see Figure 5.4), there
is no retail box with certificate of authenticity (COA) label on a box like for ISA Server 2006
Standard Edition (see Figure 5.3). Nevertheless the end user should check the integrity as
described in chapter 5.1 for ISA Server 2006 Standard Edition respectively ISA Server 2006
Enterprise Edition.Figure 5.3 ISA Server 2006 Standard Edition (Box & CD-ROM)
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
29/44
Guidance Documentation Addendum Page 29/44
Figure 5.4 ISA Server 2006 Enterprise Edition (CD-ROM)
5.3 Version Number for the TOE
The method to examine the ISA Server version number is included in the Microsoft
Management Console. The user can identify the version of the TOE in the Help menu
(HelpAbout ISA Server 2006; see Figure 5.6). The version number presented in the
Microsoft Management Console is 5.0.5720.100. That version corresponds to the evaluated
version named in the ST which is ISA Server 2006. From the about boxes it is not obvious
which configuration of ISA Server 2006 is installed. When in the left pane of the management
console the branch Enterprise exists you have installed ISA Server 2006 EE (see Figure 5.7).
Figure 5.5 Version number of ISA Server 2006 Standard Edition
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
30/44
Guidance Documentation Addendum Page 30/44
Figure 5.6 Version number of ISA Server 2006 Enterprise Edition
Figure 5.7 Identifying ISA Server 2006 Enterprise Edition
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
31/44
Guidance Documentation Addendum Page 31/44
6 Annotations
6.1 Authentication methods
This chapter describes how ISA Server manages authentication. It provides information about
authentication and delegation methods supported by the TOE, and how the authentication
process is handled.
6.1.1 Single Sign On
Single sign on (SSO) enables users to authenticate once to the TOE, and then access all of
the Web servers with the same domain suffix that the TOE is publishing on a specific listener,
without re-authenticating. Web servers can include Microsoft Outlook Web Access servers and
servers running Microsoft Office SharePoint Portal Server 2003, as well as standard servers
running Internet Information Services (IIS).
A typical example of SSO is a user who logs on to Outlook Web Access, providing credentials
on a form. In one of the e-mail messages that the user receives is a link to a document that is
stored in SharePoint Portal Server. The user clicks the link, and the document opens, without
an additional request for authentication.
Security Notes
As long as a user's browser process is still running, that user is logged on. For example, a
user logs on to Outlook Web Access. From the Microsoft Internet Explorer menu, the user
opens a new browser window, and then navigates to another site. Closing the Outlook Web
Access window does not end the session, and the user is still logged on.
When enabling SSO, be sure to provide a specific SSO domain. Providing a generic domain,
such as .co.uk, will allow the Web browser to send the ISA Server SSO cookie to any Web
site in that domain, creating a security risk.
Note
There is no support for SSO between different Web listeners. Published servers must share
the same Domain Name System (DNS) suffix. For example, you can configure SSO when
publishing mail.fabrikam.com and team.fabrikam.com. You cannot configure SSO when
publishing mail.fabrikam.com and mail.contoso.com. The DNS suffix consists of the entirestring that follows the first dot. For example, to configure SSO between
mail.detroit.contoso.com and mail.cleveland.contoso.com, you would use the DNS suffix
contoso.com.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
32/44
Guidance Documentation Addendum Page 32/44
6.1.2 Authentication Process
There are three components of the authentication process in the TOE:
Receipt of client credentials.
Validation of client credentials against an authentication provider.
Delegation of authentication to Web servers that are behind the TOE, such as serversrunning SharePoint Portal Server 2003.
Note
The first two components are configured on the Web listener that receives client requests.
The third is configured on the publishing rule. This means that you can use the same listener
for different rules, and have different types of delegation.
The authentication process for forms-based authentication is demonstrated in the following
figure. Note that this is a simplified description of the process, presented to describe the
primary steps involved.
Step 1, receipt of client credentials: The client sends a request to connect to the corporate
Outlook Web Access server in the Internal network. The client provides the credentials in an
HTML form (Frontend authentication).
Steps 2 and 3, sending credentials: The TOE sends the credentials to the authentication
provider, such as a domain controller for Integrated Windows authentication, or a RADIUS
server, and receives acknowledgment from the authentication provider that the user is
authenticated (Gateway authentication).
Step 4, authentication delegation: The TOE forwards the client's request to the Outlook Web
Access server, and authenticates itself to the Outlook Web Access server using the client's
credentials. The Outlook Web Access server will revalidate those credentials, typically using
the same authentication provider (Backend authentication).
Note
The Web server must be configured to use the authentication scheme that matches the
delegation method used by the TOE.Step 5, server response: The Outlook Web Access server sends a response to the client,
which is intercepted by the TOE.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
33/44
Guidance Documentation Addendum Page 33/44
Step 6, forwarding the response: The TOE forwards the response to the client.
Note
If you do not limit access to authenticated users, as in the case when a rule allowing accessis applied to all users, the TOE will not validate the user's credentials. The TOE will use the
user's credentials to authenticate to the Web server according to the configured delegation
method.
We recommend that you apply each publishing rule to all authenticated users or a specificuser set, rather than selecting Require all users to authenticate on the Web listener, which
requires any user connecting through the listener to authenticate.
6.1.3 Client Authentication Methods for Receipt of Client Credentials
The TOE Web listeners accept the following types of authentication from clients:
No authentication
Forms-based authentication
6.1.3.1 No Authentication
You can select to require no authentication. If you do so, you will not be able to configure a
delegation method on rules that use this Web listener.
6.1.3.2 Forms-Based Authentication
Forms-based authentication in ISA Server 2006 can be used for publishing any Web server.
One type of forms-based authentication is available in the TOE (Passcode form and
Passcode/Password form have not been evaluated):
Password form. The user enters a user name and password on the form. This is the type ofcredentials needed for Integrated and RADIUS credential validation.
Notes
The HTML forms for forms-based authentication can be fully customized.
When the TOE is configured to require authentication, because a publishing rule applies to a
specific user set orAll Authenticated Users, or a Web listener is configured to Require all
users to authenticate, the TOE validates the credentials before forwarding the request.
By default, the language setting of the client's browser determines the language of the form
that the TOE provides. The TOE provides forms in 26 languages. The TOE can also be
configured to serve forms in a specific language regardless of the browser's language.
When you configure a time-out for forms-based authentication, we recommend that the time-
out be shorter than that imposed by the published server. If the published server times out
before the TOE, the user may mistakenly think that the session ended. This could allow
attackers to use the session, which remains open until actively closed by the user or timed
out by the TOE as configured on the form setting.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
34/44
Guidance Documentation Addendum Page 34/44
You should ensure that your Web application is designed to resist session riding attacks
(also known as cross-site-posting, cross-site-request-forgery, or luring attacks) before
publishing it using the TOE. This is particularly important for Web servers published throughthe TOE, because clients must use the same trust level for all of the Web sites they access
through the publishing ISA Server firewall.
6.1.4 Methods for Validation of Client Credentials
You can configure how the TOE validates client credentials. The TOE supports these providers
and protocols:
No authentication (allows the internal servers to handle authentication)
Local user database
RADIUS
Note
A publishing rule with a Web listener that uses a specific form of credential validation must use
a user set that is consistent with that form of validation. For example, a publishing rule with a
Web listener that uses LDAP credential validation must also use a user set that consists of
LDAP users.
6.1.4.1 Configuring Receipt and Validation of Client Credentials
You can configure the receipt and validation of client credentials on the Web listener for a
publishing rule.
In the New Web Listener Definition Wizard, use the Authentication Settings page, and in the
Web listener properties, use the Authentication tab.
Important
When you use the same Web listener to publish more than one application in the same
domain, a user who is authenticated for one application will also be able to access the others,
even if single sign on is not enabled.6.1.4.2 Integrated
The TOE checks if the user is a member of the local user database.
6.1.4.3 Radius authenticationRADIUS is used to provide credentials validation. When ISA Server is acting as a RADIUS
client, it sends user credentials and connection parameter information in the form of a RADIUS
message to a RADIUS server. The RADIUS server authenticates the RADIUS client request,
and sends back a RADIUS message response.
Because RADIUS servers authorize client credentials in addition to authenticating them, the
response that ISA Server receives from the RADIUS server indicating that the client
credentials are not approved, might actually indicate that the RADIUS server does not
authorize the client. Even if the credentials have been authenticated, ISA Server may reject the
client request, based on the RADIUS server authorization policy.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
35/44
Guidance Documentation Addendum Page 35/44
6.1.4.3.1 Configuring the TOE for RADIUS
authentication
When you configure the Web listener on ISA Server, select RADIUS authentication as the
authentication provider. When you add a RADIUS server, you must configure the following:
Server name. The host name or IP address of the RADIUS server.
Secret. The RADIUS client and the RADIUS server share a secret that is used to encrypt
messages sent between them. You must configure the same shared secret on ISA Server
and on the ISA server.
Authentication port. ISA Server sends its authentication requests using a User Datagram
Protocol (UDP) port on which the RADIUS server is listening. The default value of 1812 does
not need to be changed when you are using the default installation of ISA as a RADIUS
server.
6.1.4.3.2 Security considerations
The RADIUS User-Password hiding mechanism might not provide sufficient security for
passwords. The RADIUS hiding mechanism uses the RADIUS shared secret, the Request
Authenticator, and the use of the MD5 hashing algorithm to encrypt the User-Password and
other attributes, such as Tunnel-Password and MS-CHAP-MPPE-Keys. RFC 2865 notes the
potential need for evaluating the threat environment and determining whether additional
security should be used.
You can provide additional protection for hidden attributes by using Internet Protocol security
(IPsec) with Encapsulating Security Payload (ESP) and an encryption algorithm, such as Triple
DES (3DES), to provide data confidentiality for the entire RADIUS message. Follow these
guidelines:
Use IPsec to provide additional security for RADIUS clients and servers.
Require the use of strong user passwords.
Use authentication counting and account lockout to help prevent a dictionary attack against a
user password.
Use a long shared secret with a random sequence of letters, numbers, and punctuation.
Change it often to help protect your ISA server.
When you use password-based authentication, enforce strong password policies on your
network to make dictionary attacks more difficult.
6.1.5 Authentication Delegation
After validating the credentials, you can configure publishing rules to use one of the following
methods to delegate the credentials to the published servers:
No delegation, and client cannot authenticate directly
No delegation, but client may authenticate directly
Basic
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
36/44
Guidance Documentation Addendum Page 36/44
6.1.5.1 Configuring Authentication Delegation
Delegation of client credentials is configured on the publishing rule. In the Publishing Rule
Wizard, configure this on the Authentication Delegation page. In the publishing ruleproperties, the authentication settings are on the Authentication Delegation tab.
6.1.5.2 No Delegation, and Client Cannot Authenticate Directly
Credentials are not delegated. This is intended to prevent the unintentional delegation of
credentials into the organization, where they might be sniffed. This is the default setting in
some ISA Server publishing wizards, so that if you want to delegate credentials, you must
change the default.
6.1.5.3 No Delegation, but Client May Authenticate Directly
When you select the delegation method No Delegation, but client may authenticate
directly, the user's credentials are passed to the destination server without any additionalaction on the part of ISA Server. The client and the destination server then negotiate the
authentication.
6.1.5.4 Basic delegation
In Basic delegation, credentials are forwarded in plaintext to the server that requires
credentials. If authentication fails, ISA Server replaces the delegation with the authentication
type used by the Web listener. If the server requires a different type of credentials, an ISA
Server alert is triggered.
6.2 Lockdown Mode
A critical function of a firewall is to react to an attack. When an attack occurs, it may seem that
the first line of defense is to disconnect from the Internet, isolating the compromised network
from malicious outsiders. However, this is not the recommended approach. Although the attack
must be handled, normal network connectivity must be resumed as quickly as possible, and
the source of the attack must be identified.
The lockdown feature introduced with Microsoft Internet Security and Acceleration (ISA) Server
combines the need for isolation with the need to stay connected. Whenever a situation occurs
that causes the Microsoft Firewall service to shut down, ISA Server enters the lockdown mode.This occurs when:
An event triggers the Firewall service to shut down. When you configure alert definitions,
you decide which events will cause the Firewall service to shut down. Essentially, you
configure when ISA Server enters lockdown mode.
The Firewall service is manually shut down. If you become aware of malicious attacks, you
can shut down the Firewall service, while configuring the ISA Server computer and the
network to handle the attacks.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
37/44
Guidance Documentation Addendum Page 37/44
6.2.1 Affected functionality
When in lockdown mode, the following functionality applies:
The packet filter driver applies the firewall policy.
The following system policy rules are still applicable:
Allow ICMP from trusted servers to the local host.
Allow remote management of the firewall using MMC (RPC through port 3847).
Allow remote management of the firewall using RDP.
Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing
connection is established, that connection can be used to respond to incoming traffic. For
example, a DNS query can receive a DNS response, on the same connection.
No incoming traffic is allowed, unless a system policy rule (listed previously) that
specifically allows the traffic is enabled. The one exception is DHCP traffic, which is
allowed by default system policy rules. The UDP Send protocol on port 68 is allowed from
all networks to the Local Host network. The corresponding UDP Receive protocol on port
67 is allowed.
VPN remote access clients cannot access ISA Server. Similarly, access is denied to
remote site networks in site-to-site VPN scenarios.
Any changes to the network configuration while in lockdown mode are applied only after
the Firewall service restarts and ISA Server exits lockdown mode. For example, if you
physically move a network segment and reconfigure ISA Server to match the physical
changes, the new topology is in effect only after ISA Server exits lockdown mode.
ISA Server does not trigger any alerts.
For ISA Server Enterprise Edition, if the Configuration Storage server is installed on the
computer running ISA Server services, a system policy rule, named Allow access from trusted
servers to the local Configuration Storage server, is enabled. This system policy rule allows
the use of Microsoft CIFS (TCP), Microsoft CIFS (UDP), and MS Firewall Storage protocols
from all array members to the Local Host. This rule is applied even in lockdown mode. Traffic
using those protocols is allowed, even in lockdown mode.
6.2.2 Leaving lockdown mode
When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning,
as previously. Any changes made to the ISA Server configuration are applied after ISA Server
exits lockdown mode.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
38/44
Guidance Documentation Addendum Page 38/44
7 Flaw Remediation Guidance
7.1 How to report detected security flaws to Microsoft
Microsoft has established a single internal organization, the Microsoft Security Response
Center (MSRC), to investigate and remedy security vulnerabilities involving Microsoft software
or services. The MSRC is staffed 7 days a week, and investigates every report it receives of
suspected security vulnerabilities in Microsoft Products.
There are three ways for a Finder to contact the Microsoft Response Center (MSRC) to report
a detected or assumed security flaw.
1. A web page, located athttps://www.microsoft.com/technet/security/bulletin/alertus.aspx
provides an easy way to provide all the information needed to begin the investigation.
The form requests information about:
Reporter contact information (name and email; optionally)
Information about the reporters computer (manufacturer and model, additional
hardware, operating system, system service packs, operating system security
patches)
Affected product information (product name, product version, service packs for the
product, security patches for the product, vulnerability information)
Description of the flaw in the product (general description)
Product configuration (default/customized, required settings to make the flawappear)
Description how to reproduce the problem (step-by-step instructions that
demonstrate the flaw, program that demonstrates the flaw)
Description how someone might mount an attack via the flaw
Additional information that might be helpful in investigating this issue.
Data submitted via this page is encrypted using the Secure Sockets Layer protocol.
2. Alternatively, an email address, [email protected] also be used. Mail to this
address can be encrypted using PGP5.
3. The customer can contact Microsoft Services for additional support
(http://www.microsoft.com/services/microsoftservices/default.mspx).
Regardless of the method used to initially contact the MSRC or Microsoft Services,
subsequent communications typically take place via email, using the [email protected]
email address. When requested, MSRC can also conduct these communications via telephone
or other methods.
5 The MSRC's PGP key is available athttp://www.microsoft.com/technet/security/MSRC.asc
https://www.microsoft.com/technet/security/bulletin/alertus.aspxhttps://www.microsoft.com/technet/security/bulletin/alertus.aspxhttps://www.microsoft.com/technet/security/bulletin/alertus.aspxmailto:[email protected]:[email protected]:[email protected]://www.microsoft.com/services/microsoftservices/default.mspxhttp://www.microsoft.com/services/microsoftservices/default.mspxhttp://www.microsoft.com/services/microsoftservices/default.mspxmailto:[email protected]:[email protected]://www.microsoft.com/technet/security/MSRC.aschttp://www.microsoft.com/technet/security/MSRC.aschttp://www.microsoft.com/technet/security/MSRC.aschttp://www.microsoft.com/technet/security/MSRC.ascmailto:[email protected]://www.microsoft.com/services/microsoftservices/default.mspxmailto:[email protected]://www.microsoft.com/technet/security/bulletin/alertus.aspx7/28/2019 CC Guidance Documentation Addendum for ISA 2006
39/44
Guidance Documentation Addendum Page 39/44
7.2 How to get informed about Security Flaws and Flaw Remediation
A security update that is issued by the MSRC is always accompanied with a bulletin. The
bulletin contains the information that Microsoft makes available for the customers so that they
can take a decision whether to install the fix and on what systems. Every bulletin comes with a
rating to reflect its criticality (four levels). A KB is also provided but it is mostly a pointer to the
bulletin article.
The public page with Microsoft bulletins is located at
http://www.microsoft.com/security/bulletins/default.mspx
The original finder of the problem is kept in the picture throughout the process, if he chooses.
MSRC manages the communication with the reporter throughout the process.
Security updates typically can be installed on the current service pack and the previous one.
However, this is only a general rule. If the previous service pack is more than two years old,
the patch may be limited to only the current service pack. Conversely, if several service packs
have been released in short order, the patch may install on additional ones. The security patch
will be included automatically in the next service pack. Service packs, and patches, are
generally available for the previously released service pack. The security bulletin will always
provide specific information on the service pack requirements for the patch.
All security bulletins for Microsoft products are available at
http://www.microsoft.com/technet/security/current.aspx , and newly released bulletins are
highlighted on http://www.microsoft.com/security , http://www.microsoft.com/technet/security ,
andhttp://www.microsoft.com/isaserverWeb sites.In addition, Microsoft offers a free service through which customers can receive a technical or
non-technical bulletin synopsis by email. Customers can sign up for mailer at
https://www.microsoft.com/technet/security/bulletin/notify.mspx. Microsoft digitally signs the
technical synopsis, and the PGP key located at
http://www.microsoft.com/technet/security/MSRC.asc can be used to validate the signature.
Microsoft security bulletins always discuss the risk the vulnerability poses, the software it
affects, and the steps customers can take to eliminate it including, in the case of patches,
specific locations for obtaining them. In addition, security bulletins also frequently include a
public thank-you to the Finder, subject to the qualification criteria discussed at
http://www.microsoft.comtechnet/security/bulletin/policy.mspx.
Microsoft strongly encourages customers to sign up for the security bulletins.
So the steps to be always informed of security flaws and how to install them are:
1. Signing up for security bulletins (registering for receiving bulletins by email)
2. Checking for security bulletins (if not registered)
3. Deciding, whether to download and install a remedy
4. Downloading the fix, authentication of the fix
5. Installing the fix/remedy (follow bulletin description, see above)
http://www.microsoft.com/security/bulletins/default.mspxhttp://www.microsoft.com/security/bulletins/default.mspxhttp://www.microsoft.com/technet/security/current.aspxhttp://www.microsoft.com/technet/security/current.aspxhttp://www.microsoft.com/securityhttp://www.microsoft.com/securityhttp://www.microsoft.com/technet/securityhttp://www.microsoft.com/technet/securityhttp://www.microsoft.com/technet/securityhttp://www.microsoft.com/isaserverhttp://www.microsoft.com/isaserverhttp://www.microsoft.com/isaserverhttps://www.microsoft.com/technet/security/bulletin/notify.mspxhttps://www.microsoft.com/technet/security/bulletin/notify.mspxhttp://www.microsoft.com/technet/security/MSRC.aschttp://www.microsoft.com/technet/security/MSRC.aschttp://www.microsoft.comtechnet/security/bulletin/policy.mspxhttp://www.microsoft.comtechnet/security/bulletin/policy.mspxhttp://www.microsoft.comtechnet/security/bulletin/policy.mspxhttp://www.microsoft.com/technet/security/MSRC.aschttps://www.microsoft.com/technet/security/bulletin/notify.mspxhttp://www.microsoft.com/isaserverhttp://www.microsoft.com/technet/securityhttp://www.microsoft.com/securityhttp://www.microsoft.com/technet/security/current.aspxhttp://www.microsoft.com/security/bulletins/default.mspx7/28/2019 CC Guidance Documentation Addendum for ISA 2006
40/44
Guidance Documentation Addendum Page 40/44
7.3 Installing a remedy
The security bulletins contain the affected product versions, links to download the security
patch, and guidance for manual (as well as automated) installation of the patch.
As an example (see Figure 7.1) from a security bulletin called MS04-035 that contains
installation instructions. The bulletin itself is at
http://www.microsoft.com/technet/security/Bulletin/MS04-035.mspxand not TOE relevant.
Figure 7.1 Installation Instructions for Security Bulletin (example)
http://www.microsoft.com/technet/security/Bulletin/MS04-035.mspxhttp://www.microsoft.com/technet/security/Bulletin/MS04-035.mspxhttp://www.microsoft.com/technet/security/Bulletin/MS04-035.mspx7/28/2019 CC Guidance Documentation Addendum for ISA 2006
41/44
Guidance Documentation Addendum Page 41/44
7.4 Authentication of a Fix
For a product released via the web, digital signatures are used to identify the source download
as coming from Microsoft.
When files are downloaded from the web using Internet Explorer (or another browser), the
Authenticode mechanism is used to inform users of whether the download did indeed come
from Microsoft. Authenticode, the formal name for the encryption technology Microsoft uses
for digital code signing, is based upon an encryption algorithm called public key technology.
Authenticode is based upon specifications that have been used successfully in the industry for
some time, including CMS (Cryptographic Message Syntax), PKCS #10 (certificate request
formats), X.509 (certificate specification), and SHA-1. Authenticode provides two important
features: time stamping and the ability to revoke a publishers digital certificate.
When a user downloads the code from the Internet, the browser uses a Win32 function calledWinVerifyTrust. If the user does not already trust the publisher, it displays certificate
information, such as the name included in the digital signature, an indication of whether it is a
commercial or personal certificate, and the date when the certificate expires. If the piece of
software has been digitally signed, it can verify that the software originated from the named
software publisher and that no one has tampered with it. A verification certificate is displayed if
the software meets these criteria. The user should confirm the source of the certificate to be
the Microsoft Corporation.
When a digital signature fails the verification process, the browser will report the failure,
indicate why the signature is invalid, and prompt the user about whether to proceed with the
download (only in the cases the user does not trust the publisher or trusts only the certifier of
the publisher).
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
42/44
Guidance Documentation Addendum Page 42/44
8 References and Glossary
This section provides references and a glossary.
8.1 References
General Common Criteria Documents
[CC] Common Criteria for Information Technology Security Evaluation, version 2.3,
revision August 2005
Part 1: Introduction and general model, CCMB-2005-08-001,
Part 2: Security functional requirements, CCMB-2005-08-002,
Part 3: Security Assurance Requirements, CCMB-2005-08-003
ISA Server 2006 Administrator Guidance and Publicly Available Evaluation Developer Documents
[MSISA] Microsoft Internet Security and Acceleration Server 2006 Help, Microsoft Corp.,
Version 2006 Standard Edition / Enterprise Edition
This help file is installed during ISA Server 2006 setup (isa.chm, stored on CD-
ROM).
[MSISAHARD] Security Hardening Guide - Microsoft Internet Security and Acceleration Server 2004,
Microsoft Corp., Version 2006, downloadable from
http://go.microsoft.com/fwlink/?LinkID=24507
[ST] ISA Server 2006 SE/EE Common Criteria Evaluation - Security Target, Version 1.1,
2007-06-05, Microsoft Corp.
[WINST] Microsoft Windows Server 2003 or Windows XP Security Target, Version 1.0.
28.09.2005, Microsoft Corporation
[WINVR] National Information Assurance Partnership, Common Criteria Evaluation and
Validation Scheme Validation Report Microsoft Windows Server 2003 and
Windows XP Workstation Report Number: CCEVS-VR-05-0131 Dated: November 6,
2005 Version: 1.1
http://go.microsoft.com/fwlink/?LinkID=24507http://go.microsoft.com/fwlink/?LinkID=24507http://go.microsoft.com/fwlink/?LinkID=245077/28/2019 CC Guidance Documentation Addendum for ISA 2006
43/44
Guidance Documentation Addendum Page 43/44
8.2 Acronyms
CC Common Criteria
EAL Evaluation Assurance Level
FCIV File Checksum Integrity Verifier
PP Protection Profile
SF Security Function
SFP Security Function Policy
SSL Secure Sockets Layer
ST Security Target
TOE Target of Evaluation
8.3 Glossary
application filters Application filters can access the data stream or datagrams associatedwith a session within the Microsoft Firewall service and work with some orall application-level protocols.
authentication Authentication is "A positive identification, with a degree of certainty
sufficient for permitting certain rights or privileges to the person or thingpositively identified." In simpler terms, it is "The act of verifying the claimedidentity of an individual, station or originator" [Schou, Corey (1996).Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho StateUniversity & Information Systems Security Organization)].
Basic authentication Basic authentication is the standard authentication method for HypertextTransfer Protocol (HTTP). Although user information is encoded, noencryption is used with Basic authentication.
feature pack A feature pack contains new product functionality that is distributedoutside the context of a product release, and usually is included in thenext full product release.
Firewall service log A firewall service log contains entries with connection establishments andterminations.
identification Identification, according to a current compilation of information securityterms, is "the process that enables recognition of a user described to anautomated data processing system. This is generally by the use of uniquemachine-readable names" (Schou, Corey (1996). Handbook of INFOSECTerms, Version 2.0. CD-ROM (Idaho State University & InformationSystems Security Organization)).
ISA Server In this document, ISA Server refers to Microsoft Internet Security andAcceleration Server 2006, except where it explicitly states otherwise.
7/28/2019 CC Guidance Documentation Addendum for ISA 2006
44/44
Guidance Documentation Addendum Page 44/44
MicrosoftManagement Console
The Microsoft Management Console is a configuration management toolsupplied with Windows that can be extended with snap-ins.
NTLM NTLM is an authentication scheme used by Microsoft browsers, proxies,and servers (Microsoft Internet Explorer, Internet Information Services,and others). This scheme is also sometimes referred to as the WindowsNT Challenge/Response authentication scheme or Integrated Windowsauthentication.
packet filter log file A packet filter log file contains records of packets that were dropped orallowed.
port number A port number identifies a certain Internet application with a specificconnection.
publishing rules Using publishing rules, you can publish virtually any computer on aninternal network to the Internet (see Web publishing and serverpublishing).
Secure Sockets Layer(SSL)
SSL is a protocol that supplies secure data communication through dataencryption and decryption. SSL enables communications privacy overnetworks.
server publishing Server publishing allows virtually any computer on an internal network topublish to the Internet.
service pack A service pack contains a cumulative set of all hotfixes, security updates,critical updates, and updates created and fixes for defects found byMicrosoft since the release of the product. Service packs may also containa limited number of customer requested design changes or features.
World Wide Web
Consortium (W3C)
W3C develops interoperable technologies (specifications, guidelines,
software, and tools) concerning Web technology (http://www.w3c.org).Web publishing Web publishing publishes Web content to the Internet.