8/7/2019 isaharden
Because Microsoft Internet Security and Acceleration (ISA) Server 2004 is used to protect your
network or other resources from attack by malicious users, take special care in hardening the ISA
Server computer. We recommend that you apply the configurations described in the
Windows Server 2003 Security Guide (http://www.microsoft.com). Specifically, you should
apply the Microsoft Baseline Security Policy security template. However, do not implement the
Internet Protocol security (IPsec) filters or any of the server role policies.
In addition, you should consider ISA Server functionality and harden the operating system
accordingly. This document describes how to harden Microsoft Windows Server 2003 and
Windows 2000 Server running on the ISA Server computer. For further security guidelines, see
the ISA Server Security Hardening Guide (http://www.microsoft.com). The ISA Server Security
Hardening Guide includes these instructions, in addition to more detailed security considerations.
Using the Security Configuration Wizard
The Microsoft Windows Server 2003 operating system with Service Pack (SP1) includes an
attack surface reduction tool called the Security Configuration Wizard (SCW). Depending on the
server role you select, the SCW determines the minimum functionality required, and disables
functionality that is not required.
Hardening the Windows Infrastructure on the ISA Server 2004 Computer
Note
We recommend that you harden the Windows infrastructure
after you have completely installed ISA Server. For ISA Server
Enterprise Edition, install all the necessary Configuration
Storage servers and the array members. Then, harden the
computers.
When you install Microsoft Windows Server 2003 SP1 on the ISA Server computer, you can
install the SCW and use the wizard to harden the computer.
The SCW guides you through the process of creating, editing, applying, or rolling back a security
policy based on the selected roles of the server. The security policies that are created with the
SCW are XML files that, when applied, configure services, network security, specific registry
values, audit policy, and if applicable, Internet Information Services (IIS).
The SCW includes a role for ISA Server computers. To apply the appropriate ISA Server roles, perform the following steps:
1. On the ISA Server computer, click Start, click Administrative Tools, and then click Security Configuration Wizard.
2. In the Security Configuration Wizard, on the Welcome page, click Next.
3. On the Configuration Action page, select Create a new security policy.
4. On the Select Server page, in Server, type the name or IP address of the ISA Server computer.
5. On the Processing Security Configuration Database page, click Next.
6. On the Welcome page of the Role-based Service Configuration page, click Next.
7. On the Select Server Roles page, select the following and then click Next.
   a. Select Microsoft Internet Security and Acceleration Server 2004, if you are hardening a computer running the ISA Server services (for ISA Server Enterprise Edition, an array member).
   b. Select Remote Access/VPN Server, if you will be using the ISA Server computer for virtual private network (VPN) functionality.
8. On the Select Client Features page, select the default client roles, as appropriate. No special client roles are specifically required for hardening ISA Server. Then, click Next.
9. On the Select Administration and Other Options page, select the following options:
   a. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Configuration Storage, if the Configuration Storage server is installed on this computer (for ISA Server Enterprise Edition only).
   b. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Client installation share, if the Firewall Client share is installed on this computer.
   c. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: MSDE Logging, if ISA Server advanced logging options are installed on this computer.
   Note: Do not select any specific server roles for a Configuration Storage server.
10. On the Select Additional Services page, select the appropriate services and click Next.
11. Click Next until you finish the wizard.
For more technical guidance about the SCW, see Security Configuration Wizard for
Windows Server 2003 at the Microsoft Windows Server 2003 Web site
(http://www.microsoft.com).
Hardening the Computer Manually
If Windows Server 2003 SP1 is not installed on the computer, you can configure the service
startup mode, as described in this section. You configure the computer as the Security
Configuration Wizard does.
Note that we recommend that you use the SCW to harden the computer, because it is best
optimized to secure the ISA Server computer.
Core Services
The following table lists the core services that must be enabled for ISA Server and the ISA
Server computer to function properly.
Service name                                           | Rationale                                          | Startup mode
COM+ Event System                                      | Core operating system                              | Manual
Cryptographic Services                                 | Core operating system (security)                   | Automatic
Event Log                                              | Core operating system                              | Automatic
IPsec Services                                         | Core operating system (security)                   | Automatic
Logical Disk Manager                                   | Core operating system (disk management)            | Automatic
Logical Disk Manager Administrative Service            | Core operating system (disk management)            | Manual
Microsoft Firewall                                     | Required for normal functioning of ISA Server      | Automatic
Microsoft ISA Server Control                           | Required for normal functioning of ISA Server      | Automatic
Microsoft ISA Server Job Scheduler                     | Required for normal functioning of ISA Server      | Automatic
Microsoft ISA Server Storage                           | Required for normal functioning of ISA Server      | Automatic
MSSQL$MSFW                                             | Required when MSDE logging is used for ISA Server  | Automatic
Microsoft Distributed Transaction Coordinator (MS DTC) | Distributed Transaction Coordinator                | Automatic
Network Connections                                    | Core operating system (network infrastructure)     | Manual
NTLM Security Support Provider                         | Core operating system (security)                   | Manual
Plug and Play                                          | Core operating system                              | Automatic
Protected Storage                                      | Core operating system (security)                   | Automatic
Remote Access Connection Manager                       | Required for normal functioning of ISA Server      | Manual
Remote Procedure Call (RPC)                            | Core operating system                              | Automatic
Secondary Logon                                        | Core operating system (security)                   | Automatic
Security Accounts Manager                              | Core operating system                              | Automatic
Server                                                 | Required for ISA Server Firewall Client Share      | Automatic
Smart Card                                             | Core operating system (security)                   | Manual
SQLAgent$MSFW                                          | Required when MSDE logging is used for ISA Server  | Manual
System Event Notification                              | Core operating system                              | Automatic
Telephony                                              | Required for normal functioning of ISA Server      | Manual
Virtual Disk Service (VDS)                             | Core operating system (disk management)            | Manual
Windows Management Instrumentation (WMI)               | Core operating system (WMI)                        | Automatic
WMI Performance Adapter                                | Core operating system (WMI)                        | Manual
ISA Server Server Roles
The ISA Server computer may function in additional capacities, or roles, depending on how you
use the computer. The following table lists possible server roles, describes when they may be
required, and lists the services that should be activated when you enable the role.
Server role: Remote Access/VPN Server
  Usage scenario: Select this role to enable virtual private networking from the ISA Server computer.
  Services required (startup mode):
    Routing and Remote Access (Manual)
    Remote Access Connection Manager (Manual)
    Telephony (Manual)
    Workstation (Automatic)
    Server (Automatic)
Server role: Terminal Server
  Usage scenario: Select this role to enable remote management of the ISA Server computer.
  Services required (startup mode):
    Server (Automatic)
    Terminal Services (Manual)
Note that the Server service is required only if you use Routing and Remote Access Management
(rather than ISA Server Management) to configure a VPN.
ISA Server Administration and Other Options
For a server to perform necessary tasks, specific services must be enabled, based on the roles that
you select. Unnecessary services should be disabled. The following table lists possible server
tasks for ISA Server, describes when they may be required, and lists the services that should be
activated when you enable the role.
Note
The startup mode for the Server service should be Automatic in the following cases:
  - You install ISA Server 2004: Client Installation Share.
  - You use Routing and Remote Access Management, rather than ISA Server Management, to configure a virtual private network (VPN).
  - Other tasks or roles, as described in the preceding table, require the service.
The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.
Option: Application installation from Group Policy
  Usage scenario: Required to install, uninstall, or repair applications using the Microsoft Installer Service.
  Services required (startup mode): Windows Installer (Manual)
Option: Backup
  Usage scenario: Required if using NTBackup or other backup program on the ISA Server computer.
  Services required (startup mode): Microsoft Software Shadow Copy Provider (Manual); Volume Shadow Copy (Manual); Removable Storage service (Manual)
Option: Error Reporting
  Usage scenario: Use to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis.
  Services required (startup mode): Error Reporting Service (Automatic)
Option: Help and Support
  Usage scenario: Allows collection of historical computer data for Microsoft Product Support Services incident escalation.
  Services required (startup mode): Help and Support (Automatic)
Option: ISA Server 2004: Client installation share
  Usage scenario: Required to allow computers to connect to and install from the Firewall Client share on the ISA Server computer.
  Services required (startup mode): Server (Automatic)
Option: ISA Server 2004: MSDE logging
  Usage scenario: Required to allow logging using MSDE databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the Log Viewer in off-line mode.
  Services required (startup mode): SQLAgent$MSFW (Manual); MSSQL$MSFW (Automatic)
Option: Performance data collection
  Usage scenario: Allows background collecting of performance data on the ISA Server computer.
  Services required (startup mode): Performance Logs and Alerts (Automatic)
Option: Print
  Usage scenario: Allows printing from the ISA Server computer.
  Services required (startup mode): Print Spooler (Automatic); TCP/IP NetBIOS Helper (Automatic); Workstation (Automatic)
Option: Remote Windows administration
  Usage scenario: Allows remote management of the Windows server (not required for remote management of ISA Server).
  Services required (startup mode): Server (Automatic); Remote Registry (Automatic)
Option: Time Synchronization
  Usage scenario: Allows the ISA Server computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols.
  Services required (startup mode): Windows Time (Automatic)
Option: Remote Assistance Expert
  Usage scenario: Allows the Remote Assistance feature to be used on this computer.
  Services required (startup mode): Help and Support (Automatic); Remote Desktop Help Session Manager (Manual); Terminal Services (Manual)
ISA Server Client Roles
Servers can be clients of other servers. Client roles are dependent on role-specific services being
enabled. The following table lists possible client roles for ISA Server, describes when they may
be required, and lists the services that should be activated when you enable the role.
Client role: Automatic Update client
  Usage scenario: Select this role to allow automatic detection and update from Microsoft Windows Update.
  Services required (startup mode): Automatic Updates (Automatic); Background Intelligent Transfer Service (Manual)
Client role: DHCP client
  Usage scenario: Select this role if the ISA Server computer receives its IP address automatically from a DHCP server.
  Services required (startup mode): DHCP Client (Automatic)
Client role: DNS client
  Usage scenario: Select this role if the ISA Server computer needs to receive name resolution information from other servers.
  Services required (startup mode): DNS Client (Automatic)
Client role: Domain member
  Usage scenario: Select this role if the ISA Server computer belongs to a domain.
  Services required (startup mode): Network Location Awareness (NLA) (Manual); Net Logon (Automatic); Windows Time (Automatic)
Client role: DNS registration client
  Usage scenario: Select this role to allow the ISA Server computer to automatically register its name and address information with a DNS Server.
  Services required (startup mode): DHCP Client (Automatic)
Client role: Microsoft Networking client
  Usage scenario: Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers; for example, to publish reports.
  Services required (startup mode): TCP/IP NetBIOS Helper (Automatic); Workstation (Automatic)
Client role: WINS client
  Usage scenario: Select this role if the ISA Server computer uses WINS-based name resolution.
  Services required (startup mode): TCP/IP NetBIOS Helper (Automatic)
Note
Time client applications require that either the Wireless or the Server service is running in order to function properly.
Creating a Security Template
You can create a template, using the Security Templates Microsoft Management Console (MMC)
snap-in. The template includes information about which services should be enabled, as well as
their startup mode. By using a security template, you can easily configure a security policy and
then apply it to each ISA Server computer.
To create a security template, perform the following steps.
1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Templates, click Add, click Close, and then click OK.
4. In the console tree, click the Security Templates node, right-click the folder where you want to store the new template, and click New Template.
5. In Template name, type the name for your new security template.
6. In Description, type a description of your new security template, and then click OK.
7. Expand the new template, and then click System Services.
8. In the details pane, right-click COM+ Event System and then click Properties.
9. Select Define this policy setting in the template and then click the startup mode. (For COM+ Event System, the startup mode is Manual, as listed in the following table.)
10. Repeat steps 8 and 9 for each of the services listed in the following table.
Service name                                  | Short name        | Startup mode
Automatic Updates                             | wuauserv          | Automatic
Background Intelligent Transfer Service       | BITS              | Manual
COM+ Event System                             | EventSystem       | Manual
Cryptographic Services                        | CryptSvc          | Automatic
DHCP Client                                   | Dhcp              | Automatic
DNS Client                                    | Dnscache          | Automatic
Error Reporting Service                       | ERSvc             | Automatic
Event Log                                     | Eventlog          | Automatic
Help and Support                              | Helpsvc           | Automatic
IPsec Services                                | PolicyAgent       | Automatic
Logical Disk Manager                          | dmserver          | Automatic
Logical Disk Manager Administrative Service   | dmadmin           | Manual
Microsoft Firewall                            | Fwsrv             | Automatic
Microsoft ISA Server Control                  | ISACtrl           | Automatic
Microsoft ISA Server Job Scheduler            | ISASched          | Automatic
Microsoft ISA Server Storage                  | ISASTG            | Automatic
Microsoft Software Shadow Copy Provider       | SWPRV             | Manual
MSSQL$MSFW                                    | MSSQL$MSFW        | Automatic
Network Connections                           | Netman            | Manual
Network Location Awareness (NLA)              | NLA               | Manual
NTLM Security Support Provider                | NtLmSsp           | Manual
Performance Logs and Alerts                   | SysmonLog         | Automatic
Plug and Play                                 | PlugPlay          | Automatic
Protected Storage                             | ProtectedStorage  | Automatic
Remote Access Connection Manager              | RasMan            | Manual
Remote Desktop Help Session Manager           | RDSessMgr         | Manual
Remote Procedure Call (RPC)                   | RpcSs             | Automatic
Removable Storage                             | NtmsSvc           | Manual
Routing and Remote Access                     | None              | Manual
Secondary Logon                               | seclogon          | Automatic
Security Accounts Manager                     | SamSs             | Automatic
Server                                        | lanmanserver      | Manual
Smart Card                                    | SCardSvr          | Manual
System Event Notification                     | SENS              | Automatic
TCP/IP NetBIOS Helper                         | LmHosts           | Automatic
Telephony                                     | TapiSrv           | Manual
Terminal Services                             | TermService       | Manual
Virtual Disk Service (VDS)                    | VDS               | Manual
Volume Shadow Copy                            | VSS               | Manual
Windows Installer                             | MSIServer         | Manual
Windows Management Instrumentation            | winmgmt           | Automatic
Windows Time                                  | W32time           | Automatic
Wireless Configuration                        | WZCSVC            | Automatic
WMI Performance Adapter                       | WmiApSrv          | Manual
Workstation                                   | lanmanworkstation | Automatic
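As an added example (not part of the Microsoft guide), the following Windows PowerShell script compares the startup mode of every service on the ISA Server computer with the table above, reports drift and any unlisted service that starts automatically, and can optionally reset drifted services. It assumes Windows PowerShell with WMI access to Win32_Service; the function name Test-IsaServiceBaseline is invented here.

```powershell
# Added example, not part of the Microsoft guide: compare each service's startup
# mode on the ISA Server computer with the hardening table and report drift.
# Assumes Windows PowerShell with WMI access to Win32_Service (StartMode is
# reported as "Auto", "Manual" or "Disabled"). Function name is invented here.

# Baseline transcribed from the table. Routing and Remote Access is omitted
# because the table lists no short name for it; ISA Server starts it itself.
$Baseline = @{}
@('wuauserv','CryptSvc','Dhcp','Dnscache','ERSvc','Eventlog','Helpsvc','PolicyAgent',
  'dmserver','Fwsrv','ISACtrl','ISASched','ISASTG','MSSQL$MSFW','SysmonLog','PlugPlay',
  'ProtectedStorage','RpcSs','seclogon','SamSs','SENS','LmHosts','winmgmt','W32time',
  'WZCSVC','lanmanworkstation') | ForEach-Object { $Baseline[$_] = 'Automatic' }
@('BITS','EventSystem','dmadmin','SWPRV','Netman','NLA','NtLmSsp','RasMan','RDSessMgr',
  'NtmsSvc','lanmanserver','SCardSvr','TapiSrv','TermService','VDS','VSS','MSIServer',
  'WmiApSrv') | ForEach-Object { $Baseline[$_] = 'Manual' }
# Per the guide's note on the Server service, change lanmanserver to 'Automatic'
# if this computer hosts the Client Installation Share or a VPN managed through
# Routing and Remote Access Management.

function Test-IsaServiceBaseline {
    param([switch]$Remediate)   # -Remediate resets drifted services to the table's mode
    $current = @{}
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        # Normalise WMI's "Auto" to the "Automatic" wording the table and Set-Service use.
        $mode = if ($_.StartMode -eq 'Auto') { 'Automatic' } else { $_.StartMode }
        $current[$_.Name] = $mode
    }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        if (-not $current.ContainsKey($name)) {
            # Optional components (MSDE logging, ISA services on a Configuration
            # Storage-only server) are legitimately absent; report, do not fail.
            Write-Output ("{0,-18} not installed (table expects {1})" -f $name, $expected)
            continue
        }
        if ($current[$name] -ne $expected) {
            Write-Output ("{0,-18} is {1,-9} table expects {2}" -f $name, $current[$name], $expected)
            if ($Remediate) { Set-Service -Name $name -StartupType $expected }
        }
    }
    # Anything started automatically that the table does not list is extra
    # attack surface and should be justified or disabled.
    foreach ($name in ($current.Keys | Sort-Object)) {
        if (-not $Baseline.ContainsKey($name) -and $current[$name] -eq 'Automatic') {
            Write-Output ("{0,-18} is Automatic but not in the table: review" -f $name)
        }
    }
}

Test-IsaServiceBaseline   # report only; run with -Remediate to enforce the table
```

Run it once after applying the template to confirm the result, and again periodically so that a service re-enabled by an installer or an administrator is noticed.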
To apply the new template to the ISA Server computer, perform the following steps.
1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Configuration and Analysis, click Add, click Close, and then click OK.
4. In the console tree, click Security Configuration and Analysis.
5. Right-click Security Configuration and Analysis and then click Open Database.
6. Type a new database name, and then click Open.
7. Select a security template to import, and then click Open. Select the security template that you created previously.
8. Right-click Security Configuration and Analysis and then click Configure Computer Now.
Additional Resources
For more detailed information and guidelines on hardening ISA Server and the ISA Server
computer, see the ISA Server Security Hardening Guide, available on the Microsoft Web site
(http://www.microsoft.com).
For information about Microsoft ISA Server, see the Microsoft ISA Server Web site.
The example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious. No association with any real company,
organization, product, domain name, e-mail address, logo, person, places, or events is intended
or should be inferred.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
people, and events depicted herein are fictitious and no association with any real company,
organization, product, person, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries/regions.
Do you have comments about this document? Send feedback.