isaharden


8/7/2019 isaharden

1/15

Because Microsoft Internet Security and Acceleration (ISA) Server 2004 is used to protect your network or other resources from attack by malicious users, take special care in hardening the ISA Server computer. We recommend that you apply the configurations described in the Windows Server 2003 Security Guide (http://www.microsoft.com). Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the Internet Protocol security (IPsec) filters or any of the server role policies.

In addition, you should consider ISA Server functionality and harden the operating system accordingly. This document describes how to harden Microsoft Windows Server 2003 and Windows 2000 Server running on the ISA Server computer. For further security guidelines, see the ISA Server Security Hardening Guide (http://www.microsoft.com). The ISA Server Security Hardening Guide includes these instructions, in addition to more detailed security considerations.

Using the Security Configuration Wizard

The Microsoft Windows Server 2003 operating system with Service Pack 1 (SP1) includes an attack surface reduction tool called the Security Configuration Wizard (SCW). Depending on the server role you select, the SCW determines the minimum functionality required, and disables functionality that is not required.

Hardening the Windows Infrastructure on the ISA Server 2004 Computer

Note
We recommend that you harden the Windows infrastructure after you have completely installed ISA Server. For ISA Server Enterprise Edition, install all the necessary Configuration Storage servers and the array members. Then, harden the computers.


When you install Microsoft Windows Server 2003 SP1 on the ISA Server computer, you can install the SCW and use the wizard to harden the computer.

The SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with the SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).

The SCW includes a role for ISA Server computers. To apply the appropriate ISA Server roles, perform the following steps:

1. On the ISA Server computer, click Start, click Administrative Tools, and then click Security Configuration Wizard.
2. In the Security Configuration Wizard, on the Welcome page, click Next.
3. On the Configuration Action page, select Create a new security policy.
4. On the Select Server page, in Server, type the name or IP address of the ISA Server computer.
5. On the Processing Security Configuration Database page, click Next.
6. On the Welcome page of the Role-based Service Configuration page, click Next.
7. On the Select Server Roles page, select the following and then click Next.
   a. Select Microsoft Internet Security and Acceleration Server 2004, if you are hardening a computer running the ISA Server services (for ISA Server Enterprise Edition, an array member).
   b. Select Remote Access/VPN Server, if you will be using the ISA Server computer for virtual private network (VPN) functionality.
8. On the Select Client Features page, select the default client roles, as appropriate. No special client roles are specifically required for hardening ISA Server. Then, click Next.
9. On the Select Administration and Other Options page, select the following options:
   a. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Configuration Storage, if the Configuration Storage server is installed on this computer (for ISA Server Enterprise Edition only).
   b. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: Client installation share, if the Firewall Client share is installed on this computer.
   c. Select Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition: MSDE Logging, if ISA Server advanced logging options are installed on this computer.
   Note: Do not select any specific server roles for a Configuration Storage server.
10. On the Select Additional Services page, select the appropriate services and click Next.
11. Click Next until you finish the wizard.

For more technical guidance about the SCW, see Security Configuration Wizard for Windows Server 2003 at the Microsoft Windows Server 2003 Web site (http://www.microsoft.com).

Hardening the Computer Manually

If Windows Server 2003 SP1 is not installed on the computer, you can configure the service startup mode, as described in this section. You configure the computer as the Security Configuration Wizard does.

Note that we recommend that you use the SCW to harden the computer, because it is best optimized to secure the ISA Server computer.

Core Services

The following table lists the core services that must be enabled for ISA Server and the ISA Server computer to function properly.

Service name | Rationale | Startup mode
COM+ Event System | Core operating system | Manual
Cryptographic Services | Core operating system (security) | Automatic
Event Log | Core operating system | Automatic
IPsec Services | Core operating system (security) | Automatic
Logical Disk Manager | Core operating system (disk management) | Automatic
Logical Disk Manager Administrative Service | Core operating system (disk management) | Manual
Microsoft Firewall | Required for normal functioning of ISA Server | Automatic
Microsoft ISA Server Control | Required for normal functioning of ISA Server | Automatic
Microsoft ISA Server Job Scheduler | Required for normal functioning of ISA Server | Automatic
Microsoft ISA Server Storage | Required for normal functioning of ISA Server | Automatic
MSSQL$MSFW | Required when MSDE logging is used for ISA Server | Automatic
Microsoft Distributed Transaction Coordinator (MS DTC) | Distributed Transaction Coordinator | Automatic
Network Connections | Core operating system (network infrastructure) | Manual
NTLM Security Support Provider | Core operating system (security) | Manual
Plug and Play | Core operating system | Automatic
Protected Storage | Core operating system (security) | Automatic
Remote Access Connection Manager | Required for normal functioning of ISA Server | Manual
Remote Procedure Call (RPC) | Core operating system | Automatic
Secondary Logon | Core operating system (security) | Automatic
Security Accounts Manager | Core operating system | Automatic
Server | Required for ISA Server Firewall Client Share | Automatic
Smart Card | Core operating system (security) | Manual
SQLAgent$MSFW | Required when MSDE logging is used for ISA Server | Manual
System Event Notification | Core operating system | Automatic
Telephony | Required for normal functioning of ISA Server | Manual
Virtual Disk Service (VDS) | Core operating system (disk management) | Manual
Windows Management Instrumentation (WMI) | Core operating system (WMI) | Automatic
WMI Performance Adapter | Core operating system (WMI) | Manual


ISA Server Server Roles

The ISA Server computer may function in additional capacities, or roles, depending on how you use the computer. The following table lists possible server roles, describes when they may be required, and lists the services that should be activated when you enable the role.

Server role | Usage scenario | Services required (startup mode)
Remote Access/VPN Server | Select this role to enable virtual private networking from the ISA Server computer. | Routing and Remote Access (Manual); Remote Access Connection Manager (Manual); Telephony (Manual); Workstation (Automatic); Server (Automatic)
Terminal Server | Select this role to enable remote management of the ISA Server computer. | Server (Automatic); Terminal Services (Manual)

Note that the Server service is required only if you use Routing and Remote Access Management (rather than ISA Server Management) to configure a VPN.

ISA Server Administration and Other Options

For a server to perform necessary tasks, specific services must be enabled, based on the roles that you select. Unnecessary services should be disabled. The following table lists possible server tasks for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Note
The startup mode for the Server service should be Automatic in the following cases.
You install ISA Server 2004: Client Installation Share.
You use Routing and Remote Access Management, rather than ISA Server Management, to configure a virtual private network (VPN).
Other tasks or roles, as described in the preceding table, require the service.
The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.

Option | Usage scenario | Services required (startup mode)
Application installation from Group Policy | Required to install, uninstall, or repair applications using the Microsoft Installer Service. | Windows Installer (Manual)
Backup | Required if using NTBackup or other backup program on the ISA Server computer. | Microsoft Software Shadow Copy Provider (Manual); Volume Shadow Copy (Manual); Removable Storage service (Manual)
Error Reporting | Use to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis. | Error Reporting Service (Automatic)
Help and Support | Allows collection of historical computer data for Microsoft Product Support Services incident escalation. | Help and Support (Automatic)
ISA Server 2004: Client installation share | Required to allow computers to connect to and install from the Firewall Client share on the ISA Server computer. | Server (Automatic)
ISA Server 2004: MSDE logging | Required to allow logging using MSDE databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the Log Viewer in off-line mode. | SQLAgent$MSFW (Manual); MSSQL$MSFW (Automatic)
Performance data collection | Allows background collecting of performance data on the ISA Server computer. | Performance Logs and Alerts (Automatic)
Print | Allows printing from the ISA Server computer. | Print Spooler (Automatic); TCP/IP NetBIOS Helper (Automatic); Workstation (Automatic)
Remote Windows administration | Allows remote management of the Windows server (not required for remote management of ISA Server). | Server (Automatic); Remote Registry (Automatic)
Time Synchronization | Allows the ISA Server computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols. | Windows Time (Automatic)
Remote Assistance Expert | Allows the Remote Assistance feature to be used on this computer. | Help and Support (Automatic); Remote Desktop Help Session Manager (Manual); Terminal Services (Manual)

ISA Server Client Roles

Servers can be clients of other servers. Client roles are dependent on role-specific services being enabled. The following table lists possible client roles for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.

Client role | Usage scenario | Services required (startup mode)
Automatic Update client | Select this role to allow automatic detection and update from Microsoft Windows Update. | Automatic Updates (Automatic); Background Intelligent Transfer Service (Manual)
DHCP client | Select this role if the ISA Server computer receives its IP address automatically from a DHCP server. | DHCP Client (Automatic)
DNS client | Select this role if the ISA Server computer needs to receive name resolution information from other servers. | DNS Client (Automatic)
Domain member | Select this role if the ISA Server computer belongs to a domain. | Network location awareness (NLA) (Manual); Net logon (Automatic); Windows Time (Automatic)
DNS registration client | Select this role to allow the ISA Server computer to automatically register its name and address information with a DNS Server. | DHCP Client (Automatic)
Microsoft Networking client | Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers; for example, to publish reports. | TCP/IP NetBIOS Helper (Automatic); Workstation (Automatic)
WINS client | Select this role if the ISA Server computer uses WINS-based name resolution. | TCP/IP NetBIOS Helper (Automatic)

Note
Time client applications require that either the Wireless or the Server service is running in order to function properly.
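The three role tables above compose: a service's startup mode depends on every server role, administration option and client role that needs it, and the notes state that the Server service is Automatic only when some role or option requires it. The following Python script is an added example, not part of this Microsoft document and not ISA Server tooling. It encodes a subset of the tables and resolves the combined plan for a chosen set of roles. Two things in it are assumptions of the example rather than statements of the document: the merge rule (when roles disagree, Automatic wins over Manual, and a known service that nothing selected needs is set to Disabled), and the separate "VPN configured with Routing and Remote Access Management" key, which models the note that the Server service is needed for the VPN role only in that case.

```python
"""Compose the ISA Server 2004 service start-up plan from the roles in use.

Added example; not part of the Microsoft document or of ISA Server. Service,
role and option names and their start-up modes are a subset of the document's
tables. Assumptions: Automatic wins over Manual when roles disagree, a known
service no selected role needs becomes Disabled, and the VPN role's Server
requirement is modelled as a separate key per the document's note.
"""

AUTOMATIC, MANUAL, DISABLED = "Automatic", "Manual", "Disabled"
RANK = {DISABLED: 0, MANUAL: 1, AUTOMATIC: 2}

# Baseline every ISA Server computer gets (subset of the core-services table;
# Server starts as Manual, as in the security-template table, and is raised
# to Automatic only by a role or option that needs it).
CORE = {
    "COM+ Event System": MANUAL,
    "Cryptographic Services": AUTOMATIC,
    "Event Log": AUTOMATIC,
    "IPsec Services": AUTOMATIC,
    "Microsoft Firewall": AUTOMATIC,
    "Microsoft ISA Server Control": AUTOMATIC,
    "Microsoft ISA Server Job Scheduler": AUTOMATIC,
    "Microsoft ISA Server Storage": AUTOMATIC,
    "Remote Access Connection Manager": MANUAL,
    "Remote Procedure Call (RPC)": AUTOMATIC,
    "Server": MANUAL,
    "Telephony": MANUAL,
}

# Server roles, administration options and client roles -> services they need.
ROLES = {
    "Remote Access/VPN Server": {
        "Routing and Remote Access": MANUAL,
        "Remote Access Connection Manager": MANUAL,
        "Telephony": MANUAL,
        "Workstation": AUTOMATIC,
    },
    # Modelling assumption for the document's note on the Server service.
    "VPN configured with Routing and Remote Access Management": {"Server": AUTOMATIC},
    "Terminal Server": {"Server": AUTOMATIC, "Terminal Services": MANUAL},
    "ISA Server 2004: Client installation share": {"Server": AUTOMATIC},
    "ISA Server 2004: MSDE logging": {"SQLAgent$MSFW": MANUAL, "MSSQL$MSFW": AUTOMATIC},
    "Remote Windows administration": {"Server": AUTOMATIC, "Remote Registry": AUTOMATIC},
    "Time Synchronization": {"Windows Time": AUTOMATIC},
    "Automatic Update client": {
        "Automatic Updates": AUTOMATIC,
        "Background Intelligent Transfer Service": MANUAL,
    },
    "DHCP client": {"DHCP Client": AUTOMATIC},
    "DNS client": {"DNS Client": AUTOMATIC},
    "Domain member": {
        "Network location awareness (NLA)": MANUAL,
        "Net logon": AUTOMATIC,
        "Windows Time": AUTOMATIC,
    },
}

ALL_SERVICES = set(CORE) | {svc for needs in ROLES.values() for svc in needs}


def resolve(selected):
    """Return {service: mode} over every known service for the selected roles.

    Raises ValueError for a role name the tables do not define, so a typo in
    a deployment script cannot silently leave a service disabled.
    """
    unknown = [r for r in selected if r not in ROLES]
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    plan = {svc: DISABLED for svc in ALL_SERVICES}
    plan.update(CORE)
    for role in selected:
        for svc, mode in ROLES[role].items():
            if RANK[mode] > RANK[plan[svc]]:  # Automatic beats Manual beats Disabled
                plan[svc] = mode
    return plan


def dependency_warnings(plan):
    """Flag the document's stated dependency: time-client applications need
    the Wireless or the Server service running. A Manual service is not
    assumed to be running."""
    warnings = []
    if plan.get("Windows Time") == AUTOMATIC and not (
        plan.get("Wireless Configuration") == AUTOMATIC or plan.get("Server") == AUTOMATIC
    ):
        warnings.append("Windows Time is Automatic but neither Wireless nor Server is Automatic")
    return warnings


if __name__ == "__main__":
    chosen = ["Remote Access/VPN Server", "Time Synchronization", "DNS client"]
    plan = resolve(chosen)
    for svc in sorted(plan):
        print(f"{svc:42} {plan[svc]}")
    for w in dependency_warnings(plan):
        print("WARNING:", w)
```

Run as a script it prints the plan for a VPN-enabled, time-synchronized DNS client; because that selection leaves the Server service at Manual and enables no Wireless service, the dependency check reports the time-client caveat from the note above, which disappears once an option that raises Server to Automatic (for example the Client installation share) is added.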

Creating a Security Template

You can create a template, using the Security Templates Microsoft Management Console (MMC) snap-in. The template includes information about which services should be enabled, as well as their startup mode. By using a security template, you can easily configure a security policy and then apply it to each ISA Server computer.

To create a security template, perform the following steps.

1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Templates, click Add, click Close, and then click OK.
4. In the console tree, click the Security Templates node, right-click the folder where you want to store the new template, and click New Template.
5. In Template name, type the name for your new security template.
6. In Description, type a description of your new security template, and then click OK.
7. Expand the new template, and then click System Services.
8. In the details pane, right-click COM+ Event System and then click Properties.
9. Select Define this policy setting in the template and then click the startup mode. (For COM+ Event System, the startup mode is Automatic.)
10. Repeat steps 15 and 16 for each of the services listed in the following table.

Service name | Short name | Startup mode
Automatic Updates | wuauserv | Automatic
Background Intelligent Transfer Service | BITS | Manual
COM+ Event System | EventSystem | Manual
Cryptographic Services | CryptSvc | Automatic
DHCP Client | Dhcp | Automatic
DNS Client | Dnscache | Automatic
Error Reporting Service | ERSvc | Automatic
Event Log | Eventlog | Automatic
Help and Support | Helpsvc | Automatic
IPsec Services | PolicyAgent | Automatic
Logical Disk Manager | dmserver | Automatic
Logical Disk Manager Administrative Service | dmadmin | Manual
Microsoft Firewall | Fwsrv | Automatic
Microsoft ISA Server Control | ISACtrl | Automatic
Microsoft ISA Server Job Scheduler | ISASched | Automatic
Microsoft ISA Server Storage | ISASTG | Automatic
Microsoft Software Shadow Copy Provider | SWPRV | Manual
MSSQL$MSFW | MSSQL$MSFW | Automatic
Network Connections | Netman | Manual
Network Location Awareness (NLA) | NLA | Manual
NTLM Security Support Provider | NtLmSsp | Manual
Performance Logs and Alerts | SysmonLog | Automatic
Plug and Play | PlugPlay | Automatic
Protected Storage | ProtectedStorage | Automatic
Remote Access Connection Manager | RasMan | Manual
Remote Desktop Help Session Manager | RDSessMgr | Manual
Remote Procedure Call (RPC) | RpcSs | Automatic
Removable Storage | NtmsSvc | Manual
Routing and Remote Access | None | Manual
Secondary Logon | seclogon | Automatic
Security Accounts Manager | SamSs | Automatic
Server | lanmanserver | Manual
Smart Card | SCardSvr | Manual
System Event Notification | SENS | Automatic
TCP/IP NetBIOS Helper | LmHosts | Automatic
Telephony | TapiSrv | Manual
Terminal Services | TermService | Manual
Virtual Disk Service (VDS) | VDS | Manual
Volume Shadow Copy | VSS | Manual
Windows Installer | MSIServer | Manual
Windows Management Instrumentation | winmgmt | Automatic
Windows Time | W32time | Automatic
Wireless Configuration | WZCSVC | Automatic
WMI Performance Adapter | WmiApSrv | Manual
Workstation | lanmanworkstation | Automatic

Time client applications require that either the Wireless or the Server service is running in order to function properly.

Note
The startup mode for the Server service should be Automatic in the following cases:
You install ISA Server 2004: Client Installation Share.
You use Routing and Remote Access Management, rather than ISA Server Management, to configure a VPN.
Other tasks or roles, as described in the preceding table, require the service.
The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.

To apply the new template to the ISA Server computer, perform the following steps.

1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Configuration and Analysis, click Add, click Close, and then click OK.
4. In the console tree, click Security Configuration and Analysis.
5. Right-click Security Configuration and Analysis and then click Open Database.
6. Type a new database name, and then click Open.
7. Select a security template to import, and then click Open. Select the security template that you created previously.
8. Right-click Security Configuration and Analysis and then click Configure Computer Now.
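The snap-in steps above build the template interactively; the artifact they produce is a .inf security template that the Security Configuration and Analysis snap-in imports in step 7. The following Python script is an added example, not Microsoft's code or tooling. It writes such a template for a subset of the service table above and audits a host's service listing against the same baseline, so that drift after the template has been applied can be detected. The [Service General Setting] entry layout (short name, start value 2 = Automatic, 3 = Manual, 4 = Disabled, security descriptor) is the security-template format; leaving the descriptor empty so that only the startup mode is set is an assumption of the example, as is the parser's reading of `sc qc` output, and the sample listing embedded in the script is constructed for the example.

```python
"""Write a security template for the service start-up modes and audit a
host's `sc qc` output against it.

Added example; not Microsoft's code or tooling. The [Service General Setting]
entry layout and the start values 2/3/4 follow the .inf security-template
format that secedit and the Security Templates snap-in consume. Service short
names and modes are a subset of the document's table. Assumptions: the empty
security descriptor keeps the existing service ACL, and `sc qc` output has
the SERVICE_NAME / START_TYPE layout the parser expects. The sample listing
is constructed.
"""
import re

START_VALUE = {"Automatic": 2, "Manual": 3, "Disabled": 4}
START_NAME = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Subset of the document's "Service name / Short name / Startup mode" table.
BASELINE = {
    "EventSystem": "Manual",
    "CryptSvc": "Automatic",
    "Eventlog": "Automatic",
    "PolicyAgent": "Automatic",
    "Fwsrv": "Automatic",
    "ISACtrl": "Automatic",
    "ISASched": "Automatic",
    "ISASTG": "Automatic",
    "RpcSs": "Automatic",
    "lanmanserver": "Manual",
    "TermService": "Manual",
    "W32time": "Automatic",
}


def render_template(baseline, disable=()):
    """Return the text of a .inf security template setting start-up modes.

    Services named in `disable` get start value 4. The third field, the
    service's security descriptor (SDDL), is left empty so the template
    changes only the start-up mode (assumption: the existing ACL is kept).
    """
    entries = dict(baseline)
    entries.update({svc: "Disabled" for svc in disable})
    lines = [
        "[Unicode]",
        "Unicode=yes",
        "[Version]",
        'signature="$CHICAGO$"',
        "Revision=1",
        "[Service General Setting]",
    ]
    for svc in sorted(entries, key=str.lower):
        lines.append(f'{svc},{START_VALUE[entries[svc]]},""')
    return "\r\n".join(lines) + "\r\n"


def parse_sc_qc(text):
    """Map service short name -> numeric START_TYPE from concatenated
    `sc qc <name>` output (one SERVICE_NAME block per service)."""
    found = {}
    for block in text.split("SERVICE_NAME:")[1:]:
        name = block.split(None, 1)[0]
        m = re.search(r"START_TYPE\s*:\s*(\d+)", block)
        if m:
            found[name] = int(m.group(1))
    return found


def audit(observed, baseline):
    """Return (service, expected, actual) for every baseline service whose
    observed start-up mode differs; a service missing from the listing is
    reported with actual == 'absent'."""
    findings = []
    for svc, expected in baseline.items():
        value = observed.get(svc)
        actual = "absent" if value is None else START_NAME.get(value, f"start={value}")
        if actual != expected:
            findings.append((svc, expected, actual))
    return findings


# Constructed sample resembling `sc qc` output for three services; the Server
# service (lanmanserver) is deliberately left at Automatic to show a finding.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TermService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Fwsrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
"""


def audit_sample():
    """Run the audit over the constructed listing (used by the demo below)."""
    return audit(parse_sc_qc(SAMPLE_SC_QC), BASELINE)


if __name__ == "__main__":
    # ExampleSvc is a placeholder name, not a real service.
    print(render_template(BASELINE, disable=["ExampleSvc"]))
    for svc, expected, actual in audit_sample():
        print(f"{svc}: expected {expected}, found {actual}")
```

On the constructed listing the audit reports the Server service at Automatic where the baseline says Manual, and every baseline service the listing does not mention as absent; a real run would feed it the concatenated output of `sc qc` for each short name in the table.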

Additional Resources

For more detailed information and guidelines on hardening ISA Server and the ISA Server computer, see the ISA Server Security Hardening Guide, available on the Microsoft Web site (http://www.microsoft.com).

For information about Microsoft ISA Server, see the Microsoft ISA Server Web site.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.


Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.

Do you have comments about this document? Send feedback.
