ISA Administrative Roles - NTFS and Registry Permissions
I want to provide a little bit more detail regarding the Discretionary Access Control Lists (DACLs) used by ISA Server. These ensure that the ISA installation and logging folders are configured with the proper NTFS security permissions required by ISA services. This topic is handled briefly in the ISA TechNet documentation handling the Role-based Administration of ISA:
Discretionary Access Control Lists
With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs when you modify administrative roles and when the Microsoft ISA Server Control service (isactrl) is restarted. For more information, see the section Role-Based Administration Features earlier in this document.
Caution: |
Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users:Folder for reports (when you select to publish the reports).Configuration files created when exporting or backing up the configuration.Log files that are backed up to a different location.Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure. Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent. |
Tip: |
We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions |
Source: http://technet.microsoft.com/en-us/library/bb794769.aspx
Q: How does this affect my daily work with ISA?
A: We think that this will have no negative effect on your work, and that it will help ISA remain stable ;-) The DACLs are in place to make sure ISA Server has all proper permissions on its installation directories and registry locations.
Q: How are DACLs affecting my ISA Server at all?
A: When you configure or change any Administrative Role on ISA (regardless of Enterprise or Standard Edition), the file and registry DACLs will be modified.
Important! Any changes you made earlier in the NTFS security settings, which don't match the roles configured in ISA, will be removed!!
Example: You recently added NTFS permissions to a user named BACKUP (manually, by GPO or sth. like this...). This use should be able to backup the ISA folders. All permissions you granted to this user will be removed after you make any changes or restart ISACTRL, if you haven't configured this user in the ISA Administrative Roles. Therefore your backup of ISA Server will most likely fail.
Q: Which Role provides which access to the ISA Folders?
A: See the following Tables for details...
ISA 2006 Standard Edition |
ISA Server Monitoring Auditor |
ISA Server Auditor |
ISA Server Full Administrator |
%ISAINSTALLDIRECTORY% |
RE,L,R |
RE,L,R |
Full Control |
ISALogs |
no access |
RE,L,R |
Full Control |
ISASummaries |
no access |
RE,L,R |
Full Control |
StgData |
no access |
no access |
Full Control |
Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN |
RE,L,R |
RE,L,R |
Full Control |
Table 1: ISA 2006 Standard Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)
ISA 2006 Enterprise Edition |
ISA Server Enterprise Auditor |
ISA Server Enterprise Administrator |
ISA Server Array Monitoring Auditor |
ISA Server Array Auditor |
ISA Server Array Administrator |
%ISAINSTALLDIRECTORY% |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
ISALogs |
RE,L,R |
Full Control |
no access |
RE,L,R |
Full Control |
ISASummaries |
RE,L,R |
Full Control |
no access |
RE,L,R |
Full Control |
StgData |
no access |
no access |
no access |
no access |
no access |
Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
Table 2: ISA 2006 Enterprise Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)
ISA 2004 Standard Edition |
ISA Server Basic Monitoring |
ISA Server Extended Monitoring |
ISA Server Full Administrator |
%ISAINSTALLDIRECTORY% |
RE,L,R |
RE,L,R |
Full Control |
ISALogs |
no access |
Full Control |
Full Control |
ISASummaries |
no access |
Full Control |
Full Control |
StgData |
no access |
no access |
Full Control |
ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, SDisaTemplates, Trace, UI_HTMLs, Uninstall, VPN |
RE,L,R |
RE,L,R |
Full Control |
Table 3: ISA 2004 Standard Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)
ISA 2004 Enterprise Edition |
ISA Server Enterprise Auditor |
ISA Server Enterprise Administrator |
ISA Server Array Monitoring Auditor |
ISA Server Array Auditor |
ISA Server Array Administrator |
%ISAINSTALLDIRECTORY% |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
ISALogs |
RE,L,R |
Full Control |
no access |
RE,L,R |
Full Control |
ISASummaries |
RE,L,R |
Full Control |
no access |
RE,L,R |
Full Control |
StgData |
no access |
no access |
no access |
no access |
no access |
Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
RE,L,R |
Table 4: ISA 2004 Enterprise Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)
Q: Which Role provides which access to the ISA RegKeys?
A: See the following Tables for details... 'root key' for the relevant ISA RegKeys is.
ISA 2006 Standard Edition |
ISA Server Monitoring Auditor |
ISA Server Auditor |
ISA Server Full Administrator |
HKLM\SOFTWARE\Microsoft\Fpc and Subkeys |
R |
R |
Full Control |
HKLM\IsaStg_Eff1 and [ArrayID] Subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers, |
R |
R |
Full Control |
HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ Subkeys AdminSecurity,ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Reports, SD, VendorParametersSets |
no access |
R |
Full Control |
HKLM\IsaStg_Eff1Policy |
no access |
R |
Full Control |
HKLM\IsaStg_Eff1Prot |
R |
R |
Full Control |
Table 5: ISA 2006 Standard Edition SP1 (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
ISA 2006 Enterprise Edition (Array Member Server) |
ISA Server Enterprise Auditor |
ISA Server Enterprise Administrator |
ISA Server Array Monitoring Auditor |
ISA Server Array Auditor |
ISA Server Array Administrator |
HKLM\SOFTWARE\Microsoft\Fpc and Subkeys |
R |
R |
R |
R |
R |
HKLM\IsaStg_Eff1 HKLM\IsaStg_Eff1Policy HKLM\IsaStg_Eff1Prot |
no access |
no access |
no access |
no access |
no access |
HKLM\IsaStg_Eff2 HKLM\IsaStg_Eff2Policy HKLM\IsaStg_Eff2Prot |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
HKLM\IsaStg_Cache HKLM\IsaStg_CacheArrPolicy HKLM\IsaStg_CacheArrProt HKLM\IsaStg_CacheEntPolicies HKLM\IsaStg_CacheEntProt |
R |
R |
R |
R |
R |
Table 5: ISA 2006 Enterprise Edition SP1 (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
ISA 2004 Standard Edition |
ISA Server Monitoring Auditor |
ISA Server Auditor |
ISA Server Full Administrator |
HKLM\SOFTWARE\Microsoft\Fpc and Subkeys (except Storage) |
R |
R |
Full Control |
HKLM\SOFTWARE\Microsoft\Fpc\Storage\Array-Root\Arrays and [ArrayID] Subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers, Sessions, SignaledAlerts |
R |
R |
Full Control |
HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ Subkeys AdminSecurity, ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Report, Reports, VpnQuarantine |
no access |
R |
Full Control |
Table 6: ISA 2004 Standard Edition (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
ISA 2004 Enterprise Edition (Array Member Server) |
ISA Server Enterprise Auditor |
ISA Server Enterprise Administrator |
ISA Server Array Monitoring Auditor |
ISA Server Array Auditor |
ISA Server Array Administrator |
HKLM\SOFTWARE\Microsoft\Fpc and Subkeys |
R |
R |
R |
R |
R |
HKLM\IsaStg_Eff1 HKLM\IsaStg_Eff1Policy HKLM\IsaStg_Eff1Prot |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
HKLM\IsaStg_Eff2 HKLM\IsaStg_Eff2Policy HKLM\IsaStg_Eff2Prot |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
R but no access to Subkeys |
HKLM\IsaStg_Cache HKLM\IsaStg_CacheArrPolicy HKLM\IsaStg_CacheArrProt HKLM\IsaStg_CacheEntPolicies HKLM\IsaStg_CacheEntProt |
R |
R |
R |
R |
R |
Table 5: ISA 2004 Enterprise Edition (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
Author
Philipp Sand
Microsoft Support Specialist ISA Server
Technical Reviewer
Jim Harrison
Microsoft Forefront (ISA/TMG) Sustained Engineering Team