ISA Administrative Roles – NTFS and Registry Permissions


I want to provide a little more detail on the Discretionary Access Control Lists (DACLs) that ISA Server maintains. They make sure the ISA installation and logging folders carry the NTFS permissions the ISA services need, and that nobody else gets more than their administrative role allows. The topic is covered only briefly in the ISA TechNet documentation on role-based administration:

Discretionary Access Control Lists


With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs when you modify administrative roles and when the Microsoft ISA Server Control service (isactrl) is restarted. For more information, see the section Role-Based Administration Features earlier in this document.


Caution:


Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.
Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users:
Folder for reports (when you select to publish the reports).
Configuration files created when exporting or backing up the configuration.
Log files that are backed up to a different location.
Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure.
Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.
If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent.


Tip:


We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions.


Source: http://technet.microsoft.com/en-us/library/bb794769.aspx


Q: How does this affect my daily work with ISA?


A: We think that this will have no negative effect on your work, and that it will help ISA remain stable 😉 The DACLs are in place to make sure ISA Server has all proper permissions on its installation directories and registry locations.


Q: How are DACLs affecting my ISA Server at all?


A: When you configure or change any Administrative Role on ISA (regardless of Enterprise or Standard Edition), the file and registry DACLs will be modified.


Important! Any NTFS or registry permissions you set earlier that do not correspond to a role configured in ISA will be removed.
Example: You grant NTFS permissions on the ISA folders to a user named BACKUP (manually, by GPO or in some similar way) so that this user can back up the ISA folders. If BACKUP is not assigned an ISA administrative role, every permission you granted to it is removed the next time you change a role or restart ISACTRL, and your backup of ISA Server will most likely fail. Accounts that need access to these folders should therefore get it through an ISA administrative role, not through a hand-edited DACL.
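To see this happen on your own server, the following PowerShell is an added example (not code from the original post or from Microsoft). It snapshots the explicit ACEs on the ISA folders, restarts isactrl, and lists every ACE ISA removed or added; a permission granted to an account outside the ISA roles shows up as "Removed". The install path is an assumption (the default), and the subfolder names are the ones from the tables below. Run it in an elevated session on the ISA Server computer and only in a maintenance window: restarting isactrl also restarts the dependent ISA services.

```powershell
# Added example, not code from the original post or from Microsoft: snapshot the
# explicit ACEs on the ISA folders, restart the ISA Server Control service, and
# report every ACE that ISA removed or added. Assumed (not on the page): the
# default install path below. The subfolder names come from the tables.
# Run in an elevated session on the ISA Server computer, in a maintenance window.

$IsaRoot = 'C:\Program Files\Microsoft ISA Server'   # assumed default install path
$Folders = 'ISALogs', 'ISASummaries', 'StgData'

function Get-IsaDaclSnapshot {
    # Returns a hashtable: folder path -> array of 'identity|type|rights' strings.
    # Only explicit (non-inherited) ACEs are recorded; inherited ones come from
    # the parent folder and are not what ISA rewrites on these objects.
    param([string]$Root, [string[]]$Subfolders)
    $snapshot = @{}
    $paths = @($Root) + @($Subfolders | ForEach-Object { Join-Path $Root $_ })
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $acl = Get-Acl -Path $path
        $snapshot[$path] = @($acl.Access |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object { '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights })
    }
    return $snapshot
}

function Compare-IsaDaclSnapshot {
    # Emits one object per ACE that is present in only one of the two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($path in $Before.Keys) {
        foreach ($ace in @($Before[$path] | Where-Object { $After[$path] -notcontains $_ })) {
            New-Object PSObject -Property @{ Path = $path; Change = 'Removed'; Ace = $ace }
        }
        foreach ($ace in @($After[$path] | Where-Object { $Before[$path] -notcontains $_ })) {
            New-Object PSObject -Property @{ Path = $path; Change = 'Added'; Ace = $ace }
        }
    }
}

$before = Get-IsaDaclSnapshot -Root $IsaRoot -Subfolders $Folders
Restart-Service -Name isactrl -Force   # the trigger described above; dependent ISA services restart with it
$after  = Get-IsaDaclSnapshot -Root $IsaRoot -Subfolders $Folders
Compare-IsaDaclSnapshot -Before $before -After $after |
    Select-Object Path, Change, Ace | Format-Table -AutoSize
```

Every "Removed" line is an ACE that ISA does not consider part of any configured role; if you need that account to keep access, assign it a role in the ISA console rather than re-adding the ACE, which ISA will strip again at the next role change or isactrl restart.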


Q: Which Role provides which access to the ISA Folders?


A: See the following tables for details.


ISA 2006 Standard Edition: folder | ISA Server Monitoring Auditor | ISA Server Auditor | ISA Server Full Administrator
--- | --- | --- | ---
%ISAINSTALLDIRECTORY% | RE,L,R | RE,L,R | Full Control
ISALogs | no access | RE,L,R | Full Control
ISASummaries | no access | RE,L,R | Full Control
StgData | no access | no access | Full Control
Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN | RE,L,R | RE,L,R | Full Control
Table 1: ISA 2006 Standard Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)


ISA 2006 Enterprise Edition: folder | ISA Server Enterprise Auditor | ISA Server Enterprise Administrator | ISA Server Array Monitoring Auditor | ISA Server Array Auditor | ISA Server Array Administrator
--- | --- | --- | --- | --- | ---
%ISAINSTALLDIRECTORY% | RE,L,R | RE,L,R | RE,L,R | RE,L,R | RE,L,R
ISALogs | RE,L,R | Full Control | no access | RE,L,R | Full Control
ISASummaries | RE,L,R | Full Control | no access | RE,L,R | Full Control
StgData | no access | no access | no access | no access | no access
Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN | RE,L,R | RE,L,R | RE,L,R | RE,L,R | RE,L,R
Table 2: ISA 2006 Enterprise Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)


ISA 2004 Standard Edition: folder | ISA Server Basic Monitoring | ISA Server Extended Monitoring | ISA Server Full Administrator
--- | --- | --- | ---
%ISAINSTALLDIRECTORY% | RE,L,R | RE,L,R | Full Control
ISALogs | no access | Full Control | Full Control
ISASummaries | no access | Full Control | Full Control
StgData | no access | no access | Full Control
ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, SDisaTemplates, Trace, UI_HTMLs, Uninstall, VPN | RE,L,R | RE,L,R | Full Control
Table 3: ISA 2004 Standard Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)


ISA 2004 Enterprise Edition: folder | ISA Server Enterprise Auditor | ISA Server Enterprise Administrator | ISA Server Array Monitoring Auditor | ISA Server Array Auditor | ISA Server Array Administrator
--- | --- | --- | --- | --- | ---
%ISAINSTALLDIRECTORY% | RE,L,R | RE,L,R | RE,L,R | RE,L,R | RE,L,R
ISALogs | RE,L,R | Full Control | no access | RE,L,R | Full Control
ISASummaries | RE,L,R | Full Control | no access | RE,L,R | Full Control
StgData | no access | no access | no access | no access | no access
Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN | RE,L,R | RE,L,R | RE,L,R | RE,L,R | RE,L,R
Table 4: ISA 2004 Enterprise Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)


Q: Which Role provides which access to the ISA RegKeys?


A: See the following Tables for details… ‘root key’ for the relevant ISA RegKeys is.


ISA 2006 Standard Edition: registry key | ISA Server Monitoring Auditor | ISA Server Auditor | ISA Server Full Administrator
--- | --- | --- | ---
HKLM\SOFTWARE\Microsoft\Fpc and subkeys | R | R | Full Control
HKLM\IsaStg_Eff1 and the [ArrayID] subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers | R | R | Full Control
HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ subkeys AdminSecurity, ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Reports, SD, VendorParametersSets | no access | R | Full Control
HKLM\IsaStg_Eff1Policy | no access | R | Full Control
HKLM\IsaStg_Eff1Prot | R | R | Full Control

Table 5: ISA 2006 Standard Edition SP1 (R = Read: Query Value + Enumerate Subkeys + Notify + Read Control)


ISA 2006 Enterprise Edition (array member server): registry key | ISA Server Enterprise Auditor | ISA Server Enterprise Administrator | ISA Server Array Monitoring Auditor | ISA Server Array Auditor | ISA Server Array Administrator
--- | --- | --- | --- | --- | ---
HKLM\SOFTWARE\Microsoft\Fpc and subkeys | R | R | R | R | R
HKLM\IsaStg_Eff1, HKLM\IsaStg_Eff1Policy, HKLM\IsaStg_Eff1Prot | no access | no access | no access | no access | no access
HKLM\IsaStg_Eff2, HKLM\IsaStg_Eff2Policy, HKLM\IsaStg_Eff2Prot | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys
HKLM\IsaStg_Cache, HKLM\IsaStg_CacheArrPolicy, HKLM\IsaStg_CacheArrProt, HKLM\IsaStg_CacheEntPolicies, HKLM\IsaStg_CacheEntProt | R | R | R | R | R

Table 6: ISA 2006 Enterprise Edition SP1 (R = Read: Query Value + Enumerate Subkeys + Notify + Read Control)


ISA 2004 Standard Edition: registry key | ISA Server Basic Monitoring | ISA Server Extended Monitoring | ISA Server Full Administrator
--- | --- | --- | ---
HKLM\SOFTWARE\Microsoft\Fpc and subkeys (except Storage) | R | R | Full Control
HKLM\SOFTWARE\Microsoft\Fpc\Storage\Array-Root\Arrays and the [ArrayID] subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers, Sessions, SignaledAlerts | R | R | Full Control
HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ subkeys AdminSecurity, ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Report, Reports, VpnQuarantine | no access | R | Full Control

Table 7: ISA 2004 Standard Edition SP3 (R = Read: Query Value + Enumerate Subkeys + Notify + Read Control)


ISA 2004 Enterprise Edition (array member server): registry key | ISA Server Enterprise Auditor | ISA Server Enterprise Administrator | ISA Server Array Monitoring Auditor | ISA Server Array Auditor | ISA Server Array Administrator
--- | --- | --- | --- | --- | ---
HKLM\SOFTWARE\Microsoft\Fpc and subkeys | R | R | R | R | R
HKLM\IsaStg_Eff1, HKLM\IsaStg_Eff1Policy, HKLM\IsaStg_Eff1Prot | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys
HKLM\IsaStg_Eff2, HKLM\IsaStg_Eff2Policy, HKLM\IsaStg_Eff2Prot | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys | R, but no access to subkeys
HKLM\IsaStg_Cache, HKLM\IsaStg_CacheArrPolicy, HKLM\IsaStg_CacheArrProt, HKLM\IsaStg_CacheEntPolicies, HKLM\IsaStg_CacheEntProt | R | R | R | R | R

Table 8: ISA 2004 Enterprise Edition SP3 (R = Read: Query Value + Enumerate Subkeys + Notify + Read Control)
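Serving both the folder tables and the registry tables above, the following PowerShell is an added example (not code from the original post or from Microsoft). It reads the DACLs ISA actually set and compares them with what Tables 1 and 5 state for ISA 2006 Standard Edition, so you can confirm the role assignments produced the permissions you expect, and catch any ACE that will be stripped at the next role change. The install path and the three example principals are assumptions; replace the principals with the users or groups you assigned to each role in the ISA console. The other editions can be encoded the same way by adding rows and role columns.

```powershell
# Added example, not code from the original post or from Microsoft: compare the
# DACLs ISA 2006 SE set on its folders and registry keys with Tables 1 and 5.
# Assumed (not on the page): the install path and the role-to-principal mapping,
# which you must copy from the roles assigned in the ISA console.
# Run in an elevated session on the ISA Server computer.

$IsaRoot = 'C:\Program Files\Microsoft ISA Server'   # assumed default install path
$RolePrincipals = @{                                   # assumed example accounts
    MonAud = 'CONTOSO\ISA-MonitoringAuditors'          # ISA Server Monitoring Auditor
    Aud    = 'CONTOSO\ISA-Auditors'                    # ISA Server Auditor
    Admin  = 'CONTOSO\ISA-FullAdmins'                  # ISA Server Full Administrator
}

# One row per object, transcribed from Tables 1 and 5.
# Read = "RE,L,R" on folders / "R" on keys; Full = Full Control; None = no access.
$Expected = @(
    @{ Path = $IsaRoot;                       MonAud = 'Read'; Aud = 'Read'; Admin = 'Full' },
    @{ Path = "$IsaRoot\ISALogs";             MonAud = 'None'; Aud = 'Read'; Admin = 'Full' },
    @{ Path = "$IsaRoot\ISASummaries";        MonAud = 'None'; Aud = 'Read'; Admin = 'Full' },
    @{ Path = "$IsaRoot\StgData";             MonAud = 'None'; Aud = 'None'; Admin = 'Full' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Fpc'; MonAud = 'Read'; Aud = 'Read'; Admin = 'Full' },
    @{ Path = 'HKLM:\IsaStg_Eff1Policy';      MonAud = 'None'; Aud = 'Read'; Admin = 'Full' },
    @{ Path = 'HKLM:\IsaStg_Eff1Prot';        MonAud = 'Read'; Aud = 'Read'; Admin = 'Full' }
)

# Access masks behind the tables' shorthand. Synchronize is masked out because
# Windows adds it to folder ACEs and the tables do not track it.
$FS   = [System.Security.AccessControl.FileSystemRights]
$RK   = [System.Security.AccessControl.RegistryRights]
$Sync = [int]($FS::Synchronize)
$Mask = @{
    File = @{ Read = [int]($FS::ReadAndExecute); Full = [int]($FS::FullControl); None = 0 }
    Reg  = @{ Read = [int]($RK::ReadKey);        Full = [int]($RK::FullControl); None = 0 }
}

function Get-AllowedMask {
    # Combined rights of the Allow ACEs (explicit and inherited) whose identity is
    # exactly $Principal. Group nesting and Deny ACEs are not evaluated: this audits
    # what ISA wrote to the DACL, it does not compute effective access.
    param([string]$Path, [string]$Principal)
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Principal) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($Path -like 'HKLM:*') { $mask = $mask -bor [int]$ace.RegistryRights }
        else                      { $mask = $mask -bor [int]$ace.FileSystemRights }
    }
    return ($mask -band (-bnot $Sync))
}

foreach ($row in $Expected) {
    if (-not (Test-Path $row.Path)) { Write-Warning "Not found: $($row.Path)"; continue }
    $kind = if ($row.Path -like 'HKLM:*') { 'Reg' } else { 'File' }
    foreach ($role in 'MonAud', 'Aud', 'Admin') {
        $principal = $RolePrincipals[$role]
        $want = $Mask[$kind][$row[$role]] -band (-bnot $Sync)
        $have = Get-AllowedMask -Path $row.Path -Principal $principal
        if ($have -ne $want) {
            New-Object PSObject -Property @{
                Object = $row.Path; Principal = $principal
                Expected = $row[$role]; ActualMask = ('0x{0:X}' -f $have)
            } | Select-Object Object, Principal, Expected, ActualMask
        }
    }
}
```

Anything the script reports is either an ACE that ISA did not set (and will strip at the next role change or isactrl restart) or one the role should have produced and did not; in both cases the fix is the role assignment in the ISA console, not a manual DACL edit. Built-in principals such as SYSTEM and Administrators are not listed in the tables and are not checked here.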




Author


Philipp Sand


Microsoft Support Specialist ISA Server


Technical Reviewer


Jim Harrison


Microsoft Forefront (ISA/TMG) Sustained Engineering Team