Running Security Configuration Wizard on ISA Server

I recently worked on a case where an ISA Server administrator wanted to run SCW (Security Configuration Wizard) on the ISA server. I created a lab to reproduce the scenario, so here is a walkthrough of running SCW on the ISA server. SCW is not installed by default on the ISA server (the Windows 2003 server on which ISA Server is installed), so we need to install it from Add/Remove Programs -> Windows Components. After SCW is installed, a folder (msscw) is created at c:\windows\security. Next we need to download the package for ISA Server; its link is https://www.microsoft.com/downloads/details.aspx?familyid=2748a927-bd3c-4d87-80fa-8687d5e2ab35&displaylang=en. This update adds the roles for ISA Server 2006 Standard Edition, ISA Server 2006 Enterprise Edition, and ISA Server Configuration Storage Server. After downloading the package, we need to run it and extract the files from it. Then copy the two .xml files (isa.xml and isaloc.xml) to the c:\windows\security\msscw\kbs folder, but first take a backup of the existing files with the same names, then overwrite them.

Then copy the isascwhlp.dll file to the c:\windows\security\msscw\bin folder. After adding these files to their respective folders, we can start the SCW wizard for ISA Server.
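The file staging steps above can be scripted so the backup is never skipped. The following batch file is an added example, not part of the original post or of the ISA Server package; the extraction folder C:\Temp\ISAScw and the backup folder name kbs-backup are assumptions.

```batch
@echo off
setlocal
rem Added example, not from the original post.
rem SRC is an ASSUMED folder where the downloaded package was extracted.
set "SRC=C:\Temp\ISAScw"
set "SCW=%SystemRoot%\security\msscw"
rem BAK is an ASSUMED backup location, kept outside the kbs folder.
set "BAK=%SCW%\kbs-backup"

rem Stop early if SCW is not installed or a package file is missing.
if not exist "%SCW%\kbs\" (echo SCW folder not found, install SCW first & exit /b 1)
for %%F in (isa.xml isaloc.xml isascwhlp.dll) do (
    if not exist "%SRC%\%%F" (echo Missing %SRC%\%%F & exit /b 1)
)

rem Back up the existing files of the same name once.
rem A backup that already exists is never overwritten by a re-run.
if not exist "%BAK%\" mkdir "%BAK%" || exit /b 1
for %%F in (isa.xml isaloc.xml) do (
    if exist "%SCW%\kbs\%%F" if not exist "%BAK%\%%F" (
        copy /y "%SCW%\kbs\%%F" "%BAK%\%%F" >nul || exit /b 1
    )
)

rem Overwrite the two role definition files, then add the helper DLL.
for %%F in (isa.xml isaloc.xml) do (
    copy /y "%SRC%\%%F" "%SCW%\kbs\%%F" >nul || exit /b 1
)
copy /y "%SRC%\isascwhlp.dll" "%SCW%\bin\isascwhlp.dll" >nul || exit /b 1

rem Confirm each installed file is byte-identical to the extracted one.
for %%F in (isa.xml isaloc.xml) do (
    fc /b "%SRC%\%%F" "%SCW%\kbs\%%F" >nul || (echo Verify failed for %%F & exit /b 1)
)
fc /b "%SRC%\isascwhlp.dll" "%SCW%\bin\isascwhlp.dll" >nul || (echo Verify failed for isascwhlp.dll & exit /b 1)

echo ISA Server SCW role files installed. Backups are in %BAK%
```

Run it from an administrative command prompt on the ISA server before starting the wizard.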

Note: Please take a backup of the server before performing the steps.

We can start by going to Start -> Administrative Tools -> SCW, and then we will see the following screen.

Then click Next to proceed, and we will get the following screen.

In the above screen, choose the first option, i.e. create a new security policy, and move next to get the following screen.

Enter the name of the server on which we are going to run SCW (in this case it is CorpA05), then move next.

Move next to configure SCW with role-based service configuration, i.e. only those services that match the server's role should be running.

Then we will get the following screen; choose only the ISA Server role.

Then we need to choose the client features that we need ISA Server to use. In my case I used the following

and

Then choose the services that you want to keep. In my case I chose the following.


Next come the additional services. In my case the following services were there; if you don't want a service, you can uncheck it in the list.

Then we need to specify what to do with unspecified services. We have two options: either leave the startup mode of the service as it is, or disable it. In my case I chose to disable such services.

Then verify the service changes below.

Then make sure we skip the following, as shown in the following screen.

Then we will go to the following screen.

Then we will get the following screen. Keep the second option unchecked to save CPU cycles where CPU utilization is a constraint.

 

Then we define the method ISA uses to authenticate with remote computers. We can make this choice depending on how we want ISA to authenticate to the remote computers it connects to. In this case I chose domain accounts.

Next is how outbound authentication using domain accounts should happen; keep both options checked.

Then, for inbound calls to the ISA server, we can uncheck both of the options shown below.

Then we will get the registry changes summary as below.

Then configure the audit policy.

We can choose the option depending on our requirements; in my case I chose the third option, to audit successful and failed activities.

Then we will get the audit policy summary as below.

Then we will save the security policy as below.

We will then get to the following screen, where we define the location in which the policy is saved. We can use this policy on another similar ISA server as a baseline.

 

Then we will get the following screen, where we can apply the policy now or later. In my case I applied it right there.

 

Then it starts getting applied.

Then finally we will get the completion screen.

After completion you can reboot the machine and test the connectivity and existing functionality on the ISA server.