Hardening ISA Server in a Supported Manner

  • Article

1. Introduction

One process that it is becoming more and more common today is the hardening server’s process. This is really an excellent idea in the security perspective, the problem is when you tight too much or when you do it in an unsupported manner. Before go to the best practices I’m going to use two examples of cases where the ISA Server was affected drastically due a too restricted (and unsupported) hardening process.

2. Scenario 1 – Failure while installing ISA Server

In this scenario the ISA Server installation did not proceed and gives the error: “Microsoft ISA Server 2006 Setup failed while creating ISA Server Storage” .

The scenario was:

· Customer installed ISA Server as a domain member and assign ISA’s computer account to a specific OU. In this OU he created a series (long list) of restrictions for what services should be started or not.

· The default permission for the services also changed.

· The User Rights also were changed.

Solution: we created a new OU, moved the ISA computer account for this OU and hardening the services in a supported manner using the list described in the article Hardening the Windows Infrastructure on the ISA Server 2004 Computer .

3. Scenario 2 – Microsoft ISA Server Firewall Services Stops

In this scenario the ISA Server was failing to start with the error 14060. The scenario was:

· Customer installed ISA Server in a workgroup.

· After install he runs a script provided by his Security Department to hardening the Servers.

· One week after that, ISA started to have a “crash” behavior where the Microsoft Firewall service suddenly stops.

Solution: by using regmon we were able to determine that we were receiving access denied to access some registry hives needed during that time. Customer didn’t have a rollback script to undo the changes and since it will take too much time to reverse that he decided to rebuild the OS and reinstall ISA.

4. Best Practices

These are just a simple example of headaches that can happen if the hardening on ISA Server is not using Microsoft recommendations. While the hardening process is very important, it is also important to understand the minimum requirements for a product to work correctly. You can’t get a generic hardening script and apply to ISA Server without knowing what it is really necessary.

The main recommendation is to use the Security Configuration Wizard with the ISA Sever template to hardening ISA Server. TechNet Magazine September issue has a nice article from Alan Maddison that explains in details how to do that, check it out here.

Besides that, here we have the official statement about ISA Server hardening process:

· Securing the ISA Server Computer

· ISA Server 2004 Security Hardening Guide

· ISA Server 2006 Security Guide

Stay safe and stay supportable J