Beruflich Dokumente
Kultur Dokumente
Windows
Infrastructure on
the ISA Server 2004
Computer
Because Microsoft® Internet Security and Acceleration (ISA) Server 2004 is used to protect your
network or other resources from attack by malicious users, take special care in hardening the ISA
Server computer. We recommend that you apply the configurations described in the
Windows Server 2003 Security Guide (http://www.microsoft.com). Specifically, you should
apply the Microsoft Baseline Security Policy security template. However, do not implement the
Internet Protocol security (IPsec) filters or any of the server role policies.
In addition, you should consider ISA Server functionality and harden the operating system
accordingly. This document describes how to harden Microsoft Windows Server™ 2003 and
Windows® 2000 Server running on the ISA Server computer. For further security guidelines, see
the ISA Server Security Hardening Guide (http://www.microsoft.com). The ISA Server Security
Hardening Guide includes these instructions, in addition to more detailed security considerations.
Note
We recommend that you harden the Windows infrastructure
after you have completely installed ISA Server. For ISA Server
Enterprise Edition, install all the necessary Configuration
Storage servers and the array members. Then, harden the
computers.
8. On the Select Client Features page, select the default client roles, as appropriate. No
special client roles are specifically required for hardening ISA Server. Then, click
Next.
9. On the Select Administration and Other Options page, select the following
options:
a. Select Microsoft Internet Security and Acceleration Server 2004
Enterprise Edition: Configuration Storage, if the Configuration Storage
server is installed on this computer (for ISA Server Enterprise Edition
only).
b. Select Microsoft Internet Security and Acceleration Server 2004
Enterprise Edition: Client installation share, if the Firewall Client share
is installed on this computer.
c. Select Microsoft Internet Security and Acceleration Server 2004
Enterprise Edition: MSDE Logging, if ISA Server advanced logging
options are installed on this computer.
10. On the Select Additional Services page, select the appropriate services and click
Next.
11. Click Next until you finish the wizard.
For more technical guidance about the SCW, see “Security Configuration Wizard for
Windows Server 2003” at the Microsoft Windows Server 2003 Web site
(http://www.microsoft.com).
Core Services
The following table lists the core services that must be enabled for ISA Server and the ISA
Server computer to function properly.
Note
The startup mode for the Server service should be Automatic in
the following cases.
• You install ISA Server 2004: Client Installation Share.
• You use Routing and Remote Access Management, rather
than ISA Server Management, to configure a virtual private
network (VPN).
• Other tasks or roles, as described in the preceding table,
require the service.
• The startup mode for the Routing and Remote Access
service is Manual. ISA Server starts the service only if a VPN
is enabled
Note that the Server service is required only if you use Routing and Remote Access Management
(rather than ISA Server Management) to configure a VPN.
Note
Time client applications require that either the Wireless or the
Server service is running in order to function properly.
4. In the console tree, click the Security Templates node, right-click the folder where
you want to store the new template, and click New Template.
5. In Template name, type the name for your new security template.
6. In Description, type a description of your new security template, and then click OK.
7. Expand the new template, and then click System Services.
8. In the details pane, right-click COM+ Event System and then click Properties.
9. Select Define this policy setting in the template and then click the startup mode.
(For COM+ Event System, the startup mode is Automatic.)
10. Repeat steps 15 and 16 for each of the services listed in the following table.
Note
The startup mode for the Server service should be Automatic in
the following cases:
• You install ISA Server 2004: Client Installation Share.
• You use Routing and Remote Access Management, rather
than ISA Server Management, to configure a VPN.
• Other tasks or roles, as described in the preceding table,
require the service.
The startup mode for the Routing and Remote Access service is
Manual. ISA Server starts the service only if a VPN is enabled.
Time client applications require that either the Wireless or the Server service is running in order
to function properly.
To apply the new template to the ISA Server computer, perform the
following steps.
1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Configuration and Analysis, click Add, click Close, and then click
OK.
Additional Resources
For more detailed information and guidelines on hardening ISA Server and the ISA Server
computer, see the ISA Server Security Hardening Guide, available on the Microsoft Web site
(http://www.microsoft.com).
For information about Microsoft ISA Server, see the Microsoft ISA Server Web site.
The example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious. No association with any real company,
organization, product, domain name, e-mail address, logo, person, places, or events is intended
or should be inferred.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
people, and events depicted herein are fictitious and no association with any real company,
organization, product, person, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries/regions.