One issue that I think a lot about is ISA firewall system hardening. There’s a lot of talk on this subject, and everyone seems to be looking for a magic bullet to harden his ISA firewall while at the same time not breaking any core functionality. I’ve heard discussions about applying Windows security templates, disabling services that are assumed to not be needed, disabling the Server and Workstation services, and all sorts of other home-grown remedies.
The issue with ISA firewall system hardening is that your hardening procedure needs to be specific to the roles the ISA firewall will play on your network. Unlike typical hardware firewalls, which are significantly limited in the roles they can take to protect your network, the ISA firewall can take many roles, including that of network firewall, remote access VPN server, site-to-site VPN gateway, Web proxy server, or any combination of these. The hardening procedure varies with what role or combination of roles the ISA firewall performs. The only way to really intelligently harden the ISA firewall is to understand and follow the guidelines in the ISA Server 2004 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
In the ISA Server 2004 Security Hardening Guide you’ll find that the most useful information is not about arcane Registry edits, file system / Registry ACLs, or services configuration, but rather how to configure the ISA firewall software itself to provide a highly secure configuration. Remember, the ISA firewall is the most secure device on your network, and the chances that your ISA firewall will be compromised before any network servers (usually due to insiders) are exceptionally low.
The ISA firewall only allows connections that you have allowed either via Firewall Policy or via System Policy. Since the System Policy makes certain assumptions about your network, the first thing you should do after installing the ISA firewall is configure the System Policy to meet your networking and security requirements.
For this reason, I prefer to keep my ISA firewall "hardening" fairly simple:
- Customize System Policy for least privilege
- Customize firewall policy for least privilege
- Run the Security Configuration Wizard with the ISA Server template
- Configure ISA firewall settings consistent with a high level of security based on the recommendations in the ISA Server 2004 Security Hardening Guide
- Never install any other software on the ISA firewall that isn’t designed as an ISA firewall add-on — no Web servers, mail servers, FTP servers, etc.
- Never use the Web browser, Outlook Express or any other client application on the ISA firewall (except for network diagnostic apps like ping, tracert, pathping, etc.)
- Host the Firewall client share on a file server
- Host the autoconfiguration script on a Web server
Now that I’ve finished my rant on ISA firewall system hardening, I can get to what motivated me to discuss this subject.
A few people have recently asked about the error "Setup failed registering ISA Server Performance Monitoring" after installing the ISA firewall on Windows 2000. The reason you received this error is that you applied a security template to the Windows 2000 operating system. The solution? Crater the box and start over, and this time do not apply a security template. Use the advice I provided in this post.
Thomas W Shinder, M.D.
MVP — ISA Firewalls