Microsoft ISA Server 2006 provides you with network perimeter protection that enables secure remote access to applications and data while protecting your IT infrastructure from Internet-based threats. With ISA Server 2006 you can securely publish content for remote access, establish secure connections with branch office sites, and defend against both internal and external Web-based threats.
Sitting on the front line of the network perimeter and acting as the authentication gatekeeper for authorized remote access, the ISA Server typically receives a significant amount of network traffic. When it comes to monitoring the performance of ISA Server, assessing network security, or conducting a forensic analysis of ISA Server traffic as a function of incident response, you will need to understand how to work with the logging and reporting features of ISA Server.
Thankfully, Microsoft thought of that and built relatively robust logging and reporting capabilities into ISA Server 2006. ISA Server 2006 reports let you view general traffic patterns, analyze which applications or protocols are used most frequently, which sites are being accessed, unauthorized or malicious attempts to access network resources, and more.
ISA Server aggregates data from the Web proxy and firewall logs using Dailysum.exe. The Dailysum.exe program is part of ISA Server and runs by default at 12:30am each day to extract and summarize the log data from those sources. Even if no reports are configured to run, Dailysum.exe will run, unless it is disabled. At the beginning of each month Dailysum.exe also generates a summary of the previous month’s activity. By default, at least 35 daily summaries and 13 monthly summaries are saved. These summaries are stored as *.ILS database files in the ISASummaries folder which can be found within the ISA Server installation folder.
ISA Server 2006 comes with a variety of predefined report types that enable you to quickly and easily review common traffic data and critical security information. The built-in report types are:
With these reports as a base, ISA Server 2006 allows you to customize or filter the results using the following criteria:
You use the ISARepGen.exe application, installed by default with ISA Server, to generate one-time or recurring reports. You can create a one-time report using the New Report Wizard. By definition the report will run only one time once you complete the wizard. Follow these steps to generate a one-time report:
You can also configure recurring reports to be generated on a predefined periodic basis such as daily, weekly, or monthly. To create a new recurring report you have to run the New Report Job Wizard and specify the criteria to define what content the report should cover and the frequency that the report should be generated. Follow these steps to create a recurring report:
Whether you are creating a one-time or recurring report, you will need to supply information to the wizard such as the name of the report, the content that should be included within the report, the reporting timeframe or frequency schedule (depending on whether it is a one-time or recurring report), the directory the report should be published to and any access credentials necessary for ISA Server to write to that directory, and whether or not an email notification should be generated when the report is created and any SMTP or email address information necessary to facilitate that notification.
Log data can be written to a text file, however, even in small and medium-sized business environments the text file can quickly grow to a cumbersome size. The better logging options are to use a SQL Server database, or SQL Server’s scaled down cousin- MSDE. There are some security and performance advantages to using an external SQL Server for maintaining log data, but SQL Server requires separate licensing. MSDE provides many of the same features as SQL Server, but in a less robust database that runs locally on the ISA Server.
Regardless of whether you store log data in MSDE or SQL Server, you can use SQL queries to extract information. SQL queries enable you to filter log data on a very granular level and export data to Excel spreadsheets where it can be easier to work with and manipulate it.
For example, assume that while reviewing a standard daily ISA Server 2006 Security report you notice an inordinate number of failed authorization attempts by one specific user account, MaryN. The user in question is out on maternity leave and the Failed Access events appear to indicate an attempt to compromise the user account and breach the network. What you would want to do is to review data which is specific to this user account over the past week and try to determine the scope of the problem and at what point the issue began.
When filtering the log data, you need to specify the criteria that you want to filter, the conditional argument to apply, and the value. In our example you might filter on the following:
In order to investigate the anomalous failed authorizations, you want to examine log data for the past week for MaryN. So, you would also want to narrow the results using:
Third party tools such as GFI WebMonitor for ISA Server provide even more detailed and valuable reports to help you administer access to your network and protect your users and network from malicious activity. In addition to the expanded reporting capabilities, GFI WebMonitor for ISA Server also extends the security and traffic-filtering functionality of ISA Server 2006. GFI WebMonitor for ISA Server enables you to enforce Internet acceptable use policies with ISA Server 2006, filter web content based on categories, prevent data leakage by filtering outbound files, and protect against malware compromise by scanning inbound traffic.
ISA Server 2006 is a powerful and effective tool for your network perimeter. It enables remote users to connect to internal resources securely while protecting the internal network from unauthorized access. To be effective though, you need to have procedures in place for when and how to review log and report data, and how to respond when malicious or anomalous activity is detected. Third-party tools can extend the functionality of ISA Server 2006 itself, as well as helping to automate and simplify management of network security, providing more robust and effective reporting.
There’s a lot of information in log files. Maybe too much information. Use PowerShell to…
Error messages don’t always tell you what caused the problem with Azure.. Azure services status…
Is your organization faced with making tough decisions about staffing, remote work, and other matters?…
With artificial intelligence, there’s no looking back. And these forward-looking startups are at the leading…
There are fewer things more evil than blackmailing patients of a psychotherapy clinic. But this…
COVID-19 has forced many to shelter-in-place — including IT pros who might otherwise look for…