ISA Server 2006 allows the delegation of administrative permissions to individual users to make the Administration model more flexible. ISA Server 2006 uses two different models to assign permissions to individual users. ISA Server 2006 Standard uses a simple model that controls access for specific parts of the ISA configuration. ISA Server 2006 Enterprise uses a more distributed model which lets you assign permissions at the Enterprise level and at array level.
Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”
ISA Server 2006 Standard role | Tasks |
ISA Server Monitoring Auditor | Users assigned to this role can monitor ISA Server 2006 but cannot view the ISA Server configuration. |
ISA Server Auditor | Users and groups assigned this role can perform all monitoring activities like Firewall log configuration, definition of ISA alerts and can view, but not modify the ISA Server 2006 configuration. |
ISA Server Full Administrator | Users and groups can perform any ISA Server 2006 task. This is the most powerful role in ISA Server 2006. |
Table 1: ISA Server 2006 Standard roles
Every normal Windows user or Windows group can be assigned permissions for ISA Server roles. No special privileges or Windows permissions are required.
Note:
There is one exception to what is written above. When a user tries to open Perfmon for viewing the ISA Server 2006 Performance counters or the ISA Server Dashboard, the account must be a Member of the Windows Server 2003 Performance Monitor User group.
To assign administrative roles, start the ISA Server 2006 Management console; right click the Server objects properties and navigate to the Assign Roles tab. You must be an Administrator with the assigned role “ISA Server Full Administrator” to delegate permissions.
Click Add to select users or groups which you would like to assign specific roles.
Figure 1: Assign ISA management roles
After selecting the user group or user, select the role that you want to assign to the user or user group.
Figure 2: Select the management role
Example permission of ISA Server roles
Activity | ISA Server Monitoring Auditor | ISA Server Auditor | ISA Server Full Administrator |
View Dashboard, alerts, connectivity, sessions, services | Allowed | Allowed | Allowed |
Acknowledge alerts | Allowed | Allowed | Allowed |
View log information | Not allowed | Allowed | Allowed |
Create alert definitions | Not allowed | Not allowed | Allowed |
Create reports | Not allowed | Allowed | Allowed |
Stop and start sessions and services | Not allowed | Allowed | Allowed |
View firewall policy | Not allowed | Allowed | Allowed |
Configure firewall policy | Not allowed | Not allowed | Allowed |
Configure cache | Not allowed | Not allowed | Allowed |
Configure a virtual private network (VPN) | Not allowed | Not allowed | Allowed |
Table 2: ISA Server 2006 detailed permissions (Source: Role-based Administration in ISA Server 2006)
Attention:
If you remove the assigned ISA management role for a specific user or user group, the users removed from this group retain ownership of the objects they created, so that it is possible that an ISA Administrator can delete objects he created although the user is no longer a member of an ISA Server role.
Figure 3: Users retain ownership of objects they created
Open the ISA Management console with no access
Another interesting thing is what happens when a user tries to open the ISA Server 2006 management console when the user has no assigned ISA Server 2006 roles. I tried it with the user Auditor who has no assigned ISA Server role. You can see the result in the following picture.
Figure 4: Messages when a user tries to open the ISA Management console without assigned roles
Testing the ISA role concept
As a next step, I logged on with the user Auditor which I assigned the ISA Server Auditor rule. After the Management console has opened, I tried to create a new firewall rule but this should not succeed, because the ISA Server Auditor rule should not have the right to create firewall rules.
Figure 5: The ISA Server Auditor rules doesn’t have the permission to create a firewall rule
Defining Enterprise-Level Administrative Roles
ISA Server 2006 Enterprise also uses a role-based model to organize enterprise and array administrators with predefined roles. Users with a specific role are allowed to complete specific ISA Server tasks. ISA Server 2006 distinguishes between enterprise-level roles and array level roles. ISA Server 2006 Enterprise can assign the following Enterprise roles:
ISA Server 2006 Enterprise role | Tasks |
ISA Server Enterprise Administrator | This role allows full control over the enterprise and the configuration of all arrays in the enterprise. Users with this role can create enterprise policies and apply them to an array, manage array configurations, and assign roles to other users and groups. |
ISA Server Enterprise Auditor | This role allows users to view the enterprise configuration and the configuration of all arrays in the enterprise. |
ISA Server Enterprise Policy Editor | Enterprise administrators can assign administrators permissions for specific enterprise policies, thus limiting enterprise-level administration to a specific policy. Enterprise Policy Editors can create rules for the specific enterprise policy, but cannot create new enterprise policies. |
Table 3: ISA Server 2006 Enterprise roles
Discretionary Access Control Lists
When ISA Server 2006 is installed, it uses discretionary access control lists (DACLs) to configure permission. ISA Server 2006 reconfigures the DACLs every time when the Microsoft ISA Server Control service (ISACTRL) is restarted or when you add new administrative ISA Server roles.
Conclusion
In this article I tried to show you how to delegate administrative permissions for administering ISA Server 2006 with different users and user groups. Distributing the Firewall administration is often required in enterprise environments where many ISA Servers must be administered and administrative work is distributed through the admin staff.
In my opinion, delegating administrative permissions in ISA Server 2006 is extremely useful in ISA Server 2006 Enterprise, because of the array model and the enterprise environment it may be useful to separate the administrative permissions to administer ISA Server 2006.
Related links