Using the Windows Server 2003 Security Configuration Wizard to Harden the ISA Firewall
by Thomas W Shinder MD, MVP
The pain was felt on both ends of the aisle – ISA firewall admins felt the pain, and the Microsoft ISA firewall product group felt it too. Microsoft was determined to correct this situation and they worked diligently to come up with comprehensive ISA firewall hardening guides for the 2004 ISA firewall. If you haven’t had a chance to read them yet, check them out at http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx
As good as those guides are, you still have to read them a few times to figure out the consequences of your actions, and then if something goes haywire, you need to figure out a way to back out of your configuration without making the fix an avocation.
The solution for ISA firewall admins running their ISA firewalls on Windows Server 2003 Service Pack 1 is the Security Configuration Wizard (SCW). The SCW automates the process of hardening the ISA firewall by using security templates specially designed to lock down the ISA firewall and its base operating system tight as a drum.
The SCW isn’t installed by default. After installing Windows Server 2003 SP1, open the Control Panel and open the Add/Remove Programs applet. Click the Add/Remove Windows Components button and select the Security Configuration Wizard from the list. After the SCW is installed, you can access the application from the Administrative Tools menu.
Make sure that ISA Server 2004 Service Pack 1 is installed on the ISA firewall before installing Windows Server 2003 SP1.
The example provided in this article shows how the SCW works using a best practices configuration, where the ISA firewall has multiple network interfaces and is a member of the domain. The SCW may detect different roles and present you with different options if you run it on an ISA firewall that doesn’t meet these requirements for a secure ISA firewall deployment.
The first page of the wizard explains what the SCW does. Click Next.
The second page of the wizard enables you to create a new policy, edit an existing policy, apply an existing policy, and best of all, roll back the last applied security policy. The rollback feature is a great feature that helps you save yourself in the event that you make the wrong decisions and the ISA firewall blows up. Since this is the first time we’re running the SCW on the ISA firewall, select the Create a new security policy option.
On the Select Server page you enter the name of the ISA firewall in the Server (use DNS name, NetBIOS name, or IP address) text box. Since you never want to allow connections to the ISA firewall itself (except for those absolutely necessary), we always run the SCW on the firewall and not from another host on the network. While the SCW does allow you to do remote profiling and configuration of servers, this should be avoided when using the SCW to harden the ISA firewall. In this example, the FQDN of the ISA firewall is isalocal.msfirewall.org so we enter that into the text box. Click Next.
After clicking Next, the SCW will take a minute or two to check the ISA firewall’s current configuration against the SCW’s security configuration database.
When the SCW is done doing its work, you’ll see the View Configuration Database button appear. Click the View Configuration Database button.
This brings up the SCW Viewer, which shows you information about the different client and server roles, admin options, services, ports and other settings that the SCW has information on and can configure. You can get more information about each setting by clicking the arrow next to the setting or role. This is a comprehensive list and includes roles and settings that fall outside just the ISA firewall settings. If you click on a role or setting that does apply to the ISA firewall, you’ll see that the SCW has detected that role or feature. Close the SCW Viewer and click Next on the Processing Security Configuration Database page.
The Role-Based Service Configuration page explains that the SCW can configure the device based on the role that device plays on the network. Click Next.
On the Select Server Roles page you see the roles that were detected for the ISA firewall device. In this example, the SCW had actually detected that the ISA firewall was configured as both a File server and Microsoft Internet Security and Acceleration Server 2004. The ISA firewall would need to be configured as a file server if you have the Firewall client installation share installed on the ISA firewall, but if you are not hosting the Firewall client installation share on the ISA firewall, then you should remove that role by removing the checkmark. You can get more information about the role by clicking the arrow next to the role. In this example the only role played by the ISA firewall is the Microsoft Internet Security and Acceleration Server 2004 role. This machine does not host the Firewall client share, so I removed the checkmark that the SCW had put there.
Note that if you are using the ISA firewall as a VPN server or gateway, then you should not select the Remote access/VPN server option. We want the ISA firewall to take control of the RRAS configuration, not the SCW. So, make sure that the Remote access/VPN server option is not selected. Click Next.
On the Select Client Features page, the client features required by the ISA firewall are selected by default. However, you may want to support additional client features. For example, if you want your VPN clients to browse the network after they connect, you should configure the ISA firewall’s internal interface with a WINS server address. If you do, then make sure the WINS Client role is selected. Most of the options are valid and the WINS entry is the only one that I would change. You might want to consider removing the DNS registration client if you’re not using DDNS. Click Next.
The Select Administration and Other Options page shows you the admin and other options that the ISA firewall team determined were important for an ISA firewall in our current configuration. Most of them are legit, although I removed the Application installation from Group Policy option since I’m not interested in having any applications other than the ISA firewall software installed on the ISA firewall device. Review the client roles carefully and click the arrows next to each of the options to learn more about them. Click Next.
On the Handling Unspecified Services page, you tell the Wizard how to handle services that aren’t installed on the selected server and not listed in the security configuration database. While it’s unlikely that you’ll have additional services installed on the ISA firewall that aren’t included in the security database, it is possible that a third-party product would install services that need to start in order to work correctly. For this reason, I recommend selecting the Do not change the startup mode of the service option. Click Next.
The Confirm Service Changes page shows you the changes the SCW will make to services running on the ISA firewall. Carefully review these changes before proceeding. In my runs with the SCW, I didn’t find anything changed that I didn’t want to change. Click Next.
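The Confirm Service Changes page is your last look at startup-mode changes before they happen, and a written record of what the services looked like before and after the policy is applied is the easiest way to confirm the page told the truth (and, after a later rollback, that the modes really went back). The script below is an added example, not code from the original article or from the SCW. It assumes the CSV layout that `wmic service get Name,StartMode /format:csv` writes on Windows Server 2003 when redirected to a file on the firewall and copied to your workstation; the embedded sample rows, including the service names in them, are constructed for illustration, and the set of services that must keep starting is an assumption you fill in from your own server.

```python
"""Diff Windows service startup modes captured before and after an SCW policy run.

Added example (not part of the original article). Assumes the CSV that
``wmic service get Name,StartMode /format:csv > services-before.csv`` writes on
Windows Server 2003: an initial blank line, a ``Node,Name,StartMode`` header,
then one row per service. Redirected wmic output is usually UTF-16 with a BOM;
load_snapshot() handles that. All sample rows below are constructed.
"""
import csv
import io
import sys

# Constructed sample: snapshot taken BEFORE the SCW policy was applied.
BEFORE_CSV = """
Node,Name,StartMode
ISALOCAL,Alerter,Manual
ISALOCAL,Browser,Auto
ISALOCAL,fwsrv,Auto
ISALOCAL,isactrl,Auto
ISALOCAL,Messenger,Auto
ISALOCAL,ThirdPartyAgent,Auto
"""

# Constructed sample: snapshot taken AFTER the policy was applied.
AFTER_CSV = """
Node,Name,StartMode
ISALOCAL,Alerter,Disabled
ISALOCAL,Browser,Disabled
ISALOCAL,fwsrv,Auto
ISALOCAL,isactrl,Auto
ISALOCAL,Messenger,Disabled
ISALOCAL,ThirdPartyAgent,Auto
"""

# Assumption: services that must keep starting on this firewall (the ISA
# services plus any third-party agent you chose "Do not change the startup
# mode" for). Fill this in from your own server.
MUST_KEEP_STARTING = {"fwsrv", "isactrl", "ThirdPartyAgent"}


def parse_wmic_csv(text):
    """Return {service_name: start_mode} from wmic's CSV text."""
    lines = [ln for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["Name"]: row["StartMode"] for row in reader}


def load_snapshot(path):
    """Read a redirected wmic CSV file, decoding the UTF-16 BOM form wmic emits."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("latin-1")
    return parse_wmic_csv(text)


def diff_startup_modes(before, after):
    """Return sorted (service, old_mode, new_mode) tuples for every service that changed."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old = before.get(name, "<absent>")
        new = after.get(name, "<absent>")
        if old != new:
            changes.append((name, old, new))
    return changes


def unexpected_changes(changes, must_keep_starting):
    """Return the changes that disabled a service you decided must keep starting."""
    return [c for c in changes if c[0] in must_keep_starting and c[2] == "Disabled"]


def report(before, after, must_keep_starting):
    """Return (all_changes, unexpected) so the caller can decide whether to roll back."""
    changes = diff_startup_modes(before, after)
    return changes, unexpected_changes(changes, must_keep_starting)


if __name__ == "__main__":
    # Usage: python scw_service_diff.py services-before.csv services-after.csv
    if len(sys.argv) == 3:
        before, after = load_snapshot(sys.argv[1]), load_snapshot(sys.argv[2])
    else:
        before, after = parse_wmic_csv(BEFORE_CSV), parse_wmic_csv(AFTER_CSV)
    changes, bad = report(before, after, MUST_KEEP_STARTING)
    for name, old, new in changes:
        print(f"{name}: {old} -> {new}")
    print("unexpected changes:", bad or "none")
```

Take the first snapshot before you click Next here, the second after the policy is applied and the firewall has been restarted; any entry in the unexpected list is a reason to reach for the rollback option on the wizard's second page.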
The Network Security page introduces changes the SCW can make to Windows Firewall and IPSec settings. Since we’re running a stateful packet and application layer inspection firewall, we don’t need to configure the Windows Firewall or IPSec settings. Leave the checkmark in the Skip this section checkbox and click Next.
The Registry Settings page introduces you to the changes you can make to protocols supported by the ISA firewall device. Most of what you’ll be configuring in the following pages is related to RPC and other intradomain communications. Click Next.
On the Require SMB Security Signatures page you configure whether or not you want SMB signatures enabled and required. I recommend that you select both the All computers that connect to it satisfy the following minimum operating system requirements and the It has surplus processor capacity that can be used to sign file and print traffic options if you are hosting the Firewall client share on the ISA firewall device. If you are not hosting the Firewall client share on the ISA firewall device, then do not select the It has surplus processor capacity that can be used to sign file and print traffic option. Click Next.
On the Outbound Authentication Methods page you configure the LAN Manager authentication methods supported when the ISA firewall device itself must authenticate to another computer. In this example, the ISA firewall is a member of the user domain (for enhanced security) and will also be used as a VPN gateway for site to site VPN connections. For this reason I selected both the Domain Accounts and Local Accounts on the remote computers options (since the remote VPN gateways might not be members of the domain). However, there is no reason at all that I can imagine for supporting connections requiring File sharing passwords on Windows 95, Windows 98, or Windows Millennium Edition. Click Next.
On the Outbound Authentication using Domain Accounts page you configure the LAN Manager authentication level used when making outbound connections. The default enabled option is Windows NT 4.0 Service Pack 6a or later operating systems. However, you do have the option to select Clocks that are synchronized with the selected server’s clock. You can check both if your network security requirements dictate that you do so, but I typically select the first one since I’m connecting to Windows Server 2003 servers/firewalls. Click Next.
The Registry Settings Summary page shows you the changes that will be made to the Registry to enforce the authentication requirements. Review these settings closely and then click Next.
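Once the policy is applied, the settings this summary page listed are ordinary registry values, so you can verify them directly rather than trusting the wizard's report. The script below is an added example, not code from the original article or from the SCW. The key paths and value names are Windows' documented locations for SMB signing (LanmanServer and LanmanWorkstation RequireSecuritySignature / EnableSecuritySignature) and for the LAN Manager authentication level (LmCompatibilityLevel); the EXPECTED_HOSTING_SHARE values are an assumption for illustration and should be replaced with whatever your own Registry Settings Summary page showed.

```python
"""Verify the registry values behind the SCW's SMB signing and LAN Manager pages.

Added example (not part of the original article). The key paths and value names
are Windows' documented registry locations for SMB signing and the LAN Manager
authentication level. EXPECTED_HOSTING_SHARE is an assumption for illustration:
fill it in from what your own Registry Settings Summary page listed.
"""
import sys

# Documented registry locations, relative to HKEY_LOCAL_MACHINE.
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SERVER = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WORKSTATION = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# label -> (key path, value name)
SETTINGS = {
    "lm_compatibility_level": (LSA, "LmCompatibilityLevel"),
    "server_enable_signing": (SERVER, "EnableSecuritySignature"),
    "server_require_signing": (SERVER, "RequireSecuritySignature"),
    "workstation_enable_signing": (WORKSTATION, "EnableSecuritySignature"),
    "workstation_require_signing": (WORKSTATION, "RequireSecuritySignature"),
}

# Documented meaning of LmCompatibilityLevel values, used in the report.
LM_LEVELS = {
    0: "send LM & NTLM responses",
    1: "send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "send NTLM response only",
    3: "send NTLMv2 response only",
    4: "send NTLMv2 response only, refuse LM",
    5: "send NTLMv2 response only, refuse LM & NTLM",
}

# Assumption: the values expected after a run where the firewall hosts the
# Firewall client share and both SMB signing options were selected. Where the
# share is not hosted and the surplus-capacity option was left unchecked, adjust
# server_require_signing to match your summary page.
EXPECTED_HOSTING_SHARE = {
    "lm_compatibility_level": 3,
    "server_enable_signing": 1,
    "server_require_signing": 1,
    "workstation_enable_signing": 1,
    "workstation_require_signing": 1,
}


def compare(observed, expected):
    """Return a list of (label, observed, expected) for every value that does not match.

    observed maps label -> int, or None when the value is absent from the
    registry; an absent value is a mismatch because the OS default then applies
    rather than the hardened setting.
    """
    mismatches = []
    for label, want in sorted(expected.items()):
        got = observed.get(label)
        if got != want:
            mismatches.append((label, got, want))
    return mismatches


def describe_lm_level(level):
    """Human-readable meaning of an LmCompatibilityLevel value."""
    return LM_LEVELS.get(level, f"unknown level {level!r}")


def read_live():
    """Read the current values from the local registry (Windows only)."""
    import winreg  # standard library, available only on Windows
    observed = {}
    for label, (path, name) in SETTINGS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                observed[label] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            observed[label] = None  # key or value not present
    return observed


if __name__ == "__main__":
    if sys.platform == "win32":
        observed = read_live()
    else:
        # Constructed sample: the workstation side requires signing but the
        # server side was left at "enabled, not required".
        observed = {"lm_compatibility_level": 3, "server_enable_signing": 1,
                    "server_require_signing": 0, "workstation_enable_signing": 1,
                    "workstation_require_signing": 1}
    print("LmCompatibilityLevel:", describe_lm_level(observed.get("lm_compatibility_level")))
    for label, got, want in compare(observed, EXPECTED_HOSTING_SHARE):
        print(f"MISMATCH {label}: observed {got!r}, expected {want!r}")
```

Run it on the firewall after the policy is applied and again after any rollback; a value reported as None means the wizard never wrote it and the operating system default is in force.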
The Audit Policy page explains the purposes and goals of the audit policy configuration options that show up on subsequent pages. Click Next after reading this information.
The options on the System Audit Policy page allow you to set the audit policy on the ISA firewall device. The default option is Audit successful activities. However, I want to know who’s been successful and unsuccessful, so I will typically choose the Audit successful and unsuccessful activities option.
The Audit Policy Summary page shows the changes the SCW will make to the current audit configuration on the ISA firewall device. Review these closely before continuing. You also have the option to include the SCWAudit.inf security template, which sets system access control lists (SACLs) that enable auditing of the file system. Note that once the template sets the SACLs on the file system, you won’t be able to use the rollback feature to reset them. Click Next.
Click Next on the Save Security Policy page to save the changes to a security policy template. Note that no changes will be made to the ISA firewall device at this time.
On the Security Policy File Name page, enter the name for the file at the end of the path provided for you in the Security policy file name text box. In this example, we’ll name the file isafirewallsecpol. Click the View Security Policy button to view the details of the security policy you’ve configured with the SCW.
The SCW Viewer appears and shows you the details of the security policy you’ve configured with the SCW. Review these settings closely to confirm that you want to make the changes listed in here. Close the SCW Viewer.
Now for the moment of truth. You have the option to save the file and apply it later, or you can apply the policy you’ve configured in the SCW now. If you’re not sure you want to make the changes, choose the Apply later option and copy the file to a lab ISA firewall and test it there. If you want immediate gratification, then select the Apply now option. Except for the changes made to the file system ACLs, you can always undo the changes made by the SCW policy by running the SCW again. In this example I’ll select the Apply now option and click Next.
Click Next on the Applying Security Policy page after you see it say Application complete.
Click Finish on the Completing the Security Configuration Wizard page.
Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=24;t=000903
I recommend restarting the ISA firewall device after you apply the policy changes to the ISA firewall.
While the changes made to the ISA firewall do not seem to have disabled any core functionality and have not created any access control issues that I’ve been able to identify, I have to recommend that you always test your policies in a lab environment before deploying them to your production ISA firewall. Your deployment may significantly differ from the best practices configuration that I recommend for ISA firewalls, or you may have networking or stateful packet inspection or application layer inspection enhancements installed on your ISA firewall. You should test your SCW security policies in the lab, with your production software environment, before deploying them on the actual ISA firewall device. You’re asking for trouble if you do otherwise.