Hardening ISA Server 2004 (Part 2)
If you would like to read the other part in this article series please go to Hardening ISA Server 2004 (Part 1).
Vendors publish good material on this subject as well, and I will refer to it where it helps the network professional understand what is entailed, covering both the technical issues and the procedural ones. The whole point of hardening ISA is to reduce the points of contact with the ISA server, that is, to reduce its attack surface. The guidelines below are aimed at exactly that.
The ISA server system policy
Below are key ISA server system policy elements that need to be monitored and carefully configured to ensure a secure ISA system.
Network Services: the system policy rules in this group govern which network services (DHCP, DNS, NTP and the like) the ISA server itself may use. Restrict them to the specific servers ISA actually needs rather than leaving them open to a whole network.
Authentication Services: these rules define which servers ISA may contact to authenticate users (Active Directory, RADIUS, RSA SecurID and CRL download). Point them only at the intended authentication servers, ideally reached over a dedicated network adapter on a segregated network rather than through the general internal network.
Remote Management: this element defines who can administer your server. Be very careful who you allow access to the ISA server, as a mistake here can lead directly to compromise. Restrict remote management to a fixed set of administrative IP addresses (the Remote Management Computers computer set) and to a defined administrative group, and think carefully about whether remote administration is needed at all.
Firewall Client Installation Share: if you need to distribute the Firewall Client, host the share on another server rather than on the ISA server itself. Only the Internal network can reach this share in any case, and the rule that exposes it can be disabled in the system policy.
Diagnostic Services: allow these (ICMP and the other diagnostic rules) only to authorized personnel, or better still only from a segregated administrative network used by IT staff.
Managing roles and permissions: care must be taken when assigning permissions to the ISA Server computer and its related components, because ISA Server controls access to the network. This means deciding deliberately who may log on to the ISA Server and what each of them may configure. ISA Server supports this by letting you assign administrative roles to users and groups.
Administrative Roles: when auditing this, make sure it is locked down. When defining permissions for the ISA server, the security professional needs to pay special attention to who holds administrator rights. ISA Server simplifies this with a small set of predefined roles that separate monitoring from configuration. The following roles can be applied:
- ISA Server Basic monitoring:
This role enables a professional to monitor the ISA Server computer and network activity, but does not allow them to configure monitoring itself. Assign it to staff who only need to watch the server; it is the least-privilege choice, and the monitoring done under it during hardening will often turn up further items that need attention.
- ISA Server Extended Monitoring:
This role enables one to perform all monitoring tasks, including log configuration, alert definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring Role. This role is for advanced interaction with the ISA server.
- ISA Server Full Administrator:
This role allows one to perform any ISA Server task, including rule configuration, applying network templates and all monitoring. Keep membership of this role to the smallest possible group.
Reducing the potential attack surface
One can further secure the ISA Server computer by reducing the attack surface. This can be obtained through the following:
- Remove or disable unnecessary applications and services on the ISA Server computer. This raises the question of antivirus software. It is needed, but it must be a server-class product and must be tested carefully against your ISA configuration, because many desktop AV suites bundle personal firewalls and other modules that interfere with ISA's own packet handling.
- Disable any ISA Server features that are not in current use.
- Disable any system policies associated with services not being utilized to manage your network.
- Limit the applicability of the system policy rules to required network entities only.
Step 2: Securing the ISA Configuration
To ensure that the ISA configuration is secure, the ISA professional must validate it after an upgrade, for example when moving from ISA 2000 to ISA 2004, because different versions implement policy differently. The firewall policy should also be validated whenever the ISA professional has created rules of their own rather than relying on the default policy. Check each rule to confirm that only the intended traffic is allowed and that no unnecessary ports or protocols are open. ISA Server installs a final rule named Default Rule that denies all traffic from all networks to all networks for all users, so anything not explicitly allowed by a rule above it is blocked. Do not disable or reorder this rule.
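The check described above can be made repeatable instead of a manual read-through of the console. The following is an added example, not code from the original article and not an ISA API: it takes a rule listing transcribed by hand from the access rule columns in ISA Management (the rules below are constructed for the example) and an approved baseline of protocols per destination network, then reports enabled Allow rules that use a wildcard protocol set, allow protocols outside the baseline, or let unauthenticated External clients reach Internal, and confirms that the deny-all Default Rule is still last. The wildcard protocol strings are an assumption about the console's wording.

```python
"""Lint an ISA Server 2004 firewall policy against an approved baseline.

Added example: this is not code from the original article and not an ISA
API. The rule listing is what you would transcribe by hand from the access
rule columns in ISA Management (Name, Action, Protocols, From, To, Users);
the rules themselves are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Protocol selections that match everything. ISA shows the Default Rule's
# protocols as "All Traffic" and an unrestricted access rule as
# "All Outbound Traffic"; adjust these strings to your console's wording
# if it differs (assumption for this example).
WILDCARD_PROTOCOLS = frozenset({"All Traffic", "All Outbound Traffic"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "Allow" or "Deny"
    protocols: FrozenSet[str]
    sources: FrozenSet[str]       # network names as shown in the console
    destinations: FrozenSet[str]
    users: FrozenSet[str]         # "All Users", "All Authenticated Users", or a group
    enabled: bool = True


# Approved baseline: the protocols that may be allowed INTO each network.
# Keeping this separate from the live policy is what makes drift visible.
Baseline = Dict[str, FrozenSet[str]]

BASELINE: Baseline = {
    "External": frozenset({"HTTP", "HTTPS", "DNS"}),
    "Internal": frozenset({"HTTPS", "DNS"}),
}


def lint_rules(rules: List[Rule], baseline: Baseline) -> List[Tuple[str, str]]:
    """Return (rule name, finding) for each enabled Allow rule that exceeds the baseline."""
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        if not rule.enabled or rule.action != "Allow":
            continue
        if rule.protocols & WILDCARD_PROTOCOLS:
            findings.append((rule.name, "allows all protocols; list only the protocols needed"))
            continue
        for dest in sorted(rule.destinations):
            extra = sorted(rule.protocols - baseline.get(dest, frozenset()))
            if extra:
                findings.append((rule.name, f"allows {', '.join(extra)} into {dest}, outside the approved baseline"))
        if "External" in rule.sources and "Internal" in rule.destinations and "All Users" in rule.users:
            findings.append((rule.name, "lets unauthenticated External clients reach Internal; require authentication"))
    return findings


def default_rule_is_last_deny(rules: List[Rule]) -> bool:
    """ISA evaluates rules top to bottom; the final rule must be an enabled deny-all."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "Deny" and last.enabled and bool(last.protocols & WILDCARD_PROTOCOLS)


# Constructed policy listing, in evaluation order.
SAMPLE_POLICY: List[Rule] = [
    Rule("Allow Web Access", "Allow", frozenset({"HTTP", "HTTPS"}),
         frozenset({"Internal"}), frozenset({"External"}), frozenset({"All Authenticated Users"})),
    Rule("Client DNS", "Allow", frozenset({"DNS"}),
         frozenset({"Internal"}), frozenset({"External"}), frozenset({"All Users"})),
    Rule("Vendor troubleshooting", "Allow", frozenset({"All Outbound Traffic"}),
         frozenset({"Internal"}), frozenset({"External"}), frozenset({"All Users"})),
    Rule("Legacy FTP", "Allow", frozenset({"FTP", "HTTP"}),
         frozenset({"Internal"}), frozenset({"External"}), frozenset({"All Users"})),
    Rule("Partner intranet", "Allow", frozenset({"HTTPS", "RDP (Terminal Services)"}),
         frozenset({"External"}), frozenset({"Internal"}), frozenset({"All Users"})),
    Rule("Old Telnet", "Allow", frozenset({"Telnet"}),
         frozenset({"Internal"}), frozenset({"External"}), frozenset({"All Users"}), enabled=False),
    Rule("Default rule", "Deny", frozenset({"All Traffic"}),
         frozenset({"All Networks (and Local Host)"}), frozenset({"All Networks (and Local Host)"}),
         frozenset({"All Users"})),
]

if __name__ == "__main__":
    for name, finding in lint_rules(SAMPLE_POLICY, BASELINE):
        print(f"{name}: {finding}")
    print("default deny is last:", default_rule_is_last_deny(SAMPLE_POLICY))
```

Run against the sample policy it reports the wildcard vendor rule, the FTP rule, and two findings on the partner rule (an unapproved protocol into Internal and unauthenticated external access); the disabled Telnet rule is ignored because it is not in effect, though it is still worth deleting. Keep the baseline under change control alongside the policy so every difference between the two is a deliberate decision.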
ISA can also be used as a virtual private network (VPN) server. It is imperative to make certain that the ISA server is secure when used in this way, because it then becomes the entry point for remote users and must be protected against any unauthorized entry into the network. To secure the ISA server when it is being used as a VPN server, the following can be undertaken:
- Require Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) connections rather than PPTP wherever the clients support it.
- Control which operating systems remote VPN clients may run by allowing only selected, supported versions.
- Use the ISA Server Quarantine Control feature. Clients are held in the Quarantined VPN Clients network until a client-side script confirms they meet policy, which gives you time to verify the connecting machine and remediate a non-compliant one before it reaches the internal network.
Another concern when using ISA Server as a VPN server is that a virus-infected VPN client can carry its infection into the network through the tunnel. This risk is reduced through the usual virus protection measures, combined with monitoring that detects irregular traffic and alerts configured to notify the ISA professional by e-mail of a potential attack. Once an infected VPN client is identified, it can be dealt with by excluding it from the VPN clients authorized to connect, using one of two approaches: restricting VPN access by user name or by IP address.
VPN users should be authenticated with a strong method. ISA supports several authentication protocols; prefer MS-CHAPv2 or EAP with certificates and disable the weaker options such as PAP and CHAP.
Another feature that secures the ISA configuration is connection limiting, which lets the ISA professional cap the number of connections a client may make to the server at one time. The limit can be tuned to the clients' real requirements, and once it is reached any further connections are denied. Set it as low as the legitimate workload allows; a worm-infected client trying to fan out across the network will hit the limit long before a normal user does.
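The two preceding points, identifying an infected VPN client and excluding it by IP address, and setting a per-client connection limit, come together in the following added example. It is not code from the original article and not an ISA component: it parses constructed firewall log lines in a simplified W3C-style layout (the field names and the records are assumptions for the example; the real ISA Server 2004 firewall log has more fields under different names), computes each client's peak number of new connections in any 60 second window and its fan-out to distinct targets, and lists the clients that exceed the configured limit as candidates for a blocked-clients computer set.

```python
"""Find VPN clients that exceed a per-client connection limit in firewall log lines.

Added example: not code from the original article and not an ISA component.
The log below is constructed for the example in a simplified W3C-style
layout ("#Fields:" header, space-separated records). The real ISA Server 2004
firewall log carries more fields under different names, so map the column
names to your own log export before using this on real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Per-client limit on new connections within one 60 second window. Set it to
# the same value you configure under Connection Limits in ISA (assumption:
# a site-specific number chosen from observed legitimate client behaviour).
CONNECTION_LIMIT = 10

# Constructed sample: 10.0.0.5 behaves normally; 10.0.0.23 opens a connection
# to port 445 on twelve different hosts within twelve seconds, the fan-out
# pattern of a worm-infected VPN client.
SAMPLE_LOG = """#Fields: date time c-ip r-ip r-port protocol action
2005-03-01 09:00:01 10.0.0.5 192.168.1.10 443 TCP Allowed
2005-03-01 09:00:30 10.0.0.5 192.168.1.11 80 TCP Allowed
2005-03-01 09:01:45 10.0.0.5 192.168.1.10 443 TCP Allowed
2005-03-01 09:02:10 10.0.0.5 192.168.1.12 53 UDP Allowed
""" + "".join(
    f"2005-03-01 09:00:{10 + i:02d} 10.0.0.23 192.168.1.{20 + i} 445 TCP Allowed\n"
    for i in range(12)
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a W3C-style log: the #Fields header names the columns of each record."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):        # other W3C directives (#Software, #Date, ...)
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            raise ValueError(f"malformed log line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def peak_connections_per_window(records: List[Dict[str, str]],
                                window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Highest number of allowed connections each client opened inside any sliding window."""
    times_by_client: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if rec["action"] != "Allowed":
            continue
        stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        times_by_client[rec["c-ip"]].append(stamp)
    peaks: Dict[str, int] = {}
    for client, times in times_by_client.items():
        times.sort()
        start, best = 0, 0
        for end, stamp in enumerate(times):
            while stamp - times[start] >= window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        peaks[client] = best
    return peaks


def fan_out(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Distinct (destination, port) pairs per client; a high count on one port suggests scanning."""
    targets: Dict[str, set] = defaultdict(set)
    for rec in records:
        targets[rec["c-ip"]].add((rec["r-ip"], rec["r-port"]))
    return {client: len(t) for client, t in targets.items()}


def clients_to_block(records: List[Dict[str, str]], limit: int = CONNECTION_LIMIT) -> List[str]:
    """Client IPs over the limit: candidates for a computer set that a deny rule excludes from VPN access."""
    return sorted(client for client, peak in peak_connections_per_window(records).items() if peak > limit)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, peak in peak_connections_per_window(recs).items():
        print(f"{client}: peak {peak} connections/60s, {fan_out(recs)[client]} distinct targets")
    print("block:", clients_to_block(recs))
```

On the sample the normal client peaks at 2 connections per window while the scanning client peaks at 12 and touches 12 distinct targets, so only 10.0.0.23 is returned for blocking. Blocking by IP address is the quick containment step; the user-name restriction the article mentions is the durable one, since a VPN client's address changes on the next connection.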
Step 3: Securing the operation of ISA
The third step is to determine how to deploy the network infrastructure secured by the ISA Server.
Remote network access
Restrict dial-in access to trusted and authorized users and limit what users can do from remote locations. Policies should be designed so that remote user activity is logged and can be traced. For remote access to a network, a VPN is a method that can be trusted: data travelling over a VPN connection is far less susceptible to interception than plain PPP dial-up connections over the PSTN. In high security environments, put systems in place that require credential validation for every resource accessed remotely. Client-side certificates can be used, and strong password authentication methods should be applied. Incorrectly implemented remote access remains one of the weakest links in network security and, in many cases, is exactly the opening intruders are looking for.
Antivirus settings should be set to the most restrictive level so that no form of malicious activity is tolerated. When selecting AV software, test it against your ISA server configuration and ensure that it is a server-class product.
Intrusion detection / prevention.
Intrusion detection is a vital part of hardening the Windows network, and various intrusion detection products exist that can help an organization detect unwanted intruders. For a comparative analysis of IDS products see www.windowsecurity.com.
Services run on Windows machines as registered processes started by the Service Control Manager, and they are where intruders look for vulnerabilities to exploit. Disabling any unused service is good practice: it leaves less for an intruder to attack, puts less strain on the hardware and reduces what has to be monitored and patched.
File systems on secure machines should be installed with the strongest available file security. NTFS is a robust file system that lets the administrator and user control access to files through assigned permissions, so data on an NTFS drive is far less exposed than it would be on a FAT partition. Bear in mind, though, that tools exist which can read files on an NTFS partition regardless of the permissions set, once an attacker has boot-level or physical access to the disk, so NTFS permissions are no substitute for physical security. NTFS is in any case required for the ISA cache file, and I recommend the most restrictive file system settings when installing ISA.
Assign a password to the BIOS. If an intruder gains physical access to the ISA server and wants to change the boot order, he will first enter the BIOS and set the machine to boot from the CD-ROM, since the utilities that let an attacker gain access to the machine are typically run from a CD. A BIOS password adds a small extra layer of protection. If the attacker cannot open the case because it is physically locked, the BIOS cannot be reset either, and it stays locked. Please note that some BIOS manufacturers have master passwords that override any password previously entered, so when choosing hardware, prefer a vendor whose BIOS has no master password.
This is a common physical access attack, so restrict the access or consider getting an ISA server appliance that only allows remote access.
When setting the boot order, ensure that only the system drive is bootable, as CD, floppy and USB flash drives all provide an avenue for attack. Intruders may need to install or load third-party tools, and booting around the operating system makes that possible. Many security professionals secure the operating system and overlook the underlying boot and removable media options.
In any organization, business continuity should be part of the disaster recovery strategy, and backups are part of this ISA server security strategy. All ISA configurations should be backed up, and restores should be tested regularly on test systems. It is vital that the backup media is stored offsite: media stored onsite will not help when a physical disaster destroys the site.
Hardening your ISA server is an ongoing process and should be taken very seriously. Regular audits, such as the firewall audit programme published on the ISACA website, should be carried out at least once a year. Uphold the integrity of your network by securing your perimeter.