Editing the ISA server 2004 System Policy (Part 1)
A System Policy is created when ISA Server 2004 is installed, the system policy is a component of ISA 2004 that is automatically configured and contains default settings. The system policy consists of a set of rules that specify how the ISA Server computer will interact with other network resources.
The above figures (1.1 & 1.2) display two different routes to access the ISA 2004 System policy.
The ISA 2004 System policy is often a feature that is overlooked and that remains unedited this results in default settings remaining. The system policy can be backed up by exporting it into an XML file. This XML file can then be imported on other ISA 2004 servers or added to backups for safe keeping.
The ISA 2004 System policy is split up into four sections.
Configuration Groups are network service type’s categorizations. These are used to define how ISA 2004 interacts with network resources required.
General tab defines the system policy rules and also allows the Security professional to switch a configuration group element on or off.
To/From tab defines the network that the traffic can travel to or from. You can also create network groups that will consolidate the policy rule.
- DHCP: Network Services DHCP Allow DHCP requests from ISA Server to Internal. Allow DHCP replies from DHCP servers to ISA Server Allows the ISA Server computer to access the Internal network using the DHCP (reply) and DHCP (request) protocols. This rule may be required for remote access or for traversal DHCP access though internal interfaces. Note this can be specified in the “from” window tab and exceptions can be added for static servers etc.
- DNS: Network Services (Name resolution using DNS) DNS Allow DNS from ISA Server to selected servers this allows the ISA Server computer to access all networks using the DNS protocol. Using this policy element you can control where ISA resolves its DNS requests by default this is set to all networks. If necessary you can specify exceptions incase there are more than one internet connection and you would like to specify explicit resolution path.
- NTP: Network Services (Time configuration) NTP Allow NTP from ISA host to trusted NTP servers allows the ISA 2004 computer to access the internal network using the NTP (UDP) protocol. This may be necessary to synchronize your time with internal servers.
- Active directory: Authentication (Windows user authentication) Active Directory Allow access to directory services for authentication purposes. Allow RPC from ISA Server to trusted servers. Allows Microsoft CIFS from ISA Server to trusted servers or servers in the same domain. Allow Kerberos authentication from ISA Server to trusted servers allows the ISA Server computer to access the internal network using various LDAP protocols, RPC (all interfaces) protocol, various Microsoft CIFS protocols, and various Kerberos protocols, using Active Directory® directory service. If this is disable ISA 2004 will stop authenticating with AD and will only be able to authenticate locally.
- RADIUS Authentication Services RADIUS allows RADIUS authentication from ISA Server to trusted RADIUS servers allows the ISA Server computer to access the internal network using various RADIUS protocols his includes AV pairs for Cisco devices.
- RSA SecureID Authentication Services RSA SecurID Allow SecurID authentication from ISA Server to trusted servers allows the ISA Server computer to access the Internal network using the RSA SecurID® protocol.
- CRL Download Authentication Services Certificate Revocation List Allow HTTP from ISA Server to all networks for CRL downloads Authentication Services: Allow HTTP from ISA Server to selected networks for downloading updated Certificate Revocation Lists (CRL) this is important when publishing SSL and OWA and any technology that makes use of Certificates.
- Microsoft Management Remote allows for remote management from selected computers (this can be defined and exceptions can also be added as to not allow other users to administer ISA) using MMC Allow MS Firewall Control communication to selected computers Allows computers on the Internal network to access the ISA Server computer using the MS Firewall Control and RPC (all interfaces) protocols. By defining this policy it can prove to be extremely powerful as the IT professional is able to explicitly allow access to administrators only while doing this without using AD but by using IP or an address range or a subnet.
The figure below 1.3 depicts what can be done with this system policy.
- Terminal Server Remote management allows for remote management from selected computers using Terminal Server it also allows computers on the internal network to access the ISA Server computer using the RDP (Terminal Services) protocol. It is useful to define this policy as you can control who is using terminal services to administer the ISA server.
- ICMP (Ping) Remote management allows ICMP (PING) requests from selected computers to ISA Server Allows computers on the Internal network to access the ISA Server computer using the Ping protocol, and vice versa. This option can be changed if you wish. Ping is a tool that can be used against your organization. If you do not need it disable it.
- Firewall Client install: This defines access to Firewall client share so that the client computers can access the Firewall client setup from trusted computers to the Firewall Client installation share on ISA 2004 Server this can be defined and restricted to computers on the internal network using various Microsoft CIFS and NetBIOS protocols. Be aware of the flexibility the Firewall client provides before allowing access to this tool. If the Firewall Client Share component was not installed this configuration group is not enabled.
- ICMP Diagnostic Services: This policy allows ICMP requests from ISA Server to defined servers it also allows the ISA Server computer to access all networks using various ICMP protocols and the Ping protocol. For diagnostic purposes this is a use full tool however it can pose a threat if it is not managed. Disable this option if you do not need the functionality.
- Windows Networking Diagnostic Services allows NetBIOS from ISA Server to trusted servers the policy allows the ISA Server computer to access all networks using various NetBIOS protocols. NetBIOS is a very dangerous protocol if it is not controlled as it can reveal lots of information about servers and clients. Disable this option if it is not used.
- Microsoft Error Reporting Diagnostic Services (Microsoft Error Reporting) Communication to Microsoft Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites allows the ISA Server computer to access members of the Microsoft Error Reporting sites URL set using HTTP or HTTPS protocols. This is when a MS application crashes and needs to report back to MS to improve the next version.
- HTTP connectivity verifiers are used when ISA checks for connectivity by sending HTTP GET requests to a predetermined computer. A system policy rule named Allow HTTP/HTTPS from firewall to all networks, for HTTP connectivity verifiers is configured as necessary, to allow these requests.
- Remote logging (NetBIOS) allows remote logging to trusted servers using NetBIOS this in turn enables the ISA Server computer to access the internal network using various NetBIOS protocols. Enable this if you need this option.
- Remote logging (SQL) allows remote SQL logging from ISA Server to selected servers allows the ISA Server computer to use Microsoft (SQL) protocols to access the Internal network.
- Remote performance Monitoring allows remote performance monitoring of ISA Server from trusted servers Allows computers on the Internal network to access the ISA Server computer using various NetBIOS protocols. This is important as professionals can use this to monitor the ISA server by default it not enabled or configured.
- Microsoft operations Manager Remote monitoring allows remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent Allows the ISA Server computer to access the internal network using the Microsoft Operations Manager agent. This option should be configured for internal servers or computers only. Be strict with this policy as it potentially could allow remote monitoring form un-trusted source.
- SMTP Remote monitoring (Mail alerts) enables SMTP from ISA Server to trusted servers Allows the ISA Server computer to contact the Internal network using the SMTP protocol.
- Scheduled download jobs: This policy allows the Scheduled Download Jobs using HTTP from ISA Server to selected computers for Content Download Jobs this policy enables the ISA Server computer to access all networks using HTTP.
- Allowed sites Various determines HTTP/HTTPS requests from ISA to specified sites the ISA Server computer can access members of the System Policy and allowed Sites URL set using HTTP and HTTPS protocols.
The ISA 2004 System policy helps to protect your network resources and facilitates secure access for policy defined needs. The ISA 2004 system policy maps to a set of firewall policy rules witch control how ISA 2004 enables the infrastructure that facilitates network management network security and connectivity. Default system policy is installed to protect internal resources and the Local ISA host machine.
By default system policy rules are enabled after installation. These are most essential and necessary rules for effectively managing the ISA 2004 environment. These policy rules can be changed to match your organizational security policy and so that it maps to custom requirements that the professional may have.
In the first part of this series I took you though when a system Policy is created and how it is automatically configured and what settings the policy contains. The system policy consists of a set of rules that specify how the ISA Server computer will interact with other network resources. If the IT professional learns how to manipulate the policy it can prove to be a strong tool that will assist in making the ISA implantation stronger.
If you would like to be notified when Ricky Magalhaes releases Part 2 click here to sign up to our newsletter.