Updating ISA s Operating System

Updating ISA's Operating System

The most commonly updated portion of ISA Server is ISA's operating system, which is Windows Server 2003 in most cases.

CAUTION

Although ISA Server 2004 supports installation on Windows 2000 Server, deploying it on Windows Server 2003 is highly recommended. The 2000 support is primarily intended for short-term migration scenarios, and Windows 2000 itself does not support the same level of robust operating system security as Windows Server 2003. This point cannot be stressed enough.

Any of several methods can be used to patch the Windows operating system:

Manual Patching The traditional way of patching Windows has been to download and install patches to the server itself. In highly secure ISA scenarios, where access to the Internet or internal systems cannot be granted or obtained, this may be the only feasible approach to patching.
Windows Update Windows Update is a Microsoft website that allows for detection of installed patches and provides for automated installation of the necessary patches. Windows Update must be manually invoked from the server console itself, and must be made available through ISA system policy rules.
Automatic Updates Client The Automatic Updates client uses the same type of technology as Windows Update, but automates the transfer of patches and updates. It can be configured to use Microsoft servers or internal Windows Server Update Services (WSUS) servers. This method is an unorthodox way to update an ISA server. It is generally preferred to manually control when a server is patched and rebooted.
Windows Server Update Services (WSUS) A Windows Server Update Services (WSUS) server pushes administrator-approved updates to clients and servers on a network, using the Automatic Updates client and on a predefined schedule.
Other Patch Push Technology Other patch push technologies for updating clients and servers such as ISA allow for patches and updates to be automatically pushed out on a scheduled basis. This includes technologies such as Systems Management Server (SMS) 2003. In general, these types of technologies are not used with an ISA server because greater control over the patching process is typically required.

Manually Patching an ISA Server

Given the fact that it is often not viable to automatically update and reboot a critical system such as ISA, the most common approach to ISA Server Patch management involves manually installing and patching an ISA Server on a controlled basis. Given the large number of server updates that Microsoft releases, this may seem like a rather onerous task. In reality, however, only a small number of these patches and updates apply to ISA server itself, so one of the tasks of the administrator is to validate whether an ISA server requires a specific patch or not.

For example, a patch that addresses a WINS server vulnerability would not apply to an ISA server that is not running that particular service. In reality, because ISA is locked down to not respond to any type of traffic other than those that are specifically defined, only a small number of the patches that are produced need to be run on an ISA server.

In general, a patch may need to be applied on the ISA server if it addresses a vulnerability in the following Windows components:

The kernel of the operating system.
Any part of the TCP/IP stack.
The Remote Routing and Access Service (RRAS), if VPN capability is enabled on the ISA Server.
Windows File server components, only if the Firewall Client Share is turned on (it's turned off by default).
The Internet Information Services (IIS) SMTP component, only if the SMTP Screener has been installed.
Any other service turned or identified as enabled during the Security Configuration Wizard (SCW) that is run during the setup of the server. See Chapter 2, "Installing ISA Server 2004," for this procedure.

NOTE

If in doubt, it is best to install the patch after testing it in a lab environment. If it is not a critical patch, it may be wise to wait until a designated maintenance interval and then install the cumulative patches that have come out so far.

Verifying Windows Update Access in the ISA System Policy

ISA Server System Policies control whether or not the Local Host network (effectively the ISA server itself) is allowed access to certain websites. The System Policy controls whether or not ISA can ping servers on the internal network, whether it can contact NTP servers to update its internal clock, and any other type of network access, including whether the server can access external websites such as Windows Update.

The default web policy blocks most websites from direct access from ISA, and enabling the ISA server to access specific sites must be manually defined in the System Policy. To allow for automatic updates via the Windows Update website, ISA grants the Local Host network access to the windowsupdate.com website. If this setting has been changed, or if access to additional websites is required, the System Policy must be updated. It is therefore important to know the location of this policy and how to modify it. To view this setting, perform the following steps:

1.	From the ISA Management Console, right-click on the Firewall Policy node in the console tree and select Edit System Policy.
2.	Under the Configuration Groups pane on the left, scroll down to Various, Allowed Sites, and select it by clicking on it once.
3.	Select the To tab on the right pane.
4.	Under This Rule Applies to Traffic Sent to These Destinations, double-click on System Policy Allowed Sites.
5.	Under the System Policy Allowed Sites Properties, shown in Figure 17.1, ensure that .windowsupdate.com and .microsoft.com sites are entered. Figure 17.1. Modifying System Policy Allowed Sites settings.
6.	Add additional sites as necessary, such as third-party hardware or software vendor sites, by using the New button and entering in the site in the same format as the existing sites.
7.	Click OK twice when changes are done.
8.	Click the Apply button, and then click OK to save the changes to ISA.

Working with Windows Update to Patch the Operating System

Utilizing the Windows Update websites gives a greater degree of control to updating an ISA server, while at the same time making it easier for an administrator to determine what patches are needed. Assuming the Windows Update site has been added to the System Policy Allowed Sites group, as described in the previous section, using this technique to patch an ISA Server is straightforward. Windows Update can be invoked easily by clicking on the built-in link at Start, All Programs, Windows Update.

For step-by-step instructions on using Windows Update to patch an ISA server, see Chapter 2.

Managing ISA Server Updates and Critical Patches

In addition to operating system updates, the ISA application itself may require patching. This involves installing and configuring an ISA Standard Edition server with the latest service pack for ISA, in addition to checking the ISA website at Microsoft for updates to ISA. Up-to-date information on patch availability for ISA Server 2004 can be found at the following URL:

http://www.microsoft.com/isaserver/downloads/2004.asp

In addition, it may be helpful to review the ISA Server community boards on such websites as http://www.isaserver.org, http://www.isatools.org, and http://www.msisafaq.de for updates and issue troubleshooting on a regular basis. Reviewing the real world deployment issues and questions on these sites can be an important part of maintaining an ISA server.

Prototyping ISA Server Patches Before Updating Production Equipment

In general, it is always good practice to prototype the deployment of patches for an ISA system before they are installed on a production system. A spare ISA server in a lab environment is an ideal candidate for this type of deployment. In addition, a robust backup and restore plan for ISA, in the event of an installed patch taking a server down, should be developed. For more information on backing up and restoring ISA, see Chapter 18, "Backing up, Restoring, and Recovering an ISA Server 2004 Environment."