The most impressive and useful addition to Windows Server 2003 Service Pack 1 has to be the Security Configuration Wizard (SCW). SCW allows for a server to be completely locked down, except for the very specific services that it requires to perform specific duties. This way, a WINS server responds to only WINS requests, and a DNS server has only DNS enabled. This type of functionality was long sought after and is now available.
SCW enables administrators to build custom templates that can be exported to additional servers, thus streamlining the securing process when multiple systems are set up. In addition, current security templates can be imported into SCW to allow for existing intelligence to be maintained.
The advantages of using the SCW service on an ISA server are immediately identifiable. Because the ISA Server is often directly exposed to the Internet, it is vulnerable to attack and should have all unnecessary services and ports shut down. The Firewall Service of ISA normally drops this type of activity, but it is always a good idea to put in an additional layer of security for good measure.
Installing the Security Configuration Wizard
Installing Service Pack 1 for Windows Server 2003 only makes the SCW component available for installation. It is not installed by default, and must be added from the Add or Remove Programs applet in Windows via the following procedure:
Logged in as a local administrator, click Start, Control Panel, Add or Remove Programs.
Click Add/Remove Windows Components.
Scroll down and check Security Configuration Wizard from the alphabetical list of components, as shown in Figure 2.14. Click Next to Continue.
Figure 2.14. Installing the Security Configuration Wizard.
Click Finish when the installation is complete.
Creating a Custom ISA Security Template with the Security Configuration Wizard
The Security Configuration Wizard contains a wide variety of sometimes confusing securing options, and it is important to understand what each one does before securing ISA's Operating System. Too much securing, and ISA functionality could be crippled. Too little, and ISA is left insecure. It is therefore important to understand the SCW process.
Starting the SCW Template Creation
The following procedure outlines and explains the process for creating a custom security template with SCW that can be used to secure an ISA server:
Logged in as a local administrator, click Start, All Programs, Administrative Tools, Security Configuration Wizard.
At the welcome screen, click Next to continue.
From the list of actions to perform, select Create a New Security Policy and click Next to continue.
Enter the name of the server that is to be used as a baseline. For this example, the local server will be used, so click Next to continue.
After the processing is complete, click Next to continue.
On the Role-Based Service Configuration dialog box, click Next to continue.
The Select Server Roles dialog box, shown in Figure 2.15, enables administrators to define which roles the server is allowed to perform. Roles that are not specifically chosen are disabled by disabling the corresponding service and/or locking down related functionality. Examine the list carefully, and click the arrow buttons to view additional information about each role.
Figure 2.15. Selecting server roles for the Security Configuration Wizard.
Depending on what functionality will be required from the ISA Server that is being set up, various roles must be assigned to the server during this process. If the roles are not configured during this step, the services associated with the particular functionality will be locked down. For example, if the Remote Access/VPN Server role is not checked, VPN access through ISA is disabled. Keeping this in mind, the following list displays some of the default roles that directly relate to ISA functionality. Additional roles may be displayed or may be necessary, and it is important to choose the ones that are required.
File Server This role is necessary if the Firewall client share will be utilized on the ISA Server. Most ISA installations do not require this service because it is most commonly installed on a standard file server within the organization. The service exists only to distribute the Firewall client to internal network users.
Microsoft Internet Security and Acceleration Server 2004 This role is required for any ISA server deployments.
Middle-Tier Application Server (COM+/DTC) This role is required if the Message screening service is installed and configured on the ISA Server because it is a component of Internet Information Services (IIS). The Message Screening service allows for advanced screening of SMTP messages for content and basic anti-spam functionality, effectively allowing ISA to act as a mail relay.
Remote Access/VPN Server This role is required if the ISA server will handle Virtual Private Network (VPN) clients. It is important to note that, by default, VPN functionality is disabled on an ISA server, and it must be enabled manually. Consequently, the Security Configuration Wizard does not check the box next to this role by default because it doesn't see it as a running service. This box must be checked if future VPN functionality will be needed, however.
SMTP Server This role is the second piece of the Message Screening service, as described previously.
The other roles listed on this dialog box, such as DFS Server, Telnet Server, Print Server, and Internet Connection Sharing Server, should typically not be checked, to maintain a smaller attack surface on the ISA server. With the roles unchecked, their services are disabled.
Unchecking the Print Server role disables the Spooler service, which effectively disables printing to and from the ISA Server. It is generally best practice not to print from a server, particularly from a security server such as ISA.
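A quick way to verify that the roles left unchecked really did result in disabled services is to query the service startup modes before and after the policy is applied. The following PowerShell script is an added example, not code from the book or from Microsoft; it assumes (labelled in the comments) which Windows service sits behind each SCW role, since the text itself names only the Spooler service for the Print Server role, and it assumes the ISA Server 2004 service names fwsrv, isactrl, isasched and isastg.

```powershell
# Added example (not from the book): audit the Windows services behind the SCW
# server roles discussed above. Apart from Spooler (named in the text), the
# role-to-service mapping below is an assumption about the standard service names.
$RoleServices = @{
    'File Server'                                              = @('LanmanServer')
    'Middle-Tier Application Server (COM+/DTC)'                = @('MSDTC')
    'Remote Access/VPN Server'                                 = @('RemoteAccess')
    'SMTP Server'                                              = @('SMTPSVC')
    'Print Server'                                             = @('Spooler')
    'Telnet Server'                                            = @('TlntSvr')
    'DFS Server'                                               = @('Dfs')
    'Internet Connection Sharing Server'                       = @('SharedAccess')
    # ISA Server 2004 service names are an assumption, not stated in the text.
    'Microsoft Internet Security and Acceleration Server 2004' = @('fwsrv', 'isactrl', 'isasched', 'isastg')
}

# Roles this particular ISA host is meant to keep; edit to match the wizard choices.
$KeepRoles = @('Microsoft Internet Security and Acceleration Server 2004',
               'Remote Access/VPN Server')

foreach ($role in ($RoleServices.Keys | Sort-Object)) {
    $expectDisabled = -not ($KeepRoles -contains $role)
    foreach ($name in $RoleServices[$role]) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped).
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            Write-Host ('{0,-58} {1,-13} not installed' -f $role, $name)
            continue
        }
        $status = 'OK'
        if ($expectDisabled -and $svc.StartMode -ne 'Disabled') {
            $status = 'REVIEW: role unchecked but service not Disabled'
        }
        if ((-not $expectDisabled) -and $svc.StartMode -eq 'Disabled') {
            $status = 'REVIEW: role kept but service Disabled'
        }
        Write-Host ('{0,-58} {1,-13} {2,-9} {3,-8} {4}' -f $role, $name, $svc.StartMode, $svc.State, $status)
    }
}
```

Run it once before the wizard to record the baseline and again after the policy is applied; any line marked REVIEW points at a role whose wizard choice and actual service state disagree.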
Configuring SCW Roles and Options
To continue with the SCW, perform the following steps:
Check the roles that the server is to perform, then click Next to continue.
Review the options on the Select Client Features dialog box, illustrated in Figure 2.16, which lists client features of the server. Check the appropriate boxes to enable functionality that the server requires.
Figure 2.16. Selecting client roles for the Security Configuration Wizard.
The list of client roles that should be enabled on the server is no less complex than the server roles that were already configured. Properly securing an ISA server is contingent on configuring only those services that are necessary. Browse through the roles listed in the Client Features dialog box, clicking the arrows to view more information about each feature. The following are several features that may need to be enabled for an ISA server to function correctly, depending on its function:
Automatic Update Client This feature can be enabled if capability to automatically detect and download new patches for the operating system is required. In general, it is best practice to disable this functionality for an ISA server and instead set up a manual schedule of updating the operating system through a web browser or through manual patch execution on a regular basis.
DNS Client This feature is often enabled if the ISA server needs to contact DNS servers for the purposes of using the web (for patching) and/or contacting internal network services. In highly secure situations, however, this feature can be disabled and a static hosts file can be used for any name resolution required.
DNS Registration Client This service, although enabled by default, is best left disabled. The ISA server should not normally be writing its own records onto DNS servers. In most cases, if specific DNS records are required for internal resolution to an ISA server, for caching or another purpose, these records can be statically assigned.
Domain Member If the decision was previously made to configure ISA as a domain member, this feature needs to be enabled. If, however, it is being set up as a workgroup member, it should be disabled.
Microsoft Networking Client This service enables the ISA server to connect to other servers on a network. This feature is typically enabled if the server is a domain member. In other cases, such as with workgroup membership or when the ISA server is set up for a very specific purpose, such as a reverse-proxy server in the DMZ of an existing firewall, it would be disabled. Disabling this service disallows the ISA server from connecting to any mapped drives or shares on other servers.
The other client features listed in this dialog box, such as WINS client, SQL client, DHCP Client, and the others listed, are rarely configured on a dedicated ISA Server for security reasons. It is best to leave them disabled during the Security Configuration Wizard setup process.
Continuing with the SCW Configuration Process
To continue with the SCW, perform the following steps:
After checking the boxes for the features that will be enabled and unchecking those that will be disabled, click Next to continue.
On the next dialog box, titled Select Administration and Other Options, narrow the list of options down by clicking on the arrow in the View drop-down box and choosing Selected Options, as shown in Figure 2.17. The figure displays the options that remain after several options have been deselected.
Figure 2.17. Selecting administration roles.
Filtering by Selected Options displays all the options that the wizard has chosen by default. Many of these options are unnecessary, and a review and audit of each option should be undertaken. The rule of thumb for configuring these and all the other SCW options is to check only those options that are absolutely necessary for the server to function.
The following list describes several of the options that can be enabled or disabled. It is important to thoroughly review each item to ensure that the server is properly secured.
Application Experience Lookup Service This service, installed with Windows Server 2003 Service Pack 1, is a new feature that automatically checks applications for compatibility issues when they are launched. This is an unnecessary service for an ISA Server, and it should normally be disabled.
Application Installation from Group Policy This option should almost always be disabled on an ISA server because it is not good practice to have applications automatically installed, whether from Active Directory or any other location.
Backup (NT or 3rd Party) Enabling this option turns on the appropriate services and ports to allow the ISA Server to be backed up with NTBackup or another third-party backup solution. Although backup functionality is a common feature, ISA can potentially disable this service if the configuration is manually exported to XML files on a regular basis. For more information on setting up this type of functionality, refer to Chapter 18, "Backing up, Restoring, and Recovering an ISA Server 2004 Environment."
Back Up to Local Hardware This option goes hand in hand with the previous option. In fact, if it is enabled, the Backup (NT or 3rd Party) option must be enabled as well. This option enables the ISA server to perform backups to locally attached tapes or other media. Both these backup options can be enabled, depending on the backup method and procedure chosen. If they are not needed, they should be disabled.
Error Reporting Enabling this option allows faults and errors to be sent to Microsoft for troubleshooting and analysis. Although the information is never automatically sent, it is common best practice to disable this, unless troubleshooting a problem with Microsoft. Unchecking this option disables only the part of error reporting that sends the information to Microsoft, and the local console is still notified when a fault occurs. The entire error reporting service can be disabled in the System Properties under the Control Panel, if necessary, although this is not a common securing technique.
Help and Support The Help and Support option does what one would think: It enables display of Windows help topics and troubleshooting. It is not common to disable this because the service is not published to outside access, and it may be useful for troubleshooting in the future. It can be disabled, however, if it will not be utilized.
Link Tracking for Users' Shortcuts This service is typically not required for an ISA server. It proactively tracks the files to which a logged-in user has shortcuts and checks whether they have been renamed or moved. Because it requires the server to probe the network occasionally, it is recommended to disable this service.
Local Application Installation This option enables applications to be installed or modified on the ISA Server. Because this also applies to patches and updates, it is not normally disabled. For the most paranoid environments, however, it can be disabled and then re-enabled when updates or new applications are necessary.
Microsoft Internet Security and Acceleration Server 2004: Client Installation Share This option allows the Firewall client share to exist on the ISA Server for clients to use. While installed as part of a full installation, it should only be enabled if there is no other location on the network available to place the Firewall client installation files. If this functionality is required, however, it can be enabled.
Microsoft Internet Security and Acceleration Server 2004: MSDE Logging This option enables the Microsoft Desktop Engine (MSDE) SQL database to operate, which gives ISA the capability to perform advanced logging to a SQL-style database. For security reasons, the MSDE database is accessible only to local system access, which reduces the threat of SQL-borne viruses and exploits such as SQL Slammer. Although ISA is capable of logging to text or other formats, the advanced ISA logging capabilities are desirable in many cases, so it may be wise to install and maintain this. If it is not used, however, this should not be enabled.
Remote Desktop Administration Enabling this option allows for remote administration of the entire ISA server via the Remote Desktop Protocol (RDP). RDP administration of an ISA Server is common for managing the ISA services, and it can simplify ISA configuration in the future. It is important to note that enabling this option simply keeps the Remote Desktop Administration service enabled, but the Firewall service of ISA blocks access from all systems unless specified in the System Policy. If RDP will not be utilized, disable this option. For more information on remote administration of an ISA server, refer to Chapter 3.
Remote SCW Configuration and Analysis When this option is enabled, the Security Configuration Wizard can configure the server remotely. It should always be disabled on an ISA Server because remote configuration requires the Windows Firewall to be installed, which cannot run on an ISA Firewall.
Remote Windows Administration This option allows for remote administration of the MMC-related administrative tools on the server, such as the Event Viewer, Registry Editor, Performance Logs and Alerts, Local Users and Groups, and any of the administrative functions that can be remotely attached. In most cases, it is best to disable this option because remote administration of these services, even though explicitly blocked by the Firewall service, can be dangerous.
Shadow Copying The Shadow Copy Service takes snapshot backups of files on volumes that have been enabled for this service. This service is typically used on file servers, where data is dynamically changed on a regular basis and normally does not need to be installed and configured on an ISA Server.
SQL Server Active Directory Helper This service should be disabled on an ISA Server because its function is to allow a SQL Server to publish itself in Active Directory when certain permissions are used.
Time Synchronization The Time Synchronization option enables Network Time Protocol (NTP) to be used to keep the server's clock in sync. Keeping the clock synchronized to a known time source, such as pool.ntp.org or an internal NTP server, is an effective way to keep audit event timestamps accurate and avoid replay attacks, so it is often good practice to keep this service enabled and subsequently configure ISA to use a time source. More information on using NTP with ISA can be found in Chapter 3. If this service is disabled, the clock should be manually synchronized with a known good time source on a regular basis.
Web Proxy Auto-Discovery The Web Proxy Auto-Discovery (WPAD) service permits certain HTTP traffic to be executed with fewer privileges than it would be normally. This would serve to strengthen security, but the service function becomes moot if web browsing is not performed. Because a server should not be used for web browsing, save for such activities as Windows Update, it is better to disable this option because it requires services such as the DHCP client, which can introduce other vulnerabilities.
Windows User Mode Driver Framework Part of the .NET Framework, this option turns on a service that is intended to provide a framework for drivers to behave properly and reduce system crashes. In general, this functionality is simply additional overhead and a potential security hole, so it is recommended to disable it on an ISA Server. As always, all server drivers should be properly stress-tested and validated to avoid the types of problems that this service attempts to fix.
No additional Administrative options are necessary for ISA functionality, so it is therefore not recommended to enable any other options unless there is a very specific need to do so. Go on with the following steps:
After the list of selected options has been chosen, click Next to continue with the SCW process.
The next dialog box, labeled Select Additional Services, lists any custom services that may be required for the server to function. This list normally includes items such as hardware monitoring services that were installed with the operating system. Carefully look through the options and select only those that are absolutely necessary. Click Next to continue.
The Handling Unspecified Services dialog box that appears next controls how services not identified during the SCW process are handled. The two options provided are to leave such services alone (Do Not Change the Startup Mode of the Service) or to shut down any services that were not identified in the SCW process (Disable the Service). For security purposes, it is best to configure the server to disable any unidentified services.
Locking Down Services with SCW
To continue with the SCW process, do the following:
Choose Disable the Service and then click Next to continue.
At the confirmation dialog box, similar to the one shown in Figure 2.18, look over each of the changes that SCW will make to ensure that they are accurate. After they are verified, click Next to continue.
Figure 2.18. Confirming service changes with SCW.
The dialog box that follows contains a section that enables the Windows Firewall component to be configured. Because the Windows Firewall should not be used on an ISA Server 2004 system (ISA is a much more capable Firewall), the check box for Skip This Section should be checked. Click Next to continue.
The next dialog box displayed offers the opportunity to modify Registry settings to block communication with particular types of clients. It is generally advisable not to skip this section, so the check box should not be checked. Click Next to continue.
The subsequent dialog box, shown in Figure 2.19, allows for the server to be locked down to accept only Server Message Block (SMB) traffic, which is Microsoft's file and print traffic, that has been digitally signed. Because most ISA server implementations do not allow SMB traffic to reach the server, this setting becomes moot. However, if the Firewall client share is configured, SMB traffic is allowed, and it is much more secure to force the SMB traffic to be digitally signed, so as to avoid "man in the middle" types of exploits against the ISA Server.
Figure 2.19. Configuring SMB signing options.
Although it is true that enabling this option prevents downlevel clients (Windows 3.1, Windows 95/98 without the Directory Services Client, Windows NT pre-Service Pack 6a) from connecting to the Firewall client share, they are not supported by the Firewall client, so it is not desirable to grant them access.
Even without the Firewall client share in place, it may be advisable to configure these options to add an additional layer of security to ISA, in the event that a problem with the Firewall service allows SMB traffic to be sent to the machine. To continue with the Template creation, do the following:
Ensure that both check boxes on the SMB Security Signatures dialog box are checked, and click Next to continue.
The subsequent dialog box, shown in Figure 2.20, controls outbound authentication levels, which should normally be set to the default, Domain Accounts. This strengthens security as downlevel authentication attempts, which can often be decrypted and/or deciphered, are disabled. Click Next to continue.
Figure 2.20. Configuring outbound authentication methods.
The next dialog box, Outbound Authentication Using Domain Accounts, controls LAN Manager authentication levels. In nearly all environments, except for those with downlevel (pre-Windows NT 4.0 Service Pack 6a) systems, the check box for Windows NT 4.0 Service Pack 5a or Later Operating Systems can be checked. This strengthens the authentication level used for outbound connections, making it less likely that passwords will be decrypted through the use of brute-force techniques.
In addition, the setting for Clocks That Are Synchronized with the Selected Server's Clock can be checked if there is a clock synchronization scheme in place, such as NTP, and/or if the domain controllers in the domain are Windows Server 2003 or greater. Once again, this affects only outbound attempts to communicate with file servers from the ISA Server, which is often disabled, so many of these options may seem redundant and unnecessary. As previously mentioned, however, it is ideal to configure as many layers of security as possible without breaking functionality, and there are very few downsides to configuring these options, so it is always a good idea to set them.
Go on with the following steps:
Check both boxes on the Outbound Authentication Using Domain Accounts dialog box (if the criteria mentioned earlier have been satisfied) and click Next to continue.
Uncheck the two boxes on the subsequent dialog box, which configures inbound authentication methods, to disable support for the lower-security forms of authentication. Because the only clients that would connect with the authentication methods listed are clients that cannot install the Firewall client from the Firewall client share, it is not necessary to provide that form of support. Click Next to continue.
Review the Registry changes that will be made on the subsequent dialog box, similar to the ones shown in Figure 2.21. Click Next to continue.
Figure 2.21. Confirming Registry Settings changes in SCW.
The Audit Policy dialog box is for configuring audit settings. Because it is highly recommended to audit who logs in to an ISA server, it is advisable not to skip this section. Click Next to continue.
On the next dialog box, labeled System Audit Policy, change the setting to Audit Successful and Unsuccessful Activities. Although more processor intensive, it helps increase the security of the ISA server. Click Next to continue.
Review the Audit Policy summary on the next dialog box. Leave the box checked to include the SCWAudit.inf security template, which properly sets System Access Control Lists (SACLs) for file-level audit access. Click Next to continue.
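The SMB signing, outbound/inbound authentication and audit choices made in the steps above all end up as registry values and local security policy settings, so they can be verified after the policy is applied rather than taken on trust. The following PowerShell script is an added example, not code from the book or from Microsoft. The registry paths are the standard Windows locations for SMB signing (LanmanServer and LanmanWorkstation RequireSecuritySignature/EnableSecuritySignature) and LAN Manager authentication (Lsa\LmCompatibilityLevel and Lsa\NoLMHash); the expected values are my assumptions for a hardened ISA host that unchecked both inbound downlevel authentication boxes, not values the book states. The audit check exports the local policy with secedit and reads the [Event Audit] section, where 3 means success and failure are both audited.

```powershell
# Added example (not from the book): verify the settings the wizard writes for
# SMB signing, LAN Manager authentication and auditing after the policy is applied.
# Expected values below are assumptions for a hardened ISA host, not from the text.

function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Each check: registry path, value name, minimum acceptable value, description.
$Checks = @(
    @{ Path = $srv; Name = 'RequireSecuritySignature'; Min = 1; Label = 'Server requires SMB signing' },
    @{ Path = $srv; Name = 'EnableSecuritySignature';  Min = 1; Label = 'Server offers SMB signing' },
    @{ Path = $wks; Name = 'RequireSecuritySignature'; Min = 1; Label = 'Workstation requires SMB signing' },
    @{ Path = $wks; Name = 'EnableSecuritySignature';  Min = 1; Label = 'Workstation offers SMB signing' },
    # Level 5 = send NTLMv2 only and refuse LM and NTLM (assumed target after unchecking both inbound boxes).
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';     Min = 5; Label = 'LAN Manager authentication level' },
    @{ Path = $lsa; Name = 'NoLMHash';                 Min = 1; Label = 'LM password hashes not stored' }
)

foreach ($c in $Checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($actual -eq $null) { $shown = 'missing'; $ok = 'REVIEW' }
    elseif ([int]$actual -ge $c.Min) { $shown = $actual; $ok = 'OK' }
    else { $shown = $actual; $ok = 'REVIEW' }
    Write-Host ('{0,-36} {1,-26} actual={2,-8} expected>={3,-3} {4}' -f $c.Label, $c.Name, $shown, $c.Min, $ok)
}

# Audit policy: export the effective local policy and read the [Event Audit] section.
# secedit writes a Unicode .inf; values are 0 none, 1 success, 2 failure, 3 both.
$inf = Join-Path $env:TEMP 'scw-audit-check.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
$lines = Get-Content -Path $inf -Encoding Unicode

$AuditNames = @('AuditLogonEvents', 'AuditAccountLogon', 'AuditAccountManage',
                'AuditPolicyChange', 'AuditPrivilegeUse', 'AuditSystemEvents', 'AuditObjectAccess')
foreach ($n in $AuditNames) {
    $val = -1
    foreach ($line in $lines) {
        if ($line -match ('^\s*' + $n + '\s*=\s*(\d)')) { $val = [int]$matches[1]; break }
    }
    if ($val -eq 3) { $ok = 'OK' } else { $ok = 'REVIEW: not auditing success and failure' }
    Write-Host ('{0,-36} value={1,-3} {2}' -f $n, $val, $ok)
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Run it from an administrative console on the ISA host itself; if the Firewall client share is not in use the SMB lines matter less, but the LAN Manager and audit lines apply regardless of how the server is reached.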
Under Save Security Policy, click Next to continue.
The next set of options is for specifying where the XML-based file that contains the security policy SCW creates will be saved. Enter a path for saving the policy and a name for the policy, similar to what is shown in Figure 2.22. It may also be helpful to include a description of the security policy.
Figure 2.22. Saving the Security Policy file.
If the View Security Policy button is clicked, the SCW Viewer is invoked to enable the policy options to be viewed. In addition, the Include Security Templates button enables you to add preconfigured security template (.inf) files to the security policy.
Applying the SCW Template
To apply the SCW Template that was created, do the following:
After entering a path, name, and description for the policy, click Next to continue.
The choice to apply the security policy now or at a later time is given in the next dialog box. For this example, choose Apply Now and click Next to continue.
When complete, click Next to continue.
Click Finish at the summary page.
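The saved XML policy is what makes the template reusable on additional ISA servers, and it can be applied, re-checked for drift and rolled back with the scwcmd command-line tool that ships with SCW instead of walking through the wizard on every host. The following PowerShell functions are an added example, not code from the book or from Microsoft. Because the Remote SCW Configuration and Analysis option is disabled on an ISA server, as recommended earlier, the policy file is copied to each host and the commands run locally; the policy path and results folder are placeholders, and the name of the per-machine report written by scwcmd analyze is an assumption.

```powershell
# Added example (not from the book): apply, re-check and roll back a saved SCW
# policy locally with scwcmd. Paths are placeholders to replace with your own.
$Policy  = 'C:\SCW\ISA-Policy.xml'   # the XML file saved by the wizard (placeholder)
$Results = 'C:\SCW\Analysis'         # where analysis reports are written (placeholder)

function Set-ScwPolicy {
    # Configure the local server from the saved policy; SCW records a rollback point.
    if (-not (Test-Path $Policy)) { Write-Error "Policy file not found: $Policy"; return }
    & scwcmd configure "/p:$Policy"
}

function Test-ScwPolicyDrift {
    # Compare the server's current state against the policy without changing anything.
    if (-not (Test-Path $Results)) { New-Item -ItemType Directory -Path $Results | Out-Null }
    & scwcmd analyze "/p:$Policy" "/o:$Results"
    # Assumption: analyze writes a per-machine report named <COMPUTERNAME>.xml into $Results.
    $report = Join-Path $Results ($env:COMPUTERNAME + '.xml')
    if (Test-Path $report) {
        # Render the report with SCW's own viewer.
        & scwcmd view "/x:$report"
    } else {
        Write-Warning "No analysis report found at $report"
    }
}

function Undo-ScwPolicy {
    # Revert the most recent scwcmd configure on this server.
    & scwcmd rollback
}

# Typical use: Set-ScwPolicy once, then Test-ScwPolicyDrift on a schedule.
Set-ScwPolicy
Test-ScwPolicyDrift
```

Running the analysis on a schedule and reviewing any settings reported as differing from the policy turns the one-time wizard exercise into an ongoing check that nobody has re-enabled a service or loosened an authentication setting on the ISA server.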