Unless you're using ISA Server as just a Web proxy and caching server, don't install any other services or applications on the ISA Server computer. By installing additional applications on your server, you will increase the attack surface, which reduces the security of your environment. Avoid running ISA Server on domain controllers or other existing server configurations whenever possible.
There are some exceptions to this rule. One notable exception is Microsoft Small Business Server, in which ISA Server—along with all the other services and applications—must be installed on the same computer. For more information about how to ensure the most secure Small Business Server configuration possible, see Chapter 20. In any case, adhere to the following guidelines when choosing where to install your ISA server:
Place ISA Server on a dedicated computer. If you must run other services or applications on the server, limit the number of them, and run those services under accounts that have limited rights.
If you are using ISA Server as a front-end firewall, you should install it in a workgroup or a separate domain. This creates an additional layer of security: if attackers compromise your ISA server, they will not immediately have access to your domain.