Scribd Logo
Upload

Welcome to Scribd!

  • 32 views

    Isa 2000

    Uploaded by

    rrs756
    This document provides an overview and best practices for configuring ISA Server 2000 for security, reliability, and performance. It discusses Windows configuration such as patching, service dependencies, and NIC binding order. For ISA configuration, it recommends testing all policies, separating inbound and outbound duties, backing up regularly, and properly configuring caching arrays. The document also provides references to important security hotfixes and performance guidelines for both Windows and ISA settings.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd

    Isa 2000

    Uploaded by

    rrs756
    32 views72 pages
    This document provides an overview and best practices for configuring ISA Server 2000 for security, reliability, and performance. It discusses Windows configuration such as patching, service dependencies, and NIC binding order. For ISA configuration, it recommends testing all policies, separating inbound and outbound duties, backing up regularly, and properly configuring caching arrays. The document also provides references to important security hotfixes and performance guidelines for both Windows and ISA settings.

    Original Title

    ISA_2000.ppt

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides an overview and best practices for configuring ISA Server 2000 for security, reliability, and performance. It discusses Windows configuration such as patching, service dependencies, and NIC binding order. For ISA configuration, it recommends testing all policies, separating inbound and outbound duties, backing up regularly, and properly configuring caching arrays. The document also provides references to important security hotfixes and performance guidelines for both Windows and ISA settings.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    32 views72 pages

    Isa 2000

    Uploaded by

    rrs756
    This document provides an overview and best practices for configuring ISA Server 2000 for security, reliability, and performance. It discusses Windows configuration such as patching, service dependencies, and NIC binding order. For ISA configuration, it recommends testing all policies, separating inbound and outbound duties, backing up regularly, and properly configuring caching arrays. The document also provides references to important security hotfixes and performance guidelines for both Windows and ISA settings.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    You are on page 1of 72

    ISA Server 2000

    Best Practices from the Field

    Presenters:
    Jim Harrison - Microsoft Corp
    Jim Edwards - Microsoft Corp

    Agenda
    Introduction (Jim Harrison)
    Security (Jim Harrison)
    Reliability (Jim & Jim)
    Performance (Jim Edwards)
    Q&A

    Security
    Windows Configuration
    Domain Association
    Perimeter Network Scenarios
    ISA Configuration
    ISA Policies
    ISA Logs
    References

    Windows Configuration
    Patches, Patches, PATCHES!
    Security checklists on
    Technet
    ISAServer.org
    NSA

    Windows Configuration
    ISA Service Dependencies
    ISA Server Packet Filter Extension (mspfltex)
    Remote Access Connection Manager
    (rasman)
    WMI Driver Extensions (wmi)

    DCOM is required for ISA

    Windows Configuration
    Service Dependencies created by ISA
    ICS (sharedaccess) depends on Microsoft
    Firewall (fwsrv)
    Routing and Remote Access (remoteaccess)
    depends on ISA Control (isactrl)

    Non-Domain

    Separate Domains (Forests)

    Same Forest, Separate Domains

    Single Domain

    TwoTier Perimeter Network

    Third-leg Perimeter Network

    LAT Perimeter Network

    Cache mode
    IP packet filtering NOT Available
    LAT / LDT NOT Available
    Outgoing and Incoming Web Requests
    listener configurations
    Best behind another (ISA) firewall

    Firewall & Integrated modes


    IP Filtering makes this the most secure
    User- / group-based non-web traffic rules
    Single-NIC installation is NOT supported
    without dialup as external
    LAT configuration

    LAT Configuration

    Right

    Wrong

    IP Packet Filtering

    Right

    Wrong

    IP Packet Filtering

    Right

    Wrong

    Admin Rights

    Right

    Right?

    Protocol Rules

    Right

    Protocol Rules

    Wrong

    Site & Content Rules

    Anonymous

    Site & Content Rules

    Unfiltered

    Server Publishing

    Incoming Web Listeners

    Right

    Right ?

    Web Publishing

    Right

    Wrong

    Web Publishing

    Web Publishing

    ISA Logs
    Other Server Logs
    SMTP, DNS, etc.

    Forensic Analysis
    Securityfocus.com article

    Legal Evidence
    Computer Forensics
    Trail of Evidence

    IP Packet Filter Logs


    External scans,
    attacks, spoofs
    Log field selections
    Payload is limited to
    the first 256 bytes

    IP PF Log Examples
    source-ip

    destination-ip proto param#1 param#2

    flags

    68.124.157.106
    193.179.148.234

    123.123.123.10 Tcp
    123.123.123.12 Tcp

    1646
    4738

    17300
    22

    SYN
    SYN

    209.221.223.108
    209.221.223.108
    209.221.223.108
    209.221.223.108

    123.123.123.10
    123.123.123.11
    123.123.123.12
    123.123.123.13

    ICMP
    ICMP
    ICMP
    ICMP

    8
    8
    8
    8

    0
    0
    0
    0

    62.111.208.195
    62.111.208.195
    62.111.208.195
    62.111.208.195

    123.123.123.10
    123.123.123.11
    123.123.123.12
    123.123.123.13

    Tcp
    Tcp
    Tcp
    Tcp

    2736
    2737
    2738
    2739

    135
    135
    135
    135

    SYN
    SYN
    SYN
    SYN

    IP PF Log Bonus Slide


    211.41.55.136 123.123.123.11 Tcp 3127 3127 SYN
    211.41.55.136 123.123.123.12 Tcp 3135 3127 SYN
    211.41.55.136 123.123.123.13 Tcp 3140 3127 SYN

    Firewall Logs
    Internal virus / worms
    detection
    Log field selections
    WP and FW share
    many logging options

    Firewall Log Examples


    c-ip

    r-ip

    r-port

    cs-prot s-oper

    sc-status

    192.168.0.1 123.123.123.123
    192.168.0.1 207.46.245.214

    135
    135

    TCP
    TCP

    Connect
    Connect

    13301
    0

    192.168.0.1 207.46.245.214
    192.168.0.1 207.46.245.214

    17300
    17300

    TCP
    TCP

    Connect
    Connect

    13301
    0

    192.168.0.1 207.46.245.214
    192.168.0.1 207.46.245.214

    80
    80

    TCP
    TCP

    Connect
    Connect

    13301
    0

    Web Proxy Logs


    Internal, external virus
    / worms detection
    Log field selections

    Web Proxy Log Examples


    CodeRed
    <SourceIP>
    <SourceIP>

    GET
    GET

    www
    www

    12202
    200

    Nimda
    <SourceIP>
    <SourceIP>

    GET
    GET

    <ISAExtIP>
    <ISAExtIP>

    12202
    200

    Auth Failure
    <SourceIP>

    GET

    http://www.thatsite.tld

    12209

    Romper-Room No-Nos
    IP Packet Filtering off & IP Routing on
    Enable IP Routing via RRAS or TCP/IP
    LAT includes external (or DMZ) subnets
    Same-subnet on internal / external NICs
    FW Client installed on the ISA
    All destinations web publishing rule

    Security and Critical Hotfixes


    Service Pack 1
    KB 283213 ICMP blocking (Nachi defense)

    Post SP1
    KB 319374 & 321846 Web Proxy crash
    MS02-027 BO in Gopher protocol handler
    MS03-009 DoS in DNS IDS filter
    MS03-012 DoS in Firewall Service
    MS03-028 XSS in ISA Error pages
    MS04-001 H.323 Vulnerability

    Security References
    Microsoft checklists and guides:
    http://www.microsoft.com/technet/security/chklist/Default
    .asp
    http://www.microsoft.com/technet/security/tools/default.a
    sp

    CC configuration
    https://s.microsoft.com/isaserver/code/commoncriteria/

    Security References
    NSA configuration
    http://www.nsa.gov/snac/win2k/guides/w2k-11.pd
    f
    http://www.nsa.gov/snac/win2k/guides/inf/isa.inf

    Log Forensics
    http://securityfocus.com/infocus/1712

    Reliability
    Windows Considerations
    ISA Server 2000 Firewall Considerations

    Reliability Windows Settings


    NIC binding order
    Routing table
    Patch Patch Patch!
    Redundancy
    System Services
    Extraneous Services

    Reliability Windows Settings:


    NIC Binding Order

    Internal

    Top of list
    NO Default gateway
    DNS/WINS

    External
    Default gateway
    Dial up issues

    RAS
    Dial up issues

    DMZ
    Doesnt matter

    Reliability Windows Settings:


    Routing Table

    Static Routes

    Windows
    routing table
    RRAS routing
    table

    Dynamic Routes
    VPN issues

    VPN Clients
    Mystery of the Windows VPN client gateway

    Reliability Windows Settings:


    Patches!

    Service Packs

    Install them now


    Latest OS and ISA SP and FP

    Hotfixes
    Do you need them?
    What about Windows Update?

    Security Updates
    Whats going to break?

    Testing lab
    Mirror config in lab
    Dont let the production network be your regression
    testing lab

    Reliability Windows Settings:


    Redundancy

    What are you


    trying to accomplish?
    Web v. Server
    Publishing Rules
    NLB v. Rainwall
    Bidirectional
    what?

    Hardware Load
    Balancers
    Pay to play

    RainConnect

    Redundant Internet
    connectivity
    Outbound and inbound

    NextLAND Proturbo 800

    Reliability Windows Settings:


    System Services

    Disable Junk Services


    (list several of these)

    Determining Required
    Services
    Disable and test

    Remote Registry
    Service

    Reliability Windows Settings:


    Extraneous Software

    Server Services

    Its a firewall, not a firesale

    Not a workstation
    No Kaaza
    No VPN client connections

    Plug Ins
    Test test test

    Reliability ISA Settings


    Test All Policies
    Separate Inbound and Outbound Duties
    Backing Up
    Caching Arrays

    Reliability ISA Settings:


    Field Test All Policies
    Protocol Rules

    The dreaded all open rule

    Site and Content Rules

    Kill anonymous access Site and


    Content Rules
    Server client address set for
    anonymous access

    Kill the HTTP (Re)Director

    Cant block via Site/Content rules

    Packet Filters

    This aint no pix(en)

    Web and Server Publishing Rules


    FQDN in Destination Sets
    The mystery of the ephemeral
    outbound IP address

    VMware

    Buy now or pay later

    Reliability ISA Settings:


    Separate Inbound and Outbound
    Separate Inbound and Outbound Servers
    Inbound Servers
    Web Publishing and
    Memory
    Server publishing
    performance

    Outbound Servers

    Authentication traffic and


    performance
    Active caching and traffic

    Bandwidth

    Kill bandwidth rules

    Reliability ISA Settings:


    Backing Up
    Integrated Backup Tool
    Who needs em?

    Import/Export Script

    Different IP address publishing/filters (IP specific)

    ISAinfo script (better know everything before you


    need to restore)
    Disk Imaging
    Careful of different hardware

    Using VMware Images

    Works great performance


    issues

    Reliability ISA Settings:


    Caching Array
    Caching Array
    Not fault tolerance scheme
    Load balancing v. load sharing
    The miracle of wpad and autodiscovery

    Reliability ISA Settings:


    Autoconfiguration and Autodetection
    Wpad
    DHCP
    DNS

    Group Policy
    IEAK
    Registry file
    Firewall client
    installation

    Reliability Hotfixes
    ISA Server Service Pack 1
    http://www.microsoft.com/isaserver/downloads/ s
    p1.asp

    ISA Server 2000 Hotfix for Rules Engine and


    Potential Web Proxy Service Crash
    http://www.microsoft.com/downloads/details.aspx
    ? displaylang=en&FamilyID=235B14FB-CDB4-4FCE-BE
    10-E25F869DD40E

    Flaw In ISA Server DNS Intrusion Detection


    Filter Can Cause Denial Of Service

    http://www.microsoft.com/technet/treeview/default.asp
    ?url=/technet/security/bulletin/MS03-009.asp

    Reliability Hotfixes
    Flaw In Winsock Proxy Service And ISA
    Firewall Service Can Cause Denial Of
    Service
    http://www.microsoft.com/technet/treeview/
    default.asp?url=/technet/security/bulletin/
    MS03-012.asp

    Update Rollup for ISA Server Services


    http://support.microsoft.com/default.aspx?
    scid=kb;EN-US;810493

    Key References
    Shinder ISA Server 2000 Section
    www.isaserver.org/shinder

    Jim Harrisons ISAtools Site


    www.isatools.org

    ISA Server Performance Best Practices


    http://www.microsoft.com/technet/security/
    prodtech/ISA/ISAPrfBP.asp?frame=true

    Performance

    Windows Configuration
    ISA Configuration

    Performance; Windows Settings


    IP Stack configuration
    TcpTimedWaitDelay & StrictTimeWaitSeqCheck
    Remove QOS when not using ISA Bandwidth Control

    Page File

    Separate physical drive


    Not compressed/encrypted volume

    Physical memory
    1024 Meg Minimum
    3072 Meg Maximum
    /3GB switch Reverse Web Cache only

    Performance; Windows Settings


    Disk subsystem Only for Web Cache
    RAID 0 if using RAID

    NIC
    Server class, 64-bit PCI-X
    Multiprocessor - HW Interrupt Partitioning

    SSL/IPSec Accelerators
    Good only for large number of HTTPS connections

    Processors (class / quantity)


    Do not use the ISA server as a workstation

    Performance; Windows Settings


    Domain Topology
    Large number of NTLM authentication
    requests
    DNS

    Logical Network
    Single Default Gateway on ISA Server

    Performance; ISA Settings


    Rule elements Less granular
    Rule processing increases linearly
    Small number of Rules with large Destination Sets

    Enable Kernel Mode Data Pump IP Routing


    Significant increase to most capacity intensive
    Protocols
    Disable filtering of IP fragments

    Firewall & Web Proxy service DNS Cache


    By default, services hold last 3000 DNS records
    for 6 hours, regardless of TTL

    Performance; ISA Settings


    Server Publishing

    Non RPC
    RPC

    Web Publishing

    Fewer Rules with large Destination Sets. Faster, less


    secure.
    More Rules with small Destination Sets. Slower, more
    secure.
    Skip name resolution

    Memory Usage

    Firewall Service
    Web Service

    Performance; ISA Settings


    Split purpose
    Web Proxy
    Web Publishing
    Firewall
    Logging
    Ideal is Off. Not going to happen
    Logging Fails, ISA stops serving content
    File
    Database
    Reporting
    Disable

    Performance; ISA Clients


    Outbound
    Use Remote WinSock (RWS) client where
    possible
    Set web browsers to use ISA server as Web
    Proxy
    Streaming media clients

    Performance; Registry Re-Cap


    Disk

    Disable short name creation.


    HKLM\SYSTEM\CurrentControlSet\Control\
    Filesystem DWord NtfsDiable8dot3NameCreation
    0x1
    Disable last access update.
    HKLM\SYSTEM\CurrentControlSet\Control\
    Filesystem DWordNtfsDsiableLastAccessUpdate
    0x1
    Multiprocessor only - Bypassing I/O Counters.
    HKLM\SYSTEM\CurrentControlSet\Control\Session
    Manager\I/O System DWord CounterOperations
    0x0

    Performance; Registry Re-Cap


    NTLM Authentication

    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\
    Parameters DWord MaxConcurrentApi 0x3 through
    0x6

    ISA

    Internal DNS Cache


    Web Proxy:
    HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array
    GUID}\ArrayPolicy\WebProxy DWord
    "msFPCDnsCacheSize & "msFPCDnsCacheTtl"
    Firewall: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\
    {Array GUID}\ArrayPolicy\Proxy-WSP DWord
    "msFPCDnsCacheSize & "msFPCDnsCacheTtl

    Performance; Registry Re-Cap


    ISA
    Maximum backlog for incoming TCP
    connections
    Non RPC
    HKLM\System\CurrentControlSet\Services\
    FWSRV\Parameters ServerMappingBlacklog
    DWord key. For Exchange server 0x50, Web
    server 0xA0.
    RPC HKLM\Software\Microsoft\FPC\PluginRPC
    ServerMappingBlacklog and InterfacesBacklog.
    For Exchange RPC ServerMappingBlacklog =
    0xA0 and InterfacesBacklog = 0x50.

    Performance; Registry Re-Cap


    ISA
    Bypass Name Resolution
    HKLM\SYSTEM\CurrentControlSet\Services\
    W3Proxy\Parameters\
    SkipNameResolutionForPublishingRules DWord
    SkipNameResolutionForPublishingRules 0x1
    HKLM\SYSTEM\CurrentControlSet\Services\
    W3Proxy\Parameters\
    SkipNameResolutionForAccessAndRoutingRules
    DWord
    SkipNameResolutionForAccessAndRoutingRules
    0x1

    Performance; References
    Windows
    Disk
    http://www.microsoft.com/technet/prodtechnol/
    windows2000serv/reskit/serverop/part2/
    sopch08.asp
    System
    http://support.microsoft.com/default.aspx?
    scid=kb;en-us;171793
    http://www.microsoft.com/technet/prodtechnol/
    windows2000serv/reskit/serverop/part2/
    sopch10.asp

    Performance; References
    ISA
    http://www.microsoft.com/technet/security/
    prodtech/ISA/ISAPrfBP.asp
    http://www.isaserver.org/tutorials/ISA_Clients__
    Part_1__General_ISA_Server_Configuration.html
    http://support.microsoft.com/default.aspx?
    scid=kb;en-us;326040
    http://support.microsoft.com/default.aspx?
    scid=kb;en-us;291427
    http://support.microsoft.com/default.aspx?
    scid=kb;en-us;292018

    Q&A

    You might also like