
ISA Server 2000

Best Practices from the Field

Presenters:
Jim Harrison - Microsoft Corp
Jim Edwards - Microsoft Corp

Agenda
Introduction (Jim Harrison)
Security (Jim Harrison)
Reliability (Jim & Jim)
Performance (Jim Edwards)
Q&A

Security
Windows Configuration
Domain Association
Perimeter Network Scenarios
ISA Configuration
ISA Policies
ISA Logs
References

Windows Configuration
Patches, Patches, PATCHES!
Security checklists on
Technet
ISAServer.org
NSA

Windows Configuration
ISA Service Dependencies
ISA Server Packet Filter Extension (mspfltex)
Remote Access Connection Manager (rasman)
WMI Driver Extensions (wmi)

DCOM is required for ISA

Windows Configuration
Service Dependencies created by ISA
ICS (sharedaccess) depends on Microsoft Firewall (fwsrv)
Routing and Remote Access (remoteaccess) depends on ISA Control (isactrl)

Domain Association (diagrams)
Non-Domain
Separate Domains (Forests)
Same Forest, Separate Domains
Single Domain

Perimeter Network Scenarios (diagrams)
Two-Tier Perimeter Network
Third-leg Perimeter Network
LAT Perimeter Network

Cache mode
IP packet filtering NOT Available
LAT / LDT NOT Available
Outgoing and Incoming Web Requests
listener configurations
Best behind another (ISA) firewall

Firewall & Integrated modes
IP Filtering makes this the most secure
User- / group-based non-web traffic rules
Single-NIC installation is NOT supported without dialup as external
LAT configuration

LAT Configuration (figures: Right / Wrong)

IP Packet Filtering (figures: Right / Wrong)

IP Packet Filtering (figures: Right / Wrong)

Admin Rights (figures: Right / Right?)

Protocol Rules (figure: Right)

Protocol Rules (figure: Wrong)

Site & Content Rules (figure: Anonymous)

Site & Content Rules (figure: Unfiltered)

Server Publishing (figure)

Incoming Web Listeners (figures: Right / Right?)

Web Publishing (figures: Right / Wrong)

Web Publishing (figure)

Web Publishing (figure)

ISA Logs
Other Server Logs
SMTP, DNS, etc.

Forensic Analysis
Securityfocus.com article

Legal Evidence
Computer Forensics
Trail of Evidence

IP Packet Filter Logs
External scans, attacks, spoofs
Log field selections
Payload is limited to the first 256 bytes

IP PF Log Examples

source-ip        destination-ip   proto  param#1  param#2  flags
68.124.157.106   123.123.123.10   Tcp    1646     17300    SYN
193.179.148.234  123.123.123.12   Tcp    4738     22       SYN
209.221.223.108  123.123.123.10   ICMP   8        0
209.221.223.108  123.123.123.11   ICMP   8        0
209.221.223.108  123.123.123.12   ICMP   8        0
209.221.223.108  123.123.123.13   ICMP   8        0
62.111.208.195   123.123.123.10   Tcp    2736     135      SYN
62.111.208.195   123.123.123.11   Tcp    2737     135      SYN
62.111.208.195   123.123.123.12   Tcp    2738     135      SYN
62.111.208.195   123.123.123.13   Tcp    2739     135      SYN

IP PF Log Bonus Slide

source-ip        destination-ip   proto  param#1  param#2  flags
211.41.55.136    123.123.123.11   Tcp    3127     3127     SYN
211.41.55.136    123.123.123.12   Tcp    3135     3127     SYN
211.41.55.136    123.123.123.13   Tcp    3140     3127     SYN

Firewall Logs
Internal virus / worm detection
Log field selections
WP and FW share many logging options

Firewall Log Examples

c-ip         r-ip             r-port  cs-prot  s-oper   sc-status
192.168.0.1  123.123.123.123  135     TCP      Connect  13301
192.168.0.1  207.46.245.214   135     TCP      Connect  0
192.168.0.1  207.46.245.214   17300   TCP      Connect  13301
192.168.0.1  207.46.245.214   17300   TCP      Connect  0
192.168.0.1  207.46.245.214   80      TCP      Connect  13301
192.168.0.1  207.46.245.214   80      TCP      Connect  0

Web Proxy Logs
Internal, external virus / worm detection
Log field selections

Web Proxy Log Examples

(column headings inferred from the W3C field names; only the values were on the slide)
example       c-ip        s-operation  r-host                    sc-status
CodeRed       <SourceIP>  GET          www                       12202
CodeRed       <SourceIP>  GET          www                       200
Nimda         <SourceIP>  GET          <ISAExtIP>                12202
Nimda         <SourceIP>  GET          <ISAExtIP>                200
Auth Failure  <SourceIP>  GET          http://www.thatsite.tld   12209
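The three log slides (IP packet filter, Firewall, Web Proxy) show raw rows but not the triage that turns them into findings. The following is an added example, not code from the deck or from ISA Server. It parses rows constructed from the slide values and applies the checks the slides imply: a horizontal sweep in the packet-filter log (one external source, one service, several internal addresses: the ICMP echo sweep, the port-135 sweep and the port-3127 bonus slide), internal clients opening worm ports outbound in the firewall log, and authentication failures (12209) and denials in the web proxy log. Assumptions not stated on the slides: param#1/param#2 are source/destination port for TCP and type/code for ICMP (8/0 is an echo request); firewall sc-status 0 is an allowed connection and any other value a refused one; 12202 is read as a policy denial (check it against the ISA result-code list); the sweep threshold, the worm-port list and the client addresses substituted for <SourceIP>/<ISAExtIP> are constructed.

```python
from collections import defaultdict

# Tuning assumptions for this example, not values from the deck.
SWEEP_MIN_HOSTS = 3          # distinct targets before one source counts as a sweep
WORM_PORTS = {135, 17300}    # ports the firewall-log slide shows being probed

# IP packet filter rows from the slides; ICMP rows carry no flags, written "-".
PF_LOG = """\
68.124.157.106  123.123.123.10 Tcp  1646 17300 SYN
193.179.148.234 123.123.123.12 Tcp  4738 22    SYN
209.221.223.108 123.123.123.10 ICMP 8    0     -
209.221.223.108 123.123.123.11 ICMP 8    0     -
209.221.223.108 123.123.123.12 ICMP 8    0     -
209.221.223.108 123.123.123.13 ICMP 8    0     -
62.111.208.195  123.123.123.10 Tcp  2736 135   SYN
62.111.208.195  123.123.123.11 Tcp  2737 135   SYN
62.111.208.195  123.123.123.12 Tcp  2738 135   SYN
62.111.208.195  123.123.123.13 Tcp  2739 135   SYN
211.41.55.136   123.123.123.11 Tcp  3127 3127  SYN
211.41.55.136   123.123.123.12 Tcp  3135 3127  SYN
211.41.55.136   123.123.123.13 Tcp  3140 3127  SYN
"""
PF_FIELDS = ("source-ip", "destination-ip", "proto", "param#1", "param#2", "flags")

# Firewall log rows from the slide: each port is refused (13301), then allowed (0).
FW_LOG = """\
192.168.0.1 123.123.123.123 135   TCP Connect 13301
192.168.0.1 207.46.245.214  135   TCP Connect 0
192.168.0.1 207.46.245.214  17300 TCP Connect 13301
192.168.0.1 207.46.245.214  17300 TCP Connect 0
192.168.0.1 207.46.245.214  80    TCP Connect 13301
192.168.0.1 207.46.245.214  80    TCP Connect 0
"""
FW_FIELDS = ("c-ip", "r-ip", "r-port", "cs-prot", "s-oper", "sc-status")

# Web proxy rows; the slide's <SourceIP> / <ISAExtIP> placeholders are replaced
# by constructed addresses so the rows parse.
WP_LOG = """\
192.168.0.20 GET www                     12202
192.168.0.20 GET www                     200
10.1.1.5     GET 123.123.123.10          12202
10.1.1.5     GET 123.123.123.10          200
192.168.0.33 GET http://www.thatsite.tld 12209
192.168.0.33 GET http://www.thatsite.tld 12209
"""
WP_FIELDS = ("c-ip", "s-operation", "r-host", "sc-status")   # headings inferred

def parse(text, fields):
    """Whitespace-separated rows -> dicts keyed by the slide's column names."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(fields):   # skip blank/truncated lines, never mis-align
            rows.append(dict(zip(fields, parts)))
    return rows

def service(row):
    """tcp/<destination port> for TCP/UDP rows, icmp/<type> for ICMP rows."""
    proto = row["proto"].lower()
    return f"{proto}/{row['param#1'] if proto == 'icmp' else row['param#2']}"

def detect_sweeps(pf_rows):
    """Horizontal scan: one external source, one service, many internal hosts."""
    hosts = defaultdict(set)
    for r in pf_rows:
        hosts[(r["source-ip"], service(r))].add(r["destination-ip"])
    return sorted((src, svc, len(h)) for (src, svc), h in hosts.items()
                  if len(h) >= SWEEP_MIN_HOSTS)

def worm_port_clients(fw_rows):
    """Internal clients opening worm ports outbound.  An allowed (status 0) hit on
    a worm port means a protocol rule lets it through and needs tightening."""
    report = {}
    for r in fw_rows:
        port = int(r["r-port"])
        if port in WORM_PORTS:
            e = report.setdefault(r["c-ip"], {"ports": set(), "denied": 0, "allowed": 0})
            e["ports"].add(port)
            e["allowed" if r["sc-status"] == "0" else "denied"] += 1
    return report

def web_proxy_failures(wp_rows):
    """Per client: 12209 = authentication failure, 12202 = URL denied by policy."""
    counts = defaultdict(lambda: {"auth_failures": 0, "denied": 0})
    for r in wp_rows:
        if r["sc-status"] == "12209":
            counts[r["c-ip"]]["auth_failures"] += 1
        elif r["sc-status"] == "12202":
            counts[r["c-ip"]]["denied"] += 1
    return dict(counts)

if __name__ == "__main__":
    print("sweeps:   ", detect_sweeps(parse(PF_LOG, PF_FIELDS)))
    print("worm:     ", worm_port_clients(parse(FW_LOG, FW_FIELDS)))
    print("webproxy: ", web_proxy_failures(parse(WP_LOG, WP_FIELDS)))
```

The sweep check keys on (source, service) and counts distinct destinations, so the two single probes on the first slide (ports 17300 and 22) stay below the threshold while the echo sweep, the port-135 sweep and the port-3127 sweep are reported. On real logs, feed the exported W3C file through the same parse() with the field list from its header line.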

Romper-Room No-Nos
IP Packet Filtering off & IP Routing on
Enabling IP Routing via RRAS or the TCP/IP stack instead of through ISA
LAT includes external (or DMZ) subnets
Same subnet on internal / external NICs
FW Client installed on the ISA itself
"All destinations" web publishing rule
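One way to catch the LAT and NIC no-nos above before they reach production, as an added example (not code from the deck or from ISA Server): a checker that takes the interface addresses and the LAT ranges and reports the LAT/NIC mistakes, plus the routing-without-filtering and Firewall-Client-on-ISA flags. The topology and LAT below are constructed, with the DMZ range deliberately placed in the LAT so the check has something to find; the "all destinations" web publishing rule is a policy object rather than addressing and is not modelled here.

```python
import ipaddress

# Constructed topology for this example (not from the deck).
INTERFACES = {"internal": "192.168.0.1/24",
              "external": "123.123.123.10/28",
              "dmz": "172.16.5.1/24"}
LAT = [("192.168.0.0", "192.168.0.255"),
       ("10.0.0.0", "10.255.255.255"),
       ("172.16.5.0", "172.16.5.255")]        # the no-no: DMZ subnet in the LAT

def lat_networks(lat):
    """Expand the LAT's start/end address pairs into the CIDR blocks they cover."""
    nets = []
    for start, end in lat:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets

def check_topology(interfaces, lat, ip_routing=False, packet_filtering=True,
                   fw_client_on_isa=False):
    """Return the no-nos present in this configuration; an empty list is a pass."""
    findings = []
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}
    nets = lat_networks(lat)

    # The LAT decides what ISA treats as "inside": it must cover the internal
    # NIC and must not touch the external or DMZ subnets.
    if not any(ifaces["internal"].ip in n for n in nets):
        findings.append("internal interface address is not in the LAT")
    for name in ("external", "dmz"):
        if name in ifaces and any(n.overlaps(ifaces[name].network) for n in nets):
            findings.append(f"LAT includes the {name} subnet {ifaces[name].network}")

    # Internal and external NICs on one subnet: the routing table, not ISA
    # policy, then decides which interface traffic leaves by.
    if ifaces["internal"].network.overlaps(ifaces["external"].network):
        findings.append("internal and external interfaces share a subnet")

    # IP routing on while packet filtering is off forwards packets the firewall
    # never inspects; the Firewall Client never belongs on the ISA Server itself.
    if ip_routing and not packet_filtering:
        findings.append("IP routing enabled while IP packet filtering is disabled")
    if fw_client_on_isa:
        findings.append("Firewall Client installed on the ISA Server")
    return findings

if __name__ == "__main__":
    for f in check_topology(INTERFACES, LAT) or ["no findings"]:
        print("-", f)
```

Run against the constructed input it reports only the DMZ range in the LAT; drop that LAT entry and the list comes back empty. The overlap test is deliberately on whole networks rather than single addresses, so a LAT entry such as 172.16.0.0-172.31.255.255 is caught even when the DMZ NIC itself is not the first address in its range.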

Security and Critical Hotfixes
Service Pack 1
KB 283213 ICMP blocking (Nachi defense)

Post SP1
KB 319374 & 321846 Web Proxy crash
MS02-027 BO in Gopher protocol handler
MS03-009 DoS in DNS IDS filter
MS03-012 DoS in Firewall Service
MS03-028 XSS in ISA Error pages
MS04-001 H.323 Vulnerability

Security References
Microsoft checklists and guides:
http://www.microsoft.com/technet/security/chklist/Default.asp
http://www.microsoft.com/technet/security/tools/default.asp

CC configuration
https://s.microsoft.com/isaserver/code/commoncriteria/

Security References
NSA configuration
http://www.nsa.gov/snac/win2k/guides/w2k-11.pdf
http://www.nsa.gov/snac/win2k/guides/inf/isa.inf

Log Forensics
http://securityfocus.com/infocus/1712

Reliability
Windows Considerations
ISA Server 2000 Firewall Considerations

Reliability Windows Settings
NIC binding order
Routing table
Patch Patch Patch!
Redundancy
System Services
Extraneous Services

Reliability Windows Settings: NIC Binding Order
Internal: top of the list; NO default gateway; DNS/WINS
External: default gateway; dial-up issues
RAS: dial-up issues
DMZ: doesn't matter

Reliability Windows Settings: Routing Table
Static Routes: Windows routing table; RRAS routing table
Dynamic Routes: VPN issues
VPN Clients: the mystery of the Windows VPN client gateway

Reliability Windows Settings: Patches!
Service Packs: install them now
Latest OS and ISA SP and FP
Hotfixes: do you need them? What about Windows Update?
Security Updates: what's going to break?
Testing lab: mirror the production config in the lab
Don't let the production network be your regression testing lab

Reliability Windows Settings: Redundancy
What are you trying to accomplish?
Web v. Server Publishing Rules
NLB v. Rainwall
Bidirectional what?
Hardware Load Balancers: pay to play
RainConnect: redundant Internet connectivity, outbound and inbound
NextLAND Proturbo 800

Reliability Windows Settings: System Services
Disable junk services (list several of these)
Determining required services: disable and test
Remote Registry Service

Reliability Windows Settings: Extraneous Software
Server Services: it's a firewall, not a firesale
Not a workstation: no Kazaa, no VPN client connections
Plug-ins: test, test, test

Reliability ISA Settings
Test All Policies
Separate Inbound and Outbound Duties
Backing Up
Caching Arrays

Reliability ISA Settings: Field Test All Policies
Protocol Rules: the dreaded all-open rule
Site and Content Rules: kill anonymous-access Site and Content Rules; use a server client address set for anonymous access
Kill the HTTP (Re)Director: it can't be blocked via Site/Content rules
Packet Filters: this ain't no PIX(en)
Web and Server Publishing Rules: FQDN in Destination Sets; the mystery of the ephemeral outbound IP address
VMware: buy now or pay later

Reliability ISA Settings: Separate Inbound and Outbound
Separate Inbound and Outbound Servers
Inbound Servers: Web Publishing and memory; Server Publishing performance
Outbound Servers: authentication traffic and performance; active caching and traffic
Bandwidth: kill bandwidth rules

Reliability ISA Settings: Backing Up
Integrated Backup Tool: who needs 'em?
Import/Export Script: different IP address publishing/filters (IP specific)
ISAinfo script (better know everything before you need to restore)
Disk Imaging: careful of different hardware
Using VMware Images: works great; performance issues

Reliability ISA Settings: Caching Array
Not a fault tolerance scheme
Load balancing v. load sharing
The miracle of wpad and autodiscovery

Reliability ISA Settings: Autoconfiguration and Autodetection
Wpad: DHCP, DNS
Group Policy
IEAK
Registry file
Firewall client installation

Reliability Hotfixes
ISA Server Service Pack 1
http://www.microsoft.com/isaserver/downloads/sp1.asp

ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=235B14FB-CDB4-4FCE-BE10-E25F869DD40E

Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-009.asp

Reliability Hotfixes
Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-012.asp

Update Rollup for ISA Server Services
http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493

Key References
Shinder ISA Server 2000 Section
www.isaserver.org/shinder

Jim Harrison's ISAtools Site
www.isatools.org

ISA Server Performance Best Practices
http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp?frame=true

Performance

Windows Configuration
ISA Configuration

Performance; Windows Settings
IP Stack configuration: TcpTimedWaitDelay & StrictTimeWaitSeqCheck
Remove QoS when not using ISA Bandwidth Control
Page File: separate physical drive; not on a compressed/encrypted volume
Physical memory: 1024 MB minimum, 3072 MB maximum
/3GB switch: Reverse Web Cache only

Performance; Windows Settings
Disk subsystem: only matters for the Web Cache; RAID 0 if using RAID
NIC: server class, 64-bit PCI-X
Multiprocessor: HW interrupt partitioning
SSL/IPSec Accelerators: good only for a large number of HTTPS connections
Processors (class / quantity)
Do not use the ISA server as a workstation

Performance; Windows Settings
Domain Topology: large number of NTLM authentication requests; DNS
Logical Network: single default gateway on the ISA Server

Performance; ISA Settings
Rule elements: less granular
Rule processing time increases linearly with the number of rules
Small number of Rules with large Destination Sets
Enable IP Routing (kernel mode data pump): significant gain for the most capacity-intensive protocols
Disable filtering of IP fragments (trade-off: fragment-based attacks are then no longer filtered)
Firewall & Web Proxy service DNS Cache: by default the services hold the last 3000 DNS records for 6 hours, regardless of TTL

Performance; ISA Settings
Server Publishing: non-RPC; RPC
Web Publishing:
Fewer Rules with large Destination Sets: faster, less secure.
More Rules with small Destination Sets: slower, more secure.
Skip name resolution
Memory Usage: Firewall Service; Web Service

Performance; ISA Settings
Split purpose: Web Proxy; Web Publishing; Firewall
Logging: ideal is off, but that is not going to happen. If logging fails, ISA stops serving content.
Log destination: file v. database
Reporting: disable

Performance; ISA Clients
Outbound
Use the Remote WinSock (RWS) client where possible
Set web browsers to use the ISA server as Web Proxy
Streaming media clients

Performance; Registry Re-Cap
Disk
Disable short name creation:
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem  DWORD NtfsDisable8dot3NameCreation = 0x1
Disable last access update:
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem  DWORD NtfsDisableLastAccessUpdate = 0x1
Multiprocessor only - bypass I/O counters:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System  DWORD CountOperations = 0x0

Performance; Registry Re-Cap
NTLM Authentication
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters  DWORD MaxConcurrentApi = 0x3 through 0x6

ISA
Internal DNS Cache
Web Proxy: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\WebProxy  DWORD "msFPCDnsCacheSize" & "msFPCDnsCacheTtl"
Firewall: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\Proxy-WSP  DWORD "msFPCDnsCacheSize" & "msFPCDnsCacheTtl"

Performance; Registry Re-Cap
ISA
Maximum backlog for incoming TCP connections
Non-RPC: HKLM\System\CurrentControlSet\Services\FWSRV\Parameters  DWORD ServerMappingBacklog. For Exchange server 0x50, Web server 0xA0.
RPC: HKLM\Software\Microsoft\FPC\PluginRPC  DWORD ServerMappingBacklog and InterfacesBacklog. For Exchange RPC, ServerMappingBacklog = 0xA0 and InterfacesBacklog = 0x50.

Performance; Registry Re-Cap
ISA
Bypass Name Resolution
HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters  DWORD SkipNameResolutionForPublishingRules = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters  DWORD SkipNameResolutionForAccessAndRoutingRules = 0x1

Performance; References
Windows
Disk
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch08.asp
System
http://support.microsoft.com/default.aspx?scid=kb;en-us;171793
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch10.asp

Performance; References
ISA
http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp
http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;326040
http://support.microsoft.com/default.aspx?scid=kb;en-us;291427
http://support.microsoft.com/default.aspx?scid=kb;en-us;292018

Q&A
