Implementing a Secure ISA Server - PowerPoint PPT Presentation

About This Presentation
Title:

Implementing a Secure ISA Server

Description:

Accessories. IIS. Custom networking only TCP/IP. External Card: ... Protected storage. Security accounts manager. Telephony. And maybe : IPSec policy agent ... – PowerPoint PPT presentation

Number of Views:57
Avg rating:3.0/5.0
Slides: 12
Provided by: Robe294
Category:

less

Transcript and Presenter's Notes

Title: Implementing a Secure ISA Server


1
Implementing a Secure ISA Server
  • Roberta Bragg

2
Step One
  • Read Step Ten before actually doing any of these
    steps!

3
Step Two Planning
  • What do you want? A firewall? A caching server?
    Both?
  • Single server? DMZ? Array?
  • Amount of traffic?
  • What needs to pass through?
  • Machine sizing

4
Step Three- Network Preparations
  • Network addresses
  • Routers
  • Insure internal DNS for internal network clients
  • External DNS for ISA Server
  • Changes required to network configuration?
    Clients?

5
Step Four Install Clean W2K
  • Separate drives/partition system data from
    firewall
  • Customization - Uncheck all options!
  • Accessories
  • IIS
  • Custom networking only TCP/IP
  • External Card
  • Disable DNS automatic registration
  • Disable windows networking
  • Disable NetBIOS over TCP/IP
  • Internal Card as appropriate for your network
  • Workgroup not domain

6
Step Five Pre-ISA Install
  • Edit systemroot\inf\sysoc.inf and remove the
    hide keyword where it appears
  • Use Add/Remove to remove Fax, Image View,
    Pinball, Word Pad be careful here!
  • Check Routing Table
  • Clean Certificate Store remove unnecessary
    certificates
  • Disable services that get installed by default
    are not needed
  • Apply Service Pack/patches
  • SO, what services do you need?
  • DNS client
  • Eventlog
  • Logical disk manager
  • Plug and play
  • Protected storage
  • Security accounts manager
  • Telephony
  •  And maybe
  • IPSec policy agent
  • Network connections manager
  • Remote procedure call
  • Remote registry service
  • Run as

7
Step Six ISA Installation
  • Install only services you need
  • Do not install H.323 unless going to use!
  • Install onto other partition from OS
  • If this is Enterprise
  • select administrative array/enterprise policies
    as per your organization administrative policy
  • only allow publishing if in DMZ
  • Enable packet filtering
  • Configure LAT so only has addresses in internal
    network

8
Step Seven After Install Test Basic Connectivity
  • Ensure LAT only contains addresses from internal
    network
  • Connection to Internet?
  • Check default site and content rule
  • Add Protocol rule
  • REMOVE TEST!

9
Step Eight Secure ISA
  • Set file /folder/ share permissions
  • Mspclnt share Authenticated Users Read
  • Inheritance not allowed from parent folder,
    apply settings to folder, subfolders, files
  • Installation Directory, Clients directory,
    Urlcache
  • Administrators, Creator/Owner, System Full
    Control
  • Clients Authenticated Users Read Execute
  • Tweak then apply security template
  • Follow guidelines for secure configuration
  • Of especial importance
  • Limit accounts in local database
  • Use strong passwords

10
Step Nine Configure and Roll Out
  • Configure client access as per plan
  • Configure packet filters/intrusion detection as
    per plan
  • Do not enable ip routing unless DMZ 3-homed
    firewall/mail server publishing
  • Test
  • Configure Reporting/Monitoring
  • Install and Configure Clients

11
Step Ten
  • Never, never, never accept on faith any advice
    from a security guru, government agency, book,
    Microsoft document, SearchWin2000 chat.
  • Your network, server, use, requirements may
    differ
  • TEST
Write a Comment
User Comments (0)
About PowerShow.com