ISA Server 2000 Best Practices from the Field Presenters: Jim Harrison - Microsoft Corp Jim Edwards - Microsoft Corp.


ISA Server 2000
Best Practices from the Field
Presenters:
Jim Harrison - Microsoft Corp
Jim Edwards - Microsoft Corp
Agenda
Introduction (Jim Harrison)
Security (Jim Harrison)
Reliability (Jim & Jim)
Performance (Jim Edwards)
Q&A
Security
Windows Configuration
Domain Association
Perimeter Network Scenarios
ISA Configuration
ISA Policies
ISA Logs
References
Windows Configuration
Patches, Patches, PATCHES!
Security checklists on
– Technet
– ISAServer.org
– NSA
Windows Configuration
ISA Service Dependencies
– ISA Server Packet Filter Extension (mspfltex)
– Remote Access Connection Manager (rasman)
– WMI Driver Extensions (wmi)
DCOM is required for ISA
Windows Configuration
Service Dependencies created by ISA
– ICS (sharedaccess) depends on Microsoft Firewall (fwsrv)
– Routing and Remote Access (remoteaccess) depends on ISA Control (isactrl)
Non-Domain [diagram: ISA Server(s); LAN Domain]
Separate Domains (Forests) [diagram: ISA Domain, LAN Domain; one-way trust from ISA to LAN]
Same Forest, Separate Domains [diagram: Domain (Forest) root, ISA Domain, LAN Domain; implicit two-way trust]
Single Domain [diagram: ISA / LAN Domain]
Two-Tier Perimeter Network [diagram: 2nd-Tier Perimeter Network, LAT Segment; subnets 123.123.123/24, 192.168.0/24, 192.168.1/24]
Third-leg Perimeter Network [diagram: External Subnet, LAT Segment; subnets 123.123.123/25, 123.123.123/24, 192.168.0/24]
LAT Perimeter Network [diagram: LAT Segment, IPSec / RRAS IP Filters, LAT Segment; subnets 192.168.1/24, 192.168.0/24]
Cache mode
IP packet filtering NOT Available
LAT / LDT NOT Available
Outgoing and Incoming Web Requests listener configurations
Best behind another (ISA) firewall
Firewall & Integrated modes
IP Filtering makes this the most secure
User- / group-based non-web traffic rules
Single-NIC installation is NOT supported without dialup as external
LAT configuration
LAT Configuration [figures: Right / Wrong]
IP Packet Filtering [figures: Right / Wrong]
IP Packet Filtering [figures: Right / Wrong]
Admin Rights [figures: Right / Right?]
Protocol Rules [figure: Right]
Protocol Rules [figure: Wrong]
Site & Content Rules [figure: Anonymous]
Site & Content Rules [figure: Unfiltered]
Server Publishing [figure]
Incoming Web Listeners [figures: Right / Right?]
Web Publishing [figures: Right / Wrong]
Web Publishing [figure]
Web Publishing [figure]
ISA Logs
Other Server Logs
– SMTP, DNS, etc.
Forensic Analysis
– Securityfocus.com article
Legal Evidence
– Computer Forensics
– Trail of Evidence
IP Packet Filter Logs
External scans, attacks, spoofs
Log field selections
– Payload is limited to the first 256 bytes
IP PF Log Examples
source-ip        destination-ip   proto  param#1  param#2  flags
68.124.157.106   123.123.123.10   Tcp    1646     17300    SYN
193.179.148.234  123.123.123.12   Tcp    4738     22       SYN
209.221.223.108  123.123.123.10   ICMP   8        0
209.221.223.108  123.123.123.11   ICMP   8        0
209.221.223.108  123.123.123.12   ICMP   8        0
209.221.223.108  123.123.123.13   ICMP   8        0
62.111.208.195   123.123.123.10   Tcp    2736     135      SYN
62.111.208.195   123.123.123.11   Tcp    2737     135      SYN
62.111.208.195   123.123.123.12   Tcp    2738     135      SYN
62.111.208.195   123.123.123.13   Tcp    2739     135      SYN
IP PF Log Bonus Slide
211.41.55.136 123.123.123.11 Tcp 3127 3127 SYN
211.41.55.136 123.123.123.12 Tcp 3135 3127 SYN
211.41.55.136 123.123.123.13 Tcp 3140 3127 SYN
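The two IP packet filter slides show the pattern the presenters want administrators to notice: one external source touching consecutive addresses on the same TCP port or with the same ICMP type. The script below is an added example and is not part of the presentation. It parses rows in the slides' column order (source-ip, destination-ip, proto, param#1, param#2, flags), groups them by source and by target port (TCP) or type (ICMP), and reports sources that touched at least three distinct hosts. The sample rows are constructed from the addresses on the two slides; the three-host threshold and the reading of param#1/param#2 as source/destination port for TCP and type/code for ICMP are this example's assumptions.

```python
"""Sweep detection over ISA Server 2000 IP packet filter log rows (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PfRecord:
    """One packet filter log row in the slide's column order."""
    src: str
    dst: str
    proto: str
    param1: int   # assumption: TCP source port, or ICMP type
    param2: int   # assumption: TCP destination port, or ICMP code
    flags: str    # TCP flags; empty for ICMP rows


# Constructed sample: the rows from the "IP PF Log Examples" and "Bonus Slide" slides.
SAMPLE_PF_LOG = """\
68.124.157.106 123.123.123.10 Tcp 1646 17300 SYN
193.179.148.234 123.123.123.12 Tcp 4738 22 SYN
209.221.223.108 123.123.123.10 ICMP 8 0
209.221.223.108 123.123.123.11 ICMP 8 0
209.221.223.108 123.123.123.12 ICMP 8 0
209.221.223.108 123.123.123.13 ICMP 8 0
62.111.208.195 123.123.123.10 Tcp 2736 135 SYN
62.111.208.195 123.123.123.11 Tcp 2737 135 SYN
62.111.208.195 123.123.123.12 Tcp 2738 135 SYN
62.111.208.195 123.123.123.13 Tcp 2739 135 SYN
211.41.55.136 123.123.123.11 Tcp 3127 3127 SYN
211.41.55.136 123.123.123.12 Tcp 3135 3127 SYN
211.41.55.136 123.123.123.13 Tcp 3140 3127 SYN
"""


def parse_pf_log(text):
    """Parse whitespace-separated rows into PfRecord objects; blank or short rows are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        flags = fields[5] if len(fields) > 5 else ""
        records.append(PfRecord(fields[0], fields[1], fields[2].upper(),
                                int(fields[3]), int(fields[4]), flags))
    return records


def find_sweeps(records, min_hosts=3):
    """Map (source, proto, port-or-type) -> sorted destination hosts for every
    source that reached at least min_hosts distinct hosts with the same target."""
    targets = defaultdict(set)
    for r in records:
        if r.proto == "TCP":
            key = (r.src, "TCP", r.param2)     # same destination port
        elif r.proto == "ICMP":
            key = (r.src, "ICMP", r.param1)    # same ICMP type (8 = echo request)
        else:
            continue
        targets[key].add(r.dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


def report(text, min_hosts=3):
    """Human-readable lines, one per detected sweep, in a stable order."""
    lines = []
    sweeps = find_sweeps(parse_pf_log(text), min_hosts)
    for (src, proto, value), hosts in sorted(sweeps.items()):
        what = f"TCP port {value}" if proto == "TCP" else f"ICMP type {value}"
        lines.append(f"{src} swept {len(hosts)} hosts on {what}: {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PF_LOG):
        print(line)
```

The two single-host SYNs on the first slide (to 17300 and 22) fall below the threshold and are not reported; the ICMP echo sweep, the port 135 sweep and the port 3127 sweep from the bonus slide are. Since the deck notes that the packet filter log keeps only the first 256 bytes of payload, grouping on header fields like this is the analysis that remains available.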
Firewall Logs
Internal virus / worms detection
Log field selections
– WP and FW share many logging options
Firewall Log Examples
c-ip         r-ip             r-port  cs-prot  s-oper   sc-status
192.168.0.1  123.123.123.123  135     TCP      Connect  13301
192.168.0.1  207.46.245.214   135     TCP      Connect  0
192.168.0.1  207.46.245.214   17300   TCP      Connect  13301
192.168.0.1  207.46.245.214   80      TCP      Connect  13301
192.168.0.1  207.46.245.214   17300   TCP      Connect  0
192.168.0.1  207.46.245.214   80      TCP      Connect  0
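The Firewall Log slide illustrates internal worm detection with one internal client (c-ip) connecting out to ports 135, 17300 and 80, each attempt logged once with a non-zero sc-status and once with 0. The script below is an added example, not the presenters' code: it summarises, per internal client, the remote hosts and ports reached for and how many rows carried a zero versus a non-zero status, then flags clients that touched ports outside ordinary web traffic or fanned out to many remote hosts. The rows are constructed from the slide; the watch list {135, 17300} and the fan-out threshold are this example's assumptions, and the status code 13301 is deliberately not interpreted.

```python
"""Per-client summary over ISA Server 2000 Firewall service log rows (added example)."""
from collections import defaultdict

# Constructed sample: the six rows from the "Firewall Log Examples" slide,
# columns c-ip, r-ip, r-port, cs-prot, s-oper, sc-status.
SAMPLE_FW_LOG = """\
192.168.0.1 123.123.123.123 135 TCP Connect 13301
192.168.0.1 207.46.245.214 135 TCP Connect 0
192.168.0.1 207.46.245.214 17300 TCP Connect 13301
192.168.0.1 207.46.245.214 80 TCP Connect 13301
192.168.0.1 207.46.245.214 17300 TCP Connect 0
192.168.0.1 207.46.245.214 80 TCP Connect 0
"""

# Ports in the slide's rows that are not ordinary web traffic. Treating them as
# worth a look is this example's assumption, not a statement from the deck.
WATCH_PORTS = frozenset({135, 17300})


def parse_fw_log(text):
    """Parse whitespace-separated rows into dicts keyed by the slide's column names."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6:
            continue  # blank or malformed row
        rows.append({"c_ip": f[0], "r_ip": f[1], "r_port": int(f[2]),
                     "cs_prot": f[3], "s_oper": f[4], "sc_status": int(f[5])})
    return rows


def summarize_clients(rows):
    """Per internal client: distinct remote hosts, distinct remote ports, and
    how many rows carried a zero versus a non-zero sc-status."""
    summary = defaultdict(lambda: {"remote_hosts": set(), "ports": set(),
                                   "zero_status": 0, "nonzero_status": 0})
    for r in rows:
        s = summary[r["c_ip"]]
        s["remote_hosts"].add(r["r_ip"])
        s["ports"].add(r["r_port"])
        if r["sc_status"] == 0:
            s["zero_status"] += 1
        else:
            s["nonzero_status"] += 1
    return dict(summary)


def suspicious_clients(rows, watch_ports=WATCH_PORTS, min_hosts=20):
    """Return [(c_ip, reason)] for clients that reached for a watched port or
    for at least min_hosts distinct remote hosts (fan-out typical of a worm)."""
    hits = []
    for c_ip, s in sorted(summarize_clients(rows).items()):
        reasons = []
        watched = sorted(s["ports"] & set(watch_ports))
        if watched:
            reasons.append("watched ports " + ", ".join(str(p) for p in watched))
        if len(s["remote_hosts"]) >= min_hosts:
            reasons.append(f"{len(s['remote_hosts'])} distinct remote hosts")
        if reasons:
            hits.append((c_ip, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for c_ip, reason in suspicious_clients(parse_fw_log(SAMPLE_FW_LOG)):
        print(f"{c_ip}: {reason}")
```

With the slide's six rows the client is flagged only for the watched ports; on a real log the fan-out threshold is what exposes a scanning host, because the Firewall service records one Connect row per destination regardless of whether the rule allowed it.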
Web Proxy Logs
Internal, external virus / worms detection
Log field selections
Web Proxy Log Examples
(column labels added; the slide shows the values only)
signature     client      method  host                     status
CodeRed       <SourceIP>  GET     www                      12202
CodeRed       <SourceIP>  GET     www                      200
Nimda         <SourceIP>  GET     <ISAExtIP>               12202
Nimda         <SourceIP>  GET     <ISAExtIP>               200
Auth Failure  <SourceIP>  GET     http://www.thatsite.tld  12209
Romper-Room No-No’s
IP Packet Filtering off & IP Routing on
Enable IP Routing via RRAS or TCP/IP
LAT includes external (or DMZ) subnets
Same-subnet on internal / external NICs
FW Client installed on the ISA
“All destinations” web publishing rule
Security and Critical Hotfixes
Service Pack 1
– KB 283213 ICMP blocking (Nachi defense)
Post SP1
– KB 319374 & 321846 Web Proxy crash
– MS02-027 BO in Gopher protocol handler
– MS03-009 DoS in DNS IDS filter
– MS03-012 DoS in Firewall Service
– MS03-028 XSS in ISA Error pages
– MS04-001 H.323 Vulnerability
Security References
Microsoft checklists and guides:
http://www.microsoft.com/technet/security/chklist/Default.asp
http://www.microsoft.com/technet/security/tools/default.asp
CC configuration
https://s.microsoft.com/isaserver/code/commoncriteria/
Security References
NSA configuration
http://www.nsa.gov/snac/win2k/guides/w2k11.pdf
http://www.nsa.gov/snac/win2k/guides/inf/isa.inf
Log Forensics
http://securityfocus.com/infocus/1712
Reliability
Windows Considerations
ISA Server 2000 Firewall Considerations
Reliability Windows Settings
NIC binding order
Routing table
Patch Patch Patch!
Redundancy
System Services
Extraneous Services
Reliability Windows Settings: NIC Binding Order
Internal
– Top of list
– NO Default gateway
– DNS/WINS
External
– Default gateway
– Dial up issues
RAS
– Dial up issues
DMZ
– Doesn’t matter
Reliability Windows Settings: Routing Table
Static Routes
– Windows routing table
– RRAS routing table
Dynamic Routes
– VPN issues
VPN Clients
– Mystery of the Windows VPN client gateway
Reliability Windows Settings: Patches!
Service Packs
– Install them now
– Latest OS and ISA SP and FP
Hotfixes
– Do you need them?
– What about Windows Update?
Security Updates
– What’s going to break?
Testing lab
– Mirror config in lab
– Don’t let the production network be your regression testing lab
Reliability Windows Settings: Redundancy
What are you trying to accomplish?
Web v. Server Publishing Rules
NLB v. Rainwall
– Bidirectional what?
Hardware Load Balancers
– Pay to play
RainConnect
– Redundant Internet connectivity
– Outbound and inbound
NextLAND Proturbo 800
Reliability Windows Settings: System Services
Disable Junk Services
– (list several of these)
Determining Required Services
– Disable and test
Remote Registry Service
Reliability Windows Settings: Extraneous Software
Server Services
– It’s a firewall, not a firesale
Not a workstation
– No Kazaa
– No VPN client connections
Plug-Ins
– Test test test
Reliability ISA Settings
Test All Policies
Separate Inbound and Outbound Duties
Backing Up
Caching Arrays
Reliability ISA Settings: Field Test All Policies
Protocol Rules
– The dreaded “all open” rule
Site and Content Rules
– Kill anonymous access Site and Content Rules
– Server client address set for anonymous access
Kill the HTTP (Re)Director
– Can’t block via Site/Content rules
Packet Filters
– This ain’t no pix(en)
Web and Server Publishing Rules
– FQDN in Destination Sets
– The mystery of the ephemeral outbound IP address
VMware
– Buy now or pay later
Reliability ISA Settings: Separate Inbound and Outbound
Separate Inbound and Outbound Servers
Inbound Servers
– Web Publishing and Memory
– Server publishing performance
Outbound Servers
– Authentication traffic and performance
– Active caching and traffic
Bandwidth
– Kill bandwidth rules
Reliability ISA Settings: Backing Up
Integrated Backup Tool
– Who needs ’em?
Import/Export Script
– Different IP address publishing/filters (IP specific)
ISAinfo script (better know everything before you need to restore)
Disk Imaging
– Careful of different hardware
Using VMware Images
– Works great – performance issues
Reliability ISA Settings: Caching Array
Caching Array
– Not fault tolerance scheme
– Load balancing v. load sharing
– The miracle of wpad and autodiscovery
Reliability ISA Settings: Autoconfiguration and Autodetection
Wpad
– DHCP
– DNS
Group Policy
IEAK
Registry file
Firewall client installation
Reliability Hotfixes
ISA Server Service Pack 1
– http://www.microsoft.com/isaserver/downloads/sp1.asp
ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash
– http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=235B14FB-CDB4-4FCEBE10-E25F869DD40E
Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service
– http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-009.asp
Reliability Hotfixes
Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service
– http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-012.asp
Update Rollup for ISA Server Services
– http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493
Key References
Shinder ISA Server 2000 Section
– www.isaserver.org/shinder
Jim Harrison’s ISAtools Site
– www.isatools.org
ISA Server Performance Best Practices
– http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp?frame=true
Performance
Windows Configuration
ISA Configuration
Performance; Windows Settings
IP Stack configuration
– TcpTimedWaitDelay & StrictTimeWaitSeqCheck
– Remove QOS when not using ISA Bandwidth Control
Page File
– Separate physical drive
– Not compressed/encrypted volume
Physical memory
– 1024 Meg Minimum
– 3072 Meg Maximum
– /3GB switch – Reverse Web Cache only
Performance; Windows Settings
Disk subsystem – Only for Web Cache
– RAID 0 if using RAID
NIC
– Server class, 64-bit PCI-X
– Multiprocessor - HW Interrupt Partitioning
SSL/IPSec Accelerators
– Good only for large number of HTTPS connections
Processors (class / quantity)
– Do not use the ISA server as a workstation
Performance; Windows Settings
Domain Topology
– Large number of NTLM authentication requests
– DNS
Logical Network
– Single Default Gateway on ISA Server
Performance; ISA Settings
Rule elements – Less granular
– Rule processing increases linearly
– Small number of Rules with large Destination Sets
Enable Kernel Mode Data Pump – IP Routing
– Significant increase to most capacity intensive protocols
– Disable filtering of IP fragments
Firewall & Web Proxy service DNS Cache
– By default, services hold last 3000 DNS records for 6 hours, regardless of TTL
Performance; ISA Settings
Server Publishing
– Non RPC
– RPC
Web Publishing
– Fewer Rules with large Destination Sets. Faster, less secure.
– More Rules with small Destination Sets. Slower, more secure.
– Skip name resolution
Memory Usage
– Firewall Service
– Web Service
Performance; ISA Settings
Split purpose
– Web Proxy
– Web Publishing
– Firewall
Logging
– Ideal is Off. Not going to happen
– Logging Fails, ISA stops serving content
– File
– Database
Reporting
– Disable
Performance; ISA Clients
Outbound
– Use Remote WinSock (RWS) client where possible
– Set web browsers to use ISA server as Web Proxy
– Streaming media clients
Performance; Registry Re-Cap
Disk
– Disable short name creation.
HKLM\SYSTEM\CurrentControlSet\Control\Filesystem DWord “NtfsDisable8dot3NameCreation” 0x1
– Disable last access update.
HKLM\SYSTEM\CurrentControlSet\Control\Filesystem DWord “NtfsDisableLastAccessUpdate” 0x1
– Multiprocessor only - Bypassing I/O Counters.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System DWord “CounterOperations” 0x0
Performance; Registry Re-Cap
NTLM Authentication
– HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters DWord “MaxConcurrentApi” 0x3 through 0x6
ISA
– Internal DNS Cache
Web Proxy: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\WebProxy DWord “msFPCDnsCacheSize” & “msFPCDnsCacheTtl”
Firewall: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\Proxy-WSP DWord “msFPCDnsCacheSize” & “msFPCDnsCacheTtl”
Performance; Registry Re-Cap
ISA
– Maximum backlog for incoming TCP connections
Non RPC – HKLM\System\CurrentControlSet\Services\FWSRV\Parameters “ServerMappingBacklog” DWord key. For Exchange server 0x50, Web server 0xA0.
RPC – HKLM\Software\Microsoft\FPC\PluginRPC “ServerMappingBacklog” and “InterfacesBacklog”. For Exchange RPC “ServerMappingBacklog” = 0xA0 and “InterfacesBacklog” = 0x50.
Performance; Registry Re-Cap
ISA
– Bypass Name Resolution
HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\SkipNameResolutionForPublishingRules DWord “SkipNameResolutionForPublishingRules” 0x1
HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\SkipNameResolutionForAccessAndRoutingRules DWord “SkipNameResolutionForAccessAndRoutingRules” 0x1
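The four Registry Re-Cap slides list DWORD values to set by hand, which is easy to get wrong on a second server or after a rebuild. The script below is an added example, not from the presentation or from Microsoft: check_values() compares a mapping of registry values against the slides' recommendations and runs on any platform, while read_live_values() fills that mapping from the local machine through Python's winreg module when run on Windows. Value names use the spelling Windows documents (NtfsDisable8dot3NameCreation, NtfsDisableLastAccessUpdate); reading SkipNameResolutionForPublishingRules and SkipNameResolutionForAccessAndRoutingRules as values directly under W3Proxy\Parameters is this example's interpretation of the slide, and the DNS cache and backlog values, which depend on the array GUID and the published server's role, are left out.

```python
"""Audit of the Registry Re-Cap performance values (added example)."""
try:
    import winreg   # Windows only; the comparison itself is platform-neutral
except ImportError:
    winreg = None

# Subkeys under HKEY_LOCAL_MACHINE as listed on the slides.
FS = r"SYSTEM\CurrentControlSet\Control\FileSystem"
IOSYS = r"SYSTEM\CurrentControlSet\Control\Session Manager\I/O System"
NETLOGON = r"SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
W3PROXY = r"SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters"  # assumption: values live directly here

# (subkey, value name) -> (expectation as written on the slide, predicate, multiprocessor-only)
CHECKS = {
    (FS, "NtfsDisable8dot3NameCreation"): ("0x1", lambda v: v == 1, False),
    (FS, "NtfsDisableLastAccessUpdate"): ("0x1", lambda v: v == 1, False),
    (IOSYS, "CounterOperations"): ("0x0", lambda v: v == 0, True),
    (NETLOGON, "MaxConcurrentApi"): ("0x3 through 0x6", lambda v: 3 <= v <= 6, False),
    (W3PROXY, "SkipNameResolutionForPublishingRules"): ("0x1", lambda v: v == 1, False),
    (W3PROXY, "SkipNameResolutionForAccessAndRoutingRules"): ("0x1", lambda v: v == 1, False),
}


def check_values(values, multiprocessor=False):
    """Compare {(subkey, name): int} against CHECKS.

    Returns [(name, status, detail)] with status "ok", "differs" or "missing".
    CounterOperations is only checked when multiprocessor=True, matching the
    slide's "Multiprocessor only" caveat."""
    findings = []
    for (key, name), (expected, ok, mp_only) in CHECKS.items():
        if mp_only and not multiprocessor:
            continue
        data = values.get((key, name))
        if data is None:
            findings.append((name, "missing", f"expected {expected}"))
        elif ok(data):
            findings.append((name, "ok", f"{data:#x}"))
        else:
            findings.append((name, "differs", f"found {data:#x}, expected {expected}"))
    return findings


def read_live_values():
    """Read every value named in CHECKS from the local registry (Windows only).
    Absent keys or values are simply omitted, so check_values reports them as missing."""
    if winreg is None:
        raise RuntimeError("winreg is unavailable; this reader only works on Windows")
    values = {}
    for key, name in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                data, _kind = winreg.QueryValueEx(handle, name)
                values[(key, name)] = int(data)
        except OSError:
            pass
    return values


if __name__ == "__main__":
    import os
    live = read_live_values()
    multi = (os.cpu_count() or 1) > 1
    for name, status, detail in check_values(live, multiprocessor=multi):
        print(f"{status:8} {name}: {detail}")
```

Run on the ISA server itself the script prints one line per value; the pure check_values() function is also what a build-verification step can call against values exported from a golden image before the box goes into production.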
Performance; References
Windows
Disk
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch08.asp
System
http://support.microsoft.com/default.aspx?scid=kb;en-us;171793
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch10.asp
Performance; References
ISA
http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp
http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;326040
http://support.microsoft.com/default.aspx?scid=kb;en-us;291427
http://support.microsoft.com/default.aspx?scid=kb;en-us;292018
Q&A