In this article we’ll focus on best practices
specifically to Microsoft Internet Security and Acceleration (ISA)
Let’s start looking at some recommendations to
configure then Microsoft ISA firewall so it provides the best level of
security, reliability and performance possible. There are too many
items to describe all of them in this article, so we’ll focus
on the most important items that you should pay attention to. The
overview is not in any particular order so items higher in the list are
not necessarily more important.
- ISA Server comes with a
Firewall and Web Proxy client.
You should deploy these clients to get superior performance over what a
hardware firewall provides. The combination of ISA server and its
clients provide an intelligent security solution, more so than an
appliance without clients can offer.
- The ISA firewall should
have only one DNS server
configured on its interfaces, and that DNS server address must be
configured on its internal interface (or whatever interface is closest
to an internal DNS server that can resolve Internet host names). Never
put an external DNS server on any of the ISA firewall’s
interfaces, and never enter a DNS server address on more than one ISA
- When investigating a
possible attack, use www.arin.net
and do a Whois search on the IP address. This should be the first thing
you do when you detect unusual activity in your firewall logs.
- Use DMZ networks connected
to the ISA firewall to limit
access to different security zones within your organization. Put ISA
firewalls between different security zones to make sure you are
protected against attacks sourcing from different security zones.
- Do not consolidate other
server functions (file
server, web server, etc) with the ISA server. The ISA firewall is a
just that; a firewall.
- Harden the server
using the ISA firewall hardening guides located at
- Typically there is no reason to enable NetBT
on the external interface of the ISA firewall. If you don’t
need it, disable it.
- There typically isn’t a reason
to enable the Server service on the external interface
of the ISA firewall, as it is used to enable access to shared resources
on the ISA firewall. In general, the Server service should be disabled
on all interfaces of the ISA firewall, but there can be side effects,
such as being unable to access the Firewall client share on the ISA
firewall if you installed it there. It is best to place the client
installation files on a network share hosted by a file server. You
shouldn’t run into any issues if the Server service is
unbound only from the external interface.
- On Windows 2000, the Alerter and Messenger
services should be disabled on the ISA firewall.
Windows Server 2003 turns off these services by default, or they are
turned off as part of running the Security Configuration Wizard on a
Windows Server 2003 Service Pack 1 ISA firewall.
- Install Network monitor
for troubleshooting issues. Microsoft Network Monitor comes with
Windows, and you can install it Monitor either before or after the ISA
firewall software is installed.
- The ISA firewall
shouldn’t be used as a workstation;
it is a network firewall representing an important component of your
network security infrastructure. Don’t use client
applications, such as Internet Explorer, on the ISA firewall and
don’t disable the enhanced IE security configuration that is
part of Windows Server 2003 Internet Explorer.
- If users complain about
decreased performance of the Web, configure the clients as
Web Proxy clients and
configure the web browsers to use HTTP 1.1.
- Make sure to patch the base operating
system before installing ISA.
Innstall the base operating system on a protected network, so that you
can safely install the operating system and then update the operating
system before installing the ISA firewall software. Connect the ISA
firewall device to the Internet only after the operating system is
patched and the ISA firewall software is installed.
- You can rename the network
interfaces installed on the
ISA firewall from Local Area Connection 1 and Local Area Connection 2
to something more meaningful, such as WAN, LAN, and DMZ. This is
helpful when you have a lot of interfaces installed on the ISA firewall
- The ISA firewall can
mitigate worm and other automated attacks by enforcing connection limits.
You can configure connection limits by going to the General node in the
ISA firewall console and Define Connection Limits.
The above list represents only some of the recommendation to
configuring your ISA Firewall and certainly doesn’t cover all
of the aspects. If you want to analyze your implementation of ISA
Server it is a good idea to download the Microsoft Best Practice
Analyzer Tool from the Microsoft website and run this against your ISA
Server. The tool is compatible with ISA Server 2004, 2006, and
Forefront TMG: http://www.microsoft.com/download/en/details.aspx?id=811
The Microsoft TechNet website is a great resource that offers a lot of
information about how to configure your ISA server for your
environment, performance best practices
) , and
troubleshooting performance issues