Special measures should be taken when using a Windows-based gateway on a customer's network. This tip, reposted courtesy of SearchWindowsSecurity.com, offers a checklist of factors to consider when securing Microsoft's ISA Server.
It takes work to make any installation of an operating system secure -- or at least secure against the vast majority of threats out there -- since the idea of total computer security is somewhat misleading. If you're using Windows as your gateway server, via Microsoft's ISA Server or a similar product, then you need to give your gateway extra-special attention.
A full exploration of all the possible roles for ISA Server (as a front-end firewall, as a perimeter network firewall, etc.) would be beyond the scope of this piece, but the following core considerations apply to keeping any Windows-based gateway computer secure.
Plan your customer's server to match their network topology. Figure out exactly what this server is going to be responsible for and configure it to match that role. For instance, a server that will handle all traffic between the network and the Internet needs to be locked down a lot more heavily than a perimeter server (one that protects one network segment from the rest of the LAN). It may also need different hardware (a multi-homed edge server, for example) to keep up with the amount of traffic going through. Finally, don't install anything on this server that does not absolutely have to be there; the cleaner the system to begin with, the better.
Start with the basics. First, get the system up to speed as far as service packs and security hotfixes go. No house can be built on a shaky foundation. Once you install ISA Server itself (if that's what you're using), be sure to bring it up to speed, too, with the appropriate updates.
Perform a baseline security analysis. One of the most useful tools Microsoft provides for hardening a system -- they call it "reducing the attack surface" -- is the Baseline Security Analyzer. The BSA scans for security problems in any product supported by Microsoft Update, in addition to Windows itself, and prints out a detailed report of what to change and why. Even if you're not running ISA Server, this is an excellent way to gather information about what to lock down.
Harden ISA itself. Microsoft's ISA Server Security Hardening Guide is a long, extremely detailed and very comprehensive step-by-step guide to locking down ISA Server. Read it thoroughly before employing any of it. Note that you should not modify any of ISA Server's Discretionary Access Control Lists (DACLs) via Group Policy or another mechanism; let ISA Server manage those directly or you'll have a conflict between custom settings and ISA's settings.
Configure clients to get the most out of the gateway as well. Make sure all the clients in the network are taking advantage of the way the gateway is configured, especially if they use the Firewall Client. One of the client tools for this job is the Firewall Client Tool. It provides tools to check that the ISA server and auto-detection mechanisms are all working correctly for a given computer that is using the Firewall Client for ISA. (If you're having problems that may be due to a driver misconfiguration on the client machine, check out the Firewall Kernel Mode Tool for extremely detailed information about what might be wrong.)
About the author
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This tip originally appeared on SearchWindowsSecurity.com.