ISA Server 2000 Best Practices from the Field
Presenters: Jim Harrison (Microsoft Corp), Jim Edwards (Microsoft Corp)

Agenda
Introduction (Jim Harrison)
Security (Jim Harrison)
Reliability (Jim & Jim)
Performance (Jim Edwards)
Q&A

Security
Windows Configuration
Domain Association
Perimeter Network Scenarios
ISA Configuration
ISA Policies
ISA Logs
References

Windows Configuration
Patches, Patches, PATCHES!
Security checklists on
– Technet
– ISAServer.org
– NSA

Windows Configuration
ISA Service Dependencies
– ISA Server Packet Filter Extension (mspfltex)
– Remote Access Connection Manager (rasman)
– WMI Driver Extensions (wmi)
DCOM is required for ISA

Windows Configuration
Service Dependencies created by ISA
– ICS (sharedaccess) depends on Microsoft Firewall (fwsrv)
– Routing and Remote Access (remoteaccess) depends on ISA Control (isactrl)

Non-Domain ISA Server(s) LAN Domain

Separate Domains (Forests) One Way Trust from ISA to LAN ISA Domain LAN Domain

Same Forest, Separate Domains Domain (Forest) root Implicit Two Way Trust ISA Domain LAN Domain

Single Domain ISA / LAN Domain

Two–Tier Perimeter Network 2nd -Tier Perimeter Network LAT Segment 123.123.123/24 192.168.0/24 192.168.1/24

Third-leg Perimeter Network 123.123.123/25 123.123.123/24 192.168.0/24 LAT Segment External Subnet

LAT Perimeter Network 192.168.1/24 192.168.0/24 LAT Segment IPSec / RRAS IP Filters LAT Segment

Cache mode
IP packet filtering NOT available
LAT / LDT NOT available
Outgoing and Incoming Web Requests listener configurations
Best behind another (ISA) firewall

Firewall & Integrated modes
IP Filtering makes this the most secure
User- / group-based non-web traffic rules
Single-NIC installation is NOT supported without dialup as external LAT configuration

LAT Configuration Right Wrong

IP Packet Filtering Right Wrong

IP Packet Filtering Right Wrong

Admin Rights Right Right?

Protocol Rules Right

Protocol Rules Wrong

Site & Content Rules Anonymous

Site & Content Rules Unfiltered

Server Publishing

Incoming Web Listeners Right Right ?

Web Publishing Right Wrong

Web Publishing

Web Publishing

ISA Logs
Other Server Logs – SMTP, DNS, etc.
Forensic Analysis – Securityfocus.com article
Legal Evidence – Computer Forensics – Trail of Evidence

IP Packet Filter Logs
External scans, attacks, spoofs
Log field selections
– Payload is limited to the first 256 bytes

IP PF Log Examples
source-ip        destination-ip  proto  param#1  param#2  flags
68.124.157.106   123.123.123.10  Tcp    1646     17300    SYN
193.179.148.234  123.123.123.12  Tcp    4738     22       SYN
209.221.223.108  123.123.123.10  ICMP   8        0
209.221.223.108  123.123.123.11  ICMP   8        0
209.221.223.108  123.123.123.12  ICMP   8        0
209.221.223.108  123.123.123.13  ICMP   8        0
62.111.208.195   123.123.123.10  Tcp    2736     135      SYN
62.111.208.195   123.123.123.11  Tcp    2737     135      SYN
62.111.208.195   123.123.123.12  Tcp    2738     135      SYN
62.111.208.195   123.123.123.13  Tcp    2739     135      SYN

IP PF Log Bonus Slide
source-ip      destination-ip  proto  param#1  param#2  flags
211.41.55.136  123.123.123.11  Tcp    3127     3127     SYN
211.41.55.136  123.123.123.12  Tcp    3135     3127     SYN
211.41.55.136  123.123.123.13  Tcp    3140     3127     SYN
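The two IP packet filter slides above show what a horizontal scan (one source, one destination port, a run of consecutive destination hosts) and an ICMP echo sweep look like in the log. The script below is an added example, not part of the deck or of ISA Server itself: it parses rows in the slides' column order (source-ip, destination-ip, proto, param#1, param#2, flags) and groups them so that these two patterns can be reported automatically. The sample rows are constructed from the slides; the threshold `min_hosts` and all function names are the example's own choices.

```python
"""Added example (not from the deck): scan/sweep detection over ISA Server 2000
IP packet filter log rows in the column order the slides use:
    source-ip destination-ip proto param#1 param#2 flags
For TCP/UDP, param#1/param#2 are source/destination port; for ICMP they are type/code.
The sample rows are constructed from the slides' examples."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the rows shown on the two IP PF slides (ICMP rows carry no flags).
SAMPLE_PF_LOG = """\
source-ip destination-ip proto param#1 param#2 flags
68.124.157.106 123.123.123.10 Tcp 1646 17300 SYN
193.179.148.234 123.123.123.12 Tcp 4738 22 SYN
209.221.223.108 123.123.123.10 ICMP 8 0
209.221.223.108 123.123.123.11 ICMP 8 0
209.221.223.108 123.123.123.12 ICMP 8 0
209.221.223.108 123.123.123.13 ICMP 8 0
62.111.208.195 123.123.123.10 Tcp 2736 135 SYN
62.111.208.195 123.123.123.11 Tcp 2737 135 SYN
62.111.208.195 123.123.123.12 Tcp 2738 135 SYN
62.111.208.195 123.123.123.13 Tcp 2739 135 SYN
211.41.55.136 123.123.123.11 Tcp 3127 3127 SYN
211.41.55.136 123.123.123.12 Tcp 3135 3127 SYN
211.41.55.136 123.123.123.13 Tcp 3140 3127 SYN
"""


@dataclass(frozen=True)
class PfRecord:
    src: str
    dst: str
    proto: str   # normalised to upper case: TCP, UDP, ICMP
    p1: int      # source port, or ICMP type
    p2: int      # destination port, or ICMP code
    flags: str   # TCP flags; empty for other protocols


def parse_pf_log(text):
    """Parse whitespace-separated rows; the header and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            p1, p2 = int(parts[3]), int(parts[4])
        except ValueError:
            continue  # header row or non-numeric parameter column
        flags = parts[5] if len(parts) > 5 else ""
        records.append(PfRecord(parts[0], parts[1], parts[2].upper(), p1, p2, flags))
    return records


def find_horizontal_scans(records, min_hosts=3):
    """Sources probing one TCP/UDP destination port on at least min_hosts distinct hosts.
    Returns {(src, proto, dst_port): [hosts...]}."""
    seen = defaultdict(set)
    for r in records:
        if r.proto in ("TCP", "UDP"):
            seen[(r.src, r.proto, r.p2)].add(r.dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


def find_icmp_sweeps(records, min_hosts=3):
    """Sources sending ICMP echo requests (type 8, code 0) to at least min_hosts distinct hosts.
    Returns {src: [hosts...]}."""
    seen = defaultdict(set)
    for r in records:
        if r.proto == "ICMP" and r.p1 == 8 and r.p2 == 0:
            seen[r.src].add(r.dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


def summarize(text, min_hosts=3):
    """Run both detectors over a log text and return their findings together."""
    records = parse_pf_log(text)
    return {
        "horizontal_scans": find_horizontal_scans(records, min_hosts),
        "icmp_sweeps": find_icmp_sweeps(records, min_hosts),
    }


if __name__ == "__main__":
    for kind, hits in summarize(SAMPLE_PF_LOG).items():
        for key, hosts in hits.items():
            print(f"{kind}: {key} -> {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against the sample, the 135/TCP and 3127/TCP runs and the ICMP sweep are reported, while the two single-host probes (17300 and 22) stay below the threshold. On a real log the same grouping keys (source, protocol, destination port) are what you would feed into the 256-byte payload review the previous slide mentions.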

Firewall Logs
Internal virus / worms detection
Log field selections
– WP and FW share many logging options

Firewall Log Examples
c-ip         r-ip             r-port  cs-prot  s-oper   sc-status
192.168.0.1  123.123.123.123  135     TCP      Connect  0
192.168.0.1  207.46.245.214   135     TCP      Connect  13301
192.168.0.1  207.46.245.214   17300   TCP      Connect  13301
192.168.0.1  207.46.245.214   17300   TCP      Connect  0
192.168.0.1  207.46.245.214   80      TCP      Connect  13301
192.168.0.1  207.46.245.214   80      TCP      Connect  0

Web Proxy Logs
Internal, external virus / worms detection
Log field selections

Web Proxy Log Examples
CodeRed – SourceIP GET www 12202; SourceIP GET www 200
Nimda – SourceIP GET ISAExtIP 12202; SourceIP GET ISAExtIP 200
Auth Failure – SourceIP GET http://www.thatsite.tld 12209

Romper-Room No-No’s
IP Packet Filtering off & IP Routing on
Enable IP Routing via RRAS or TCP/IP
LAT includes external (or DMZ) subnets
Same subnet on internal / external NICs
FW Client installed on the ISA
“All destinations” web publishing rule
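Two of the no-no's above (a LAT that includes external or DMZ subnets, and internal and external NICs sharing a subnet) are pure addressing mistakes that can be checked mechanically before the box goes live. The script below is an added example, not part of the deck or an ISA Server tool: it takes the LAT entries (CIDR or ISA-style start-end ranges), the NIC addresses, and any DMZ subnets, and reports each violation. The subnets used for the sample run are constructed from the deck's perimeter-network diagrams (123.123.123.0/24 external, 192.168.0.0/24 LAT segment, 192.168.1.0/24 perimeter); function names are the example's own.

```python
"""Added example (not from the deck): sanity-check an ISA Server 2000 LAT against
the box's NIC addressing for the "Romper-Room" no-no's. LAT entries may be CIDR
('192.168.0.0/24') or ISA-style start-end ranges ('192.168.0.0-192.168.0.255').
Sample subnets are constructed from the deck's diagrams."""
import ipaddress


def lat_entry_networks(entry):
    """Expand one LAT entry to a list of ip_network objects."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def check_lat(lat_entries, internal_ifaces, external_ifaces, dmz_subnets=()):
    """Return a list of problem strings; an empty list means the layout passes.
    internal_ifaces / external_ifaces: NIC addresses with prefix, e.g. '192.168.0.1/24'."""
    problems = []
    lat = [n for e in lat_entries for n in lat_entry_networks(e)]
    int_nets = [ipaddress.ip_interface(a).network for a in internal_ifaces]
    ext_nets = [ipaddress.ip_interface(a).network for a in external_ifaces]
    dmz = [ipaddress.ip_network(n, strict=False) for n in dmz_subnets]

    # No-no: LAT includes external (or DMZ) subnets
    for n in lat:
        for e in ext_nets:
            if n.overlaps(e):
                problems.append(f"LAT entry {n} overlaps external NIC subnet {e}")
        for d in dmz:
            if n.overlaps(d):
                problems.append(f"LAT entry {n} overlaps DMZ subnet {d}")

    # No-no: same subnet on internal / external NICs
    for i in int_nets:
        for e in ext_nets:
            if i.overlaps(e):
                problems.append(f"internal NIC subnet {i} overlaps external NIC subnet {e}")

    # Every internal NIC subnet must be inside the LAT, or its hosts are treated as external
    for i in int_nets:
        if not any(i.subnet_of(n) for n in lat):
            problems.append(f"internal NIC subnet {i} is not covered by the LAT")
    return problems


if __name__ == "__main__":
    # Constructed layout from the deck's diagrams.
    good = check_lat(["192.168.0.0-192.168.0.255"], ["192.168.0.1/24"],
                     ["123.123.123.10/24"], ["192.168.1.0/24"])
    bad = check_lat(["192.168.0.0-192.168.255.255", "123.123.123.0/24"], ["192.168.0.1/24"],
                    ["123.123.123.10/24"], ["192.168.1.0/24"])
    print("good layout:", good or "no problems")
    print("bad layout:", *bad, sep="\n  ")
```

The "bad" layout shows the usual way the mistake creeps in: a lazy 192.168.0.0-192.168.255.255 LAT entry silently swallows the 192.168.1.0/24 perimeter segment, and adding the external /24 to the LAT turns the firewall into a router for that traffic.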

Security and Critical Hotfixes
Service Pack 1 – KB 283213
ICMP blocking (Nachi defense)
Post SP1 – KB 319374 & 321846
Web Proxy crash
MS02-027 – BO in Gopher protocol handler
MS03-009 – DoS in DNS IDS filter
MS03-012 – DoS in Firewall Service
MS03-028 – XSS in ISA Error pages
MS04-001 – H.323 Vulnerability

Security References
Microsoft checklists and guides:
– http://www.microsoft.com/technet/security/chklist/Default.asp
– http://www.microsoft.com/technet/security/tools/default.asp
CC configuration
– https://s.microsoft.com/isaserver/code/commoncriteria/

Security References
NSA configuration
– http://www.nsa.gov/snac/win2k/guides/w2k-11.pdf
– http://www.nsa.gov/snac/win2k/guides/inf/isa.inf
Log Forensics
– http://securityfocus.com/infocus/1712

Reliability
Windows Considerations
ISA Server 2000 Firewall Considerations

Reliability Windows Settings
NIC binding order
Routing table
Patch Patch Patch!
Redundancy
System Services
Extraneous Services

Reliability Windows Settings: NIC Binding Order
Internal – Top of list – NO Default gateway – DNS/WINS
External – Default gateway – Dial up issues
RAS – Dial up issues
DMZ – Doesn’t matter

Reliability Windows Settings: Routing Table
Static Routes – Windows routing table – RRAS routing table
Dynamic Routes – VPN issues
VPN Clients – Mystery of the Windows VPN client gateway

Reliability Windows Settings: Patches!
Service Packs – Install them now – Latest OS and ISA SP and FP
Hotfixes – Do you need them? – What about Windows Update?
Security Updates – What’s going to break?
Testing lab – Mirror config in lab – Don’t let the production network be your regression testing lab

Reliability Windows Settings: Redundancy
What are you trying to accomplish?
Web v. Server Publishing Rules
NLB v. Rainwall – Bidirectional what?
Hardware Load Balancers – Pay to play
RainConnect – Redundant Internet connectivity – Outbound and inbound
NextLAND Proturbo 800

Reliability Windows Settings: System Services
Disable Junk Services – (list several of these)
Determining Required Services – Disable and test
Remote Registry Service

Reliability Windows Settings: Extraneous Software
Server Services – It’s a firewall, not a firesale
Not a workstation – No Kazaa – No VPN client connections
Plug-ins – Test test test

Reliability ISA Settings
Test All Policies
Separate Inbound and Outbound Duties
Backing Up
Caching Arrays

Reliability ISA Settings: Field Test All Policies
Protocol Rules – The dreaded “all open” rule
Site and Content Rules – Kill anonymous access
Site and Content Rules – Server client address set for anonymous access
Kill the HTTP (Re)Director – Can’t block via Site/Content rules
Packet Filters – This ain’t no pix(en)
Web and Server Publishing Rules – FQDN in Destination Sets – The mystery of the ephemeral outbound IP address
VMware – Buy now or pay later

Reliability ISA Settings: Separate Inbound and Outbound
Separate Inbound and Outbound Servers
Inbound Servers – Web Publishing and Memory – Server publishing performance
Outbound Servers – Authentication traffic and performance – Active caching and traffic
Bandwidth – Kill bandwidth rules

Reliability ISA Settings: Backing Up
Integrated Backup Tool – Who needs ’em?
Import/Export Script – Different IP address publishing/filters (IP specific)
ISAinfo script (better know everything before you need to restore)
Disk Imaging – Careful of different hardware
Using VMware Images – Works great – performance issues

Reliability ISA Settings: Caching Array
Caching Array – Not a fault tolerance scheme – Load balancing v. load sharing – The miracle of wpad and autodiscovery

Reliability ISA Settings: Autoconfiguration and Autodetection
Wpad – DHCP – DNS
Group Policy
IEAK
Registry file
Firewall client installation

Reliability Hotfixes
ISA Server Service Pack 1 – http://www.microsoft.com/isaserver/downloads/sp1.asp
ISA Server 2000 Hotfix for Rules Engine and Potential Web Proxy Service Crash – http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=235B14FB-CDB4-4FCE-BE10-E25F869DD40E
Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service – http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-009.asp

Reliability Hotfixes
Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service – http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-012.asp
Update Rollup for ISA Server Services – http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493

Key References
Shinder ISA Server 2000 Section – www.isaserver.org/shinder
Jim Harrison’s ISAtools Site – www.isatools.org
ISA Server Performance Best Practices – http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp?frame=true

Performance
Windows Configuration
ISA Configuration

Performance; Windows Settings
IP Stack configuration – TcpTimedWaitDelay & StrictTimeWaitSeqCheck – Remove QOS when not using ISA Bandwidth Control
Page File – Separate physical drive – Not compressed/encrypted volume
Physical memory – 1024 Meg Minimum – 3072 Meg Maximum – /3GB switch – Reverse Web Cache only

Performance; Windows Settings
Disk subsystem – Only for Web Cache – RAID 0 if using RAID
NIC – Server class, 64-bit PCI-X – Multiprocessor: HW Interrupt Partitioning
SSL/IPSec Accelerators – Good only for large number of HTTPS connections
Processors (class / quantity) – Do not use the ISA server as a workstation

Performance; Windows Settings
Domain Topology – Large number of NTLM authentication requests – DNS
Logical Network – Single Default Gateway on ISA Server

Performance; ISA Settings
Rule elements – Less granular – Rule processing increases linearly – Small number of Rules with large Destination Sets
Enable Kernel Mode Data Pump – IP Routing – Significant increase to most capacity intensive Protocols – Disable filtering of IP fragments
Firewall & Web Proxy service DNS Cache – By default, services hold last 3000 DNS records for 6 hours, regardless of TTL

Performance; ISA Settings
Server Publishing – Non RPC – RPC
Web Publishing – Fewer Rules with large Destination Sets: faster, less secure – More Rules with small Destination Sets: slower, more secure – Skip name resolution
Memory Usage – Firewall Service – Web Service

Performance; ISA Settings
Split purpose – Web Proxy – Web Publishing – Firewall
Logging – Ideal is Off. Not going to happen – Logging fails, ISA stops serving content – File – Database
Reporting – Disable

Performance; ISA Clients
Outbound – Use Remote WinSock (RWS) client where possible – Set web browsers to use ISA server as Web Proxy – Streaming media clients

Performance; Registry Re-Cap
Disk
– Disable short name creation: HKLM\SYSTEM\CurrentControlSet\Control\Filesystem DWord “NtfsDisable8dot3NameCreation” 0x1
– Disable last access update: HKLM\SYSTEM\CurrentControlSet\Control\Filesystem DWord “NtfsDisableLastAccessUpdate” 0x1
– Multiprocessor only, bypassing I/O Counters: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System DWord “CounterOperations” 0x0

Performance; Registry Re-Cap
NTLM Authentication – HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters DWord “MaxConcurrentApi” 0x3 through 0x6
ISA – Internal DNS Cache
– Web Proxy: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\WebProxy DWord “msFPCDnsCacheSize” & “msFPCDnsCacheTtl”
– Firewall: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\Proxy-WSP DWord “msFPCDnsCacheSize” & “msFPCDnsCacheTtl”

Performance; Registry Re-Cap
ISA – Maximum backlog for incoming TCP connections
– Non RPC: HKLM\System\CurrentControlSet\Services\FWSRV\Parameters “ServerMappingBlacklog” DWord key. For Exchange server 0x50, Web server 0xA0.
– RPC: HKLM\Software\Microsoft\FPC\PluginRPC “ServerMappingBlacklog” and “InterfacesBacklog”. For Exchange RPC “ServerMappingBlacklog” 0xA0 and “InterfacesBacklog” 0x50.

Performance; Registry Re-Cap
ISA – Bypass Name Resolution
– HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters DWord “SkipNameResolutionForPublishingRules” 0x1
– HKLM\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters DWord “SkipNameResolutionForAccessAndRoutingRules” 0x1

Performance; References
Windows Disk
– http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch08.asp
System
– http://support.microsoft.com/default.aspx?scid=kb;en-us;171793
– http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/serverop/part2/sopch10.asp

Performance; References
ISA
– http://www.microsoft.com/technet/security/prodtech/ISA/ISAPrfBP.asp
– http://www.isaserver.org/tutorials/ISA Clients Part 1 General ISA Server Configuration.html
– http://support.microsoft.com/default.aspx?scid=kb;en-us;326040
– http://support.microsoft.com/default.aspx?scid=kb;en-us;291427
– http://support.microsoft.com/default.aspx?scid=kb;en-us;292018

Q&A
