
Welcome to ISAserver.org


Securing the ISA server box

Securing the ISA server box - 11.Mar.2009 10:02:49 AM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
Hi.

I'm planning to deploy a new ISA Server 2006 Standard Edition server on our network.
My thought was that this server should be made extremely secure in terms of the ISA server and OS itself.

My plan is to first install the OS and then:
1. Install OS SPs and patches
2. Install the ISA Server 2006
3. Install SP1 for ISA Server 2006
4. Run the Security and Configuration Wizard to secure the server OS.

When I do this in a test VMware environment the server works fine as a web proxy and firewall, but the eventlog contains errors like:

The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code.  HRESULT was 80040201.

And

The COM+ Event System failed to create an instance of the subscriber {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}.  StandardCreateInstance returned HRESULT 80070422.

And

disabled or because it has no enabled devices associated with it. " attempting to start the service SENS with arguments "" in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Why do these errors appear and can they be ignored?

Also I get errors like:

The session setup to the Windows NT or Windows 2000 Domain Controller \\WINSERVER.nexoe.dom for the domain NEXOE is not responsive.  The current RPC call from Netlogon on \\ISA to \\WINSERVER.nexoe.dom has been cancelled.

Where Winserver is the domain controller.

Furthermore I want to disable the following Windows services which are not disabled by the SCW:
- Server service
- WinHTTP Web proxy auto-discovery
- Smart card
- TCP/IP Netbios helper
- DHCP Client
- Secondary logon
- Removable storage

Are there any implications in disabling these services?

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net
Post #: 1
RE: Securing the ISA server box - 11.Mar.2009 12:15:22 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Yup, don't use the wizard....

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to ThomasNexoe)
Post #: 2
RE: Securing the ISA server box - 11.Mar.2009 12:38:25 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
With regard to the services, disabling the TCP/IP Netbios helper service will prevent you from being able to log in to the system interactively. Disabling the DHCP client service will prevent automatic DNS hostname registration, so make sure you have configured those records manually.  The Server service will be required if you expect to do any sort of remote administration.  The others can safely be shut down and disabled.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to ThomasNexoe)
Post #: 3
RE: Securing the ISA server box - 11.Mar.2009 4:51:59 PM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
Hi.

Thanks for replying!

Any idea why the Netbios Helper service is required for login? I would suspect that all Netbios would be best to disable for security reasons.

Regarding the DHCP client service. I guess it's not needed at all that the ISA registers its DNS. Either it can be set manually or it can be ignored. It might be an even better security if the ISA server is not in the local dns...

Any idea why these COM+ events occur in the log?
Can they be ignored without suddenly losing mission-critical features on the server?

Cheers!

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to richardhicks)
Post #: 4
RE: Securing the ISA server box - 11.Mar.2009 7:58:57 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
COM+ errors are pretty common after using SCW if I remember correctly...the choices you choose in the wizard will often affect the services that get disabled - are you going with default or are you disabling feature and admin options? If so, which?

Have a look at the following doc for guidelines on what services are needed for ISA.

http://technet.microsoft.com/en-us/library/bb794718.aspx

Another thing to consider is that by disabling the DHCP service you will also not be able to assign VPN clients with dynamic addresses using DHCP from the internal network.

Personally, I would use SCW (as per the MS guide) and live with the errors or possibly modify the COM object using dcomcnfg.

It is debatable how much value SCW provides with a properly configured ISA Server, but it does provide defence in depth, which is no bad thing normally...if system policy is configured properly and you use a good least privilege model for your firewall policy there should be minimal inbound connectivity to allow external devices to ever touch the OS as all traffic will traverse the firewall kernel driver before reaching the OS.

Cheers

JJ

< Message edited by Jason Jones -- 11.Mar.2009 8:03:19 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ThomasNexoe)
Post #: 5
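
A read-only check of the seven services discussed in the posts above, as an added example that is not part of any post in this thread. It assumes Windows PowerShell 2.0 is installed on the server; the function name `Get-ServiceHardeningReport` is hypothetical, and the short service names are the Windows Server 2003 names for the display names listed in the first post.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
# Caveats paraphrase what the replies above say about each service.
$plan = @(
    @{ Name = 'LanmanServer';        Caveat = 'Server: required for remote administration' },
    @{ Name = 'WinHttpAutoProxySvc'; Caveat = '' },
    @{ Name = 'SCardSvr';            Caveat = '' },
    @{ Name = 'LmHosts';             Caveat = 'TCP/IP NetBIOS Helper: reported to prevent interactive logon' },
    @{ Name = 'Dhcp';                Caveat = 'No automatic DNS registration; no DHCP addresses for VPN clients' },
    @{ Name = 'seclogon';            Caveat = '' },
    @{ Name = 'NtmsSvc';             Caveat = '' }
)

function Get-ServiceHardeningReport {
    param([object[]]$Plan)

    foreach ($entry in $Plan) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
        $svc = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $entry.Name)
        if (-not $svc) {
            New-Object PSObject -Property @{
                Name = $entry.Name; StartMode = 'NotInstalled'; State = '';
                RunningDependents = ''; Caveat = $entry.Caveat
            }
            continue
        }

        # Services that depend on this one and are running now would be
        # stopped or fail to start once it is disabled.
        $dependents = @((Get-Service -Name $entry.Name).DependentServices |
            Where-Object { $_.Status -eq 'Running' } |
            ForEach-Object { $_.Name })

        New-Object PSObject -Property @{
            Name              = $svc.Name
            StartMode         = $svc.StartMode
            State             = $svc.State
            RunningDependents = ($dependents -join ', ')
            Caveat            = $entry.Caveat
        }
    }
}

Get-ServiceHardeningReport -Plan $plan |
    Select-Object Name, StartMode, State, RunningDependents, Caveat |
    Format-Table -AutoSize -Wrap
```

Running it before and after applying the SCW policy shows which of these services the wizard changed and which still have running dependents.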
RE: Securing the ISA server box - 12.Mar.2009 10:23:27 AM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
Hi.

Thanks for getting back to me on this!

It's cool to know about the VPN issue and the DHCP client service, I didn't realize this.

If you say that these com+ errors are pretty common, I guess I'll leave it with this. I just wanted to make sure that this wouldn't get an impact on the ISA services and firewall functionality.

However, I see a new issue in the log now.
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

The ISA server is not supposed to get policies via group policy. I will rather apply local policies to the server as I think the more 'closed' it is to the outside environment, the better.
However, will this error have any negative impact on the server regarding its membership in the AD?
It's ok that it cannot get policies but if it forgets its own name I guess it's not too good.

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to Jason Jones)
Post #: 6
RE: Securing the ISA server box - 12.Mar.2009 10:26:36 AM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
<quote>
COM+ errors are pretty common after using SCW if I remember correctly...the choices you choose in the wizard will often affect the services that get disabled - are you going with default or are you disabling feature and admin options? If so, which?
</quote>

I pretty much used the defaults. I ran through the wizard and skipped the networking section because of the server role.

I have chosen ISA Server 2004 as the only server role and then disabled a couple more services in the services applet.

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to Jason Jones)
Post #: 7
RE: Securing the ISA server box - 12.Mar.2009 10:26:40 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
If you don't want it to receive GP's then put it in an OU that has no policies applied. It needs to be able to contact the DC for various reasons.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to ThomasNexoe)
Post #: 8
RE: Securing the ISA server box - 12.Mar.2009 11:17:32 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

quote:

I have chosen ISA Server 2004 as the only server role and then disabled a couple more services in the services applet.

ISA 2004?? You have to update the SCW to apply ISA 2006 templates. The link Jason provided you has another link on how to do it.

The only DCOM error I get after installing ISA server is this:
http://support.microsoft.com/kb/931355

Regards,
Paulo Oliveira.

(in reply to ThomasNexoe)
Post #: 9
RE: Securing the ISA server box - 12.Mar.2009 11:59:09 AM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
quote:

ORIGINAL: SteveMoffat

If you don't want it to receive GP's then put it in an OU that has no policies applied. It needs to be able to contact the DC for various reasons.


Hi.

It will not receive gps.
My concern was about the error in the event log telling me that the server couldn't even remember its own name and couldn't contact the domain.

I'm aware of the possibilities to nest objects in AD and apply policies etc. :-)

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to SteveMoffat)
Post #: 10
RE: Securing the ISA server box - 12.Mar.2009 12:01:16 PM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
quote:

ORIGINAL: paulo.oliveira

Hi,

quote:

I have chosen ISA Server 2004 as the only server role and then disabled a couple more services in the services applet.

ISA 2004?? You have to update the SCW to apply ISA 2006 templates. The link Jason provided you has another link on how to do it.

The only DCOM error I get after installing ISA server is this:
http://support.microsoft.com/kb/931355

Regards,
Paulo Oliveira.


I got aware of the link right after I replied to Jason. So the patch is downloaded and will be applied for next test.

I'm planning to re-install it all and apply the SP2 for Server 2003 as well and also the SCW patch and see if this maybe gives another view on the event viewer problems.

Thanks guys!
Cheers

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to paulo.oliveira)
Post #: 11
RE: Securing the ISA server box - 12.Mar.2009 12:54:57 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Thomas,

Very nice!! Don't forget to disable RSS after installing Windows Server 2003 SP2.

Keep us updated!

Regards,
Paulo Oliveira.

(in reply to ThomasNexoe)
Post #: 12
RE: Securing the ISA server box - 12.Mar.2009 4:30:55 PM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
Thanks for letting me know.
I have found the article here http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695

I will post updates on how it goes with the second test install.

Cheers!

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to paulo.oliveira)
Post #: 13
RE: Securing the ISA server box - 20.Mar.2009 10:16:20 AM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
Hi guys.

I'm finally getting to the bottom of the testing - I have actually made more than one test because I ran into some problems after applying the sp2 to Windows Server 2003, which made the system hang after installing the ISA server software.

The things I did were:
1. Install the OS - Windows Server 2003 Standard Edition
2. Install Service Pack 2 for Windows 2003.
3. Disabled RSS as per the article in my last post
4. Installed the ISA server 2006
5. Installed service pack 1 for ISA 2006

I wanted to run the SCW but the server started to behave strangely and hung. I needed to restart the server and it continued.
I went further and found an article describing how to disable further networking features from the SNP package
http://support.microsoft.com/kb/948496

Still no luck.

I decided to start all over for the third time and skip the service pack 2 install.
Everything went fine then I could manage to create firewall rules and test with the ISA server after I had applied the SCW.

I updated the working server with sp2 and other updates, re-applied the scw policy I created earlier (just in case), and everything worked just fine.

Strange isn't it? It obviously works when applying the sp2 for Windows after all the other steps, but not if you apply it as some of the preliminary steps before installing ISA server.

Ok, I decided to go for another install because I really wanted the sp2 applied before anything else. It's my opinion that all such core components as updates and sps should be installed before any other software, especially on an ISA server.

This time I did the OS install and then:
1. Installed a patch disabling the SNP pack for sp2 for Windows.
2. Made sure that the above mentioned reg keys were actually turned off by the patch.
3. Installed the ISA Server 2006 software
4. Installed the sp1 for ISA 2006
5. Installed SCW
6. Installed the update files for the SCW to contain the ISA 2006 role

I'm not completely done with all the steps for this test install, but everything seems to work just fine again and the server is updating from microsoftupdate at the moment installing 48 patches.

I will then run the SCW and hopefully everything will work just fine to complete my install documentation for the real install :-)

I still cannot figure out why it didn't work the first time when I installed the sp2 and amended the reg keys/dword values.
But it appears that the update patch for SNP really works and maybe it does something else other than amending the values in the registry?

I hope someone else can benefit from this.

Cheers,
Thomas


_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to ThomasNexoe)
Post #: 14
