I'm planning to deploy a new ISA Server 2006 Standard Edition server on our network. My thought was that this server should be made extremely secure in terms of the ISA server and OS itself.
My plan is to first install the OS and then:
1. Install OS SPs and patches
2. Install the ISA Server 2006
3. Install SP1 for ISA Server 2006
4. Run the Security Configuration Wizard to secure the server OS.
When I do this in a test VMware environment the server works fine as a web proxy and firewall, but the event log contains errors like:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
And
The COM+ Event System failed to create an instance of the subscriber {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. StandardCreateInstance returned HRESULT 80070422.
And
disabled or because it has no enabled devices associated with it. " attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
Why do these errors appear and can they be ignored?
Also I get errors like:
The session setup to the Windows NT or Windows 2000 Domain Controller \\WINSERVER.nexoe.dom for the domain NEXOE is not responsive. The current RPC call from Netlogon on \\ISA to \\WINSERVER.nexoe.dom has been cancelled.
Where Winserver is the domain controller.
Furthermore, I want to disable the following Windows services, which are not disabled by the SCW:
- Server service
- WinHTTP Web Proxy Auto-Discovery
- Smart card
- TCP/IP NetBIOS helper
- DHCP Client
- Secondary logon
- Removable storage
Are there any implications in disabling these services?
Posts: 477
Joined: 20.Jan.2009
From: Southern California
With regard to the services, disabling the TCP/IP NetBIOS Helper service will prevent you from being able to log in to the system interactively. Disabling the DHCP Client service will prevent automatic DNS hostname registration, so make sure you have configured those records manually. The Server service will be required if you expect to do any sort of remote administration. The others can safely be shut down and disabled.
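An added example (not posted by anyone in this thread) showing one way to check the service baseline the reply above describes on the ISA host itself, and to confirm the manual DNS record it says you need once DHCP Client is off. It assumes Windows PowerShell 2.0 is installed on the Windows Server 2003 box and the script runs elevated; the short service names are the standard Windows ones, and the baseline (Server, DHCP Client and TCP/IP NetBIOS Helper left on, the rest disabled) is taken from the reply, not from any Microsoft guidance. The FQDN and IP address in the usage lines are placeholders.

```powershell
# Added example, not from the thread. Audits the Windows services discussed
# above against the baseline the reply gives and, optionally, enforces it.
# Assumes: Windows PowerShell 2.0 on the Windows Server 2003 / ISA 2006 host,
# run from an elevated session. Short service names are the standard ones.

$Baseline = @{
    # keep running: the reply says these break logon, DNS registration or remote admin
    'LanmanServer'        = 'Auto'       # Server (admin shares, remote MMC)
    'Dhcp'                = 'Auto'       # DHCP Client (dynamic DNS registration)
    'lmhosts'             = 'Auto'       # TCP/IP NetBIOS Helper (interactive logon, per the reply)
    # safe to disable, per the reply
    'WinHttpAutoProxySvc' = 'Disabled'   # WinHTTP Web Proxy Auto-Discovery
    'SCardSvr'            = 'Disabled'   # Smart Card
    'seclogon'            = 'Disabled'   # Secondary Logon
    'NtmsSvc'             = 'Disabled'   # Removable Storage
}

function Get-ServiceDrift {
    # Returns one object per service whose start mode differs from the baseline.
    # Win32_Service.StartMode is one of Auto / Manual / Disabled (plus Boot/System for drivers).
    param([hashtable]$Expected = $Baseline)
    $drift = @()
    foreach ($name in $Expected.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            $actual = 'missing'; $state = 'n/a'
        } else {
            $actual = $svc.StartMode; $state = $svc.State
        }
        if ($actual -ne $Expected[$name]) {
            $drift += New-Object PSObject -Property @{
                Service  = $name
                Expected = $Expected[$name]
                Actual   = $actual
                State    = $state
            }
        }
    }
    return $drift
}

function Set-ServiceBaseline {
    # Applies the baseline: disables and stops the 'Disabled' entries and sets
    # the 'Auto' entries to Automatic. Services not in the table are untouched.
    param([hashtable]$Expected = $Baseline)
    foreach ($name in $Expected.Keys) {
        if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) { continue }
        switch ($Expected[$name]) {
            'Disabled' {
                Set-Service -Name $name -StartupType Disabled
                Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            }
            'Auto' { Set-Service -Name $name -StartupType Automatic }
        }
    }
}

function Test-OwnDnsRecord {
    # With DHCP Client off, nothing registers the host in DNS, so confirm the
    # A record exists and points at the internal NIC before relying on it.
    param([string]$Fqdn, [string]$InternalIp)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    } catch {
        return "$Fqdn does not resolve: $($_.Exception.Message)"
    }
    if ($addrs -contains $InternalIp) { return "$Fqdn -> $InternalIp OK" }
    return "$Fqdn resolves to $($addrs -join ', '), expected $InternalIp"
}

# Usage: review the drift report first, then enforce.
Get-ServiceDrift | Format-Table Service, Expected, Actual, State -AutoSize
# Set-ServiceBaseline                                          # uncomment once the report looks right
# Test-OwnDnsRecord -Fqdn 'isa.nexoe.dom' -InternalIp '10.0.0.10'   # placeholders for your own record
```

Run the drift report before and after SCW so you can see exactly which of these the wizard already handled; `Set-ServiceBaseline` only changes start modes for the names in the table, so it will not undo anything else SCW did.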
Any idea why the Netbios Helper service is required for login? I would suspect that all Netbios would be best to disable for security reasons.
Regarding the DHCP client service: I guess it's not needed at all that the ISA registers its DNS. Either it can be set manually or it can be ignored. It might even be better for security if the ISA server is not in the local DNS...
Any idea why these COM+ events occur in the log? Can they be ignored without suddenly losing mission-critical features on the server?
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
COM+ errors are pretty common after using SCW, if I remember correctly... the choices you make in the wizard will often affect the services that get disabled - are you going with the defaults or are you disabling feature and admin options? If so, which?
Have a look at the following doc for guidelines on what services are needed for ISA.
Another thing to consider is that by disabling the DHCP service you will also not be able to assign VPN clients dynamic addresses using DHCP from the internal network.
Personally, I would use SCW (as per the MS guide) and live with the errors or possibly modify the COM object using dcomcnfg.
It is debatable how much value SCW provides with a properly configured ISA Server, but it does provide defence in depth, which is no bad thing normally... if system policy is configured properly and you use a good least-privilege model for your firewall policy, there should be minimal inbound connectivity to allow external devices to ever touch the OS, as all traffic will traverse the firewall kernel driver before reaching the OS.
Cheers
JJ
< Message edited by Jason Jones -- 11.Mar.2009 8:03:19 PM >
It's cool to know about the VPN issue and the DHCP client service, I didn't realize this.
If you say that these COM+ errors are pretty common, I guess I'll leave it at this. I just wanted to make sure that this wouldn't have an impact on the ISA services and firewall functionality.
However, I see a new issue in the log now: "Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted.) Group Policy processing aborted."
The ISA server is not supposed to get policies via group policy. I will rather apply local policies to the server, as I think the more 'closed' it is to the outside environment, the better. However, will this error have any negative impact on the server regarding its membership in the AD? It's OK that it cannot get policies, but if it forgets its own name I guess it's not too good.
<quote> COM+ errors are pretty common after using SCW if I remember correctly...the choices you choose in the wizard will often affect the services that get disabled - are you going with default or are you disabling feature and admin options? If so, which? </quote>
I pretty much used the defaults. I ran through the wizard and skipped the networking section because of the server role.
I have chosen ISA Server 2004 as the only server role and then disabled a couple more services in the services applet.
If you don't want it to receive GPs then put it in an OU that has no policies applied. It needs to be able to contact the DC for various reasons.
Hi.
It will not receive GPs. My concern was about the error in the event log telling me that the server couldn't even remember its own name and couldn't contact the domain.
I'm aware of the possibilities to nest objects in AD and apply policies etc. :-)
I became aware of the link right after I replied to Jason. So the patch is downloaded and will be applied for the next test.
I'm planning to re-install it all and apply SP2 for Server 2003 as well, and also the SCW patch, and see if this maybe gives another view on the event viewer problems.
I'm finally getting to the bottom of the testing - I have actually made more than one test because I ran into some problems after applying SP2 to Windows Server 2003, which made the system hang after installing the ISA server software.
The things I did were:
1. Install the OS - Windows Server 2003 Standard Edition
2. Install Service Pack 2 for Windows 2003
3. Disable RSS as per the article in my last post
4. Install ISA Server 2006
5. Install Service Pack 1 for ISA 2006
I wanted to run the SCW but the server started to behave strangely and hung. I needed to restart the server and it continued. I went further and found an article describing how to disable further networking features from the SNP package: http://support.microsoft.com/kb/948496
Still no luck.
I decided to start all over for the third time and skip the Service Pack 2 install. Everything went fine then; I could manage to create firewall rules and test with the ISA server after I had applied the SCW.
I updated the working server with SP2 and other updates, re-applied the SCW policy I created earlier (just in case), and everything worked just fine.
Strange, isn't it? It obviously works when applying SP2 for Windows after all the other steps, but not if you apply it as one of the preliminary steps before installing ISA Server.
OK, I decided to go for another install because I really wanted SP2 applied before anything else. It's my opinion that all such core components as updates and SPs should be installed before any other software, especially on an ISA server.
This time I did the OS install and then:
1. Installed a patch disabling the SNP pack for SP2 for Windows
2. Made sure that the above-mentioned reg keys were actually turned off by the patch
3. Installed the ISA Server 2006 software
4. Installed SP1 for ISA 2006
5. Installed SCW
6. Installed the update files for the SCW to contain the ISA 2006 role
I'm not completely done with all the steps for this test install, but everything seems to work just fine again and the server is updating from Microsoft Update at the moment, installing 48 patches.
I will then run the SCW and hopefully everything will work just fine to complete my install documentation for the real install :-)
I still cannot figure out why it didn't work the first time when I installed SP2 and amended the reg keys/DWORD values. But it appears that the update patch for SNP really works, and maybe it does something else other than amending the values in the registry?
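An added example, not part of the thread and not the contents of the hotfix, for repeating step 2 of the install above ("made sure the reg keys were actually turned off") after every rebuild. It checks, and optionally sets, the three Scalable Networking Pack values that KB948496 documents under the Tcpip parameters key. It assumes Windows PowerShell 2.0 on the Windows Server 2003 SP2 host, run elevated; the key path, value names and the fact that a reboot is needed for them to take effect are from the KB, and nothing else the hotfix might do is covered here.

```powershell
# Added example, not from the thread. Verifies (and optionally applies) the
# three Scalable Networking Pack switches that KB948496 sets to 0 on
# Windows Server 2003 SP2. Assumes PowerShell 2.0 on the host, elevated.
# Anything beyond these three values that the hotfix may do is not covered.

$SnpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$SnpValues = @('EnableTCPChimney', 'EnableRSS', 'EnableTCPA')   # each must be DWORD 0

function Get-SnpDrift {
    # Returns the names of values that are missing or not 0. A missing value
    # counts as drift because the SP2 default for these features is "enabled".
    param([string]$Key = $SnpKey, [string[]]$Names = $SnpValues)
    $drift = @()
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        if ($props -eq $null -or $props.$n -eq $null) {
            $drift += "$n (missing)"
        } elseif ($props.$n -ne 0) {
            $drift += "$n=$($props.$n)"
        }
    }
    return $drift
}

function Set-SnpDisabled {
    # Writes the three values as DWORD 0, creating them if absent (-Force
    # overwrites an existing value). The change is read at boot, so a
    # restart is still required before the driver stops using offload.
    param([string]$Key = $SnpKey, [string[]]$Names = $SnpValues)
    foreach ($n in $Names) {
        New-ItemProperty -Path $Key -Name $n -Value 0 -PropertyType DWord -Force | Out-Null
    }
    return (Get-SnpDrift -Key $Key -Names $Names)   # empty list means all three are now 0
}

# Usage: audit first; apply only on a host where you intend to reboot next.
$drift = Get-SnpDrift
if ($drift.Count -eq 0) {
    Write-Host 'SNP values are all 0 (chimney, RSS and NetDMA off in the registry).'
} else {
    Write-Host "SNP drift: $($drift -join ', ')"
    # Set-SnpDisabled; Write-Host 'Values written; reboot required.'   # uncomment to remediate
}
```

Run `Get-SnpDrift` right after applying the hotfix and again after the reboot that follows the ISA and SCW installs; if the values read 0 but the box still misbehaves, the registry is not the variable to keep chasing, which is the question the last paragraph above raises.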