
Wednesday, February 27, 2008

ISAserver.org - February 2008 Newsletter

ISAserver.org Monthly Newsletter of February 2008 Sponsored by: Burstek

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Why ISA Users Choose Burstek Internet Security Software

Burstek makes serious Internet security easy for ISA users. Created specifically for Microsoft and ISA environments, Burstek is easy to install & administer, and delivers feature-rich Web filtering & reporting for your entire enterprise without additional consoles, hardware, software or plug-ins. See why Burstek was voted ISAserver.org Readers' Choice Award Winner in 2007 with a free 15 day Trial!

Get a Free Trial of Burstek Right Now!

1. ISA Firewall on a Domain Controller?

The subject of putting the ISA Firewall on a domain controller came up again several times last month. This subject always raises some discussion, because the configuration is contradictory. Why contradictory? Because the ISA Firewall was designed to be a network firewall, not a host-based firewall. The only sense in which it acts as a host-based firewall is that it protects the ISA Firewall machine itself, along with the firewall server and its services. There is no explicit support for the ISA Firewall software protecting other software components that were not designed to work with it, and a domain controller, with its LDAP, Kerberos, RPC and SMB listeners, is exactly such a component.

What is counterintuitive is the fact that I have never heard of anyone wanting to put a domain controller on a PIX, or an ASA, or a Netscreen, or a Blue Coat device. In reality, the reason for this is that you cannot make any of those other devices a domain controller. But what if you could? Imagine a modern Check Point Firewall running on Windows and the security admin coming out and saying "Hey, we need to put a domain controller on that Check Point firewall". Can you imagine what would happen? I can, but I cannot communicate the picture in my head in polite company. Needless to say, making such a statement has the potential for being a career limiting move.

And so it should be when someone decides to completely break the ISA Firewall's security model by putting a domain controller on it. But the fact is, that career-limiting outcome does not happen when the firewall is an ISA Firewall. Why? Is it that people still do not take Microsoft security seriously? Perhaps, but I think it might be something else that emboldens these people to put their ISA Firewalls and domain controllers at such risk.

What I think happens with these people is that they know that Microsoft has had a problem with security in the past. While Microsoft has vastly improved their security story and has actually become one of the major security players in the market today, admins who play fast and loose with the ISA Firewall's security model know that when their DC gets "owned" by a hAx0Rz they will be able to blame Microsoft for the security issue.

It is an interesting observation and a vexing problem. People generally shy away from actions that are going to create pain and loss of reputation. That is why we do not suggest putting domain controllers on Check Point firewalls. But some people recommend to their clients, or allow their clients, to put DCs on their ISA Firewalls because they expect no pain or loss of reputation when a security incident results from this gross misconfiguration; they expect Microsoft to feel the pain and loss of reputation instead. In fact, these admins will be the first ones to point a crooked finger at Microsoft for creating such a weak firewall.

Well, I want all you ISA on a DC admins to know that we are on to you and you are not going to get away with it. Microsoft has already documented the fact that they do not support putting a DC on the ISA Firewall (outside of the SBS scenario). Check this out at Troubleshooting Unsupported Configurations in ISA Server. Since Microsoft is explicit on this, any security event due to a DC on the ISA firewall is entirely the responsibility of the admin who created such a misconfiguration. Bottom line: it will be the admin's fault for the security incident and have nothing to do with Microsoft security.

What do you think? Should Microsoft take the hit when someone deploys a configuration that breaks the ISA Firewall security model? Let me know at tshinder@isaserver.org

Thanks!

Tom

=======================

Quote of the Month - "An ISA Firewall with a DC on it is like a Bicycle with Fish on it - it smells"

Editor, ISAserver.org Newsletter, Dr. Tom Shinder

=======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They have logged literally thousands of flight hours with ISA 2006 and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

If you have been following this space, you might be aware that we have had trouble with the new Windows KB search site, in that they no longer allow you to filter your searches by date. The bad news is that this is not fixed yet. The good news is that people within Microsoft support services are aware of this problem and they know that you want to be able to filter your searches based on the date of the KB article. From what I understand, they are working on this issue up the food chain and hopefully we will have the search site fixed in the next few months. I will definitely keep you up to date and I would like to let the Microsoft personnel that I have been communicating with know that I appreciate the good work they do and their help in this matter.

5. Tips of the Month

Rob John came up with a great post on the ISAserver.org message boards last month, which contains some insight that we can all benefit from:

"If malware is using IP addresses instead of domain names, I'm not sure. I think it would then depend on whether the malware uses your proxy settings; if it does, I'm not sure how ISA would treat it since an nslookup is not required.

It would then depend on how effective your other layers (Defense in Depth) are. For my work network these are the key components:

  1. Each host has its own IPS, AV, AS protection system to prevent infection or abuses.
  2. All servers and PCs are religiously patched to prevent vulnerabilities from being exploited
  3. Very few users have admin rights
  4. All traffic on the network is controlled via PERMIT statements at the gateways (Inbound and Outbound), all other traffic is IMPLICITLY DENIED.
  5. A behavior based IDS/IPS (Lancope Stealthwatch) monitors and analyzes all traffic traversing the network via span ports on our Core switches. We know within seconds any out of profile, suspicious, or unauthorized traffic.
  6. ISA is used to filter HTTP destinations, content and applications."

Rob's approach is common sense. However, I would add to it by using the ISA Firewall client for full firewall protection, and not just HTTP filtering. When you deploy the Firewall client, you get full firewall protection: the ISA Firewall can authenticate the user for all protocols, not only Web protocols, and you can control which applications are allowed to connect through the ISA Firewall. The Firewall client adds orders of magnitude to the level of security of your ISA Firewall solution, and not using the Firewall client is something that just should never be done.


6. ISA Firewall Links of the Month

7. Blog Posts

8. Ask Dr. Tom

QUESTION: Hi Tom,

I'm deploying Windows Server 2008 DNS servers and I'm having a problem with my wpad queries. I've entered a Host (A) record for wpad on my Windows Server 2008 DNS server and it looks right. However, when I do a DNS query for wpad.domain.com, the query fails! My Web proxy and Firewall clients can't find the ISA firewall anymore because of this wpad problem. Do you have any ideas what the problem might be?

Thanks! -John.

ANSWER: Hi John! That's a very interesting question and it got me looking up what is new with the Windows Server 2008 DNS server. I was already aware of the new GlobalNames Zone, which I thought was the only new thing about the Windows Server 2008 DNS server. Guess what? I was wrong. There is another new feature included with the Windows Server 2008 DNS server: the DNS Server Global Query Block List. It turns out that with this feature enabled (the default), the DNS server refuses to answer queries for the host names wpad and isatap in every zone for which it is authoritative, even when a matching Host (A) record exists, which is exactly your symptom. The idea behind this was to prevent machines that can dynamically update DNS from registering those names and hijacking proxy auto-discovery. You can remove the names from the block list using the dnscmd.exe command line tool. Check out the DNS Server Global Query Block List article for details. Also, Rayne Weisman from the ISA Firewall Team put together some great information on this subject on their Team Blog site
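The dnscmd.exe fix described in the answer above, as an added PowerShell example that is not part of the original newsletter and not taken from Microsoft's documentation. It assumes an elevated prompt on the Windows Server 2008 DNS server itself, that the zone is example.com (a placeholder), and that the wpad Host (A) record already exists in that zone. The thing to notice is that /Config /GlobalQueryBlockList replaces the whole list with the names you supply, so you must re-list isatap (and anything else you want kept blocked) when you take wpad out.

```powershell
# Added example (not from the newsletter): inspect and edit the Windows Server 2008
# DNS Global Query Block List so that wpad.<zone> resolves again.
# Assumptions: elevated prompt on the DNS server, zone name is a placeholder,
# and the wpad A record has already been created by an administrator.

$zone     = 'example.com'        # placeholder zone name
$wpadFqdn = "wpad.$zone"

# 1. Current state. A default Server 2008 DNS server lists "wpad" and "isatap"
#    and reports EnableGlobalQueryBlockList = 1.
dnscmd /Info /GlobalQueryBlockList
dnscmd /Info /EnableGlobalQueryBlockList

# 2. Confirm the symptom: the zone holds an A record for wpad, yet a query for
#    that name comes back empty because the block list suppresses the answer.
dnscmd /EnumRecords $zone wpad
nslookup $wpadFqdn 127.0.0.1

# 3. Remove only "wpad". This switch REPLACES the entire list with the names
#    given, so re-list isatap to keep it blocked. Running the command with no
#    names would empty the list completely.
dnscmd /Config /GlobalQueryBlockList isatap

# Coarser alternative: leave the list alone and disable the feature outright.
# dnscmd /Config /EnableGlobalQueryBlockList 0

# 4. Re-check the list and verify that the name now resolves. If the answer is
#    still empty, restart the DNS Server service so it reloads the list.
dnscmd /Info /GlobalQueryBlockList
nslookup $wpadFqdn 127.0.0.1
# Restart-Service DNS
```

Taking wpad off the block list re-opens the exact hijack the list exists to stop, so (editor's recommendation, not something the newsletter states) create the wpad record yourself before lifting the block and keep the zone on secure dynamic updates only; an existing record owned by an administrator cannot then be overwritten by an ordinary workstation's dynamic update.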

QUESTION: Hi Tom,

First, I want to thank you for the great work you've done on ISAserver.org. It seems like everything you ever wanted to know about the ISA Firewall is on your site. Great work!

However, there does seem to be something missing from ISAserver.org, and that's information about how to publish Communicator Web Access 2007. I don't know if you know about this, but Communicator Web Access allows you to use a Web Communicator client. It's really cool. I'd like to see the Web Communicator log on page instead of the ISA forms based authentication page. Can I do that?

Thanks! -Richard.

ANSWER: That's a great question and some great information. I haven't looked into Office Communicator or OCS yet, so I didn't know about this cool piece of functionality. I did some Web searching and found a great article on this subject, written by my friend here in the Dallas, Texas, area - Yuri Diogenes. Yuri and a couple of cohorts on the OCS and LATAM teams (Patrick Kelley and Daniel Seveso) put together a very nice step by step guide on how to get this working. Check it out on the ISA Team Blog site

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.

