Authors
Thomas W. Shinder, M.D. (MCSE) is a computing industry veteran who
has worked as a trainer, writer, and a consultant for Fortune 500 companies
including FINA Oil, Lucent Technologies, and Sealand Container
Corporation. Tom was Series Editor for the Syngress/Osborne series of
Windows 2000 certification study guides and is author of the best selling book
Configuring ISA Server 2000: Building Firewalls for Windows 2000 (Syngress
Publishing, ISBN: 1-928994-29-6). Tom is the editor of the Brainbuzz.com
Win2k News newsletter and is a regular contributor to TechProGuild. He is also
a content editor, contributor, and moderator for the World's leading site on ISA
Server 2000, www.isaserver.org. Microsoft recognized Tom's leadership in the
ISA Server community and awarded him their Most Valued Professional
(MVP) award for the first time in December of 2001.
Debra Littlejohn Shinder (MCSE) is author of Scene of the Cybercrime:
Computer Forensics Handbook (Syngress Publishing, ISBN: 1-931836-65-5),
co-author of Configuring ISA Server 2000: Building Firewalls for Windows 2000
(Syngress Publishing, ISBN: 1-928994-29-6) and Troubleshooting Windows
2000 TCP/IP (Syngress Publishing, ISBN: 1-928994-11-3), as well as
contributor to numerous other technical books. Along with her husband, Dr.
Thomas W. Shinder, Deb does network consulting in the Dallas-Ft. Worth
area, designs Web sites for businesses, municipalities and non-profit
organizations, and teaches in the Dallas County Community College District's
technical training programs. As a former police officer and Police Academy
instructor, she specializes in computer/network security and forensics.
Deb has written hundreds of articles for Web and print publications such
as TechRepublic, CNET, Swynk.com, BrainBuzz.com, and WinXP News. She
has also written numerous online courses for DigitalThink, Inc. and prepared
curricula for classroom instruction. She has contributed to Microsoft's
TechNet, and speaks at conferences such as the BlackHat security briefings
and Certification Expo. She edits the A+ weekly newsletter for CramSession
and writes a weekly feature for the Net Admin News.
Deb has been writing since she finished her first (still unpublished) novel
in ninth grade. She edited her high school and college newspapers and wrote
and edited newsletters for city employees and police associations. Prior to
entering the tech field, she had articles published in law enforcement and
self-help psychology publications. She is a member of the IEEE's IPv6
Working Group and has written and tech edited questions for various
certification practice exams.
Contributor
Mark Burnett is an independent security consultant and freelance writer
who specializes in securing IIS. He is co-author of Maximum Windows
Security and Special OPS: Host and Network Security for Microsoft, UNIX, and
Oracle (Syngress Publishing, ISBN: 1-931836-69-8). Mark is a regular
contributor to many security-related magazines, newsletters, and Web
publications. As editor of www.iissecurity.net, Mark shares his own unique
research as well as that from security researchers around the globe.
Technical Editor and Contributor
Martin Grasdal (MCSE+I, MCSE/W2K, MCT, CISSP, CTT, A+), Director
of Web Sites and CTO at Brainbuzz.com, has worked in the computer
industry for over nine years. He has been an MCT since 1995 and an MCSE
since 1996. His training and networking experience covers a broad range of
products, including NetWare, Lotus Notes, Windows NT and 2000,
Exchange Server, IIS, Proxy Server, and ISA Server. Martin also works
actively as a consultant. His recent consulting experience includes contract
work for Microsoft as a Technical Contributor to the MCP Program on
projects related to server technologies. Martin has served as Technical Editor for
several Syngress books, including Configuring ISA Server 2000: Building
Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Configuring and
Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6). Martin lives
in Edmonton, Alberta, Canada with his wife, Cathy, and their two sons.
About the CD-ROM
The CD-ROM that accompanies this book contains:
- Transcender's Installing, Configuring, and Administering Microsoft ISA Server
2000 Exam, ISA-CERT Version 1.0.
- 30-day evaluation copy of VMware Workstation 3.2 for Windows.
VMware Workstation 3.2 for Windows
Copyright 1998-2002, VMware, Inc. All Rights Reserved. Software protected by
U.S. Patent No. 6,397,242 and patents pending. VMware is a trademark of
VMware, Inc.
Visit m.vmv
If you do not have
and key.
- E-book of Dr. [...]
- E-book of Hack [...]
Foreword and Acknowledgements
We first came up with the idea of an ISA Server and Beyond book almost a year ago.
Soon after the release of our best selling book Configuring ISA Server: Building Firewalls
for Windows 2000, we realized that our work wasn't complete. While we felt we did a
good job of covering the basics of ISA Server and how to get it to work, there wasn't
enough material on the most sophisticated and complex configurations.
The ISA Server community has grown enormously since we finished our first book
on ISA Server. At the time of this writing, ISAServer.org has over 10,000 members and
over 65,000 unique visitors per month generating over a million page views. Many visi-
tors to the ISAServer.org site have read our first ISA Server book, and they want to
learn more about how to perfect more advanced configurations.
The first part of this book covers the least understood and most under documented
ISA Server configurations. We discuss the details of how to configure various DMZ
topologies, from the trihomed DMZ to the back to back DMZ to the completely
undocumented LAT-based DMZ. DMZs are the cornerstone of a highly secure
Internet publishing and internal network security scheme, and the proper configuration
of ISA Server DMZs can go a long way toward securing your internal network. We also
cover advanced topics in Web and Server Publishing. Making servers located behind
ISA Server available to the Internet is one of the most popular ISA Server [...].
Unfortunately, we weren't able to cover the intricacies of [...]
in the first ISA Server book. This book fills that gap and [...]
and (until now) undocumented [...]
server to the Internet. [...] to publish [...]
services and Outlook Web Access. [...]
and detailed information on ISA Server publishing [...] you'll find in these [...].
In the second half of this book [...] ISA Server and into the realm
of general network and Windows security. Network security has become the
bellwether of our age, and no book on firewall security can be worth its salt without some
coverage of the services that the firewall is designed to secure. You'll learn about default
Windows 2000 permissions, IIS security, EFS, wireless security, and IPSec. When you
pair the information contained in these chapters with what you learn about ISA Server,
you'll be assured that you have a powerful armamentarium to defend your network.
You'll notice that I make liberal use of VMware in the first part of this book. While I
would have liked to show you the configuration details on any one of the number of
production networks we've set up, it wouldn't be wise from a security point of view to
expose our customers' network screenshots in such a widely distributed security book.
VMware provides a perfect environment for testing a tremendous variety of ISA Server
configuration scenarios. [...] the time we can use VMware to create routed virtual
networks of ISA Servers, Web servers, mail servers, and clients to test our designs. I
guarantee that the practice you gain while setting up your ISA Server scenarios in VMware
will pay off handsomely by giving you valuable experience and insights that you would
never otherwise have realized. We've included a demonstration version of VMware
Workstation 3.2 for Windows on the CD that accompanies this book.
I did not write this entire book alone, and without the help of many people, this
book never would have seen the light of day. My lovely wife, Deb Shinder, wrote
Chapter 1 and rewrote and made comprehensive revisions and enhancements to the
material in Chapters 7, 9, 10, 11, and 12. This book would read like just another
Windows security book if it weren't for Debi's prodigious talents. I could never have
finished this book, or have done anything else of value in my life without her. I dedi-
cate this book and its success to her. Extra special thanks go to Andrew Williams.
Andrew kept pressing me to get this book done, and without his gentle cattle prodding,
this book would have been finished sometime in the year 2005. Jon Babcock made sure
that everything came out right, and that I submitted Visio files instead of .gifs! My dear
friend Martin Grasdal wrote the seminal piece on Wireless networking in the second
half of this book, as well as performing a technical edit on all chapters in this book.
Martin is one of the most knowledgeable network engineers I've ever had the pleasure
to know, and it has been our good luck to benefit from his knowledge and experience
in both the first ISA Server book and this book. Mark Burnett wrote the chapter on
IIS security. Mark is one of the stars of IIS security, and we are especially pleased to
have his expert assistance and contributions to this book. IIS security is paramount for
all of us who want to use ISA Server to publish our IIS Web sites. I think you'll get
quite a bit of useful information from his chapter.
There are literally thousands of others who have contributed to this book. All the
participants of the Microsoft newsgroups, ISAServer.org Web boards, and ISAServer.org
mailing list have contributed to the ISA Server knowledge base. Key players on the ISA
Server team at Microsoft have also contributed greatly to what we know about ISA
Server today. It's impossible to list them all by name, but there are a few who I must
mention because of their enormous influence: Joern Wettern for his unique insight into ISA
Server; Zach Gutt and Ari Fruchter for being the best Microsoft managers I've ever had
the pleasure to work with; Ronald Beekelaar for being such a computer genius and ISA
Server junkie; Steve Riley for reminding me of myself when I was a 20 year old long hair
Berkeley undergraduate (and for being a penultimate ISA Server guru); Craig Nelson for
being a really relaxed dude and "the VPN man"; Steven Pouseele for his tireless efforts at
educating the masses (and me) at ISAServer.org; and most of all, Jim Harrison, for his
limitless energy in supporting the ISA Server community and for his unusually good
sense of humor. Special mention goes to the owner and master of ISAServer.org,
Stephen Chetcuti. The ISA Server community would be a much smaller and much sadder
place if not for his dedication and tireless commitment to ISAServer.org.
Thomas W. Shinder, M.D.
www.isaserver.org/shinder
Chapter 1
Defending the Network with ISA Server and Beyond

Defensive Tactics in this Chapter:
- ISA Server Overview
- [...]
- [...] Design [...]
- Beyond ISA Server
- Summary
- Defensive Tactics Fast Track
- Frequently Asked Questions
Introduction
Our first ISA Server book, Configuring ISA Server 2000, was written while we were still
struggling to master a completely new piece of software, one that was very different in
features, functionality, and complexity from its predecessor, Microsoft Proxy Server 2.0.
We were working with beta releases during much of the writing, and then revising the
material to address changes in the final release.
In the year and a half since that book came out, we've gotten to know ISA Server
much more intimately. Through working with it on a daily basis on our network, assisting
and supporting others in the "real world" and via ISA newsgroups, mailing lists, confer-
ences, and the www.isaserver.org Web site, we've come to know its quirks, peculiarities,
and limitations, and learned some tweaks and tricks that will make it work better.
We have also come to understand, even more than before, that ISA or any other
firewall solution is only one part (albeit an important one) of a comprehensive network
security plan. The importance of multilayer security becomes more evident every day, as
hackers and attackers work industriously to find ways through the barriers we set up.
No single product can provide full protection for your network's data and integrity,
regardless of how good it is.
This book is the natural follow-up to the first. Although it can stand on its own for
those who have some experience using ISA Server, we recommend that anyone new to
the product read Configuring ISA Server 2000 first, as this book will not cover in detail
the basic issues that were addressed there. This book will delve into issues that did not
exist when we wrote the first (such as ISA Service Pack 1 and using ISA with Windows
.NET servers) and advanced configuration and network design issues (such as using ISA
Server in different types of DMZs/perimeter networks, advanced server publishing
techniques involving terminal server and Exchange server, and defending your mail
services with ISA Server).
The material in the next three sections of this chapter (ISA Server Overview,
Installing ISA Server, and Getting Started with ISA Server) contains material
that is intended for new ISA users. This is the only area of information in this
book that will overlap with that of the previous book. If you already have
experience with ISA, you might want to skip ahead to the section entitled Installing
and Using Service Pack 1, where the all-new material begins. The remainder of
the book assumes that you already have a thorough understanding of ISA
Server features and functions.
This book also goes beyond ISA Server, examining other parts of your multilayered
security plan. We discuss how to use Windows security features (such as the Security
Configuration Toolset, the Encrypting File System, IPSec, and IIS security) and how to
implement smart card authentication and secure wireless networks.
We hope this book will provide additional guidance to network professionals who
are using ISA Server in complex network situations, until it's time to take the next step
beyond ISA Server 2000: the next generation of ISA, which is code named Stingray
and is in beta testing at the time of this writing.
ISA Server Overview
Microsoft's Internet Security and Acceleration (ISA) Server replaced Microsoft Proxy
Server 2.0, providing full-fledged firewall functionality for a much more robust security
solution, along with improved caching/Web performance features. In the current secu-
rity-conscious business climate (made more so by the events of September 11, 2001 and
subsequent speculation that terrorists might be planning attacks on the cyberspace
infrastructure), the security aspect has naturally drawn the most attention.
The Increasing Importance of Security
As we progress into the twenty-first century, most companies and individuals who use
computers have those systems connected to the global Internet at least part of the time.
Even at the consumer level, 24/7 connectivity is becoming the norm as DSL, cable
modem, and satellite technologies become more widely available and increasingly easier
to set up and use. This gives computer users access to a tremendous wealth of
information that they didn't have before, and makes many of their jobs easier, but it also
creates vulnerabilities.
Logic dictates that if the users of your local network are able to access resources on
computers all over the world, users of some of those computers might also be able to
access yours. The connection is two way, and if you don't take steps to protect your
internal network from intruders, it will be easy for a moderately knowledgeable hacker
to read the files stored on your network servers, copy confidential data, and even
implant viruses or erase your hard disks.
However, it's not only confidentiality of information that is at stake. Some network
administrators might not realize that security can be a concern even if the data on your
network is not of a "top secret" nature. The integrity of your data is also crucial. A
security solution focuses on keeping outsiders from accessing data that is private and
ensuring that important data is not destroyed or changed.
Security threats come in many "flavors," but can be broadly divided into two
categories: external threats and internal threats. For example, a Denial of Service (DoS)
attack perpetrated by a hacker at a remote location is an external security threat.
Accidental deletion of important files by a company employee onsite is an internal
threat. At first glance, it might seem that ISA Server only protects you from external