ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.


Tuesday, November 20, 2012

This blog will be removed in a couple of months. I encourage everyone to follow me on my new blog at http://www.thirdtier.net/blog

thanks for reading...Amy

Wednesday, September 26, 2007

This Is The Last Post

This is the last post for this particular blog.

Don't panic! I've created a new blog. The new blog will have a much broader focus and cover not only ISA but the full range of security challenges encountered by small businesses every day. It will include technical how to, as well as opinion, commentary and product reviews.

The new blog location is http://securesmb.harborcomputerservices.net/


I will keep this blog online for some period as an archive.

Monday, August 27, 2007

ISA SP3 Logging Improvements

I've been so busy lately that I haven't had a chance to blog much. Thank goodness the official ISA blog has picked up the slack. :) They've put out some great posts lately, including today's: Logging Diagnostic Improvements in SP3. You definitely need to check it out.

http://blogs.technet.com/isablog/archive/2007/08/26/diagnostic-improvements-in-isa-server-2004-service-pack-3.aspx

ISA @ SMBNation

ISA will be featured in the technical track at SMB Nation this year. My presentation back in March at SMBTN was well received. I'll be building on that presentation. I will demonstrate several configurations that are in demand for SMB consultants:

Spam and Flood protection
Limiting Internet Access: Integration with AD and Group Policy
Logging and Reporting
Backup and Recovery

So be there. Dana Epp, Security MVP has organized top drawer technical content for this conference. It's September 29 - October 1. http://www.smbnation.com

Also, a heads up. I'll be presenting at SMB Focus in Sydney Australia in November as well. Plan now and I'll see you there.

Tuesday, July 17, 2007

Thoughts on what it means to not have an edge SBS

Situating SBS on the edge of the small business network has always been a controversial topic. A network in a box for small companies has to include some kind of firewall, doesn't it? So through the years it was RRAS, Proxy 2.0, ISA 2000 and ISA 2004. With word out that SBS will no longer be supported on the edge, ISA on that box and RRAS are both out of the picture. Considering that most SBS servers are currently protected by RRAS, that's significant.

Having worked in the small business market for a number of years I can tell you with certainty that this will leave the vast majority of SBS customers with networks protected by their DSL router. A DSL router just isn't sufficient to protect against today's application targeted attacks. Neither is it sophisticated enough to serve the publishing needs of Exchange 2007 without leaving gaping holes to exploit.

Microsoft knows best how to protect Microsoft software. SBS is jam-packed with Microsoft software, as are most small business desktops. What then will be the official "best practice" recommended by Microsoft to protect the software that these customers are so dependent upon?

The Skinny on ISA in SBS 2008

The official word:

"With respect to ISA, here's what we're public on:

- SBS no longer will support being the edge box. You'll need SBS to be behind a network firewall of some sort -- could be a hardware firewall, could be a software firewall, such as ISA.

- ISA, itself, will no longer support running on the SBS server itself -- this is really related to #1. We're building the SBS tools in the next rev assuming that the network firewall is elsewhere."

I wish I was allowed to say more about what's going on in the next version of SBS, but I'm not. From the official statement above it doesn't take a rocket scientist to notice that next time around you're going to have to place your ISA server in front of SBS on a separate server. Unfortunately there's no public statement about what this means for the SBS Premium product list, because obviously we're going to need another Windows license for that second server. We'll have to wait and see.

Wednesday, June 06, 2007

News: Microsoft unveils Stirling

Microsoft unveiled a new product, code name Stirling, yesterday at Tech-Ed. For those wondering where ISA is going in the future, here's a hint. There is also another product under development, under a different code name, that non-enterprise businesses will be interested in.

See the full article here.

Wednesday, May 02, 2007

ISA 2004 SP3 Released

ISA 2004 SP3 is here.

ISA Server 2004 SP3 includes the following new features and improved functionality:

Improvements to the ISA Server Management console with the addition of a new Troubleshooting node

Enhanced log viewing functionality

Additional log filtering functionality

Diagnostic logging, including over 200 new diagnostic logging events

Integration with the Microsoft ISA Server Best Practices Analyzer Tool

Support for publishing Microsoft Exchange Server 2007 with ISA Server 2004

Vista might not connect immediately

Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista

Read all about it in TechNet. Vista contains a feature that uses DNS to locate and connect to a predefined website. This is part of the new network identification feature. So when Vista detects a new network and pops up the box asking how much you trust this newly connected network, this article explains what has happened in the background.

The key issues are:

1. Vista clients behind ISA may not immediately recognize that they are connected to the Internet via a firewall
2. ISA logs will contain denied DNS traffic destined for 131.107.255.255 (yes, this is a valid IP address)

And don't panic.

Wednesday, April 25, 2007

Publishing AuthAnvil Self Service Token Enrollment

In using AuthAnvil to provide secure two-factor remote access for the SBS servers we manage, we decided we'd like to let users enroll the Cryptocard token we've provided themselves. AuthAnvil allows this through a self-service token enrollment website hosted on IIS. We'll use SSL to publish this site.

  1. Click Publish a Web Server. Call it AuthAnvil Token Enroll.
  2. Click Next, Choose Allow, Click Next.
  3. The server name will be publishing.yourinternaldomain.local. Check Forward the original host header. The path will be /AuthEnroll/* The public name is the DNS name of your server, for example: mail.domain.com. Click Next.
  4. Choose the SBS Web Listener. Click Next.
  5. Leave All Users. Click Next.
  6. Click Next, until done. Then Click Finish.
  7. Make sure your rule is at the bottom of the other publishing rules in your server. This will make it rule 6 or so.
  8. Right click on it and select Properties
  9. On the Bridging tab make sure SSL is checked
  10. On the To tab check to make sure your server name is correct, the check box is checked and the radio button for requests appear to come from the ISA server is selected.
  11. On the Public Name tab make sure the public DNS name of your server is listed and is correct.
  12. Click OK.
  13. Press the Apply button for this rule to take effect.

Tuesday, April 17, 2007

Multi-Core Processors: Another reason for SP2

While loading ISA 2004 onto new hardware I ran into a problem where the firewall service would not run. When something like that happens on a new install you get that sinking feeling that it's going to be a long night.

Fortunately a quick search came up with the solution. Install ISA 2004 SP2. ISA 2004 SP2 corrects an issue where ISA misidentifies the number of processors in the system. This can happen for a variety of reasons, one of which is multi-core processors.

Here's the KB reference.

Tuesday, April 03, 2007

Vista 64-Bit Can't Join Domain

Found a KB article that resolved a perplexing problem for us today. A Vista 64-Bit Ultimate edition PC was unable to join the domain. The error message stated a problem with RPC. This usually points to the local firewall, but in this case it was ISA, and a hotfix is needed to resolve it. This hotfix is available from the download center. No call to PSS required!

The KB article ID is 917903; last updated March 15, 2007.

You cannot join a computer that is running a 64-bit version of Windows Vista to a Windows domain on which ISA Server 2004 is configured as a firewall

SYMPTOMS

Consider the following scenario. You have a Windows domain on which Microsoft Internet Security and Acceleration (ISA) Server 2004 is configured as a firewall. You try to add to the domain a client computer that is running a 64-bit version of Windows Vista. However, you receive an "RPC Server unavailable" error message on the client computer. Additionally, the computer is not added to the domain. Note: This problem occurs primarily in a Microsoft Windows Small Business Server 2003 (Windows SBS) domain.


CAUSE

This problem occurs because 64-bit Windows Vista client computers add a third context element structure to a remote procedure call (RPC) bind call. However, the ISA Server RPC application filter drops this bind call as an incorrect RPC bind packet.

Thursday, March 29, 2007

ISA and Windows 2003 SP2

The ISA team has blogged about some issues affecting ISA after an installation of Windows 2003 SP2. The original post is here.

ISA Server and Windows Server 2003 Service Pack 2

Recently Microsoft released Service Pack (SP) 2 for Windows Server 2003 (http://www.microsoft.com/technet/windowsserver/sp2.mspx). We tested ISA Server with the Windows service pack quite extensively. Unfortunately we discovered after the release of the Windows service pack that there are several issues that have potential ill-effects on ISA Server. This blog summarizes the currently known issues, and suggestions on how to mitigate those issues.

1. If you run ISA Server 2004 Enterprise Edition with or without the ISA Server SP2, you must install ADAM SP1 on the ISA Server Configuration Storage Server prior to installing the Windows Server 2003 SP2. ADAM SP1 can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en. If you install Windows Server 2003 SP2 without first installing the ADAM SP1, ISA Server will not start after the installation, and you will have to uninstall Windows Server 2003 SP2. Further information is available in the Windows Server 2003 SP2 release notes, at http://technet2.microsoft.com/WindowsServer/en/library/ed5382af-e819-4d33-ace0-225d31b7ab751033.mspx?mfr=true .

2. If you run ISA Server 2000, 2004 or 2006 Standard or Enterprise editions on a multi-core / multi-processor 32-bit computer, and the CPU is heavily utilized, you might experience performance degradation in certain deployment scenarios after installing Windows Server 2003 SP2. The issue stems from a change in interrupt handling introduced in SP2. To correct the issue you must download and run the Interrupt Affinity Tool (intfiltr) available in Windows Server 2003 resource kit (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en). You can read about installation and usage of intfiltr.exe in http://support.microsoft.com/kb/252867.

3. If your network adaptors (NICs) support receive-side scaling (RSS), then in certain NAT scenarios ISA Server 2000, 2004 or 2006 Standard or Enterprise editions might not transfer packets from one NIC to the other after installation of Windows Server 2003 SP2. To correct the issue you must disable RSS support - follow the instructions in http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695.

Neta Amit
Program manager
ISA Server Sustained Engineering Team

Tuesday, February 27, 2007

ISA 2008 Needs Your Help

The Microsoft ISA Product Team is working on the next version of ISA. As part of the work, the team is currently recruiting customers for its internal customer programs, namely TAP (the Technology Adoption Program) and the Advisory Group. Interested customers, consultants, solution providers and others can contact ngtprcrt@microsoft.com to start the nomination process.
Please note:
- The information about these specific programs is Microsoft-confidential. Therefore, nomination to these programs requires the nominees to already have or sign a non-disclosure-agreement (NDA) with Microsoft.
- Nominees who wish to participate (after they are accepted to the program) in the TAP kickoff event on April 16-18, are advised to follow-up immediately.

Wednesday, February 14, 2007

SMBTN Conference ISA Session

There's a great conference coming up March 15-18th. It's the SMB Summit, the 3rd annual SMB Technology Network conference. It's being held at Disneyland. Have a look at the sessions and the speakers. If you are a small IT firm looking to grow, this is the place to be.

I'll be presenting a technical session on using ISA to build your security practice. I'll show off wireless network security, advanced DMZ controls and monitoring and reporting, then we'll open it up for discussion on adding security services to your standard service offerings.

Hope to see you there!

Monday, February 05, 2007

Update: iTunes ISA 2004 SP2

In a previous blogpost I pointed you to the ISA Product Team blog for instructions on how to allow iTunes through ISA. I've got a little personal experience with this now and some new information for you.

If you're having problems visiting the iTunes site, you'll notice in the ISA logs that the packets are being rejected because ISA wasn't expecting compressed content but the iTunes server responds with compressed content anyway. I think this is a web development issue. The tighter we make our firewall configurations, the more we expect developers to follow the rules. Responding with compressed content when it wasn't requested is a no-no, and the packet will be handled according to the settings under General, Define HTTP Compression Preferences. You'll notice that by default any packets carrying compressed content that you didn't ask for will be dropped.

Following the instructions in the previous post, you'll need to provide a "site" for the exception to our compressed content restriction. By "site" what is really meant is a computer set. So create one and call it iTunes. Add the following IP addresses to this set.
  • 89.149.169.80-89.149.169.97
  • 194.109.192.22
  • 194.109.192.7
  • 17.250.236.65
  • 69.44.123.19
  • 69.44.123.26

Once you have your "site" created, check the box Request Compressed HTTP Content from Servers.

You'll be able to talk to the iTunes servers now. Bear in mind that the addresses behind the iTunes Store can change, so if the problem comes back, check the ISA logs for the new destination addresses and update the computer set.

Thursday, February 01, 2007

Strong Authentication for SBS

Good news! Today is the official release day for AuthAnvil. This is an excellent addition to the RWW Guard product that Scorpion Software also offers. I've seen it in action. This is a must-have for IT firms servicing multiple clients and for all small businesses taking advantage of the many remote access features of SBS. There's nothing like knowing for certain who is logging into your server.

Scorpion Software releases AuthAnvil Strong Authentication System (SAS) for Small Business
Chilliwack, BC: February 1, 2007 - Scorpion Software Corp. today announced the general availability of version 1.0 of AuthAnvil, a strong authentication system (SAS) to protect small businesses and enhance their remote access security with the introduction of two-factor authentication server software for Microsoft's Small Business Server (SBS) 2003 and Windows Server 2003 platforms. AuthAnvil enhances online trust and enables secure remote access to protected information assets by offering the ability to reliably prove user identities through the use of strong authentication. More information about AuthAnvil is available at
http://www.scorpionsoft.com/products/authanvil/.

"AuthAnvil is our second and most crucial piece to our strong authentication solution for small business. It helps to eliminate the insecurities and weaknesses in static reusable passwords by offering more perfected one time passwords that can be easily deployed and managed." says Dana Epp, Scorpion Software's President and Computer Security Software Architect. "In combination with our RWW-Guard product we can now offer a complete solution to help protect the remote access to critical information assets in small businesses who leverage Microsoft server technology like SBS 2003 and Remote Web Workplace."

About Scorpion Software Corp.
Scorpion Software Corp provides the premium solution for SMBs to reduce the risks associated with the use of weak static reusable passwords and provide a higher level of confidence that only authorized users can access their company's most important business assets - their proprietary information. Headquartered in British Columbia, Canada, Scorpion Software helps small businesses manage online risk while offering unprecedented password protection. More information about the company is available at
www.scorpionsoft.com.

Thursday, January 11, 2007

2 1/2 Conferences

I'll be attending the SMB Summit at Disneyland from March 15-17. This conference is organized by the SMB Technology Network. If you are looking for good technical information on SBS and good business information on running a small consulting firm, this is the place to be.

http://www.smbsummit.com

I am also hoping to attend Jeff Middleton's Small Business IT Disaster Recovery and Crises Recovery conference from May 26th - June 2nd. Jeff's conference is the 1 1/2 part in the title of this post. The first two days are land based in New Orleans. The remaining five are on a cruise ship leaving New Orleans headed for Mexico. You can attend the first part, the second part or both. For the majority of it, it's a round-table discussion type of conference with leaders rather than speakers. Great concept. Should also be a great time. There's plenty of fun time built into this one.

http://conference2007.sbsmigration.com

Hope to meet you there!

Creating a Visited Websites Report by User

Many admins learned how to create reports by opening up the log files in ISA 2000 and using Excel features to organize the data in a meaningful way. Contrary to popular opinion, you can use Excel to generate a report from ISA 2004 with MSDE logging much more easily than from the ISA 2000 flat files.

Start by trimming out what you don't want to see, right in ISA.

In the monitoring tab create a query with the information you want to view.

Logging: last 7 days
Protocol: HTTP
Action: Allowed Connection
Rule: SBS Internet Access Rule
Client Username: Not Equal Anonymous

This will display in the monitoring viewer a list of packets going to websites. Press Copy to Clipboard and then paste into Excel to start organizing the data into a report.
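Here's an added example of what that Excel step ends up doing, written as a small Python script of my own rather than anything shipped with ISA. It assumes the rows you copied from the log viewer are tab-separated with a header row using the viewer's column names, and the sample rows below are made up for the illustration. Besides the per-user site list, it also sets aside the denied DNS requests to 131.107.255.255 from the Vista network-status check described in the Vista post above, so they don't clutter the denials you actually want to review.

```python
"""Turn a pasted ISA 2004 log-viewer export into a per-user visited-sites report.

Added example for this post; it is not part of ISA or of the original text.
Assumes the rows copied with "Copy to Clipboard" are tab-separated with a
header row that uses the column names shown in the monitoring viewer.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of what the log viewer copies to the clipboard.
SAMPLE_EXPORT = """\
Log Time\tClient IP\tClient Username\tDestination IP\tProtocol\tAction\tRule\tURL
1/10/2007 9:01:12 AM\t192.168.16.21\tDOMAIN\\alice\t72.14.207.99\tHTTP\tAllowed Connection\tSBS Internet Access Rule\thttp://www.google.com/search?q=isa
1/10/2007 9:01:15 AM\t192.168.16.21\tDOMAIN\\alice\t72.14.207.99\tHTTP\tAllowed Connection\tSBS Internet Access Rule\thttp://www.google.com/images/logo.gif
1/10/2007 9:02:40 AM\t192.168.16.30\tDOMAIN\\bob\t207.46.197.32\tHTTP\tAllowed Connection\tSBS Internet Access Rule\thttp://www.microsoft.com/isaserver/
1/10/2007 9:03:02 AM\t192.168.16.30\tanonymous\t207.46.197.32\tHTTP\tAllowed Connection\tSBS Internet Access Rule\thttp://www.microsoft.com/
1/10/2007 9:03:10 AM\t192.168.16.44\tanonymous\t131.107.255.255\tDNS\tDenied Connection\tDefault rule\t
1/10/2007 9:04:55 AM\t192.168.16.21\tDOMAIN\\alice\t66.102.7.99\tHTTP\tAllowed Connection\tSBS Internet Access Rule\thttp://mail.google.com/mail/
1/10/2007 9:05:01 AM\t192.168.16.30\tDOMAIN\\bob\t10.0.0.5\tHTTP\tDenied Connection\tDefault rule\thttp://blocked.example/
"""

NCSI_PROBE_IP = "131.107.255.255"  # target of Vista's network-status probe


def parse_export(text):
    """Parse the tab-separated export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def visited_sites_by_user(rows, rule="SBS Internet Access Rule"):
    """Count hostnames visited per authenticated user over allowed HTTP.

    Applies the same filter as the log-viewer query: HTTP, Allowed Connection,
    the named rule, and a username other than anonymous.
    """
    report = defaultdict(lambda: defaultdict(int))
    for r in rows:
        user = r["Client Username"]
        if (r["Protocol"] != "HTTP" or r["Action"] != "Allowed Connection"
                or r["Rule"] != rule or user.lower() == "anonymous"):
            continue
        # Fall back to the destination IP when the URL column is empty.
        host = urlsplit(r["URL"]).hostname or r["Destination IP"]
        report[user][host] += 1
    return {u: dict(hosts) for u, hosts in report.items()}


def split_denials(rows):
    """Separate Vista NCSI probe denials (noise) from denials worth a look."""
    noise, real = [], []
    for r in rows:
        if r["Action"] != "Denied Connection":
            continue
        if r["Protocol"] == "DNS" and r["Destination IP"] == NCSI_PROBE_IP:
            noise.append(r)
        else:
            real.append(r)
    return noise, real


def format_report(report):
    """Render the report as text: one line per user, busiest sites first."""
    lines = []
    for user in sorted(report):
        lines.append(user)
        by_count = sorted(report[user].items(), key=lambda kv: (-kv[1], kv[0]))
        for host, n in by_count:
            lines.append(f"  {n:4d}  {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(format_report(visited_sites_by_user(rows)))
    noise, real = split_denials(rows)
    print(f"\n{len(noise)} NCSI probe denial(s) ignored, {len(real)} other denial(s) to review")
```

To use it with real data, replace SAMPLE_EXPORT with the text you copied from the viewer (or read it from a file). If your viewer shows different columns, adjust the header names in the two functions to match.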

How ISA MSDE Logging Works

Recently on a mailing list a question was asked for someone to explain how ISA does logging to MSDE and why you sometimes see a lot of log files for the same day. Dana Epp, of Scorpion Software, quickly responded with a very concise and clear response.

When using MSDE, ISA stores the logs in daily database files. If you make any policy changes to the firewall, it stops the instance and restarts it with a new name. As an example, for today the database would be called ISALOG_20070110_FWS_000. (That is the format YYYYMMDD in case you missed it). If you stopped and restarted ISA, it would then be ISALOG_20070110_FWS_001. You would need to concatenate the 000 and the 001 to get the complete set of log events for the day. For the web proxy, it's "_WEB_" instead of "_FWS_". Microsoft does this to apparently prevent data corruption, although I have yet to see how that matters in this regard. There is no reason it couldn't be merged. (IMNSHO). I think they do it to prevent the DB size limitation for MSDE databases.

Depending on your audit log retention policy, you might have up to a month or two of these hanging around. What Firewall Dashboard (Dana's ISA add-on) does is merge all the data together, consolidate all the events down to remove log events not helpful in analysis, and import them into the FWDB database instance. That's how we can literally go from a few hundred thousand events down to a few hundred, depending on the scenario.

The actual table structure for the whole lot is stored under the ISA directory. If you wish to see the structure of the data, it's in *.sql scripts in the base dir of ISA.

If you are finding that the files are hanging around past the date you want, you can freely delete them... with one caveat. If you are consolidating the data with the ISA reporting engine, make sure you aren't deleting the summary/archive data.

There is a KB on configuring logging for ISA. Not sure if you would find that useful or not. You can see it at:
http://support.microsoft.com/?id=302372
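As an added illustration (my own script, not part of ISA and not from Dana's answer), here's how you can inventory the ISALOG files for each day using the naming convention described above, so you know which instances need to be concatenated and which are past your retention window. It assumes each instance is an .mdf data file plus an .ldf log file, and the directory listing below is made up for the example.

```python
"""Inventory ISA 2004 MSDE log databases by day and service.

Added example for this post, not part of ISA. Assumes the naming convention
ISALOG_<YYYYMMDD>_<FWS|WEB>_<NNN>.mdf/.ldf, one pair per instance.
"""
import re
from datetime import date, timedelta

LOG_NAME = re.compile(
    r"^ISALOG_(\d{4})(\d{2})(\d{2})_(FWS|WEB)_(\d{3})\.(?:mdf|ldf)$", re.IGNORECASE
)

# Constructed directory listing. ISA restarted twice on 2007-01-10, and the
# web proxy log for 2007-01-08 is missing its middle instance.
SAMPLE_LISTING = [
    "ISALOG_20070108_FWS_000.mdf", "ISALOG_20070108_FWS_000.ldf",
    "ISALOG_20070108_WEB_000.mdf", "ISALOG_20070108_WEB_002.mdf",
    "ISALOG_20070110_FWS_000.mdf", "ISALOG_20070110_FWS_001.mdf",
    "ISALOG_20070110_FWS_002.mdf",
    "ISALOG_20070110_WEB_000.mdf", "ISALOG_20070110_WEB_001.mdf",
    "ISALOG_20061201_FWS_000.mdf",
    "summary.mdf",  # not an ISALOG database: never touched by this script
]


def parse_name(name):
    """Return (day, service, sequence) for an ISALOG file name, else None."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    y, mo, d, service, seq = m.groups()
    return date(int(y), int(mo), int(d)), service.upper(), int(seq)


def group_by_day(names):
    """Map (day, service) -> sorted instance sequence numbers, counting .mdf files only."""
    groups = {}
    for n in names:
        parsed = parse_name(n)
        if parsed is None or not n.lower().endswith(".mdf"):
            continue
        day, service, seq = parsed
        groups.setdefault((day, service), set()).add(seq)
    return {k: sorted(v) for k, v in groups.items()}


def days_needing_merge(groups):
    """Days where a policy change or restart split the log into several instances."""
    return sorted(k for k, seqs in groups.items() if len(seqs) > 1)


def missing_sequences(groups):
    """Gaps in the numbering (000 and 002 but no 001) mean an instance is missing."""
    gaps = {}
    for k, seqs in groups.items():
        expected = list(range(seqs[0], seqs[-1] + 1))
        if seqs != expected:
            gaps[k] = sorted(set(expected) - set(seqs))
    return gaps


def expired_files(names, today, retention_days):
    """ISALOG files (data and log) older than the retention window.

    Only names matching the ISALOG pattern are ever returned, so reporting
    engine summary files are left alone, as the caveat above requires.
    """
    cutoff = today - timedelta(days=retention_days)
    old = []
    for n in names:
        parsed = parse_name(n)
        if parsed is not None and parsed[0] < cutoff:
            old.append(n)
    return sorted(old)


if __name__ == "__main__":
    groups = group_by_day(SAMPLE_LISTING)
    for day, service in days_needing_merge(groups):
        print(f"{day} {service}: concatenate instances {groups[(day, service)]}")
    for (day, service), gaps in missing_sequences(groups).items():
        print(f"{day} {service}: missing instance(s) {gaps}")
    for n in expired_files(SAMPLE_LISTING, date(2007, 1, 11), 30):
        print(f"older than 30 days: {n}")
```

Point it at os.listdir() of the ISALogs directory instead of SAMPLE_LISTING to run it against a real server; it only reports, it never deletes.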


Wednesday, January 03, 2007

New RSS Feed

Google converted my blog over to the new format and because of this the RSS feed address changed. Here's the new one: http://isainsbs.blogspot.com/feeds/posts/default?alt=rss

The old one was so much simpler.

MVP Awarded

For the second year I have been awarded an MVP for ISA. This recognition means more to me than any certification because it is a peer nominated award for my participation and contribution to the ISA community. A lot of amazing people are MVP's and I'm honored to be in their company.

Tuesday, January 02, 2007

Thank you!

I'd like to put in a big thank you to several people that made a difference in the world of ISA support in 2006.

Jim Harrison - Without Jim there would be no ISA community. He's a man of infinite patience and belief in community. We only managed to push him over the edge twice this year and given how many buttons were pushed, only twice says a lot for his character and ability to see beyond the surface bull to the real issues.

Susan Bradley - The World News, the Great Library of Susan, the ever helpful and passionate about community nearly to a fault Susan. If you haven't heard the name then you must live underwater someplace. No one can read Susan and always agree with her but that's part of what makes her voice invaluable. Susan isn't afraid to ask the difficult, the unsaid, or to point out the elephant in the room and when you need her support she's right there. I love that.

Tom Shinder - Given Tom's opinions about SBS some will question my sanity for mentioning him here, but just as many will question my mention of Susan above. Truth be told the combined passion that these two have for their respective communities, if harnessed, could resolve the west coast summer power problems. Tom's dedication to ISA and community through his articles and forum support surpasses the rest of us combined. His comments can be harshly worded but I value them even so. Besides, I think we have an understanding.

Andy Goodman - Andy will probably fall off his chair if he sees this, but Andy has done some excellent work detailing what needs to be done to stop CRM and ISA from trying to kill one another, and CRM works as an SSL site to boot. Since Microsoft put out the SBS version of CRM and didn't include instructions that made any sense, they owe him some thanks as well. But since that probably isn't coming, Andy, you'll have to get by with just mine.

Eriq Neale - Because he said after reading the chapters I wrote for his book that he's converting his clients over to ISA. When your boss says that, well, you've got to say thank you.

Thanks also to the readers. Most of you find this blog through Google or links from other blogs. I get a couple of comments every week usually direct to my mailbox. Thanks for those; they mean a lot.

Adding Exchange Defender for SMTP Security

A price we pay for putting ISA on the same physical box as our Exchange server in SBS 2003 is that we're unable to make use of the SMTP features in ISA. You can, however, use Exchange Defender, a third-party SMTP filtering service, to reduce incoming spam (among other nice features). If you are planning to implement Exchange Defender, you'll want to have a look at Susan Bradley's article on how to configure ISA to work with it. You can find it here. I'll add this reference to the App section of the blog website as well.

Wednesday, December 20, 2006

ISA 2004 Installation Fails Creating Storage


This response by Mark Stanfill saved me last night. (Thank you, Mark.) The only thing I would add is that this installation method also does not create a share to hold the Firewall Client for you. So after you have successfully installed ISA, go into Add/Remove Programs, choose ISA, select Modify and select the Firewall Client Share item.

Note: The original question came from a person with an HP server. My problem machine was also an HP.

Dave,

We've seen a few instances of this, usually related to MSDE install errors. Please try the following:

1. Launch the ISA 2004 MSI package manually and install ISA manually from CD #6:

:\ISA2004\FPC\MS_FPC_SERVER.MSI

2. The installation should be successful but this only installs the console. The MSDE instance has not yet been installed. Go ahead and run the Setup.EXE for ISA 2004 so that all the additional components will install.

3. If MS_FPC_SERVER.MSI is NOT installed successfully, then run it with the following command to create a LOG file of the installation:

msiexec.exe /i D:\ISA2004\FPC\MS_FPC_SERVER.msi /l* c:\isa.txt

4. The log file will be located on C:\isa.txt

The verbose log file will help us in the next step of troubleshooting.

Regards,
__
Mark Stanfill, MCSE+I, MCSE 2000, MCDBA, MCSA
Microsoft Corporation

Tuesday, December 19, 2006

Vista Firewall Client

How to obtain the version of Firewall Client for ISA Server (December 2006) that includes Windows Vista support

This KB article takes you to the page that lists the new features of the client as well as a link to where you can download it. According to this KB the correct version is 1.0.

New features

The following features are new in this version of Firewall Client for ISA Server:

• Support for client computers that are running Windows Vista
• Software updates that improve the security and stability of Firewall Client for ISA Server

Friday, December 01, 2006

Protecting Wireless Networks - 3 Ways

Recently there's been a rash of clients needing to set up open wireless access for visitors. For the record, I hate open wireless. But some clients won't be convinced. Since this is the real world, we do what we can to protect them. Depending on the circumstances there are three options:

1. Install a third NIC in your server. Create a network for this NIC corresponding to your wireless network and assign rules accordingly. Keep in mind that if this is an SBS server, this is an unsupported option. The reason it is unsupported is that the Connect to the Internet Wizard will choke on the extra NIC; it was written to expect only two NICs. To work around this problem, disable your third NIC and the rules associated with it before running that wizard.

2. Use a different public IP for your wireless router and create an entirely separate network for wireless. Most of the time an ISP will provide five IP addresses to business accounts, and most businesses use only one of them. Plug the wireless router directly into the router provided by your ISP and assign the wireless router one of your unused IP addresses. Configure the wireless router as needed.

3. Connect the wireless router to your internal network and give it a static IP address. Set it up to assign DHCP addresses to the wireless guests on a separate subnet. For example, if your internal network is 192.168.16.x then set up the wireless router's built-in DHCP server to hand out 192.168.17.x addresses. Assign rules to keep the wireless router away from everything but the Internet.

Here's what option 3 looks like in practice:

1. Create a DHCP reservation for your wireless router.
2. In ISA, create an Address Range Object for the wireless router.
3. In ISA, create a new Access Rule. From Wireless Router, To External, Specified Protocols: HTTP, HTTPS. Other protocols your guests might need include FTP, ICA and SMTP but keep the list as short as possible. Place this rule above the SBS Protected Networks Access Rule.
4. In ISA, create a new Access Rule. From Wireless Router, To LocalHost, Specified Protocols: DNS. This will allow the wireless router to resolve addresses. Place this rule above the one you just created.

Friday, October 20, 2006

DHCP Not Working After Applying ISA 2004 SP2?

I've come across reports of seven separate servers where, after installing ISA 2004 SP2, the DHCP server does not work as expected. Reports are that the DHCP receive/request rules are in place but not functioning. The current resolution is to create a new set of DHCP receive/request rules.

Follow this article to create the rules if you are having this problem. Hopefully I'll be able to post more later on why the system rules are broken.

Monday, October 16, 2006

Troubleshooting ISA Performance

The configuration of your NICs can have a significant and difficult-to-diagnose effect on your ISA server. If you are using auto-negotiation on your NICs and switches, it may slow down the performance of your server while under load. Read the article below for an explanation and considerations.

ISA Server Troubleshooting; Layer 1

Monday, October 09, 2006

ISAtools.org Make Over

ISATools.org has gotten a make over and it looks great. The site is much easier to navigate now.

Friday, October 06, 2006

Mailbag: To Firewall or not?

I received this question in my mailbox the other day. It wasn't the first time, so I thought I may as well post the answer too.

Amy, I've heard you on the SBS Show and read your comments in the Yahoo
groups and on your own blog. I recently ran across Thomas Shinder's
blog post called "Why SBS is Insecure by Design and Not Even an ISA
Firewall can Fix the Problem" which can be found here:

http://blogs.isaserver.org/shinder/2006/09/03/why-sbs-is-insecure-by-design-and-not-even-an-isa-firewall-can-fix-the-problem/

I wanted to get your opinion on a specific statement Mr. Shinder makes
in this post:

"The SBS 2003 SP1/ISA firewall box with a "hardware" firewall or NAT
device in front of it is no more secure than the SBS 2003 SP1 box
without the "hardware" firewall or NAT device in front of it. Putting a
"hardware" firewall in front of the SBS box is psychological exercise in
futility, and the money spent on the PIX 501 would be much better spent
on a couple hours of psychotherapy or a few bottles of Dom P. Whether
you choose the PIX, the shrink or the Dom, you'll end up with the same
level of security."

Do you think a hardware firewall in front of an SBS box is no more
secure then an SBS box without a hardware firewall in front of it? Do
the companies you consult for usually have a hardware firewall in front
of the SBS box, regardless of whether or not they are running ISA on
SBS?

Your opinion on this would be greatly appreciated!


______________________________________________________________________

Dear Reader,

Security is not an absolute. Most people agree that it is about risk mitigation. As a small business consultant I can say with certainty that SBS does make small businesses more functional and more secure. Without exception, when I make first contact with a small business they are operating without backup, with expired anti-virus software, with a high-speed Internet connection and without a firewall. After we install SBS, provide for backup, subscribe to and deploy an anti-virus solution, configure monitoring and patching, and deploy a firewall, the business is more secure than before we started. Are they as secure as an enterprise that has embraced least privilege and separation of duties? No, but at least they are now on the right path.

You should always deploy a firewall. I only use SBS Premium in my practice because I believe that ISA can protect Microsoft products better than the competition and I've got a lot of Microsoft products running on SBS. Now, is a hardware firewall necessary in front of ISA? No, this will not make you any more secure. If my clients have an ISP supplied router with some firewall capabilities built-in, then I enable that only because they already have it. I would never recommend that they go out and purchase one.

If you are using SBS standard, then you had better go out and purchase the best firewall that money can buy to protect it. You've got a lot of eggs in your basket to protect.

Amy Babinchak

Tuesday, October 03, 2006

Updated Firewall Client Available

The new firewall client is available for download and should be installed on all workstations. This new firewall client supports 64-bit operating systems and resolves a conflict with Windows Defender. All versions of ISA are supported.

Monday, October 02, 2006

Publishing Project Server Portal

Over at SmallBizServer.net a new article has been published on how to publish a Microsoft Project Server portal through ISA 2004. You can read the article here.

Many of the articles from SmallBizServer.net require a subscription. This one doesn't seem to, so get it while it's available. My only comment is that in Step 1 under ISA, it says Create a New Rule. Since we have three types of rules to choose from in ISA (access, web publishing and server publishing), this really ought to read Create a New Web Publishing Rule.

They are doing some great work over at SmallBizServer.net so if you aren't familiar with them it would be a good idea to check out the entire site.

Sunday, October 01, 2006

Replacing the SBS self-signed SSL certificate with an 'el cheapo one from GoDaddy

Jeff at ABC Solutions has created a PDF file documenting how to replace the self-signed SSL certificate that the SBS wizard creates for you with a certificate from GoDaddy. Since this involves both IIS and ISA I wanted to call it to your attention. Good job Jeff and nice work on the PDF too. You can download the PDF here.

ISA in SBS Blog Website Updated

Finally getting a few moments to update the blog and accompanying website. What else are Sunday mornings for?

The website for this blog has been updated.

Changes:

RSS Feed Link
4 new Amy's Voice Links added

RSS Feed Now Available

Thank you Susan Bradley for pointing out that Blogger now, finally, supports RSS. Effective immediately the RSS address is: http://isainsbs.blogspot.com/rss.xml

Deciding Where to put the rule you just created

Lately I've seen too many ISA Firewall Policies with all of the custom created rules sitting at the top of the firewall policy. At the top isn't always the best place for a new rule. ISA evaluates the policy top down and the first rule that matches wins, so a rule in the wrong position either shadows the rules below it or is shadowed by the ones above it. New rules should be placed according to function. There is a great TechNet article that explains how to determine where to place your new rule.

The article starts like this and then goes into further detail about how to order the rules within these categories:

Ordering the rule base
We recommend that you organize your access rules in this order:

1. Global deny rules. Rules that deny specific access to all users. These rules should use the rule elements that require simple networking information. An example of such a rule would be a rule that denies all users access from anywhere to anywhere on protocols used for peer-to-peer file sharing.

2. Global allow rules. Rules that allow specific access to all users. These rules should use the rule elements that require simple networking information. An example of this would be a rule allowing access on the Domain Name System (DNS) protocol from the Internal network to the External network.

3. Rules for specific computers. Rules that allow or deny access for specific computers, for example, a rule allowing UNIX computers access to the Internet.

4. Rules for specific users, URLs, and MIME types, and also publishing rules. Rules that contain rule elements that require additional networking information, and that enforce policy for specific users, or for specific Uniform Resource Locators (URLs) or Multipurpose Internet Mail Extensions (MIME) types. Publishing rules should also occur at this point in the rule order.

5. Other allow rules. Rules that handle traffic that does not match rules that occur previously in the list of rules, assuming the traffic is allowed by your corporate policy. For example, a rule allowing all traffic from the Internal network to the Internet.

Filter the Internet?

Occasionally I get requests for Internet filtering. My answer is always the same. "If you need to filter the Internet you have an HR problem, not an IT problem." Once I get that out I backpedal a bit and let them know that we can create a list of allowed websites provided it isn't too long. If you would like to know how to do this then download the instructions under Amy's How To Articles at ISAinSBS. Then I back up a little bit further and let the client know that they can subscribe to a service like SurfControl or Websense and they'll let you slice, dice and filter the Internet in a huge variety of ways; but they're not cheap. The Internet landscape is constantly changing and these companies have poor souls whose job it is to view possibly objectionable websites and assign each one a filter category.

Then there's Steve. Some people make a hobby out of creating destination sets for ISA. Steve either is one of these people or he knows a lot of them. The destination sets can be had for free over at Steve's site.

Now if you decide to use one of these destination sets be sure to place the deny rule in position just above your SBS Internet Access rule. Why not put it at the top of your firewall policy? Well, think about what you're asking ISA to do. For example, the sex site destination set contains 169,299 URLs, the porn URL set 214,835, and the porn domains set 469,759. Every request that reaches that rule has to be checked against those URLs and/or domain names to see if it should be blocked. Placed just above the SBS Internet Access rule, the only requests that reach it are the ones no earlier, more specific rule has already handled; placed at the top, every request in the matching protocols pays that cost. The potential to bog down your Internet access is real.
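To make the two points above concrete (the rule ordering from the TechNet article, and where a destination-set deny rule belongs), here is an added example that is not code from the original post or from ISA itself: a small first-match policy evaluator. The rule names, networks, users and domain names are constructed for the demonstration, the two-entry BLOCKED_DOMAINS set stands in for a downloaded list of hundreds of thousands of names, and the evaluator only counts how often that set is consulted; it does not reproduce ISA's internal matching engine.

```python
"""Added example, not from the original post: a first-match evaluator for an
ISA-style access policy. It shows (1) a deny rule appended below the broad
SBS Internet Access rule is shadowed and never fires, and (2) a deny rule built
on a huge destination set is consulted less often just above the catch-all
allow rule than at the top. All names and traffic below are constructed."""

# Recommended ordering from the TechNet article quoted above.
CATEGORY_ORDER = {"global_deny": 0, "global_allow": 1, "computers": 2,
                  "users_urls_publishing": 3, "other_allow": 4}

BIG_DENY = "Deny objectionable domains"
# Stands in for a downloaded destination set with hundreds of thousands of names.
BLOCKED_DOMAINS = {"badsite.example", "worse.example"}

def make_rule(name, action, category, protocols=None, sources=None,
              dest_hosts=None, users=None):
    """A rule matches when every constraint that is set (not None) matches."""
    return dict(name=name, action=action, category=category, protocols=protocols,
                sources=sources, dest_hosts=dest_hosts, users=users)

# Wizard rules first, custom rules appended afterwards in creation order
# (the mistake this post is about: position chosen by creation, not function).
AS_CREATED = [
    make_rule("Allow DNS to External", "allow", "global_allow",
              protocols={"DNS"}, sources={"Internal"}),
    make_rule("Allow Internet Access (SBS)", "allow", "other_allow",
              protocols={"HTTP", "HTTPS", "FTP"}, sources={"Internal"}),
    make_rule("Deny P2P", "deny", "global_deny",
              protocols={"BitTorrent", "Gnutella"}),
    make_rule(BIG_DENY, "deny", "users_urls_publishing",
              protocols={"HTTP", "HTTPS"}, dest_hosts=BLOCKED_DOMAINS),
    make_rule("Allow Local Host to update server", "allow", "computers",
              protocols={"HTTP", "HTTPS"}, sources={"Local Host"},
              dest_hosts={"update.example"}),
]

def order_rules(rules):
    """Stable sort into the five recommended categories."""
    return sorted(rules, key=lambda r: CATEGORY_ORDER[r["category"]])

class Policy:
    """First matching rule wins; an unmatched request hits the implicit default deny."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.dest_checks = {r["name"]: 0 for r in self.rules}  # set lookups per rule

    def _matches(self, rule, req):
        # Cheap elements (protocol, source) are tested before the destination
        # set, so a protocol mismatch never touches the big list.
        if rule["protocols"] is not None and req["protocol"] not in rule["protocols"]:
            return False
        if rule["sources"] is not None and req["source"] not in rule["sources"]:
            return False
        if rule["dest_hosts"] is not None:
            self.dest_checks[rule["name"]] += 1
            if req["host"] not in rule["dest_hosts"]:
                return False
        if rule["users"] is not None and req["user"] not in rule["users"]:
            return False
        return True

    def decide(self, req):
        for rule in self.rules:
            if self._matches(rule, req):
                return rule["action"], rule["name"]
        return "deny", "Default rule"

def sample_requests():
    """Constructed traffic: one request per interesting path through the policy."""
    return [
        dict(protocol="DNS", source="Internal", user="alice", host="ns.example"),
        dict(protocol="BitTorrent", source="Internal", user="bob", host="tracker.example"),
        dict(protocol="HTTP", source="Internal", user="alice", host="badsite.example"),
        dict(protocol="HTTP", source="Internal", user="alice", host="www.example"),
        dict(protocol="HTTPS", source="Local Host", user="SYSTEM", host="update.example"),
    ]

def evaluate(rules):
    """Return (decisions, number of times the big destination set was consulted)."""
    policy = Policy(rules)
    decisions = [policy.decide(r) for r in sample_requests()]
    return decisions, policy.dest_checks[BIG_DENY]

def as_created():
    return evaluate(AS_CREATED)

def recommended():
    return evaluate(order_rules(AS_CREATED))

def big_deny_at_top():
    ordered = order_rules(AS_CREATED)
    return evaluate([r for r in ordered if r["name"] == BIG_DENY] +
                    [r for r in ordered if r["name"] != BIG_DENY])

if __name__ == "__main__":
    for label, fn in (("as created", as_created), ("recommended", recommended),
                      ("big deny at top", big_deny_at_top)):
        decisions, checks = fn()
        print(f"{label}: badsite -> {decisions[2]}, big set consulted {checks}x")
```

In the as-created order the request to badsite.example is allowed by the SBS Internet Access rule before the deny rule is ever reached. The recommended order and the big-deny-at-top order reach the same decisions, but the top placement consults the large set for every HTTP/HTTPS request, including the server's own update traffic that a more specific rule would otherwise have handled first.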

Secure FTP through ISA 2004

At first I thought they were joking. FTPS? Never heard of it. You can't secure FTP without an application filtering firewall like ISA, that's right, an FTP application filter. But twice recently something called FTPS has come to my attention and finally I had a situation where a client needed to access an FTPS server but couldn't.

ISA 2004 has an FTP Application Filter that inspects FTP traffic as it passes through. It reads the PORT and PASV commands on the cleartext control channel and dynamically opens the high port required for the data connection, so you don't have to leave a range of ports open. There is an excellent article by Stefaan Pouseele called How the FTP Protocol Challenges Firewall Security over on the ISAserver.org website. In it Stefaan explains why FTP is insecure by design, how ISA can secure FTP for you and all of the details in between. It is an excellent article.

FTPS creates an interesting challenge though. FTPS was developed to protect FTP credentials and data in transit: it's FTP with the control channel (and normally the data channel) wrapped in SSL/TLS. That encryption is exactly what defeats an application filtering firewall. The ISA FTP application filter has to read the PORT and PASV commands to know which data port to open, but on an FTPS connection those commands are inside the encrypted channel. The filter can't see into the SSL encrypted packets, can't follow the session, and will therefore deny it.

Solution 1: Disable the FTP Application filter. This will work IF FTPS is the only kind of FTP site you will ever need to connect to. With the filter disabled, nothing on the ISA side reads the PORT/PASV commands of ordinary cleartext FTP sessions, so the data connection for "normal" FTP will be denied.

Solution 2: Create a new Access Rule for FTP for traffic going from your network to the FTPS destination that does not use the FTP filter.

Here's what your rule should look like:

Action: Allow
Protocols: Selected Protocols, FTP. Highlight FTP, press Edit, uncheck the FTP Access Filter
From: your Internal Network
To: New, Address Range, enter the IP address of the FTPS server you need to reach
Users: SBS Internet Users or a user group of your choice

One caveat: the application filter binding is a property of the FTP protocol definition, not of the rule, so unchecking it on the FTP protocol turns the filter off for every rule that uses that protocol. If you want the filter to keep protecting ordinary FTP, create a separate protocol definition (TCP port 21, outbound) with no application filter attached and use that protocol in this rule instead of FTP.

FTPS will now work to that destination for all but SecureNAT clients, because without the filter nothing on the ISA side can open the data connection on their behalf; the Firewall Client negotiates the secondary connection itself. So make sure you've got the Firewall Client installed on all of your workstations.
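To show exactly what the FTP application filter needs to see and why an FTPS session gives it nothing to work with, here is an added example that is not code from the original post or from ISA itself. It parses the PORT, PASV and EPSV exchanges a stateful FTP filter reads in order to open the data connection, and models the filter's decision once the control channel turns into TLS records after a 234 reply to AUTH TLS. The session transcripts are constructed, the TLS record bytes are illustrative stand-ins for ciphertext, and the decision logic models the behaviour described in the post rather than ISA's actual implementation.

```python
"""Added example, not from the original post: what an FTP application filter
reads out of the cleartext control channel to pin open the data connection,
and why explicit FTPS (AUTH TLS) blinds it. Transcripts are constructed."""
import re

# Server reply to PASV:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server reply to EPSV:  229 Entering Extended Passive Mode (|||port|)
_EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")
# Client PORT command (active mode):  PORT h1,h2,h3,h4,p1,p2
_PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _host_port(groups):
    """Decode the FTP h1,h2,h3,h4,p1,p2 encoding into (ip, port)."""
    ip = ".".join(g.decode() for g in groups[:4])
    return ip, int(groups[4]) * 256 + int(groups[5])

def data_endpoints(control_lines):
    """Return the data-connection endpoints a stateful FTP filter would have to
    open: ("to_server", ip, port) for passive mode, ("to_client", ip, port) for
    active mode. Parsing stops at a 234 reply because everything after it is
    TLS ciphertext, not FTP commands."""
    endpoints = []
    for line in control_lines:
        if line.startswith(b"234"):
            break
        m = _PASV_RE.match(line)
        if m:
            endpoints.append(("to_server",) + _host_port(m.groups()))
            continue
        m = _EPSV_RE.match(line)
        if m:
            endpoints.append(("to_server", None, int(m.group(1))))
            continue
        m = _PORT_RE.match(line)
        if m:
            endpoints.append(("to_client",) + _host_port(m.groups()))
    return endpoints

def filter_decision(control_lines):
    """Model of the filter's verdict: if the channel went encrypted before any
    data connection was negotiated in the clear, there is nothing it can open
    and the session is denied; otherwise it allows the session and returns the
    endpoints it would open dynamically."""
    went_encrypted = any(l.startswith(b"234") for l in control_lines)
    endpoints = data_endpoints(control_lines)
    if went_encrypted and not endpoints:
        return "deny", []
    return "allow", endpoints

def plain_ftp_session():
    """Constructed cleartext FTP session: passive-mode download."""
    return [
        b"220 ftp.example ready",
        b"USER anonymous", b"331 Password required",
        b"PASS guest@", b"230 Logged in",
        b"PASV", b"227 Entering Passive Mode (192,0,2,10,195,80)",
        b"RETR report.pdf", b"150 Opening data connection", b"226 Transfer complete",
    ]

def ftps_session():
    """Constructed explicit FTPS session: after the 234 reply every line is a
    TLS record (illustrative bytes), so no PASV/PORT is visible to the filter."""
    return [
        b"220 ftps.example ready",
        b"AUTH TLS", b"234 Proceed with negotiation",
        b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x03",  # TLS handshake record
        b"\x17\x03\x03\x00\x45\x8f\x21\xa0\x73",          # encrypted application data
        b"\x17\x03\x03\x00\x3a\x5e\x0c\xd1",
    ]

if __name__ == "__main__":
    print("plain FTP:", filter_decision(plain_ftp_session()))
    print("FTPS:     ", filter_decision(ftps_session()))
```

The cleartext session yields a single endpoint, 192.0.2.10 port 50000 (195 * 256 + 80), which is the connection the filter would open for a SecureNAT client. The FTPS session yields nothing, which is why the only options are to take the filter out of the path for that destination and rely on the Firewall Client to handle the data connection.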

Sunday, September 24, 2006

Blocking the zero day VML vuln...

The patch for this vulnerability is scheduled to be released in October. Meanwhile if you are concerned and would like to prevent this attack sooner, Microsoft has released instructions for configuring your ISA to block it. The TechNet article is Learn How Your ISA Server Helps Block VML Vulnerability Traffic.

You may also be interested in what Jesper Johansson has to say about the VML attack and how to prevent it:

Block VML Zero-Day Vuln on a domain

More options on protecting against the VML vulnerability on a domain

Security is a personal decision. For my users I'm reasonably certain that they will not come into contact with this vuln before the patch is deployed. This one is starting to spread but it's spreading slowly for now and in obscure places.

Friday, September 15, 2006

PPTP Out Disabled by Default

The Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy blocks outgoing PPTP connections in Microsoft Windows Small Business Server 2003 Premium Edition SP1

This is one of those by-design things that the SBS team saddled us with. The KB article above will walk you through the official way to add an outbound PPTP rule to your rule set.

Tuesday, August 22, 2006

Going to SMBNation Redmond

I'll be attending SMBNation in Redmond from September 7th - 11th. If you'll also be there, look me up. It's always good to put a face with the comments!