
Dr. Tom Shinder's ISA Server and Beyond. Real World Security Solutions for Microsoft Enterprise Networks PDF

849 Pages·2003·62.163 MB·English


Authors

Thomas W. Shinder, M.D. (MCSE) is a computing industry veteran who has worked as a trainer, writer, and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies, and Sealand Container Corporation. Tom was Series Editor for the Syngress/Osborne series of Windows 2000 certification study guides and is author of the best selling book Configuring ISA Server 2000: Building Firewalls for Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6). Tom is the editor of the Brainbuzz.com Win2k News newsletter and is a regular contributor to TechProGuild. He is also a content editor, contributor, and moderator for the World's leading site on ISA Server 2000, www.isaserver.org. Microsoft recognized Tom's leadership in the ISA Server community and awarded him their Most Valuable Professional (MVP) award for the first time in December of 2001.

Debra Littlejohn Shinder (MCSE) is author of Scene of the Cybercrime: Computer Forensics Handbook (Syngress Publishing, ISBN: 1-931836-65-5), co-author of Configuring ISA Server 2000: Building Firewalls for Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Troubleshooting Windows 2000 TCP/IP (Syngress Publishing, ISBN: 1-928994-11-3), as well as contributor to numerous other technical books. Along with her husband, Dr. Thomas W. Shinder, Deb does network consulting in the Dallas-Ft. Worth area, designs Web sites for businesses, municipalities and non-profit organizations, and teaches in the Dallas County Community College District's technical training programs. As a former police officer and Police Academy instructor, she specializes in computer/network security and forensics. Deb has written hundreds of articles for Web and print publications such as TechRepublic, CNET, Swynk.com, BrainBuzz.com, and WinXP News. She has also written numerous online courses for DigitalThink, Inc. and prepared curricula for classroom instruction. She has contributed to Microsoft's TechNet and speaks at conferences such as the BlackHat security briefings and Certification Expo. She edits the A+ weekly newsletter for CramSession and writes a weekly feature for the Net Admin News. Deb has been writing since she finished her first (still unpublished) novel in ninth grade. She edited her high school and college newspapers and wrote and edited newsletters for city employees and police associations. Prior to entering the tech field, she had articles published in law enforcement and self-help psychology publications. She is a member of the IEEE's IPv6 Working Group and has written and tech edited questions for various certification practice exams.

Contributor

Mark Burnett is an independent security consultant and freelance writer who specializes in securing IIS. He is co-author of Maximum Windows Security and Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress Publishing, ISBN: 1-931836-69-8). Mark is a regular contributor to many security-related magazines, newsletters, and Web publications. As editor of www.iissecurity.net, Mark shares his own unique research as well as that from security researchers around the globe.

Technical Editor and Contributor

Martin Grasdal (MCSE+I, MCSE/W2K, MCT, CISSP, CTT, A+), Director of Web Sites and CTO at Brainbuzz.com, has worked in the computer industry for over nine years. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a broad range of products, including NetWare, Lotus Notes, Windows NT and 2000, Exchange Server, IIS, Proxy Server, and ISA Server. Martin also works actively as a consultant. His recent consulting experience includes contract work for Microsoft as a Technical Contributor to the MCP Program on projects related to server technologies. Martin has served as Technical Editor for several Syngress books, including Configuring ISA Server 2000: Building Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6). Martin lives in Edmonton, Alberta, Canada with his wife, Cathy, and their two sons.
About the CD-ROM

The CD-ROM that accompanies this book contains:
- Transcender's Installing, Configuring, and Administering Microsoft ISA Server 2000 Exam, ISA-CERT Version 1.0.
- 30-day evaluation copy of VMware Workstation 3.2 for Windows. VMware Workstation 3.2 for Windows Copyright 1998-2002, VMware, Inc. All Rights Reserved. Software protected by U.S. patent No. 6,397,242 and patents pending. VMware is a trademark of VMware, Inc. Visit www.vmware.com [...] If you do not have [...] and key.
- E-book of Dr. [...]
- E-book of Hack P[...]

Foreword and Acknowledgements

We first came up with the idea of an ISA Server and Beyond book almost a year ago. Soon after the release of our best selling book Configuring ISA Server: Building Firewalls for Windows 2000, we realized that our work wasn't complete. While we felt we did a good job of covering the basics of ISA Server and how to get it to work, there wasn't enough material on the most sophisticated and complex configurations. The ISA Server community has grown enormously since we finished our first book on ISA Server. At the time of this writing, ISAServer.org has over 10,000 members and over 65,000 unique visitors per month generating over a million page views. Many visitors to the ISAServer.org site have read our first ISA Server book, and they want to learn more about how to perfect more advanced configurations.

The first part of this book covers the least understood and most under documented ISA Server configurations. We discuss the details of how to configure various DMZ topologies, from the trihomed DMZ to the back to back DMZ to the completely undocumented LAT-based DMZ. DMZs are the cornerstone of a highly secure Internet publishing and internal network security scheme and the proper configuration of ISA Server DMZs can go a long way toward securing your internal network. We also cover advanced topics in Web and Server Publishing. Making servers located behind ISA Server available to the Internet is one of the most popular ISA Server [...]. Unfortunately, we weren't able to cover the intricacies of [...] in the first ISA Server book. This book fills that gap and [...] (until now) undocumented [...] to publish [...] server to the Internet. [...] to publish [...] services and Outlook Web Access. [...] detailed information on ISA Server publishing [...] you'll find in these [...].

In the second half of this book we go beyond ISA Server and into the realm of general network and Windows security. Network security has become the bellwether of our age, and no book on firewall security can be worth its salt without some coverage of the services that the firewall is designed to secure. You'll learn about default Windows 2000 permissions, IIS security, EFS, wireless security, and IPSec. When you pair the information contained in these chapters with what you learn about ISA Server, you'll be assured that you have a powerful armamentarium to defend your network.

You'll notice that I make liberal use of VMware in the first part of this book. While I would have liked to show you the configuration details on any one of the number of production networks we've set up, it would not be wise from a security point of view to expose our customers' network screenshots in such a widely distributed security book. VMware provides a perfect [...] for testing a tremendous variety of ISA Server configuration scenarios. [...] the time we can use VMware to create routed virtual networks of ISA Servers, Web servers, mail servers, and clients to test our designs.
I guarantee that the practice you gain while setting up your ISA Server scenarios in VMware will pay off handsomely by giving you valuable experience and insights that you would never otherwise have realized. We've included a demonstration version of VMware Workstation 3.2 for Windows on the CD that accompanies this book.

I did not write this entire book alone, and without the help of many people, this book never would have seen the light of day. My lovely wife, Deb Shinder, wrote Chapter 1 and rewrote and made comprehensive revisions and enhancements to the material in Chapters 7, 9, 10, 11, and 12. This book would read like just another Windows security book if it weren't for Debi's prodigious talents. I could never have finished this book, or have done anything else of value in my life without her. I dedicate this book and its success to her.

Extra special thanks go to Andrew Williams. Andrew kept pressing me to get this book done, and without his gentle cattle prodding, this book would have been finished sometime in the year 2005. Jon Babcock made sure that everything came out right, and that I submitted Visio files instead of .gifs! My dear friend Martin Grasdal wrote the seminal piece on Wireless networking in the second half of this book, as well as performing a technical edit on all chapters in this book. Martin is one of the most knowledgeable network engineers I've ever had the pleasure to know, and it has been our good luck to benefit from his knowledge and experience in both the first ISA Server book and this book. Mark Burnett wrote the chapter on IIS security. Mark is one of the stars of IIS security, and we are especially pleased to have his expert assistance and contributions to this book. IIS security is paramount for all of us who want to use ISA Server to publish our IIS Web sites. I think you'll get quite a bit of useful information from his chapter.

There are literally thousands of others who have contributed to this book. All the participants of the Microsoft newsgroups, ISAServer.org Web boards, and ISAServer.org mailing list have contributed to the ISA Server knowledge base. Key players on the ISA Server team at Microsoft have also contributed greatly to what we know about ISA Server today. It's impossible to list them all by name, but there are a few who I must mention because of their enormous influence: Joern Wettern for his unique insight into ISA Server; Zach Gutt and Ari Fruchter for being the best Microsoft managers I've ever had the pleasure to work with; Ronald Beekelaar for being such a computer genius and ISA Server junkie; Steve Riley for reminding me of myself when I was a 20 year old long hair Berkeley undergraduate (and for being a penultimate ISA Server guru); Craig Nelson for being a really relaxed dude and "the VPN man"; Steven Pouseele for his tireless efforts at educating the masses (and me) at ISAServer.org; and most of all, Jim Harrison, for his limitless energy in supporting the ISA Server community and for his unusually good sense of humor. Special mention goes to the owner and master of ISAServer.org, Stephen Chetcuti. The ISA Server community would be a much smaller and much sadder place if not for his dedication and tireless commitment to ISAServer.org.

Thomas W. Shinder, M.D.
www.isaserver.org/shinder

Chapter 1
Defending the Network with ISA Server and Beyond

Defensive Tactics in this Chapter:
- ISA Server Overview
- [...] Design [...]
- Beyond ISA Server
- Summary
- Defensive Tactics Fast Track
- Frequently Asked Questions
Introduction

Our first ISA Server book, Configuring ISA Server 2000, was written while we were still struggling to master a completely new piece of software, one that was very different in features, functionality, and complexity from its predecessor, Microsoft Proxy Server 2.0. We were working with beta releases during much of the writing, and then revising the material to address changes in the final release. In the year and a half since that book came out, we've gotten to know ISA Server much more intimately. Through working with it on a daily basis on our network, assisting and supporting others in the "real world" and via ISA newsgroups, mailing lists, conferences, and the www.isaserver.org Web site, we've come to know its quirks, peculiarities, and limitations, and learned some tweaks and tricks that will make it work better.

We have also come to understand, even more than before, that ISA or any other firewall solution is only one part (albeit an important one) of a comprehensive network security plan. The importance of multilayer security becomes more evident every day, as hackers and attackers work industriously to find ways through the barriers we set up. No single product can provide full protection for your network's data and integrity, regardless of how good it is.

This book is the natural follow-up to the first. Although it can stand on its own for those who have some experience using ISA Server, we recommend that anyone new to the product read Configuring ISA Server 2000 first, as this book will not cover in detail the basic issues that were addressed there. This book will delve into issues that did not exist when we wrote the first (such as ISA Service Pack 1 and using ISA with Windows .NET servers) and advanced configuration and network design issues (such as using ISA Server in different types of DMZs/perimeter networks, advanced server publishing techniques involving terminal server and Exchange server, and defending your mail services with ISA Server).

Note: The material in the next three sections of this chapter (ISA Server Overview, Installing ISA Server, and Getting Started with ISA Server) is intended for new ISA users. This is the only area of information in this book that will overlap with that of the previous book. If you already have experience with ISA, you might want to skip ahead to the section entitled Installing and Using Service Pack 1, where the all-new material begins. The remainder of the book assumes that you already have a thorough understanding of ISA Server features and functions.

This book also goes beyond ISA Server, examining other parts of your multilayered security plan. We discuss how to use Windows security features (such as the Security Configuration Toolset, the Encrypting File System, IPSec, and IIS security) and how to implement smart card authentication and secure wireless networks. We hope this book will provide additional guidance to network professionals who are using ISA Server in complex network situations, until it's time to take the next step beyond ISA Server 2000: the next generation of ISA, which is code named Stingray and is in beta testing at the time of this writing.
ISA Server Overview

Microsoft's Internet Security and Acceleration (ISA) Server replaced Microsoft Proxy Server 2.0, providing full-fledged firewall functionality for a much more robust security solution, along with improved caching/Web performance features. In the current security-conscious business climate (made more so by the events of September 11, 2001 and subsequent speculation that terrorists might be planning attacks on the cyberspace infrastructure), the security aspect has naturally drawn the most attention.

The Increasing Importance of Security

As we progress into the twenty-first century, most companies and individuals who use computers have those systems connected to the global Internet at least part of the time. Even at the consumer level, 24/7 connectivity is becoming the norm as DSL, cable modem, and satellite technologies become more widely available and increasingly easier to set up and use. This gives computer users access to a tremendous wealth of information that they didn't have before, and makes many of their jobs easier, but it also creates vulnerabilities. Logic dictates that if the users of your local network are able to access resources on computers all over the world, users of some of those computers might also be able to access yours. The connection is two way, and if you don't take steps to protect your internal network from intruders, it will be easy for a moderately knowledgeable hacker to read the files stored on your network servers, copy confidential data, and even implant viruses or erase your hard disks.

However, it's not only confidentiality of information that is at stake. Some network administrators might not realize that security can be a concern even if the data on your network is not of a "top secret" nature. The integrity of your data is also crucial. A security solution focuses on keeping outsiders from accessing data that is private and ensuring that important data is not destroyed or changed.

Security threats come in many "flavors," but can be broadly divided into two categories: external threats and internal threats. For example, a Denial of Service (DoS) attack perpetrated by a hacker at a remote location is an external security threat. Accidental deletion of important files by a company employee onsite is an internal threat. At first glance, it might seem that ISA Server only protects you from external
