
Hardening the Computer Manually
If Windows Server 2003 SP1 is not installed on the computer, you can configure the service startup modes manually, as described in this section, so that the computer ends up configured the way the Security Configuration Wizard (SCW) would configure it.
Note that we recommend that you use the SCW to harden the computer, because it is best optimized to secure the ISA Server computer.
Core Services
The following table lists the core services that must be enabled for ISA Server and the ISA Server computer to function properly.
| Service name | Rationale | Startup mode |
|---|---|---|
| COM+ Event System | Core operating system | Manual |
| Cryptographic Services | Core operating system (security) | Automatic |
| Event Log | Core operating system | Automatic |
| IPSec Services | Core operating system (security) | Automatic |
| Logical Disk Manager | Core operating system (disk management) | Automatic |
| Logical Disk Manager Administrative Service | Core operating system (disk management) | Manual |
| Microsoft Firewall | Required for normal functioning of ISA Server | Automatic |
| Microsoft ISA Server Control | Required for normal functioning of ISA Server | Automatic |
| Microsoft ISA Server Job Scheduler | Required for normal functioning of ISA Server | Automatic |
| Microsoft ISA Server Storage | Required for normal functioning of ISA Server | Automatic |
| MSSQL$MSFW | Required when MSDE logging is used for ISA Server | Automatic |
| Network Connections | Core operating system (network infrastructure) | Manual |
| NTLM Security Support Provider | Core operating system (security) | Manual |
| Plug and Play | Core operating system | Automatic |
| Protected Storage | Core operating system (security) | Automatic |
| Remote Access Connection Manager | Required for normal functioning of ISA Server | Manual |
| Remote Procedure Call (RPC) | Core operating system | Automatic |
| Secondary Logon | Core operating system (security) | Automatic |
| Security Accounts Manager | Core operating system | Automatic |
| Server | Required for ISA Server Firewall Client Share | Automatic |
| Smart Card | Core operating system (security) | Manual |
| SQLAgent$MSFW | Required when MSDE logging is used for ISA Server | Manual |
| System Event Notification | Core operating system | Automatic |
| Telephony | Required for normal functioning of ISA Server | Manual |
| Virtual Disk Service (VDS) | Core operating system (disk management) | Manual |
| Windows Management Instrumentation (WMI) | Core operating system (WMI) | Automatic |
| WMI Performance Adapter | Core operating system (WMI) | Manual |
ISA Server Server Roles
The ISA Server computer may function in additional capacities, or roles, depending on how you use the computer. The following table lists possible server roles, describes when they may be required, and lists the services that should be activated when you enable the role.
| Server role | Usage scenario | Services required | Startup mode |
|---|---|---|---|
| Routing and Remote Access Server | Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality. | Routing and Remote Access | Manual |
| Routing and Remote Access Server | Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality. | Remote Access Connection Manager | Manual |
| Routing and Remote Access Server | Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality. | Telephony | Manual |
| Routing and Remote Access Server | Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality. | Workstation | Automatic |
| Routing and Remote Access Server | Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality. | Server | Automatic |
| Terminal Server for Remote Desktop Administration | Select this role to enable remote management of the ISA Server computer. | Server | Automatic |
| Terminal Server for Remote Desktop Administration | Select this role to enable remote management of the ISA Server computer. | Terminal Services | Manual |
Note: The startup mode for the Server service should be Automatic in the following cases:
- You install ISA Server 2004: Client Installation Share.
- You use Routing and Remote Access Management, rather than ISA Server Management, to configure a virtual private network (VPN).
- Other tasks or roles, as described in the preceding table, require the service.

The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.
Note that the Server service is required only if you use Routing and Remote Access Management (rather than ISA Server Management) to configure a VPN.
ISA Server Administration and Other Options
For a server to perform necessary tasks, specific services must be enabled, based on the tasks that you select. Unnecessary services should be disabled. The following table lists possible server tasks for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the task.
| Server task | Usage scenario | Services required | Startup mode |
|---|---|---|---|
| Application installation from Group Policy | Required to install, uninstall, or repair applications using the Microsoft Installer Service. | Windows Installer | Manual |
| Backup | Required if using NTBackup or other backup program on the ISA Server computer. | Microsoft Software Shadow Copy Provider | Manual |
| Backup | Required if using NTBackup or other backup program on the ISA Server computer. | Volume Shadow Copy | Manual |
| Backup | Required if using NTBackup or other backup program on the ISA Server computer. | Removable Storage service | Manual |
| Error Reporting | Use to enable error reporting, thereby helping improve Windows reliability by reporting critical faults to Microsoft for analysis. | Error Reporting Service | Automatic |
| Help and Support | Allows collection of historical computer data for Microsoft Product Support Services incident escalation. | Help and Support | Automatic |
| ISA Server 2004: Client installation share | Required to allow computers to connect to and install from the Firewall Client share on the ISA Server computer. | Server | Automatic |
| ISA Server 2004: MSDE logging | Required to allow logging using MSDE databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the Log Viewer in offline mode. | SQLAgent$MSFW | Manual |
| ISA Server 2004: MSDE logging | Required to allow logging using MSDE databases. If you do not enable the applicable service, you can log to SQL databases or to files. However, you will not be able to use the Log Viewer in offline mode. | MSSQL$MSFW | Automatic |
| Performance data collection | Allows background collecting of performance data on the ISA Server computer. | Performance Logs and Alerts | Automatic |
| Print | Allows printing from the ISA Server computer. | Print Spooler | Automatic |
| Print | Allows printing from the ISA Server computer. | TCP/IP NetBIOS Helper | Automatic |
| Print | Allows printing from the ISA Server computer. | Workstation | Automatic |
| Remote Windows administration | Allows remote management of the Windows server (not required for remote management of ISA Server). | Server | Automatic |
| Remote Windows administration | Allows remote management of the Windows server (not required for remote management of ISA Server). | Remote Registry | Automatic |
| Time Synchronization | Allows the ISA Server computer to contact an NTP server to synchronize its clock. From a security perspective, an accurate clock is important for event auditing and other security protocols. | Windows Time | Automatic |
| Remote Assistance Expert | Allows the Remote Assistance feature to be used on this computer. | Help and Support | Automatic |
| Remote Assistance Expert | Allows the Remote Assistance feature to be used on this computer. | Remote Desktop Help Session Manager | Manual |
| Remote Assistance Expert | Allows the Remote Assistance feature to be used on this computer. | Terminal Services | Manual |
Note: Time client applications require that either the Wireless or the Server service is running in order to function properly.
ISA Server Client Roles
Servers can be clients of other servers. Client roles are dependent on role-specific services being enabled. The following table lists possible client roles for ISA Server, describes when they may be required, and lists the services that should be activated when you enable the role.
| Client role | Usage scenario | Services required | Startup mode |
|---|---|---|---|
| Automatic Update client | Select this role to allow automatic detection and update from Microsoft Windows Update. | Automatic Updates | Automatic |
| Automatic Update client | Select this role to allow automatic detection and update from Microsoft Windows Update. | Background Intelligent Transfer Service | Manual |
| DHCP client | Select this role if the ISA Server computer receives its IP address automatically from a DHCP server. | DHCP Client | Automatic |
| DNS client | Select this role if the ISA Server computer needs to receive name resolution information from other servers. | DNS Client | Automatic |
| Domain member | Select this role if the ISA Server computer belongs to a domain. | Network location awareness (NLA) | Manual |
| Domain member | Select this role if the ISA Server computer belongs to a domain. | Net logon | Automatic |
| Domain member | Select this role if the ISA Server computer belongs to a domain. | Windows Time | Automatic |
| DNS registration client | Select this role to allow the ISA Server computer to automatically register its name and address information with a DNS Server. | DHCP Client | Automatic |
| Microsoft Networking client | Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers; for example, to publish reports. | TCP/IP NetBIOS Helper | Automatic |
| Microsoft Networking client | Select this role if the ISA Server computer has to connect to other Windows clients. If you do not select this role, the ISA Server computer will not be able to access shares on remote computers; for example, to publish reports. | Workstation | Automatic |
| WINS client | Select this role if the ISA Server computer uses WINS-based name resolution. | TCP/IP NetBIOS Helper | Automatic |
Creating a Security Template
You can create a template, using the Security Templates Microsoft Management Console (MMC) snap-in. The template includes information about which services should be enabled, as well as their startup mode. By using a security template, you can easily configure a security policy and then apply it to each ISA Server computer.
To create a security template, perform the following steps:
1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Templates, click Add, click Close, and then click OK.
4. In the console tree, click the Security Templates node, right-click the folder where you want to store the new template, and click New Template.
5. In Template name, type the name for your new security template.
6. In Description, type a description of your new security template, and then click OK.
7. Expand the new template, and then click System Services.
8. In the details pane, right-click COM+ Event System and then click Properties.
9. Select Define this policy setting in the template and then click the startup mode. (For COM+ Event System, the startup mode is Automatic.)
10. Repeat steps 8 and 9 for each of the services listed in the following table.
| Service name | Short name | Startup mode |
|---|---|---|
| Automatic Updates | wuauserv | Automatic |
| Background Intelligent Transfer Service | BITS | Manual |
| COM+ Event System | EventSystem | Manual |
| Cryptographic Services | CryptSvc | Automatic |
| DHCP Client | Dhcp | Automatic |
| DNS Client | Dnscache | Automatic |
| Error Reporting Service | ERSvc | Automatic |
| Event Log | Eventlog | Automatic |
| Help and Support | Helpsvc | Automatic |
| IPsec Services | PolicyAgent | Automatic |
| Logical Disk Manager | dmserver | Automatic |
| Logical Disk Manager Administrative Service | dmadmin | Manual |
| Microsoft Firewall | Fwsrv | Automatic |
| Microsoft ISA Server Control | ISACtrl | Automatic |
| Microsoft ISA Server Job Scheduler | ISASched | Automatic |
| Microsoft ISA Server Storage | ISASTG | Automatic |
| Microsoft Software Shadow Copy Provider | SWPRV | Manual |
| MSSQL$MSFW | MSSQL$MSFW | Automatic |
| Network Connections | Netman | Manual |
| Network Location Awareness (NLA) | NLA | Manual |
| NTLM Security Support Provider | NtLmSsp | Manual |
| Performance Logs and Alerts | SysmonLog | Automatic |
| Plug and Play | PlugPlay | Automatic |
| Protected Storage | ProtectedStorage | Automatic |
| Remote Access Connection Manager | RasMan | Manual |
| Remote Desktop Help Session Manager | RDSessMgr | Manual |
| Remote Procedure Call (RPC) | RpcSs | Automatic |
| Removable Storage | NtmsSvc | Manual |
| Routing and Remote Access | None | Manual |
| Secondary Logon | seclogon | Automatic |
| Security Accounts Manager | SamSs | Automatic |
| Server | lanmanserver | Manual |
| Smart Card | SCardSvr | Manual |
| System Event Notification | SENS | Automatic |
| TCP/IP NetBIOS Helper | LmHosts | Automatic |
| Telephony | TapiSrv | Manual |
| Terminal Services | TermService | Manual |
| Virtual Disk Service (VDS) | VDS | Manual |
| Volume Shadow Copy | VSS | Manual |
| Windows Installer | MSIServer | Manual |
| Windows Management Instrumentation | winmgmt | Automatic |
| Windows Time | W32time | Automatic |
| Wireless Configuration | WZCSVC | Automatic |
| WMI Performance Adapter | WmiApSrv | Manual |
| Workstation | lanmanworkstation | Automatic |
Note: The startup mode for the Server service should be Automatic in the following cases:
- You install ISA Server 2004: Client Installation Share.
- You use Routing and Remote Access Management, rather than ISA Server Management, to configure a VPN.
- Other tasks or roles, as described in the preceding table, require the service.

The startup mode for the Routing and Remote Access service is Manual. ISA Server starts the service only if a VPN is enabled.
Time client applications require that either the Wireless or the Server service is running in order to function properly.
To apply the new template to the ISA Server computer, perform the following steps:
1. To open Security Templates, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in and then click Add.
3. Select Security Configuration and Analysis, click Add, click Close, and then click OK.
4. In the console tree, click Security Configuration and Analysis.
5. Right-click Security Configuration and Analysis and then click Open Database.
6. Type a new database name, and then click Open.
7. Select a security template to import, and then click Open. Select the security template that you created previously.
8. Right-click Security Configuration and Analysis and then click Configure Computer Now.
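The following PowerShell script is an added example and is not part of the original page or of ISA Server itself. It turns the service table from the "Creating a Security Template" section into a baseline, reports which services on the local computer drift from it, and, with `-Enforce`, either sets the startup modes directly through the Win32_Service WMI class or applies a template (.inf) exported from the Security Templates snap-in with `secedit`, which is the command-line equivalent of the "Configure Computer Now" step above. It assumes PowerShell with WMI access, running elevated on the ISA Server computer; the script name, the `-Enforce` and `-TemplatePath` parameters, and the temporary database path are this example's own choices. "Routing and Remote Access" has no short name in the table, so it is not in the baseline.

```powershell
param(
    [switch]$Enforce,       # without this switch the script only reports drift
    [string]$TemplatePath   # optional .inf exported from the Security Templates snap-in
)

# Desired startup mode per service short name, taken from the table in the
# "Creating a Security Template" section. SQLAgent$MSFW (Manual) belongs here
# only when MSDE logging is used, so it is left out of the default baseline.
# Per the note above, lanmanserver must be Automatic when the Client
# Installation Share or RRAS-managed VPN is used; adjust the entry accordingly.
$Baseline = @{
    'wuauserv' = 'Automatic'; 'BITS' = 'Manual'; 'EventSystem' = 'Manual'; 'CryptSvc' = 'Automatic'
    'Dhcp' = 'Automatic'; 'Dnscache' = 'Automatic'; 'ERSvc' = 'Automatic'; 'Eventlog' = 'Automatic'
    'Helpsvc' = 'Automatic'; 'PolicyAgent' = 'Automatic'; 'dmserver' = 'Automatic'; 'dmadmin' = 'Manual'
    'Fwsrv' = 'Automatic'; 'ISACtrl' = 'Automatic'; 'ISASched' = 'Automatic'; 'ISASTG' = 'Automatic'
    'SWPRV' = 'Manual'; 'MSSQL$MSFW' = 'Automatic'; 'Netman' = 'Manual'; 'NLA' = 'Manual'
    'NtLmSsp' = 'Manual'; 'SysmonLog' = 'Automatic'; 'PlugPlay' = 'Automatic'; 'ProtectedStorage' = 'Automatic'
    'RasMan' = 'Manual'; 'RDSessMgr' = 'Manual'; 'RpcSs' = 'Automatic'; 'NtmsSvc' = 'Manual'
    'seclogon' = 'Automatic'; 'SamSs' = 'Automatic'; 'lanmanserver' = 'Manual'; 'SCardSvr' = 'Manual'
    'SENS' = 'Automatic'; 'LmHosts' = 'Automatic'; 'TapiSrv' = 'Manual'; 'TermService' = 'Manual'
    'VDS' = 'Manual'; 'VSS' = 'Manual'; 'MSIServer' = 'Manual'; 'winmgmt' = 'Automatic'
    'W32time' = 'Automatic'; 'WZCSVC' = 'Automatic'; 'WmiApSrv' = 'Manual'; 'lanmanworkstation' = 'Automatic'
}

# Win32_Service reports the mode as 'Auto', but its ChangeStartMode method
# expects 'Automatic'; normalise the reported value to the table's vocabulary.
$ModeName = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled'; 'Boot' = 'Boot'; 'System' = 'System' }

function Get-StartupDrift {
    # Returns one record per listed service whose startup mode differs from the baseline.
    $drift = @()
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $svc = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $name)
        if ($svc -eq $null) {
            # e.g. MSSQL$MSFW is absent when MSDE logging was never installed
            Write-Warning ("{0}: not installed on this computer, skipped" -f $name)
            continue
        }
        $current = $ModeName[$svc.StartMode]
        if ($current -ne $Baseline[$name]) {
            $drift += New-Object PSObject -Property @{ Service = $name; Current = $current; Desired = $Baseline[$name] }
        }
    }
    return ,$drift
}

function Set-StartupBaseline($drift) {
    # Applies the desired mode to each drifted service through WMI.
    foreach ($d in $drift) {
        $svc = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $d.Service)
        $result = $svc.ChangeStartMode($d.Desired)
        if ($result.ReturnValue -ne 0) {
            Write-Warning ("{0}: ChangeStartMode failed with return value {1}" -f $d.Service, $result.ReturnValue)
        }
    }
}

$drift = Get-StartupDrift
if ($drift.Count -eq 0) {
    Write-Host 'All listed services match the baseline.'
} else {
    $drift | Format-Table Service, Current, Desired -AutoSize
}

if ($Enforce) {
    if ($TemplatePath) {
        # Apply the snap-in template to the services area only; the .sdb and log
        # paths are this example's own choice.
        $db  = Join-Path $env:TEMP 'isa-hardening.sdb'
        $log = Join-Path $env:TEMP 'isa-hardening.log'
        secedit /configure /db $db /cfg $TemplatePath /areas SERVICES /log $log
    } else {
        Set-StartupBaseline $drift
    }
}
```

Run the script with no parameters first to see the drift report; run it again with `-Enforce` to set the startup modes through WMI, or with `-Enforce -TemplatePath .\isa-services.inf` to apply the template you created in the snap-in. Changing a startup mode does not start or stop the service, so a service that the baseline sets to Manual keeps running until it is stopped or the computer restarts.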