Role-based Administration in ISA Server 2006

Role-based Administration in ISA Se...

Microsoft Internet Security and Acceleration Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 allows you to apply administrative roles to users and groups. After you determine which groups are allowed to configure or view ISA Server policy and monitoring information, you can assign roles appropriately.

Scenario: Role-Based Administration

You can use role-based administration to organize ISA Server administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you allow that user permissions to perform specific tasks. Role-based administration involves Microsoft Windows Server® 2003 or Windows® 2000 Server users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.

Because ISA Server controls access to your network, you should take special care in assigning permissions to the ISA Server computer and related components. Carefully determine who should have permission to log on to the ISA Server computer. Then, configure the logon rights accordingly.

Role-Based Administration Features

Similar to any application in your environment, when you define the permissions for ISA Server, you should consider the roles of the ISA Server administrators and assign them only necessary permissions. To simplify the process, ISA Server uses administrative roles. When you assign a role to a user, you essentially allow that user permissions to perform specific tasks. A user that has one role, such as ISA Server Full Administrator, can perform specific ISA Server tasks that a user with another role, such as ISA Server Basic Monitoring, cannot perform. Role-based administration involves Windows users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.

Members of these ISA Server administrative groups can be any Windows user. No special privileges or Windows permissions are required.

Note:
The only exception is that to view the ISA Server performance counters, using Perfmon or the ISA Server Dashboard, the user must be a member of the Windows Server 2003 Performance Monitor Users group

Users with administrator permissions on the ISA Server Enterprise Edition computer automatically have ISA Server enterprise-level permissions. Note, that users that belong to the Administrators group on the Configuration Storage server can control the enterprise configuration. This is because they can directly modify any data on the Configuration Storage server

Administrative Roles (Standard Edition)

The following table describes the ISA Server Standard Edition roles.

Standard Edition role	Description
ISA Server Monitoring Auditor	Users and groups assigned this role can monitor basic ISA Server computer and network activity, but cannot view the ISA Server configuration.
ISA Server Auditor	Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert definition configuration, and can view the ISA Server configuration.
ISA Server Full Administrator	Users and groups assigned this role can perform any ISA Server task, including rule configuration, applying of network templates, and monitoring.

Note:
Administrators with ISA Server Auditor permissions can export, import, and decrypt information such as passwords stored in the configuration.

Roles and Activities

Each ISA Server role has a specific list of ISA Server tasks associated with it. The following table lists some ISA Server administrative tasks along with the roles in which they are performed.

Activity	ISA Server Monitoring Auditor	ISA Server Auditor	ISA Server Full Administrator
View Dashboard, alerts, connectivity, sessions, services	Allowed	Allowed	Allowed
Acknowledge alerts	Allowed	Allowed	Allowed
View log information	Not allowed	Allowed	Allowed
Create alert definitions	Not allowed	Not allowed	Allowed
Create reports	Not allowed	Allowed	Allowed
Stop and start sessions and services	Not allowed	Allowed	Allowed
View firewall policy	Not allowed	Allowed	Allowed
Configure firewall policy	Not allowed	Not allowed	Allowed
Configure cache	Not allowed	Not allowed	Allowed
Configure a virtual private network (VPN)	Not allowed	Not allowed	Allowed

Administrators who have ISA Server Auditor role permissions can configure all report properties with the following exceptions:

Cannot configure a different user account when publishing reports.
Cannot customize report contents.

Array-Level Administrative Roles (Enterprise Edition)

You can organize array-level administrators into separate, predefined roles, each with its own set of tasks. The following table describes the ISA Server Enterprise Edition array-level roles.

Role	Description
ISA Server Array Monitoring Auditor	Users and groups assigned this role can monitor basic ISA Server computer and network activity, but cannot view the ISA Server configuration.
ISA Server Array Auditor	Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert definition configuration, and can view the ISA Server configuration.
ISA Server Array Administrator	Users and groups assigned this role can perform any ISA Server task on the specific array, including rule configuration, applying of network templates, and monitoring.

Note:
Administrators with ISA Server Array Auditor permissions can configure all report properties with the following exceptions:

Cannot configure a different user account when publishing reports.
Cannot customize report contents.
A user assigned the ISA Server Array Administrator role can run highly privileged processes on the ISA Server computer.

Roles and Activities

Each ISA Server role has a specific list of ISA Server tasks associated with it. The following table lists some ISA Server administrative tasks along with the roles in which they are performed.

Activity	ISA Server Array Monitoring Auditor	ISA Server Array Auditor	ISA Server Array Administrator
View Dashboard, alerts, connectivity, sessions, services	Allowed	Allowed	Allowed
Acknowledge and reset alerts	Allowed	Allowed	Allowed
View log information	Not allowed	Allowed	Allowed
Create alert definitions	Not allowed	Not allowed	Allowed
Create reports	Not allowed	Allowed	Allowed
Stop and start sessions and services	Not allowed	Allowed	Allowed
View firewall policy	Not allowed	Allowed	Allowed
Configure firewall policy	Not allowed	Not allowed	Allowed
Configure cache	Not allowed	Not allowed	Allowed
Configure a virtual private network (VPN)	Not allowed	Not allowed	Allowed
Drain and stop network load balanced (NLB) firewall or Web Proxy load balanced server	Not allowed	Allowed	Allowed
View local configuration (in registry of array member)	Not allowed	Allowed	Allowed
Change local configuration (in registry of array member)	Not allowed	Not allowed	Not allowed

Enterprise-Level Administrative Roles (Enterprise Edition)

You can use role-based administration to organize ISA Server 2006 enterprise administrators into separate, predefined roles, each with its own set of tasks. When you assign a role to a user, you allow that user permissions to perform specific tasks. Role-based administration involves Windows users and groups. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.

ISA Server distinguishes between enterprise-level roles and array-level roles. The following table describes the ISA Server roles for enterprise administration.

Role	Description
ISA Server Enterprise Auditor	Users and groups assigned this role can view the enterprise configuration and all array configurations. They can also view the local configuration (in the registry of an array member)
ISA Server Enterprise Administrator	Users and groups assigned this role have full control over the enterprise and all array configurations. The Enterprise Administrator can also assign roles to other users and groups. They can also view and change the local configuration (in the registry of an array member)

Note:
A user assigned the ISA Server Enterprise Administrator role can run highly privileged processes on the ISA Server computers in the enterprise. ISA Server also provides a policy administrator role. A user with this role can view and change specific policies.

Roles and Activities

Each ISA Server role has a specific list of ISA Server tasks associated with it. The following table lists some ISA Server administrative tasks along with the roles in which they are performed.

Activity	ISA Server Enterprise Administrator	ISA Server Enterprise Auditor
View enterprise policies	Allowed	Allowed
Create enterprise policies	Allowed	Not allowed
Apply enterprise policies to an array	Allowed	Not allowed
View array-level firewall policy	Allowed	Allowed
View array configuration	Allowed	Allowed
Modify array configuration	Allowed	Not allowed
Create an array	Allowed	Not allowed
View local configuration (in registry of array member)	Allowed	Allowed
Change local configuration (in registry of array member)	Allowed	Not allowed

Roles for Domain and Workgroup (Enterprise Edition)

Depending on the specific topology of your network, different permissions should be configured for the roles accessing the Configuration Storage server.

Computer Running ISA Server Services Belongs to a Workgroup

If the computer running the ISA Server services belongs to a workgroup, but the Configuration Storage server belongs to a domain, user accounts configured on the domain should be used to access the Configuration Storage server.

Create mirrored accounts on each array member, for intra-array communication and administration. The accounts should be created with the same settings as the user account specified on the initial array member.

For example, suppose that the Configuration Storage server belongs to the Microsoft.com domain. Two computers running ISA Server services each belong to a workgroup. The enterprise administrator, with user name Adina, will administer this enterprise. Adina must belong to the Enterprise Administrators group. For this example, the following actions are required:

Create mirrored accounts for Adina on both computers running ISA Server services. (The accounts must have identical credentials.)
Add Adina's domain user name to the users allowed to access the Configuration Storage server.
Add the user name (specified in the mirrored account) to the list of mirrored accounts used for monitoring this array.

When the enterprise administrator connects to the enterprise, the following actions are performed:

Specifies the credentials of the user who is logged on when specifying how to connect to the Configuration Storage server.
Specifies different credentials when specifying how to connect to each array member.
Specifies Adina as the user name for the array member credentials.

Computer Running ISA Server Services Belongs to a Domain

If the computer running the ISA Server services belongs to a domain, but the Configuration Storage server belongs to a workgroup, create an administrative account on the Configuration Storage server.

Note that in this scenario, only one Configuration Storage server can be used for the enterprise. Create domain accounts for intra-array communication and administration.

Computer Running ISA Server Services and Configuration Storage Server Belong to a Workgroup

If both the computer running the ISA Server services and the Configuration Storage server belong to the same workgroup, create a single administrative account.

Note that in this scenario, only one Configuration Storage server can be used for the enterprise. You do not have to create domain accounts for intra-array communication and administration.

Create mirrored accounts on each array member for intra-array communication and administration. You may want to create mirrored accounts for each administrator. Alternatively, create mirrored accounts for each role.

Credentials

When requested to present credentials, use strong passwords. A password is considered strong if it provides an effective defense against unauthorized access. A strong password does not contain all or part of the user account name, and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, or #).

Best Practices

Consider the following best practices.

Permissions

Apply the principle of least privilege when configuring permissions for ISA Server administrators, as described in the following section. Carefully determine who is allowed to log on to the ISA Server computer, eliminating access to those who are not critical to the server functions.

Least Privileges

Apply the principle of least privilege, where a user has the minimum privileges necessary to perform a specific task. This helps ensure that if a user account is compromised, the impact is minimized by the limited privileges held by that user.

Keep the Administrators group and other user groups as small as possible. A user who belongs to the Administrators group on the ISA Server computer, for example, can perform any task on the ISA Server computer.

In Standard Edition, users in the Administrators group are implicitly assigned the role of ISA Server Full Administrator. They have full rights to configure and monitor ISA Server.

In Enterprise Edition, users who belong to the Administrators group on the Configuration Storage server can control the enterprise configuration. They can directly modify any data on the Configuration Storage server.

Logging On and Configuring

When you log on to the ISA Server computer, log on with the least privileged account necessary to do the task. For example, to configure a rule, you should log on as an ISA Server administrator. However, if you only want to view a report, log on with lesser privileges.

In general, use an account with restrictive permissions to perform routine tasks that are unrelated to administration, and use an account with broader permissions only when performing specific administrative tasks.

Guest Accounts

We recommend that you do not enable the Guest account on the ISA Server computer.

When a user logs on to the ISA Server computer, the operating system checks whether the credentials match a known user. If the credentials do not match a known user, the user is logged on as Guest, with the same privileges allowed to the Guest account.

ISA Server recognizes the Guest account as the default All Authenticated Users user set.

Discretionary Access Control Lists

With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs when you modify administrative roles and when the Microsoft ISA Server Control service (isactrl) is restarted. For more information, see the section Role-Bas e d Administration Features earlier in this document.

Caution:
Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure. Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users: Folder for reports (when you select to publish the reports). Configuration files created when exporting or backing up the configuration. Log files that are backed up to a different location. Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure. Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry. If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent.

Caution:

Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.
Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users:
Folder for reports (when you select to publish the reports).
Configuration files created when exporting or backing up the configuration.
Log files that are backed up to a different location.
Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure.
Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.
If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent.

Tip:
We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitionsTip

Revoking User Permissions

When you revoke administrative permissions for an ISA Server administrator, we recommend that you delete the user account from Active Directory® directory service, to ensure that the user no longer has access.

Removing Administrator Permissions

To remove administrator permissions, remove the user from the specific administrator group.

To remove ISA Server administrators who are logged on, from a security group, and add them into a new group, perform the following steps

Add the administrator account into the new group.
Log off and then log on with the administrator account, so that the new settings take effect

Remove the administrator account from the original group

Manage Your Profile | Contact Us | Newsletter

Product Families

Resources

About Microsoft

Popular Places

Popular Searches

Popular Downloads

Administrative Roles (Standard Edition)

Roles and Activities

Array-Level Administrative Roles (Enterprise Edition)

Roles and Activities

Enterprise-Level Administrative Roles (Enterprise Edition)

Roles and Activities

Computer Running ISA Server Services Belongs to a Workgroup

Computer Running ISA Server Services Belongs to a Domain

Computer Running ISA Server Services and Configuration Storage Server Belong to a Workgroup

Credentials

Permissions

Least Privileges

Logging On and Configuring

Guest Accounts

Discretionary Access Control Lists

Revoking User Permissions

Removing Administrator Permissions