Microsoft recently released its ISA 2004 Best Practices Analyzer (BPA) Tool. Like the BPAs released for other Microsoft server products, the ISA firewall's BPA can be used to analyze your ISA firewall's configuration and then come up with suggestions for how you can correct problems with your ISA firewall. In this article we'll take a look at what the ISA firewall BPA does and the type of information you'll get after running the tool.
Obtaining and using BPA
The first step is to download the BPA from the Microsoft Web site. The ISA firewall BPA will work on both Standard Edition and Enterprise Edition. You will need to make sure that the .NET framework 1.1 is installed before installing the ISA firewall BPA.
After downloading the tool to a management station, scan the file with your favorite AV/AS software, then copy it to the ISA firewall. Double click on the IsaBPA.msi to install the application. At the end of installation, leave the checkmark in the Invoke Microsoft ISA Server Best Practices Analyzer Tool when the wizard closes checkbox, as seen in Figure A, and click Finish.
|The last page of the ISA BPA Tool Setup Wizard|
The screen in Figure B appears. The Microsoft ISA Server Best Practices Analyzer Tool window opens and at this point you can run a new scan or read more about the tool by clicking the ISA Server Best Practices Analyzer Help link. You don't need to read the Help file to use the tool, since there aren't any entries in the Help file except those that refer to the tool's findings after running a check. Click the Start a new Best Practices scan link to run your first BPA scan.
|Beginning a new ISA BPA scan|
On the Start a Scan page, enter a name for the scan in the Enter the scan label text box. This allows you to refer to the scan at a later time and keep track of your scans. You might want to run the BPA tool on a regular basis as part of your ISA firewall auditing scheme, or you could run the tool after making changes to the ISA firewall so that you know you didn't do anything to break the ISA firewall's security configuration.
In the Task drop down list you have the following options:
- Health Check + ISAInfo - This option tells the BPA to check the ISA firewall's configuration against the list of best practices checks and also runs a comprehensive scan of the ISA firewall's firewall policy and computer configuration and settings and includes this information in the report that follows the scan.
- Health Check - This option tells the BPA to check the ISA firewall's configuration against a list of best practices checks.
- Run ISAInfo - This option tells the BPA to only run the ISAInfo tool.
I recommend running the Health Check + ISAInfo the first time you run the BPA, as shown in Figure C. That's what I'll do in this example. After making your Scan Type selection, click Start Scanning.
|Selecting the type of scan to perform|
It'll take a few minutes for the scan to complete. Once it's complete, you'll see that eight general categories of checks were completed. Those tasks are:
- Basic Settings
- Operating System
- Web Publishing
Click the View a report of this Best Practices scan link to see a report of the scan results. You'll see the results on the screen shown in Figure D.
|All scans are completed|
The default report view is the Full Issues List. This report lists only problems and significant issues that you should be aware of regarding your ISA firewall or system configuration. I ran the BPA on a correctly configured ISA firewall (multiple NICs, full firewall configuration, joined to the domain) that provides secure outbound access for Web proxy and Firewall clients, and publishes the full suite of Exchange Server services. The issues pointed out in this example are:
- This computer has less than 512MB of memory - This is a reasonable alert, as it's recommended that the ISA firewall have at least 512MB of RAM.
- A logical disk has less than 3GB of available space - Not sure why they needed to point this out. Yes, I know that when I run out of disk space no more logging will take place and the ISA firewall goes into lockdown mode. That's why we configured the Logging features on the ISA firewall post installation. I suppose if you hadn't read the book (or the Help file) you wouldn't know this.
- This ISA Server Computer is not hardened - How did the BPA make this assessment? It's as hard as I want it to be, and I did take measures to secure the configuration, such as locking down system policy, not running client applications on the ISA firewall, downloading updates to a management workstation before installing them on the ISA firewall, and others. The reason why the BPA pointed out that the system wasn't hardened was because the Windows Server Service is running on the machine. However, since no SMB/CIFS access is allowed to the ISA firewall, it doesn't matter.
|Viewing the types of ISA BPA reports|
There are other reports you can view. The full list of reports, shown in Figure E, includes:
- Full Issues List - This report lists the major issues discovered by the ISA firewall BPA.
- Items of Interest - This report lists issues that are "interesting" (not sure who defined "interesting" or how "interesting" was defined).
- Hidden Items List - This is a list of hidden items, but I'm not sure why they are defined as "hidden" and who they're hidden from.
- Detailed View - This provides a very detailed view of the ISA firewall's BPA findings and calls out areas with Information, Warning, and Alert icons. This detailed information is presented in a tree format, as we'll see later.
- Summary View - This provides a list of all Information, Warning and Alert areas discovered by the ISA firewall BPA. This is the report I go to first.
Figure F shows the output in the Items of Interest report. Interesting items are denoted with the Information icon. These items are for your information and do not necessarily indicate a problem, but they are things you should be aware of as they impact the ISA firewall configuration and management in either a direct or peripheral manner. You can see in my report entries such as the amount of available disk space, the amount of memory installed and the number of network adapters.
|Viewing the Items of Interest Report|
The problem is that I actually have 256MB of memory installed, and Logical Disk D: is a CD/DVD drive. So, I'd warn you not to take the information in this report at face value.
The Hidden Items report reports on "Hidden Items". I'm not sure what items are being hidden and who they're being hidden from. In my report it shows that the DNS search order is blank and an available operating system service pack is not installed. I'm fully aware that I've configured my ISA firewall's adapters correctly and that Windows Server 2003 Service Pack 1 is not installed, so those facts weren't hidden from me.
The DNS search order is blank finding is interesting, and something I would not have included in the ISA firewall BPA. As I mentioned earlier, this ISA firewall is correctly configured, including the DNS settings. The correct configuration for most ISA firewalls is to configure the internal interface with an internal DNS server that is capable of resolving both public and private names, and then move the internal interface to the top of the adapter list.
Why were my settings called out? Because I didn't have a DNS server configuration on the external interface of the ISA firewall. At first glance you'd get the impression that the ISA firewall BPA messed up. However, if you click the Tell me more about this issue and how to resolve it link, shown in Figure G, you'll find a good description of how to configure DNS settings on the ISA firewall and what the optimal configuration is.
|Viewing the Hidden Items Report|
So, while I would consider calling out my DNS settings as an issue to be erroneous, the guidance is correct. They should have moved the DNS settings to the Items of Interest report when the DNS settings are correct, as they are in my configuration.
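The checks discussed above (installed memory, free space on fixed disks only, the Server service, and per-interface DNS servers) can be re-run locally to validate what the report claims against the actual machine. This PowerShell script is an added example, not part of the article or the ISA BPA tool; it assumes Windows PowerShell with WMI on the ISA host, and the connection names 'Internal' and 'External' are placeholders for your own interface names.

```powershell
# Added example: re-checks four BPA findings locally so the report can be validated.
# Assumptions: run elevated on the ISA host; 'Internal'/'External' are placeholder connection names.
$internalNic = 'Internal'
$externalNic = 'External'

# RAM: the BPA warns below 512 MB.
$cs    = Get-WmiObject Win32_ComputerSystem
$ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
if ($ramMB -lt 512) { "WARNING: $ramMB MB RAM installed; at least 512 MB is recommended" }
else                { "OK: $ramMB MB RAM installed" }

# Free space: fixed disks only (DriveType 3), so a CD/DVD drive cannot trigger the alert.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $freeGB = [math]::Round($_.FreeSpace / 1GB, 1)
    if ($freeGB -lt 3) { "WARNING: $($_.DeviceID) has $freeGB GB free; a full log disk stops logging and triggers lockdown" }
    else               { "OK: $($_.DeviceID) has $freeGB GB free" }
}

# Server service (LanmanServer): the BPA reports the host as 'not hardened' when it is running.
$srv = Get-Service LanmanServer
if ($srv.Status -eq 'Running') { "INFO: Server service is running; acceptable only if system policy allows no SMB/CIFS access to the firewall" }
else                           { "OK: Server service is $($srv.Status)" }

# DNS: internal interface should list an internal DNS server; external interface should list none.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | ForEach-Object {
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "Index=$($_.Index)"
    $name    = $adapter.NetConnectionID
    # Piping through Where-Object drops a $null search order so an empty list has Count 0.
    $dns     = @($_.DNSServerSearchOrder | Where-Object { $_ })
    switch ($name) {
        $internalNic { if ($dns.Count -eq 0) { "WARNING: $name has no DNS server configured" }
                       else { "OK: $name uses DNS $($dns -join ', ')" } }
        $externalNic { if ($dns.Count -gt 0) { "WARNING: $name lists DNS servers $($dns -join ', '); leave the external interface blank" }
                       else { "OK: $name has no DNS servers (expected)" } }
        default      { "INFO: $name DNS = $($dns -join ', ')" }
    }
}
```

Compare each line with the BPA's Items of Interest and Hidden Items entries; a mismatch such as a CD/DVD drive counted as a low-space disk shows which findings to discount.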
The Detailed View, Figure H, gives you a comprehensive list of what the ISA firewall BPA found during its analysis in a tree view format. You can drill down into those sections where there are Information, Warning and Alert icons. This is where I found out why the ISA firewall BPA determined that I hadn't hardened my system.
|Viewing the Detailed View Report|
The Summary View, Figure I, provides you with a list of all the Information, Warning and Alert areas identified by the ISA firewall BPA. This is my favorite report, as I can get all the information I need about the important findings regarding my configuration.
|Viewing the Summary View Report|
Figures J and K show the list of BPA issues as found in the ISA firewall BPA Help file. It would be worth your time to read through each of these issues, as you can get a lot of insight into correct ISA firewall configuration and management from this material.
|List of best practices issues in the ISA BPA Help file|
|Continuing the list of best practices issues in the ISA BPA Help file|
Note that for each report you have the options to:
- Find - This feature allows you search the contents of the report by matching a string you enter into the Find text box.
- Export Report - This feature allows you to export the report to an .xml file that you can copy to another machine. You also can export to HTML or CSV. However, if you use HTML or CSV, you will only be able to save the current report and not the entire data file used to generate all of the reports. Figure L illustrates this option.
- Print Report - This option allows you to print the current report.
|Saving the report in a variety of formats|
One other feature worth mentioning is the Update the ISA Server Best Practices Analyzer option, which you can find in the left pane of the ISA firewall BPA window. When you click that link, the ISA firewall BPA will connect to the Microsoft Web site responsible for housing updates to the BPA. If there are updates, the BPA will download and install them for you automatically, as seen in Figure M. You'll then need to restart the ISA firewall BPA before the updated definitions and settings are used.
|Updating the ISA BPA configuration set|
After checking for updates, you'll be given the opportunity to always check for updates when you open the ISA firewall BPA by putting a checkmark in the Check for updates on startup checkbox, as seen in Figure N.
|Updating the ISA BPA configuration set|
Bottom line on the ISA Firewall Best Practices Analyzer
I found the ISA firewall BPA to be an excellent tool for checking out the configuration of ISA firewalls that were set up by someone else. The ISA firewall BPA is able to find misconfiguration issues before I even need to look at the ISA firewall in question. The tool allows me to first focus my efforts on the obvious problems pointed out by the tool and free me up to search for more subtle issues in the ISA firewall setup and configuration.
However, I didn't find the ISA firewall BPA much use when checking ISA firewalls that I've set up and managed. I suppose the reason is that I usually know what I'm doing and always use ISA firewall best practices, even when the customer tries to convince me to subvert the ISA firewall's security model.
While the evaluation and assessments made by the ISA firewall BPA will be especially useful for the neophyte and busy ISA firewall admin, you still have to be careful. As noted earlier in this article, you can't always take the output in the reports at face value, and you need to critically assess what the reports are telling you. For example, the DNS issue reported in my ISA firewall wasn't an issue at all and if you clicked the link to the explanation, you would know it. However, a busy or inexperienced ISA firewall administrator might interpret the error as a suggestion to enter DNS server addresses on all the ISA firewall's interfaces, or worse, enter public and private DNS server addresses on all the ISA firewall's interfaces.
Perhaps even more problematic are some of the observations included in the Help file guidance. For example, in more than one place the ISA firewall BPA explicitly states Installing ISA Server 2004 on a domain controller is a supported configuration. While I know that Microsoft needs to say this because ISA Server 2004 is included in SBS 2003 Service Pack 1, any experienced firewall or security administrator realizes that this is a poor security solution. It would have been better to leave out all references to the domain controller status of the ISA firewall, since SBS users already know this, and others who make the ISA firewall a domain controller should be admonished for doing so instead of getting an implicit "thumbs up" for that configuration.
The ISA firewall BPA does include exceptional support for troubleshooting SSL Web Publishing scenarios. These are the most problematic issues ISA firewall administrators face, as most of them aren't fully conversant regarding PKI. The ISA firewall BPA will be exceptionally useful for those ISA firewall administrators.
I would have liked to have seen more best practices analysis and recommendations. Much of the ISA BPA at this time is focused on troubleshooting issues rather than best practices. I'm talking about recommendations such as those found at:
Overall, the ISA firewall BPA tool is an excellent resource for troubleshooting ISA firewall setup and configuration issues. It is even more valuable to relatively inexperienced ISA firewall administrators who aren't aware of the many subtleties involved with correct ISA firewall installation and configuration. For experienced ISA firewall administrators, the ISA firewall BPA tool adds little to their current armamentarium. However, I fully expect the tool to continue to improve as the scan database files are updated and will end up being a must have tool for all ISA firewall administrators, regardless of their experience with ISA firewalls.