ISA server Domain Member or Workgroup????

This question comes up most often when Microsoft ISA Server is about to be deployed in your organization: should ISA be a domain member, or stay in a workgroup?
 
Well... there is no single answer to this question, as ISA can be a domain member and also works fine in workgroup scenarios. I really would like to laugh at people who tell me that putting ISA Server in a workgroup environment is more secure. It's not important to know where to put it; it's important to know why you put it there.
 
In my opinion, the ISA server should be part of the domain, because that gives you more flexibility in implementing many features that the workgroup scenario does not provide.
 
If you have ISA Server 2006 in a workgroup and you want to use smart card functionality, you may not be able to use it, because the smart card implementation does not work with RADIUS or LDAP (AD) authentication.
 
Some people think that if a domain-joined computer is compromised, there is a higher chance that the whole network is exposed. I would say that if your workgroup ISA server is compromised, then even though it is in a workgroup it is still connected to the internal network, and anyone can modify the access rules to gain access. That said, it is not an easy task to gain access to the ISA server, since it hardens the OS as well when installed on Windows 2003.
 
Also, we recommend that you run SCW (Security Configuration Wizard) on the ISA server and choose the specific template for ISA Server. It ensures that no unnecessary services are running.
 
One friend said that if someone hacks my ISA machine, then using the certificate he/she can read the encrypted content within my network. And I was like, WOW!!! I replied that in the workgroup scenario it is a requirement to have certificates installed on the ISA server, so if you have the certificate on it already, then anyone can use it for anything, including reading encrypted files 😉
 
If you don't have the ISA server in the domain, then you cannot use user certificate authentication. It may be required when you don't want users to enter their username and password and instead want them to present a passcode and a certificate. In a workgroup you cannot use client authentication certificates.
 

Security Best Practices

Domain Controller (Windows 2003)

1. Enable audit policies for logon failures, which will tell you when someone attempts a dictionary attack

2. Enable account lockout policies and password policies to defend against dictionary attacks

3. Run SCW (Security Configuration Wizard) and select the Domain Controller template
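As an added example (not from the original post), here is how steps 1 and 2 look in practice on a Windows 2003 domain controller: the lockout and password policy is applied with the built-in `net accounts` tool, and a small function shows what the failed-logon audit trail is for, namely spotting the burst of failures that a dictionary attack produces. The threshold values, the zone of the sample, the account names and the IP addresses are all assumptions or constructed sample data.

```powershell
# Added example, not part of the original post. Assumes you run it as a domain
# admin on the DC; all numeric thresholds below are assumptions, not Microsoft's.

function Set-DcLockoutPolicy {
    # Step 2: account lockout + password policy for the whole domain.
    # Assumed values: 5 bad attempts within 30 minutes lock the account for
    # 30 minutes; 12-character minimum, 60-day maximum age, 24 old passwords remembered.
    net accounts /domain /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
    net accounts /domain /minpwlen:12 /maxpwage:60 /uniquepw:24
    net accounts /domain      # print the effective policy so it can be reviewed
}

# Step 1: once "Audit logon events: Failure" is on (Group Policy > Computer
# Configuration > Windows Settings > Security Settings > Local Policies >
# Audit Policy), every failed logon is written to the Security log as event 529
# on Windows 2003 (4625 on Windows 2008 and later). Many 529s for one account
# from one source address inside a short window is the dictionary-attack signature.
function Find-DictionaryAttack {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $Threshold     = 5,    # assumed: 5 or more failures ...
        [int] $WindowMinutes = 10    # ... within 10 minutes is suspicious
    )
    $Events |
        Where-Object { @(529, 4625) -contains $_.EventId } |
        Group-Object Account, SourceIp |
        ForEach-Object {
            $hits  = @($_.Group | Sort-Object Time)
            $first = $hits[0].Time
            $last  = $hits[-1].Time
            if ($hits.Count -ge $Threshold -and ($last - $first).TotalMinutes -le $WindowMinutes) {
                New-Object PSObject -Property @{
                    Account  = $hits[0].Account
                    SourceIp = $hits[0].SourceIp
                    Failures = $hits.Count
                    From     = $first
                    To       = $last
                }
            }
        }
}

# Constructed sample events (not real log data): six failures for 'jsmith' from
# one address in under three minutes, plus two unrelated typos by 'mlee'.
$base   = Get-Date '2024-01-01 09:00:00'
$sample = @(
    0..5 | ForEach-Object {
        New-Object PSObject -Property @{ Time = $base.AddSeconds(30 * $_); EventId = 529; Account = 'jsmith'; SourceIp = '10.0.0.77' }
    }
    New-Object PSObject -Property @{ Time = $base.AddMinutes(20); EventId = 529; Account = 'mlee'; SourceIp = '10.0.0.12' }
    New-Object PSObject -Property @{ Time = $base.AddMinutes(45); EventId = 529; Account = 'mlee'; SourceIp = '10.0.0.12' }
)

# Only the jsmith / 10.0.0.77 pair is reported; mlee's two failures are 25 minutes apart.
Find-DictionaryAttack -Events $sample | Format-Table Account, SourceIp, Failures, From, To

# On a live DC, feed the function real events instead of $sample, e.g. the
# Security log filtered to instance id 529 with Get-EventLog, mapping each
# entry's TimeGenerated and ReplacementStrings to Time/Account/SourceIp.
# Uncomment to apply the policy:  Set-DcLockoutPolicy
```

The lockout window and threshold interact with the detection window: with lockout at 5 attempts, a real attacker will mostly show up as event 539 (account locked out) after the first five 529s, so the audit policy still catches the attempt even though the lockout stops it.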

 

DNS Server (Windows 2003)

1. Zone transfers should be turned off if you have only one DNS server. If you have multiple DNS servers, restrict zone transfers to those specific servers by listing their IP addresses

2. Disable recursion

3. Use root hints in place of forwarders

4. Use IPsec to limit traffic to the server to TCP port 53 and UDP port 53 only

5. Use SCW to secure the DNS server
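The five DNS steps above, as an added example (not from the original post) using the Windows 2003 command-line tools `dnscmd`, `netsh ipsec` and `scwcmd`. The zone name, the secondary server addresses and the SCW policy path are assumptions, and the script assumes a stand-alone DNS server rather than a domain controller, because the IPsec part blocks everything except DNS.

```powershell
# Added example, not part of the original post. Assumed values are marked.
$zone        = 'corp.example'            # assumed zone name
$secondaries = @('10.0.0.2', '10.0.0.3') # assumed IPs of the other DNS servers; use @() if there are none

# Step 1: zone transfers. One server: switch transfers off. Several servers:
# allow transfers only to the listed secondaries, so nobody else can pull the zone.
if ($secondaries.Count -eq 0) {
    dnscmd /ZoneResetSecondaries $zone /NoXfr
} else {
    dnscmd /ZoneResetSecondaries $zone /SecureList $secondaries   # array expands to separate arguments
}

# Step 2: disable recursion so the server answers only for zones it hosts and
# cannot be used as an open resolver or have its cache poisoned by recursive lookups.
dnscmd /Config /NoRecursion 1

# Step 3: root hints instead of forwarders. With no forwarders configured the
# server falls back to the root hints when it does resolve externally.
dnscmd /ResetForwarders

# Step 4: IPsec. Permit TCP/UDP 53 in both directions and block everything else.
# IPsec applies the most specific matching filter, so the port-53 permit filters
# win over the catch-all block. Add permit filters for your management traffic
# (e.g. RDP) before assigning, or you will lock yourself out of the box.
netsh ipsec static add policy name="DNS-Only" description="Allow DNS, block everything else"
netsh ipsec static add filteraction name="DNS-Permit" action=permit
netsh ipsec static add filteraction name="DNS-Block"  action=block

netsh ipsec static add filterlist name="DNS-Traffic"
# inbound queries to this server (mirrored=yes also matches the replies)
netsh ipsec static add filter filterlist="DNS-Traffic" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="DNS-Traffic" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=53 mirrored=yes
# this server's own lookups towards the root servers / other DNS servers
netsh ipsec static add filter filterlist="DNS-Traffic" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="DNS-Traffic" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add rule name="Allow-DNS" policy="DNS-Only" filterlist="DNS-Traffic" filteraction="DNS-Permit"

netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes
netsh ipsec static add rule name="Block-Rest" policy="DNS-Only" filterlist="All-Traffic" filteraction="DNS-Block"

netsh ipsec static set policy name="DNS-Only" assign=y

# Step 5: SCW from the command line. Build the policy once in the SCW GUI with
# the DNS Server role selected, save it, then apply the saved XML here.
$scwPolicy = 'C:\path\to\DnsServer.xml'   # placeholder: path of the policy exported from SCW
scwcmd configure /p:$scwPolicy

# Verify the result
dnscmd /Info /NoRecursion
dnscmd /ZoneInfo $zone /SecureSecondaries
netsh ipsec static show policy name="DNS-Only"
```

Steps 2 and 3 only both matter if the server still resolves for someone: with recursion fully disabled the root hints are never consulted, so on a server that must resolve for internal clients you would leave recursion on and rely on the IPsec filters and the transfer restriction instead.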

People who say Microsoft products are not secure enough... think again. MSIT is securing www.microsoft.com from attacks every day, and as per a report, out of 365 days Microsoft.com is under attack almost 245 days 🙂, and microsoft.com is the most targeted and favorite website for attackers / hackers.
 
The biggest problem is that people don't know how to configure Windows products, and they don't study the best practices or case studies before doing their own implementation. There are hundreds of documents on Microsoft.com that talk about how to secure your Windows infrastructure. Check the security guides for your products from Microsoft. Also, check your configurations against the Microsoft checklists, which describe the configuration that is a must for the specific product.
 
It's you who has to secure your servers :), Microsoft can only tell you "HOW".