Microsoft ISA Server 2006 configured in a Web Proxy Profile for Microsoft Exchange 2003 OWA Server
Procedural Reviews for ISA Services must be done annually.
A regular review of current security policies and procedures is necessary to maintain the desired security posture of application proxies and firewalls such as Microsoft Internet Security and Acceleration (ISA) Server. Policies and procedures should be measured against current Department of Defense (DoD) policy, Security Technical Implementation Guide (STIG) direction, vendor-specific guidance and recommendations, and site-specific or other security policy.
Responsibility: Information Assurance Officer. IA Control: DCAR-1
ISA-unique security requirements, such as the interface model, server role, and protected assets, must be documented.
Functional Architecture documentation must be developed and maintained for ISA servers at each location. For example, if the ISA server is performing an Exchange 2003 Proxy role vs. an Exchange 2007 Proxy role, the specifics of that implementation should be documented. The chosen network interface model with pertinent private and public addresses, as well as protected assets shielded by each ISA server must be documented in the system security plan and other relevant network schematics.
If additional content filtering, encryption (at rest or in motion), or other handling is implemented, it should also be described. Missing or inaccurate ISA server system documentation could result in other network devices being misconfigured. If traffic is allowed to bypass the ISA server, the result could be compromised applications or servers. If traffic is blocked in error, the result could be an inadvertent denial of service to applications or servers.
Responsibility: Information Assurance Officer. IA Control: DCFA-1
Configuration Management (CM) procedures must be implemented for ISA services.
Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All software libraries related to ISA services must be identified and reviewed, and responsibility for their CM assigned. CM responsibilities may appear to cross organizational boundaries; it is important, however, that the boundaries of CM responsibility be clearly defined and assigned so that no libraries or configurations are left unaddressed.
Responsibility: Information Assurance Officer. IA Control: DCPR-1
ISA Server Administrator role must be assigned or authorized by the IAO.
Separation of roles supports operational security for applications as well as for personnel. Roles accompanied by elevated privileges, such as that of the Firewall Administrator, must be carefully regulated and monitored.
All appointments to IA roles, such as DAA, IAM, and IAO must be in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The ISA Firewall Administrator Role is assigned and controlled by the IAM. The IAM role owns the responsibility to document responsibilities, privileges, training and scope for the ISA Firewall Administrator role. It is with this definition that the IAO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.
The default roles for ISA server administrators are as follows:
1 – ISA Server Enterprise Administrator – Full control of the enterprise and array configurations, and the ability to assign other roles.
2 – ISA Server Enterprise Auditor – View all configurations.
3 – ISA Server Administrator (ISA Server Array Administrator in Enterprise Edition) – ISA server tasks such as configuring rules, applying network templates, and monitoring server activity.
4 – ISA Server Array Auditor – All monitoring tasks, including log configuration and alert definitions, in addition to the basic monitoring functions.
5 – ISA Server Array Monitoring Auditor – Monitor the ISA server and network activity only; no permission to create or change monitoring configuration.
Responsibility: Information Assurance Officer. IA Control: DCSD-1
ISA services must be documented in the System Security Plan.
A System Security Plan defines the security procedures and policies applicable to the AIS. It includes a definition of responsibilities and qualifications for those responsible for administering AIS security. For ISA services, this specifically includes the ISA Firewall Administrator in addition to the standard SA and IAO roles. Without a security plan, unqualified personnel may be assigned responsibilities they are incapable of meeting, and ISA proxy security is prone to an inconsistent or incomplete implementation.
Security controls applicable to ISA services may not be documented, tracked, or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of ISA services vulnerabilities or configurations.
Responsibility: Information Assurance Officer. IA Control: DCSD-1
ISA Recovery Data must be restricted to Administrators and Backup/Recovery processes.
All automated information systems are at risk of data loss due to disaster or compromise. Failure to adequately protect backup and recovery data exposes it to theft or damage that may ultimately prevent a successful restoration, should one become necessary.
Adequate protection ensures that backup components can be used to provide transparent or easy recovery from losses or operational outages. Backup files need the same protection against unauthorized access when stored on backup media as when online and actively in use by the ISA system. This includes physical media, online copies of configuration files, and any user data that would need to be restored.
Responsibility: Information Assurance Officer. IA Control: ECLP-1
Automated tools must be available for review and reporting on ISA Services audit records.
Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. ISA 2006 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion.
Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. However, audit record collection may quickly overwhelm storage resources and an auditor’s ability to review it in a productive manner. Add to that, an audit trail that is not monitored for detection of suspicious activities provides little value. Regular or daily review of audit logs not only leads to the earliest possible notice of a compromise, but can also minimize the extent of the compromise.
Automated log monitoring strengthens the monitoring process in that noteworthy events are detected more immediately, provided those events have been defined to the automated monitoring process. Log data can be mined for specific events; upon detection, such tools can analyze and summarize them, providing a choice of alert methods, reports, trend analyses, and responses to recognized attack scenarios.
Responsibility: Information Assurance Officer. IA Control: ECRG-1
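The kind of automated review described above, run over a constructed ISA Server 2006 Web proxy log extract, as an added example that is not part of the STIG and not Microsoft's code. The extract's #Fields: line uses an assumed subset of the W3C field names the ISA Web proxy log writes; the parser takes the field names from the header, so a real extract with a different #Fields: line parses the same way. The two detections (a burst of HTTP 401 responses from one client, and repeated requests denied by a firewall rule) and their thresholds are hypothetical tuning choices, not ISA defaults, and every log line is constructed for this example.

```python
"""Automated review of ISA Server 2006 Web proxy log records (added example)."""
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed log extract. The field list is an assumed subset of the ISA 2006
# Web proxy W3C fields; the parser reads whatever #Fields: line is present.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Fields: c-ip cs-username date time r-host cs-uri sc-status rule Action
192.0.2.10 - 2009-03-02 08:00:01 owa.example.mil /exchange/ 401 OWA_Publish Allowed
192.0.2.10 - 2009-03-02 08:00:03 owa.example.mil /exchange/ 401 OWA_Publish Allowed
192.0.2.10 - 2009-03-02 08:00:04 owa.example.mil /exchange/ 401 OWA_Publish Allowed
192.0.2.10 - 2009-03-02 08:00:06 owa.example.mil /exchange/ 401 OWA_Publish Allowed
192.0.2.10 - 2009-03-02 08:00:07 owa.example.mil /exchange/ 401 OWA_Publish Allowed
192.0.2.10 - 2009-03-02 08:00:09 owa.example.mil /exchange/ 401 OWA_Publish Allowed
198.51.100.7 jdoe 2009-03-02 08:01:10 owa.example.mil /exchange/jdoe/Inbox 200 OWA_Publish Allowed
198.51.100.7 jdoe 2009-03-02 08:05:10 owa.example.mil /exchange/jdoe/Inbox 200 OWA_Publish Allowed
203.0.113.5 - 2009-03-02 08:10:00 owa.example.mil /scripts/cmd.exe 403 Default_rule Denied
203.0.113.5 - 2009-03-02 08:10:01 owa.example.mil /_vti_bin/ 403 Default_rule Denied
203.0.113.5 - 2009-03-02 08:10:02 owa.example.mil /admin/ 403 Default_rule Denied
"""


def parse_w3c(text):
    """Return one dict per record, keyed by the names in the #Fields: directive."""
    records, fields = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("log record appears before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in record: {line!r}")
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def auth_failure_bursts(records, threshold=5, window_seconds=60):
    """Flag clients that draw >= threshold HTTP 401 responses inside a sliding window.

    Records are assumed to be in time order, as the server writes them.
    threshold and window_seconds are hypothetical tuning values.
    """
    recent = defaultdict(deque)  # client IP -> timestamps of its recent 401s
    alerts, fired = [], set()
    for rec in records:
        if rec["sc-status"] != "401":
            continue
        ip = rec["c-ip"]
        window = recent[ip]
        window.append(rec["ts"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) >= threshold and ip not in fired:
            fired.add(ip)  # one alert per client; later failures still appear in the report
            alerts.append({"c-ip": ip, "first": window[0], "last": window[-1], "count": len(window)})
    return alerts


def denied_by_rule(records, threshold=3):
    """Return clients with >= threshold requests denied by a rule, with the rule and URI of each."""
    tried = defaultdict(list)
    for rec in records:
        if rec["Action"] == "Denied":
            tried[rec["c-ip"]].append((rec["rule"], rec["cs-uri"]))
    return {ip: hits for ip, hits in tried.items() if len(hits) >= threshold}


def summarize(records):
    """Report counters: total requests, responses by status code, and actions taken."""
    return {
        "requests": len(records),
        "by_status": dict(Counter(r["sc-status"] for r in records)),
        "by_action": dict(Counter(r["Action"] for r in records)),
    }


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(summarize(recs))
    for a in auth_failure_bursts(recs):
        print(f"ALERT 401 burst from {a['c-ip']}: {a['count']} failures {a['first']}..{a['last']}")
    for ip, hits in denied_by_rule(recs).items():
        print(f"ALERT {ip} denied {len(hits)} times: {[uri for _, uri in hits]}")
```

Against the sample extract the script reports one 401 burst from 192.0.2.10 (five failures in six seconds) and three rule denials from 203.0.113.5 probing paths outside the published OWA directories; the summary counters are what a daily report or trend analysis would be built from. In production the same functions would be fed the rotated daily log files rather than an inline string.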
ISA audit records must be retained for at least one year.
Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include malicious actions that may have been perpetrated, as well as legal evidence that might be needed as proof of activity. Audit data records are required to be retained for a period of one year.
Responsibility: Information Assurance Officer. IA Control: ECRR-1
Audit Logs must be included in Backups.
Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the investigation and prosecution of unauthorized access to ISA software and data. Unless audit logs are available for review, the extent of a data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data. Audit records should be backed up not less than weekly onto a different system or media than the system being audited, to ensure preservation of the audit history.
Responsibility: ISA Server Administrator. IA Control: ECTB-1
The ISA Backup and Recovery strategy must be documented and must be tested according to the INFOCON schedule.
All automated information systems are at risk of data loss due to disaster or compromise. Threat identification and risk analysis serve to define the elements of a comprehensive Disaster Recovery Plan with objectives that provide for the smooth transfer of all mission or business essential functions. Typical elements of a Disaster Recovery Plan include alternate site locations for the duration of an event, data transfer with little or no loss of operational continuity, communications and acceptance plans, and recovery back to the original locations. Not to be overlooked, plan testing must be performed periodically to ensure that the plan is viable and that system components (such as backups) are intact. INFOCON instructions contain requirements for testing frequency.
Responsibility: Information Assurance Officer. IA Control: CODP-2
Software Critical Copies for ISA Services must be backed up and available for restore action.
There is always the potential that accidental loss will cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged, or destroyed, copies of critical software media may be needed to recover the systems and return them to operation.
Copies of the OS and other critical software such as E-mail services applications must be created and stored off site in a fire rated container. If a site experiences loss or compromise of the installed software libraries, available copies can reduce the risk and shorten the time period for a successful ISA services recovery.
Responsibility: Information Assurance Officer. IA Control: COSW-1