
Jesse Varsalone and Jan Kanclirz Jr.

"Microsoft Forefront Security Administration Guide"

2 TCP/IP Configuration for Internal NIC
Configuring Microsoft Internet Security and Acceleration Server 2006 • Chapter 11 385
TIP
Collect all of the pertinent network information you can before you begin installing and configuring your ISA Server. For existing networks, collect network address, subnet mask, and default gateway information for each subnet as well as the IP addresses of existing servers providing network services such as DNS and DHCP. It is a good idea to have a diagram of the network layout as well. Bring all of this documentation with you when you go to install and configure the ISA Server.
Domain Membership
Although the debate has not been won outright by either side, it is generally considered a best practice to make the ISA Servers domain members. The ISA guru, Thomas Shinder, has written a good article covering the pros and cons of making your ISA Servers members of your domain or a workgroup (www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html), so I won't try to outdo him in a couple of paragraphs here.

I do think it is worthwhile to discuss one of the points in his article further, though. He argues that although the Active Directory Domain Admins group will be added to the local Administrators group on each ISA Server device, you should be able to trust your domain admins with permissions on these systems. However, the basic principles of least privilege and separation of duties hold that you absolutely should not give your Windows domain administrators unrestricted permissions on the firewalls unless they require it; part of the reason is given in the disclaimer I placed in the introduction:

Very good Windows system administrators with years of experience configuring permissions, performance options, and security options throughout a variety of Microsoft Windows server infrastructures do not necessarily have the detailed technical knowledge of the TCP/IP stack required to be firewall administrators.
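As an added example (not from the book), the following PowerShell function audits the local Administrators group on a domain-joined host through the WinNT ADSI provider and flags domain-wide groups such as Domain Admins, so you can verify whether a firewall host actually grants the permissions discussed above. The default host name and the list of flagged group names are assumptions.

```powershell
# Added example (not from the book): audit the local Administrators group on a
# domain-joined host and flag domain-wide admin groups such as Domain Admins.
# Uses the WinNT ADSI provider, available on Windows Server 2003 and later.
# $ComputerName and $FlaggedGroups are assumptions; adjust for your environment.
function Get-LocalAdministratorsAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$FlaggedGroups = @('Domain Admins', 'Enterprise Admins')
    )

    $adminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $members = @($adminGroup.psbase.Invoke('Members'))

    foreach ($member in $members) {
        # Each member is a COM object; read its properties via late binding.
        $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

        # ADsPath looks like WinNT://AUTHORITY/Name. The authority is the machine
        # name for local accounts and the NetBIOS domain name for domain ones.
        $authority = ($path -replace '^WinNT://', '') -split '/' | Select-Object -First 1
        $isDomain  = $authority -ne $ComputerName
        $source    = 'Local'
        if ($isDomain) { $source = "Domain ($authority)" }

        # A domain-wide admin group in the local Administrators group gives every
        # member of that group full control of the firewall host.
        $flagged = $isDomain -and ($class -eq 'Group') -and ($FlaggedGroups -contains $name)

        [PSCustomObject]@{
            Computer = $ComputerName
            Member   = $name
            Class    = $class      # User or Group
            Source   = $source
            Flagged  = $flagged
        }
    }
}

# Report, with flagged entries listed first.
Get-LocalAdministratorsAudit | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Only direct members are listed; a flagged domain group nested inside another group that is itself a member would not be reported, so check nested membership separately in Active Directory.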
