
Jesse Varsalone and Jan Kanclirz Jr.

"Microsoft Forefront Security Administration Guide"

You could easily implement this separation by
creating an ISA Firewall Admins group in Active Directory, placing the appropriate users
in the group, and giving the ISA Firewall Admins group administrative rights on the ISA
firewalls. Then remove the Domain Admins group from the local Administrators group
on the devices running ISA Server. Be aware that this may impact your particular setup in
unforeseen ways, and as with any configuration changes, you should test this in a lab before
deploying it in production.
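The following PowerShell script is an added example, not taken from the book: it reports the members of the local Administrators group on an ISA Server machine and, with -Apply, adds the ISA Firewall Admins group before removing Domain Admins, so the machine is never left without an administrative group. It assumes PowerShell is installed, the local group carries its English name, and EXAMPLE is a placeholder for your NetBIOS domain name.

```powershell
# Added example: run locally on each ISA Server machine from an elevated prompt.
# 'EXAMPLE' is a placeholder domain; the group name is the one proposed in the text.
param(
    [string]$Domain   = 'EXAMPLE',
    [string]$NewGroup = 'ISA Firewall Admins',
    [switch]$Apply    # without -Apply the script only reports
)

# Local Administrators group via the ADSI WinNT provider (English group name assumed).
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

function Get-LocalAdminPaths {
    # Returns the ADsPath of each member, e.g. WinNT://EXAMPLE/Domain Admins
    @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$newPath = "WinNT://$Domain/$NewGroup"
$oldPath = "WinNT://$Domain/Domain Admins"

$before = @(Get-LocalAdminPaths)
'Current members of local Administrators:'
$before | ForEach-Object { "  $_" }

if (-not $Apply) {
    'Report only; re-run with -Apply to make changes.'
    return
}

# Step 1: grant the dedicated group administrative rights first.
if ($before -notcontains $newPath) {
    $admins.psbase.Invoke('Add', "$newPath,group")
}

# Step 2: re-read membership and refuse to continue if step 1 did not take effect.
$after = @(Get-LocalAdminPaths)
if ($after -notcontains $newPath) {
    throw "$NewGroup is not in local Administrators; Domain Admins left in place."
}

# Step 3: only now remove Domain Admins.
if ($after -contains $oldPath) {
    $admins.psbase.Invoke('Remove', "$oldPath,group")
}

'Final members of local Administrators:'
Get-LocalAdminPaths | ForEach-Object { "  $_" }
```

Run it without -Apply in the lab first and keep the "before" listing so the change can be reversed.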
System Hardening
Any device at the perimeter of your network should be locked down as much as
possible. Even the ones inside the perimeter should be locked down, but for your
firewall you need to take special care to harden the system. Since ISA Server runs on
top of a Windows operating system, the following main ideas should be kept in mind:
1. Use the most secure version of Windows available.
2. Disable all unnecessary services.
3. Apply additional system hardening parameters.
The first point means you should probably not be running ISA Server on older
versions of Windows Server. Even though Windows Server 2000 is not exceedingly
old, numerous security enhancements were made to Server 2003, and default installations
of Windows Server 2003 will be somewhat less susceptible to attack than default
installations of Windows 2000 Server. In addition to simply using a newer version
of Windows Server, the first point means that you must be religious about applying
security patches to your firewalls.

