As always, patches should be tested in a lab before
being placed into production, but patching and updating must be done in a timely
manner for these perimeter devices. This point cannot be stressed enough.
Configuring Microsoft Internet Security and Acceleration Server 2006 • Chapter 11 387
The second point is equally important, but a bit more complex. Primarily, the ISA
Server system should be running the most basic installation of the Windows operating
system possible. All unnecessary system software should be unchecked during installation.
For most software there is going to be an associated service or set of services created
in Windows, and these need to be disabled. If the software is not installed in the first
place it means less work because the services that come with the installed programs
will not have to be disabled. It also means there is less software that will require a
hotfix later. The only piece of software that really needs to be installed on this system
is ISA Server, and if ISA Server relies on another piece of software to function it will
let you know when you install it. So during the installation of the operating system
(OS) use this rule: when in doubt, leave it out.
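The service cleanup described above can be checked with a short audit; this is an added example, not code from the book. The baseline list (including `ISA-SERVICE-PLACEHOLDER`) and the sample inventory are constructed assumptions, and the real baseline should come from a lab build of the server.

```powershell
# Added example: list services that can still start but are not on the
# approved baseline. Baseline names are constructed placeholders.
param(
    [switch]$Live,
    [string[]]$Baseline = @('EventLog', 'RpcSs', 'PlugPlay', 'ISA-SERVICE-PLACEHOLDER')
)

function Get-UnexpectedService {
    param(
        [Parameter(Mandatory = $true)][object[]]$Services,
        [Parameter(Mandatory = $true)][string[]]$Baseline
    )
    foreach ($svc in ($Services | Sort-Object Name)) {
        # A disabled service cannot be started, so it needs no further work.
        if ($svc.StartMode -eq 'Disabled') { continue }
        # Services on the baseline are expected to remain enabled.
        if ($Baseline -contains $svc.Name) { continue }
        [pscustomobject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            # Suggested remediation, reported only; nothing is changed here.
            Suggest   = "Set-Service -Name '$($svc.Name)' -StartupType Disabled"
        }
    }
}

if ($Live) {
    # Query the local machine's real service inventory.
    $services = Get-CimInstance -ClassName Win32_Service
} else {
    # Constructed sample inventory so the script runs offline.
    $services = @(
        [pscustomobject]@{ Name = 'EventLog';  StartMode = 'Auto';     State = 'Running' }
        [pscustomobject]@{ Name = 'Spooler';   StartMode = 'Auto';     State = 'Running' }
        [pscustomobject]@{ Name = 'Browser';   StartMode = 'Manual';   State = 'Stopped' }
        [pscustomobject]@{ Name = 'Messenger'; StartMode = 'Disabled'; State = 'Stopped' }
        [pscustomobject]@{ Name = 'ISA-SERVICE-PLACEHOLDER'; StartMode = 'Auto'; State = 'Running' }
    )
}

Get-UnexpectedService -Services $services -Baseline $Baseline | Format-Table -AutoSize
```

Manual-start services are reported as well as automatic ones, because a stopped service that is not disabled can still be started later.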
NOTE
The National Institute of Standards and Technology (NIST) has developed secure
configuration checklists for most versions of Windows and secure deployment
guidelines for most network services. It is worth checking out these resources
at checklists.