I am working on securing the entire network for one of my clients. I ran into this article on TechNet that targets the specific area of extranet and how you can best secure it. The article is full of valuable information for securing your extranet environment and is called Plan security hardening for extranet environments.
Part of the article discusses this extranet hardening tool that’s offered by Microsoft. It’s called Extranet hardening planning tool: back-to-back perimeter (http://go.microsoft.com/fwlink/?LinkId=85533&clcid=0x409).
The tool will help you figure out which ports are required for your ISA Server, routers and firewalls. This tool is a Microsoft Office Visio file that you can edit to customize for your own environment. For example, here are some things that you can do with this tool:
If you are trying to get the external NIC on your ISA Server to obtain an IP address from a DHCP server and can’t, check out KB article 841141 from Microsoft. This solution applies to both ISA Server 2004 and ISA Server 2006.
The external network adapter on your ISA Server 2006 or ISA Server 2004 computer cannot obtain an IP address from a DHCP server
When you try to configure the external network adapter on your Microsoft Internet Security and Acceleration (ISA) Server 2006 computer or on your ISA Server 2004 computer to obtain its Internet Protocol (IP) address from a Dynamic Host Configuration Protocol (DHCP) server, the external network adapter does not receive a valid IP address.
This behavior occurs because the default ISA Server system policy does not permit DHCP replies from external DHCP servers to the ISA Server computer.
To resolve this behavior, follow these steps:
1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the console tree, click Firewall Policy.
3. In the right pane, click the Tasks tab, and then click Show System Policy Rules.
4. Click Allow DHCP replies from DHCP servers to ISA Server.
5. In the details pane, click Edit System Policy.
6. Click the From tab.
7. Click Add.
8. If you know the IP address of the external DHCP server, follow these steps:
   a. In the New list, click Computer.
   b. In the New Computer Rule Element dialog box, type a name for the DHCP computer rule element in the Name box, type the IP address of the DHCP server in the Computer IP Address box, and then click OK.
   c. Expand Computers, click the DHCP computer rule element that you just created, click Add, and then click Close.
   To add the external network instead of the specific DHCP server, expand Networks, click External, click Add, and then click Close.
   Note Microsoft recommends that you add the specific DHCP server instead of the external network to make the ISA Server computer less susceptible to external attacks.
9. Click OK, and then click Apply to save the changes and update the configuration.
Note This procedure is for renewals only. If you do not have an IP address, you may want to allow DHCP traffic from any network until an address is leased. If you do not already have a lease, the “specific DHCP server” setting in step 8 will not work because Windows will be forced into DHCP Discover mode. This mode is strictly for broadcast traffic.
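The difference between the two From choices in step 8 can be seen by modelling the rule over DHCP reply packets. This is an added example, not code from the KB article or from Microsoft: it parses a DHCP reply and applies a source allow list the way the From tab restricts the rule. The addresses and packets are constructed samples, and treating the External network as "any address" is an assumption made for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"              # marks the start of DHCP options
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values a server sends

def build_reply(msg_type, server_ip):
    """Build a minimal BOOTREPLY payload (constructed sample, not a capture)."""
    server = ipaddress.IPv4Address(server_ip).packed
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD,
                        0, 0, bytes(4), bytes(4), server, bytes(4),
                        bytes(16), bytes(64), bytes(128))
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4]) + server + b"\xff"

def parse_reply(payload):
    """Return (message type, server identifier) or None if not a DHCP reply."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None
    msg_type = server_id = None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                              # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                              # truncated option body
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:
            server_id = str(ipaddress.IPv4Address(value))
        i += 2 + length
    if msg_type not in REPLY_TYPES:
        return None
    return REPLY_TYPES[msg_type], server_id

def rule_allows(src_ip, payload, allowed_from):
    """Model of the From tab: admit a DHCP reply only from listed sources."""
    if parse_reply(payload) is None:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(entry) for entry in allowed_from)

SPECIFIC_SERVER = ["203.0.113.10/32"]   # steps 8a-8c: one Computer rule element
EXTERNAL_NETWORK = ["0.0.0.0/0"]        # assumption: External = any address
known = ("203.0.113.10", build_reply(5, "203.0.113.10"))
other = ("203.0.113.66", build_reply(2, "203.0.113.66"))
```

With `SPECIFIC_SERVER`, `rule_allows(*other, ...)` is False while the known server's ACK is admitted; with `EXTERNAL_NETWORK` both replies are admitted, which is the wider exposure the recommendation in step 8 avoids.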
If you haven’t used ISA Server 2006 Capacity Planner, you might want to check it out. It’s an online tool that lets you plan secure publishing, branch office gateway, and Web access protection. The tool recommends how many CPUs, how much disk space and how much memory will be suitable for you, based on the questions that you answer. While you can argue that the tool is not really an exact science, it is a great place to start if you are trying to figure out what kind of hardware you will need to configure an ISA Server in your environment.
You can check out ISA Server Capacity Planner here.
The Data Encryption Toolkit for Mobile PCs describes how to effectively use both EFS and BitLocker to help address your organization’s requirements to protect data on mobile PCs. The Toolkit also provides you with software tools and scripts to help you centrally configure, deploy, and manage encryption settings on all your mobile PCs.
The Data Encryption Toolkit for Mobile PCs includes the following four components:
Executive Overview. This document provides a broad survey from a business and regulatory perspective of how mobile data is at risk and how the Data Encryption Toolkit for Mobile PCs can help. It also provides information about how you can use the guidance and tools in this Solution Accelerator as well as tools you may already have licensed to mitigate these risks.
Security Analysis. This guide provides an in-depth review of how EFS and BitLocker can help you address the unique risks associated with data on mobile PCs.
Planning and Implementation Guide. This guide describes how to plan for, configure, deploy, and operate EFS and BitLocker in your organization.
Microsoft Encrypting File System Assistant. The EFS Assistant is a software tool you can use to centrally control EFS settings on all your PCs (the EFS Assistant also works with desktop PCs). The EFS Assistant can help you encrypt the sensitive files on your users’ laptops, regardless of where those files are located. In addition, the EFS Assistant operates transparently to end users, eliminating training issues or other impacts. Note that you can obtain the EFS Assistant in one of two ways. The Microsoft version of the tool is available on this page. A community version of the tool is available for download from CodePlex, Microsoft’s shared source development site at www.codeplex.com/EFSAssistant.
You can download the toolkit here.
Copyright © 2013 Zubair Alexander. All rights reserved.