1030 Part V • ISA Server NOTE We recommend that you disable the IIS services on the ISA server. When properly config- ured, the ISA Server Firewall and Web Proxy services confer a high level of security against external network attacks. Adding services to the ISA server creates portals of attack that Internet criminals can use to compromise the ISA server and the internal net- work. Well-known exploits can be aimed against any of the IIS services and potentially disable security provided by the ISA Server software or create a denial-of-service (DoS) condition. The IIS Web Publishing Service is especially problematic in this regard. Although we will spend quite a bit of time discussing methods you can use to publish services on the ISA server itself, never do so unless budgetary constraints prevent you from purchasing a dedicated ISA Server computer. You obtain a level of security based on how much money you can spend. How do you know if socket pooling is enabled on the ISA server? You can you the netstat –na command to list all the active listening ports. Note that just because a port is lis- tening doesn’t mean that anyone can connect to it. If you enabled packet filtering on the ISA server, none of the listeners on the external interface are available unless you explicitly create a publishing rule or packet filter allowing access to the socket (a socket is a combination of a TCP or UDP port number and an IP address). Figure 27.1 shows the results of a netstat –na before disabling socket pooling. Notice in the Local Address column the entries for IP address 0.0.0.0.Those entries indicate that the associated port is listening on all IP addresses.A large number of services are listening on all IP addresses. We need to disable socket pooling to prevent the server from listening on TCP ports 21 (FTP), 25 (SMTP), 80 (HTTP), and 119 (NNTP) for all interfaces. Note that TCP 42 (WINS) and UDP 53 (DNS Query) are also listening on all interfaces. The TCP 42 entry indicates that a WINS server is installed on this ISA server (something that we should disable before bringing the server into production), and UDP 53 indicates that a DNS server is installed on this machine.There aren’t any contraindications to running a DNS server on the ISA server, but you should configure the DNS service to listen on the internal interface only. You can change the DNS service’s listening address in the server’s Properties dialog box in the DNS console. www.syngress.com Figure 27.1 Results of netstat –na Before Disabling Socket Pooling 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1030 Advanced Server Publishing with ISA Server • Chapter 27 1031 Disabling Web and FTP Service Socket Pooling W3SVC and FTP service socket pooling is disabled using the same method.The only difference is the service name you enter in the command line. Perform the following steps to disable FTP and/or Web service socket pooling: 1. Open a command prompt and navigate to the \Inetpub\Adminscripts\ folder. 2. Type net stop msftpsvc and press Enter.Type net stop w3svc and press Enter. 3. Type in the following command: cscript adsutil.vbs set msftpsvc/ disablesocketpooling true (to disable FTP service socket pooling) or cscript adsutil.vbs set w3svc/disablesocketpooling true (to disable W3SVC service socket pooling), and then press Enter. 4. You should see what appears in Figure 27.2. 5. Restart the W3SVC by running net start w3svc at the command prompt. Restart the FTP service by running net start MSFTPSVC at the command prompt. If you run a netstat –na again after disabling Web and FTP socket pooling, you’ll see that they are still listening on all IP addresses.The reason for this is that the default setting for the built-in FTP and Web sites is to listen on all addresses. Keep in mind that a service can still listen on all IP addresses even if socket pooling is disabled.The difference is that after you disable socket pooling, you then have the option to configure the service to listen on only one IP address.You’ll see the services listen only on the address you configure in the IIS console after you go into the IIS console and configure the sites to listen on the internal interface’s address. Figure 27.3 shows what you see after disabling socket pooling for FTP and WWW services, and what happens after configuring the services to use a specific IP address on the internal inter- face. Notice that immediately after disabling socket pooling, the FTP and Web services continue to listen on 0.0.0.0.You then see that both the FTP and Web services listen on 10.0.0.1 after configuring them to do so in the Internet Information Services console. www.syngress.com Figure 27.2 Disabling Socket Pooling Figure 27.3 Running netstat –na After Disabling Socket Pooling 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1031 1032 Part V • ISA Server Disabling SMTP and NNTP Service Socket Pooling You have to use a technique other than the one just discussed to disable socket pooling for the SMTP and NNTP services—why is unclear. In fact, no one seems to have any idea! We won’t let this lack of understanding prevent us from disabling socket pooling for these services. The first thing you need to do is get the mdutil.exe utility.You might be able to find it somewhere on the Microsoft Web site, but you’ll always be able to download it at ftp:// ftp.tacteam.net/isaserver/mdutil.exe. Perform the following steps after downloading the mdutil.exe utility: 1. Put the Mdutil.exe executable in the \Inetpub\Adminscripts folder. 2. Open a command prompt window, change the focus to \Inetpub\Adminscripts, and run the following commands (Figure 27.4): ■ mdutil set -path smtpsvc/1 -value 1 -dtype 1 -prop 1029 -attrib 1 (for the SMTP service) ■ mdutil set -path nntpsvc/1 -value 1 -dtype 1 -prop 1029 -attrib 1 (for the NNTP service) 3. You will need to run these commands multiple times if you have more than one SMTP or NNTP virtual server.The difference is that you increment the value in nntpsvc/1 and smtpsvc/1 to the next higher value. If you have two SMTP and NNTP virtual servers, the second time you run the commands you would include nntpsvc/2 and smtpsvc/2. 4. Go to the Internet Information Services console, right-click on the Default SMTP Virtual Server, and click Properties. Change the listening address to the internal interface of the ISA server. Do the same for the NNTP service so that it listens only on the internal IP address. Disabling IIS Services on the ISA Server Disabling socket pooling handles the port contention problem, but the real solution is to disable IIS services on the ISA server. We can’t emphasize strongly enough how important it is to avoid www.syngress.com Figure 27.4 Disabling SMTP and NNTP Socket Pooling 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1032 Advanced Server Publishing with ISA Server • Chapter 27 1033 running IIS services on the ISA server. In addition to increasing your security risks by running the IIS services, one of the most common reasons why publishing rules fail is that the ISA Server administrator has failed to disable socket pooling or the IIS services entirely. Even after almost two years and several hundreds of ISA Server installations, we continue to forget to disable IIS services on the ISA server. It’s only after the publishing rules fail that we realize our error! At one time, we recommended that you uninstall IIS from the ISA Server computer. While this fixes the IIS services problems, it introduces another.There have been several reliable reports of problems installing and uninstalling ISA Server after uninstalling IIS.The only way to install or uninstall ISA Server is to reinstall IIS.There is no compelling reason to uninstall IIS; all you need to do is disable the IIS services. Perform the following steps to disable the IIS services: 1. Open the Services console from the Administrative Tools menu. 2. Double-click on the FTP Publishing Service in the right pane of the Services console. 3. In the FTP Publishing Services Properties (Local Computer) dialog box, change the Startup type to Manual.You’ll still be able to start the service without having to restart the server. If you set the Startup type to Disabled, you will have to change the Startup type to Automatic or Manual and then restart the server to start up the service. 4. Click Stop to stop the service. Click Apply, and then click OK. 5. Repeat these steps with the NNTP, SMTP, and WWW publishing services. You do not need to restart the ISA server for these changes to take effect. Server Publishing Server publishing rules allow you to publish almost any type of server protocol. As noted earlier, server publishing rules essentially perform a reverse NAT that allows the ISA server to accept packets on a certain IP address and port number and forward them to the same port number to an IP address on the internal network. While server publishing rules do not allow the ISA server to examine the data portion of the communication on their own, “smart” application filters can be applied to protect communications forwarded by server publishing rules. In this section, look at how to publish the following services: ■ Terminal Services ■ Terminal Services Advanced Client (TSAC) Sites ■ FTP Servers ■ HTTP and HTTPS Servers ■ VNC Servers ■ pcAnywhere Servers www.syngress.com 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1033 1034 Part V • ISA Server Publishing Terminal Services on the Internal Network Publishing a Terminal server on the internal network is relatively straightforward.All you need is a protocol definition with Primary Connection set for Inbound TCP 3389, and a server pub- lishing rule that uses this protocol definition.The only thing that can interfere with Terminal Server publishing rules is port contention.The best way to eliminate the Terminal Services port contention is to disable Terminal Services on the ISA server. However, most of us want to run Terminal Services on the ISA server to ease server administration, so we’ll go over how to run Terminal Services on the ISA server and publish an internal network Terminal server at the same time later in this chapter. Let’s begin with how to publish Terminal Services on an internal network server when Terminal Services is not running on the ISA server. Perform the following steps to publish a Terminal server: 1. Open the ISA Management console. Expand your server name and then expand the Policy Elements node. 2. Right-click on the Protocol Definitions node, point to New, and click Definition. 3. On the Welcome to the New Protocol Definition Wizard page, type RDP Server for the Protocol Definition name and click Next. 4. On the Primary Connection Information page, type 3389 for the Port number and change the Direction to Inbound. Click Next. 5. The Remote Desktop Protocol (RDP) does not use secondary connections, so select No and click Next. 6. Click Finish on the Complete the New Protocol Definition Wizard page. 7. Expand the Publishing node in the left pane of the ISA Management console. Right-click on Server Publishing Rules, point to New, and click Rule. 8. On the Welcome to the New Server Publishing Rule Wizard page, type Terminal Server 1 in the Server publishing rule name text box and click Next. 9. On the Address Mapping page, enter the IP address of the Terminal Server on the internal network in the IP address of internal server text box. Click Browse and select the IP address on the external interface of the ISA server you want to listen for Terminal Services requests. Click Next. 10. On the Protocol Settings page, select the RDP Server protocol definition. Note that protocol definitions with a primary connection as inbound are shown here. No protocol definitions with a primary connection as outbound will show up here. Click Next. 11. On the Client Type page, decide whether you want to allow all external hosts to con- nect to the Terminal server, or if you want to limit access to hosts contained in a client address set.You should limit the number of hosts that can connect to the Terminal server via the RDP server publishing rule. Note that you must enable packet filtering in order to apply a client address set to control what computers can access the server publishing rule. Packet filtering is enabled by default, but you might need to double check to www.syngress.com 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1034 Advanced Server Publishing with ISA Server • Chapter 27 1035 ensure that it’s still enabled. Select the Client address sets specified below option and click Next (Figure 27.5). 12. On the Add Client Sets page, click Add. Select the client address set you created for Terminal Services clients and click Add.The client address set will appear in the Include these sets frame. Click OK (Figure 27.6). 13. Click Next on the Client Sets page. 14. Click Finish on the Complete the New Server Publishing Rule Wizard page. Now go to a machine configured as an external network client and connect to the Terminal server by using the external IP address on the ISA server used by the RDP publishing rule.After establishing the connection, check the name of the server you connected to by right-clicking on the My Computer icon and then clicking the Properties command. Click the Network Identification tab. If you see the name of the ISA server instead of the internal network server, you forgot to disable Terminal Services on the ISA server! Disable Terminal Services on the ISA server, restart the computer, and try again. Publishing Terminal Services on an Alternate Port You have to be careful about publishing Terminal Services. If intruders are able to connect to a Terminal server, they’ll have a powerful launch point for subsequent attacks.You’ve already seen how you can limit access to a few selected Terminal Services clients on the Internet by applying a client address set to the RDP server publishing rule. Using client address sets is a good start, but there’s more that you can do to secure your Terminal Services publishing rule. Since TCP port 3389 is a well-known port, and Terminal Services is an attractive service to attack, you might want to impede Internet criminals by changing the port number used by Terminal Services.You can change the listening port number to any unused port number on the www.syngress.com Figure 27.5 Selecting the Client Address Sets Option on the Client Type Page Figure 27.6 Selecting the Client Address Set 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1035 1036 Part V • ISA Server ISA server’s external interface, and then publish the Terminal Server on that alternate port. In order to do so, you’ll have to make a Registry change at the Terminal Server and then change the port number that the Terminal Services client uses to call the Terminal Server. If you use the new Remote Desktop Client software to connect to a Terminal Server, you don’t need to make any changes on the client side. All you need to do is include the port number in the address you’re calling. For example, if you want to call a published Terminal Server at 1.1.1.1 and that Terminal Server is listening on TCP port 58927, just enter the address 1.1.1.1:58927 on the Remote Desktop Client and it will make the connection. It’s not quite this easy with the original Windows 2000 or Windows NT 4.0 Terminal Services client software. NOTE You can obtain the Remote Desktop Client software for various operating systems at the following URLs: ■ Windows www.microsoft.com/windowsxp/pro/downloads/rdclinetdl.asp ■ Macintosh www.microsoft.com/mac/download/misc/rdc.asp ■ Linux and UNIX www.rdesktop.org Perform the following steps to change the listening port for the Windows NT 4.0 Terminal Services Edition Terminal Server and the Windows 2000 Terminal Server.These steps should be performed on the Terminal Server you’re publishing on the internal network. However, you can also change the listening port for the Terminal Server on the ISA server using the same procedure: 1. Click Start and then click Run.Type regedt32 in the Open text box and click OK. 2. Navigate to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\ WinStations\RDP-Tcp 3. Find the PortNumber value in the right pane and double-click it. 4. In the DWORD Editor dialog box, select the Decimal option. Change the port number to something else. In this example, we’ll change it to 64646. Click OK. 5. Restart the Terminal Server computer. Perform the following steps to create the new RDP server protocol definition: 1. Open the ISA Management console. Expand your server name and then expand the Policy Elements node. 2. Right-click on the Protocol Definitions node, point to New, and click Definition. 3. On the Welcome to the New Protocol Definition Wizard page, type RDP Server 64646 for the Protocol Definition name and click Next. 4. On the Primary Connection Information page, type 64646 for the Port number and change the Direction to Inbound. Click Next. 5. RDP does not use secondary connections, so select No and click Next. www.syngress.com 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1036 Advanced Server Publishing with ISA Server • Chapter 27 1037 6. Click Finish on the Complete the New Protocol Definition Wizard page. Perform the following steps to create the server publishing rule to publish the Terminal Server on the alternate port: 1. Expand the Publishing node in the left pane of the ISA Management console. Right-click on Server Publishing Rules, point to New, and click Rule. 2. On the Welcome to the New Server Publishing Rule Wizard page, type Terminal Server 2 in the Server publishing rule name text box and click Next. 3. On the Address Mapping page, type in the IP address of the Terminal Server on the internal network in the IP address of internal server text box. Click Browse and select the IP address on the external interface of the ISA server that you want it to listen on for Terminal Services requests. Click Next. 4. On the Protocol Settings page, select the RDP Server 64646 protocol definition. Click Next. 5. On the Client Type page, select the appropriate client type. In this example, we’ll select Any request, but you should use a client address set in your production environment. 6. Click Finish on the Complete the New Server Publishing Rule Wizard page. The last step is to configure the Terminal Services client to use the alternate port number: 1. Click Start | Programs. Point to Terminal Services Client and click Client Connection Manager. 2. In the Client Connection Manager, click File | New Connection. Go through the steps in the wizard to create a connection object for your published Terminal Server. Remember to use the IP address or FQDN that resolves to the external IP address on the ISA server that’s publishing the Terminal Server. 3. Click on the icon for the connection in the Client Connection Manager window, and then click File | Export. Give the connection a name and save it on your desktop. 4. Right-click the Terminal Services client connection object on the desktop and click the Open With command. Select Notepad from the list of applications. If you are using a Win9x client, you’ll have to open Notepad and open the connection object within Notepad. 5. In Notepad, find the Server Port= entry and change it to the port number you’re using to publish your Terminal Server. Save the file and close Notepad. 6. Drag the icon on the desktop onto the Client Connection Manager window.A Client Connection Manager dialog box will appear and ask if you want to replace the connection object with the new one. Click Ye s .A Client Connection Manager dialog box appears and asks if you want to replace the connection settings for all duplicates. Click No. 7. Double-click on the connection object in the Client Connection Manager window. Log on and confirm that you’re connected to the correct server. Go to the ISA Server com- www.syngress.com 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1037 1038 Part V • ISA Server puter and run netstat –na.You’ll see an active connection to the alternate RDP server port used in the new server publishing rule. Publishing Terminal Services on the ISA Server Publishing services on the ISA server is always problematic.Your goal should be to run as few services as possible on the ISA Server computer. However, running Terminal Services on the ISA server is acceptable because you can create secure connections to the Terminal Server, and Terminal Services provides the best way to remotely manage an ISA server. We consider Terminal Services as secure as an SSL Web-based remote management solution. You almost always have two options when publishing services on the ISA server itself.The easiest method is to create a packet filter so that external network clients can connect directly to the services via the external interface.The other way is to use a server publishing rule.The latter option can be used if you can configure the service to listen only on an IP address or set of addresses on the internal interface. NOTE Although you can always “publish” services that are on the ISA server itself by creating packet filters, the packet filter approach prevents you from using server publishing rules to publish services on the internal network using the same socket. Remember that a socket is the combination of an IP address, a protocol (TCP or UDP), and a port number. For example, if you create a packet filter to publish the Terminal server on the ISA server on 1.1.1.1 TCP port 3389, you will not be able to use 1.1.1.1 TCP port 3389 to publish a Terminal server on the internal network. The Windows Terminal Server listens on all interfaces by default.This is similar to how the IIS socket-pooling feature works. Like the IIS socket pooling feature, you can configure it so that Terminal Services does not listen on all interfaces. Although you can choose what interface Terminal Services listens on, you cannot choose a specific IP address on the interface. If there are multiple IP addresses bound to the interface,Terminal Services will listen on all of them.This is an important consideration when you bind multiple addresses to the internal or external interface of the ISA server. Publishing Terminal Services on the ISA Server Using Packet Filters Let’s look at how to publish Terminal Services using simple ISA Server packet filters: 1. Click Start | Programs Administrative Tools | Terminal Services Configuration. 2. In the Terminal Services Configuration console, click on the Connections node in the left pane of the console. In the right pane of the console, Double-click on the RDP-Tcp entry. www.syngress.com 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1038 Advanced Server Publishing with ISA Server • Chapter 27 1039 3. Click on the Network Adapter tab. Click the Down arrow in the Network adapter drop-down list box. Notice that the default is All network adapters configured with this protocol.You can also choose a specific adapter.The adapters are listed by the adapter manufacturer’s name rather than the name you give to the interface in the Network and Dial-up Connections window. When publishing the Terminal Server on the ISA server using packet filters, you can allow the Terminal Server to listen on all interfaces. By doing it this way, you won’t have to loop back through the external inter- face to access the Terminal Server from an internal network client. However, if you plan to publish the Terminal Server by using server publishing rules, you’ll need to configure Terminal Services to listen only on the internal interface (Figure 27.7). 4. Open the ISA Management console. Expand your server name, and then expand the Access Policy node. 5. Right-click on the IP Packet Filters node, point to New | Filter. 6. On the Welcome to the New IP Packet Filter Wizard page, type RDP (in) in the IP packet filter name text box and click Next. 7. On the Filter Mode page, select the Allow packet transmission option and click Next. 8. On the Filter Type page, select the Custom option and click Next. 9. On the Filter Settings page, choose TCP for the IP protocol. Choose Inbound for the Direction. Choose Fixed port for the Local port and make the Port number value 3389. For the Remote port, select All ports (Figure 27.8). Click Next. www.syngress.com Figure 27.7 Configuring Terminal Services to Listen on the Internal Interface Figure 27.8 Configuring the RDP Packet Filter 252_BDFW_ch27.qxd 9/19/03 1:03 PM Page 1039 [...]... want to reset the communication between the FTP server and the ISA server if you find you’re having problems You don’t need to restart the FTP server to reset the Firewall client connection.Try this: 1 Stop the Firewall service 2 Restart the Firewall service 3 Stop the FTP service on the FTP server 4 Restart the FTP service on the FTP server Confirm that the FTP server is communicating with the ISA server... Configuring Authentication Requirements for the Web Publishing Rule 11 In the Rule Action dialog box, select the Redirect the request to this internal Web server (name or IP address) option.Then, type in the name of the server on the internal network In this example, we will use the same name the user on the external network uses to access the server.This allows the same name to appear in the Web Proxy... expand your server or array name, and then expand the Extensions node in the left pane of the console 2 Click on the Application Filters node in the left pane of the console 3 In the right pane of the console, right-click the Ftp Access Filter entry and click Disable Choose the option to restart the Firewall Service and click OK It might take a few moments for the Firewall service to restart.That’s not... 252_BDFW_ch27.qxd 9/ 19/ 03 1:03 PM Page 1042 1042 Part V • ISA Server Do the following to publish a TSAC site: 1 Install the TSAC software on the Web server 2 Publish the TSAC Web server 3 Publish the Terminal Server(s) 4 Connect to the TSAC Web site and then connect to the Terminal Server Installing the TSAC Software on the Web Server Perform the following steps to install the TSAC Web software on a server on the. .. interface of the ISA server you used in the TSAC Web server publishing rule.You can also enter the public IP address If the external IP address you used in the server publishing rule is the same IP address used by the Incoming Web Requests listener for the Web publishing rule used to access the TSAC Web site, users can type in the same FQDN they used to access the Web site in the Server text box Select the. .. listener that will accept requests for the TSAC Web site.This is not the name of the server on the internal network In the Path text box, enter /tsweb* .The Web Proxy service uses this path to redirect the request to the appropriate Web server on the internal network .The wildcard at the end of the path indicates that requests for the tsweb folder and all subfolders of the tsweb folder will be accessible... publish the servers on the internal network I Publish the Terminal Server on the ISA server using server publishing rules or packet filters, and then access the other Terminal Servers on the internal network by running the Terminal Services client inside the Terminal Services session on the ISA server Any of these techniques will work If you have a single IP address bound to the external interface of the. .. to the Web Proxy service as HTTP requests, and are then forwarded to the published server as FTP requests The Web Proxy service receives the information from the FTP server and returns the data via HTTP to the requesting host The Incoming Web Requests listener accepts basic, integrated, and digest authentication.You can also require SSL for the connection between the client and the ISA server When the. .. redirect the request to tsac.internal.net.This is the same name the external users use to access the server and in this example it resolves to 192 .168.1.33 on the external interface of the ISA server When the ISA server redirects the request, it will resolve tsac.internal.net to 10.0.0.2 because we put an entry in the HOSTS file on the ISA server to map tsac.internal.net to the internal IP address for the. .. Change the FTP Site’s Listening Port The next step is to change the port number the FTP site listens on 1 On the FTP server, open the Internet Information Services console from the Administrative Tools menu 2 Expand your server name and right-click on Default FTP Site Click the Properties command 3 On the FTP Site tab (Figure 27. 19) , type the alternate port number you want to use for the site in the TCP . Configuring the RDP Packet Filter 252_BDFW_ch27.qxd 9/ 19/ 03 1:03 PM Page 10 39 1040 Part V • ISA Server 10. On the Local Computer page, select the option that best fits your situation .The Default. publish the servers on the internal network. ■ Publish the Terminal Server on the ISA server using server publishing rules or packet filters, and then access the other Terminal Servers on the internal. administrative purposes, you can publish the Terminal Server on the ISA server with the default port number (TCP 33 89) and then use alternate port numbers for the other servers on the internal network. No matter