-------------------------------------------------------------------
SearchWin2000.com's Security Tip
-------------------------------------------------------------------
TODAY'S SECURITY TIP: A bevy of ISA tips
====================================================================

"A bevy of ISA tips"
By Roberta Bragg

Thinking about deploying Microsoft's Internet Security and Acceleration (ISA) Server 2000? Check out solutions to common ISA problems from security consultant, columnist and author Roberta Bragg. Bragg fielded over 60 security questions from Windows IT pros in a live expert Q&A on July 25. Here are some of her answers to many of your pressing ISA security questions.

--------------------------------------------------------------------

Q: To fully utilize client software, does the ISA Server need to be a member of the domain?

A: If you are going to require authenticated access, any and many of the reasons for loading the client are to use applications that may require this. Consequently, to really take advantage, there needs to be some domain membership of ISA used as proxy.
On the other hand, I'd make my 'firewall' a standalone server and make sure domain used ports are not open to external network.

Q: Should DNS be on the ISA Server or on a different internal server?

A: While it is not impossible to run DNS service on ISA server, I would not recommend it. I'd put DNS for internal network on a separate internal server.

Q: When using VPN on ISA with L2TP, is there an alternative to using certificates to provide authentication? Does it handle IKE packets?

A: The wizards are going to set up with certs. Microsoft has a knowledge base article that says how to set up RRAS VPNs without certs at http://support.microsoft.com/support/kb/articles/Q176/9/24.ASP?LN=EN-US&SD=gn&FR=0&qry=RRAS%20VPN&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=ISAS. I haven't tried to do this with ISA. It's theoretically possible. If you mean by handling IKE that you can put a tunnel endpoint behind ISA and it will pass L2TP over IPSec, no. If you mean, is IKE used to negotiate keys? Then the answer is yes.

Q: When using VPN through ISA, my Win2k and NT4 users are unable to browse the internal network. Mapping is successful but users are required to authenticate to these resources. Is there a way to have a single point of authentication for my end users? Win9x users are authenticated when the tunnel is created.

A: Have you checked http://support.microsoft.com/support/kb/articles/q150/8/00.asp for general remote network browsing issues? You say "unable to browse" then mention authentication problems. The article above should help with browsing. Are you saying Win98 clients are not challenged when they attempt to access some resource? Have you included the ISA as RRAS server in Win2k? Then consider adding additional DNS suffixes in client configurations.

To read even more ISA Server questions and answers from Roberta Bragg, click here: http://searchwindowsmanageability.techtarget.com/originalContent/0,289142,sid33_gci759990,00.html.
Bragg's original expert Webcast can be heard and seen at: http://www.italkservices.com/iTalkSlides/CustomerDocs/tcht01/viewLogin.asp?prov=15161&pres=1&U=6a1a37ba-8055-11d5-a8dc-00d0b79d93bf&SA=1
