Using the Security Configuration Wizard to Harden the ISA Firewall without breaking VPN
You may have already read Using the Windows Server 2003 Security Configuration Wizard to Harden the ISA Firewall and now your VPN is broken…
I don’t want to criticize Dr. Shinder a lot, because isaserver.org is a great resource when you want to set up an ISA server and you are not so experienced in configuring firewalls... but this remark frankly stunned me. His article about hardening Windows 2003 on an ISA 2004 box with the Security Configuration Wizard is just full of errors.
Furthermore, Tom Shinder’s response when users have problems with VPN after applying the tutorial to their production environment:
LOL!
Now you know why I usually don’t waste time “hardening” the ISA firewall. It really doesn’t need it if you correctly configure the firewall and System Policy. But there is some kind of psychological mollification that takes place when people “harden” the box, so I let them knock themselves out going to town on their system hardening.
Ouch, hardening is more than betting on one horse.
SCW is a great tool in addition to hardening your ISA. Any production ISA configuration can be made more secure with the Security Configuration Wizard, because:
- You save resources by disabling services (and you reduce the number of Windows updates that actually apply to the box)
- You can define which authentication protocols Windows Server uses
- Services that should not be running on the server become attackable if the ISA services stop for any reason
Please keep in mind the following things when running SCW on ISA 2004 with a VPN configuration:
- Make sure that the “Remote access/VPN server” role is selected.
- If you authenticate users against Active Directory, I advise you to enable the DNS client, the DNS registration client and the Microsoft network client.
- If you are using L2TP, please enable the IPSEC Services service! (SCW does NOT enable it by default.)

When you are configuring authentication, please take the following into consideration:
- Please select both options if you value the security of your server.
- Although VPN will, for some reason, authenticate users against the domain without this setting, it is safe to set it.
- Please select “clocks are synchronized”, because this improves the Kerberos configuration a bit.

In this screenshot I’ve disabled the use of LM hashes (which is a very good thing). Furthermore, I’ve set NTLMv2 as the default, and NTLMv1 as the fallback if NTLMv2 cannot be used.
The authentication protocol used by RRAS is MS-CHAP v2. Because MS-CHAP v2 by design authenticates against Active Directory with NTLMv1, you cannot disable NTLMv1 here. The only way to do so is by applying the following hotfix: KB893318. I haven’t tested it, but with this hotfix you can uncheck the second checkbox as well.
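After SCW has been applied, the service and LM/NTLM choices above can be verified on the box itself. The following PowerShell script is an added example, not part of the original article and not something SCW or ISA ships; it assumes the Windows Server 2003 service short names listed in its comments (RemoteAccess, Dnscache, Dhcp, LanmanWorkstation, PolicyAgent, W32Time), that the LM/NTLM choices SCW writes end up in the LSA registry values NoLMHash and LmCompatibilityLevel, and a PowerShell host that has Get-CimInstance (Get-WmiObject is a drop-in on older hosts).

```powershell
# Added example (not from the original article): sanity check for the
# services and LM/NTLM settings a VPN-enabled ISA 2004 box needs after SCW.
# Assumed service short names: RemoteAccess = Routing and Remote Access,
# Dnscache = DNS Client, Dhcp = DHCP Client (does the DNS registration),
# LanmanWorkstation = Microsoft network client, PolicyAgent = IPSEC Services,
# W32Time = Windows Time (clock sync for Kerberos).
param(
    [switch]$UsingL2tp   # the article says IPSEC Services is only needed for L2TP
)

$required = @{
    'RemoteAccess'      = 'Routing and Remote Access (the VPN server itself)'
    'Dnscache'          = 'DNS Client (needed to locate domain controllers)'
    'Dhcp'              = 'DHCP Client (performs dynamic DNS registration)'
    'LanmanWorkstation' = 'Workstation / Microsoft network client'
    'W32Time'           = 'Windows Time (keeps clocks synchronized for Kerberos)'
}
if ($UsingL2tp) { $required['PolicyAgent'] = 'IPSEC Services (required for L2TP/IPsec)' }

$problems = @()
foreach ($name in $required.Keys) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) on every PowerShell version
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        $problems += "$name ($($required[$name])) is not installed"
    } elseif ($svc.StartMode -eq 'Disabled') {
        $problems += "$name ($($required[$name])) is Disabled; SCW probably switched it off"
    } elseif ($svc.State -ne 'Running') {
        $problems += "$name ($($required[$name])) is $($svc.State) (start mode $($svc.StartMode))"
    }
}

# LM/NTLM behaviour lives under the LSA key. NoLMHash=1 stops storing LM hashes
# of newly set passwords. LmCompatibilityLevel: 0-2 still send LM/NTLMv1,
# 3 sends NTLMv2 only, 4 additionally refuses LM, 5 refuses LM and NTLMv1.
# The article's "LM off, NTLMv2 default, NTLMv1 fallback" corresponds to level 4;
# level 5 is what breaks MS-CHAP v2 unless the hotfix KB893318 is installed.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1) {
    $problems += 'NoLMHash is not 1: LM hashes of new passwords are still stored'
}
$level = [int]$lsa.LmCompatibilityLevel   # unset value reads as 0
if ($level -lt 4) {
    $problems += "LmCompatibilityLevel is $level: LM responses are still accepted locally"
} elseif ($level -eq 5) {
    $problems += 'LmCompatibilityLevel is 5: NTLMv1 refused, MS-CHAP v2 logons fail without KB893318'
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: VPN services and LM/NTLM settings match the configuration described above.'
} else {
    $problems | ForEach-Object { Write-Output "CHECK: $_" }
}
```

Run it as `.\Check-IsaVpnHardening.ps1` (add `-UsingL2tp` for L2TP/IPsec) from an elevated prompt. Note that LmCompatibilityLevel on the ISA box only governs what that machine sends and accepts for its own accounts; for domain logons through RRAS the level configured on the domain controllers decides whether the NTLMv1 fallback MS-CHAP v2 relies on is still accepted, so check both.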
I am sorry for the Dutch screenshots and the poor quality... but I hope you have a working VPN configuration after you have played with SCW.
Comments (2 comments)
Thanks for this article; it helped me solve some problems I had after running SCW, but it kind of forced me to learn a bit of Dutch. Thanks to Yahoo translate I was able to figure out (somewhat) the language; for others, here are the results:
Voor: for
Groepsbeleidbeheer: group policy management
Beheer van extern bureaublad: Management of external office booklet
Lokale installatie van toepassing: Local installation of application
Noodvoeding: need feeding ????
Toepassingsinstallatie via Groepsbeleid: application installation by means of group policy
Mike / August 2nd, 2009, 5:27 pm
This is a beautiful theme.
Jack / September 26th, 2011, 7:20 am