Using the Security Configuration Wizard to Harden the ISA Firewall without breaking VPN
You may have already read Using the Windows Server 2003 Security Configuration Wizard to Harden the ISA Firewall and now your VPN is broken…
I don't want to criticize Dr Shinder a lot, because isaserver.org is a great resource when you want to set up an ISA server and you are not so experienced in configuring firewalls… but this remark frankly stunned me. His article about hardening Windows 2003 on an ISA 2004 box with the Security Configuration Wizard is just full of errors.
Furthermore, Tom Shinder's response when users have problems with VPN after applying the tutorial to their production environment:
Now you know why I usually don't waste time "hardening" the ISA firewall. It really doesn't need it if you correctly configure firewall and System Policy. But there is some kind of psychological mollification that takes place when people "harden" the box, so I let them knock themselves out going to town on their system hardening.
Ouch, hardening is more than betting on one horse.
SCW is a great additional tool for hardening your ISA firewall. Any production ISA configuration can be secured further with the Security Configuration Wizard, because:
- You save resources by disabling services (and fewer Windows updates will apply to the box)
- You can define which authentication protocols Windows Server uses
- Services that are not running cannot be attacked in any way if the ISA Firewall service stops for whatever reason
Please keep in mind the following when running SCW on an ISA 2004 box with a VPN configuration:
The authentication protocol used by RRAS is MS-CHAP (v2). Because MS-CHAP (v2) by design authenticates against Active Directory using NTLMv1, you cannot disable NTLMv1 here. The only way around this is to apply hotfix KB893318. I haven't tested it, but with this hotfix you can uncheck the second checkbox as well.
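To make the constraint above checkable before you commit an SCW policy, here is a small added example (my own code, not from the post or from ISA/SCW). It assumes that the SCW authentication checkboxes end up in the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (an assumption on my part; the post only talks about the wizard's checkboxes), that only level 5 refuses NTLMv1 responses, and that KB893318 removes the dependency on NTLMv1 as the post describes. The `reg query` output it parses is constructed, not captured from a real box.

```python
import re

# Constructed sample of what `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# /v LmCompatibilityLevel` prints on a Windows Server 2003 box after an SCW policy
# that disabled NTLMv1 (level 5). Not captured from a real system.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5
"""

# Meaning of each LmCompatibilityLevel value (Microsoft's documented semantics).
LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}


def parse_lm_level(reg_output: str) -> int:
    """Extract LmCompatibilityLevel from `reg query` text; raise if it is absent."""
    m = re.search(r"LmCompatibilityLevel\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    if not m:
        raise ValueError("LmCompatibilityLevel not present in reg query output")
    level = int(m.group(1), 16)
    if level not in LEVELS:
        raise ValueError(f"unexpected LmCompatibilityLevel {level}")
    return level


def ntlmv1_accepted(level: int) -> bool:
    """Only level 5 refuses NTLM (v1) responses; 0-4 still accept them."""
    return level < 5


def vpn_auth_ok(level: int, uses_mschapv2: bool = True,
                kb893318_installed: bool = False) -> bool:
    """Will RRAS VPN logons keep working with this LmCompatibilityLevel?

    Rule taken from the post: MS-CHAPv2 validates against AD with NTLMv1, so
    refusing NTLMv1 breaks VPN unless hotfix KB893318 is installed (assumed
    here to remove that dependency, as the post says; untested by its author).
    """
    if not uses_mschapv2:
        return True
    if kb893318_installed:
        return True
    return ntlmv1_accepted(level)


def report(reg_output: str, kb893318_installed: bool = False) -> str:
    """Human-readable verdict for an SCW policy about to be applied."""
    level = parse_lm_level(reg_output)
    verdict = "OK" if vpn_auth_ok(level, kb893318_installed=kb893318_installed) else "BREAKS VPN"
    return f"LmCompatibilityLevel={level} ({LEVELS[level]}): {verdict}"


if __name__ == "__main__":
    print(report(SAMPLE_REG_OUTPUT))
    print(report(SAMPLE_REG_OUTPUT, kb893318_installed=True))
```

Run it against the real output of `reg query` on the ISA box before and after applying the SCW policy; a verdict of BREAKS VPN means the second checkbox has to stay checked (or the hotfix has to go on first).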
I am sorry for the Dutch screenshots and the poor quality… But I hope you have a working VPN configuration after you have played with SCW.