Internet Security and Acceleration Server
Version: 1.6
Last Saved: 2008-11-12
File Name: MS_ISA2006_ADD_1.6.docx
Abstract
This document is the Guidance Documentation Addendum of ISA Server 2006 Standard Edition
and Enterprise Edition.
Keywords
CC, ISA, Common Criteria, Firewall, Guidance Documentation Addendum
Guidance Documentation Addendum Page 2/44
Table of Contents
Page
1 INTRODUCTION TO THE GUIDANCE ADDENDUM ....................................................... 6
1.1 Scope ......................................................................................................................... 6
1.2 Security Functions and Associated Chapters ............................................................. 7
1.3 Warnings about Functions and Privileges ................................................................... 7
1.4 Installation of the Evaluated ISA Server 2006 Standard Edition ................................. 8
1.4.1 Installation Requirements ....................................................................................... 8
1.4.2 Installation Procedures ........................................................................................... 9
1.5 Installation of the Evaluated ISA Server 2006 Enterprise Edition .............................. 11
1.5.1 Installation Requirements ..................................................................................... 11
1.5.2 Installation Procedures ......................................................................................... 12
2 SECURITY FUNCTIONS ................................................................................................ 16
2.1 SF1 - Web Identification and Authentication ............................................................. 16
2.2 SF2 - Information Flow Control ................................................................................. 18
2.3 SF3 - Audit ............................................................................................................... 19
2.4 Administration-Related Interfaces............................................................................. 19
2.5 TOE User Interfaces................................................................................................. 20
3 OPERATING ENVIRONMENT ........................................................................................ 21
3.1 Assumptions ............................................................................................................ 21
3.2 Organizational Security Policies ............................................................................... 22
3.3 Secure Usage Assumptions - IT Security Requirements for the IT Environment ...... 22
3.4 Security Objectives for the Environment ................................................................... 23
3.5 Requirements for the Operational Environment ........................................................ 23
4 SECURITY-RELEVANT EVENTS ................................................................................... 25
5 TOE INTEGRITY ............................................................................................................. 26
5.1 Integrity of the CD-ROM Content.............................................................................. 26
5.2 Integrity of the Package............................................................................................ 28
5.3 Version Number for the TOE .................................................................................... 29
6 ANNOTATIONS .............................................................................................................. 31
6.1 Authentication methods ............................................................................................ 31
6.1.1 Single Sign On...................................................................................................... 31
6.1.2 Authentication Process ......................................................................................... 32
6.1.3 Client Authentication Methods for Receipt of Client Credentials ............................ 33
6.1.4 Methods for Validation of Client Credentials ......................................................... 34
6.1.5 Authentication Delegation ..................................................................................... 35
6.2 Lockdown Mode ....................................................................................................... 36
6.2.1 Affected functionality............................................................................................. 37
6.2.2 Leaving lockdown mode ....................................................................................... 37
7 FLAW REMEDIATION GUIDANCE ................................................................................ 38
7.1 How to report detected security flaws to Microsoft .................................................... 38
7.2 How to get informed about Security Flaws and Flaw Remediation ........................... 39
1.1 Scope
This document extends the ISA Server 2006 manual [MSISA] and provides the information required for the ISA Server 2006 Common Criteria evaluation.
The evaluated Guidance Documentation ([MSISA] and this document) is valid for ISA Server 2006 Standard Edition and ISA Server 2006 Enterprise Edition. The software version is 5.0.5720.100 for both evaluated configurations.
1 "ISA Server 2006" references both configurations, "ISA Server 2006 Standard Edition" and "ISA Server 2006 Enterprise Edition".
After installation, apply the registry settings shown in Figure 1.1. These settings enforce 128-bit encryption for Forms-based authentication. Without these registry keys, a 56-bit SSL connection might be established for Forms-based authentication (for example, when a client that does not support 128-bit encryption is used). This means that even when the HTTPS listener enforces 128-bit encryption for the data transfer, the user credentials would be sent over a weakly encrypted connection.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
Please also check Section 3.5 “Requirements for the Operational Environment”.
[Figure: User name and product key (picture not shown completely); Installation options]
After installation, apply the registry settings shown in Figure 1.2. These settings enforce 128-bit encryption for Forms-based authentication. Without these registry keys, a 56-bit SSL connection might be established for Forms-based authentication (for example, when a client that does not support 128-bit encryption is used). This means that even when the HTTPS listener enforces 128-bit encryption for the data transfer, the user credentials would be sent over a weakly encrypted connection.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
2 Security Functions
This chapter identifies all the security functions available to the administrator. The security
functions are derived from the ISA Server 2006 security functions described in the ISA Server
2006 Security Target (ST).
For administration, ISA Server 2006 includes graphical taskpads and wizards. These simplify
navigation and configuration for common tasks. These features are embedded in the Microsoft
Management Console and do not belong to the TOE. They are provided by the environment.
The underlying operating system is the certified Windows Server 2003, Standard Edition
(English) SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027
(KB896422), and update KB907865. (The same installation has been used for Windows
Server 2003 Common Criteria EAL 4+ evaluation; Validation Report Number CCEVS-VR-05-
0131, [WINST] and [WINVR], and referenced as Windows Server 2003 in this document.)
Warnings
The administrator must ensure that ISA Server 2006 is installed and used with
Windows Server 2003. More details can be found in the Security Target of ISA Server
2006 Standard Edition/Enterprise Edition [ST].
The administrator has to observe the Security Bulletins, to ensure that all possible
countermeasures are used.
The administrator should check http://www.microsoft.com/security/ regularly for the
latest ISA Server 2006 service packs and hotfixes.
The administrator should only use programs that are required to administer and
operate the firewall. The administrator should not install additional software which may
compromise the security of the TOE or the underlying operating system.
in the local user database or a remote authentication server using Remote Authentication Dial-
In User Service (RADIUS).
Important
When trying to connect to a Web site via HTTP (not HTTPS) that is published using ISA Server 2006, you receive an error message (see Figure 2.1) when all of the following conditions are true:
• The Web listener has any one of the following authentication methods enabled:
o Basic authentication
o Radius authentication
o Forms-Based authentication
• The Web listener is configured to listen for HTTP traffic.
• The "Require all users to authenticate" check box is selected for the Web listener, or the Web publishing rules apply to a user set other than the default All Users user set.
• You connect to the published Web site by using HTTP instead of HTTPS.
Figure 2.1 – Error messages
If the ISA Server Web listener has Basic authentication enabled, you receive the following error
message:
Error Code: 403 Forbidden.
The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server
administrator. (12211)
If the ISA Server Web listener has RADIUS authentication or Microsoft Outlook Web Access
Forms-Based authentication (Cookie-auth) enabled, you receive the following error message:
Error Code: 500 Internal Server Error.
An internal error occurred. (1359)
When you use HTTP-to-HTTP bridging, ISA Server 2006 does not enable traffic on the external HTTP port if the Web listener is configured to request one or more of the following kinds of credentials:
• Basic authentication
• Radius authentication
• Forms-based authentication
This behavior occurs because these kinds of credentials should be encrypted. These credentials should not be sent in plaintext over HTTP.
ISA Server 2006 prevents you from entering credentials in plaintext. When you try to do this, you receive an error message (see footnote 2).
2 For ISA Server 2004 versions that are earlier than ISA Server 2004 SP2, you are prompted to enter credentials in plaintext. This behavior may cause the credentials to be transmitted over the network in plaintext if you have not implemented some other form of network security, such as an external Secure Sockets Layer (SSL) accelerator or an encrypted tunnel. ISA Server 2006 does not provide these forms of security.
Warnings
When using Forms-based authentication, depending on the application on the computer, which could "cache" the password, the user must ensure that the environment is locked when it is unattended.
To secure transferred user identification and authentication credentials, ensure that strong SSL encryption (at least 128 bit) is enforced.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Add the DWORD value DisableIPSourceRouting and set the value to 2. This value disables IP source routing processing. By default, this key does not exist.
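The registry settings required by this addendum (Enabled = 0 for the four SCHANNEL cipher keys of Figures 1.1 and 1.2, and DisableIPSourceRouting = 2 under Tcpip\Parameters) are easy to apply once and then lose to a later change. The following script is an added example, not part of the addendum or of ISA Server itself: it audits those five values and, when run with -Apply, sets them. It assumes an elevated session on the ISA Server computer and PowerShell 3.0 or later; the cmdlet names and output format are the example's own.

```powershell
# Added example, not part of the ISA Server 2006 guidance addendum. Audits the registry
# settings the addendum requires (Enabled = 0 for the four SCHANNEL cipher keys of
# Figures 1.1/1.2, and DisableIPSourceRouting = 2 under Tcpip\Parameters) and, with
# -Apply, sets them. Run in an elevated PowerShell; the settings take effect after a restart.
param([switch]$Apply)

$cipherRoot  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$tcpipParams = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Required DWORD values, exactly as listed in the addendum.
$required = @(
    foreach ($cipher in 'DES 56/56', 'RC2 40/128', 'RC4 40/128', 'RC4 56/128') {
        [pscustomobject]@{ SubKey = "$cipherRoot\$cipher"; Name = 'Enabled'; Expected = 0 }
    }
    [pscustomobject]@{ SubKey = $tcpipParams; Name = 'DisableIPSourceRouting'; Expected = 2 }
)

# The cipher key names contain "/", which the HKLM: drive provider treats as a path
# separator (New-Item would create nested keys "RC4 40" and "128"), so the .NET
# registry API is used directly instead of New-Item / Set-ItemProperty.
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-CurrentDword {
    param([string]$SubKey, [string]$Name)
    $key = $hklm.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }          # key absent: setting has not been applied
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Set-RequiredDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = $hklm.CreateSubKey($SubKey)            # creates the key if missing, opens it writable
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

$nonCompliant = 0
foreach ($r in $required) {
    $current = Get-CurrentDword -SubKey $r.SubKey -Name $r.Name
    $ok = ($null -ne $current) -and ([int]$current -eq $r.Expected)
    if ($ok) {
        $status = 'OK'
    } elseif ($Apply) {
        Set-RequiredDword -SubKey $r.SubKey -Name $r.Name -Value $r.Expected
        $status = 'FIXED'
    } else {
        $nonCompliant++
        $status = 'NON-COMPLIANT'
    }
    if ($null -eq $current) { $currentText = '<missing>' } else { $currentText = $current }
    [pscustomobject]@{
        Key      = "HKLM\$($r.SubKey)"
        Name     = $r.Name
        Expected = $r.Expected
        Current  = $currentText
        Status   = $status
    }
}

# A non-zero exit code lets a scheduled compliance check flag a server that has drifted.
if ($nonCompliant -gt 0) { exit 1 }
```

Run it without -Apply first to see which values are missing or wrong; a missing key counts as non-compliant because SCHANNEL treats an absent cipher key as enabled. SCHANNEL and TCP/IP read these values at startup, so a restart is needed before a re-run of the audit reflects the enforced state on the wire.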
Warning
Ensure that there is always enough free disk space. Choosing the right resource and the right parameters for logging is mandatory. Creating logs that are too large or creating too many files can lead to problems. It is, however, possible to create an alert that moves or deletes old or unneeded log files.
3 Operating Environment
The security environment of the evaluated configurations of ISA Server 2006 is described in
the ISA Server 2006 Standard Edition/Enterprise Edition Security Target [ST] and identifies the
threats to be countered by ISA Server 2006, the organizational security policies, and the usage
assumptions as they relate to ISA Server 2006. The administrator should ensure that the
environment meets the organizational policies and assumptions. They are restated here from
the Security Target.
To use the TOE in the evaluated configuration, the underlying environment must be the
certified Windows Server 2003 operating system (see chapter 3.5).
3.1 Assumptions
Table 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended
usage.
Table 3.1 – Assumptions for the IT environment and intended usage
# | Assumption name | Description
1 | A.DIRECT | The TOE is available to authorized administrators only. Personnel who have physical access to the TOE and can log in to the operating system are assumed to act as authorized TOE administrators.
2 | A.GENPUR | The TOE stores and executes security-relevant applications only. It stores only data required for its secure operation. Nevertheless, the underlying operating system may provide additional applications required for administrating the TOE or the operating system.
3 | A.NOEVIL | Authorized administrators are non-hostile and follow all administrator guidance.
4 | A.ENV | The environment implements the following functionality: local identification and authentication of user credentials used for web publishing (see A.WEBI&A for Radius identification and authentication; in case of a successful authentication the TOE analyses the returned value and allows or denies the access to network resources depending on that value), reliable time stamp (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, reliable ADAM implementation (for EE configuration only), Network Load Balancing (for EE configuration only, disabled by default).
5 | A.PHYSEC | The TOE is physically secure. Only authorized personnel have physical access to the system which hosts the TOE.
6 | A.SECINST | Required certificates and user identities are installed using a confidential path.
7 | A.SINGEN | Information cannot flow among the internal and external networks unless it passes through the TOE.
8 | A.WEBI&A | User credentials are verified by a Radius Server. The Radius Server returns a value indicating whether a valid account exists. Web Identification & Authentication with a Radius Server requires that the Radius server is placed on the internal network, so that data (user credentials and return values) transferred to and from the Radius Server is secured by the TOE from external entities.
9 | A.SSL | All web publishing rules which support Form-based authentication have to be configured by the administrator so that strong encryption for SSL is enforced (at least 128-bit encryption).
describing how to complete a specific task to "bug" articles documenting known issues with
Microsoft products.
When you scan your computer for available updates, through the Windows Update Web site,
the Windows Update Web site displays a number along with the title of the update, for
example, "Update for Windows Media Player 9 Series (KB837272)." This KB number is
included in the security bulletin to help identify the corresponding KB article in the Microsoft
Knowledge Base.
Because the computer on which ISA Server 2006 is running is often the primary interface to the External network, we recommend securing this computer. The Security Best Practices document [MSISAHARD]3, "ISA Server 2004 Security Hardening Guide," available on the ISA Server Web site, details how to secure the ISA Server 2004 Enterprise Edition computer; it is applicable to ISA Server 2006 (SE and EE) and is updated periodically with new information.
Additional information can be found on
http://www.microsoft.com/technet/isa/2006/security_guide.mspx
Warning
The administrator should check http://www.microsoft.com/security/ regularly for the latest
Windows Server 2003 hotfixes.
3 Available online: http://go.microsoft.com/fwlink/?LinkID=24507
4 Security-Relevant Events
This chapter describes all types of security-relevant events and what administrator action (if any) to take to maintain security. Security-relevant events that may occur during operation of ISA Server 2006 must be adequately defined to allow administrator intervention to maintain secure operation. Security-relevant events are defined as events that signify a security-related change in the system or environment. These changes can be grouped as routine or abnormal. The routine events are already addressed in chapter 2, Security Functions.
Audit log file overflow. If the ISA Server computer runs out of disk space, the administrator has to configure the maximum number of log files.
See [MSISA]: Monitoring > Monitoring: How To > Configure Logging > Configure logging to an MSDE database.
5 TOE Integrity
This chapter describes how the administrator can verify that the evaluated version of the TOE
is used.
4 Installation instructions and download link on the following Web page: http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex)
and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
2. Download the "Integrity Check ISA 2006" and "CC Guidance Documentation Addendum" to the directory where FCIV has been extracted.
3. Open a command prompt and change to the directory where FCIV has been extracted.
4. Check the integrity of "Integrity Check ISA 2006" using
fciv "Integrity Check ISA 2006.zip" -sha1
and verify that the result is
<compare the output of the SHA-1 checksum and verified filename with the value listed on the ISA Server common criteria web page>
5. Check the integrity of the CC Guidance Addendum using
fciv "CC Guidance Documentation Addendum for ISA 2006.pdf" -sha1
and verify that the result is
<compare the output of the SHA-1 checksum and verified filename with the value listed on the ISA Server common criteria web page>
6. Follow the CC Guidance Addendum for further installation and configuration of the TOE.
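Steps 4 and 5 leave the comparison of the FCIV output against the published value to the reader's eye, which is where transposed digits slip through. The script below is an added example, not part of the addendum: it computes the same SHA-1 digest with the .NET hashing classes (so it also works on PowerShell versions that lack Get-FileHash), compares it with an expected value, and refuses the file on a mismatch. The two file names are those the addendum uses; the expected digests are placeholders that must be replaced with the values listed on the ISA Server common criteria web page, and the function names are the example's own.

```powershell
# Added example, not part of the ISA Server 2006 guidance addendum: the SHA-1 check of
# steps 4 and 5, done with .NET instead of FCIV. File names are from the addendum; the
# expected hashes are placeholders to be taken from the ISA Server common criteria web page.
$expected = @{
    'Integrity Check ISA 2006.zip'                        = '<sha1 listed on the ISA Server CC web page>'
    'CC Guidance Documentation Addendum for ISA 2006.pdf' = '<sha1 listed on the ISA Server CC web page>'
}

function Get-Sha1Hex {
    param([string]$Path)
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)    # streamed, so large downloads are not read into memory
    try {
        $bytes = $sha1.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha1.Clear()
    }
    # FCIV prints the digest as lowercase hex without separators; produce the same format.
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-DownloadIntegrity {
    param([string]$Directory, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Actual = $null; Status = 'MISSING' }
            continue
        }
        $actual = Get-Sha1Hex -Path $path
        $want   = $Expected[$name].Trim().ToLowerInvariant()
        if ($actual -ceq $want) { $status = 'OK' } else { $status = 'MISMATCH: do not use this file' }
        [pscustomobject]@{ File = $name; Actual = $actual; Status = $status }
    }
}

# Run from the directory where FCIV was extracted and the files were downloaded (step 3).
$results = Test-DownloadIntegrity -Directory (Get-Location).Path -Expected $expected
$results | Format-Table -AutoSize
# Fail the script if any file is missing or its digest does not match the published value.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

The expected values are typed into the script (or pasted from the common criteria web page) rather than read from a file that travelled with the download, because a digest that arrives alongside the file it vouches for proves nothing about that file's origin.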
6 Annotations
• Delegation of authentication to Web servers that are behind the TOE, such as servers
running SharePoint Portal Server 2003.
Note
The first two components are configured on the Web listener that receives client requests.
The third is configured on the publishing rule. This means that you can use the same listener
for different rules, and have different types of delegation.
The authentication process for forms-based authentication is demonstrated in the following
figure. Note that this is a simplified description of the process, presented to describe the
primary steps involved.
Step 1, receipt of client credentials: The client sends a request to connect to the corporate
Outlook Web Access server in the Internal network. The client provides the credentials in an
HTML form (Frontend authentication).
Steps 2 and 3, sending credentials: The TOE sends the credentials to the authentication
provider, such as a domain controller for Integrated Windows authentication, or a RADIUS
server, and receives acknowledgment from the authentication provider that the user is
authenticated (Gateway authentication).
Step 4, authentication delegation: The TOE forwards the client's request to the Outlook Web
Access server, and authenticates itself to the Outlook Web Access server using the client's
credentials. The Outlook Web Access server will revalidate those credentials, typically using
the same authentication provider (Backend authentication).
Note
The Web server must be configured to use the authentication scheme that matches the
delegation method used by the TOE.
Step 5, server response: The Outlook Web Access server sends a response to the client,
which is intercepted by the TOE.
Step 6, forwarding the response: The TOE forwards the response to the client.
Note
• If you do not limit access to authenticated users, as in the case when a rule allowing access
is applied to all users, the TOE will not validate the user's credentials. The TOE will use the
user's credentials to authenticate to the Web server according to the configured delegation
method.
• We recommend that you apply each publishing rule to all authenticated users or a specific
user set, rather than selecting Require all users to authenticate on the Web listener, which
requires any user connecting through the listener to authenticate.
• Forms-based authentication
6.1.3.1 No Authentication
You can select to require no authentication. If you do so, you will not be able to configure a
delegation method on rules that use this Web listener.
6.1.3.2 Forms-Based Authentication
Forms-based authentication in ISA Server 2006 can be used for publishing any Web server.
One type of forms-based authentication is available in the TOE (Passcode form and
Passcode/Password form have not been evaluated):
• Password form. The user enters a user name and password on the form. This is the type of
credentials needed for Integrated and RADIUS credential validation.
Notes
• The HTML forms for forms-based authentication can be fully customized.
• When the TOE is configured to require authentication, because a publishing rule applies to a
specific user set or All Authenticated Users, or a Web listener is configured to Require all
users to authenticate, the TOE validates the credentials before forwarding the request.
• By default, the language setting of the client's browser determines the language of the form
that the TOE provides. The TOE provides forms in 26 languages. The TOE can also be
configured to serve forms in a specific language regardless of the browser's language.
• When you configure a time-out for forms-based authentication, we recommend that the time-
out be shorter than that imposed by the published server. If the published server times out
before the TOE, the user may mistakenly think that the session ended. This could allow
attackers to use the session, which remains open until actively closed by the user or timed
out by the TOE as configured on the form setting.
• You should ensure that your Web application is designed to resist session riding attacks
(also known as cross-site-posting, cross-site-request-forgery, or luring attacks) before
publishing it using the TOE. This is particularly important for Web servers published through
the TOE, because clients must use the same trust level for all of the Web sites they access
through the publishing ISA Server firewall.
5 The MSRC's PGP key is available at http://www.microsoft.com/technet/security/MSRC.asc
7.2 How to get informed about Security Flaws and Flaw Remediation
A security update issued by the MSRC is always accompanied by a bulletin. The bulletin contains the information that Microsoft makes available to customers so that they can decide whether to install the fix and on which systems. Every bulletin comes with a rating that reflects its criticality (four levels). A KB article is also provided, but it is mostly a pointer to the bulletin.
The public page with Microsoft bulletins is located at
http://www.microsoft.com/security/bulletins/default.mspx
The original finder of the problem is kept informed throughout the process, if he chooses. MSRC manages the communication with the reporter throughout the process.
Security updates typically can be installed on the current service pack and the previous one. However, this is only a general rule. If the previous service pack is more than two years old, the patch may be limited to the current service pack only. Conversely, if several service packs have been released in short order, the patch may install on additional ones. The security patch will be included automatically in the next service pack. Service packs and patches are generally available for the previously released service pack. The security bulletin will always provide specific information on the service pack requirements for the patch.
All security bulletins for Microsoft products are available at http://www.microsoft.com/technet/security/current.aspx, and newly released bulletins are highlighted on the http://www.microsoft.com/security, http://www.microsoft.com/technet/security, and http://www.microsoft.com/isaserver Web sites.
In addition, Microsoft offers a free service through which customers can receive a technical or non-technical bulletin synopsis by e-mail. Customers can sign up for the mailer at https://www.microsoft.com/technet/security/bulletin/notify.mspx. Microsoft digitally signs the technical synopsis, and the PGP key located at http://www.microsoft.com/technet/security/MSRC.asc can be used to validate the signature.
Microsoft security bulletins always discuss the risk the vulnerability poses, the software it affects, and the steps customers can take to eliminate it, including, in the case of patches, the specific locations for obtaining them. In addition, security bulletins frequently include a public thank-you to the finder, subject to the qualification criteria discussed at http://www.microsoft.com/technet/security/bulletin/policy.mspx.
Microsoft strongly encourages customers to sign up for the security bulletins.
The steps for staying informed of security flaws and installing the remedies are:
1. Signing up for security bulletins (registering to receive bulletins by e-mail)
2. Checking for security bulletins (if not registered)
3. Deciding whether to download and install a remedy
4. Downloading the fix and authenticating it
5. Installing the fix/remedy (follow the bulletin description, see above)
8.1 References
General Common Criteria Documents
[CC] Common Criteria for Information Technology Security Evaluation, version 2.3, revision August 2005. Part 1: Introduction and general model, CCMB-2005-08-001; Part 2: Security functional requirements, CCMB-2005-08-002; Part 3: Security assurance requirements, CCMB-2005-08-003
ISA Server 2006 Administrator Guidance and Publicly Available Evaluation Developer Documents
[MSISA] Microsoft Internet Security and Acceleration Server 2006 Help, Microsoft Corp., Version 2006 Standard Edition / Enterprise Edition. This help file is installed during ISA Server 2006 setup (isa.chm, stored on CD-ROM).
[MSISAHARD] Security Hardening Guide - Microsoft Internet Security and Acceleration Server 2004, Microsoft Corp., Version 2006, downloadable from http://go.microsoft.com/fwlink/?LinkID=24507
[ST] ISA Server 2006 SE/EE Common Criteria Evaluation - Security Target, Version 1.1, 2007-06-05, Microsoft Corp.
[WINST] Microsoft Windows Server 2003 or Windows XP Security Target, Version 1.0, 28.09.2005, Microsoft Corporation
[WINVR] National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme, Validation Report: Microsoft Windows Server 2003 and Windows XP Workstation, Report Number CCEVS-VR-05-0131, dated November 6, 2005, Version 1.1
8.2 Acronyms
CC Common Criteria
EAL Evaluation Assurance Level
FCIV File Checksum Integrity Verifier
PP Protection Profile
SF Security Function
SFP Security Function Policy
SSL Secure Sockets Layer
ST Security Target
TOE Target of Evaluation
8.3 Glossary
application filters Application filters can access the data stream or datagrams associated
with a session within the Microsoft Firewall service and work with some or
all application-level protocols.
authentication Authentication is "A positive identification, with a degree of certainty
sufficient for permitting certain rights or privileges to the person or thing
positively identified." In simpler terms, it is "The act of verifying the claimed
identity of an individual, station or originator" [Schou, Corey (1996).
Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State
University & Information Systems Security Organization)].
Basic authentication Basic authentication is the standard authentication method for Hypertext
Transfer Protocol (HTTP). Although user information is encoded, no
encryption is used with Basic authentication.
feature pack A feature pack contains new product functionality that is distributed
outside the context of a product release, and usually is included in the
next full product release.
Firewall service log A firewall service log contains entries with connection establishments and
terminations.
identification Identification, according to a current compilation of information security
terms, is "the process that enables recognition of a user described to an
automated data processing system. This is generally by the use of unique
machine-readable names" (Schou, Corey (1996). Handbook of INFOSEC
Terms, Version 2.0. CD-ROM (Idaho State University & Information
Systems Security Organization)).
ISA Server In this document, ISA Server refers to Microsoft Internet Security and
Acceleration Server 2006, except where it explicitly states otherwise.