DHCP Not Working After Applying ISA 2004 SP2?

I’ve come across reports of 7 seperate servers where after installing ISA 2004 SP2, the DHCP server does not work as expected. Reports are that the DHCP receive/request rules are in place but not functioning. The current resolution is to create a new set of DHCP receive/request rules.

Follow this article to create the rules, if you are having this problem. Hopefully later, I’ll be able to post more on why the system rules are broken.

Mailbag: To Firewall or not?

I received this question in my mailbox the other day. It wasn’t the first time. Thought I may as well post the answer too.

Amy, I’ve heard you on the SBS Show and read your comments in the Yahoo
groups and on your own blog. I recently ran across Thomas Shinder’s
blog post called “Why SBS is Insecure by Design and Not Even an ISA
Firewall can Fix the Problem” which can be found here:

http://blogs.isaserver.org/shinder/2006/09/03/why-sbs-is-insecure-by-des
ign-and-not-even-an-isa-firewall-can-fix-the-problem/

I wanted to get your opinion on a specific statement Mr. Shinder makes
in this post:

“The SBS 2003 SP1/ISA firewall box with a “hardware” firewall or NAT
device in front of it is no more secure than the SBS 2003 SP1 box
without the “hardware” firewall or NAT device in front of it. Putting a
“hardware” firewall in front of the SBS box is psychological exercise in
futility, and the money spent on the PIX 501 would be much better spent
on a couple hours of psychotherapy or a few bottles of Dom P. Whether
you choose the PIX, the shrink or the Dom, you’ll end up with the same
level of security.”

Do you think a hardware firewall in front of an SBS box is no more
secure then an SBS box without a hardware firewall in front of it? Do
the companies you consult for usually have a hardware firewall in front
of the SBS box, regardless of whether or not they are running ISA on
SBS?

Your opinion on this would be greatly appreciated!


______________________________________________________________________

Dear Reader,

Security is not an absolute. Most people agree that it is about risk mitigation. As a small business consultant I can say with certainty that SBS does make small business more functional and more secure. Without exception when I make first contact with a small business they are operating their business without backup, with expired anti-virus software, with a high speed Internet connection and without a firewall. After we install SBS, provide for backup, subscribe and deploy an anti-virus solution, configure monitoring and patching and deploy a firewall the business is more secure than before we started. Are they as secure as an enterprise that has embraced least privilege and separation of duties? No, but at least they are now on the right path.

You should always deploy a firewall. I only use SBS Premium in my practice because I believe that ISA can protect Microsoft products better than the competition and I’ve got a lot of Microsoft products running on SBS. Now, is a hardware firewall necessary in front of ISA? No, this will not make you anymore secure. If my clients have an ISP supplied router with some firewall capabilities built-in, then I enable that only because they already have it. I would never recommend that they go out and purchase one.

If you are using SBS standard, then you had better go out and purchase the best firewall that money can buy to protect it. You’ve got a lot of eggs in your basket to protect.

Amy Babinchak

Publishing Project Server Portal

Over at SmallBizServer.net a new article has been published on how to publish a Microsoft Project Server portal through ISA 2004. You can read the article here.

Many of the articles from SmallBizServer.net require a subscription. This one doesn’t seem to, so get it while it’s available. My only comment is that in Step 1 under ISA, it says Create a New Rule. Since we have 3 types of rules to choose from in ISA, this really ought to read Create a New Web Publishing rule.

They are doing some great work over at SmallBizServer.net so if you aren’t familar with them it would be a good idea to check out the entire site.

Deciding Where to put the rule you just created

Lately I’ve seen too many ISA Firewall Policies with all of the custom created rules sitting at the top of the firewall policy. At the top isn’t always the best place for a new rule. New rules should be placed according to function. There is a great TechNet article that explains how to determine where to place your new rule.

The article starts like this and then goes into further detail about how to order the rules within these categories:

Ordering the rule base
We recommend that you organize your access rules in this order:

1.
Global deny rules. Rules that deny specific access to all users. These rules should use the rule elements that require simple networking information. An example of such a rule would be a rule that denies all users access from anywhere to anywhere on protocols used for peer-to-peer file sharing.

2.
Global allow rules. Rules that allow specific access to all users. These rules should use the rule elements that require simple networking information. An example of this would be a rule allowing access on the Domain Name System (DNS) protocol from the Internal network to the External network.

3.
Rules for specific computers. Rules that allow or deny access for specific computers, for example, a rule allowing UNIX computers access to the Internet.

4.
Rules for specific users, URLs, and MIME types, and also publishing rules. Rules that contain rule elements that require additional networking information, and that enforce policy for specific users, or for specific Uniform Resource Locators (URLs) or Multipurpose Internet Mail Extensions (MIME) types. Publishing rules should also occur at this point in the rule order.

5.
Other allow rules. Rules that handle traffic that does not match rules that occur previously in the list of rules, assuming the traffic is allowed by your corporate policy. For example, a rule allowing all traffic from the Internal network to the Internet.