Hitchhiker's Guide

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 27, 2003 9:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internet Access behind SBS

http://www.ISAserver.org

Now is where I get to join the fray.

The FW client actually adds to your security, not detracts from it. If you (as Paul and Tom both stated) create the ISA policies to disallow anything not specifically allowed, then the FW client actually helps you:
1. enforce that policy
2. perform your necessary forensic tasks (user and machine names!)

You can also block applications themselves, not just the protocols they use. You can configure an "ain't no way" "Common Configuration" settings section that includes "disable=1" and use the "disable=0" for those apps you want to allow through.

This way, even if the internal clients disable the FW client itself and become SecureNAT clients (who the hell allows that?!?), the ISA policies tell them to zark off (three social points for that reference).

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Wed, 27 Aug 2003 18:12:44 +1000 "Paul Aitchison" <pdaitch@xxxxxxxxxxxxxxx> wrote:

I agree with ya there Tom! Documentation on the ini file is pretty smoky. I just know in an SBS2000 install with ISA set up thru the Internet Connection Wizard, the firewall client is able to access everything so you'd need to spend some time configuring the ini files etc to prevent users having open access via ISA.
I've had cases where we've taken over providing IT services for SBS users and the previous company has left the ISA with no configuration short of the SBS defaults; needless to say, spyware and other nasty things were rampant throughout the network. I tend to go into an SBS ISA install and just do it from scratch to make sure it's right :-)

Basically in my experience it comes down to what ppl need to run over the net. If it's just web surfing, leave the client off their machine as it's a security hole you don't have to worry about. Of course if I was much more versed in the wspcfg.ini file I could lock it down.

Cheers
Paul

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, 27 August 2003 5:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internet Access behind SBS

Hi Paul,

You should rethink your opinion of the Firewall client. The firewall client is one of the major features that separates an ISA firewall from other firewalls. Without the Firewall client, you have just a dumb, no intelligent outbound access control firewall like a pix.

Why? Because it's this client piece that allows user/group based access controls for *ALL* protocols and it does not require the application to be proxy aware and there does not need to be a dedicated "proxy" component. Even with SOCKS, the application has to be written to be SOCKS aware. The Firewall client allows you to use any application behind the ISA firewall. No other firewall that I'm aware of can do this.

The Firewall client is the way, the truth and the light. The only complaint I have is that the documentation on how to actually use the settings in the wspcfg.ini file is as clear as mud.
:-)

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
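
Added example, not part of the thread or of any ISA Server documentation: a small audit of the default-deny layout Jim Harrison describes, with Disable=1 under "Common Configuration" and Disable=0 only for the applications you want to allow through. The sample file contents and application section names are constructed, and the rule that an application section overrides the common default is an assumption.

```python
import configparser

COMMON = "Common Configuration"

# Constructed sample in the layout described in the thread; not a real client's file.
SAMPLE_INI = """
[Common Configuration]
Disable=1

[iexplore]
Disable=0

[outlook]
Disable=0

[kazaa]
Disable=1

[winword]
NameResolution=R
"""

def audit(ini_text):
    """Return (default_deny, enabled_apps, findings) for wspcfg.ini-style text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    findings = []
    # Find the common section regardless of letter case.
    common = next((s for s in cp.sections() if s.lower() == COMMON.lower()), None)
    default = cp.get(common, "disable", fallback="0").strip() if common else "0"
    default_deny = default == "1"
    if not default_deny:
        findings.append("Common Configuration does not set Disable=1")
    enabled = []
    for section in cp.sections():
        if section == common:
            continue
        # Assumption: an application section overrides the common default.
        value = cp.get(section, "disable", fallback=default).strip()
        if value == "0":
            enabled.append(section)
        elif value != "1":
            findings.append(f"[{section}] has unexpected Disable={value!r}")
    return default_deny, sorted(enabled), findings

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

Review the returned list of enabled applications against the set you intended to allow; any finding means the file no longer matches the default-deny layout.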