How to make ISA stop ALL useful traffic - for some users
So I was actually in the United States for a couple of days last week and decided to get the long overdue ISA server running at home. After all, how hard could this be? In ISA 2004, with the new "firewall configuration by cartoon" interface, you just pick the cartoon that looks most like your network. Heck, since I have SBS, it actually clicks the right cartoon for you.
And what was the reason for this excursion you might ask? Why not spend the time with kids, or whisky, or maybe both, instead? Well, part of me just wants to learn more about ISA. Part of me is mostly interested in blocking my 7-year olds administrative account from surfing the web. You see, he needs to have an administrative account because of all the bad software out there that won't run as a regular user. To manage that I gave him two accounts, one that is a local administrator and one that is not. Then I am now trying to block the one that is a local admin from surfing the web. I actually think this is a very useful thing to do. One of the major ways malware gets installed is when well-meaning people who surf the web with too high privileges accidentally or intentionally click the wrong button. If we can keep them from surfing the web using privileged accounts we can stop much of the malware right there. ISA server has the ability to do this because it has the ability to identify users. This is one of those very useful things that not many firewalls allow you to do. However, it turned out to be a little trickier than I thought, so I figured it would make sense to tell people about some of the problems I encountered and how I solved it.
Theoretically, all this should be simple. You install SBS, then install ISA from the SBS Premium Technologies disk. The installer will create the "SBS Internet Users Group" and you just remove the users you want to block from the web from that group. If only things were so easy. Once you start restricting things like this SecureNAT clients (clients without the ISA client, or clients with the ISA client that can't authenticate to the domain) can no longer connect anywhere. This happens because the SBS Internet Users Group needs to replace All Users in the outbound web rule. Once it does that, you must authenticate to connect out. Otherwise you are anonymous and it does not work. SecureNAT clients do not authenticate. This causes a major problem with my work laptop since it cannot be a domain member (it is already a domain member elswhere) and hence cannot authenticate out.
To solve that Chad Gross suggested setting up DHCP reservations for the laptop and setting up an ISA rule and allow those addresses to connect out. (Susan Bradley suggested ditching ISA, but what would be the fun in that?) Kind of cumbersome, but it works. Thanks Chad!
The next thing I notice is that my FrontPage webs do not work. I host a few of them and now I could not get to any of them via FrontPage. This caused a huge problem for my wife because she hosts all the pictures on her blog on one of them and of course it was a critical business requirement to be able to upload new ones immediately. The oddest part was that they work from my work laptop when I am VPNd into work. Checking the ISA logs I see requests for https://<IP address>/_vti_bin/_vti_aut/author.dll which are blocked. That's odd, but explains why they are blocked, or do not work. If they do not have the right host headers the IIS server won't find them. I fire up netmon, however, and don't see them at all. Even stranger.
To figure out what was going on I set up a temporary rule to allow one of my internal machines to send http to anyone, all networks. Now it works and of course ISA shows that it is the new rule that is letting the traffic through. Going to netmon I don’t see anything on the external interface. Going to the internal interface, however, I see a very standard request from my internal client to the local machine, using the proper host header. The only thing I can think of is that ISA gets paranoid. Basically, there is a request here to the external address, but it is coming from the inside. That can’t be good, let’s block it. But why? The key was in the logs really. The request was anonymous. I had the firewall client turned off on that machine. I also had that rule that blocked certain users from getting to the Internet (no local admins are allowed to surf the web). Since the firewall client was disabled, the user was anonymous and ISA blocked it. Turn on the firewall client and now it can get there.
It looks like the magic combination was the override rule for the corp laptop that Chad suggested, and ensure the firewall client is on. If you also have a need to allow non-domain members out you need exception rules for those. I also have to add “All Users” to the SBS Internet Access Rule” for the same reason. Once I do that, everything seems to work, but there are a lot of magic rules that need to be there.
ISA is doing exactly the right thing here. The problem exists, as usual, between the chair and keyboard (PEBCAK). The trick is to use a judicious combination of Network Monitor and ISAs log, pay particular attention to who is making the requests, and really analyze the impact of all the rules. Keep in mind that if any of the rules apply to anything other than "all users" you must have a firewall client or an override rule to get through.
Comments
- Anonymous
October 25, 2005
And you're saying I'm sick ;)
Hope you're doing well my friend! - Anonymous
October 25, 2005
"And you're saying I'm sick ;) "
Hey, hey...none of that... Excuse me some of us think he's quite well thank you very much. - Anonymous
October 29, 2005
Hi,
Regarding the problem with bad behaving programs that require Admin access, you might want to try something like this:
http://www.joeware.net/win/free/tools/cpau.htm
It encapsulates the RunAs command inside an encrypted batch file. You then pass this file to the executable with the decode parameter and the RunAs is executed without exposing the password.
I did this for all the games that require admin access and it works fine, without having to give your kids any admin passwords.
Give the encrypted files a common extension (like .CPAU), then associate that extension with the command "<yourpath>cpau.exe -dec -file %1 -profile" in Windows explorer and you are done. - Anonymous
October 31, 2005
Hi Jesper,
how about using MakeMeAdmin.cmd for elevatingn the own account temporarly to the admin level? This should be easier to use as a second logon.
Regards!
Daniel - Anonymous
November 16, 2005
I like the idea of encapsulating the runas. For kids, and senior management, I'm not sure that using Runas will work properly. Encapsulating it gives them something tehy can do automatically. I'll try that. - Anonymous
December 13, 2005
it sure is a complicated IT world; now try to explain this to a non-IT user, and let's find out what gets him working: disabling firewall
it's not you, sure; it's the complicated things that need to be done to get things going, that makes mosts users to just ignore the problems and warnings and just leave their systems wide open with no protection at all
and, beaneath all that technicality, yours was a really nice advice
sure, most users won't use an ISA; they'll use something else, with more pop-ups, or less pop-ups, asking them what to do; the problem is, most times, they don't know what to answer, and just do it on a flip-a-coin basis
worried? me too; i know a lot like that... :) - Anonymous
December 13, 2005
Paulo, you are spot on. What worries me most right now is not technology, but people. We have succeeded in building technology that and security that few people can use. How are we going to allow the masses to make intelligent security decisions?