Last month we submitted the ISA Server 2004 Best Practices Analyzer Tool (codename IsaBPA).
What is IsaBPA?The ISA Server Best Practices Analyzer is a tool that collects configuration data from the local ISA Server computer, such as ISA configuration settings, hardware configuration, OS configuration and more. It examines the above information. Then it notifies the user if there are any configuration issues, and provides information regarding how to fix them.
What Does IsaBPA Cover?The current release of IsaBPA performs more than 100 checks. Some of the issues that can be detected are:
IsaBPA FeaturesThe ISA Server Best Practices Analyzer has several cool features. The tool has a live update mechanism. It allows the administrator to check whether there are new updates for the tool and download them. You can set this tool to check for live updates every time the tool starts. In addition, if you are a command-line person, you can run this tool from the command-line or schedule a weekly scan.
Using IsaBPAIsaBPA can be used in a number of ways. It can be used to proactively check the health of the ISA Server deployment, finding issues that may increase the stability of the system, improve security and improve performance. It can also be used to assist troubleshooting of a particular issue. In many cases, the use of IsaBPA can eliminate the need for calling Microsoft support.It is noteworthy that the tool is not invasive in any way. It does not change anything in the system. IsaBPA only informs you about probable issues and suggests ways to fix them.
Getting IsaBPAThe IsaBPA is available for download for free and can be found at:http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
What’s next?First of all, we are looking into listing hundreds of ISA properties, so you may all view your ISA settings (even some settings that cannot be viewed via the MMC). Next we are thinking about adding new checks. We might add several OWA checks, for instance a check that examines the ports specified for listening and for bridging. We are also thinking about adding basic Configuration Storage Server checks, some RADIUS checks, and more. Finally, we are looking into bugs found in the last release.
Idan Plonsky, ISA Team
is it true that i found some bugs?
1) ISABPA reports ISA installed on Virtual PC but Virtual Server 2005 R2 is installed
2) It is not possible to run ISAINFO in ISABPA. ISABPA creates the ISAINFO XML file but nothing is displayed in ISABPA. YOu have to run ISAINFO manually. I tested it with ISABPA 2.5.3439.50 and configuration file 4.0.3440.277 english and german ISA)
3) ISA reports missing certificates but there are two certificates in the computer certificate store.
4) The link to the ISA Security Hardening Guide is wrong. The correct path is: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
The IsaBPA can run the ISAInfo. You can find the output at the IsaBPA install directory at %programfiles%\Microsoft IsaBPA. To view this file at its best, you can also download the ISAInfo xml parser, which is not included in the IsaBPA package.
The certificates that the IsaBPA are looking for should have a corresponding private key as well as being located at the computer certificate store.
The other issues are known and will be fixed for next version.
Overall, I think the BPA at the point is more of a troubleshooting tool for those unquainted with the ISA firewall. But I have to say I didn't find much in terms of "best practices". Thanks! --Tom.
I have installed and tested ISA BPA on my ISA Servers.
The following message 'This ISA Server computer is not hardened' has been displayed in the report.
What are the criteria used to say that the ISA Server is not hardened?
Can we have the exact details of the tests performed?
I too have run the SCW and BPA tool and still get the message that this server is not hardened. Kind of frustrating when the link it points to for hardening basically says to use the SCW if you have 2k3 SP1 and then not much else otherwise.
This issue has been fixed in the next ISA Server 2004 Best Practices Analyzer version.
You are welcome to download it from the Microsoft Download Center.
Kind of frustrating when the link it p.