I want to provide a little bit more detail regarding the Discretionary Access Control Lists (DACLs) used by ISA Server.  These ensure that the ISA installation and logging folders are configured with the proper NTFS security permissions required by ISA services. This topic is handled briefly in the ISA TechNet documentation handling the Role-based Administration of ISA:

Discretionary Access Control Lists

With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs when you modify administrative roles and when the Microsoft ISA Server Control service (isactrl) is restarted. For more information, see the section Role-Based Administration Features earlier in this document.

Caution:

Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.
Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users:
Folder for reports (when you select to publish the reports).
Configuration files created when exporting or backing up the configuration.
Log files that are backed up to a different location.
Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure.
Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.
If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent.

Tip:

We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions

Source: http://technet.microsoft.com/en-us/library/bb794769.aspx

 

Q: How does this affect my daily work with ISA?

A: We think that this will have no negative effect on your work, and that it will help ISA remain stable ;-) The DACLs are in place to make sure ISA Server has all proper permissions on its installation directories and registry locations.

Q: How are DACLs affecting my ISA Server at all?

A: When you configure or change any Administrative Role on ISA (regardless of Enterprise or Standard Edition), the file and registry DACLs will be modified.

Important! Any changes you made earlier in the NTFS security settings, which don't match the roles configured in ISA, will be removed!!
 Example: You recently added NTFS permissions  to  a user named BACKUP (manually, by GPO or sth. like this...). This use should be able to backup the ISA folders. All permissions you granted to this user will be removed after you make any changes or restart ISACTRL, if you haven't configured this user in the ISA Administrative Roles. Therefore your backup of ISA Server will most likely fail.

Q: Which Role provides which access to the ISA Folders?

A: See the following Tables for details...

ISA 2006 Standard Edition

ISA Server Monitoring Auditor

ISA Server Auditor

ISA Server Full Administrator

%ISAINSTALLDIRECTORY%

RE,L,R

RE,L,R

Full Control

ISALogs

no access

RE,L,R

Full Control

ISASummaries

no access

RE,L,R

Full Control

StgData

no access

no access

Full Control

Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN

RE,L,R

RE,L,R

Full Control

Table 1: ISA 2006 Standard Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)

ISA 2006 Enterprise Edition

ISA Server Enterprise Auditor

ISA Server Enterprise Administrator

ISA Server Array Monitoring Auditor

ISA Server Array Auditor

ISA Server Array Administrator

%ISAINSTALLDIRECTORY%

RE,L,R

RE,L,R

RE,L,R

RE,L,R

RE,L,R

ISALogs

RE,L,R

Full Control

no access

RE,L,R

Full Control

ISASummaries

RE,L,R

Full Control

no access

RE,L,R

Full Control

StgData

no access

no access

no access

no access

no access

Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN

RE,L,R

RE,L,R

RE,L,R

RE,L,R

RE,L,R

Table 2: ISA 2006 Enterprise Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)

 

 

ISA 2004 Standard Edition

ISA Server Basic Monitoring

ISA Server Extended Monitoring

ISA Server Full Administrator

%ISAINSTALLDIRECTORY%

RE,L,R

RE,L,R

Full Control

ISALogs

no access

Full Control

Full Control

ISASummaries

no access

Full Control

Full Control

StgData

no access

no access

Full Control

ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, SDisaTemplates, Trace, UI_HTMLs, Uninstall, VPN

RE,L,R

RE,L,R

Full Control

Table 3: ISA 2004 Standard Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)

ISA 2004 Enterprise Edition

ISA Server Enterprise Auditor

ISA Server Enterprise Administrator

ISA Server Array Monitoring Auditor

ISA Server Array Auditor

ISA Server Array Administrator

%ISAINSTALLDIRECTORY%

RE,L,R

RE,L,R

RE,L,R

RE,L,R

RE,L,R

ISALogs

RE,L,R

Full Control

no access

RE,L,R

Full Control

ISASummaries

RE,L,R

Full Control

no access

RE,L,R

Full Control

StgData

no access

no access

no access

no access

no access

Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN

RE,L,R

RE,L,R

RE,L,R

RE,L,R

RE,L,R

Table 4: ISA 2004 Enterprise Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)

Q: Which Role provides which access to the ISA RegKeys?

A: See the following Tables for details... 'root key' for the relevant ISA RegKeys is.

ISA 2006 Standard Edition

ISA Server Monitoring Auditor

ISA Server Auditor

ISA Server Full Administrator

HKLM\SOFTWARE\Microsoft\Fpc and Subkeys

R

R

Full Control

HKLM\IsaStg_Eff1 and [ArrayID] Subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers,

R

R

Full Control

HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ Subkeys AdminSecurity,ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Reports, SD, VendorParametersSets

no access

R

Full Control

HKLM\IsaStg_Eff1Policy

no access

R

Full Control

HKLM\IsaStg_Eff1Prot

R

R

Full Control

Table 5: ISA 2006 Standard Edition SP1 (R = Read (Query + Enumerate Subkeys + Notify + Read Control)

 

ISA 2006 Enterprise Edition

(Array Member Server)

ISA Server Enterprise Auditor

ISA Server Enterprise Administrator

ISA Server Array Monitoring Auditor

ISA Server Array Auditor

ISA Server Array Administrator

HKLM\SOFTWARE\Microsoft\Fpc and Subkeys

R

R

R

R

R

HKLM\IsaStg_Eff1 HKLM\IsaStg_Eff1Policy

HKLM\IsaStg_Eff1Prot

no access

no access

no access

no access

no access

HKLM\IsaStg_Eff2

HKLM\IsaStg_Eff2Policy

HKLM\IsaStg_Eff2Prot

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

HKLM\IsaStg_Cache

HKLM\IsaStg_CacheArrPolicy

HKLM\IsaStg_CacheArrProt

HKLM\IsaStg_CacheEntPolicies

HKLM\IsaStg_CacheEntProt

R

R

R

R

R

Table 5: ISA 2006 Enterprise Edition SP1 (R = Read (Query + Enumerate Subkeys + Notify + Read Control)

 

ISA 2004 Standard Edition

ISA Server Monitoring Auditor

ISA Server Auditor

ISA Server Full Administrator

HKLM\SOFTWARE\Microsoft\Fpc and Subkeys (except Storage)

R

R

Full Control

HKLM\SOFTWARE\Microsoft\Fpc\Storage\Array-Root\Arrays and [ArrayID] Subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers,  Sessions, SignaledAlerts

R

R

Full Control

HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ Subkeys AdminSecurity, ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Report, Reports, VpnQuarantine

no access

R

Full Control

Table 6: ISA 2004 Standard Edition  (R = Read (Query + Enumerate Subkeys + Notify + Read Control)

 

ISA 2004 Enterprise Edition

(Array Member Server)

ISA Server Enterprise Auditor

ISA Server Enterprise Administrator

ISA Server Array Monitoring Auditor

ISA Server Array Auditor

ISA Server Array Administrator

HKLM\SOFTWARE\Microsoft\Fpc and Subkeys

R

R

R

R

R

HKLM\IsaStg_Eff1 HKLM\IsaStg_Eff1Policy

HKLM\IsaStg_Eff1Prot

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

HKLM\IsaStg_Eff2

HKLM\IsaStg_Eff2Policy

HKLM\IsaStg_Eff2Prot

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

R but no access to Subkeys

HKLM\IsaStg_Cache

HKLM\IsaStg_CacheArrPolicy

HKLM\IsaStg_CacheArrProt

HKLM\IsaStg_CacheEntPolicies

HKLM\IsaStg_CacheEntProt

R

R

R

R

R

Table 5: ISA 2004 Enterprise Edition (R = Read (Query + Enumerate Subkeys + Notify + Read Control)

 

Author

Philipp Sand

Microsoft Support Specialist ISA Server

Technical Reviewer

Jim Harrison

Microsoft Forefront (ISA/TMG) Sustained Engineering Team