Discretionary Access Control Lists
With a new installation, ISA Server discretionary access control lists (DACLs) are appropriately configured. In addition, ISA Server reconfigures DACLs when you modify administrative roles and when the Microsoft ISA Server Control service (isactrl) is restarted. For more information, see the section Role-Based Administration Features earlier in this document.
Because ISA Server periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs on the ISA Server objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that ISA Server tries to configure.Do not modify the DACLs set by ISA Server. Note that ISA Server does not set DACLs for the objects in the following list. You should set DACLs for the objects in the following list carefully, giving permissions only to trusted, specific users:Folder for reports (when you select to publish the reports).Configuration files created when exporting or backing up the configuration.Log files that are backed up to a different location.Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs on objects that are indirectly used by ISA Server. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by ISA Server, be sure to keep the data source name (DSN) secure. Configure strict DACLs for all applications running on the ISA Server computer. Be sure to configure strict DACLs for associated data in the file system and in the registry.If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent.
We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions
Q: How does this affect my daily work with ISA?
A: We think that this will have no negative effect on your work, and that it will help ISA remain stable ;-) The DACLs are in place to make sure ISA Server has all proper permissions on its installation directories and registry locations.
Q: How are DACLs affecting my ISA Server at all?
A: When you configure or change any Administrative Role on ISA (regardless of Enterprise or Standard Edition), the file and registry DACLs will be modified.
Important! Any changes you made earlier in the NTFS security settings, which don't match the roles configured in ISA, will be removed!! Example: You recently added NTFS permissions to a user named BACKUP (manually, by GPO or sth. like this...). This use should be able to backup the ISA folders. All permissions you granted to this user will be removed after you make any changes or restart ISACTRL, if you haven't configured this user in the ISA Administrative Roles. Therefore your backup of ISA Server will most likely fail.
Q: Which Role provides which access to the ISA Folders?
A: See the following Tables for details...
ISA 2006 Standard Edition
ISA Server Monitoring Auditor
ISA Server Auditor
ISA Server Full Administrator
Appliance, ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, sdconfig, SDisaTemplates, UI_HTMLs, Uninstall, VPN
Table 1: ISA 2006 Standard Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)
ISA 2006 Enterprise Edition
ISA Server Enterprise Auditor
ISA Server Enterprise Administrator
ISA Server Array Monitoring Auditor
ISA Server Array Auditor
ISA Server Array Administrator
Table 2: ISA 2006 Enterprise Edition SP1 (RE = Read & Execute, L = List Folder Contents, R = Read)
ISA 2004 Standard Edition
ISA Server Basic Monitoring
ISA Server Extended Monitoring
ChainCfg, CookieAuthTemplates, ErrorHtmls, MSDE, Network Templates, ReportHTMLs, SDisaTemplates, Trace, UI_HTMLs, Uninstall, VPN
Table 3: ISA 2004 Standard Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)
ISA 2004 Enterprise Edition
Table 4: ISA 2004 Enterprise Edition SP3 (RE = Read & Execute, L = List Folder Contents, R = Read)
Q: Which Role provides which access to the ISA RegKeys?
A: See the following Tables for details... 'root key' for the relevant ISA RegKeys is.
HKLM\SOFTWARE\Microsoft\Fpc and Subkeys
HKLM\IsaStg_Eff1 and [ArrayID] Subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers,
HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ Subkeys AdminSecurity,ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Reports, SD, VendorParametersSets
Table 5: ISA 2006 Standard Edition SP1 (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
ISA 2006 Enterprise Edition
(Array Member Server)
R but no access to Subkeys
Table 5: ISA 2006 Enterprise Edition SP1 (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
HKLM\SOFTWARE\Microsoft\Fpc and Subkeys (except Storage)
HKLM\SOFTWARE\Microsoft\Fpc\Storage\Array-Root\Arrays and [ArrayID] Subkeys Alerts, ConnectivityVerifiers, Logs, NetConfig, RuleElements, Servers, Sessions, SignaledAlerts
HKLM\IsaStg_Eff1\Arrays\[ArrayID]\ Subkeys AdminSecurity, ArrayPolicy, Cache, ClientConfigSettings, Extensions, NetworktemplateUsed, Report, Reports, VpnQuarantine
Table 6: ISA 2004 Standard Edition (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
ISA 2004 Enterprise Edition
Table 5: ISA 2004 Enterprise Edition (R = Read (Query + Enumerate Subkeys + Notify + Read Control)
Microsoft Support Specialist ISA Server
Microsoft Forefront (ISA/TMG) Sustained Engineering Team