Internet Security and Acceleration (ISA) Server 2006

ADDENDUM
Version 1, Release 0.1
11 January 2008
DISA Field Security Operations
Developed by DISA for the DoD
UNCLASSIFIED

Trademark Information

Internet Security and Acceleration (ISA) Server is either a registered trademark or a trademark of Microsoft Corporation in the United States and/or other countries. All other names are registered trademarks or trademarks of their respective companies.

TABLE OF CONTENTS

1. INTRODUCTION
   1.1 Background
   1.2 Authority
   1.3 Scope
   1.4 Writing Conventions
   1.5 Vulnerability Severity Code Definitions
   1.6 DISA Information Assurance Vulnerability Management (IAVM)
   1.7 DISA Gold Standard
   1.8 STIG Distribution
   1.9 Document Revisions
2. COURSE OF ACTION 2 (COA2) REQUIREMENTS
   2.1 Install OCSP Application on ISA Server
   2.2 Create the ISA Web Publishing Rule
       2.2.1 Perform the following steps to create the Web Publishing Rules
       2.2.2 Configure the Web Listener Client Certificate Settings
   2.3 DoD Windows Mobile ISA 2006 Configuration
3. HARDENING THE TCP/IP STACK AGAINST DENIAL OF SERVICE ATTACKS IN WINDOWS SERVER 2003
   3.1 TCP/IP Registry Values That Harden the TCP/IP Stack
APPENDIX A. RELATED PUBLICATIONS
APPENDIX B. LIST OF ACRONYMS

1. INTRODUCTION

1.1 Background

This Addendum to Microsoft’s Security Guides for Internet Security and Acceleration Server 2006 was developed to enhance the confidentiality, integrity, and availability of sensitive Department of Defense (DoD) Automated Information Systems (AISs) using Internet Security and Acceleration Server 2006 on Windows 2003 operating systems (OSs). This Addendum is coordinated with the following documents, hereafter collectively known as the Internet Security and Acceleration Server 2006 and Windows Server 2003 Guides:

• Microsoft “Internet Security and Acceleration Server Security Guide”, 2006
• Microsoft “Solutions for Security, Windows 2003 Security Guide”, 2005

The ISA 2006 Addendum is designed to provide recommendations about how to harden, securely configure, and administer computers running Microsoft Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition in the United States Department of Defense (DoD) environment. Recommendations in this guide include ISA Server deployment strategies covering all possible deployment scenarios as outlined in the Course of Action 2 (COA2) deployment guides.

1.2 Authority

DoD Directive 8500.1 requires “all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines” and tasks DISA to “develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA.” This document is provided under the authority of DoD Directive 8500.1. The use of the principles and guidelines in this STIG will provide an environment that meets or exceeds the security requirements of DoD systems operating at the Mission Assurance Category (MAC) II Sensitive level, containing sensitive information.
The Information Operations Condition (INFOCON) for the DoD recommends actions during periods when a heightened defensive posture is required to protect DoD computer networks from attack. The IAO will ensure compliance with the security requirements of the current INFOCON level and will modify security requirements to comply with this guidance.

It should be noted that DISA Field Security Operations (FSO) support for the Security Technical Implementation Guides (STIGs), Checklists, and Tools is only available to DoD Customers.

1.3 Scope

The requirements set forth in this document will assist System Administrators (SAs), Information Assurance Managers (IAMs), and Information Assurance Officers (IAOs) in securing the Internet Security and Acceleration Server 2006 on Windows 2003.

1.4 Writing Conventions

Throughout this document, statements are written using words such as “will” and “should.” The following paragraphs are intended to clarify how these STIG statements are to be interpreted.

A reference that uses “will” indicates mandatory compliance. All requirements of this kind will also be documented in the italicized policy statements in bullet format, which follow the topic paragraph. This makes all “will” statements easier to locate and interpret from the context of the topic. The IAO will adhere to the instruction as written. For each italicized policy bullet, the text will be preceded by parentheses containing the STIG Identifier (STIGID), which corresponds to an item on the checklist, and the severity code of the bulleted item. An example of this is as follows: "(G111: CAT II)." If the item presently does not have a STIGID, or the STIGID is being developed, it will contain a preliminary severity code and "N/A" (i.e., "[N/A: CAT III]").

Throughout the document, accountability is directed to the IAO to “ensure” a task is carried out or monitored. These tasks may be carried out by the IAO or delegated to someone else as a responsibility or duty.

A reference to “should” indicates a recommendation that further enhances the security posture of the site. These recommended actions will be documented in the text paragraphs but not in the italicized policy bullets. All reasonable attempts to meet this criterion will be made.

1.5 Vulnerability Severity Code Definitions

Table 1.1. Vulnerability Severity Code Definitions

Category I    Vulnerabilities that allow an attacker immediate access into a machine, allow superuser access, or bypass a firewall (e.g., granting unnecessary accounts the User Right "Act as Part of the Operating System" in Windows).
Category II   Vulnerabilities that provide information that has a high potential of giving access to an intruder (e.g., not requiring password complexity would increase the risk of an intruder gaining access).
Category III  Vulnerabilities that provide information that potentially could lead to compromise (e.g., allowing users to install printer drivers could potentially lead to compromise with unapproved drivers).

1.6 DISA Information Assurance Vulnerability Management (IAVM)

The DoD has mandated that all IAVMs are received and acted on by all commands, agencies, and organizations within the DoD. The IAVM process provides notification of these vulnerability alerts and requires that each of these organizations take appropriate actions in accordance with the issued alert. IAVM notifications can be accessed at the Joint Task Force Global Network Operations (JTF-GNO) web site: http://www.jtfgno.mil.

1.7 DISA Gold Standard

The Gold Standard was developed with Information Technology (IT) security as well as operational impact in mind. Operational impact includes required security settings which will disable or cause loss of functionality of the information system or application. Operational impact cannot override security; the operational impact must be weighed against the risk of not implementing a security control. The Gold Standard is the establishment of a minimum-security baseline applied to DoD systems. The Gold Standard provides a high level of assurance that the functionality of the information system or application will not be adversely impacted as a result of implementing the Gold Standard settings. Security controls designated as Platinum Standard provide a higher level of security assurance but may impact operations.

1.8 STIG Distribution

Parties within the DoD and Federal Government's computing environments can obtain the applicable STIG from the Information Assurance Support Environment (IASE) web site. This site contains the latest copies of any STIG, as well as checklists, scripts, and other related security information. The NIPRNet URL for the IASE site is http://iase.disa.mil/.

1.9 Document Revisions

Comments or proposed revisions to this document should be sent via e-mail to fso_spt@disa.mil. DISA FSO will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

2. COURSE OF ACTION 2 (COA2) REQUIREMENTS

The main objective of COA2 is to allow the DoD to utilize CAC logon during Outlook Web Access (OWA) authentication.
Microsoft Outlook Web Access (OWA) was not originally designed to allow the user to authenticate by using a smartcard. Across the services several solutions have been proposed, which are labeled as separate COAs. Through a process of detailed engineering discussion and planning with the core developer teams for Windows, Exchange, and ISA, Microsoft Consulting Services and the Office of the Microsoft Federal Chief Technology Officer have developed a solution referred to as COA 2.

COA2 is built upon Exchange Server 2003 and enhancements to Internet Security and Acceleration (ISA) Server 2006. One of the major improvements included in the new ISA 2006 firewall is the ability to support delegation of Kerberos credentials for users that authenticate with the ISA firewall using PKI (public key infrastructure) user certificates. ISA Server 2006 support for Kerberos Constrained Delegation (KCD) allows users to present a subscriber certificate to the ISA firewall and have that user’s credentials automatically forwarded to the destination web server. This prevents users from having to provide credentials a second time. COA2 requires the ISA 2006 Server to be installed within the same Domain as the Exchange Front-end and Back-end Servers.

2.1 Install OCSP Application on ISA Server

CRL validation is required on the ISA Server 2006. The ISA server will validate presented certificates before authenticating the user against Active Directory when the OWA client presents a certificate for authentication. This means that either the ISA Server 2006 computer must be able to download the DoD PKI CRL, or an approved OCSP client application must be loaded on the ISA server (DISA tested with the Tumbleweed Desktop Validator client application). An ISA Access rule must be created to ensure the ISA machine either allows CRL downloads or allows OCSP traffic to traverse the Internet. For DoD PKI, CRL downloads will happen via port 80/TCP (Transmission Control Protocol) (HTTP). OCSP traffic will happen via port 80/TCP (HTTP).

2.2 Create the ISA Web Publishing Rule

The COA2 implementation requires configuration of a Web Publishing rule to enable ISA 2006 to listen for client OWA requests. The following part of the document is only a quick outline of the COA2-specific requirements. Please refer to the COA2 document for detailed configuration steps.

2.2.1 Perform the following steps to create the Web Publishing Rules:

1. In the ISA Firewall console, expand the Arrays node and then expand the array name. Click the Firewall Policy node and then click the Tasks tab in the Task Pane. On the Tasks tab at the far right, click the Publish Exchange Web Client Access link.

2. On the Welcome to the New Exchange Publishing Rule Wizard page, enter a name for the rule in the Exchange Publishing rule name text box. In this example we will name the rule CAC OWA Publish. Click Next.

3. On the Select Services page, select the Exchange Server 2003 option from the Exchange version drop-down list box. Select the Outlook Web Access checkbox from the Web client mail services options. Click Next.

4. On the Publishing Type page, click Publish a single Web site or load balancer and click Next.

   TECHNICAL NOTE: The lab was configured with a single Exchange front-end server. Do not use Windows’ integrated NLB (Network Load Balancing) capabilities on the FE servers when configuring for redundancy with multiple FE servers. Rather, use the ISA Server 2006 capabilities to publish a farm of web servers, pointing the publishing rule to multiple FE servers. This capability provides a better load balancing solution than using the built-in Windows NLB.

5. On the Server Connection Security page, click Use SSL to connect to the published Web server or server farm. This option tells the ISA firewall to forward the connection request over a secure SSL channel, and this is an ISA firewall best practice. If this option is not selected, the connection would be forwarded over an unsecured channel.

   TECHNICAL NOTE: While the subscriber credentials are not at risk in this scenario because KCD has been utilized, the data moving over the link is easily accessible to anyone with a network capture utility. For this reason, unless there are compelling reasons to accept the lower security, always use SSL from the ISA firewall to the published Web server. Click Next.

6. On the Internal Publishing Details page, enter the common/subject name on the website certificate bound to the FE Exchange Server’s websites. In this example, the website certificate bound to the FE Exchange Server’s websites has the common/subject name of owa.af.mil. Click Next.

7. On the Public Name Details page, enter the common/subject name of the certificate that will be bound to the web listener. In this scenario the common/subject name on the certificate bound to the Web listener is owa.af.mil, so we enter that name in the Public name text box. This is the name that users will use to access OWA both internally and externally. Make sure external and internal DNS zones have the appropriate DNS entries for this name. The external DNS server should resolve this name to the external IP address of the ISA server. The internal DNS server should resolve this name to the IP address of the Exchange FE server. Click Next.

8. On the Select Web Listener page, click New to create a new SSL Web listener.

9. On the Welcome to the New Web Listener Wizard page, enter a name for the web listener in the web listener name text box and click Next.

10. In this example the name will be OWA Web Listener.

11. On the Client Connection Security page, click Require SSL secured connections with clients. Click Next.

12. On the Web Listener IP Addresses page, select which ISA firewall Networks the web listener is allowed to accept incoming connections from. In this example we want to allow connections from the ISA firewall’s default External Network and also from the ISA firewall’s default Internal Network. Click Next.

13. On the Listener SSL Certificates page, select the certificate to bind to the web listener. In this example we have only a single certificate that we want to bind to the web listener. This certificate enables the ISA firewall to impersonate the SSL Web site on the FE Exchange Server. Click Select Certificate.

14. Select the certificate to bind to the web listener on the Select Certificate page. The new ISA firewall makes certificate management much easier by providing useful information about the status of the certificate. In the figure below you can see that there is a single website certificate installed on the ISA firewall that can be bound to the web listener. The interface provides information about the validity of the certificate and whether the private key is included with the certificate. Click the xxx.xx.mil certificate and click Select.

15. Click Next on the Listener SSL Certificates page.

16. On the Authentication Settings page, select how the ISA firewall authenticates the users connecting to the Exchange FE Server. Select the SSL Client Certificate Authentication option. Windows (Active Directory) will automatically be selected. Keep this setting at the default and click Next.

   TECHNICAL NOTE: This step is where ISA is configured to only allow CAC logon as opposed to any sort of username/password. By selecting this, we force the client to present a certificate to the ISA server for authentication.

17. Click Next on the Single Sign On Settings page. Leave this blank.

18. Click Finish on the Completing the New Web Listener Wizard page.

19. A pop-up dialog box asks if you would like to enable the Allow all HTTP traffic from ISA Server to all networks for CRL downloads rule. Click.

   TECHNICAL NOTE: If this rule is chosen, it will allow outbound port 80/TCP (HTTP) traffic from the ISA Server 2006 computer to any destination on the Internet. Instead, create a specific rule allowing only the ISA Server 2006 computer(s) to have outbound port 80/TCP (HTTP) traffic to the specific OCSP responders necessary for your implementation. It should also be noted that even though this rule specifies “CRL downloads”, it will not allow the ISA server to download DoD PKI CRLs because the DoD PKI CDP is an HTTP CDP. Another specific rule must be configured to allow the ISA Server 2006 computer(s) to download the CRL via port 389/TCP (LDAP).

20. Click Next on the Select Web Listener page.

21. On the Authentication Delegation page:
    a. From the Select the method used by ISA Server to authenticate to the published Web server drop-down list, select the Kerberos constrained delegation option.
    b. In the Type the Service Principal Name (SPN) used by ISA Server for Kerberos constrained delegation text box, accept the default entry http/xxxfe. (If publishing an Exchange FE Server Web Farm, the SPN would be http/*.)
    c. Click Next on the Authentication Delegation page.

22. On the User Sets page, accept the default entry of All Authenticated Users, and click Next.

23. Click Finish on the Completing the New Exchange Publishing Rule Wizard page.

24. Click OK in the dialog box indicating that Active Directory SPNs must be configured to make this work.

25. Click Apply to save the changes and update the firewall policy.

26. Click OK in the Saving Configuration Changes dialog box.

2.2.2 Configure the Web Listener Client Certificate Settings

To view the certificate options, click the Firewall Policy node in the left pane of the console and click the Toolbox tab. In the Toolbox tab, click the Network Objects section and then click the Web Listeners folder. Double-click the OWA Web Listener entry.

1. In the OWA Web Listener Properties dialog box, click the Authentication tab.

2. On the Authentication tab, click Advanced….

3. In the Advanced Authentication Options dialog box, click the Client Certificate Trust List tab.

4. Select the Only accept client certificates trusted by the Root Certification Authorities selected below option and then select the DoD Root CAs. These Root CA certificates must be installed on the ISA server, based on the core requirements section earlier in this document.

5. Click Apply to save the changes and update the firewall policy.

6. Click OK in the Saving Configuration Changes dialog box.

2.3 DoD Windows Mobile ISA 2006 Configuration

The following steps should be completed when configuring the ISA server for WMM:

• Create a firewall rule for Exchange ActiveSync (EAS).
• Configure the firewall rule.
Here is a list of required rule settings:

• Action: Allow
• From: External & Local Hosts
• To: enter the outer-facing IP address of the web site
• Computer Name: list the name of the Front-end Exchange Server
• Traffic: HTTPS
• Listener: set up an SSL 443 listener
• Public: same as the To address
• Authentication Delegation: No delegation, but client may authenticate directly
• Paths: for Internal Path, /OMA and /Microsoft-Server-ActiveSync
• Bridging: check Web server; check Redirect requests to SSL Port and enter 443

3. HARDENING THE TCP/IP STACK AGAINST DENIAL OF SERVICE ATTACKS IN WINDOWS SERVER 2003

The Windows Server 2003 computer on which ISA 2006 is hosted should be hardened against IP stack attacks, especially denial of service attacks. Configure various TCP/IP parameters in the Windows registry in order to protect against network-level denial of service attacks, including SYN flood attacks, ICMP attacks, and SNMP attacks. Denial of service (DoS) attacks are network attacks that are aimed at making a computer or a particular service on a computer unavailable to network users. Denial of service attacks can be difficult to defend against. To help prevent denial of service attacks, use one or both of the following methods:

• Keep your computer updated with the latest security fixes.
• Harden the TCP/IP protocol stack on your Windows Server 2003 computers.

The default TCP/IP stack configuration is tuned to handle standard intranet traffic.
Because ISA Server computers are usually connected directly to the Internet, the recommendation is that you harden the TCP/IP stack against denial of service attacks.

3.1 TCP/IP Registry Values That Harden the TCP/IP Stack

The following list explains TCP/IP-related registry values that can be configured to harden the TCP/IP stack on computers that are directly connected to the Internet. All of these values should be created under the following registry key, unless otherwise noted:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

NOTE: All values are in hexadecimal unless otherwise noted.

• Value name: SynAttackProtect
  Key: Tcpip\Parameters
  Value Type: REG_DWORD
  Valid Range: 0, 1
  Default: 0

  This registry value causes TCP to adjust retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly during a SYN attack (a type of denial of service attack). The following parameters can be used with this registry value:

  • 0 (default value): No SYN attack protection.
  • 1: Set SynAttackProtect to 1 for better protection against SYN attacks. This parameter causes TCP to adjust the retransmission of SYN-ACKs. When you set SynAttackProtect to 1, connection responses time out more quickly if the system detects that a SYN attack is in progress. Windows uses the following values to determine whether an attack is in progress:
    • TcpMaxPortsExhausted
    • TCPMaxHalfOpen
    • TCPMaxHalfOpenRetried

  NOTE: In Windows Server 2003 Service Pack 1, the default value for the SynAttackProtect registry entry is 1.

• Value name: EnableDeadGWDetect
  Key: Tcpip\Parameters
  Value Type: REG_DWORD
  Valid Range: 0, 1 (False, True)
  Default: 1 (True)

  The following list explains the parameters that you can use with this registry value:

  • 1: If EnableDeadGWDetect is set to 1, TCP is permitted to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in the Network tool in Control Panel.
  • 0: Microsoft recommends that EnableDeadGWDetect be set to 0. If you do not set this value to 0, an attack may force the server to switch gateways and cause it to switch to an unintended gateway.

• Value name: EnablePMTUDiscovery
  Key: Tcpip\Parameters
  Value Type: REG_DWORD
  Valid Range: 0, 1 (False, True)
  Default: 1 (True)

  The following list explains the parameters that you can use with this registry value:

  • 1: If EnablePMTUDiscovery is set to 1, TCP attempts to discover the maximum transmission unit (MTU), or the largest packet size, over the path to a remote host. By discovering the path MTU and limiting TCP segments to this size, TCP can remove fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput.
  • 0: Microsoft recommends that EnablePMTUDiscovery be set to 0. When you do so, an MTU of 576 bytes is used for all connections to hosts that are not on the local subnet. If you do not set this value to 0, an attacker may force the MTU value to a very small value and overwork the stack.

  IMPORTANT: Setting EnablePMTUDiscovery to 0 negatively affects TCP/IP performance and throughput. Even though Microsoft recommends this setting, it should not be used unless you are fully aware of this performance loss.
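The following added example is not part of the DISA addendum: it audits a `reg export` of the Tcpip\Parameters and Netbt\Parameters keys against all five values in section 3.1 (the three above plus KeepAliveTime and NoNameReleaseOnDemand below) and emits a .reg fragment for whatever fails. The sample export, the host name isa01 and the function names are constructed for the example; the recommended values and defaults are the ones this section lists.

```python
"""Audit an exported Windows registry (.reg) file against the TCP/IP hardening
values in section 3.1.  Added example, not part of the DISA addendum; the
sample export below is constructed, not taken from a real ISA server."""
import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# (subkey, value name) -> (recommended value, default that applies if absent).
# Defaults are those the addendum lists; SynAttackProtect defaults to 1 on
# Windows Server 2003 SP1, so confirm the service pack before trusting an
# absent value there.  KeepAliveTime is in milliseconds: 300,000 = 5 minutes.
EXPECTED = {
    (r"Tcpip\Parameters", "SynAttackProtect"): (1, 0),
    (r"Tcpip\Parameters", "EnableDeadGWDetect"): (0, 1),
    (r"Tcpip\Parameters", "EnablePMTUDiscovery"): (0, 1),
    (r"Tcpip\Parameters", "KeepAliveTime"): (300000, 7200000),
    (r"Netbt\Parameters", "NoNameReleaseOnDemand"): (1, 0),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')

# Constructed sample of reg.exe export output from a not-yet-hardened host.
# KeepAliveTime holds the 7,200,000 ms (two hour) default as a hex DWORD.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"SynAttackProtect"=dword:00000001
"KeepAliveTime"=dword:006ddd00
"Hostname"="isa01"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters]
"NoNameReleaseOnDemand"=dword:00000001
"""


def parse_reg_dwords(text):
    """Return {(key path, value name): int} for every REG_DWORD in a .reg file.

    Keys and names are lower-cased because the registry is case-insensitive.
    A file read from disk should be opened with encoding="utf-16", since
    reg.exe writes exports as UTF-16LE with a byte-order mark.
    """
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        dword = _DWORD_RE.match(line)
        if dword and current is not None:
            values[(current, dword.group(1).lower())] = int(dword.group(2), 16)
    return values


def audit(text):
    """Map each section 3.1 value name to (status, detail).

    An absent value is judged by the default that then applies: no entry
    in the export usually means the weak default is in effect.
    """
    found = parse_reg_dwords(text)
    report = {}
    for (subkey, name), (want, default) in EXPECTED.items():
        have = found.get(((SERVICES_KEY + "\\" + subkey).lower(), name.lower()))
        if have is None:
            status = "PASS" if default == want else "FAIL"
            report[name] = (status, f"not set; default {default} applies")
        elif have == want:
            report[name] = ("PASS", f"set to {have}")
        else:
            report[name] = ("FAIL", f"set to {have}, expected {want}")
    return report


def remediation_reg(report):
    """Build .reg text that sets every failing value to the recommended one."""
    by_key = {}
    for (subkey, name), (want, _default) in EXPECTED.items():
        if report[name][0] == "FAIL":
            by_key.setdefault(subkey, []).append(f'"{name}"=dword:{want:08x}')
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey, entries in by_key.items():
        lines.append(f"[{SERVICES_KEY}\\{subkey}]")
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit(SAMPLE_REG)
    for name, (status, detail) in result.items():
        print(f"{status:4} {name}: {detail}")
    print(remediation_reg(result))
```

Review the generated fragment before importing it, since EnablePMTUDiscovery=0 carries the throughput cost noted above.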
• Value name: KeepAliveTime
  Key: Tcpip\Parameters
  Value Type: REG_DWORD (time in milliseconds)
  Valid Range: 1-0xFFFFFFFF
  Default: 7,200,000 (two hours)

  This value controls how frequently TCP tries to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. Keep-alive packets are not sent by default; a program can configure this value on a connection. The recommended value setting is 300,000 (5 minutes).

• Value name: NoNameReleaseOnDemand
  Key: Netbt\Parameters
  Value Type: REG_DWORD
  Valid Range: 0, 1 (False, True)
  Default: 0 (False)

  This value determines whether the computer releases its NetBIOS name when it receives a name-release request. This value was added to permit the administrator to protect the computer against malicious name-release attacks. Microsoft recommends that NoNameReleaseOnDemand be set to a value of 1.

APPENDIX A. RELATED PUBLICATIONS

Government Publications

Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01, “Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND),” March 2003.
Department of Defense (DoD) Directive 8500.1, “Information Assurance,” October 2002.
Department of Defense (DoD) Instruction 8500.2, “Information Assurance (IA) Implementation,” February 2003.
Defense Information Systems Agency (DISA)/Chief Information Officer, Memorandum for Distribution, “DISA Standard Computer Configurations,” Version 1999-A, November 1998.
Defense Information Systems Agency Instruction (DISAI) 630-230-19, “Security Requirements for Automated Information Systems (AIS),” July 1996.
Defense Information Systems Agency (DISA)/Defense Information Services Organization (DISO) Naming Convention Standards, March 1994.
National Security Agency (NSA), “Information Systems Security Products and Services Catalog” (Current Edition).
Defense Logistics Agency Regulation (DLAR) 5200.17, “Security Requirements for Automated Information and Telecommunications Systems,” 9 October 1991.
Army Regulation (AR) 25-2, “Information Assurance,” 14 November 2003.
Air Force Instruction (AFI) 33-202 Volume 1, “Network and Computer Security.”
Secretary of the Navy Instruction (SECNAVINST) 5239.2, “Department of the Navy Automated Information Systems (AIS) Security Program,” 15 November 1989.
Navy Staff Office Publication (NAVSO Pub) 5239-15, “Controlled Access Protection Guidebook,” August 1992.
General Accounting Office Report to Congressional Requester (GAO/AIMD-96-84), “Information Security: Computer Attacks at Department of Defense Pose Increasing Risks.”

Commercial and Other Publications

Microsoft Solutions for Security, Windows 2003 Security Guide, 2005.
Microsoft Solutions for Security, Threats and Countermeasures: Security Settings in Windows 2003 and Windows XP, 2005.
Microsoft Windows 2003 and XP Specialized Security – Limited Functionality Templates (included with the MS Threats and Countermeasures guide).
Microsoft Internet Security and Acceleration Security Guide, 2006.
Web Sites

DISA                                             http://www.disa.mil
DISA Datahouse                                   https://datahouse.disa.mil
DISA Information Assurance                       https://iase.disa.mil
DoD-JTF-GNO                                      http://www.jtfgno.mil
Mergent (encryption software)                    http://www.mergent.com
Microsoft's Knowledge Base Web Site              http://www.microsoft.com/kb/
NCSA                                             http://www.ncsa.com
Netscape                                         http://wp.netscape.com/security/index.html
RSA Data Systems (encryption software)           http://www.rsa.com
Symantec Corporation (ESM)                       http://www.symantec.com
Vulnerability Compliance Tracking System (VCTS)  https://vms.disa.mil

APPENDIX B. LIST OF ACRONYMS

ACL        Access Control List
ADS        Alternate Data Streams
AIS        Automated Information System
AS         Authentication Server
Audit
CCB        Configuration Control Board
CD         Compact Disk
CERT       Computer Emergency Response Team
CIS        The Center for Internet Security
CMOS       Complementary Metal-Oxide Semiconductor
COTS       Commercial Off-The-Shelf
DAA        Designated Approving Authority
DECC       Defense Enterprise Computer Center
DECC-D     Defense Enterprise Computer Center - Detachment
DII        Defense Information Infrastructure
DISA       Defense Information Systems Agency
DISAI      Defense Information Systems Agency Instruction
DLL        Dynamic Link Library
DNS        Domain Name Server
DoD        Department of Defense
DoS        Denial of Service
FTP        File Transfer Protocol
GAO        General Accounting Office
GOTS       Government-Off-The-Shelf
HPFS       High Performance File System
HTTP       Hyper Text Transport Protocol
I&A        Identification and Authentication
IAM        Information Assurance Manager
IAO        Information Assurance Officer
IAW        In Accordance With
IE         Internet Explorer
IETF       Internet Engineering Task Force
IG         Inspector General
IIS        Internet Information Server
INFOSEC    Information Security
INFOWAR    Information Warfare
IP         Internet Protocol
IPX        Internetwork Packet Exchange
IS         Information System
ITA        Intruder Alert
JID        Joint Intrusion Detector
JPEG       Joint Photographic Experts Group
JTF-GNO    Joint Task Force - Global Network Operations
LAN        Local Area Network
LM         LanManager
LSA        Local Security Authority
MAPI       Mail Application Programming Interface
MD5        Message Digest Version 5
MMC        Microsoft Management Console
MOA        Memorandum of Agreement
NCSC       National Computer Security Center
NetBEUI    NetBIOS Extended User Interface
NetBIOS    Network Basic Input/Output System
NIAP       National Information Assurance Partnership
NIC        Network Interface Card
NID        Network Intrusion Detector
NIPRNet    Non-classified (but Sensitive) Internet Protocol Routing Network
NIST       National Institute of Standards and Technology
NNTP       Network News Transfer Protocol
NOSC       Network Operations and Security Center
NSA        National Security Agency
NSO        Network Security Officer
NTFS       NT File System
OS         Operating System
PC         Personal Computer
PCT        Private Communications Technology
PDC        Primary Domain Controller
POC        Point-of-Contact
POP        Point-of-Presence
POSIX      Portable Operating System Interface for Computing Environments
PPE        Password Policy Enforcer
PPP        Point-to-Point Protocol
RAM        Random Access Memory
RAS        Remote Access Service
RCC        Regional Control Center
RCERT      Regional CERT
RISC       Reduced Instruction Set Computer
RNOSC      Regional Network Operations and Security Center
RPC        Remote Procedure Call
RSA        Regional Support Activity
RSC        Regional Service Center
SA         System Administrator
SAM        Security Accounts Manager
SBU        Sensitive but Unclassified
SCSI       Small Computer Systems Interface
SID        Security Identifier
SLA        Service Level Agreement
SLIP       Serial Line Internet Protocol
SMB        Server Message Block
SMS        Systems Management Server
SMTP       Simple Mail Transfer Protocol
SNMP       Simple Network Management Protocol
SOP        Standard Operating Procedure
SRM        Security Reference Monitor
SRR        Secure Readiness Review
SSL        Secure Sockets Layer
SSO        Systems Support Office
STIG       Security Technical Implementation Guide
TAPI       Telephony Applications Programming Interface
TASO       Terminal Area Security Officer
TCB        Trusted Computing Base
TCP        Transmission Control Protocol
UDP        User Datagram Protocol
UPS        Uninterruptible Power Supply
URL        Universal Resource Locator
VAAP       Vulnerability Analysis and Assistance Program
VCTS       Vulnerability Compliance Tracking System
VGA        Video Graphics Array
VMS        Vulnerability Management System
WAN        Wide Area Network
WINS       Windows Internet Name Service
WWW        World Wide Web
