A "secure" Guest account for ISA server

From: BOT House (BOTHouse_at_insight-*-rr-*-com)
Date: 12/14/03


Date: Sun, 14 Dec 2003 14:16:20 -0500

Humor me on this, please. I know it's a stupid question.

Given:

a) the Guest account has been renamed

b) the Guest account's password is blank

c) the only right the Guest account needs is "access this computer from the network", but it doesn't need file or print access

d) this is a Windows 2000 member server in an NT4 domain (AD to be implemented next year)

How would you go about "securing" the server?

I'm thinking explicit denies on various registry keys and system files.

The problem is this: management wants to deploy an interior anonymous proxy server, but they want to know who uses it to go where.
Probably 75% of the users will be from trusted domains. It is up to the untrusted domains as to how they will prevent "their" users
from using "our" proxy (yes, it's a political nightmare).

The only way around this that I can see (without an ISA everyone/everywhere anonymous rule, which is enforced before authentication)
is a Guest account with a blank password.

This worked well on Proxy 2.0 because it would log PROXYSERVER\UNTRUSTEDDOMAINUSER whenever someone used the Guest account. ISA
unfortunately logs ISASERVER\GUESTACCOUNT, but I can live with that.

The ISA server sits behind a PIX so it's not directly exposed to the Internet. It will support Web Proxy and Firewall clients, but
not SecureNAT clients.

REGARDLESS OF THE UNDENIABLE FACT THAT ENABLING "GUEST" WITH A BLANK PASSWORD IS A BAD IDEA, how would you go about locking it down
as much as possible but retaining ISA functionality?


