Configuring ISA Server Logging

ISA Server, by default, creates one log file for the following activities each day:

  • Firewall service activity
  • Web Proxy service activity
  • Packet filtering activity

Information is logged in the ISALogs folder in the ISA Server installation folder:

  • FWSEXTDyyyymmdd.log – contains information on packets processed by the ISA Server Firewall service.
  • WEBEXTDyyyymmdd.log – contains information on packets processed by the Web Proxy service.
  • IPPEXTDyyyymmdd.log – contains information on packets processed by packet filtering. By default, only denied packets are logged. If you want to log information on allowed packets as well, open the IP Packet Filters Properties dialog box and enable the Log Packets From 'Allow' Filters checkbox.

To configure Properties for the different service logs:

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Expand the Logs folder.
  4. In the details pane, double-click the specific service log that you want to configure to access its logging properties.

The configuration settings that you can set for service logs are categorized as follows:

  • Select the logging storage format: Available options are:
    • W3C extended log format.
    • ISA Server format.
    • Log to a database in ODBC format.
  • Enable or disable the log: The Log tab of the Service Log Properties dialog box allows you to enable or disable logging for the specific service.
  • Select frequency of log reports: ISA Server can be configured to create a new log file:
    • Daily
    • Weekly
    • Monthly
    • Yearly
  • Specify whether log files should be compressed.
  • Define the folder where the log files should be stored.
  • Limit the number of log files to retain.
  • Specify which fields should be logged: The Fields tab of the Service Log Properties dialog box allows you to select which fields should be included for logging.

The log fields for the Firewall service and Web Proxy service that you can select are listed here:

  • Client IP (c-ip); IP address of requesting client.
  • Client user name (cs-username); user account from which the request originated.
  • Client agent (c-agent); client application type sent by the client in the Hypertext Transfer Protocol (HTTP) header. For active caching, the client type is ISA Server.
  • Authorization status (sc-authenticated); defines whether a client was authenticated.
  • Date (date); date when the event happened.
  • Time (time); time when the event happened.
  • Service name (s-svcname); service name logged:
    • Fwsrv; specifies the Firewall service.
    • w3proxy; specifies outgoing Web requests.
    • w3reverseproxy; specifies incoming Web requests.
  • Computer name (s-computername); computer name running ISA Server.
  • Referring server name (cs-referred); when ISA Server is set up in a chained configuration, this is the downstream server that sent the request.
  • Destination name (r-host); domain name for the remote computer of the current connection.
  • Destination IP (r-ip); IP address for the remote computer of the current connection.
  • Destination port (r-port); reserved port number on the remote computer for the existing connection.
  • Processing time (time-taken); time ISA Server needs to handle the current connection.
  • Bytes sent (cs-bytes); number of bytes sent from the internal client to the external server for the current connection.
  • Bytes received (sc-bytes); number of bytes sent from the external server to the internal client for the current connection.
  • Protocol name (cs-protocol); the application protocol used for the current connection:
    • Hypertext Transfer Protocol (HTTP)
    • File Transfer Protocol (FTP)
    • Secure Hypertext Transfer Protocol (HTTPS)
    • Gopher protocol
  • Transport (cs-transport); transport protocol used for the current connection:
    • Transmission Control Protocol (TCP)
    • User Datagram Protocol (UDP)
  • Operation (s-operation); indicates the application method utilized. For the Firewall service, values include:
    • CONNECT
    • SEND
    • RECEIVE
    • BIND
    • GHBN (GetHostByName)
    • GHBA (GetHostByAddress)
    For the Web Proxy service, values include:
    • GET
    • PUT
    • HEAD
    • POST
  • Object name (cs-uri); indicates the information within the Uniform Resource Locator (URL) request.
  • Object MIME (cs-mime-type); indicates the Multipurpose Internet Mail Extensions (MIME) type for the object.
  • Object source (s-object-source); source used to retrieve the current object. Values include:
    • O: source information unavailable.
    • Cache.
    • Inet, for the Internet.
    • Member, source is an array member.
    • NotModified, cache is the source – object not modified.
    • NVCache, source is the cache – object not verified to the cache.
    • Upstream, source is an upstream proxy cache.
    • Vcache, source is the cache – object verified to the cache.
    • VFInet, for the Internet – object verified and modified.
  • Result code (sc-status); the result of the request, interpreted according to its numeric range:
    • Values less than 100 – Windows error code.
    • Values between 100 and 1,000 – HTTP status code.
    • Values between 10,000 and 11,004 – Winsock error code.
  • Cache info (s-cache-info); indicates the status of the object with regard to the cache. The value is a combination of the following flags:
    • 0x00000001; the request must not be served from the cache.
    • 0x00000002; the request contains the IF-MODIFIED-SINCE header.
    • 0x00000004; the request contains the CACHE-CONTROL: NO-CACHE header or the PRAGMA: NO-CACHE header.
    • 0x00000008; the request contains the AUTHORIZATION header.
    • 0x00000010; the request contains the VIA header.
    • 0x00000020; the request contains the IF-MATCH header.
    • 0x00000040; the request contains the RANGE header.
    • 0x00000080; the request contains the CACHE-CONTROL: NO-STORE header.
    • 0x00000100; the request contains the CACHE-CONTROL: MAX-AGE header, the CACHE-CONTROL: MAX-STALE header, or the CACHE-CONTROL: MIN-FRESH header.
    • 0x00000200; cache could not be modified.
    • 0x00000400; the IF-MODIFIED-SINCE value in the request is newer than the cached LAST-MODIFIED time.
    • 0x00000800; the request contains the CACHE-CONTROL: ONLY-IF-CACHED header.
    • 0x00001000; the request contains the IF-NONE-MATCH header.
    • 0x00002000; the request contains the IF-UNMODIFIED-SINCE header.
    • 0x00004000; request contains the IF-RANGE header.
    • 0x00008000; multiple VARY headers.
    • 0x00010000; the response contains the CACHE-CONTROL: PUBLIC header.
    • 0x00020000; the response contains the CACHE-CONTROL: PRIVATE header.
    • 0x00040000; the response contains the CACHE-CONTROL: NO-CACHE header or the PRAGMA: NO-CACHE header.
    • 0x00080000; the response contains the CACHE-CONTROL: NO-STORE header.
    • 0x00100000; the response contains the CACHE-CONTROL: MUST-REVALIDATE header or the CACHE-CONTROL: PROXY-REVALIDATE header.
    • 0x00200000; the response contains the CACHE-CONTROL: MAX-AGE header or the S-MAXAGE header.
    • 0x00400000; the response contains the VARY header.
    • 0x00800000; the response contains the LAST-MODIFIED header.
    • 0x01000000; the response contains the EXPIRES header.
    • 0x02000000; the response contains the SET-COOKIE header.
    • 0x04000000; the response contains the WWW-AUTHENTICATE header.
    • 0x08000000; the response contains the VIA header.
    • 0x10000000; the response contains the AGE header.
    • 0x20000000; the response contains the TRANSFER-ENCODING header.
    • 0x40000000; the response should not be cached.
  • Rule #1 (rule#1); the initial rule that allowed/denied the request.
  • Rule #2 (rule#2); the second rule that allowed/denied the request.
  • Session ID (sessionid); specifies the connections for the session.
  • Connection ID (connectionid); specifies the entries that are part of the same connection.
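The two coded fields above, sc-status (interpreted by numeric range) and s-cache-info (a combination of flag bits), are the ones an analyst has to decode before a Web Proxy log line makes sense. The following is an added example, not ISA Server code: a small parser for the W3C extended log format (column names come from the `#Fields:` directive, `-` marks an empty field) that classifies sc-status into the Windows, HTTP and Winsock ranges and expands s-cache-info into the flag names listed above (only a subset of the bits is tabulated). The sample log is constructed with the field names from the text; the assumption that s-cache-info may be written either as decimal or as 0x-prefixed hex is ours.

```python
"""Parse ISA Server W3C extended log lines and decode sc-status and s-cache-info.

Added example, not ISA Server code. The sample log is constructed; the
sc-status ranges and the s-cache-info bit meanings follow the field list
in the text (subset of bits only).
"""
from typing import Dict, List

# Subset of the s-cache-info bits listed in the text.
CACHE_INFO_BITS = {
    0x00000001: "request must not be served from cache",
    0x00000002: "request has If-Modified-Since",
    0x00000004: "request has Cache-Control: no-cache or Pragma: no-cache",
    0x00000008: "request has Authorization",
    0x00000080: "request has Cache-Control: no-store",
    0x00020000: "response has Cache-Control: private",
    0x00040000: "response has Cache-Control: no-cache or Pragma: no-cache",
    0x00080000: "response has Cache-Control: no-store",
    0x02000000: "response has Set-Cookie",
    0x04000000: "response has WWW-Authenticate",
    0x40000000: "response should not be cached",
}


def classify_status(code: int) -> str:
    """Map an sc-status value into the three ranges described in the text."""
    if code < 100:
        return "windows"          # Windows error code
    if code < 1000:
        return "http"             # HTTP status code
    if 10000 <= code <= 11004:
        return "winsock"          # Winsock error code
    return "unknown"


def decode_cache_info(value: str) -> List[str]:
    """Expand an s-cache-info bitmask (decimal or 0x-hex, assumed) into bit names."""
    mask = int(value, 16) if value.lower().startswith("0x") else int(value)
    return [name for bit, name in sorted(CACHE_INFO_BITS.items()) if mask & bit]


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request line."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                      # malformed line; a production tool should report it
        entries.append({k: ("" if v == "-" else v) for k, v in zip(fields, values)})
    return entries


def summarize(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Pick out the fields an analyst looks at first and decode the coded ones."""
    rows: List[Dict[str, object]] = []
    for e in entries:
        code = int(e["sc-status"])
        rows.append({
            "client": e["c-ip"],
            "user": e["cs-username"],
            "uri": e["cs-uri"],
            "status": code,
            "status_class": classify_status(code),
            "cache_flags": decode_cache_info(e["s-cache-info"]),
            "rule": e["rule#1"] or e["rule#2"],   # whichever rule decided the request
        })
    return rows


# Constructed sample in W3C extended format using the field names from the text.
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2
10.0.0.15 EXAMPLE\\alice Mozilla/4.0 Y 2024-01-05 08:12:01 w3proxy ISA1 www.example.com 203.0.113.10 80 120 412 5120 http TCP GET http://www.example.com/ text/html Inet 200 0x04000008 AllowWeb -
10.0.0.22 anonymous Mozilla/4.0 N 2024-01-05 08:12:09 w3proxy ISA1 intranet.example.com 10.0.0.5 80 3 200 0 http TCP GET http://intranet.example.com/ - - 11001 0x00000000 - DenyRule
"""


def sample_rows() -> List[Dict[str, object]]:
    """Decode the constructed sample log."""
    return summarize(parse_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    for row in sample_rows():
        print(row)
```

The first sample line decodes to an HTTP 200 with the Authorization and WWW-Authenticate bits set, which is why it was fetched from the Internet rather than the cache; the second carries a Winsock-range code (11001) and the denying rule in rule#2. Lines whose column count does not match the `#Fields:` directive are skipped rather than guessed at, which is the safer choice when a log has been truncated or hand-edited.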

The log fields for packet filtering that you can select are listed here:

  • Date (date); date on which the packet was received.
  • Time (time); time when packet was received.
  • Source IP (source-ip); IP address of the source computer which sent the packet.
  • Destination IP (destination-ip); network IP address of the destination computer, which is typically the ISA Server computer address.
  • Protocol (protocol); transport protocol used for the current connection:
    • Transmission Control Protocol (TCP)
    • User Datagram Protocol (UDP)
    • Internet Control Message Protocol (ICMP)
  • Source port (or protocol type, if ICMP) (param#1); remote port which was used to establish the connection (TCP and UDP). With ICMP, it indicates the ICMP type of the packet.
  • Destination port (or protocol code, if ICMP) (param#2); local port which was used to establish the connection (TCP and UDP). With ICMP, it indicates the ICMP code of the packet.
  • TCP flags (tcp-flags); indicates the TCP flags set in the packet header:
    • ACK
    • FIN
    • PSH
    • RST
    • SYN
    • URG
  • Rule (filter-rule); specifies whether the packet was allowed or dropped:
    • 1 – allowed
    • 2 – dropped
  • Interface IP address (interface); interface(s) that received the packet.
  • Header (ip-header); IP header information, in hexadecimal format, of the packet which triggered the alert.
  • Payload (payload); data payload in the hexadecimal format, following the IP header, of the packet which triggered the alert.

Storing ISA Server logs in an ODBC database

You do not have to store your log information in a file; you can store it in an ODBC database as well. This enables you to more finely control where ISA Server service information is logged. You can also log information from multiple ISA servers in a centralized database.

To log service information in an ODBC database, you have to perform a number of steps:

  • Create the database and tables to store logging information. The ISA Server CD-ROM contains a few sample scripts that create tables which support database logging, and indexes that support table queries. These items are in the root folder:
    • FWSRV.sql: Contains the Firewall service log table (FirewallLog), and indexes for queries.
    • W3PROX.sql: Contains the Web Proxy service log table (WebProxyLog), and indexes for queries.
    • Pf.sql: Contains the packet filter log table (PacketFilterLog), and indexes for running queries.
  • Create the ODBC Data Source Name (DSN) which will enable ISA Server to move logged data to the database.
  • Set the ISA Server logs to log to the ODBC database. This is done on the Service Log Properties dialog box, on the Log tab, by selecting the Database option.

How to configure ISA service logging to a file

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node, and then select the Logs folder.
  3. Right-click the service that you want to configure logging settings for and select Properties from the shortcut menu.
  4. The Service Log Properties dialog box opens.
  5. On the Log tab, select the File option.
  6. In the Format drop-down list box, choose the log format for logging activity on this particular service.
  7. In the Create A New File drop-down list box, select how often ISA Server should create a new log file.
  8. Click the Options button.
  9. The Options dialog box opens.
  10. If you want to save the log file in the ISA Server installation folder, then select the ISALogs Folder option.
  11. If you want to change the location where the log file is stored, then click the Other Folder option and enter the name of the folder in the available textbox.
  12. If you want to compress log files, then select the Compress Log Files checkbox.
  13. If you want to limit the number of log files that are retained, select the Limit Number Of Log Files checkbox. Enter the number of log files in the textbox.
  14. Click OK in the Options dialog box.
  15. Click OK in the Service Log Properties dialog box.

How to create the Data Source Name to be used by ISA Server (logging to ODBC database)

  1. Click Start, Administrative Tools, and then select ODBC Data Sources (ODBC).
  2. Click the System DSN tab.
  3. Click Add.
  4. The Create New Data Source page opens.
  5. Select the driver for the database that you have created.
  6. Follow the displayed instructions to finish creating the data source.
  7. Click Finish.

How to configure the ODBC logging option

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node, and then select the Logs folder.
  3. Right-click the service that you want to configure logging settings for and select Properties from the shortcut menu.
  4. The Service Log Properties dialog box opens.
  5. In the Log Storage Format of the Log tab, click the Database option.
  6. In the ODBC Data Source (DSN) box, enter the name of the ODBC data source.
  7. In the Table Name box, set the name of the table for the service log.
  8. Click the Set Account button.
  9. Enter the name of the account to use in the User textbox.
  10. Enter the password in the Password and Confirm Password textboxes.
  11. Click OK.
  12. Click OK in the Service Log Properties dialog box.

How to enable logging for allowed packets

  1. Open the ISA Management console.
  2. Expand the Access Policy node.
  3. Right-click the IP Packet Filters folder and select Properties from the shortcut menu.
  4. The IP Packet Filters Properties dialog box opens.
  5. Click the Packet Filters tab.
  6. Enable the Log Packets From ‘Allow’ Filters checkbox.
  7. Click OK.

How to enable logging for blocked packets

  1. Open the ISA Management console.
  2. Click the View menu and select Advanced.
  3. Expand the Access Policy node.
  4. Select the IP Packet Filters folder.
  5. Right-click the packet filter you want to log blocked packets for and select Properties from the shortcut menu.
  6. Enable the Log Any Packets Matching This Filter checkbox.
  7. Click OK.

How to configure fields for logging

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node, and then select the Logs folder.
  3. Right-click the service that you want to configure logging fields for and select Properties from the shortcut menu.
  4. The Service Log Properties dialog box opens.
  5. Click the Fields tab.
  6. If you want to clear all fields that are enabled for logging, select the Clear All button.
  7. If you want to choose a specific field(s) for logging, then select the checkbox alongside each field.
  8. If you want include all fields, select the Select All button.
  9. If you want to use the default fields, select the Restore Defaults button.
  10. Click OK.

Configuring ISA Server Intrusion Detection

Firewalls that include intrusion detection features are able to detect the attributes of possible network attacks as they inspect packets. ISA Server implements intrusion detection at the packet filter level and at the application filter level.

ISA Server intrusion-detection also allows you to define what action should be implemented by the system when an attack is detected:

  • Send an e-mail message to the administrator.
  • Record the event in the Windows 2000 Event Log.
  • Run a program or script.
  • Stop the Firewall service.

ISA Server can detect the following attacks at the packet filter level:

  • All Ports Scan Attack; an attacker is attempting to access more than the configured number of ports. Port scanning, or simply scanning, is the process by which intruders collect information on the network services of a target network. Here, the intruder attempts to find open ports on the target system.
  • Enumerated Port Scan Attack; the unauthorized intruder uses a number of methods to collect information on applications and hosts on the network, and to count the services running on a computer. The intruder probes the ports for a response.
  • IP Half Scan Attack; the attacker makes numerous connection attempts to a computer, but does not actually log on. The purpose of the attack is to probe for open ports.
  • Land Attack; TCP SYN packets are sent with a spoofed source IP address and port number that match the destination IP address and port number.
  • Ping of Death Attack; a large amount of information is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet in an attempt to cause a kernel buffer overflow and crash the computer.
  • UDP Bomb Attack; UDP packets that contain illegal values in certain fields are sent in an attempt to cause older operating systems to crash.
  • Windows Out of Band Attack; a denial-of-service attack against an internal computer protected by ISA Server.

You can configure POP and DNS intrusion detection filters to check for the following:

  • DNS Hostname Overflow
  • DNS Length Overflow
  • DNS Zone Transfer from Privileged Ports (1-1024)
  • DNS Zone Transfer from High Ports (above 1024)

How to configure intrusion detection

  1. Open the ISA Management console.
  2. Expand the Access Policy node and then expand IP Packet Filters.
  3. Right-click IP Packet Filters and select Properties from the shortcut menu.
  4. Select the Enable Packet Filtering checkbox.
  5. Select the Enable Intrusion Detection checkbox.
  6. Click the Intrusion Detection tab.
  7. Select the Windows Out-Of-Band (WinNuke) checkbox.
  8. Select the Land checkbox.
  9. Select the Ping Of Death checkbox.
  10. Select the IP Half Scan checkbox.
  11. Select the UDP Bomb checkbox.
  12. Select the Port Scan checkbox.
  13. In the Well-Known Ports textbox, specify the maximum number of well-known ports that should be scanned prior to an event being generated.
  14. In the Ports textbox, specify the number of ports that should be scanned prior to an event being generated.
  15. Click OK.
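Steps 13 and 14 set the two port-scan thresholds (distinct well-known ports and distinct ports overall) that ISA Server counts before raising an event. The packet filter log fields listed earlier (source-ip, protocol, param#2, filter-rule) carry enough information to re-run that check offline, for instance over logs exported to a central store. The following is an added example, not ISA Server code: it parses tab-delimited ISA Server format lines with the packet filter field order from the text (header and payload columns omitted) and applies both thresholds to dropped TCP/UDP packets per source address. The sample log is constructed. Two assumptions are ours: ports below 1024 count as well-known, and no time window is applied, because the text does not describe ISA Server's own counting window.

```python
"""Re-check ISA Server packet filter log entries for port-scan patterns.

Added example, not ISA Server code. Field order follows the packet filter
field list in the text; the sample lines are constructed. Assumptions:
ports below 1024 are "well-known", and counts are not time-windowed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Packet filter log field order as listed in the text (ip-header/payload omitted).
PF_FIELDS = ["date", "time", "source-ip", "destination-ip", "protocol",
             "param#1", "param#2", "tcp-flags", "filter-rule", "interface"]

FILTER_RULE = {"1": "allowed", "2": "dropped"}   # filter-rule values from the text


def parse_packet_filter_log(text: str) -> List[Dict[str, str]]:
    """Split tab-delimited (ISA Server format) lines into dicts keyed by PF_FIELDS."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(PF_FIELDS):
            continue   # malformed line; a production tool should report it
        entries.append(dict(zip(PF_FIELDS, values)))
    return entries


def detect_port_scans(entries: List[Dict[str, str]], well_known_threshold: int = 10,
                      all_ports_threshold: int = 20) -> Dict[str, List[str]]:
    """Return {source-ip: [thresholds exceeded]} over dropped TCP/UDP packets.

    Mirrors the Well-Known Ports and Ports settings of the Intrusion Detection
    tab: a source is reported once it has touched more distinct destination
    ports than the corresponding threshold.
    """
    well_known: Dict[str, Set[int]] = defaultdict(set)
    all_ports: Dict[str, Set[int]] = defaultdict(set)
    for e in entries:
        if FILTER_RULE.get(e["filter-rule"]) != "dropped":
            continue   # only denied packets indicate probing of closed ports
        if e["protocol"] == "ICMP":
            continue   # for ICMP, param#2 is a code, not a destination port
        port = int(e["param#2"])
        all_ports[e["source-ip"]].add(port)
        if port < 1024:                      # assumption: well-known range
            well_known[e["source-ip"]].add(port)
    findings: Dict[str, List[str]] = {}
    for src, ports in all_ports.items():
        exceeded = []
        if len(well_known[src]) > well_known_threshold:
            exceeded.append("well-known")
        if len(ports) > all_ports_threshold:
            exceeded.append("all-ports")
        if exceeded:
            findings[src] = exceeded
    return findings


def _pf_line(time: str, src: str, dst: str, proto: str, p1: str, p2: str,
             flags: str, rule: str) -> str:
    """Build one constructed log line; the interface column is fixed to the external IP."""
    return "\t".join(["2024-01-05", time, src, dst, proto, p1, p2, flags, rule, "203.0.113.1"])


SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]

# Constructed sample: one external host probing twelve ports (all dropped), an ICMP
# echo request from the same host, and ordinary traffic from an internal client.
SAMPLE_LOG = "\n".join(
    [_pf_line(f"02:15:{i:02d}", "198.51.100.7", "203.0.113.1", "TCP", "40000", str(p), "SYN", "2")
     for i, p in enumerate(SCANNED_PORTS)]
    + [_pf_line("02:15:30", "198.51.100.7", "203.0.113.1", "ICMP", "8", "0", "-", "2"),
       _pf_line("08:00:01", "10.0.0.40", "10.0.0.1", "TCP", "1055", "80", "SYN", "1"),
       _pf_line("08:00:02", "10.0.0.40", "10.0.0.1", "TCP", "1056", "80", "SYN", "1"),
       _pf_line("08:00:05", "10.0.0.40", "10.0.0.1", "TCP", "1057", "23", "SYN", "2")]
)


def scan_findings(well_known_threshold: int = 10, all_ports_threshold: int = 20) -> Dict[str, List[str]]:
    """Run the detection over the constructed sample with the given thresholds."""
    return detect_port_scans(parse_packet_filter_log(SAMPLE_LOG),
                             well_known_threshold, all_ports_threshold)


if __name__ == "__main__":
    print(scan_findings())   # {'198.51.100.7': ['well-known']}
```

With the defaults, the external host exceeds only the well-known-ports threshold (11 distinct ports below 1024 against a threshold of 10) while staying under the all-ports threshold, which matches how the two settings are meant to be tuned independently; lowering both to 5 makes it trip both. Allowed packets and ICMP are deliberately excluded from the count so that normal client traffic does not inflate the figures.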

How to configure the DNS intrusion Detection filter

  1. Open the ISA Management console.
  2. Expand the Application Filters node.
  3. Right-click the DNS Intrusion Detection Filter and select Properties from the shortcut menu.
  4. The DNS Intrusion Detection Filter dialog box opens.
  5. Select the Enable checkbox on the General tab.
  6. Select the DNS hostname overflow checkbox.
  7. Select the DNS length overflow checkbox.
  8. Select the DNS zone transfer from privileged ports (1-1024) checkbox.
  9. Select the DNS zone transfer from high ports (above 1024) checkbox.
  10. Click OK.

Configuring Alerts in ISA Server

ISA Server uses alerts to notify you when specific events occur. Each alert pertains to a specific event. By default, 39 alerts are enabled when ISA Server is installed. In total, ISA Server includes 45 alerts. Alerts write information on an event in the Windows event log by default. You can view these events in the Application Log of Event Viewer.

To view the ISA Server alerts:

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. All alerts are displayed in the details pane.

You can configure alerts to respond with a specific action:

  • Start or stop ISA Server services.
  • Log an event to the Windows event log.
  • Perform a specific action, such as running a program.
  • Send an email.

You can configure alerts by setting a number of thresholds that in turn define when the alert action will be initiated:

  • Specify the number of events that should occur before an alert is issued.
  • Specify the number of events per second that must occur before an alert is issued. This is known as the event frequency threshold.
  • Specify the time to wait before reissuing the alert.

The ISA Server events that you can specify are listed here:

  • Alert action failure; action for the alert failed.
  • Asymmetric installation; a component for the array does not exist on the server.
  • Cache container initialization error; cache container initialization failed.
  • Cache container recovery complete; a container recovery has completed.
  • Cache file resize failure; failure occurred when attempting to reduce the size of the ISA Server cache file.
  • Cache initialization failure; failure that resulted in the Web cache proxy being disabled.
  • Cache recovery completed; content recovery has completed.
  • Cache write error; failure occurred when writing cached content to the ISA cache.
  • Cached object ignored; an object with conflicting information was ignored in the cache recovery process.
  • Client/server communication failure; communication between the ISA Server Firewall service and Firewall client failed.
  • Component load failure; failure to load an extension component.
  • Configuration error; ISA Server configuration incorrect.
  • Dial on demand failure; failure to create a dial-on-demand connection.
  • DNS Intrusion; either of the following attacks occurred:
    • Host name overflow
    • Length overflow
    • Zone high port
    • Zone transfer
  • Event logging failure; event information could not be logged to the event log.
  • Failed to retrieve object; object could not be retrieved.
  • Intra-array credentials; intra-array credentials invalid.
  • Intrusion detected; external user initiated intrusion attack.
  • Invalid dial-on-demand credentials; incorrect dial-on-demand credentials.
  • Invalid ODBC log credentials; user name or password for ODBC database incorrect.
  • IP packet dropped; IP packet denied access and was dropped.
  • IP Protocol violation; IP packet with invalid IP options dropped.
  • IP Spoofing; invalid IP packet source address.
  • Log failure; logging failed for service.
  • Network configuration changed; network configuration modification affecting ISA Server.
  • OS component conflict; conflict with either of the following operating system components:
    • ICS
    • NAT Editor
    • Routing and Remote Access
  • Oversize UDP packet; UDP packet surpassed maximum size and was dropped.
  • POP Intrusion; Post Office Protocol (POP) buffer overflow.
  • Report Summary Generation Failure; error received when generating a report summary from the log files.
  • Resource allocation failure; resource allocation failure occurred.
  • RPC filter – server connectivity changed; connectivity to the publishing RPC service has changed.
  • Server Publishing Failure; server publishing failure, and the server publishing rule could not be applied.
  • Service Initialization failure; service initialization failure occurred.
  • Service not responding; ISA Server service ended suddenly.
  • Service shutdown; service stopped properly.
  • Service started; service started properly.
  • SMTP Filter Event; SMTP filter event took place.
  • SOCKS configuration failure; port specified in SOCKS configuration being used by a different protocol.
  • SOCKS request was refused; SOCKS request was refused because of a policy violation.
  • The server is out of array’s site; members of the array must be in the same site – the server is in another site.
  • Unregistered event; unregistered event occurred.
  • Upstream chaining credentials; upstream chaining credentials invalid.
  • Web Proxy routing failure; ISA Server Web Proxy service failed to route a request to an upstream server.
  • Web Proxy routing recovery; ISA Server Web Proxy service restarted to route requests to an upstream server.
  • WMT live stream splitting failure; an error occurred in the streaming media application filter while splitting a live stream.

How to enable an alert

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. If you want to enable a specific alert, simply right-click the alert and select Enable from the shortcut menu.

How to create a new alert

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Right-click the Alerts folder and then select New and then Alert from the shortcut menu.
  4. The New Alert Wizard launches.
  5. Provide a name for the new alert and then click Next.
  6. If you are working with an ISA Server array, select one of the following options:
    • Any Server
    • This Server
  7. Click Next.
  8. The Events and Conditions page opens.
  9. In the Event drop-down box, select the event.
  10. In the Additional Condition drop-down box, choose any additional conditions if applicable and then click Next.
  11. The Actions page opens. Select the alert actions:
    • Send an e-mail message.
    • Run a program.
    • Report the event to the Windows event log.
    • Stop selected ISA Server services.
    • Start selected ISA Server services.
  12. Click Next.
  13. Depending on your event action, on the following page, enter information on where the email should be sent, or specify the information required for running a program, or specify which services should be stopped or started. Click Next.
  14. Click Finish.

How to configure alert conditions

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. Right-click the alert that you want to configure conditions for and then select Properties from the shortcut menu.
  5. Click the Events tab.
  6. In the Event drop-down list box, select which event should trigger the alert.
  7. In the Additional Condition drop-down list box, specify any additional condition.
  8. In the By Server drop-down list box, select the server in the array or specify the Any option to apply the alert to all servers in the array.
  9. Click OK.

How to configure alert thresholds

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. Right-click the alert that you want to configure thresholds for and then select Properties from the shortcut menu.
  5. Click the Events tab.
  6. Enable the Number Of Occurrences Before The Alert Is Issued checkbox.
  7. Enter the number of events that should occur before an alert is issued.
  8. Enable the Number Of Events Per Second Before The Alert Is Issued checkbox.
  9. Specify how many events should occur, per second, before the alert is issued.
  10. Choose the Immediately option if you want the alert reissued immediately.
  11. Choose the After Manual Reset Of Alert option if you want the alert reissued only after it has been reset.
  12. Choose the Time Since Last Execution Is More Than Minutes option if you want the alert reissued after the time that you define.
  13. Click OK.
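The three settings above (occurrences before issue, events per second, and the reissue policy) decide how many alerts a noisy event source actually produces, which matters both for not flooding the event log and for not suppressing a real attack behind a long reissue delay. The following is an added example, not ISA Server code, and one interpretation of the thresholds listed here and in the earlier "Configuring Alerts" section: it replays a list of event timestamps (in seconds) through a small state machine and reports when the alert would be issued. The text does not give ISA Server's exact counting rules, so the following are assumptions: the occurrence count accumulates between issues, the per-second check looks at events within the last one second, After Manual Reset disarms the alert until `reset()` is called, and Time Since Last Execution suppresses reissue for the given number of minutes.

```python
"""Model ISA Server alert thresholds: occurrences, events per second, reissue policy.

Added example, not ISA Server code; the counting rules are assumptions
stated in the lead-in, not ISA Server's documented behaviour.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AlertThresholds:
    occurrences: int = 1               # Number Of Occurrences Before The Alert Is Issued
    per_second: Optional[int] = None   # Number Of Events Per Second ... (None = not checked)
    reissue: str = "immediately"       # "immediately" | "manual_reset" | "after_minutes"
    minutes: int = 0                   # Time Since Last Execution Is More Than ... Minutes


@dataclass
class AlertState:
    thresholds: AlertThresholds
    pending: List[float] = field(default_factory=list)   # events since the last issue
    last_issued: Optional[float] = None
    armed: bool = True
    issued_at: List[float] = field(default_factory=list)

    def reset(self) -> None:
        """Manual reset from the console (Reset Alert): re-arm the alert."""
        self.armed = True
        self.pending.clear()

    def event(self, t: float) -> bool:
        """Record one event at time t (seconds); return True if an alert is issued now."""
        self.pending.append(t)
        th = self.thresholds
        if not self.armed:
            return False                      # waiting for a manual reset
        if (th.reissue == "after_minutes" and self.last_issued is not None
                and t - self.last_issued < th.minutes * 60):
            return False                      # still inside the reissue delay
        if len(self.pending) < th.occurrences:
            return False                      # occurrence threshold not reached
        if th.per_second is not None:
            recent = [x for x in self.pending if t - x <= 1.0]
            if len(recent) < th.per_second:
                return False                  # rate threshold not reached
        self.issued_at.append(t)
        self.last_issued = t
        self.pending.clear()
        if th.reissue == "manual_reset":
            self.armed = False
        return True


def issued_alerts(event_times: List[float], thresholds: AlertThresholds) -> List[float]:
    """Replay events and return the times at which the alert would be issued."""
    state = AlertState(thresholds)
    for t in event_times:
        state.event(t)
    return state.issued_at


if __name__ == "__main__":
    burst = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0]
    print(issued_alerts(burst, AlertThresholds(occurrences=3)))                          # [2.0, 5.0]
    print(issued_alerts(burst, AlertThresholds(occurrences=3, reissue="manual_reset")))  # [2.0]
    print(issued_alerts([0.0, 10.0, 70.0], AlertThresholds(reissue="after_minutes", minutes=1)))  # [0.0, 70.0]
    print(issued_alerts([0.0, 0.2, 0.4, 10.0, 10.5], AlertThresholds(per_second=3)))     # [0.4]
```

The four runs in the usage block show the trade-off: the same six events yield two alerts with Immediately, one with After Manual Reset, and the per-second setting fires only on the genuine burst at the start while ignoring the two slower events later on. Setting a large reissue delay on an alert such as Intrusion Detected is therefore a conscious decision to see only the first of a series.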

How to configure alert actions

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. Right-click the alert that you want to configure alert actions for and then select Properties from the shortcut menu.
  5. Click the Actions tab.
  6. If you want an email sent once an alert condition takes place, then select the Send E-mail checkbox. Specify the following information:
    • Simple Mail Transfer Protocol (SMTP) server name.
    • Email recipient information.
    • Email sender information.
  7. If you want a program initiated once an alert condition takes place, then select the Program checkbox. Specify the following information:
    • Command to run.
    • Account for running the program.
  8. If you want to log the event once an alert condition takes place, then select the Report To Windows 2000 Event Log checkbox.
  9. If you want to stop ISA Server services once an alert condition takes place, then select the Stop Selected Services checkbox, and click the Select button to specify the ISA Server services that should be stopped.
  10. If you want to start ISA Server services once an alert condition takes place, then select the Start Selected Services checkbox, and click the Select button to specify the ISA Server services that should be started.
  11. Click OK.

How to reset an alert

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. Right-click the alert that you want to reset and select Reset Alert from the shortcut menu.

How to configure the Intrusion Detected alert to send an email message

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. Right-click Intrusion Detected and then select Properties from the shortcut menu.
  5. The Intrusion Detected Properties dialog box opens.
  6. Click the Actions tab.
  7. Select the Send E-mail checkbox.
  8. In the SMTP Server textbox, enter the Simple Mail Transfer Protocol (SMTP) server name.
  9. In the To textbox, enter the recipient information.
  10. In the From textbox, enter the email sender information.
  11. To test the configuration, click the Test button.
  12. Click OK when a message is displayed stating that the simulation completed successfully.
  13. Click OK in the Intrusion Detected Properties dialog box.

How to disable an alert

  1. Open the ISA Management console.
  2. Expand the Monitoring Configuration node.
  3. Select the Alerts folder.
  4. Right-click the alert that you want to disable and then select Disable from the shortcut menu.

Troubleshooting Network Security and Usage Problems

There are three strategies which you can use to monitor for network security and usage problems:

  • Use the Security Configuration And Analysis feature: The Security Configuration and Analysis feature, initially introduced in Windows 2000, enables you to create, modify and apply security settings through the use of security templates. The tool is useful for scanning, analyzing, and setting local system security. The Security Configuration and Analysis tool is also capable of comparing a security template to the existing security settings of a local computer so that you can identify any potential security discrepancies. Once the analysis is complete, you are shown all detected discrepancies. You should use the Secedit command-line tool to analyze a large number of computers.
  • Use the Netstat utility: You can use the Netstat utility to:
    • Determine the current state of TCP/IP connections and view protocol statistics.
    • Obtain information on the following protocols:
      • IP
      • TCP
      • UDP
      • ICMP
    • View client mappings, and determine which process or application owns a particular connection.
  • Use the Network Monitor utility: You can use Network Monitor to monitor network traffic, and to troubleshoot network issues. You can also use Network Monitor to gather network information for capacity planning and to establish baselines. Network Monitor allows you to monitor and log network activity as it occurs. You can run Network Monitor on an interface of the ISA Server if you want to view packet information. You can also view connections and connection attempts, protocol types, and source and destination address information.

There are two versions of Network Monitor available:

  • The basic Network Monitor version, which is included with Windows 2000 and Windows Server 2003.
  • The full Network Monitor version, which is included with Microsoft Systems Management Server (SMS).

The Network Monitor driver is the component of Network Monitor which captures frames passed to and from the network adapter on which it is installed. The Network Monitor driver therefore needs to be installed on the machine whose network activity you want to monitor. The Network Monitor tools are used to examine and analyze traffic captured by the Network Monitor driver.

How to save the Security Configuration And Analysis snap-in console under the Administrative Tools menu

  1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
  2. In the Console menu, click Add/Remove Snap-In, and click Add.
  3. Click Security Configuration And Analysis, and then click Add.
  4. Click Close.
  5. In the Console menu, click Save.
  6. Enter a name for the console, and then click Save.
  7. You can now access the Security Configuration And Analysis console from the Administrative Tools menu.

How to create a security configuration and analysis database

  1. Open the Security Configuration And Analysis console.
  2. Right-click Security Configuration And Analysis, and select Open Database on the shortcut menu.
  3. To use an existing database, select the database, and click Open.
  4. To create a new database, enter the name of the file in File Name, and click Open.
  5. When the Import Template dialog box opens, choose the security template that should be imported into the new database. Click Open.

How to apply a security template to a local policy

  1. Open the Security Configuration And Analysis console.
  2. Right-click Security Configuration And Analysis, and then click Open Database on the shortcut menu.
  3. Enter a name for the database, and click Open.
  4. Choose a template from the Import Template window. Click Open.
  5. Right-click Security Configuration And Analysis, and then click Configure Computer Now to apply the security settings to the local computer.

How to analyze the security settings of the local computer

  1. Open the Security Configuration And Analysis console.
  2. Right-click Security Configuration And Analysis and then select Analyze Computer Now on the shortcut menu.
  3. When the Perform Analysis dialog box opens, verify that the path specified for the log file is correct. If not, enter the proper path for the log file.
  4. Click OK to start the analysis of the computer.
  5. You can view the contents of the log file by right-clicking Security Configuration And Analysis, and then clicking View Log File on the shortcut menu.

How to install Network Monitor

  1. Click Start, and then click Control Panel.
  2. Click Add Or Remove Programs to open the Add Or Remove Programs dialog box.
  3. Click Add/Remove Windows Components.
  4. The Windows Components Wizard launches.
  5. Select Management and Monitoring Tools and click the Details button.
  6. In the Management and Monitoring Tools dialog box, select the Network Monitor Tools checkbox and click OK.
  7. Click Next when you are returned to the Windows Components Wizard.
  8. If prompted during the installation process for additional files, place the Windows Server 2003 CD-ROM into the CD-ROM drive. If the required files exist on the network, specify the location of these files.
  9. Click Finish on the Completing the Windows Components Wizard page.

How to capture and view packets on the ISA Server interface

  1. Click Start, Administrative Tools, and then click Network Monitor.
  2. Specify which network should be monitored.
  3. Click the Capture menu and then select Start.
  4. After sufficient data has been collected, click the Capture menu, click Stop, and then click View.