Problem solve Get help with specific problems with your technologies, process and projects.

Securing the Windows gateway: a checklist

Make sure your Windows gateway, the entry point to your network, is as secure as possible by following these five steps.

It takes work to make any installation of an operating system secure -- or at least secure against the vast majority of threats out there, since the idea of total computer security is somewhat misleading. If you're using Windows as your gateway server, via Microsoft's ISA Server or a similar product, then you need to give your gateway extra-special attention.

A full exploration of all the possible roles for ISA Server (as a front-end firewall, as a perimeter network firewall, etc.) would be beyond the scope of this piece, but consider the following core considerations for keeping a Windows-based gateway computer secure:

 Checklist: Securing the Windows gateway
1. Plan your server to match your topology. Figure out exactly what this server is going to be responsible for and configure it to match that role. For instance, a server that will
handle all traffic between your network and the Internet needs to be locked down a lot more heavily than a perimeter server (one that protects one network segment from the rest of your
LAN). It may also need different hardware, such as an edge server, multi-homed, to keep up with the amount of traffic going through. Finally, don't install anything on this server
that does not absolutely have to be there; the cleaner the system to begin with, the better.
2. Start with the basics. First, get the system up to speed as far as service packs and security hotfixes go. No house can be built on a shaky foundation. Once you install ISA
Server itself (if that's what you're using), be sure to bring it up to speed, too, with the appropriate updates.
3. Perform a baseline security analysis. One of the most useful tools Microsoft provides for hardening a system -- they call it "reducing the attack surface" -- is the Baseline Security
Analyzer. The BSA scans for security problems in any product supported by Microsoft Update, in addition to Windows itself, and prints out a detailed report of what to change and
why. Even if you're not running ISA Server, this is an excellent way to gather information about what to lock down.
4. Harden ISA itself. Microsoft's ISA Server Security Hardening Guide is a long, extremely detailed and very comprehensive step-by-step guide to locking down ISA Server. Read
it thoroughly before employing any of it. Note that you should not modify any of ISA Server's Discretionary Access Control Lists (DACLs) via Group Policy or another mechanism;
let ISA Server manage those directly or you'll have a conflict between your custom settings and ISA's settings.
5. Configure your clients to get the most out of your gateway as well. Make sure all the clients in your network are taking advantage of the way your gateway is configured,
especially if they use the Firewall Client. One of the client tools for this job is the Firewall Client Tool. It provides tools to check that the ISA server and auto-detection mechanisms are all working correctly for a given computer that is using the Firewall Client for ISA.
(If you're having problems that may be due to a driver misconfiguration on the client machine, check out the Firewall Kernel Mode Tool for extremely detailed information about what might be wrong.)

You may download a printer-friendly version of this checklist.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

More information from

  • Book Excerpt Protect Your Windows Network: From Perimeter to Data
  • Topic: Perimeter security
  • Webcast: Building a secure network perimeter

  • Dig Deeper on Windows Server troubleshooting

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.