ISA and SBS 2003: Creating Alerts [Windows Small Business Server 2003 Best Practices book excerpt]

Howdy folks – I am the author of the above book – and I like to hold virtual book readings by posting up a passage. Here is a passage on creating alerts in the ISA environment in SBS 2003!

 

cheers…harrybbbb

Harry Brelsford, CEO at smb nation www.smbnation.com

Microsoft Small Business Specialist SBSC, MBA, MCSE, MCT, MCP, CNE, CLSE, CNP

PS – did u know I host a technology conference in the New York City area each spring? Save the date for March 6-8, 2009 and watch “voice meet data” in the SMB space!

PPS – my SBS 2008 book will be out in mid-November 2008!

PPPS – my Microsoft Response Point Primer book is here NOW!

Creating Alerts

Another interesting configuration you can apply to SBS 2003 is the ability to send alerts to a public folder named “Security” so that you can monitor intrusion-related matters. I’ve found the business value of this to be that customers I serve as an SBS consultant can really see ISA Server 2000 at work. By sending the alerts to a public folder, the alerts are easily viewed from any client computer running Outlook. What I’m really saying here is you can add business value and be communicative with your SBS customers. The ISA Server 2000 alerts provide an opportunity to have dialog about how things are going (see my book, SMB Consulting Best Practices, for more of this discussion over 600 pages). So let’s get started. You’ll first create the public folder titled “Security” from the PRESIDENT machine. You will then log on to the server and configure the alerting capability in ISA Server 2000. It’s jolly good fun.

1. Log on as NormH with the password Purple3300 on PRESIDENT.

2. Start Outlook from Start, E-mail.

3. Expand Public Folders under Folder List.

4. Right-click All Public Folders and select New Folder.

5. On the Create New Folder dialog box, type Security in the Name field and select Mail and Post Items in the Folder contains field. Click OK.

6. Verify the Security folder appears under All Public Folders.

Now you’ll switch over to the SBS 2003 server machine to complete the following procedures to implement and test the alerting.

1. Log on as Administrator with the password Husky9999! on SPRINGERS1.

2. Click Start, Server Management (assuming you added the ISA Management snap-in into the Server Management console) and highlight ISA Management. Otherwise click Start, All Programs, Microsoft ISA Server, ISA Management to launch the ISA Management Microsoft Management Console (MMC).

3. Expand Servers and Arrays.

4. Expand SPRINGERS1.

5. Expand Access Policy.

6. Right-click IP Packet Filters and select Properties.

7. Select Enable Intrusion detection on the General tab of the IP Packet Filters Properties dialog box.

8. Click the Intrusion Detection tab and select all attack detection options as seen in Figure 13-15. Also reduce to 1 (one) the values in both Detect after attacks on fields. Click OK.

 

Figure 13-15

This is an important configuration area to complete correctly to implement the intrusion detection capability.

BEST PRACTICE: So why did you reduce the values in the detection occurrence fields down to one? That’s simple. You want to generate a lot of traffic to show your customers they aren’t alone out there in the big bad world. Small business clients often like to think no one knows they exist or cares about them. Filling the Security public folder with alerts is one way to thump ‘em good and show that many folks are trying all the time to intrude!

 Visit http://www.microsoft.com/technet for the latest updates for any Microsoft product.

This point also underscores the fact that the alerting capability is advisory in nature.
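As an added illustration (not from the book and not ISA Server’s own code), here is a small Python model of the two “Detect after attacks on … ports” thresholds from the Intrusion Detection tab, run over a constructed batch of denied inbound packets. The rule semantics (distinct ports below 1024 versus distinct ports of any number) and the sample addresses are assumptions; the point it shows is why the value of 1 used above flags every host that touches a single port, while higher values flag only the host actually sweeping ports.

```python
from collections import defaultdict

# Constructed sample of denied inbound packets (source IP, destination port),
# standing in for what ISA Server sees on the external adapter.
SAMPLE_PACKETS = [
    ("203.0.113.5", 21), ("203.0.113.5", 22), ("203.0.113.5", 23),
    ("203.0.113.5", 80), ("203.0.113.5", 1433),      # sweeping many ports
    ("198.51.100.9", 80),                            # one probe of one port
    ("192.0.2.44", 1025), ("192.0.2.44", 1026), ("192.0.2.44", 1027),
]

WELL_KNOWN_LIMIT = 1024  # ports 0-1023 are the IANA well-known range


def port_scan_alerts(packets, well_known_threshold, any_port_threshold):
    """Model of the two 'Detect after attacks on ... ports' fields.

    Assumed semantics: a source trips the first rule once it has touched
    well_known_threshold distinct ports below 1024, and the second rule once
    it has touched any_port_threshold distinct ports of any number.
    Returns {source_ip: rule_name} for every source that trips a rule.
    """
    well_known = defaultdict(set)
    any_port = defaultdict(set)
    for src, port in packets:
        any_port[src].add(port)
        if port < WELL_KNOWN_LIMIT:
            well_known[src].add(port)
    alerts = {}
    for src, ports in any_port.items():
        if len(well_known[src]) >= well_known_threshold:
            alerts[src] = "well-known ports"
        elif len(ports) >= any_port_threshold:
            alerts[src] = "ports"
    return alerts


def compare_settings(packets):
    """Same traffic under the book's 1/1 setting and under a stricter 3/5."""
    return {
        "book_setting_1_1": port_scan_alerts(packets, 1, 1),
        "stricter_3_5": port_scan_alerts(packets, 3, 5),
    }


if __name__ == "__main__":
    for name, hits in compare_settings(SAMPLE_PACKETS).items():
        print(name, hits)
```

Under the 1/1 setting all three sources land in the Security public folder; under 3/5 only the sweeping host does, which is the trade-off to keep in mind once the demonstration period is over.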

 

9. Proceed to expand the Monitoring Configuration object.

10. Expand Alerts.

11. Double-click the Intrusion detected alert.

12. Verify on the General tab of the Intrusion detected Properties dialog box that the Enable checkbox is selected.

13. Select the Events tab and check the Number of occurrences before the alert is issued. Set the value to 1 (one) to generate activity.

14. Complete the Actions tab similar to Figure 13-16 to configure where to send the alert e-mail to.

15. Click OK.

Figure 13-16

You will configure the alerts to send to the Security public folder on the SPRINGERS1 server machine.

You would now proceed to “black hat” yourself (on the outside network adapter card) using a port scanner, such as GFI’s Network Security Scanner (featured in Chapter 5). This will generate tons of intrusion detection traffic and fill the Security public folder. In the real world, you’ll be surprised how often intrusion detection alerts are fired to the Security public folder. A screenshot from a real customer site is shown in Figure 13-17.

Figure 13-17

Just when you thought it was safe to go out in the neighborhood again, the alerts fired to the Security public folder remind you that the world is an intense place.

BEST PRACTICE: Perhaps you’ve heard the phrase or even worked with a super speedy secretary in the “old days” who could “type faster than the computer.” You know what I mean. Back in the days of WordStar (even before the heyday of Word Perfect), a super speedy secretary could out-type the computer or get ahead of the characters appearing on the screen. We’ve got a little bit of that with respect to the above procedure. When you added the Security public folder, which is indeed SMTP e-mail-enabled by default, there is a propagation period whereby Active Directory needs a few minutes to catch up and make the Security public folder available for use. So if you’re super speedy and you’ve completed the above procedure so fast that Active Directory is lagging behind you, take a ten-minute break and try the last exercise again where you create traffic to fire the alert.

BEST PRACTICE: Be sure to learn how to extend ISA Server 2000 with its Feature Pack 1 (details at http://www.microsoft.com/isa). Go for it!
