Monday, September 22, 2008

Importing ISA Server Computer Set from Standard Edition to Enterprise Edition

Note: you should back up the ISA Server configuration before trying out the following workaround (just in case) ;-)

My customers are no exception; they too are getting attacked [1] from IP addresses belonging to the China address space. For some of them we simply decided to block all traffic originating in China. For customers using ISA Server as a firewall, I decided to use "Country by Country ISA Computer Sets" prepared by Thor (thank you Thor).

The scripts that we could download were prepared for ISA Server 2004 or ISA Server 2006 Standard Edition, and they could not be imported into ISA Server Enterprise Edition. If you try to import them into ISA Server Enterprise Edition, you get the following error:

Error: 0xc00403a4
Enterprise Edition settings cannot be imported into Standard Edition, and Standard Edition settings cannot be imported into Enterprise Edition.
The error occurred on object 'ComputerSets' of class 'Computer Sets' in the scope of array 'Firewall'.




I really didn't want to copy and paste or manually recreate the computer set. After playing around with the XML file containing the computer set, I figured out that if you change the fpc4:Edition line from

to

you can now import the computer set into ISA Server 2006 Enterprise Edition even if it was exported from ISA Server 2006 Standard Edition. You should see the above line near the top of the XML file.

Here are also screenshots of the XML file (before and after):

Standard Edition

Enterprise Edition


1. I will write more about the attacks themselves in my next post...

Thursday, September 11, 2008

Bleeding Edge Conference...


I am getting ready for the Bleeding Edge conference. The conference will be held on October 1st in Portorož, Slovenia.
It is a one-day event with two tracks. Speakers will be Dejan Sarka, Dušan Zupančič, Matevž Gačnik, Miha Markič, Miha Valenčič and myself. Hm – it looks like we will have "Miha track…" :-)

I am really looking forward to this event. It should be very educational! I hope to see you there!

Saturday, September 6, 2008

Fine grained policies and Password Policy Manager (PPM)

Windows 2008 AD DS (Active Directory Domain Services) allows administrators to set different password policies for different users or groups. In practice this could mean that an administrator can set a password policy of e.g. minimum 5 characters [1] for a password that must be changed every 60 days for ordinary users, while a group of administrators must have a password with at least e.g. 14 characters that they need to change every 30 days.

To achieve this, the administrator must create different Password Settings objects (PSOs) and apply them directly to user objects or, better, to a group. Any member of the group will then have the password policy defined by the PSO linked to that group.
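What such PSOs look like on disk, as an added example (not PPM's code or output): this Python sketch builds LDIF records for the two policies described above. The domain DN, group names, precedence values, history length and lockout settings are constructed assumptions.

```python
# Added example: emit LDIF records that create Password Settings objects (PSOs).
from datetime import timedelta

def to_interval(delta):
    """AD DS stores PSO durations as negative counts of 100-ns intervals."""
    return -int(delta.total_seconds()) * 10_000_000

def pso_ldif(name, domain_dn, applies_to_dn, precedence, min_length,
             max_age_days, min_age_days=1, history=24,
             lockout_threshold=0, lockout_minutes=30):
    """Return the LDIF text for one PSO linked to a user or group DN."""
    if not 0 <= min_length <= 255:
        raise ValueError("minimum password length must be 0..255")
    if precedence < 1:
        raise ValueError("precedence must be greater than 0")
    if min_age_days >= max_age_days:
        raise ValueError("minimum age must be shorter than maximum age")
    window = to_interval(timedelta(minutes=lockout_minutes))
    fields = [
        ("dn", f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"),
        ("changetype", "add"),
        ("objectClass", "msDS-PasswordSettings"),
        ("msDS-PasswordSettingsPrecedence", precedence),
        ("msDS-MinimumPasswordLength", min_length),
        ("msDS-MaximumPasswordAge", to_interval(timedelta(days=max_age_days))),
        ("msDS-MinimumPasswordAge", to_interval(timedelta(days=min_age_days))),
        ("msDS-PasswordHistoryLength", history),
        ("msDS-PasswordComplexityEnabled", "TRUE"),
        ("msDS-PasswordReversibleEncryptionEnabled", "FALSE"),
        ("msDS-LockoutThreshold", lockout_threshold),
        ("msDS-LockoutObservationWindow", window),
        ("msDS-LockoutDuration", window),
        ("msDS-PSOAppliesTo", applies_to_dn),
    ]
    return "".join(f"{key}: {value}\n" for key, value in fields)

def build_example():
    """Constructed sample: the two policies from the text, on made-up DNs."""
    domain = "DC=example,DC=test"
    admins = pso_ldif("PSO-Admins", domain, f"CN=PSO Admins,CN=Users,{domain}",
                      precedence=10, min_length=14, max_age_days=30)
    users = pso_ldif("PSO-Users", domain, f"CN=PSO Staff,CN=Users,{domain}",
                     precedence=20, min_length=5, max_age_days=60)
    return admins + "\n" + users

if __name__ == "__main__":
    print(build_example(), end="")
```

Saved to a file, the output can be imported on a domain controller with `ldifde -i -f <file>`. When several PSOs reach the same user, the one with the lowest precedence value wins, which is why the administrators' PSO gets the smaller number here.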

My friend Miha Jakovac and I wrote (well Miha did most of the writing ;-) ) a free tool called Password Policy Manager or PPM that allows administrators to use GUI tools for creating and applying PSO to users or groups.

You can also use the tool to search for any existing PSOs, edit existing PSOs, delete existing PSOs and view the PSOs applied to users or groups.

You can download and use PPM for free.

Let Miha or me know what you think about the tool ...

  1. I don’t recommend using a password policy that allows users such short passwords

Following are some screenshots of the tool...

Creating new PSO


Applying PSO to user


Checking for any existing PSOs applied to the object



The result of the check will show the PSO that the user is a member of. Here you can also remove the user (or group) from the applied PSO.


Searching

Hint 1: You can use keywords...
Hint 2: You could search for specific user or group and apply new PSO to it...


Result of the search

With the returned list of PSOs you can view details of the PSOs, edit them, delete them, etc.


Viewing PSO details

You can view details of a PSO such as password length, password history and other settings. You can also remove any user from the PSO that might be linked to it. If you wish, you can export the settings to an LDF-formatted file.