Role based administration in ISA Server 2006

Marc Grote photo
How to implement a role based administration model with Microsoft ISA Server 2006 for distributed administration.

ISA Server 2006 allows the delegation of administrative permissions to individual users to make the Administration model more flexible. ISA Server 2006 uses two different models to assign permissions to individual users. ISA Server 2006 Standard uses a simple model that controls access for specific parts of the ISA configuration. ISA Server 2006 Enterprise uses a more distributed model which lets you assign permissions at the Enterprise level and at array level.


Get your copy of the German language "Microsoft ISA Server 2006 - Das Handbuch"

ISA Server 2006 Standard role

Tasks

ISA Server Monitoring Auditor

Users assigned to this role can monitor ISA Server 2006 but cannot view the ISA Server configuration.

ISA Server Auditor

Users and groups assigned this role can perform all monitoring activities like Firewall log configuration, definition of ISA alerts and can view, but not modify the ISA Server 2006 configuration.

ISA Server Full Administrator

Users and groups can perform any ISA Server 2006 task. This is the most powerful role in ISA Server 2006.

Table 1: ISA Server 2006 Standard roles

Every normal Windows user or Windows group can be assigned permissions for ISA Server roles. No special privileges or Windows permissions are required.

Note:
There is one exception to what is written above. When a user tries to open Perfmon for viewing the ISA Server 2006 Performance counters or the ISA Server Dashboard, the account must be a Member of the Windows Server 2003 Performance Monitor User group.

To assign administrative roles, start the ISA Server 2006 Management console; right click the Server objects properties and navigate to the Assign Roles tab. You must be an Administrator with the assigned role “ISA Server Full Administrator” to delegate permissions.

Click Add to select users or groups which you would like to assign specific roles.


Figure 1: Assign ISA management roles

After selecting the user group or user, select the role that you want to assign to the user or user group.


Figure 2: Select the management role

Example permission of ISA Server roles

Activity

ISA Server Monitoring Auditor

ISA Server Auditor

ISA Server Full Administrator

View Dashboard, alerts, connectivity, sessions, services

Allowed

Allowed

Allowed

Acknowledge alerts

Allowed

Allowed

Allowed

View log information

Not allowed

Allowed

Allowed

Create alert definitions

Not allowed

Not allowed

Allowed

Create reports

Not allowed

Allowed

Allowed

Stop and start sessions and services

Not allowed

Allowed

Allowed

View firewall policy

Not allowed

Allowed

Allowed

Configure firewall policy

Not allowed

Not allowed

Allowed

Configure cache

Not allowed

Not allowed

Allowed

Configure a virtual private network (VPN)

Not allowed

Not allowed

Allowed

Table 2: ISA Server 2006 detailed permissions (Source: Role-based Administration in ISA Server 2006)

Attention:
If you remove the assigned ISA management role for a specific user or user group, the users removed from this group retain ownership of the objects they created, so that it is possible that an ISA Administrator can delete objects he created although the user is no longer a member of an ISA Server role.


Figure 3: Users retain ownership of objects they created

Open the ISA Management console with no access

Another interesting thing is what happens when a user tries to open the ISA Server 2006 management console when the user has no assigned ISA Server 2006 roles. I tried it with the user Auditor who has no assigned ISA Server role. You can see the result in the following picture.


Figure 4: Messages when a user tries to open the ISA Management console without assigned roles

Testing the ISA role concept

As a next step, I logged on with the user Auditor which I assigned the ISA Server Auditor rule. After the Management console has opened, I tried to create a new firewall rule but this should not succeed, because the ISA Server Auditor rule should not have the right to create firewall rules.


Figure 5: The ISA Server Auditor rules doesn’t have the permission to create a firewall rule

Defining Enterprise-Level Administrative Roles

ISA Server 2006 Enterprise also uses a role-based model to organize enterprise and array administrators with predefined roles. Users with a specific role are allowed to complete specific ISA Server tasks. ISA Server 2006 distinguishes between enterprise-level roles and array level roles. ISA Server 2006 Enterprise can assign the following Enterprise roles:

ISA Server 2006 Enterprise role

Tasks

ISA Server Enterprise Administrator

This role allows full control over the enterprise and the configuration of all arrays in the enterprise. Users with this role can create enterprise policies and apply them to an array, manage array configurations, and assign roles to other users and groups.

ISA Server Enterprise Auditor

This role allows users to view the enterprise configuration and the configuration of all arrays in the enterprise.

ISA Server Enterprise Policy Editor

Enterprise administrators can assign administrators permissions for specific enterprise policies, thus limiting enterprise-level administration to a specific policy. Enterprise Policy Editors can create rules for the specific enterprise policy, but cannot create new enterprise policies.

Table 3: ISA Server 2006 Enterprise roles

Discretionary Access Control Lists

When ISA Server 2006 is installed, it uses discretionary access control lists (DACLs) to configure permission. ISA Server 2006 reconfigures the DACLs every time when the Microsoft ISA Server Control service (ISACTRL) is restarted or when you add new administrative ISA Server roles.

Conclusion

In this article I tried to show you how to delegate administrative permissions for administering ISA Server 2006 with different users and user groups. Distributing the Firewall administration is often required in enterprise environments where many ISA Servers must be administered and administrative work is distributed through the admin staff.

In my opinion, delegating administrative permissions in ISA Server 2006 is extremely useful in ISA Server 2006 Enterprise, because of the array model and the enterprise environment it may be useful to separate the administrative permissions to administer ISA Server 2006.

Related links

About Marc Grote

Marc Grote photo Marc Grote is an MCSA/MCSE Messaging & Security, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance IT Trainer and Consultant in the north of Germany near Hanover. He works with Invenate GmbH on special projects. You can find more information about Invenate at ttp://www.invenate.de. He specializes in ISA Server, Exchange, Security for Windows 2000/2003 and Windows Server 2008 designs, migrations and implementations, and Citrix Metaframe implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004. You can visit his homepage at http://www.it-training-grote.de.

Click here for Marc Grote's section.

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!



Receive all the latest articles by email!

Receive Real-Time & Monthly ISAserver.org article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become an ISAserver.org member!

Discuss your ISA Server issues with thousands of other ISA Server experts. Click here to join!

Solution Center

Readers' Choice

Which is your preferred ISA Monitoring and Management solution?