Lockdown mode
A critical function of a firewall is to react to an attack. When an attack occurs, it may seem that the first line of defense is to disconnect from the Internet, isolating the compromised network from malicious outsiders. However, this is not the recommended approach. Although the attack must be handled, normal network connectivity must be resumed as quickly as possible, and the source of the attack must be identified.
The lockdown feature introduced with ISA Server 2004 combines the need for isolation with the need to stay connected. Whenever a situation occurs that causes the Microsoft Firewall service to shut down, ISA Server enters lockdown mode. This occurs when:
- An event triggers the Firewall service to shut down. When you configure alert definitions, you decide which events will cause the Firewall service to shut down. Essentially, you configure when ISA Server enters lockdown mode.
- The Firewall service is manually shut down. If you become aware of malicious attacks, you can shut down the Firewall service, while configuring the ISA Server computer and the network to handle the attacks.
Affected functionality
When in lockdown mode, the following functionality applies:
- The Firewall Packet Filter Engine (fweng) applies the firewall policy.
- The following system policy rules are still applicable:
  - Allow ICMP from trusted servers to the local host.
  - Allow remote management of the firewall using MMC (RPC through port 3847).
  - Allow remote management of the firewall using RDP.
- Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response, on the same connection.
- No incoming traffic is allowed, unless a system policy rule (listed previously) that specifically allows the traffic is enabled. The one exception is DHCP traffic, which is always allowed. That is, the UDP Send protocol on port 68 is allowed from all networks to the Local Host network. The corresponding UDP Receive protocol on port 67 is allowed.
- VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
- Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and ISA Server exits lockdown mode. For example, if you physically move a network segment and reconfigure ISA Server to match the physical changes, the new topology is in effect only after ISA Server exits lockdown mode.
- ISA Server does not trigger any alerts.
Leaving lockdown mode
When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning, as previously. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode.
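The behaviour described under "Affected functionality" and "Leaving lockdown mode" can be summarized as a small decision model, shown here as an added example written for this page; it is not ISA Server code and uses no Microsoft API. The `IsaServer` class, the `Packet` tuple, the network names, the constructed packets and the RDP port (TCP 3389, the well-known RDP port, which the page itself does not state) are all assumptions of the example. It encodes the rules above: in lockdown mode outbound traffic from the Local Host network is allowed and replies on established connections are accepted, inbound traffic is denied unless an enabled system policy rule or the DHCP exception (UDP 67/68) matches, no alerts are raised, and configuration changes are held until the Firewall service restarts.

```python
"""Toy model of ISA Server 2004 lockdown mode (illustrative, not product code)."""
from dataclasses import dataclass, field
from typing import Optional

LOCAL_HOST = "Local Host"   # ISA network name for the firewall computer itself


@dataclass(frozen=True)
class Packet:
    src_network: str
    dst_network: str
    protocol: str                 # "TCP", "UDP" or "ICMP"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    direction: str = "inbound"    # relative to the ISA Server host
    from_trusted_server: bool = False   # assumed flag: source is a configured trusted server


@dataclass
class IsaServer:
    firewall_service_running: bool = True
    # System policy rules that still apply in lockdown mode (the page's list);
    # True means the administrator enabled the rule. Values here are constructed.
    system_policy: dict = field(default_factory=lambda: {
        "icmp_from_trusted_servers": True,
        "mmc_rpc_3847": True,
        "rdp": False,
    })
    established: set = field(default_factory=set)   # (remote_network, proto, remote_port)
    pending_config: list = field(default_factory=list)
    applied_config: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    @property
    def in_lockdown(self) -> bool:
        # Lockdown is exactly the state in which the Firewall service is down.
        return not self.firewall_service_running

    def stop_firewall_service(self, reason: str) -> None:
        """Alert-triggered or manual shutdown of the Firewall service enters lockdown."""
        self.firewall_service_running = False
        self.alerts.append(f"lockdown entered: {reason}")

    def restart_firewall_service(self) -> None:
        """Restarting the service exits lockdown and applies queued configuration."""
        self.firewall_service_running = True
        self.applied_config.extend(self.pending_config)
        self.pending_config.clear()

    def change_config(self, change: str) -> None:
        # Network configuration changes made during lockdown take effect only
        # after the Firewall service restarts.
        (self.pending_config if self.in_lockdown else self.applied_config).append(change)

    def raise_alert(self, text: str) -> bool:
        # ISA Server does not trigger alerts while in lockdown mode.
        if self.in_lockdown:
            return False
        self.alerts.append(text)
        return True

    def _system_policy_allows(self, p: Packet) -> bool:
        if p.protocol == "ICMP" and p.from_trusted_server:
            return self.system_policy["icmp_from_trusted_servers"]
        if p.protocol == "TCP" and p.dst_port == 3847:      # MMC management via RPC
            return self.system_policy["mmc_rpc_3847"]
        if p.protocol == "TCP" and p.dst_port == 3389:      # RDP (well-known port, assumed)
            return self.system_policy["rdp"]
        return False

    def decide(self, p: Packet) -> str:
        """Return 'allow' or 'deny' for a packet while in lockdown mode."""
        if not self.in_lockdown:
            return "normal policy"   # ordinary firewall policy; outside this model
        if p.direction == "outbound" and p.src_network == LOCAL_HOST:
            # Local Host may talk to any network; remember the flow so that the
            # reply on the same connection can come back.
            self.established.add((p.dst_network, p.protocol, p.dst_port))
            return "allow"
        if p.dst_network != LOCAL_HOST:
            return "deny"            # nothing is forwarded, including VPN client/site traffic
        if (p.src_network, p.protocol, p.src_port) in self.established:
            return "allow"           # e.g. a DNS response to a query Local Host sent
        if p.protocol == "UDP" and p.dst_port == 68:
            return "allow"           # DHCP is always allowed to the Local Host network
        if self._system_policy_allows(p):
            return "allow"
        return "deny"
```

A typical walk-through: stop the service (entering lockdown), send a DNS query from the Local Host network, confirm the matching response is accepted while an unsolicited inbound connection to port 80 is refused, queue a network change, and then restart the service and check that the change is applied only at that point.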
