In addition, although enabling Automatic Updates to perform this
function may seem ideal, it is not recommended to automatically install any updates on
a running server, particularly a security-based server.
Determining Domain Membership Versus
Workgroup Isolation
Before ISA Server 2006 is installed, a particularly important decision must be made:
whether or not to make that server a member of an Active Directory domain. The answer
to this question is not simple, but there is a general consensus that it is best to limit the
scope of what is accessible by any server that is exposed to unsecured networks such as
the Internet.
Although there are few concrete, easily identifiable security threats to back this up, it is
general best practice to reduce the exposure that the ISA server has, and limit it to only
the functionality that it needs. Consequently, one of the big improvements in ISA Server
2006 is its ability to run as a workgroup member, as opposed to a domain member. There
are certain pieces of functionality that differ between each of these scenarios, and it is
45
2
Determining Domain Membership Versus Workgroup Isolation
subsequently important to outline the deployment scenarios and functional limitations of
both scenarios.
Pages:
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144