Forefront Threat Management Gateway (Forefront TMG) is Microsoft's Firewall, Web Proxy and VPN Gateway Product

Welcome!  Here you'll find free scripts and resources for Microsoft Internet Security and Acceleration Server (ISA Server) and Microsoft Forefront Threat Management Gateway (Forefront TMG). All the scripts are in the public domain with no rights reserved and no registration required. More scripts are in development, and if there is a type of script you'd really like to see here, let me know and maybe I'll write it!

My name is Jason Fossen, I'm a security consultant at Enclave Consulting LLC and I regularly teach a week-long course on Windows security for the SANS Institute. This web site is where I share materials with my conference attendees, consulting clients, and anyone else interested in security for Microsoft-based networks. -- Cheers!
 

• www.isaserver.org (English)
• www.isatools.org (English)
• www.isaserver.bm (English)
• isainsbs.blogspot.com (English)
• www.msisafaq.de (German)
• www.isaserver.it (Italian)
• www.isaserverfr.org (French)
• www.isafirewalls.org (French)
• www.isacn.org (Chinese)
• www.isahowto.org (Chile)

• Microsoft's Official ISA Server Site
• www.microsoft.com/isaserver/
• ISA Server Communities
• ISA Server Newsgroups
• ISA Server Webcasts
• ISA Product Team Blog

In the zip file, look in the \ISA_Server folder for the ISA Server scripts. The comment headers in the scripts provide more information and most scripts have a "/?" switch for help too. 

• ISA_Array_Sizing_Spreadsheet.xls
  A firewall array sizing spreadsheet based on Microsoft's Best Practices for Performance whitepaper, but you can plug in your own traffic requirements and it'll calculate the estimates for you. (BETA)
   
• HTTP_Header_Descriptions.xls (Spreadsheet)
  Spreadsheet of all the RFC 2616 HTTP request, response, entity and general headers and their descriptions to assist in editing HTTP application-layer filters and interpreting log data.
   
• ISA_Fill_Domain_Name_Set.vbs
  Create or update a Domain Name Set with domains obtained from a local file or from an HTTP URL, such as for the blacklisted domains of spammers, advertisers, pornographers, hate groups, etc.
   
• ISA_Fill_URL_Set.vbs
  Create or update a URL Set with URLs obtained from a local file or from an HTTP URL, such as for the blacklisted URLs of spammers, advertisers, pornographers, hate groups, etc.
   
• ISA_Fill_Computer_Set_Subnets.vbs
  Create or update a Computer Set with subnets obtained from a local file or from an HTTP URL, such as for bogon routes, unallocated routes, known attackers, unwanted countries, etc.
   
• ISA_Fill_Computer_Set_Computers.vbs
  Create or update a Computer Set with computer objects obtained from a text file containing hostnames and their IP addresses.
   
• ISA_Copy_HTTP_Filter_Settings.vbs
  Copies the HTTP application-layer filter settings from one rule to another in the firewall policy so that you only have to create the filter once.  Can display the raw XML of the filter for analysis or backup too.
   
• ISA_Enable-Disable_Rule.vbs
  Enable/disable firewall rules from the command line.
   
• ISA_Manage_Domain_Name_Sets.vbs
  Variety of functions for viewing, creating, deleting and modifying Domain Name Set objects. For VBScript coders.
   
• ISA_Manage_Subnets.vbs
  Variety of functions for viewing, creating, deleting and modifying Subnet objects. For VBScript coders.
   
• ISA_Manage_URL_Sets.vbs
  Variety of functions for viewing, creating, deleting and modifying URL Set objects. For VBScript coders.

• ISA_Server_Error_Codes.xls (Spreadsheet)
  Spreadsheet of names, descriptions and hex numbers of ISA Server error, cache and response codes. Handy for troubleshooting. You might also want to get Microsoft's event log messages help file for ISA Server.
   
• ISA_Quick_WHOIS.vbs
  Copy a line of log data on the Logging tab to the clipboard using the Tasks pane, run the script, and a WHOIS query of the client's IP address pops up.  Copy the script to the Start menu or associate a keyboard shortcut with it if you need to do it often.
   
• ISA_MSDE_Max_Memory.vbs
  Displays or edits the maximum amount of memory the MSDE service (sqlservr.exe) is permitted to use, since database logging can sometimes cause a memory leak (KB909636).
   
• ISA_MSDE_Detach_Database.vbs
  Gracefully detach one or all MSDE logging database files so that they can be deleted, copied or moved from the ISA Server.
   
• ISA_LogParser.vbs
  Demonstrates over 20 queries against ISA Server and IIS log files using the free Microsoft Log Parser tool to show, for example, which rules are the most frequently used, which IP addresses are sending the most denied packets, which users are consuming the most bandwidth, who is sending Ping of Death packets, etc.
   
• ISA_Parse_Raw_Hex_Payload.vbs
  Uses the command-line version of the free Wireshark sniffer to analyze the raw hex fields of offending packets in firewall logs.

• ISA_List_Alert_Definitions.vbs
  Lists all alert definitions and their detailed properties.
   
• ISA_E-Mail_Alert.vbs
  Script to e-mail the output of any chosen command, such as "ipconfig /all", when the script is executed by an ISA Server alert action, scheduled job, EventTriggers.exe, Performance Monitor alert, etc. Unlike ISA Server e-mail alerts, you can specify a username and password, and use SSL for SMTPS. Especially nice for being alerted when DHCP-assigned IP addresses change.
   
• ISA_Reset_Acknowledge_Alerts.vbs
  View, reset and acknowledge triggered alerts by severity level.
   
• ISA_Panic_Script.bat
  A batch script to run when you really need to go into lockdown mode.

• ISA_DNS_Binding_Order.vbs
  To be used on VPN clients, the script changes the order in which DNS servers are queried so that the DNS servers associated with the VPN connection are always used first. This helps to solve a known name resolution problem for Windows VPN and dial-up clients (KB311218).
   
• ISA_CARP_Name_Resolution.vbs
  Manages how the names or IP addresses of CARP array members in an Enterprise Edition array are represented in the cache array script download by Web Proxy clients.  Useful when the array has multiple network objects which have Web Proxy clients on each network.
   
• ISA_Add-Remove_Cached_File.vbs
  Add/remove individual files to or from the Web Proxy cache, such as for pre-loading files into the cache from URL or local drive sources.
   
• ISA_Manage_Sessions.vbs
  Dump current sessions into a comma-delimited format (imports to Excel); functions for disconnecting sessions based on IP address, user name or client process name; and a function to disconnect VPNs by IP address.
   
• ISA_Manage_SSL_Ports.vbs
  View and edit permitted outbound HTTPS/SSL ports, since ISA Server only permits TCP 443 and 563 out by default (KB283284).
   
• BlackHole.bat
  Adds, removes and lists "blackholed" routes in ISA Server's route table; these are routes to IP's or subnets that drops packets without editing firewall rules or disrupting other communications. If you blackhole an internal machine's IP address, for example, it will not be able to maintain a Firewall Client channel or Web Proxy connection to the ISA Server, but its other internal communications won't be affected. Similar in purpose to the "rathole script" Microsoft uses on its own ISA Server arrays.
   
• RRAS_Account_Lockout.vbs
  Manages the RRAS user lockout feature on local or remote ISA Server VPN gateways to thwart password-guessing attacks.
   
• ISA_Server_Security_Template.inf
  Security template for ISA Server firewalls for use with SECEDIT.EXE or the Security Configuration & Analysis snap-in.  This disables unneeded services and can break things, so make sure to make a backup first and test the template on a non-production server!

• ISA_Allow_Basic_Authentication_Without_SSL_KB821724.reg
• ISA_Disable_IP_Spoofing_Detection_KB838114.reg
• ISA_FTP_Kernel_Mode_Data_Pump_KB837572.reg
• ISA_Increase_Authentication_Throughput_KB326040.reg
• ISA_Increase_Memory_Buffers_KB837572.reg
• ISA_OWA_Should_Authenticate_Using_RADIUS_KB884560.reg
• ISA_Skip_Authentication_For_Routing_Information_KB885683.reg
• Windows_Enable_PMTU_Discovery_KB902347.reg
• Exchange_2003_Proxy_Authenticate_Outlook_RPC_Clients_KB302914.reg
• NetBIOS_Node_Type_P_KB160177.reg

The following scripts and files are also in the zip file, but they are not specifically for ISA Server. Most are in the \Day6 folder in the zip file.

• Set_Service_Recovery_Options.bat
  Uses SC.EXE to set service failure response actions for the Windows services listed in an input file; for example, configure your critical services to send an alert e-mail to admins when any one fails.
   
• WMI_ADO_DumpEventLog.vbs
  Dump and clear local or remote Event Logs to local comma-delimited CSV file which can be cleanly opened in Excel, imported into a database, or easily searched (with sample searches).
   
• Import_To_Excel.vbs
  Imports a one- or two-dimensional array into a new Excel spreadsheet.  Useful when sifting through large amounts of tabular data, such as log entries or a list of sessions.
   
• CDOSYS_Send_Mail.vbs
  Script for sending e-mail without an e-mail client or the SMTP service locally installed.  Supports authentication and SMTPS.
   
• SnapShot.bat
  Create an auditing baseline snapshot of a server to be used later to analyze changes to the box, such as after a compromise or failure.
   
• Start-Telnet.bat
  Pass in IP address of XP or later machine, script configures remote machine to only support NTLM Telnet authentication, enables Telnet service, opens Telnet session, then stops and disables Telnet service afterwards.  Use with an IPSec policy to encrypt Telnet traffic.
   
• Search_Text_Log.vbs
  Searches a text log from ISA, IIS or whatever source for matches from a file of regular expression patterns that indicate malware or hacking, then prints a report of the number of signature matches found. Includes a file (signatures.txt) of 35 potential hacking signatures in ISA Web Proxy or IIS logs.
   
• IPSecPol_* and NetShell_*
  Example scripts for managing IPSec and networking settings, such as configuring a NIC with static settings or creating an IPSec policy.
   
• Firewall_*
  A bunch of scripts for the Windows Firewall (not ISA Server).
   
• ADO_*
  A bunch of scripts for database queries and manipulation, such as for managing imported log data.
   
• ADSI_*
  A bunch of scripts for Active Directory and user account management, including one for brute-force password guessing attacks over LDAP with a dictionary file.
   
• CAPICOM_*
  Some scripts for PKI and cryptography, including a script for Group Policy to remove unwanted trusted root CA certificates.
   
• WMI_*
  A bunch of scripts for system management with Windows Management Instrumentation, such as for remote execution, process termination, listing of processes/drivers/patches/packages, forcing logoff/shutdown/reboots, starting and stopping services in dependency sets, setting registry values, etc.

Last Updated: 2.Mar.2011