Threat Management Gateway (Forefront TMG) is Microsoft's Firewall, Web Proxy and
VPN Gateway Product
Here you'll find free scripts and resources for Microsoft Internet Security and
Acceleration Server (ISA Server)
and Microsoft Forefront Threat Management Gateway (Forefront
TMG). All the scripts are in the public domain with no rights reserved and
no registration required. More scripts are in development, and if there is a
type of script you'd really like to see here, let me know and maybe I'll write
My name is Jason Fossen, I'm a
security consultant at
Enclave Consulting LLC and I
regularly teach a week-long course on Windows security for the
SANS Institute. This web site is where I share materials with my conference
attendees, consulting clients, and anyone else interested in security for
Microsoft-based networks. --
Hey, The Scripts Are Free, But I Have To Pay For This Site Somehow!
ISA Server Websites & Blogs
| Firewall Policy Scripts
All the scripts and files described below
are in this zip file.
In the zip file, look in
the \ISA_Server folder for the ISA Server scripts. The comment headers in the
scripts provide more information and most scripts have a "/?" switch for help
A firewall array sizing spreadsheet based on Microsoft's
Best Practices for Performance whitepaper, but you can plug in your own
traffic requirements and it'll calculate the estimates for you. (BETA)
Spreadsheet of all the
RFC 2616 HTTP request, response,
entity and general headers and their descriptions to assist in editing HTTP
application-layer filters and interpreting log data.
Create or update a Domain Name Set with domains obtained from a local file or
from an HTTP URL, such as for the
blacklisted domains of spammers, advertisers,
pornographers, hate groups, etc.
Create or update a URL Set with URLs obtained from a local file or from an HTTP
URL, such as for the
blacklisted URLs of spammers, advertisers,
pornographers, hate groups, etc.
Create or update a Computer Set with subnets obtained from a local file or from
an HTTP URL, such as for
bogon routes, unallocated routes,
Create or update a Computer Set with computer objects obtained from a text file
containing hostnames and their IP addresses.
Copies the HTTP application-layer filter settings from one rule to another in
the firewall policy so that you only have to create the filter once. Can
display the raw XML of the filter for analysis or backup too.
Enable/disable firewall rules from the command line.
Variety of functions for viewing, creating, deleting and modifying Domain Name
Set objects. For VBScript coders.
Variety of functions for viewing, creating, deleting and modifying Subnet
objects. For VBScript coders.
Variety of functions for viewing, creating, deleting and modifying URL Set
objects. For VBScript coders.
Logging and Error Codes
- ISA_Server_Error_Codes.xls (Spreadsheet)
Spreadsheet of names, descriptions and hex numbers of ISA Server error, cache
and response codes. Handy for troubleshooting. You might also want to get
event log messages help file for ISA Server.
Copy a line of log data on the Logging tab to the clipboard using the Tasks
pane, run the script, and a
WHOIS query of the client's IP
address pops up. Copy the script to the Start menu or associate a keyboard
shortcut with it if you need to do it often.
Displays or edits the
maximum amount of memory the MSDE service (sqlservr.exe) is permitted to
use, since database logging can sometimes cause a memory leak (KB909636).
Gracefully detach one or all MSDE logging database files so that they can be
deleted, copied or moved from the ISA Server.
Demonstrates over 20
queries against ISA Server and IIS log files using the free
Microsoft Log Parser tool to show, for
example, which rules are the most frequently used, which IP addresses are
sending the most denied packets, which users are consuming the most bandwidth,
who is sending Ping of Death packets, etc.
Uses the command-line version of the free
Wireshark sniffer to analyze the raw hex fields
of offending packets in firewall logs.
Lists all alert definitions and their detailed properties.
Script to e-mail the output of any chosen command, such as "ipconfig /all", when
the script is executed by an ISA Server alert action, scheduled job,
EventTriggers.exe, Performance Monitor alert, etc. Unlike ISA Server e-mail
alerts, you can specify a username and password, and use SSL for SMTPS.
Especially nice for being alerted when DHCP-assigned IP addresses change.
View, reset and acknowledge triggered alerts by severity level.
A batch script to run when you really need to go into lockdown mode.
| Cache - RRAS - DNS - Misc.
To be used on VPN clients, the script changes the order in which DNS servers are
queried so that the DNS servers associated with the VPN connection are always
used first. This helps to solve a
known name resolution problem for Windows VPN and dial-up clients (KB311218).
Manages how the names or IP addresses of CARP array members in an Enterprise
Edition array are represented in the cache array script download by Web Proxy
clients. Useful when the array has multiple network objects which have Web
Proxy clients on each network.
Add/remove individual files to or from the Web Proxy cache, such as for
pre-loading files into the cache from URL or local drive sources.
Dump current sessions into a comma-delimited format (imports to Excel);
functions for disconnecting sessions based on IP address, user name or client
process name; and a function to disconnect VPNs by IP address.
View and edit permitted outbound HTTPS/SSL ports, since ISA Server only permits
TCP 443 and 563 out by default (KB283284).
Adds, removes and lists
"blackholed" routes in ISA Server's route table; these are routes to IP's or
subnets that drops packets without editing firewall rules or disrupting other
communications. If you blackhole an internal machine's IP address, for example,
it will not be able to maintain a Firewall Client channel or Web Proxy
connection to the ISA Server, but its other internal communications won't be
affected. Similar in purpose to the "rathole
script" Microsoft uses on its own ISA Server arrays.
Manages the RRAS
lockout feature on local or remote ISA Server VPN gateways to thwart
Security template for ISA Server firewalls for use with SECEDIT.EXE or the
Security Configuration & Analysis snap-in. This disables unneeded services and
can break things, so make sure to make a backup first and test the
template on a non-production server!
| Registry Edits
The following are REGEDIT.EXE exports for registry values that frequently need
to be changed on an ISA Server. They are also in the download
| Other Useful Scripts
The following scripts and files are also in the zip file,
but they are not specifically for ISA Server. Most are in the \Day6
folder in the zip file.
Uses SC.EXE to set service failure response actions for the Windows services
listed in an input file; for example, configure your critical services to send
an alert e-mail to admins when any one fails.
Dump and clear local or remote Event Logs to local comma-delimited CSV file
which can be cleanly opened in Excel, imported into a database, or easily
searched (with sample searches).
Imports a one- or two-dimensional array into a new Excel spreadsheet. Useful
when sifting through large amounts of tabular data, such as log entries or a
list of sessions.
Script for sending e-mail without an e-mail client or the SMTP service locally
installed. Supports authentication and SMTPS.
Create an auditing baseline snapshot of a server to be used later to analyze
changes to the box, such as after a compromise or failure.
Pass in IP address of XP or later machine, script configures remote machine to
only support NTLM Telnet authentication, enables Telnet service, opens Telnet
session, then stops and disables Telnet service afterwards. Use with an IPSec
policy to encrypt Telnet traffic.
Searches a text log from ISA, IIS or whatever source for matches from a file of
regular expression patterns that indicate malware or hacking, then prints a
report of the number of signature matches found. Includes a file
(signatures.txt) of 35 potential hacking signatures in ISA Web Proxy or IIS
- IPSecPol_* and NetShell_*
Example scripts for managing IPSec and networking settings, such as configuring
a NIC with static settings or creating an IPSec policy.
A bunch of scripts for the Windows Firewall (not ISA Server).
A bunch of scripts for database queries and manipulation, such as for managing
imported log data.
A bunch of scripts for Active Directory and user account management, including
one for brute-force password guessing attacks over LDAP with a dictionary file.
Some scripts for PKI and cryptography, including a script for Group Policy to
remove unwanted trusted root CA certificates.
A bunch of scripts for system management with Windows Management
Instrumentation, such as for remote execution, process termination, listing of
processes/drivers/patches/packages, forcing logoff/shutdown/reboots, starting
and stopping services in dependency sets, setting registry values, etc.
THE SOFTWARE AND OTHER FILES AND
INFORMATION ON THIS WEB SITE ARE PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, CORRECTNESS,
ERROR-FREE OPERATION, ACCURACY, RELIABILITY OR OTHERWISE. YOU ASSUME ALL RISKS
IN USING OR RELYING UPON THIS WEB SITE OR THE INFORMATION OR SOFTWARE RELATED TO
IT. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY THE AUTHOR OR THOSE
ASSOCIATED WITH THIS WEB SITE SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE
SCOPE OF ANY WARRANTY, UNLESS SUCH WARRANTIES ARE IN WRITING AS A PART OF A
COMMERCIAL AGREEMENT OR CONTRACT. IN NO EVENT SHALL THE AUTHOR, ENCLAVE
CONSULTING LLC OR THOSE ASSOCIATED WITH THIS WEB SITE BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF THERE HAS BEEN ADVISEMENTS OF THE
POSSIBILITY OF SUCH DAMAGES. ACCESSING THIS WEB SITE OR DOWNLOADING FILES FROM
IT WILL NOT CREATE A CUSTOMER OR CLIENT RELATIONSHIP WITH ANY PARTY ASSOCIATED
WITH THIS WEB SITE. CERTAIN STATES DO NOT PERMIT EXCLUSIONS OF IMPLIED
WARRANTIES OR LIMITATIONS OF LIABILITY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU
OR MAY APPLY TO YOU ONLY IN PART. YOU MAY HAVE OTHER LEGAL RIGHTS WHICH VARY
FROM STATE TO STATE.
This web site is not associated with or endorsed by Microsoft Corporation in any
This site is produced and sponsored solely by Enclave Consulting LLC.
Microsoft, Windows, Internet Security and Acceleration Server, ISA Server,
Forefront, Forefront Threat Management Gateway, TMG, Exchange Server, IIS,
SharePoint, Active Directory, ActiveSync, .NET, Visual Basic, VBScript, Active
Server Pages, Visual Studio, Office, Excel, SQL Server, PowerShell, WMI, Windows
Management Instrumentation, SecureNAT, PowerShell, Outlook, Outlook Web Access,
and OWA are either registered trademarks, trademarks or products of Microsoft
Corporation in the United States and/or other countries. Other trademarks are
the property of their respective owners.