Posted: Mon Nov 01, 2010 3:25 am
by iistapp
So, we got an ISA server running at my school, and I read one of its features is to "inspect network traffic (including web contents, secure web contents and emails)"

So, does this mean they actually can read my emails? As I got some stuff on my mail that I don't really want people to be reading, and if they can, how could I avoid it?

Posted: Mon Nov 01, 2010 6:35 am
by msbachman
If they claim to be able to read emails, I'd take a stab at guessing it's able to read emails. :lol:

I'd be sure to access your email account--assuming the school doesn't control that already--securely. They won't be able to read it if it's done over a secure link. If they could, https://, TLS, etc. would be meaningless.

Posted: Mon Nov 01, 2010 10:02 am
by tremor77
The ISA server (Internet Security and Acceleration Server) is a Microsoft Proxy Server. It serves as a firewall, proxy and cache server. Basically ALL traffic coming IN and going OUT of your school network will be managed, routed, logged and potentially blocked by the ISA server... depending on the moxie of the installation and administration personnel of course.

Just FYI, ISA server is first and foremost a level of protection against malicious usage and outside attack, and a routing and remote access tool. Its secondary mission is network performance and quality of service. Only as a tertiary benefit is ISA used for 'spying' as you'd have it. So, simply because they are installing one does not mean that is the primary reason. ISA is now in the process of being renamed to Microsoft Forefront Threat Management Gateway or TMG.

As far as privacy and internet usage at your institution, you should ask to review any policy agreement that the network has in place. Simply by signing (most often) on you are most likely 'agreeing' to a user policy that you may not even be aware of. Here is some legal:

Under the Electronic Communications Privacy Act (ECPA) it provides for implied authorization to review employee emails, and that a company should state their policy of monitoring e-mails in the company handbook. However, pursuant to Title III of the ECPA, it is unlawful for anyone to intentionally intercept any email communication while it is en route. ECPA 18 USC 2701.

Employee/Company can be well substituted for student/university although there may be some alternative guidelines regulating schools. Basically... the law says that your personal communications are protected in transmission... except, however... if it is explicitly stated in a policy.

In short - ask to see the school's computer & internet usage policy statement. If they don't have one, then they are bound by the law and your e-mails should be safe from prying eyes. If they do have one, then I suggest not communicating things of a private nature whilst on the school network. (Even securely)

Posted: Mon Nov 01, 2010 3:47 pm
by Goatboy
Encrypt anything important with PGP. Problem solved.

Posted: Tue Nov 02, 2010 10:57 am
by iistapp
Thanks a lot guys : )

Our teacher set up an ISA server just for our class, so I suppose he's up to something, having a reason to put it up in the first place. I just randomly discovered it while I was trying to access some shared files from my friend's computer in class.

I got some e-mails and am sending some that I don't really want people to see other than myself.

I will ask about the school's computer and internet usage policy statement and see if they even got one, and if they happen to not have one, how should I proceed? As I suppose they will start putting one together if they figure they actually don't have one.

Posted: Tue Nov 02, 2010 11:39 am
by tremor77
You could be a driving force in creating a positive and thoughtful discussion between school administration, faculty, parents and students on internet usage policy, both how to protect against malicious and unintended usage, while also maintaining freedom of speech and privacy within the letter of the law. If presented thoughtfully, a student council or even school board would bring it up in a measure for discussion.

Don't let the school get away with the 'we are the teachers, you are kids and this is the way it is'...

Many times a school network admin, often a teacher who basically steps into the role by default of their having the 'most' knowledge... falls into what is known as Admin God Syndrome. When it comes to things like the school's computers and network they have a mentality of ownership, and ownership of everything that goes on within it, including your private work.

Let it be known however that this continues to be a major debate in schools and workplaces all over the world right now... the line between free speech and privacy, and limits, regulations and policies put in place by network owners/admins. In many cases an employer or school will argue that since the computer and the network are their property, they have the right to enforce whatever policy they choose....

I find it interesting that these situations occur in a microcosmic environment like schools and workplaces, because it is a mirror of the larger scope of all the internet with Net Neutrality and Information Privacy Act and a gamut of other, really important national debates involving technology.

Posted: Wed Nov 03, 2010 2:48 am
by iistapp
Cheers mate, thanks for the help! :D

Posted: Wed Nov 03, 2010 3:30 am
by IncandescentLight
Posted: Wed Nov 03, 2010 5:18 am
by iistapp
IncandescentLight wrote: Here's a resource on how hacking the ISA Server is actually done:
Seems like a pretty tough nut to crack.

Think I'll skip that idea ^^ But thanks anyways :)

Posted: Wed Nov 03, 2010 8:42 pm
by sanddbox
Did anyone else find Tremor's post inspiring and awesome?