[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

This document describes how Microsoft® Internet Security and Acceleration (ISA) Server handles personally identifiable information (PII). As an administrator, you should be aware of how ISA Server handles PII, to help you comply with legal or corporate guidelines as required.

Personally Identifiable Information

Personally identifiable information is information that can be used to identify or contact you. While typically this may include items such as your name, e-mail address, home or work address, or telephone number, in the case of ISA Server it is likely to include:

  • Computer names (which may be personally identifiable)

  • User names

  • IP addresses (which may be associated with PII)

  • URLs (which may contain PII)

ISA Server and PII

The possible collection of PII by ISA Server is described for the following features:

  • Logging

  • Cache

  • Tracing

  • Windows Error Reporting

  • Customer Experience Improvement Program

  • Alerts, event log, and Microsoft Operations Manager

Details are provided in this document about each of these features.

Logging

The ISA Server log stores PII such as computer names and user names, as well as URLs, which may contain PII. Note that you can configure the ISA Server log to not store these fields.

To configure what fields an ISA Server log records
  1. In the console tree of ISA Server Management, click Monitoring.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, select the appropriate task:

    • Configure Firewall Logging. To configure the Firewall log.

    • Configure Web Proxy Logging. To configure the Web Proxy log.

    • Configure SMTP Message Screener Logging. To configure the SMTP Message Screener log.

  4. On the Fields tab, do one of the following:

    • To select specific fields, select the appropriate check box.

    • To clear all the check boxes in the field list, click Clear All.

    • To select all the check boxes in the field list, click Select All.

    • To select a default set of fields in the ISA Server log file, click Restore Defaults.

Cache

The ISA Server cache does not typically contain PII, unless you select the "Content requiring user authentication for retrieval" option in the properties for a cache rule. In this case, PII such as user names, and any PII that is included in the cached pages, are stored in the cache. The information in the cache can only be viewed by an ISA Server administrator. For more information about ISA Server administrator permissions, see ISA Server Help.

Tracing

Passwords are removed from ISA Server tracing data before the tracing data output is created. PII such as user names, and content that may contain PII such as URLs and Web content, are included in the trace. The trace information can only be viewed by an ISA Server administrator. For more information about ISA Server administrator permissions, see ISA Server Help.

Windows Error Reporting

Microsoft Windows® Error Reporting (WER), formerly known as Watson, is a set of technologies built into the Microsoft Windows Server™ 2003 and Windows XP operating systems. WER captures product failure data, allows end users to report the information, and allows software and hardware vendors to analyze and respond to these problems. WER reports can contain PII. PII that ISA Server is aware of, such as passwords, will be encrypted in the report, so it is not readable. However, other PII, such as PII that may be contained in Web content, will not be encrypted, and will be readable in the report. For more information about the types of data that may be included in a WER report, see http://oca.microsoft.com/en/dcp20.asp.

WER does not send a report without the approval of an administrator. You can review the report contents before you agree to send it. You can also configure WER to add reports to a queue, rather than triggering a message, so that you will be informed of the issue and report when you next log on. Also, you can configure WER to save reports locally, so that you can review them and send selected reports to Microsoft. We recommend that you use one of these approaches to administer WER to handle reports containing PII. For information about configuring WER, see "System and program error reporting overview" at the Microsoft TechNet Web site. This article links to other WER topics.

Customer Experience Improvement Program

The optional Microsoft Customer Experience Improvement Program (CEIP) is provided with ISA Server 2006. If you choose to participate, CEIP will send to Microsoft data about ISA Server usage. This information is useful to Microsoft to understand how ISA Server is deployed and which features are being used, and helps us to improve the product.

By default, CEIP is not enabled on ISA Server. You can choose to enable it on the Customer Feedback tab of the ISA Server computer or array properties.

CEIP does not collect PII, or other user-specific information, or information about specific ISA Server administrators. It also does not collect information about specific rules configured in ISA Server. It does collect other policy information, for example, whether firewall chaining is used, how many URL sets are defined (but not the content of the URL sets), and whether RADIUS accounting is used.

For more information about CEIP, see "Microsoft Customer Experience Improvement Program" at the Microsoft Windows Web site.

Alerts, Event Log, and Microsoft Operations Manager

ISA Server alerts, events written by ISA Server to the Windows Server event log, and ISA Server events in Microsoft Operations Manager (MOM) may contain IP addresses.

For more information about the collection of data by the ISA Server management pack for MOM, see "Microsoft Operations Manager Privacy Statement" at the Microsoft TechNet Web site.