Microsoft Discontinues A Number Of Forefront Products

It was generally known on the Internet that something was up; Forefront Threat Management Gateway (TMG) was considered by many (on forums and blogs) as walking dead.  People knew it was just a matter of time that an announcement would come.  And so it did yesterday, but I did not expect the actual breadth of the announcement.  The following products will no longer be available after December 1st, 2012:

User Access Gateway continues; it’s been used by people who have deployed W2008 R2 Direct Access so that they don’t have to deploy IPv6 on the LAN.  It’s only a matter of time, because that functionality has been put in WS2012 Direct Access, meaning that UAG won’t be required for current version DA deployments.

Forefront Identity Manager apparently has a roadmap and will “continue to be actively developed”.

The produce formerly known as Forefront Endpoint Protection (the client and server file system/memory AV scanner) was moved to System Center with the release of SysCtr 2012 because of the reliance on Configuration Manager as the management console (also can use Intune).  The definition updates are common across versions so updates will continue.

What about anti-malware protection for Exchange?  Here’s what Microsoft had to say:

As part of this effort, the next release of Forefront Online Protection for Exchange, which has long been part of the Office 365 solution, will be named Exchange Online Protection. 

In response to customer demand, we are adding basic antimalware protection to Exchange Server 2013.  This protection can be easily turned off, replaced, or paired with other services (like Exchange Online Protection) to provide a layered defense.

Forefront Online Protection is the cloud based product; think Postini or MessageLabs, but run by Microsoft for Exchange.  Anyone planning on running Exchange 2010 or older will not have an on-premises defence for Exchange after December 1st (see FPE in the above table).  If you want on-site Exchange protection, you’ll have to look at 3rd party Exchange security solutions, otherwise upgrade to Exchange 2013 for “basic antimalware protection”.  I’ve been recommending online and onsite protection – onsite protection defends against “internal” threats such as roaming or remote workers.

Technorati Tags: ,,

Comparing the Core CAL and Enterprise CAL Suites

With Windows Server products, you typically have to buy server licensing (SharePoint) and user/device client access licensing (CAL) for each user/device connecting to the server.  One could buy each of these CALs one at a time.  But there are more efficient ways (accounting and cost) to buy them if you’re using several of those products.  You can buy a CAL suite.  There is a Core CAL suite that includes Standard edition CALs (e.g. Exchange Standard and SharePoint Standard), and an Enterprise CAL Suite (e.g. Exchange Enterprise and SharePoint Enterprise).  They include a bunch of products.  From a customer’s point of view, they’re cheaper and easier to account for.  From a resellers point of view, there’s potentially more work there if a customer has CALs for unused solutions.

The documents on this site compare and contrast the two suites and the features that they support.

Core CAL Suite:

  • Windows Server 2008 R2 CAL
  • Exchange Server 2010 Standard CAL
  • Lync Server 2010 Standard CAL
  • SharePoint Server 2010 Standard CAL
  • System Center Configuration Manager 2012 client ML (Interesting that it’s listed as “2012”)
  • Forefront Endpoint Protection

Enterprise CAL Suite:

  • Everything in the Core CAL Suite
  • Exchange Server 2010 Enterprise CAL
  • Lync Server 2010 Enterprise CAL
  • SharePoint Server 2010 Enterprise CAL
  • System Center Operations Manager 2007 R2 client ML
  • System Center Service Manager 2010 client ML
  • System Center Data Protection Manager 2010 client ML
  • System Center Opalis client ML
  • Forefront Protection Suite (Forefront Protection 2010 for Exchange Server, Forefront Protection 2010 for SharePoint, Forefront Security for Office Communications Server, Forefront Online Protection for Exchange(formerly Exchange Hosted Filtering), Forefront Threat Management Gateway Web Protection Service)
  • Forefront Unified Access Gateway
  • Microsoft Windows Rights Management Services

How HM Treasury Was Allegedly Attacked & How to Defend Against It

I was listening to The Guardian’s Tech Weekly podcast on the way into work this morning and they were discussing some of the recent announcements from the British government about the cyberwar research that the MoD/GCHQ is doing.  In the discussion they mentioned that there was a recent attempted attack on HM Treasury (department of finance), and that the attacks allegedly came in two forms:

  • Drive-by browsing: this is where a user innocently goes onto a legitimate website, but an outsourced advert uses a browser vulnerability to inject some software onto the user’s computer.
  • Malware attachments: Some piece of dodgy software is sent as a normal looking attachment in an email.  This file has some sort of built in attack, like a trojan downloader, and the PC becomes a bot (something the attacker can remotely control by commands that the downloader will pull down from a service or website running on the Internet).

I am not a security expert.  In fact, most of the self-proclaimed security experts that you meet are not security experts.  I have met real security experts.  They speak a whole other language that we IT Pros don’t understand.  I’ve also met “security experts” with their recently downloaded checklists who do more damage than good.  The good news is that there is lots that you can do to protect yourself from attacks such as the above.  The bad news is that there is no 100% perfect defence.  For example, antivirus scanners detect already known threats.  Someone has to get hit somewhere before a threat becomes known.  Let’s stay positive and see what could be done to protect against the above two attacks.

Defending Against Drive-By Browsing

Drive-by browsing has been around for some time.  I’ve attended presentations by Microsoft’s Roger Grimes (serious security dude), where he talked about the website of a certain conservative news broadcaster.  They sold advertising space on their website.  Other than the space, they had no control over content.  That was done by the online advertiser.  And they probably did more outsourcing or bidding.  Allegedly, browsing this website could cause you to become a victim of an attack that was built into one of these outsourced adverts.  You’d just browse the site and *BANG* your PC downloaded a trojan downloader.  In other words, it was 0wned.

The most basic defence against drive-by attacks is to keep your browser up to date with security fixes.  Don’t be a fanboy sheep: all browsers are vulnerable.  I remember listening to another podcast (TWiT Windows Weekly) a few months ago where they discussed how Safari took seconds to smash, and Chrome/IE lasted a bit longer but eventually gave in at some hack-athon.  Google and Microsoft are constantly releasing updates.  Google do it via new versions of Chrome.  Microsoft do it through security hotfixes.

If you run anything but the smallest business then you need to manage these updates.  This is one of IE’s strengths because it can be updated immediately (or after internal testing) via Windows Updates, WSUS, and System Center (Configuration Manager 2007 or System Center Essentials 2010).  There really is no excuse for a business not to be doing this, monitoring patch update levels, and remediating any deployment issues.

This adverts are effectively downloading a trojan installer.  A proxy malware scanner can help defend against this.  Forefront Threat Management Gateway (TMG) includes a Malware Inspection Filter, as do many other firewall and proxy products.  I’ve always like the ISA (now TMG) family because they are AD integrated, and I can reuse security groups and user accounts for rules and exceptions.

Malware Attachment

The problem with email is that is pretty open, and trusting.  If I know the name or IP address of your SMTP gateway then there’s nothing to stop me from creating a malformed email that appears to come from someone you know and trust, and attaching a piece of malware to do bad things to your PC (and then your network).

Last night I read about some executive of a large corporation who sent out a memo to all employees to instruct that they should confirm the source of all emails before opening them. That certainly is one way to prevent the opening of an attachment. I just wonder if this executive answered the 20,000+ phone calls from his employees when they called to confirm that he really sent that email. Let’s get real – people have jobs to do and they cannot spend 3/4 of the day calling people to see if so’n’so really sent an email. Why would we have email at all in that case?

Sure we can do a bit of user education.  I don’t need to open an attachment with a .EXE file extension.  I don’t need to read an email from the wife of some deposed king.  And I really don’t need pills for you-know-what Smile  Common sense education helps.  But as Steve Riley has said in presentations in the past: the vulnerability lies in the meat that sits between the chair and the keyboard.  If we cannot fix that. then maybe we need to wrap our email system in defences to counter those weaknesses.

Lets start with the mail server.  Stick some malware scanning on there, like Forefront for Exchange (or another solution).  That will protect the server against external threats.  I know you’ll interject here with another suggestion (and I’ll get there).  Think about how IT is changing.  Consumerisation of IT has caused users to bring all sorts of devices onto our networks.  Lord knows what they connect to when they are not on our network.  And those same devices will be used to connect to the company’s mail services.  You need to protect the company’s email (and reputation) against those internal threats.

Next up is the online malware scanning service, such as Forefront Online Protection for Exchange (FOPE) or others.  The company’s MX record points to this, all incoming email is scanned for spam and malware, and then sent on to the company’s SMTP gateway.  You’re in complete control – you can even integrate the management of Forefront for Exchange with FOPE via a free (I believe) management console (it also can manage Forefront for SharePoint).  Now you can filter out the incoming rubbish before it gets to the company’s expensive Internet connection, and you have a layered defence.

Third Party Update Catalog

We aren’t finished yet.  Antivirus scanners are not perfect, especially when it comes to custom written or brand new threats.  The more serious attacks out there are not done by script kiddies in a basement; they’re done by organised crime, your competitors, and state agencies.  They have the time and money to create new programs to leverage discovered vulnerabilities.  For example, it’s one thing to scan for Conficker, it’s another thing to fix the vulnerability that it attacks so you can prevent anyone else from attacking it.

So you can use Windows Update, WSUS, ConfigMgr, or SCE to patch Windows.  Great!  The attachment that was used in the allegedly attack on HM Treasury was allegedly based on an Adobe product.  How often do you see Adobe products looking to update themselves to fix some security issue?  It feels to me like it happens a few times a week.  I bet most of you, and your users, disable these annoying updates – and that’s what the attacker is betting on!  They can write a custom attack, build it into a PDF (or whatever), send it to a user in your organisation using a crafted email that appears innocent enough, it’ll sail through the scanners (because it is an unknown attack), the attachment is opened in a vulnerable reader, and *badda bing* the attacker now has control of a PC on your network.

*PANIC* This is where you uninstall Adobe Reader, Flash, etc, and use third party alternatives – not so fast, my friend! (Why do I keep quoting Lee Corso?).  Adobe products, like every other, has vulnerabilities.  If you think those other readers don’t then you’re fooling yourself.  If you’re a big enough target, then an attacker will figure out what third party reader you use via social engineering, and craft an attack for that.  With Adobe, you at least have a way to force updates for your users.

No, we cannot trust users to run Adobe updates by themselves, just like we cannot trust them to run Microsoft updates for themselves.  Adobe has created software update catalogues that we can use in System Center Configuration Manager (MSFT’s main way to adopt/control consumerisation of IT) and System Center Essentials.  This will allow you to centrally download, test, approve, and deploy updates to relevant machines in an automated, and scheduled manner, with deployment deadlines.  Now you can force those vulnerable PCs to update, and secure your network against those vulnerabilities.


With all this you get layered defences.  Is it 100% secure?  No.  Like I said, I’m honest enough to say that I’m not a security expert but I know that with the above systems, you could protect yourself against the same attack that allegedly targeted HM Treasury (based on the information that I heard this morning).  Combine this with protection for PCs, servers, SharePoint, Lync, and so on, and you’ll have a nice fortress.  You can’t rely on people to protect the castle, and that’s why you need an automated portcullis approach like this.  The responsibility then falls on you as the gatekeeper to ensure that the gate is built correctly.

Note: I don’t know why some people always assume that virtual machines (on any hypervisor) assume that security should be any different for them.  The virtualised workloads still need the same levels of protection that they physical alternative would.

Forefront TMG (or any Firewall) & Virtualisation

I was asked today about using (W2008 R2 SP1 Hyper-V) Dynamic Memory and Forefront Threat Management Gateway (TMG).  To be honest, I hadn’t looked at TMG on virtualisation before – Microsoft has a huge product catalogue.

I searched, and found a long and detailed article on the subject.  The guidance starts with understanding the network role of the TMG installation in question.  That means understanding workloads (network and server) that the VM will be handling.  This leads to some general TMG configurations, which will obviously affect resource requirements and performance.  We are reminded that the TMG VM will be sharing a host with other VM workloads, and therefore a spiking TMG VM could affect resource utilisation of other VMs.  Consider this when sizing hosts or placing virtual machines.  The TMG group recommends doing a 2 week proof-of-concept or assessment to gather empirical data for this sizing process.  TMG will eat CPU and memory.

Speaking of memory, a SQL back end is used for logging.  This is normally an Express install.  This edition (at the moment) doesn’t have the ability to deal with expanding memory such as Hyper-V Dynamic Memory.  The minimum RAM for TMG is 2 GB.  Well, SQL Express has a “one GB memory limit for the buffer pool”If you decide you must enable DM on your TMG VM(s), then maybe you should set the start up memory setting for a TMG VM to 2048 MB.  That will leave SQL Express in a healthy state in terms of memory (knowing how much to take at startup) and will ensure that TMG always has the minimum required.  You can set your maximum memory setting to what you find is required after your assessment.

Physical networking is discussed.  Any VLANing or DMZ/edge network designs for a physical installation should still apply.  Don’t redesign or compromise the network design to suit virtualisation; do redesign the virtualisation hosts to suit the network and security requirements.

Ideally, a host used for providing capacity to network security VMs should not run other VM roles, e.g. you ideally won’t mix Exchange VMs and TMG VMs on the same host.  But hey, sounds great in mid/enterprise environments but a bit pricey for SMEs.

There’s lots of advice on lock down policies, patching, and enabling BitLocker on the parent partition.  And of course, only provide access to the parent partition as and when is (business critically) required.

An interesting one which might answer many forum questions, the TMG group recommends that internal and external virtual NICs should not share virtual switches.  That means you should ideally use different physical NICs for those networks, and maybe use different virtual NICs that are created by your network provider (e.g. Broadcom, HP NCU, etc).

There is a reminder to disable everything except the virtual switch protocol in the parent partition NICs that are used for external virtual switches.

You should have a way to log into or manage/monitor the parent partition separately from the virtual machine workloads.  In other words, have a dedicated parent partition physical network card that is not used by virtual networks.  This will allow you to manage the parent partition and it’s other workloads if something like a DOS attack happens and the internet facing NIC for the TMG VM is being hammered.

For your virtual machine disks, it is recommended that you place OS, SQL logs on different drives.  If you are using host server internal disks then you’ll need to create different LUNs.  Things aren’t that simple in a SAN where virtual disk systems are used, because different LUNs are actually striped across the same disks in the disk group.  I’d consider a CSV with all VHDs on there.  And then you get into the normal CSV/backup design decision making process.  Remember to keep IOPS requirements (from the assessment) in mind.

The article ends with a discussion of various virtual networking designs and how they will impact on the performance of your TMG VM.