Slide 1: Forefront Server Products
Ronald Beekelaar, Beekelaar Consultancy

Slide 2: Introductions
Presenter: Ronald Beekelaar
- MVP Windows Security
- MVP Virtual Machine Technology
Work: Beekelaar Consultancy
- Security consultancy: Forefront, IPsec, PKI
- Virtualization consultancy: creates many VM-based labs and demos

Slide 3: Agenda
- Overview of Forefront Server
- Exchange scanning: transport scanning, how mail store scanning works, mail store scanning options, file filtering
- Forefront Server Security Management Console (FSSMC)
- Forefront Security for SharePoint

Slide 4: Demo environment specifications
Three Windows Server 2003 R2 VMs:
- Exchange + Forefront for Exchange + Outlook
- SharePoint Services + Forefront for SharePoint
- Forefront Management Console (beta)
Memory: 2 GB required

Slide 5: Forefront Security for Exchange Server
Forefront Security for Exchange Server includes multiple scan engines from industry-leading security firms, integrated in a single solution, to help businesses protect their Exchange messaging environments from viruses, worms and spam.
Comprehensive protection:
- Ships with, and manages, multiple antivirus engines
- Multi-layered protection in Exchange 2007
- File filtering and premium anti-spam protection
Optimized performance:
- Deep integration with Exchange Server
- Scanning innovations and performance controls
- Maintains uptime and optimizes performance
Simplified management:
- Easily manage configuration and operation
- Automated signature updates
- Reporting, notifications and alerts

Slide 6: History
- Sybari Antigen 8.0 for Exchange: for Exchange 5.5 and Exchange 2003
- Microsoft Antigen 9.0 for Exchange: for Exchange 2003
- Forefront Security 10.0 for Exchange: for Exchange 2007

Slide 7: Multiple scan engines
Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines (vendor logos on the slide; the vendors are listed on the next slide). Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously.
(Diagram: internal messaging servers running engines A, B, C, D and E.)

Slide 8: Multiple scan engines
- Engines from eight different vendors: Ahn Labs, Authentium Command, CA, Kaspersky, Microsoft, Norman, Sophos, VirusBuster
- All delivered and licensed by Microsoft
- You can select a maximum of 5 (out of 8) engines
- Note: since 16-Jan-2007, CA Vet and CA InoculateIT have been combined into one engine
Customer benefits:
- Rapid response to new threats
- Greater protection through diversity of anti-virus engines
- Continuous protection

Slide 9: Multiple scan engines
Results from AV-test.org (2006): signature response times in hours, per sample, for five Forefront engine sets (FF Set 1 to FF Set 5) versus three single vendors (Vendor A, Vendor B, Vendor C). Samples listed: Spybot!04C, Nugache.a, Numuen.F, Numuen.H, Numuen.G, Rbot!E, Bagle.EG, Feebs.EU, Virut.A. Legend: < 5 hours, between 5 and 24 hours, > 24 hours. (The numeric cells of the table are not present in the transcript.)

Slide 10: Multiple scan engines, bias setting
- Available: 8 engines
- Selected: at most 5 engines (from the 8)
- Bias setting: how many of the selected engines are used for a single scan (1 to 5). With five engines selected:
  Max Certainty: uses all selected engines (100%): 5
  Favor Certainty: uses all selected engines that are currently available: 5 or 4
  Neutral: uses at least 50% of the selected engines: 3
  Favor Performance: uses up to 50% of the selected engines: 3, 2 or 1
  Max Performance: uses one engine for every scan: 1

Slide 11: Multiple scan engine performance
3Sharp conducted an analysis of the incremental impact of additional scan engines on performance. Findings: the additional protection offered by multiple engines greatly offsets the minimal impact on server performance.

Slide 12: Scan engine updates
Forefront for Exchange polls for updates. Update sources include:
- a share on another Forefront server
- a share on the Forefront Server Security Management Console (FSSMC)
Updates are NOT available from the antivirus vendors' own web sites (Norman, Sophos, etc.); all engine updates are delivered through Microsoft.

Slide 13: Scan mechanisms
- Scan for viruses using the scan engines (signature based)
- File filtering: block specific attachments, based on file name or file content
- Scan inside "containers" (zip, rar, doc, etc.), at most 5 levels deep; if a virus is detected, the rest of the container file is re-created without the infected member

Slide 14: Exchange 2007 roles
(Diagram.) On the Internet side: SMTP servers. At the boundary of the enterprise network: the Edge Transport role (hygiene, routing). Inside: the Hub Transport role (routing, policy), the Mailbox role (mail stores, public folders), the Client Access role (applications such as OWA; protocols such as ActiveSync, POP, IMAP, RPC over HTTP) and the Unified Messaging role (voice messaging, fax).

Slide 15: Scanning at transport
Transport scanning tries to minimize the effect on the message store: do not scan if the message was already scanned (tracked by the AV stamp).
- Inbound: scanned at the Edge role (not at the Mailbox role)
- Outbound: scanned at the Hub role (not at the Mailbox role)
- Internal: scanned at the Hub role (not at the Mailbox role)
AV stamp:
- An antivirus stamp header is written to each message as it is first scanned (at the Edge or Hub role):
  X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
- Later scanning operations (at the Hub or Store) check for the header; if it is found, the mail is not re-scanned
- When the mail is saved in the Store, the antivirus stamp is saved as a MAPI property and the header is stripped from the message

Slide 16: A quick look at transport scanning: how it works
- Inbound mail: scanned at the Edge or Hub role (whichever comes first)
- Outbound mail: scanned at the first Hub role
- Internal mail: scanned at the first Hub role (not in the Store); mail in Sent Items is not scanned
- Public folder postings: not scanned on submission

Slide 17: Scanning, inbound mail
(Diagram: Internet -> Edge server [SCAN + AV-STAMP] -> Hub role [NO SCAN] -> Mailbox role / public folder [NO SCAN] -> client.)
- Mail is scanned only once, at the Edge
- Saves processing load on the Hub and Mailbox servers

Slide 18: Scanning, outbound mail
(Diagram: client -> Mailbox role [NO SCAN] -> Hub role [SCAN + AV-STAMP] -> Edge server [NO SCAN] -> Internet.)
- On-submission scanning at the Mailbox server (store) is turned off by default
- The scan takes place at the Hub role
- Saves processing load on the Edge and Mailbox servers

Slide 19: Scanning, internal mail
(Diagram: client -> Mailbox role [NO SCAN] -> Hub role [SCAN + AV-STAMP] -> Mailbox role / public folder [NO SCAN] -> client.)
- Internal mail is always routed through the Hub role, where it is scanned
- Saves processing load on the Mailbox servers

Slide 20: Scanning at the Store
- Proactive scanning (off by default): scan on message submission to the store
- On-access scanning (on by default): scan when a message is accessed or viewed, but not if it was scanned before (checks the AV stamp); useful for Outbox, Sent Items and public folders
- Background scan (off by default): runs once a day; scans only messages less than x days old; ignores the AV stamp
- Manual scan (off by default): runs on a set schedule or on demand; ignores the AV stamp
- Quick scan (off by default): an easy way to run a one-time manual scan; ignores the AV stamp

Slide 21: Automatic scanning behavior changes
Scanning behavior changes in Exchange 2007. Each scan job has separate settings, so scan behavior may vary in Exchange 2007.
User action 1: the user attaches an infected file to an e-mail and sends it.
- Proactive scanning on (Exchange 2000/2003 default): the virus is detected in the Outbox by the Realtime Scan Job and deleted.
- Proactive scanning off (Exchange 2007 default): the virus is detected in the outbound mail queue by the Transport Scan Job and deleted.
User action 2: the user checks the Sent Items folder.
- Proactive scanning on: the virus was already deleted, having been detected in the Outbox by the Realtime Scan Job.
- Proactive scanning off: the mail is scanned by on-access scanning (Realtime Scan Job) and the virus is deleted.

Slide 22: "Outbreak mode"
Warning: do not use, except during a major outbreak.
The "Scan on Scanner Update" setting invalidates the AV stamp after each engine update. Result:
- Enables proactive (submission) scanning
- Scans each incoming message at the store, even if it was just scanned at transport
- Scans each mail on access, if the engine has been updated since the message was stamped
Conclusion: a significant increase in the amount of store scanning, but everything is always scanned with the latest engines.
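The stamp-and-skip rules of slides 15 to 22 can be checked end to end with a small model. The following Python is an added example written for this page, not code from the presentation or from Forefront: it treats the AV stamp header value as opaque, uses a constructed marker string in place of real virus signatures, and the hop names, the route table per direction and the MAPI-style property dictionary are assumptions made for the illustration.

```python
import email
from email import policy

AVSTAMP = "X-MS-Exchange-Organization-AVStamp-Mailbox"
STAMP_VALUE = "MSFTFF;1;0;0 0 0"  # value copied from slide 15; its fields are treated as opaque

# Constructed marker standing in for a real signature so the example runs offline.
MARKER = b"CONSTRUCTED-TEST-MALWARE-MARKER"

# Assumed hop order per direction, following the diagrams on slides 17 to 19.
# Outbound mail leaves the organisation, so nothing is stored in this model.
ROUTES = {
    "inbound": ["edge", "hub", "store"],
    "internal": ["hub", "store"],
    "outbound": ["hub", "edge"],
}


def signature_scan(msg):
    """Stand-in for the scan engines: flag any part whose decoded body carries MARKER."""
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload and MARKER in payload:
            return True
    return False


def transport_hop(msg, outbreak_mode=False):
    """One Edge or Hub hop: skip when an AV stamp is present, otherwise scan and stamp."""
    if msg[AVSTAMP] is not None and not outbreak_mode:
        return "skipped"
    if signature_scan(msg):
        return "deleted"
    del msg[AVSTAMP]            # outbreak mode may rescan a stamped message; keep one header
    msg[AVSTAMP] = STAMP_VALUE  # later hops and the store see this and do not rescan
    return "scanned"


def store_deliver(msg, outbreak_mode=False):
    """Save into the mailbox store: the header becomes a MAPI-style property and is stripped.

    An unstamped item (for example a public folder posting, which slide 16 says is not
    scanned on submission) is handled here by on-access scanning; outbreak mode ignores
    the stamp, as slide 22 describes.
    """
    stamp = msg[AVSTAMP]
    del msg[AVSTAMP]
    item = {"message": msg, "props": {"AVStamp": str(stamp) if stamp else None}}
    if stamp is not None and not outbreak_mode:
        return "skipped", item
    if signature_scan(msg):
        return "deleted", None
    item["props"]["AVStamp"] = STAMP_VALUE
    return "scanned", item


def route(raw, direction, outbreak_mode=False):
    """Push one raw RFC 822 message along the hops for `direction`; return (role, verdict) per hop."""
    msg = email.message_from_string(raw, policy=policy.default)
    trace = []
    for role in ROUTES[direction]:
        if role == "store":
            verdict, _ = store_deliver(msg, outbreak_mode)
        else:
            verdict = transport_hop(msg, outbreak_mode)
        trace.append((role, verdict))
        if verdict == "deleted":
            break
    return trace


# Constructed sample messages.
CLEAN_RAW = ("From: a@example.com\r\nTo: b@example.com\r\nSubject: report\r\n\r\n"
             "Quarterly numbers attached.\r\n")
INFECTED_RAW = CLEAN_RAW + MARKER.decode() + "\r\n"

if __name__ == "__main__":
    for direction in ROUTES:
        print(direction, route(CLEAN_RAW, direction))
    print("outbreak", route(CLEAN_RAW, "inbound", outbreak_mode=True))
    print("infected", route(INFECTED_RAW, "inbound"))
```

The point to take from the trace is the one slide 22 warns about: with outbreak mode on, every hop and the store scan the same message again, so the saving from the stamp disappears and store load rises accordingly.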

Slide 23: File filtering
- Block file attachments based on name (or content)
- Extension match on file name or on file content: *.exe, *.vbs, etc.
- Rules can be restricted by direction (inbound/outbound) and by size: *.exe, *.doc, *.mp3>5MB, *>10MB
- Can also be configured for "detect only"

Slide 24: File filtering, zip file behavior
Filter rule: delete *.exe, with the deleted file quarantined. Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP.
- Container file before scan: EXE, DOC, JPG, BMP
- Container file after scan: TXT (custom deletion text in place of the EXE), DOC, JPG, BMP
- The EXE goes to quarantine
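A worked version of the filtering described on slides 13, 23 and 24, written for this page and not Forefront's own code: the rule syntax follows the slides (`*.exe`, `*.mp3>5MB`, `*>10MB`, per direction, with delete, quarantine or detect-only actions), containers are opened with Python's zipfile module to at most five levels, and a blocked member is replaced by a .txt file holding the deletion text. The deletion text wording, the `.txt` being appended to the original name, and the choice to block a container nested deeper than the limit rather than pass it unscanned are assumptions of the example; the sample archive is constructed inline.

```python
import fnmatch
import io
import re
import zipfile

MAX_DEPTH = 5  # slide 13: containers are scanned at most 5 levels deep
# Configurable deletion text (slide 24). This wording is an assumption, not the product default.
DELETION_TEXT = b"This attachment was removed by a file filter rule."
_SIZE_UNITS = {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_rule(spec, action, direction="both"):
    """Turn a slide-style rule such as '*.mp3>5MB' or '*.exe' into a rule dict.

    action: 'delete', 'quarantine' (both replace the file) or 'detect' (log only).
    direction: 'inbound', 'outbound' or 'both'. min_size -1 means any size matches.
    """
    m = re.fullmatch(r"(.+?)(?:>(\d+)(KB|MB|GB)?)?", spec.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("bad rule: %r" % spec)
    pattern, num, unit = m.groups()
    min_size = int(num) * _SIZE_UNITS[(unit or "").upper()] if num else -1
    return {"pattern": pattern.lower(), "min_size": min_size, "action": action, "direction": direction}


def _first_match(name, size, direction, rules):
    for r in rules:
        if (r["direction"] in ("both", direction) and size > r["min_size"]
                and fnmatch.fnmatchcase(name.lower(), r["pattern"])):
            return r
    return None


def filter_attachment(name, data, rules, direction, depth=1, log=None):
    """Apply the rules to one attachment; return (new_name, new_bytes, log).

    A blocked file keeps its name with '.txt' appended and the deletion text as content.
    Containers are rebuilt with only the offending members replaced. log collects
    (member_name, action) tuples in scan order.
    """
    if log is None:
        log = []
    rule = _first_match(name, len(data), direction, rules)
    if rule is not None:
        log.append((name, rule["action"]))
        if rule["action"] in ("delete", "quarantine"):
            return name + ".txt", DELETION_TEXT, log
        # 'detect' only logs; the file still goes through the container check below
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth > MAX_DEPTH:
            # Example policy (assumption): a container too deep to inspect is blocked.
            log.append((name, "blocked: nested deeper than %d levels" % MAX_DEPTH))
            return name + ".txt", DELETION_TEXT, log
        return name, _rebuild_zip(data, rules, direction, depth, log), log
    return name, data, log


def _rebuild_zip(data, rules, direction, depth, log):
    """Re-create the archive, filtering each member one level deeper."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            new_name, new_bytes, _ = filter_attachment(
                info.filename, src.read(info), rules, direction, depth + 1, log)
            dst.writestr(new_name, new_bytes)
    return out.getvalue()


def nest(data, levels, member="n.zip"):
    """Wrap data in `levels` nested zip archives (used to exercise the depth limit)."""
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(member, data)
        data = buf.getvalue()
    return data


def build_sample_zip():
    """Constructed sample in the spirit of slide 24: an outer zip with a photo and an inner zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.doc", b"word document")
        z.writestr("tool.exe", b"MZ binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("photo.jpg", b"\xff\xd8 jpeg")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def demo(direction="inbound"):
    """Run the slide's rule set over the sample; return (name, outer members, inner members, log)."""
    rules = [parse_rule("*.exe", "delete"),
             parse_rule("*.mp3>5MB", "quarantine"),
             parse_rule("*>10MB", "quarantine")]
    name, data, log = filter_attachment("bundle.zip", build_sample_zip(), rules, direction)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        outer = z.namelist()
        with zipfile.ZipFile(io.BytesIO(z.read("inner.zip"))) as inner:
            inner_names = inner.namelist()
    return name, outer, inner_names, log
```

Containers are recognised by content (`zipfile.is_zipfile`), not by extension, for the reason slide 54 gives about SharePoint's own blocking: a renamed file defeats any name-only check. The same applies to the `*.exe` rule itself, which is why the slides offer content-based matching as well.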

Slide 25: Premium anti-spam protection
- Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007
- Deployed on the Exchange Edge or Hub server role; an Edge server can be deployed in front of Exchange 2003 mailboxes
- Built upon the base anti-spam in Exchange 2007, premium anti-spam protection adds:
  - Microsoft IP reputation filter service and automated updates
  - Automated updates every 15 minutes for Microsoft SmartScreen spam heuristics, phishing web sites and the Intelligent Message Filter (IMF)
  - Targeted spam signature data and automatic updates to identify the latest spam campaigns
  - Rights to use Exchange Hosted Services filtering

Slide 26: Forefront Server Security Management Console

Slide 27: Forefront Server Security Management Console
Microsoft Forefront Server Security Management Console allows administrators to easily manage Forefront Security for Exchange Server, Forefront Security for SharePoint and Microsoft Antigen installed on multiple servers across the enterprise. Themes: comprehensive protection, optimized performance, simplified management.
- Centralizes management through the web-based console
- Automates signature updates for multiple antivirus engines
- Generates comprehensive reports
- Provides outbreak response
- Rapidly distributes signature and scan engine updates
- Integration with Microsoft SQL Server 2005 and Windows Server 2003
- Redundancy maintains server availability
- Support for Exchange 2007 CCR clusters

Slide 28: FSSMC
Forefront Server Security Management Console (FSSMC) provides management, reporting and alerting/events for the Forefront Server products. This includes the Antigen server products, but not Forefront Client Security.
- Successor to Antigen Enterprise Manager (AEM)
- Released: October 2007
- Future: the "Stirling" management console will cover Forefront Client, Forefront Server and Forefront Edge

Slide 29: Support matrix and history
Management consoles, in order: Sybari Enterprise Manager (SEM), Antigen Enterprise Manager (AEM), Forefront Server Security Management Console (FSSMC).
Managed products: Sybari Antigen for Exchange 8.0, Sybari Antigen for SharePoint 8.0, Sybari Antigen for LCS 8.0, Microsoft Antigen for Exchange 9.0, Forefront Security for Exchange 10.0, Forefront Security for SharePoint 10.0.
(The matrix cells showing which console supports which product are not present in the transcript.)

Slide 30: Supported topology
(Diagram.) The Forefront Server Security Management Console manages: Exchange 2007 Edge servers, Exchange 2007 Hub servers, Exchange 2007 Mailbox servers, Exchange 2000 or 2003 routing servers, Exchange 2000 or 2003 mailbox servers, and Microsoft Office SharePoint Server 2007 or Windows SharePoint Services 3.0. DMZ servers are not supported.

Slide 31: Minimum system requirements
Operating system: Microsoft Windows Server 2003 SP2 (x86). Recommended: install the latest security patches from Windows Update.
Memory: 128 MB of available memory.
Hard disk: 65 MB of available disk space on an NTFS-formatted drive for the Forefront Server Security Management Console; 185 MB of available disk space on an NTFS-formatted drive for the prerequisites listed below.
Prerequisites:
- Internet Information Services (IIS) 6.0 or higher with ASP.NET 2.0 enabled
- Microsoft SQL Server 2000 Standard Edition (SP3a recommended), Microsoft SQL Server 2005 Standard Edition or SQL Server 2005 Express Edition*
The following prerequisites are included in the trial download and are installed automatically if they are not already present:
- .NET Runtime v2.0
- Microsoft Message Queuing (MSMQ) and MSMQ Triggers
- Microsoft Core XML Services (MSXML) 6.0 SP1
* Forefront Server Security Management Console supports SQL Server 2005 Express Edition, which is installed when selecting the "Express Install" option.

Slide 32: Feature overview

Slide 33: Add a server
- The first step is to identify and add the Forefront or Antigen server; it can be added directly or through the Browse feature
- Once added, the FSSMC Agent software must be installed on the target server by a job that pushes and installs the Agent
- Target server credentials are entered through the FSSMC console
- Installation progress and status are shown on screen

Slide 34: Jobs overview
Jobs are management tasks that run on demand or on a schedule:
- Deployment jobs: software, license files, templates
- Signature redistribution jobs
- Scheduled reports
- General options
- Manual scan job
- Log retrieval

Slide 35: Job, signature distribution
- A primary task for the FSSMC
- The FSSMC server serves as the central download agent for all scan engines and updates, which are then distributed proactively to the Forefront and Antigen servers
- Engine updates are delivered to all managed servers; you cannot target a subset of them
- Select the update schedule and choose the engines to download

Slide 36: Job, signature distribution (cont.)
Set the time intervals and the download path. Choose the scan engines for Forefront and Antigen.

Slide 37: Automated signature updating
(Diagram: engine partner updates flow over the Internet to the Forefront engine adaptor, and from there over the Internet to the Forefront servers.)

Slide 38: Signature distribution redundancy
(Diagram: the Internet, a Primary and a Backup FSSMC server, and the Forefront servers.)
1. The Backup server connects to the Internet and retrieves the Forefront (FF) engine manifest file
2. The Primary server connects to the Internet and retrieves the signature updates
3. The Primary notifies all FF clients that updates are available
4. The Backup server connects to the Primary and compares the file manifest with the files available on the Primary; if the files are newer, the Backup copies them; if the Primary is out of date, the Backup downloads from the Internet
5. The Backup notifies the client machines that it also has signature updates
6. Clients pull signatures from the Backup if they are more up to date

Slide 39: Auto-discovery of Exchange servers
- A nightly scan of Active Directory searches for Exchange servers
- Discovered servers are compared with the servers known to the Forefront Server Security Management Console
- All previously undiscovered Exchange servers are highlighted on screen and listed in a daily report
- Forefront/Antigen can then be deployed to these servers

Slide 40: Auto-discovery of Exchange servers (cont.)
The At a Glance screen highlights newly discovered servers.

Slide 41: Reporting, At a Glance
A system status screen showing key data points from the past 24 hours:
- Virus statistics: skipped, cleaned, detected, blocked, etc.
- Spam statistics: skipped, purged, identified, etc. (Antigen 9 only)
- Filter statistics: file filters, keyword filters, subject line filters
- Top 5 viruses
- Most active servers

Slide 42: Reporting, out-of-date engine and signature version report
Problem: security admins want to know whether their systems are up to date; out-of-date signatures and engines should be identified.
Solution: FSSMC makes it possible to view the signature and engine version on each managed server, whether or not that server receives its updates from FSSMC.

Slide 43: Alert management
Example: an alert can be sent when no virus activity is seen for a specified period of time. A lack of virus detections can indicate a scanning failure: a possible scan job crash, or a possibly misconfigured server.

Slide 44: Reporting, out-of-date engine and signature version report (cont.)
The status indicator turns RED when there is no Internet connection.
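The two checks behind slides 42 and 43 (engines or signatures that lag, and servers that have gone quiet), as an added Python example written for this page rather than FSSMC code. The status records are constructed; the field names, the 24-hour staleness threshold and the 12-hour quiet period are assumptions. The newest signature seen anywhere in the fleet is used as the reference for each engine, which is also what lets the check cover servers that are not updated by FSSMC.

```python
from datetime import datetime, timedelta

# Constructed status records, one per (server, engine), of the kind the console
# collects from each managed server. Names, versions and timestamps are invented.
STATUS = [
    {"server": "EX-EDGE01", "engine": "Norman", "signature": "2008-03-02.03",
     "updated": "2008-03-02T04:10", "last_detection": "2008-03-02T03:58"},
    {"server": "EX-EDGE01", "engine": "Sophos", "signature": "4.27.0",
     "updated": "2008-03-02T04:12", "last_detection": "2008-03-02T03:58"},
    {"server": "EX-HUB01", "engine": "Norman", "signature": "2008-03-02.03",
     "updated": "2008-03-02T04:15", "last_detection": "2008-03-01T21:40"},
    {"server": "EX-HUB01", "engine": "Sophos", "signature": "4.26.0",
     "updated": "2008-02-28T09:00", "last_detection": "2008-03-01T21:40"},
    {"server": "SP-WFE01", "engine": "Norman", "signature": "2008-02-27.01",
     "updated": "2008-02-27T02:00", "last_detection": None},
]

NOW = datetime(2008, 3, 2, 12, 0)  # fixed "now" so the example is reproducible


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def out_of_date(records, now=NOW, max_age=timedelta(hours=24)):
    """Slide 42: (server, engine, reason) for engines whose signature lags the newest
    seen in the fleet for that engine, or whose last update is older than max_age."""
    newest = {}
    for r in records:
        if r["engine"] not in newest or _ts(r["updated"]) > _ts(newest[r["engine"]]["updated"]):
            newest[r["engine"]] = r
    findings = []
    for r in records:
        reasons = []
        ref = newest[r["engine"]]["signature"]
        if r["signature"] != ref:
            reasons.append("signature %s behind fleet %s" % (r["signature"], ref))
        if now - _ts(r["updated"]) > max_age:
            reasons.append("no update for more than %s" % max_age)
        if reasons:
            findings.append((r["server"], r["engine"], "; ".join(reasons)))
    return findings


def silent_servers(records, now=NOW, quiet=timedelta(hours=12)):
    """Slide 43: servers with no detection inside `quiet`. Silence can mean a crashed
    scan job or a misconfigured server, so it is raised as an alert, not taken as good news."""
    last = {}
    for r in records:
        ts = _ts(r["last_detection"])
        if r["server"] not in last or (ts and (last[r["server"]] is None or ts > last[r["server"]])):
            last[r["server"]] = ts
    return sorted(s for s, ts in last.items() if ts is None or now - ts > quiet)


if __name__ == "__main__":
    for finding in out_of_date(STATUS):
        print("OUT OF DATE:", finding)
    print("SILENT:", silent_servers(STATUS))
```

The quiet-period check needs tuning per role: an Edge or Hub server sees a steady stream of inbound malware and a gap of a few hours is suspicious there, while a low-traffic SharePoint front end may legitimately go days without a detection, so a single fleet-wide period will either miss a dead scan job or page on normal silence.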

Slide 45: Forefront Security for SharePoint

Slide 46: How do viruses get to SharePoint?
- Today, viruses arrive primarily by accident, not by design: a user uploads a document with an embedded payload
- Possibly malicious user activity
- Risks in an extranet deployment
- A user maps a network drive to \\server\sites\teamsite; if that user is infected by a virus that attempts to propagate to network shares, the virus can propagate to SharePoint sites
(Diagram: users -> SharePoint Portal Server -> SQL document library.)

Slide 47: Why SharePoint antivirus?
- File server AV does not provide the level of protection needed to prevent SharePoint-related infections
- Desktop AV is not enough to solve the problem: it may detect the infection in the locally cached copy, but it cannot clean the stored copy in the document library
- Forefront Security for SharePoint cleans the document in the library, ensuring all posted and downloaded documents are safe
- With those other products, signature distribution is often slow and problematic, and never involves five scanning engines

Slide 48: Forefront antivirus scanning
Forefront provides two types of scan job:
- Realtime Scan Job: scans any file being uploaded to or downloaded from SharePoint; works with a web browser or any other application accessing SharePoint; provides proactive protection
- Manual Scan Job: scans all or part of the SharePoint document library on demand; scans can be scheduled; can use engines different from those of the Realtime Scan Job

Slide 49: Forefront Realtime Scan Job
- Realtime scanning always uses the VSAPI
- Basic Realtime scan settings are centrally configured through the SharePoint administration web interface, not the Forefront console: click "Operations", followed by "Antivirus"

Slide 50: Virus, user experience
(Screenshot.)

Slide 51: Realtime scan virus detection actions
When Forefront detects a virus, several actions are available:
- Skip (detect only): logs the presence of the virus but does not block or delete it. Not a secure setting; can be used for testing/evaluation purposes.
- Clean (repair document): attempts to clean the file; if the file cannot be cleaned, it is blocked.
- Delete (block document): good choice!

Slide 52: Realtime virus deletion text
- When a file is deleted because it contains a virus, Forefront replaces it with a text file; the file keeps its name but gets a .txt extension
- Deletion text is only used in Realtime scanning when replacing files within a ZIP file
- The text file contains a configurable "Deletion Text" that can include system information
- By default, the deletion text reads:

Slide 53: Forefront Manual Scan Job
- The Manual Scan provides a tree view into the document library
- All or part of the library can be selected for scanning using check boxes
- New sites are not included by default unless the top box is checked
- Use Quick Scan to scan a particular part of the library

Slide 54: File filtering, Forefront vs. SharePoint
- SharePoint also supports file blocking, but performs only file extension checking: it will not catch a file whose extension has been changed to an approved one
- If SharePoint and Forefront rules overlap, the SharePoint rule is applied first
- SharePoint's file check requires less overhead and should be used in conjunction with Forefront: block the same list of files in both places
- Forefront's "Skip: detect" mode can be used to inventory the library or to understand real-time file storage patterns

Slide 55: Large file support
- Large file support has been added to the VSAPI in SharePoint 2007: the VSAPI hook can load and transfer pieces of the file on demand, and Forefront requests file data in chunks
- The maximum file size that can be scanned is 2 GB
- If the file is larger than 2 GB, the ForefrontService returns MSOVSI_STATUS_INFECTED and the virus information string notes "Exceeded File Size"; an oversized file is therefore treated as infected rather than passed through unscanned

Slide 56: VSAPI 1.4 architecture
(Diagram: SharePoint front end -> Antivirus Manager (AVM) -> COM layer -> Virus Scan Engine (VSE, the antivirus vendor component); the AVM is the only component touching the SharePoint DB.)
- The SharePoint process (AVM) reads and writes to the DB; the AV engines do not have to interact with the DB
- The VSE returns results and the AVM takes action, e.g. block, clean, etc.

Slide 57: SharePoint API integration
- Utilizes the SharePoint Virus API to scan files during upload and download
- Optimized for performance in a SQL environment
- Files are not rescanned if the engines have not been updated
- Up to ten simultaneous scanning threads, to help ensure users are not delayed waiting for documents to be scanned
- Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly

Slide 58: Troubleshooting tips
1. FSCUtility.exe
   FSCUtility /status: gives an on-screen report showing the status of Forefront Security and the server
   FSCUtility /disable: disables the Forefront Security dependencies
   FSCUtility /enable: enables the Forefront Security dependencies
2. FSCDiag
3. Programlog.txt
4. Event logs
5. Perfmon counters
6. MOM packs
7. Forum:

Slide 59: Microsoft Operations Manager
- Over 100 events, performance counters and services monitored
- Monitors the state of Forefront; collects statistical data on the scanning, detection and removal of messages and attachments
- Polls Forefront services: provides timed events to poll systems for critical process health
Key tasks:
- Triggers scan engine updates
- Centralizes storage and deployment of license files
- Imports, exports and deploys setting changes
- Initiates and/or schedules manual scan jobs
- Starts/stops Forefront services

Slide 60: Q&A