Slide 1: Forefront Server Products
Ronald Beekelaar, Beekelaar Consultancy, ronald@beekelaar.com
Slide 2: Introductions
- Presenter: Ronald Beekelaar
  - MVP Windows Security
  - MVP Virtual Machine Technology
  - E-mail: ronald@beekelaar.com
- Work: Beekelaar Consultancy
  - Security consultancy: Forefront, IPSec, PKI
  - Virtualization consultancy: creates many VM-based labs and demos
Slide 3: Agenda
- Overview of Forefront Server
- Exchange scanning
  - E-mail transport scanning
  - How mail store scanning works
  - Mail store scanning options
  - File filtering
- Forefront Server Security Management Console (FSSMC)
- Forefront Security for SharePoint
Slide 4: Specifications (demo environment)
- Three Win2003 R2 VMs
  - + Exchange 2007
  - + Forefront for Exchange
  - + Outlook 2003
  - + SharePoint Services 3.0
  - + Forefront for SharePoint
  - + Forefront Management Console (beta)
- Memory: 2 GB required
Slide 5: Forefront Security for Exchange Server
Forefront Security for Exchange Server includes multiple scan engines from industry-leading security firms, integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.
- Comprehensive Protection
  - Ships with and manages multiple antivirus engines
  - Multi-layered protection in Exchange 2007
  - File filtering and premium anti-spam protection
- Optimized Performance
  - Deep integration with Exchange Server
  - Scanning innovations and performance controls
  - Maintains uptime and optimizes performance
- Simplified Management
  - Easily manage configuration and operation
  - Automated signature updates
  - Reporting, notifications and alerts
Slide 6: History of Forefront Security for Exchange
- Sybari Antigen 8.0 for Exchange: for Exchange 5.5 and Exchange 2003
- Microsoft Antigen 9.0 for Exchange: for Exchange 2003
- Forefront Security 10.0 for Exchange: for Exchange 2007
Slide 7: Multiple Scan Engines
- Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from: [vendor logos]
- Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously
- [diagram: internal messaging servers scanned by engines A, B, C, D and E]
Slide 8: Multiple Scan Engines
- Engines from eight different vendors: Ahn Labs, Authentium Command, CA, Kaspersky, Microsoft, Norman, Sophos, Virus Buster
- All delivered and licensed by Microsoft
- You can select a maximum of 5 (out of 8) engines
- Note: since 16-Jan-2007, CA Vet and CA InoculateIT are combined
- Customer benefits
  - Rapid response to new threats
  - Greater protection through diversity of anti-virus engines
  - Continuous protection
Slide 9: Multiple Scan Engines
Results from AV-test.org (2006): signature response times in hours.
Columns: MM/YY | Virus | FF Set 1 | FF Set 2 | FF Set 3 | FF Set 4 | FF Set 5 | Vendor A | Vendor B | Vendor C
Legend: < 5 hours; between 5 and 24 hours; > 24 hours.
Rows (values as extracted, column boundaries not recoverable):
- 0406 Mytob.NQ@mm 1.51.0 3.19.9 17.42.1
- 0406 Mytob.NQ@mm 1.01.11.0 28.1 11.63.5
- 0406 Spybot!04C2 23.01.023.025.3 1.00 29.939.0
- 0406 Nugache.a 1.025.51.0 34.1 12.948.1
- 0506 Numuen.F 024.400 01.0 10.315.0
- 0506 Numuen.H 1.031.71.0 103.8 251.9114.8
- 0506 Numuen.G 3.28.23.2 1.0 151.8469.0
- 0506 Banwarum.C@mm 87.51.087.5 1.0116.7 73.0129.3
- 0506 Banwarum.B@mm 12.11.01.8 1.0116.7 22.432.9
- 0506 Rbot!E905 0000 01,141.8 217.61.0
- 0606 Bagle.EG 0000 00 7.30
- 0606 Bagle.EH@mm 01.300 00 18.40
- 0606 Bagle.EG@mm 03.600 1.00 26.50
- 0606 Bagle.LY@mm 0000 00 6.42.5
- 0706 Feebs.gen@mm 0000 00 0503.8
- 0706 Feebs.EU 01.000 052.3 173.239.0
- 0706 Virut.A 0000 00 01,317.0
Slide 10: Multiple Scan Engines, bias setting
- Available: 8 engines
- Select: max 5 engines (from 8)
- Bias setting: how many of the selected engines are used on a single email (1..5)
  - Max Certainty: uses all selected engines (100%) - 5
  - Favor Certainty: uses all available engines - 5 or 4
  - Neutral: uses at least 50% of selected engines - 3
  - Favor Performance: uses up to 50% of selected engines - 3, 2 or 1
  - Max Performance: uses one engine for every scan - 1
Slide 11: Scan Engines, multiple scan engine performance
- 3Sharp conducted analysis on the incremental impact of additional scan engines on performance
- Findings: the additional protection offered by multiple engines greatly offsets the minimal impact on server performance
Slide 12: Scan Engine Updates
- Forefront for Exchange polls for updates
- Available at:
  - http://forefrontdl.microsoft.com
  - a share at another Forefront server
  - a share at the Forefront Management Console (FSSMC)
- But NOT available at: the antivirus vendor's Web site (Norman, Sophos, etc.)
Slide 13: Scan Mechanisms
- Scan for viruses, using scan engines: signature based
- File filtering, blocking specific attachments: file name or content based
- Scan inside "containers" (zip, rar, doc, etc.)
  - Max 5 levels deep
  - Re-creates the rest of the container file if a virus is detected
Slide 14: Exchange 2007 Roles
[diagram: Internet -> Edge Transport (routing, hygiene) -> Hub Transport (routing, policy) -> Mailbox (public folders) inside the enterprise network; Client Access (applications: OWA; protocols: ActiveSync, POP, IMAP, RPC/HTTP, ...); Unified Messaging (voice messaging, fax); SMTP servers]
Slide 15: Scanning at Transport
- Transport scanning: try to minimize the effect on the message store
- Do not scan if already scanned (AV-stamp)
  - Inbound: at the Edge role (not at the Mailbox role)
  - Outbound: at the Hub role (not at the Mailbox role)
  - Internal: at the Hub role (not at the Mailbox role)
- AV-stamp
  - An antivirus header stamp is written to each email as it is first scanned (at the Edge or Hub role):
    X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
  - Checked by later scanning operations (at the Hub or Store role); if found, the mail is not re-scanned
  - When mail is saved in the Store, the antivirus stamp properties are saved as a MAPI property and the header is stripped from the email
Slide 16: A Quick Look at Transport Scanning, how it works
- Inbound mail: scanned at the Edge or Hub role (whichever comes first)
- Outbound mail: scanned at the first Hub role
- Internal mail: scanned at the first Hub role (not in the Store)
  - Mail in Sent Items is not scanned
- Public Folder postings: not scanned on submission
Slide 17: Scanning, inbound mail
[diagram: Internet -> Edge Server (SCAN + AV-STAMP) -> Hub Role (NO SCAN) -> Mailbox Role (NO SCAN) -> Public Folder / Client]
- Mail is scanned only once, at the Edge
- Saves processing load on Hub and Mailbox servers
Slide 18: Scanning, outbound mail
[diagram: Client -> Mailbox Role (NO SCAN) -> Hub Role (SCAN + AV-STAMP) -> Edge Server (NO SCAN) -> Internet]
- On-submission scanning at the Mailbox server (store) is turned off by default
- The scan takes place at the Hub role
- Saves processing load on Edge and Mailbox servers
Slide 19: Scanning, internal mail
[diagram: Client -> Mailbox Role (NO SCAN) -> Hub Role (SCAN + AV-STAMP) -> Mailbox Role (NO SCAN) -> Public Folder / Client]
- Internal mail is routed through the Hub role
- Saves processing load on Mailbox servers
Slide 20: Scanning at Store
- Proactive scanning, off by default: scan on message submission to the store
- On-access scanning, on by default: scan when a message is accessed or viewed
  - But do not scan if scanned before (looks at the AV-stamp)
  - Useful for: Outbox, Sent Items, Public Folders
- Background scan, off by default: runs once a day; scans only messages less than x days old (ignores the AV-stamp)
- Manual scan, off by default: runs on a set schedule or on demand (ignores the AV-stamp)
- Quick scan, off by default: easy way to run a one-time manual scan (ignores the AV-stamp)
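The interplay of the AV-stamp with the transport and store scan jobs (slides 15, 16 and 20) and the engine-count rule of the bias setting (slide 10) can be made concrete in code. The following is an added example, not Forefront's code: the "engines" are stand-ins that look for one constructed byte string, the stamp header name and value format are the ones shown on slide 15, and the generalisation of the bias counts to fewer than five selected engines is an assumption.

```python
"""Added example (not Forefront's code): simulation of the AV-stamp rule from the
transport/store scanning slides and of the bias setting's engine-count rule.
Engines are stand-ins that look for one constructed byte string; the stamp header
name and value format are the ones shown on the slide."""
import math
from email import message_from_string
from email.message import EmailMessage

AVSTAMP_HEADER = "X-MS-Exchange-Organization-AVStamp-Mailbox"
AVSTAMP_VALUE = "MSFTFF;1;0;0 0 0"              # value format as shown on the slide
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed marker, not a real signature


def engines_for_bias(bias, selected=5):
    """(min, max) engines run on one message for a bias setting.

    The counts on the slide (5 / 5 or 4 / 3 / 3, 2 or 1 / 1) assume five selected
    engines; the fractions used here generalise them to 1..5 engines (assumption).
    """
    if not 1 <= selected <= 5:
        raise ValueError("a scan job can use at most 5 of the 8 engines")
    half = math.ceil(selected / 2)
    rules = {
        "Max Certainty": (selected, selected),              # 100% of selected engines
        "Favor Certainty": (max(1, selected - 1), selected),
        "Neutral": (half, selected),                        # at least 50%
        "Favor Performance": (1, half),                     # up to 50%
        "Max Performance": (1, 1),                          # one engine per scan
    }
    return rules[bias]


def stand_in_engine_scan(msg):
    """Stand-in for the real engines: flag any body part containing TEST_SIGNATURE."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if TEST_SIGNATURE in (part.get_payload(decode=True) or b""):
            return "infected"
    return "clean"


def transport_scan(raw_message):
    """Edge or Hub role: scan once, then write the AV-stamp so later hops skip the mail."""
    msg = message_from_string(raw_message)
    verdict = stand_in_engine_scan(msg)
    if verdict == "clean":
        msg[AVSTAMP_HEADER] = AVSTAMP_VALUE
    return verdict, msg


def store_on_access_scan(msg):
    """Mailbox role, on-access scan: honours the stamp and rescans only unstamped
    mail (for example a Sent Items copy that never passed a transport scan)."""
    if msg.get(AVSTAMP_HEADER) is not None:
        return "skipped (AV-stamp present)"
    return stand_in_engine_scan(msg)


def store_background_scan(msg):
    """Background, manual and quick scans ignore the stamp and always rescan."""
    return stand_in_engine_scan(msg)


def build_message(attachment_bytes):
    """Constructed sample message with one binary attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(attachment_bytes, maintype="application",
                     subtype="octet-stream", filename="file.bin")
    return m.as_string()


if __name__ == "__main__":
    verdict, stamped = transport_scan(build_message(b"harmless bytes"))
    print(verdict, "->", store_on_access_scan(stamped))   # clean -> skipped
    verdict, _ = transport_scan(build_message(b"xx" + TEST_SIGNATURE))
    print(verdict)                                          # infected
    print(engines_for_bias("Favor Performance"))            # (1, 3)
```

The point the store functions make is the one behind "outbreak mode" on slide 22: on-access scanning trusts the stamp, so a message stamped by an older engine set is never looked at again until a background, manual or quick scan runs.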
Slide 21: Automatic Scanning Behavior Changes
Scanning behavior changes in Exchange 2007.
- User action 1: user attaches an infected file to an email and sends the email.
  - Proactive Scanning on (Exchange 2000/2003 default): virus is detected in the Outbox by the Realtime Scan Job and deleted.
  - Proactive Scanning off (Exchange 2007 default): virus is detected in the outbound mail queue by the Transport Scan Job and deleted.
- User action 2: user checks the Sent Items folder.
  - Proactive Scanning on (Exchange 2000/2003 default): virus is already deleted, detected in the Outbox by the Realtime Scan Job.
  - Proactive Scanning off (Exchange 2007 default): mail is scanned by on-access scanning (Realtime Scan Job) and the virus is deleted.
Each scan job has separate settings, so scan behavior may vary in Exchange 2007.
Slide 22: "Outbreak mode"
- Warning: do not use, except during a major outbreak
- Scan on Scanner Update setting: invalidates the AV-stamp after each engine update
- Result:
  - Enables proactive (submission) scanning
  - Scans each incoming message at the store, even if just scanned on transport
  - Scans each mail on access, if the engine has been updated
- Conclusion: significant increase in the amount of store scanning, but always scanned with the latest engines
Slide 23: File Filtering
- Block file attachments, based on name (or content)
- Extension, matched on file name or file content: *.exe, *.vbs, etc.
- Inbound/outbound/size: *.exe, *.doc, *.mp3>5MB, *>10MB
- Can also be configured for "detect only"
Slide 24: File Filtering, zip file behavior
- Filter rules: Delete *.exe, Quarantine
- Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP
- [diagram: container file before scan: EXE, DOC, JPG, BMP; container file after scan: TXT (custom deletion text), DOC, JPG, BMP; the EXE goes to Quarantine]
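Slides 13, 23 and 24 together describe the file filter: rules matched on name or content with an optional size threshold, containers scanned up to five levels deep, and only the offending entry replaced by a deletion text. The following is an added example, not Forefront's code, of that logic in Python: the rule syntax follows the slide (`*.exe`, `*.mp3>5MB`, `*>10MB`), the content check uses a constructed one-entry magic-byte table (`MZ` for executables), and the deletion text and sample ZIP are constructed for the example. The content check is what catches an executable that was renamed to `.jpg`, which a name-only filter misses.

```python
"""Added example (not Forefront's code): file-filter rules in the slide's syntax,
matched on file name and on file content, applied inside a ZIP container up to
MAX_DEPTH levels deep; offending entries are replaced by a .txt with deletion text
and the rest of the container is repackaged. Magic bytes, deletion text and the
sample ZIP are constructed for the example."""
import fnmatch
import io
import re
import zipfile

SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
CONTENT_MAGIC = {b"MZ": "exe"}   # constructed minimal content map: PE/DOS executables start with 'MZ'
DELETION_TEXT = "File removed by file filter rule '{rule}'."   # constructed deletion text
MAX_DEPTH = 5                    # slide 13: containers are scanned at most 5 levels deep
ZIP_MAGIC = b"PK\x03\x04"


def parse_rule(text):
    """'*.mp3>5MB' -> ('*.mp3', 5242880); '*.exe' -> ('*.exe', 0)."""
    m = re.fullmatch(r"(.+?)(?:>(\d+)(KB|MB|GB))?", text.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError("bad rule: %r" % text)
    pattern, number, unit = m.groups()
    min_size = int(number) * SIZE_UNITS[unit.upper()] if number else 0
    return pattern, min_size


def content_extension(data):
    """Extension implied by the file content, independent of the file name."""
    for magic, ext in CONTENT_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def matches(rule_text, name, data):
    """True when the attachment trips the rule by name or by content (and size)."""
    pattern, min_size = parse_rule(rule_text)
    if min_size and len(data) <= min_size:
        return False
    if fnmatch.fnmatch(name.lower(), pattern.lower()):
        return True
    # a plain '*.ext' rule also applies to content of that type under another name
    if pattern.startswith("*.") and not any(c in pattern[2:] for c in "*?["):
        return content_extension(data) == pattern[2:].lower()
    return False


def filter_container(zip_bytes, rules, depth=1):
    """Rebuild the ZIP without offending entries; returns (new_zip_bytes, removed_names)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            hit = next((r for r in rules if matches(r, name, data)), None)
            if hit is not None:
                removed.append(name)
                dst.writestr(name + ".txt", DELETION_TEXT.format(rule=hit))
            elif data.startswith(ZIP_MAGIC) and depth < MAX_DEPTH:
                inner, inner_removed = filter_container(data, rules, depth + 1)
                removed.extend(name + "/" + n for n in inner_removed)
                dst.writestr(name, inner)
            else:
                dst.writestr(name, data)
    return out.getvalue(), removed


def container_names(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def read_entry(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def build_sample_zip():
    """Constructed ZIP: document, executable, executable renamed to .jpg, image, nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("evil.exe", b"MZ\x90\x00 constructed exe")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("report.doc", b"\xd0\xcf\x11\xe0 constructed doc")
        zf.writestr("tool.exe", b"MZ\x90\x00 constructed exe")
        zf.writestr("renamed.jpg", b"MZ\x90\x00 constructed exe with a jpg name")
        zf.writestr("photo.bmp", b"BM constructed bmp")
        zf.writestr("inner.zip", inner.getvalue())
    return out.getvalue()


if __name__ == "__main__":
    cleaned, removed = filter_container(build_sample_zip(), ["*.exe", "*.mp3>5MB"])
    print("removed:", removed)            # ['tool.exe', 'renamed.jpg', 'inner.zip/evil.exe']
    print("after:", container_names(cleaned))
```

Quarantining the removed bytes before replacing them, as the slide's "Quarantine" action does, would simply mean writing `data` to a quarantine store in the `hit is not None` branch before the `.txt` is written.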
Slide 25: Premium Anti-spam Protection
- Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007
- Deployed on the Exchange Edge or Hub server role
  - An Edge server can be deployed in front of Exchange 2003 mailboxes
- Built upon the base anti-spam in Exchange 2007, premium anti-spam protection adds:
  - Microsoft IP reputation filter service and automated updates
  - Automated updates every 15 minutes for Microsoft Smartscreen spam heuristics, phishing Web sites and Intelligent Message Filter (IMF)
  - Targeted spam signature data and automatic updates to identify the latest spam campaigns
  - Rights to use Exchange Hosted Services Filtering
Slide 26: Forefront Server Security Management Console
Slide 27: Forefront Server Security Management Console
Microsoft Forefront Server Security Management Console allows administrators to easily manage Forefront Security for Exchange Server, Forefront Security for SharePoint and Microsoft Antigen installed on multiple servers across the enterprise.
- Simplified Management
  - Centralizes management through the Web-based console
  - Automates signature updates for multiple antivirus engines
  - Generates comprehensive reports
- Comprehensive Protection
  - Provides outbreak response
  - Rapidly distributes signature and scan engine updates
- Optimized Performance
  - Integration with Microsoft SQL Server 2005 and Windows Server 2003
  - Redundancy maintains server availability
  - Support for Exchange 2007 CCR clusters
Slide 28: FSSMC
- Forefront Server Security Management Console (FSSMC) provides:
  - management
  - reporting
  - alerting/events
  for the Forefront Server products
- This includes the Antigen Server products, but not Forefront Client Security
- Successor to Antigen Enterprise Manager (AEM)
- Released: October 2007
- Future: the "Stirling" management console covers Forefront Client, Forefront Server and Forefront Edge
Slide 29: Support matrix and history
- Management consoles: Sybari Enterprise Manager (SEM), Antigen Enterprise Manager (AEM), Forefront Server Security Management Console (FSSMC)
- Managed products: Sybari Antigen for Exchange 8.0, Sybari Antigen for SharePoint 8.0, Sybari Antigen for LCS 8.0, Microsoft Antigen for Exchange 9.0, Forefront Security for Exchange 10.0, Forefront Security for SharePoint 10.0
Slide 30: Supported Topology
- Forefront Server Security Management Console manages:
  - Exchange 2007 Edge Server
  - Exchange 2007 Hub Server
  - Exchange 2000 or 2003 Routing Server
  - Exchange 2007 Mailbox Server
  - Exchange 2000 or 2003 Mailbox Server
  - Microsoft Office SharePoint Server 2007 or Windows SharePoint Services 3.0
- DMZ servers not supported
Slide 31: Minimum System Requirements
- Operating system: Microsoft Windows Server 2003 SP2 (x86); recommended: install the latest security patches from Windows Update
- Memory: 128 MB of available memory
- Hard disk:
  - 65 MB of available disk space on an NTFS formatted drive for Forefront Server Security Management Console
  - 185 MB of available disk space on an NTFS formatted drive for the prerequisites listed below
- Prerequisites:
  - Internet Information Services (IIS) 6.0 or higher with ASP.NET 2.0 enabled
  - Microsoft SQL Server 2000 Standard Edition (SP3a recommended), Microsoft SQL Server 2005 Standard Edition or SQL Server 2005 Express Edition*
  - The following prerequisites are included in the trial download and installed automatically if they are not already present: .NET Runtime v2.0, Microsoft Message Queuing (MSMQ) and MSMQ Triggers, Microsoft Core XML Services (MSXML) 6.0 SP1
- * Forefront Server Security Management Console supports SQL Server 2005 Express Edition, which is installed when selecting the "Express Install" option.
Slide 32: Feature Overview
Slide 33: Add a Server
- The first step is to identify and add the Forefront or Antigen server
- Can be added directly or via the Browse feature
- Once added, the FSSMC Agent software must be installed on the target server by a job that pushes and installs the Agent
- Target server credentials are entered through the FSSMC console
- Installation progress and status are shown on screen
Slide 34: Jobs Overview
- Jobs are management tasks that are run on demand or based on a schedule
- Deployment jobs: software, license files, templates
- Signature redistribution jobs
- Schedule reports
- General options
- Manual Scan Job
- Log retrieval
Slide 35: Job, signature distribution
- A primary task for the FSSMC
- The FSSMC server serves as the central download agent for all scan engines and updates
- They are then distributed proactively to the Forefront and Antigen servers
- Engine updates are delivered to all servers; you cannot choose among them
- Select the update schedule and choose the engines to download
Slide 36: Job, signature distribution
- Set the time intervals and download path
- Choose the scan engines for Forefront and Antigen
Slide 37: Automated Signature Updating
[diagram: engine partner updates -> www.microsoft.com -> Internet -> Forefront Engine Adaptor]
Slide 38: Redundancy, signature distribution
[diagram: Internet, Primary and Backup FSSMC servers, Forefront servers; steps 1 to 6]
- The Backup server connects to the Internet and retrieves the Forefront (FF) engine manifest file
- The Primary server connects to the Internet and retrieves signature updates
- Primary notifies all FF clients that updates are available
- The Backup server connects to Primary and compares the file manifest to the files available on Primary
  - If files are newer, Backup copies them
  - If Primary is out of date, Backup downloads from the Internet
- Backup notifies client machines that it also has signature updates
- Clients will pull signatures from Backup if they are more up to date
Slide 39: Auto-discovery of Exchange Servers
- A nightly scan of Active Directory searches for Exchange servers
- Compares discovered servers with known servers in the Forefront Server Security Management Console
- All previously undiscovered Exchange servers are highlighted on the screen and available via a daily report
- Forefront/Antigen can then be deployed to these servers
Slide 40: Auto-discovery of Exchange Servers (cont.)
- The At a Glance screen highlights newly discovered servers
Slide 41: Reporting, At a Glance
- A system status screen showing key data points from the past 24 hours
- Virus statistics: skipped, cleaned, detected, blocked, etc.
- Spam statistics: skipped, purged, identified, etc. (Antigen 9 only)
- Filter statistics: file filters, keyword filters, subject line filters
- Top 5 viruses
- Most active servers
Slide 42: Reporting, out-of-date engine and signature version report
- Problem: security admins want to know whether their systems are up to date; out-of-date signatures and engines should be identified
- Solution: FSSMC makes it possible to view the signature and engine version on each managed server, whether or not the server is updated by FSSMC
Slide 43: Alert Management
- Example: an alert can be sent when no virus activity is seen for a specified period of time
- A lack of virus detections can indicate a scanning failure
  - Possible scan job crash
  - Possibly misconfigured server
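The "no virus activity" alert on this slide is a useful pattern beyond FSSMC: silence from a detection system is itself a signal. The following is an added example, not FSSMC's code, that evaluates such an alert over constructed log lines and, as the slide suggests, separates the two likely causes: a server that has logged no scan activity at all (possible scan job crash) and one that keeps scanning but never detects anything (possible misconfiguration). The log format, server names and timestamps are constructed for the example.

```python
"""Added example (not FSSMC's code): the 'no virus activity' alert of the slide,
evaluated per server over constructed detection-log lines. Log format, server
names and timestamps are constructed."""
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)\s*(.*)$")

# constructed sample log: EX01 detected something recently, EX02 scans but has
# not detected anything for more than a day, EX03 has logged nothing for a day
SAMPLE_LOG = """\
2007-10-05 08:00:00 SCAN_SUMMARY server=EX01 scanned=1200
2007-10-05 08:15:00 VIRUS_DETECTED server=EX01 virus=Constructed.Test action=deleted
2007-10-04 07:00:00 VIRUS_DETECTED server=EX02 virus=Constructed.Test action=deleted
2007-10-05 09:00:00 SCAN_SUMMARY server=EX02 scanned=3400
2007-10-04 06:00:00 SCAN_SUMMARY server=EX03 scanned=900
"""
NOW = datetime(2007, 10, 5, 10, 0, 0)   # constructed evaluation time


def parse_events(text):
    """Return (timestamp, event_kind, fields) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue   # malformed lines are skipped rather than aborting the check
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, fields))
    return events


def check_virus_silence(text, now, max_silence=timedelta(hours=24)):
    """Per server: alert when no detection has been logged within max_silence,
    with a reason that points at the likely failure mode."""
    last = {}   # server -> {"detect": latest detection, "scan": latest scan summary}
    for ts, kind, fields in parse_events(text):
        server = fields.get("server", "unknown")
        entry = last.setdefault(server, {"detect": None, "scan": None})
        key = {"VIRUS_DETECTED": "detect", "SCAN_SUMMARY": "scan"}.get(kind)
        if key and (entry[key] is None or ts > entry[key]):
            entry[key] = ts
    result = {}
    for server, entry in sorted(last.items()):
        if entry["detect"] is not None and now - entry["detect"] <= max_silence:
            result[server] = {"alert": False, "reason": "detections within window"}
        elif entry["scan"] is None or now - entry["scan"] > max_silence:
            result[server] = {"alert": True,
                              "reason": "no scan activity logged: possible scan job crash"}
        else:
            result[server] = {"alert": True,
                              "reason": "scans run but nothing detected: check scan job configuration"}
    return result


if __name__ == "__main__":
    for server, status in check_virus_silence(SAMPLE_LOG, NOW).items():
        print(server, status)
```

In production the scan-summary event would come from the same per-server statistics FSSMC shows on its At a Glance screen; the important design choice is to alert on the absence of an expected event, not only on its presence.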
Slide 44: Reporting, out-of-date engine and signature version report
- Turns RED when there is no Internet connection
Slide 45: Forefront Security for SharePoint
Slide 46: How Do Viruses Get to SharePoint?
- Today, viruses arrive primarily by accident, not by design
  - A user uploads a document with an embedded payload
  - Possibly malicious user activity
  - Risks in an extranet deployment
- A user maps a network drive to \\server\sites\teamsite
  - If a user is infected by a virus that attempts to propagate to network shares, the virus can propagate to SharePoint sites
- [diagram: users -> SharePoint Portal Server -> SQL document library]
Slide 47: Why SharePoint Antivirus?
- File server AV does not provide the level of protection needed to prevent SharePoint-related infections
- Desktop AV is not enough to solve the problem
  - Desktop AV may detect the infection within the cached copy, but cannot clean the stored copy in the document library
  - Forefront Security for SharePoint cleans the document in the library, ensuring all posted and downloaded documents are safe
  - Signature distribution is often slow and problematic, and never contains five scanning engines
Slide 48: Forefront Antivirus Scanning
Forefront provides two types of scan jobs:
- Realtime Scan Job: scans any files being uploaded to or downloaded from SharePoint
  - Works with a web browser or any other application accessing SharePoint
  - Provides proactive protection
- Manual Scan Job: scans all or part of the SharePoint document library on demand
  - Scans can be scheduled
  - Can be used to scan with engines different from the Realtime Scan Job
Slide 49: Forefront Realtime Scan Job
- Realtime scanning always uses the VSAPI
- Basic Realtime scan settings are centrally configured through the SharePoint interface, not the Forefront console
- In SharePoint Central Administration, click "Operations", followed by "Antivirus"
Slide 50: Virus, user experience
Slide 51: Realtime Scan Virus Detection Actions
When Forefront detects a virus, several actions are available:
- Skip: detect only. Logs the presence of the virus, but does not block or delete it. Not a secure setting! Can be used for testing/evaluation purposes.
- Clean: repair document. Attempts to clean the file; if the file cannot be cleaned, it is blocked.
- Delete: block document. GOOD CHOICE!
Slide 52: Realtime Virus Deletion Text
- When a file is deleted because it contains a virus, Forefront replaces it with a text file
- The file keeps its name, but gets a .txt extension
- Deletion text is only used in Realtime scanning when replacing files within a ZIP file
- The text file contains a configurable "Deletion Text" that can include system information
- By default, the deletion text reads:
Slide 53: Forefront Manual Scan Job
- Manual Scan provides a tree view into the document library
- All or part of the library can be set for scanning by using check boxes
- Settings will not include new sites by default unless the top box is checked
- Use Quick Scan to scan a particular part of the library
Slide 54: File Filtering, Forefront vs. SharePoint
- SharePoint also supports file blocking, but performs only file extension checking
  - Will not catch a file if the extension is changed to an approved file extension
- If SharePoint and Forefront rules overlap, the SharePoint rule is applied first
- SharePoint file scanning requires less overhead and should be used in conjunction with Forefront
  - Block the same list of files in both places
- Skip: detect mode can be used to inventory the library or understand real-time file storage patterns
Slide 55: Large File Support
- Large file support has been added to the VSAPI in SharePoint 2007
- The VSAPI hook can load and transfer pieces of the file on demand
- Forefront requests file data in chunks
- The maximum file size that can be scanned is 2 GB
  - If the file is larger than 2 GB, the ForefrontService returns a value of MSOVSI_STATUS_INFECTED
  - The Virus Information string will note "Exceeded File Size"
Slide 56: VSAPI 1.4 Architecture
[diagram: SharePoint Front End -> Antivirus Manager (AVM) <-> SharePoint DB; AVM -> COM Layer -> Virus Scan Engine (VSE), the antivirus vendor component]
- The SharePoint process (AVM) reads and writes to the DB
- AV engines do not have to interact with the DB
- The VSE returns results and the AVM takes action, e.g. block, clean, etc.
Slide 57: SharePoint API integration
- Utilizes the SharePoint Virus API to scan files during upload and download
- Optimized for performance in a SQL environment
- Files are not rescanned if the engines have not been updated
- Up to ten simultaneous scanning threads help ensure users are not delayed waiting for documents to scan
- Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly
Slide 58: Troubleshooting Tips
1. FSCUtility.exe
   - FSCUtility /status: gives an on-screen report showing the status of Forefront Security and the server
   - FSCUtility /disable: disables Forefront Security dependencies
   - FSCUtility /enable: enables Forefront Security dependencies
2. FSCDiag
3. Programlog.txt
4. Event Logs
5. Perfmon counters
6. MOM packs
7. Forum: http://forums.microsoft.com/Forefront/default.aspx?ForumGroupID=275&SiteID=41
Slide 59: Microsoft Operations Manager
- Over 100 events, performance counters, and services monitored
- Monitors the state of Forefront; collects statistical data on scanning, detection, and removal of messages and attachments
- Polls Forefront services: provides timed events to poll systems for critical process health
- Key tasks:
  - Triggers scan engine updates
  - Centralizes storage and deployment of license files
  - Imports, exports and deploys setting changes
  - Initiates and/or schedules manual scan jobs
  - Starts/stops control of Forefront services
Slide 60: Q&A