Forefront Server Products Ronald Beekelaar Beekelaar Consultancy [email protected]


Forefront Server Products

Ronald Beekelaar, Beekelaar Consultancy, [email protected]

2

Introductions

Presenter – Ronald Beekelaar

MVP Windows Security

MVP Virtual Machine Technology

E-mail: [email protected]

Work

Beekelaar Consultancy

Security consultancy: Forefront, IPSec, PKI

Virtualization consultancy: create many VM-based labs and demos

3

Agenda

Overview of Forefront Server

Exchange Scanning

E-mail Transport Scanning

How Mail Store Scanning Works

Mail Store Scanning Options

File filtering

Forefront Server Security Management Console (FSSMC)

Forefront Security for SharePoint

4

Specifications: three Win2003 R2 VMs + Exchange 2007 + Forefront for Exchange + Outlook 2003 + SharePoint Services 3.0 + Forefront for SharePoint + Forefront Management Console (beta)

Memory: 2 GB required

Demo environment

5

Forefront Security for Exchange Server includes multiple scan engines from industry-leading security firms, integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.

Comprehensive Protection

• Ships with & manages multiple antivirus engines
• Multi-layered protection in Exchange 2007
• File filtering and premium anti-spam protection

Optimized Performance

• Deep integration with Exchange Server
• Scanning innovations & performance controls
• Maintains uptime and optimizes performance

Simplified Management

• Easily manage configuration and operation
• Automated signature updates
• Reporting, notifications and alerts

6

History

Sybari Antigen 8.0 for Exchange: for Exchange 5.5 and Exchange 2003

Microsoft Antigen 9.0 for Exchange: for Exchange 2003

Forefront Security 10.0 for Exchange: for Exchange 2007

Forefront Security for Exchange

7

Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from:

Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously

Figure: internal messaging servers protected by scan engines A, B, C, D and E.

Multiple Scan Engines

8

Engines from eight different vendors, all delivered and licensed by Microsoft. You can select a maximum of 5 (out of 8) engines.

Note: Since 16-Jan-2007, CA Vet and CA InoculateIT are combined.

Customer benefits: rapid response to new threats; greater protection through diversity of anti-virus engines; continuous protection.

Engine vendors: Ahn Labs, Authentium Command, CA, Kaspersky, Microsoft, Norman, Sophos, Virus Buster.

Multiple Scan Engines

9

Multiple Scan Engines: Results from AV-test.org (2006)

Signature response times in hours

MM/YY  Virus           FF Set 1  FF Set 2  FF Set 3  FF Set 4  FF Set 5  Vendor A  Vendor B  Vendor C
0406   Mytob.NQ@mm          1.5       1.0       1.0       1.0       3.1       9.9      17.4       2.1
0406   Mytob.NQ@mm          1.0       1.1       1.0       1.0       1.0      28.1      11.6       3.5
0406   Spybot!04C2         23.0       1.0      23.0      25.3       1.0         0      29.9      39.0
0406   Nugache.a            1.0      25.5       1.0       1.0       1.0      34.1      12.9      48.1
0506   Numuen.F               0      24.4         0         0         0       1.0      10.3      15.0
0506   Numuen.H             1.0      31.7       1.0       1.0       1.0     103.8     251.9     114.8
0506   Numuen.G             3.2       8.2       3.2       3.2       3.2       1.0     151.8     469.0
0506   Banwarum.C@mm       87.5       1.0      87.5      87.5       1.0     116.7      73.0     129.3
0506   Banwarum.B@mm       12.1       1.0       1.8       1.8       1.0     116.7      22.4      32.9
0506   Rbot!E905              0         0         0         0         0   1,141.8     217.6       1.0
0606   Bagle.EG               0         0         0         0         0         0       7.3         0
0606   Bagle.EH@mm            0       1.3         0         0         0         0      18.4         0
0606   Bagle.EG@mm            0       3.6         0         0       1.0         0      26.5         0
0606   Bagle.LY@mm            0         0         0         0         0         0       6.4       2.5
0706   Feebs.gen@mm           0         0         0         0         0         0         0     503.8
0706   Feebs.EU               0       1.0         0         0         0      52.3     173.2      39.0
0706   Virut.A                0         0         0         0         0         0         0   1,317.0

Legend (colour-coded on the original slide): < 5 hours; between 5 - 24 hours; > 24 hours

10

Multiple Scan Engines: Bias setting

Available: 8 engines

Select: max 5 engines (from 8)

Bias setting: how many engines are used on a single email (1..5)

• Max Certainty: uses all selected engines (100%) - 5
• Favor Certainty: uses all available engines - 5 or 4
• Neutral: uses at least 50% of selected engines - 3
• Favor Performance: uses up to 50% of selected engines - 3, 2 or 1
• Max Performance: uses one engine for every scan - 1

11

Scan Engines

Multiple Scan Engine Performance

3Sharp conducted an analysis of the incremental impact of additional scan engines on performance

Findings: the additional protection offered by multiple engines greatly offsets the minimal impact on server performance

12

Scan Engine Updates

Forefront for Exchange polls for updates

Available at:

http://forefrontdl.microsoft.com

Share at another Forefront Server

Share at Forefront Management Console (FSSMC)

But NOT available at:

Antivirus vendor Web site (Norman, Sophos, etc)

13

Scan Mechanisms

Scan for viruses - using scan engines

Signature based

File filtering - block specific attachments

File name or content based

Scan inside "containers" (zip, rar, doc, etc)

Max 5 levels deep

Re-creates rest of container-file, if virus detected

14

Figure: Exchange 2007 roles in the enterprise network. Edge Transport (routing, hygiene) faces the Internet over SMTP; Hub Transport (routing, policy); Mailbox servers (mailboxes, public folders); Client Access (applications: OWA; protocols: ActiveSync, POP, IMAP, RPC / HTTP …); Unified Messaging (voice messaging, fax).

Exchange 2007 Roles

15

Transport scanning: try to minimize the effect on the Message Store. Do not scan if scanned already (AV-stamp).

Inbound: at Edge role (not at Mailbox role)
Outbound: at Hub role (not at Mailbox role)
Internal: at Hub role (not at Mailbox role)

AV-stamp: an antivirus header stamp is written to each email as it is first scanned (at Edge or Hub role):

X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0

The stamp is checked by later scanning operations (at Hub or Store role). If found, the mail is not re-scanned.

When mail is saved in the Store, the antivirus stamp properties are saved as a MAPI property and the header is stripped from the email.

Scanning at Transport

16

A Quick Look At Transport Scanning: How It Works

Inbound mail

Scanned at the Edge or Hub role (whichever comes first)

Outbound mail

Scanned at the first Hub role

Internal Mail

Scanned at the first Hub role (not in the Store)

Mail in Sent Items is not scanned

Public Folder postings

Not scanned on submission

17

Figure: Internet -> Edge Server -> Hub Role -> Mailbox Role (Public Folder) -> Client. SCAN + AV-STAMP at the Edge Server; NO SCAN at the Hub and Mailbox roles.

Mail scanned only once, at the Edge

Saves processing load on Hub and Mailbox servers

Scanning - Inbound Mail

18

Figure: Client -> Mailbox Role -> Hub Role -> Edge Server -> Internet. SCAN + AV-STAMP at the Hub Role; NO SCAN at the Mailbox Role and the Edge Server.

On-submission scanning at the Mailbox server (store) is turned off by default

Scan takes place at the Hub role

Saves processing load on Edge and Mailbox servers

Scanning - Outbound Mail

19

Figure: Client -> Mailbox Role -> Hub Role -> Mailbox Role (Public Folder) -> Client. SCAN + AV-STAMP at the Hub Role; NO SCAN at the Mailbox Roles.

Internal mail is routed through the Hub role

Saves processing load on Mailbox servers

Scanning - Internal Mail

20

Store scanning

Proactive scanning - off by default: scan on message submission to the store

On-access scanning - on by default: scan when a message is accessed or viewed, but do not scan if scanned before (looks at AV-stamp). Useful for: Outbox, Sent Items, Public Folders

Background Scan - off by default: runs once a day; scans only messages less than x days old (ignores AV-stamp)

Manual Scan - off by default: runs on a set schedule or on demand (ignores AV-stamp)

Quick Scan - off by default: easy way to run a one-time manual scan (ignores AV-stamp)

Scanning at Store

21

Automatic Scanning: Behavior Changes

Scanning behavior changes in Exchange 2007

User action 1: User attaches an infected file to an email and sends the email.
• Proactive Scanning on (Exchange 2000/2003 default): Virus is detected in the Outbox by the Realtime Scan Job and deleted.
• Proactive Scanning off (Exchange 2007 default): Virus is detected in the Outbound mail queue by the Transport Scan Job and deleted.

User action 2: User checks the Sent Items folder.
• Proactive Scanning on (Exchange 2000/2003 default): Virus is already deleted, detected in the Outbox by the Realtime Scan Job.
• Proactive Scanning off (Exchange 2007 default): Mail is scanned by On Access scanning (Realtime Scan Job) and the virus deleted.

Each scan job has separate settings, so scan behavior may vary in Exchange 2007

22

"Outbreak mode"

Warning: do not use, except with a major outbreak

Scan on Scanner Update setting: invalidates the AV-stamp after each engine update

Result:
• Enables proactive (submission) scanning
• Scans each incoming message at the store, even if just scanned on transport
• Scans each mail on access, if the engine has been updated

Conclusion: significant increase in the amount of store scanning, but always scanned with the latest engines
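The stamp-and-skip logic from the transport, store and outbreak-mode slides, as an added Python model that is not Forefront code. It assumes the stamp is only checked for presence (its fields are not decoded), that the time the stamp was written is tracked separately so the Scan on Scanner Update rule can be expressed, and that the MAPI property is a plain flag on the message.

```python
"""Model of when a Forefront scan job (re)scans a message, following the
AV-stamp rules on the transport, store and "outbreak mode" slides.
Added illustration, not Forefront code (assumptions noted in comments)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

AV_STAMP_HEADER = "X-MS-Exchange-Organization-AVStamp-Mailbox"  # from the slide
AV_STAMP_VALUE = "MSFTFF;1;0;0 0 0"                             # from the slide

# Jobs that honour the stamp vs. jobs that ignore it ("Scanning at Store" slide)
STAMP_AWARE_JOBS = {"transport", "proactive", "on_access"}
STAMP_IGNORING_JOBS = {"background", "manual", "quick"}

@dataclass
class Message:
    headers: Dict[str, str] = field(default_factory=dict)
    mapi_av_stamped: bool = False           # assumed: set when the store strips the header
    stamped_at: Optional[datetime] = None   # assumed: when the stamp was written

def stamp_at_transport(msg: Message, now: datetime) -> None:
    """Edge or Hub role: after the first scan, write the AV-stamp header."""
    msg.headers[AV_STAMP_HEADER] = AV_STAMP_VALUE
    msg.stamped_at = now

def save_to_store(msg: Message) -> None:
    """Mailbox store: the stamp becomes a MAPI property and the header is stripped."""
    if msg.headers.pop(AV_STAMP_HEADER, None) is not None:
        msg.mapi_av_stamped = True

def needs_scan(msg: Message, job: str, *, engine_updated_at: Optional[datetime] = None,
               scan_on_scanner_update: bool = False) -> bool:
    """True if `job` must scan the message. With Scan on Scanner Update enabled
    (outbreak mode), a stamp older than the last engine update is invalid."""
    if job in STAMP_IGNORING_JOBS:
        return True
    if job not in STAMP_AWARE_JOBS:
        raise ValueError(f"unknown scan job: {job}")
    stamped = AV_STAMP_HEADER in msg.headers or msg.mapi_av_stamped
    if not stamped:
        return True
    if (scan_on_scanner_update and engine_updated_at is not None
            and msg.stamped_at is not None and engine_updated_at > msg.stamped_at):
        return True
    return False

def walk_inbound(outbreak_mode: bool = False) -> List[Tuple[str, bool]]:
    """Trace one inbound message Edge -> Hub -> store as (stage, scanned) pairs.
    In outbreak mode an engine update lands after the Edge scan, so on-access
    scanning in the store rescans the message although it carries a stamp."""
    t0 = datetime(2007, 10, 1, 9, 0)                       # constructed time
    engine_update = t0 + timedelta(minutes=30) if outbreak_mode else None
    msg, trace = Message(), []
    trace.append(("edge", needs_scan(msg, "transport")))       # first scan
    stamp_at_transport(msg, t0)
    trace.append(("hub", needs_scan(msg, "transport")))        # stamp honoured
    save_to_store(msg)
    trace.append(("store_on_access", needs_scan(msg, "on_access",
                  engine_updated_at=engine_update, scan_on_scanner_update=outbreak_mode)))
    trace.append(("store_manual", needs_scan(msg, "manual")))  # ignores stamp
    return trace
```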

23

File Filtering

Block file attachments, based on name (or content)

Extension - file name or file content: *.exe, *.vbs, etc

Inbound/outbound/size: <in>*.exe, <out>*.doc, *.mp3>5MB, *>10MB

Can also configure for "detect only"

24

File Filtering – Zip File Behavior

Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP

Figure: filter rule "Delete *.exe" with quarantine. Container file before scan: EXE, DOC, JPG, BMP. Container file after scan: TXT (custom deletion text), DOC, JPG, BMP. The EXE is moved to quarantine.
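The filter rule syntax and the ZIP repackaging behaviour from the two file filtering slides, as an added Python example that is not Forefront code. The rule grammar (optional <in>/<out> prefix, a glob, an optional >size suffix) is inferred from the examples on the slide, and the deletion text and archive contents are constructed placeholders.

```python
"""File filter rules in the syntax on the slides (*.exe, <in>*.exe, <out>*.doc,
*.mp3>5MB, *>10MB) applied to attachments and to ZIP containers, where only
the offending member is removed and the rest of the archive is repackaged.
Added illustration, not Forefront code; the deletion text is a placeholder."""
import fnmatch
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(r"^(?:<(in|out)>)?([^<>]+?)(?:>(\d+)(KB|MB))?$", re.IGNORECASE)
DELETION_TEXT = "File removed by a file filter rule (placeholder deletion text)"
UNITS = {"KB": 1024, "MB": 1024 * 1024}

@dataclass(frozen=True)
class FilterRule:
    pattern: str               # glob matched against the file name
    direction: Optional[str]   # "in", "out" or None (both directions)
    min_size: int              # bytes; file must be larger than this (0 = any size)

def parse_rule(text: str) -> FilterRule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad filter rule: {text!r}")
    direction, pattern, number, unit = m.groups()
    size = int(number) * UNITS[unit.upper()] if number else 0
    return FilterRule(pattern, direction.lower() if direction else None, size)

def rule_matches(rule: FilterRule, name: str, size: int, direction: str) -> bool:
    if rule.direction and rule.direction != direction:
        return False
    if rule.min_size and size <= rule.min_size:
        return False
    return fnmatch.fnmatchcase(name.lower(), rule.pattern.lower())

def first_match(rules, name, size, direction) -> Optional[FilterRule]:
    return next((r for r in rules if rule_matches(r, name, size, direction)), None)

def filter_zip(data: bytes, rules: List[FilterRule], direction: str,
               detect_only: bool = False) -> Tuple[bytes, List[str]]:
    """Scan inside the container; return (repackaged zip, names of members hit).
    A hit becomes <name>.txt holding the deletion text unless detect_only is set."""
    hits, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            content = src.read(info)
            if first_match(rules, info.filename, info.file_size, direction):
                hits.append(info.filename)          # would go to quarantine
                if not detect_only:
                    dst.writestr(info.filename + ".txt", DELETION_TEXT)
                    continue
            dst.writestr(info.filename, content)    # untouched member is kept
    return out.getvalue(), hits

def demo_zip(detect_only: bool = False) -> List[str]:
    """Constructed archive from the slide (EXE, DOC, JPG, BMP) filtered inbound
    with 'Delete *.exe'; returns the member names after repackaging."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("setup.exe", "report.doc", "photo.jpg", "logo.bmp"):
            z.writestr(name, b"constructed content")
    repacked, _ = filter_zip(buf.getvalue(), [parse_rule("<in>*.exe")], "in", detect_only)
    return sorted(zipfile.ZipFile(io.BytesIO(repacked)).namelist())
```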

25

Premium Anti-spam Protection

Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007

Deployed on the Exchange Edge or Hub server role. The Edge server can be deployed in front of Exchange 2003 mailboxes.

Built upon base anti-spam in Exchange 2007, premium anti-spam protection adds:

Microsoft IP reputation filter service and automated updates

Automated updates every 15 minutes for Microsoft Smartscreen spam heuristics, phishing Web sites and Intelligent Message Filter (IMF)

Targeted spam signature data and automatic updates to identify latest spam campaigns

Rights to use Exchange Hosted Services Filtering

26

Forefront Server Security Management Console

27

Microsoft® Forefront™ Server Security Management Console allows administrators to easily manage Forefront Security for Exchange Server, Forefront Security for SharePoint® and Microsoft Antigen installed on multiple servers across the enterprise.

Comprehensive Protection

• Provides outbreak response
• Rapidly distributes signature and scan engine updates

Optimized Performance

• Integration with Microsoft SQL Server™ 2005 and Windows Server® 2003
• Redundancy maintains server availability
• Support for Exchange 2007 CCR clusters

Simplified Management

• Centralizes management through the Web-based console
• Automates signature updates for multiple antivirus engines
• Generates comprehensive reports

28

FSSMC

Forefront Server Security Management Console (FSSMC) provides management, reporting and alerting/events for the Forefront Server products

This includes Antigen Server products, but not Forefront Client Security

Successor to Antigen Enterprise Manager (AEM). Released: October 2007

Future: "Stirling" management console covers Forefront Client, Forefront Server and Forefront Edge

29

Support matrix and history

30

• Exchange 2007 Edge Server
• Exchange 2007 Hub Server
• Exchange 2000 or 2003 Routing Server
• Exchange 2007 Mailbox Server
• Exchange 2000 or 2003 Mailbox Server
• Microsoft Office SharePoint Server 2007 or Windows SharePoint Services 3.0
• Forefront Server Security Management Console

DMZ servers not supported

Supported Topology

31

Minimum System Requirements

Operating System
• Microsoft Windows Server 2003 SP2 (x86)
• Recommended: Install the latest security patches from Windows Update

Memory
• 128 MB of available memory

Hard Disk
• 65 MB of available disk space on an NTFS formatted drive for Forefront Server Security Management Console
• 185 MB of available disk space on an NTFS formatted drive for the prerequisites listed below

Prerequisites
• Internet Information Services (IIS) 6.0 or higher with ASP.NET 2.0 enabled
• Microsoft SQL Server 2000 Standard Edition (SP3a recommended), Microsoft SQL Server 2005 Standard Edition or SQL Server 2005 Express Edition*
• The following prerequisites are included in the trial download and installed automatically if they are not already present: .NET Runtime v2.0; Microsoft Message Queuing (MSMQ) and MSMQ Triggers; Microsoft Core XML Services (MSXML) 6.0 SP1

* Forefront Server Security Management Console supports SQL Server 2005 Express Edition, which is installed when selecting the “Express Install” option.

32

Feature Overview

33

Add a Server

First step is to identify and add the Forefront or Antigen server

Can be added directly or use the Browse feature

Once added, the FSSMC Agent software must be installed on the target server by a job that will push and install the Agent

Target server credentials are entered through the FSSMC console

Installation progress and status shown on screen

34

Jobs Overview

Jobs are management tasks that are run on demand or based on a schedule

Deployment jobs: software, license files, templates

Signature redistribution jobs

Schedule reports

General options

Manual Scan Job

Log retrieval

35

Job – Signature Distribution

A primary task for the FSSMC

The FSSMC server serves as the central download agent for all scan engines and updates

They are then distributed proactively to the Forefront and Antigen servers

Engine updates are delivered to all servers. You cannot choose among them.

Select the Update Schedule and choose the engines to download

36

Job – Signature Distribution

Set the time intervals and download path.

Choose the scan engines for Forefront and Antigen.

37

Figure: Automated Signature Updating. Engine partner updates are published at www.microsoft.com; the Forefront Engine Adaptor retrieves them over the Internet.

38

Redundancy Signature Distribution

Figure: a Primary and a Backup server, both connected to the Internet, distributing to the Forefront servers in steps 1 to 6:

1. The Backup server connects to the Internet and retrieves the Forefront (FF) engine manifest file
2. The Primary server connects to the Internet and retrieves signature updates
3. Primary notifies all FF clients that updates are available
4. The Backup server connects to Primary and compares the file manifest to the files available on Primary
   • If files are newer, Backup copies them
   • If Primary is out of date, Backup downloads from the Internet
5. Backup notifies client machines that it also has signature updates
6. Clients will pull signatures from Backup if they are more up to date
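The six-step Primary/Backup sequence above, as an added Python simulation that is not FSSMC code. The manifest format, integer-tuple version comparison and the Primary download failure used to exercise the "Primary is out of date" branch are assumptions.

```python
"""Simulation of the Primary/Backup signature distribution sequence on the
slide (steps 1 to 6). Added illustration, not FSSMC code. Assumptions: a
manifest is a dict engine -> version string compared as integer tuples, the
Internet source is simply the latest manifest, the Primary may fail its
download (to exercise the 'Primary is out of date' branch), and a client
switches to the Backup only when the Backup offers something newer."""
from typing import Dict, List, Tuple

Manifest = Dict[str, str]

def _ver(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def has_newer(a: Manifest, b: Manifest) -> bool:
    """True if `a` carries a newer version than `b` for at least one engine."""
    return any(_ver(v) > _ver(b.get(e, "0")) for e, v in a.items())

def run_distribution(internet: Manifest, primary: Manifest, backup: Manifest,
                     clients: List[str], primary_download_ok: bool = True
                     ) -> Tuple[Manifest, Manifest, Dict[str, Tuple[str, Manifest]]]:
    """Returns the final Primary and Backup manifests and, per client,
    (server it pulled from, files it holds)."""
    manifest = dict(internet)                 # 1. Backup fetches the FF engine manifest
    if primary_download_ok:
        primary = dict(internet)              # 2. Primary downloads the updates
    pulled = {c: ("primary", dict(primary)) for c in clients}   # 3. Primary notifies
    if has_newer(manifest, primary):          # 4. Backup compares manifest with Primary
        backup = dict(internet)               #    Primary out of date: download from Internet
    elif has_newer(primary, backup):
        backup = dict(primary)                #    newer files on Primary: copy them
    for c in clients:                         # 5./6. Backup notifies; clients pull if newer
        _source, files = pulled[c]
        if has_newer(backup, files):
            pulled[c] = ("backup", dict(backup))
    return primary, backup, pulled

# Constructed manifests and client names
INTERNET = {"Norman": "5.90.1", "Sophos": "4.22.0"}
OLD = {"Norman": "5.89.0", "Sophos": "4.21.9"}
CLIENTS = ["exhub01", "exedge01"]

def demo(primary_download_ok: bool) -> Dict[str, str]:
    """Client -> server it ended up pulling signatures from."""
    _, _, pulled = run_distribution(INTERNET, dict(OLD), dict(OLD), CLIENTS,
                                    primary_download_ok)
    return {c: src for c, (src, _) in pulled.items()}
```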

39

Auto-discovery of Exchange Servers

A nightly scan of Active Directory searches for Exchange servers

Compares discovered servers with known servers in the Forefront Server Security Management Console

All previously undiscovered Exchange servers are highlighted on the screen and available via a daily report

Forefront/Antigen can then be deployed to these servers

40

At a Glance screen highlights newly discovered servers.

Auto-discovery of Exchange Servers (cont.)

41

Reporting – At a Glance

A system status screen showing key data points from the past 24 hours

Virus statistics: skipped, cleaned, detected, blocked, etc.

Spam statistics: skipped, purged, identified, etc. (Antigen 9 only)

Filter statistics: file filters, keyword filters, subject line filters

Top 5 Viruses

Most Active Servers

42

Reporting – Out-of-date engine and signature version report

Problem: Security admins want to be kept informed of whether their systems are up to date. Out-of-date signatures and engines should be identified.

Solution: FSSMC makes it possible to view the signature and engine version on each managed server. It does not matter whether the server is updated by FSSMC or not.

43

Alert Management

Example:

An alert can be sent when no virus activity is seen for a specified period of time

A lack of virus detections can indicate a scanning failure

Possible scan job crash

Possibly misconfigured server
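The out-of-date version report and the quiet-period alert from the two FSSMC slides above, as an added Python example that is not FSSMC code; the inventory, version numbers, server names and log line format are constructed assumptions.

```python
"""Two FSSMC checks from the reporting and alerting slides: the out-of-date
engine/signature report over a constructed inventory of managed servers, and
the "no virus activity for a period" alert over constructed Forefront log
lines. Added illustration, not FSSMC code; the log line layout, server
names and version numbers are all assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed: latest signature version per engine, and what each managed
# server currently runs. Versions are compared as integer tuples (assumed).
LATEST = {"Norman": "5.90.1", "Sophos": "4.22.0", "Microsoft": "1.27.2"}
INVENTORY = {
    "exhub01": {"Norman": "5.90.1", "Sophos": "4.22.0", "Microsoft": "1.27.2"},
    "exedge01": {"Norman": "5.89.0", "Sophos": "4.22.0", "Microsoft": "1.27.2"},
    "exmbx02": {"Norman": "5.90.1", "Sophos": "4.21.9", "Microsoft": "1.26.0"},
}

def _ver(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def out_of_date_report(inventory: Dict[str, Dict[str, str]],
                       latest: Dict[str, str]) -> Dict[str, List[str]]:
    """server -> engines whose signature version is behind the latest available.
    Applies whether FSSMC or the server itself performs the updates."""
    report = {}
    for server, engines in inventory.items():
        stale = [e for e, v in engines.items() if _ver(v) < _ver(latest[e])]
        if stale:
            report[server] = stale
    return report

# Constructed log lines: "<ISO timestamp> <server> <event> [detail]"
LOG_LINES = [
    "2007-10-01T08:05:00 exhub01 VIRUS_DETECTED Mytob.NQ@mm",
    "2007-10-01T08:40:00 exedge01 VIRUS_DETECTED Bagle.EG@mm",
    "2007-10-01T09:15:00 exhub01 SCAN_OK",
    "2007-10-02T11:20:00 exhub01 VIRUS_DETECTED Feebs.EU",
]

def quiet_period_alerts(lines: List[str], servers: List[str], now: datetime,
                        period: timedelta) -> List[str]:
    """Servers with no VIRUS_DETECTED event within `period` before `now`. As the
    slide notes, silence can mean a crashed scan job or a misconfigured server."""
    last_seen: Dict[str, datetime] = {}
    for line in lines:
        ts, server, event = line.split(" ", 3)[:3]
        if event == "VIRUS_DETECTED":
            when = datetime.fromisoformat(ts)
            last_seen[server] = max(when, last_seen.get(server, when))
    return sorted(s for s in servers
                  if s not in last_seen or now - last_seen[s] > period)

def demo_alerts() -> List[str]:
    """Evaluate the alert at a constructed 'now' with a 24-hour quiet period."""
    now = datetime(2007, 10, 2, 12, 0)
    return quiet_period_alerts(LOG_LINES, sorted(INVENTORY), now, timedelta(hours=24))
```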

44

Reporting – Out-of-date engine and signature version report

Turns RED when there is no internet connection

45

Forefront Security for SharePoint

46

How Do Viruses Get to SharePoint?

Today, viruses arrive primarily by accident – not design

User uploads a document with an embedded payload; possibly malicious user activity

Risks in an extranet deployment

User maps a network drive to \\server\sites\teamsite. If a user is infected by a virus that attempts to propagate to network shares, then the virus can propagate to SharePoint sites

Figure: Users -> SharePoint Portal Server -> SQL Document Library

47

Why SharePoint Antivirus?

File Server AV does not provide the level of protection needed to prevent SharePoint-related infections

Desktop AV is not enough to solve the problem

Desktop AV may detect infection within the cached copy, but cannot clean the stored copy in the document library

Forefront Security for SharePoint cleans the document in the library, ensuring all posted and downloaded documents are safe

Signature distribution is often slow and problematic, and never contains five scanning engines

48

Forefront Antivirus Scanning

Forefront provides two types of scan jobs:

Realtime Scan Job – Scans any files being uploaded to or downloaded from SharePoint

Works with a web browser or any other application accessing SharePoint. Provides proactive protection

Manual Scan Job – Scans all or part of SharePoint document library on demand

Scans can be scheduled. Can be used to scan with engines different from the Realtime scan job

49

Forefront Realtime Scan Job

Realtime scanning always uses the VSAPI

Basic Realtime scan settings are centrally configured through the SharePoint interface, not the Forefront console

Screenshot: click the highlighted link to change settings, then click “Operations,” followed by “Antivirus”

50

Virus - user experience

51

Realtime Scan Virus Detection Actions

When Forefront detects a virus, several Actions are available:

Skip: detect only – Logs presence of virus, but does not block or delete it

Not a secure setting!

Can be used for testing/evaluation purposes

Clean: repair document – Attempts to clean the file. If file cannot be cleaned, it is blocked

Delete: block document – GOOD CHOICE !!

52

Realtime Virus Deletion Text

When a file is deleted because it contains a virus, Forefront replaces it with a text file

File keeps its name, but gets a .txt extension. Deletion text is only used in Realtime scanning when replacing files within a ZIP file

The text file contains a configurable “Deletion Text” that can include system information

By default, the deletion text reads:

53

Forefront Manual Scan Job

Manual Scan provides tree-view into document library

All or part of the library can be set for scanning by using check boxes

Settings will not include new sites by default unless the top box is checked

Use Quick Scan to scan a particular part of the library

54

File Filtering – Forefront vs. SharePoint

SharePoint also supports file blocking, but performs only file extension checking

Will not catch a file if its extension is changed to an approved file extension

If SharePoint and Forefront rules overlap, SharePoint rule is applied first

SharePoint file scanning requires less overhead and should be used in conjunction with Forefront: block the same list of files in both places

Skip: detect mode can be used to inventory the library or understand real-time file storage patterns

55

Large File Support

• Large file support has been added to the VSAPI in SharePoint 2007
• The VSAPI hook can load and transfer pieces of the file on demand
• Forefront requests file data in chunks
• Maximum file size that can be scanned is 2GB
• If the file is larger than 2GB, then the Forefront Service will return a value of MSOVSI_STATUS_INFECTED
• The Virus Information string will note “Exceeded File Size”

56

Figure: VSAPI 1.4 Architecture. SharePoint Front End -> Antivirus Manager (AVM) -> Virus Scan Engine (VSE), the antivirus vendor component; the AVM reaches the SharePoint DB through the COM layer.

The SharePoint process (AVM) reads and writes to the DB

AV engines do not have to interact with the DB

VSE returns results and the AVM takes action, e.g. block, clean, etc.

VSAPI 1.4 Architecture

57

SharePoint API integration

Utilizes the SharePoint Virus API to scan files during upload and download

Optimized for performance in a SQL environment

Files are not rescanned if engines have not been updated

Up to ten simultaneous scanning threads to help ensure users are not delayed waiting for documents to scan

Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly

58

Troubleshooting Tips

1. FSCUtility.exe

FSCUtility /status - Gives an on-screen report showing the status of Forefront Security and the server
FSCUtility /disable - Disables Forefront Security dependencies
FSCUtility /enable - Enables Forefront Security dependencies

2. FSCDiag
3. Programlog.txt
4. Event Logs
5. Perfmon Counters
6. MOM Packs
7. Forum: http://forums.microsoft.com/Forefront/default.aspx?ForumGroupID=275&SiteID=41

59

Microsoft Operations Manager

Over 100 Events, Performance Counters, and Services Monitored

Monitors the state of Forefront.

Collects statistical data on scanning, detection, and removal of messages and attachments

Polls Forefront Services - Provides timed events to poll systems for critical process health

Key Tasks

Triggers scan engine updates

Centralizes storage and deployment of license files

Imports, exports and deploys setting changes

Initiates and/or schedules manual scan jobs

Starts/Stops control of Forefront services

60

Q&A