Forefront Server Security

Agenda

Introduction to Forefront Server Security products- Comprehensive Protection Features- Optimized Performance Features- Simplified Management Features

Forefront Security for Exchange Server- Exchange 2007 Role Support- Premium Anti-spam Services- File filtering

Forefront Security for SharePoint- SharePoint API- Content filtering

Summary

Server Security Product RoadmapPastPast

ClientClient

ServerServer

EdgeEdge

Next Generation Client SecurityNext Generation Client Security

Next Generation Server SecurityNext Generation Server Security

Next Generation Edge Security & AccessNext Generation Edge Security & Access

Inte

gra

ted

Pro

tectio

n &

In

teg

rate

d P

rote

ction

&

Man

ag

em

en

tM

an

ag

em

en

tC

od

en

am

ed

‘Stirlin

g’

Cod

en

am

ed

‘Stirlin

g’

(Beta 2)

PresentPresent FutureFuture

Comprehensive Protection

Problem Single Point of Failure

SharePointSharePoint

ISA ISA ServerServer

SMTP SMTP ServerServer

Internet

Viruses

Anti-virus Approaches

ExchangExchangee

ExchangExchangee

Single Vendor

Single Engine

Worms

Spam

A A

A A A

A

A A

Problem Management/Cost

SharePointSharePoint

ISA ISA ServerServer

SMTP SMTP ServerServer

Internet

Viruses

Anti-virus Approaches

ExchangExchangee

ExchangExchangee

Multi-vendorMulti-engine

Worms

Spam

A B

C

A

ED

B C

Harnessing the Strength of Multiple Engines

Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from

Each scan job in a Forefront Server Security product can run up to five engines simultaneously

Internal Messaging and Collaboration Servers

A B C ED

The Multiple Engine Advantage

Rapid response to new threatsFail-safe protection through redundancyDiversity of antivirus engines and heuristics

Response time1 (in hours)The Microsoft

multiple-engine solutionWildList Number

MalwareName

Forefront Set 1

Forefront Set 2

Forefront Set 3

Vendor A* Vendor B* Vendor C*

10/2006 Areses!Itw30 0.00** 0.00 0.00 0.00 0.00 0.0010/2006 Areses!Itw36 0.00 0.00 0.00 1598.78 0.00 0.0010/2006 Areses!Itw37 0.00 0.00 0.00 0.00 52.30 175.4510/2006 Areses!Itw41 0.00 0.00 0.00 0.00 13.15 194.3510/2006 Mytob!Itw590 0.00 0.00 0.00 1332.17 0.00 0.0010/2006 Rontokbro!Itw36 0.00 0.00 0.00 0.00 0.00 613.4010/2006 Sdbot!Itw1809 0.00 0.00 0.00 9.97 166.07 270.3910/2006 Sdbot!Itw1831 65.95 52.23 41.78 59.43 1.00 46.3810/2006 Sdbot!Itw1847 56.54 56.54 204.79 416.27 29.92 85.3210/2006 Stration!Itw101 0.00 0.00 0.00 93.88 23.46 96.8510/2006 Stration!Itw102 0.00 0.00 0.00 26.00 28.05 30.8310/2006 Stration!Itw42 0.92 0.92 0.92 3.72 3.12 7.0510/2006 Stration!Itw43 2.00 2.00 2.00 4.80 4.20 8.1310/2006 Stration!Itw44 0.00 0.00 0.00 5.60 2.00 7.5810/2006 Stration!Itw45 0.00 0.00 0.00 3.55 2.00 7.5810/2006 Stration!Itw46 0.00 0.00 0.00 2.75 2.20 6.7810/2006 Stration!Itw47 0.00 0.00 0.00 3.72 3.12 7.0510/2006 Stration!Itw60 0.00 0.00 0.00 0.00 4.64 6.3211/2006 Rbot!Itw2090 0.00 0.00 0.00 1739.10 0.00 298.6411/2006 Sdbot!Itw1814 0.00 0.00 0.00 1.00 0.00 0.0011/2006 Sdbot!Itw1866 0.00 0.00 0.00 26.80 1.00 35.2711/2006 Sdbot!Itw1867 0.00 0.00 0.00 14.00 12.84 23.1411/2006 Sdbot!Itw1876 0.00 0.00 0.00 468.60 306.82 430.8011/2006 Stration!Itw124 0.00 0.00 0.38 0.66 1.88 8.8012/2006 Bagle!Itw137 0.00 0.00 0.00 4.01 0.00 13.8312/2006 Bagle!Itw141 0.00 0.00 0.00 17.15 0.00 13.8312/2006 Puce!Itw1 0.00 0.00 0.00 0.00 0.00 1.0012/2006 Rbot!Itw2038 0.00 0.00 0.00 1026.27 0.00 0.0012/2006 Sdbot!Itw1889 0.00 0.00 0.00 128.28 255.20 63.96

* Includes beta signatures** 0.00 denotes proactive detection

1 Source: AV-Test.org 2007 (www.av-test.org)

Other single-engine solutions

= Less than 5 hours

= 5 to 24 hours = More than 24 hours

Optimized Performance

Optimized Performance Controls

Bias

Engines used are not always the same. They are dynamically allocated from the available pool.

A

B

C

D

Max Certainty: uses all engines (100%) Favor Certainty: uses all available engines* Neutral: uses approximately 50% of available engines*Favor Performance: uses 25% of available engines*Max Performance: uses one engine for every scan*

Optimized Performance Controls

Bias

Engines used are not always the same. They are dynamically allocated from the available pool.

A

B

Max Certainty: uses all engines (100%) Favor Certainty: uses all available engines* Neutral: uses approximately 50% of available engines*Favor Performance: uses 25% of available engines*Max Performance: uses one engine for every scan*

Simplified Management

SharePoint Servers

Exchange Servers

Forefront Server Security Management Console Features

Central management console - Deploys and configures

Forefront/Antigen Security for Exchange and SharePoint environments

Automates signature updates across the enterprise- Scans for and pulls updates

for multiple antivirus engines

- Distributes updates to all Forefront/Antigen servers

Forefront Server Security Management Console Features

Comprehensive reporting- Detected viruses, keyword filters or file filters- Actions taken by Forefront/Antigen on

detection of a virus or content violation- Message traffic activity- Antivirus engine versions

Outbreak alerts- SNMP and SMTP alerts sent when administrator-

defined thresholds for viruses, file and content filters are exceeded

- Alerts can be forwarded to Microsoft Operations Manager

Automated Signature Updating

Internet

Engine Partner Updates

www.microsoft.com

Internet

ForefrontEngineAdaptor

Notifications & Reporting

Microsoft Operations Manager Forefront Management Pack for MOM 2005

Over 100 Events, Performance Counters, and Services Monitored- Monitors the state of Forefront.- Collects statistical data on scanning, detection,

and removal of messages and attachments- Polls Forefront Services - Provides timed events

to poll systems for critical process health Key Tasks

- Triggers scan engine updates- Centralizes storage and deployment of license

files- Imports, exports and deploys setting changes- Initiates and/or schedules manual scan jobs- Starts/Stops control of Forefront services

Forefront Security for Exchange Server

Microsoft® Forefront™ Security for Exchange Server includes multiple scan engines from industry-leading security firms, integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.

Secure Messaging

Comprehensive

Protection

Optimized Performance

Simplified Management

Ships with & manages multiple antivirus engines

Multi-layered protection in Exchange 2007

File Filtering and premium anti-spam protection

Deep integration with Exchange Server Scanning innovations & performance

controls Maintains uptime and optimizes

performance Easily manage configuration and operation

Automated signature updates Reporting, Notifications and Alerts

What’s New in This Release?

Forefront Security for Exchange Server- Support for three Exchange roles in single product- 64-bit support (32-bit support only for evaluation)- Localization into 11 languages- Support for new Exchange AV features

AV transport stamp Targeted background scanning for optimized performance

- Access to all scan engines included with license- Premium anti-spam services for Exchange 2007- Cluster Server improvements including new

Exchange 2007 CCR cluster support

Mailbox

ClientAccess

Unified Messaging

EdgeTransport

HubTransport

Enterprise networkOtherSMTP

Servers

Mailbox

Routing

Hygiene Routing Policy

Voice Messaging

PBX or VoIP

PublicFolders

Fax

Applications:- OWA

Protocols:- ActiveSync, POP,

IMAP, RPC / HTTP …

Programmability:- Web services, - Web parts

Exchange 2007 Enterprise Topology

INTERNET

Email Transport Scanning

New intelligent scanning does not scan email that has already been scanned- By default, email scanned at Edge Transport

or Hub Transport does not get scanned again when routed or deposited into mailboxes

Minimizes AV scanning overhead to maximize mail system performance- Significantly reduces scanning impact at the

store- Can be turned off to allow scanning at all

points

INTERNET

Edge Server Hub Role Mailbox Role

Mailbox Role

Public Folder

Client

SCAN and STAMP

NO SCAN NO SCAN

• Mail scanned only once at the Edge

• Saves processing load on Hub and Mailbox servers

Transport Scanning – Inbound Mail

Edge Server Hub Role Mailbox Role

Mailbox Role

Public Folder

Client

SCAN and STAMP

NO SCAN NO SCAN

NO SCAN

Transport Scanning – Internal Mail

Internal mail is routed through Hub role

Proactive scanning at the Mailbox server (store) is turned off by default

Saves processing load on Mailbox servers

Internet

Mail Store Scanning – Multiple Options

Standard mode- Background Scan to sweep the store once each

day, scanning only the most vulnerable files- On-access protection for unscanned mail

Outbreak mode- Re-scan on-access whenever scan engines update

Ultimate security mode- Scan on submission to store- Re-scan on access whenever scan engines update- Continuous background scan with new signatures

Incremental Background Scanning

Ability to scope background scanning allows for daily “sweep” of store with latest updates

Scan only messages delivered in the past-4, 6, 8, 12, 18 hours-1, 2, 3, 4, 5, 7, 30 days

Combines security and performance-The most dangerous messages are scanned-The bulk of the store does not get scanned

repeatedly for no reason

Premium Anti-spam Protection

Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007

Deployed on Exchange Edge or Hub server role- Edge server can be deployed in front of

Exchange 2003 mailboxes Built upon base anti-spam in Exchange 2007,

premium anti-spam protection adds:- Microsoft IP reputation filter service and automated

updates- Automated updates for Microsoft Smartscreen spam

heuristics, phishing Web sites and Intelligent Message Filter (IMF)

- Targeted spam signature data and automatic updates to identify latest spam campaigns

File Filtering

A key part of any mail protection strategy

File filtering proactively blocks a specific range of potentially dangerous file types whether or not a signature exists-Suggested files to block: EXE, COM, PIF,

SCR, VBS, SHS, CHM and BAT -Some users will block the same file types

that are blocked by Outlook 2003 See Outlook online help for list

Use *.exe and All Types of files to block anything named *.exe

Use *.* and EXEFILE to block any executable file no matter what it is named

File FilteringSetting up file filters

Forefront blocks by extension and true file type- Can’t fool filter by simple change of

extension- Each is configured differently

File FilteringSetting up file filters

Search for specific files by name, e.g. “resume.doc”- Wildcards supported, e.g. “*resume*.doc”- Each * represents 250 characters

File filters can be Inbound or Outbound- <in>*.exe, <out>*.doc

Files can be blocked based on size, and size/name/type/direction combinations- <in>*.mp3>2mb- <out>*.mp3>5mb- <in>*.*>10mb

File Filtering Actions

Every filter or filter list can have a separate

action applied, offering great flexibility- Skip:Detect only – logs the event but does

not block or alter the message Not a secure setting! Useful for monitoring and discovery purposes Allows for pre-testing of new rules without end

user impact- Delete:Remove contents – removes the

attachment only and replaces with the customized deletion text

- Purge:Eliminate message – deletes both the attachment and the message body End user receives nothing

Filter Rules: Delete *.exeQuarantine

File Filtering – Zip file behavior

Forefront scans within ZIP and other compressed formats, deletes only the offending fileand then repackages the ZIP

Container file before scan

EXE DOC

JPGBMP

DOC

JPGBMP

TXT

Container file after scanEXE

Quarantine

Custom deletion text

Forefront Security for SharePoint

Microsoft Forefront Security for SharePoint integrates multiple scan engines from industry-leading vendors and provides content controls to help businesses protect their Microsoft Office SharePoint 2007 and Windows SharePoint Services 3.0 collaboration environment by eliminating documents containing malicious code, confidential information, and inappropriate content.

Secure Collaboration

Ships with & manages multiple antivirus engines

File & Content Keyword Filtering Support for Open XML & IRM-protected docs Deep integration with SharePoint Server Scanning innovations and performance

controls Maintains uptime and optimizes performance. Easily manage configuration and operation Automated signature updates Reporting, Notifications and Alerts

Comprehensive

Protection

OptimizedPerformance

Simplified Management

What’s New in This Release?

Forefront Security for SharePoint-Both 32-bit and 64-bit support- Localization (11 languages)-Support for SharePoint Information

Rights Management Documents-Keyword filtering on Office XML

Open Format and Excel formats-Access to all scan engines

included with license

Forefront Security for SharePoint

SQL Document Library

DocumentUsers

Document

SharePoint Server

Virus Protection for Document Libraries

Integrates scan engines from eight industry leading vendorsReal-time scanning of documents uploadedand downloaded from document libraryManual and scheduled scanning of document library

Content Policy EnforcementFile filtering to block documents frombeing posted based on name match, file type or file extensionContent filtering by keywords withindocuments for inappropriate words and phrases

Protects MOSS 2007 and WSS 3.0

SharePoint API integration

Utilizes the SharePoint Virus API to scan files during upload and download- Optimized for performance in a

SQL environment Files are not rescanned if engines have

not been updated Up to ten simultaneous scanning threads

to help ensure users are not delayed waiting for documents to scan

Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly

Forefront Server Security Management Console

Centralized, web-based console Automated signature updates for multiple AV

engines Comprehensive reporting

Simplified Management

Forefront Server Security Management Console allows administrators to easily manage Forefront Security for Exchange Server, Forefront Security for SharePoint and Microsoft Antigen, providing a web-based console to centralize configuration and operation, automate the download and distribution of signature and scan engine updates, and generate comprehensive reports.

Outbreak response Rapid update distribution

Integration with SQL Server 2005 & Windows Server 2003

Redundancy maintains server availability Support for Exchange 2007 CCR clusters

Comprehensive

Protection

OptimizedPerformance

What’s New in Forefront Server Security Management Console?

Exchange 2007 CCR Cluster SupportSQL 2005 Support*Auto-discovery of Exchange Servers*Exchange Server Filter*Redundancy*Localization in 11 languages**

* Beta 2 (mid-2007)** RTM (2H 2007)

Forefront Server Security Management Console

Sybari Enterprise Manager

Antigen Enterprise Manager

Forefront Server

Security Management

Console

Sybari Antigen for Exchange/SMTP 8.0

Sybari Antigen for SharePoint 8.0

Sybari Antigen for Instant Messaging 8.0

Microsoft Antigen for Exchange/SMTP 9.0

Microsoft Forefront Security for Exchange Server

Microsoft Forefront Security for SharePoint

Support Matrix and History

Customer Testimonials

“Forefront works like a dream. We don’t have to do anything to it until we’re ready to upgrade. With a small IT staff, that’s exactly what we want.”Alexander Fischer, Chief of IT Infrastructure, Koehler Paper Group

“We looked at Forefront and it blew us away. We’re a Microsoft shop. We want to use products that will integrate well with what we have. And we’ve seen the Microsoft roadmap for the Forefront product range, so we know this is a product we can use to increasing advantage in the years to come.”

Peter Oescheger, CIO, Sasfin

“We wouldn’t put anything else for e-mail security on our Exchange Server 2007 machines. The software is well-respected. It’s been around; it’s proven. Our own experience with Microsoft Antigen is that it’s an outstanding product. Forefront Security for Exchange Server makes it even better.”

Chris Habala, Senior Architect/Analyst, Del Monte

“The integration of Forefront with Exchange is even better than the integration we saw with Antigen. It integrates proactively as part of the scanning flow. It’s not complicated to install or administer. Microsoft has taken one of the best antivirus products for Exchange and just made it better.”

Will Wilson, Director of Information Systems, Guardian Management

Summary

Microsoft Forefront Server Security products:- Provide comprehensive antivirus, antispam and

content filtering protection for Exchange Server, SharePoint Server, Windows SharePoint Services, and Live Communications Server

- Strengthen messaging and collaboration security by integrating multiple industry-leading antivirus technologies in a single solution

- Optimize performance of messaging and collaboration servers with scanning innovations and performance bias controls

- Simplify management of messaging and collaboration security

© 2007 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Appendix

* Magic Quadrant for E-Mail Security Boundary, 2006. Peter Firstbrook, Arabella Hallawell Publication Date: 25 September 2006/ID Number: G00142431

Gartner Magic Quadrant forE-Mail Security Boundary

2006 *

Industry Analyst Perspective

Magic Quadrant Disclaimer This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Microsoft. Go to: www.microsoft.com/forefront. The Magic Quadrant noted on slide 16 is copyrighted September 25, 2006, by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.