Dr. Tom Shinder’s Blog

All Blogs  »  Dr. Tom Shinder's Blog  »  Archive: July 2008

Microsoft Forefront Client Security Enterprise Manager

Forefront Client Security (FCS) Enterprise Manager is a tool that will allow customers to centrally report on events across multiple event logging & reporting servers (collection servers). This tool enables a Forefront Client Security management console to provide centralized management and reporting across multiple FCS deployments (i.e. enable hierarchical management). By using this, customers will be able to:

  • Easily deploy FCS policy to the entire organization.
  • Centrally view & administer alerts collected by multiple event logging servers.
  • Use a single dashboard to monitor the security state of the entire enterprise. 
  • Review unified reports to access the current and historical security state of the entire enterprise.

Download the Forefront Client Security Enterprise Manager at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

Microsoft Forefront Virtual Labs

Want to know more about Microsoft Forefront security products and how they can be used to protect your networked clients and servers? One great way to do this is to use virtual labs. Each lab is about 90 minutes and there’s no setup required. Just start the lab, read the manual and have at it!

Check out these virtual labs for Forefront products:

HTH,

Tom

Microsoft Office Visio 2007 Connector for the Microsoft Baseline Security Analyzer (MBSA) 2.1

Do you know the security status of your network? Get a visual. The Visio 2007 Connector for Microsoft Baseline Security Analyzer (MBSA) lets you view the results of an MBSA scan in a clear, comprehensive Microsoft Office Visio 2007 network diagram. You must have both Visio 2007 Professional and MBSA 2.1, a free security tool from Microsoft, for this connector to work properly.

  • Convey information powerfully and succinctly with data graphics (text, data bars, icons) and color-coding on your diagrams.
  • Pinpoint vulnerabilities on the color-coded diagram.
  • Prioritize actions based on the results presented in the network diagram.

Download the connector at:

http://technet.microsoft.com/en-us/security/cc1849...5.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/UAG)

Help Your Family and Friends Learn Computer Security

You’re the Microsoft security admin for your company. While your real job is to take care of the security design and management of your company’s computing infrastructure, your second job seems to be to take care of your family’s and friends’ computers. This happens to all IT people — whenever you see your friends or family, or go to a party, you become the “go to” guy for all sorts of computer problems. And as the “security guy”, they will give you an extra pummeling of questions related to viruses, worms, trojans, and whatever the malware du jour happens to be.

If you need to duck out of these questions, Microsoft can help you with a Web page they’ve created for newbies. The Security at Home page has articles about Microsoft security that are written with the newb in mind. Lots of good advice that even the most Mac-minded Windows user can use to make his computer more secure.

Check out security at home at:

http://www.microsoft.com/protect/default.mspx

HTH,

Tom

Microsoft Forefront Codename “Stirling” Overview

Microsoft Forefront codename “Stirling” is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging, and collaboration applications. It also provides a network edge that is easier to manage and control. By delivering simplified management and providing critical visibility into threats, vulnerabilities, and configuration risks, “Stirling” helps you reduce costs and achieve greater insight into your enterprise security state. Attend this session to get an overview of this new security system from Microsoft.

In the second part of our overview on Microsoft Forefront codename “Stirling,” we cover the next-generation versions of Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint, and Microsoft Internet Security & Acceleration Server (ISA), which is to be renamed the Forefront Threat Management Gateway.  We also have our June 2008 Security Bulletin.

Check out the podcasts at:

http://technet.microsoft.com/en-us/bb510143.aspx

HTH,

Tom

Death of the DMZ — Redux

My friend Steve Riley is at it again — this time with a new twist. In a blog post over at http://blogs.technet.com/steriley/archive/2008/06/...6.aspx he describes a vision where the corpnet can be extended to any location in the world. Thus, there will be no difference between an “internal” host and an “external” host. All managed clients will be considered as part of the same security zone (corpnet), regardless of their location.

This solution depends on two core technologies:

  • Universal connectivity using IPv6
  • Connection security and privacy provided by IPsec

IPv6 will remove all NAT requirements and Steve says that all you need is a router configured to allow inbound UDP 500 (for IKE) and TCP protocol 50 (for ESP). That’s it. No need for firewalls at the corpnet edge, since there will no longer be a corpnet, just a worldwide network of managed clients that Group Policy, Forefront Client Security and NAP will protect.

It’s an attractive idea. Wouldn’t it be nice to join my kitchen computer, the one that I share with the wife and kids, to the distributed corpnet? And how about my main workstation at home? That should be a member of the corpnet too. And that laptop I lug around the world, connecting it to unsecure and unmanaged networks with great abandon, that should be part of the corpnet too. Sweet!

However, there’s a problem with this scenario that Steve hasn’t addressed — outbound access control and the “quality” of clients.

First, let’s look at the outbound access control issue. Outbound access control has two primary goals — to prevent users from downloading stuff that the company doesn’t want on corpnet computers and to prevent users on corpnet computers from uploading stuff the company doesn’t want uploaded. We might also add a third goal — to prevent users from viewing information that could put the company at risk for any number of legitimate or illegitimate reasons (from a criminal and civil law perspective).

Steve’s “network of the future” doesn’t have any provisions for outbound access control. While Forefront Client Security is a great anti-malware solution, it doesn’t protect against zero-day threats. And while NAP does a darned good job at preventing unhealthy clients from connecting to the network, there’s more to the security game than just protecting us from known malware and unhealthy clients. Thus, without outbound access controls, you reduce the overall “quality” of the machines because they have an increased attack surface, owing to unrestricted access to any content using any protocol using any application.

So this first issue plays into the second problem with Steve’s “network of the future” — the “quality” of clients located on Steve’s distributed corpnet. Let’s look at an analogy.

A woman is in love with two men (hey, it can happen) and has decided that she wants to marry one of them so that she can settle down and have a happy life. She manages both of these men pretty well, except one of them has a long history of being a womanizer and has slept with hundreds of women in his life. However, she’s sure he’s given up that life to be with her. The other man has only been with one other woman in his life and has no history of womanizing.

What would you recommend to this woman? Both of these men have been “well managed” by her and she’s sure that she’ll be able to manage either one of them in the future. But would you say both of these men were of the same “quality” when it comes to potential future risk?

Isn’t the womanizer much like the off-site computer that connects to a multiplicity of networks with unknown security states? And even if the Bedouin off-site computers were only connected to secure networks, who has been working on those computers and who is really logged onto those machines? What if the off-site “corpnet” machine is in the hands of an attacker — to what degree will that attacker be able to leverage his newfound connectivity to the corpnet?

What do we do about this situation? It’s clear that off-site clients are in a different security zone than the “bolted-in” corpnet clients. But then again, is there such thing as a bolted-in corpnet client anymore? Many companies are providing laptop computers to their users that they can take home, and then they can bring them back and plug them into the corporate network. Are these machines any different than the off-site distributed network “new world order” corpnet machines?

So, maybe the issue of client “quality” is moot, and the concern regarding the difference in quality, and thus different security zones for mobile and “fixed” corporate assets, is more apparent than real. This still leaves the issue of outbound access controls.

Steve mentions enabling the Windows Firewall with Advanced Security on the clients. While this is a great suggestion for controlling inbound access (as is the router configuration to the physical “corpnet”), it does nothing for outbound access control.

So, what is the solution? I suspect the only way we can actually solve the problem and make Steve’s “network of the future” a reality is to have an ISA (actually it’ll be a TMG) firewall on every client, and enable centralized management of that firewall via a consolidated agent, such as the Firewall client, which could be wrapped into the Forefront Client Security agent. Only after having this or a similar solution will we get close enough to leveling the playing field to make the “network of the future” a truly secure, distributed corpnet.

Next time, we’ll tackle the task of reperimeterization and the unmet challenges we have there.

HTH,

Tom

The Microsoft ACE Team

I’ve written a bit on how important a Security Development Lifecycle is to creating secure software. Without an SDL, software is designed for functionality first, and then security is “bolted on” at the end of the development process. This can lead to software with more security bugs than you’d care to think about. With an SDL, those bugs never find their way into the software, because the SDL process forces security issues to be considered from the initial inception of the software to the final code release. For any software purchase you make, you need to ask the vendor how they implement an SDL in their own software development process. If they can’t provide you this information, then you should reconsider the software purchase and look to a vendor that can provide you details of their SDL.

But what if you’re a software development house and you don’t have the knowledge or the talent in-house to implement an effective SDL? There are a lot of options, but one of the best is to bring in some experts who can perform fast and effective knowledge transfer to bring your developers and project managers up to speed. Which experts should you choose? I think that you can’t do much better than the Microsoft ACE Team. The Microsoft Application Consulting and Engineering Team can do code reviews and train your staff in secure application development. I’ve had the chance to work with this team and they are top-notch secure application development professionals.

For more information about Microsoft ACE, check out their blog at:

http://blogs.msdn.com/ace_team/default.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Microsoft Security Architect / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/UAG)

Network Monitor 3 Video Help

As all Microsoft security admins know, you have to be good at protocol analysis to find out what’s happening on the wire. But what’s the best protocol analyzer to use? There are plenty of commercial protocol analyzers you can use, but if you want to use a free one that provides commercial level functionality and flexibility, then it’s hard to do better than Network Monitor 3.

To learn more about NM 3, check out the video Help links on the Network Monitor blog at:

http://blogs.technet.com/netmon/archive/2008/07/11...3.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

TechNet Webcast: Security Features in Windows Vista (Level 200)

Shawn Travers presents a fine Webcast about Windows Vista security. Topics include:

  • Windows Service Hardening
  • Antispyware enhancements
  • Antiphishing enhancements
  • Windows Firewall with Advanced Security
  • IPv6
  • BitLocker
  • EFS
  • Smart Card enhancements
  • And more!

Check out this on-demand Webcast at:

http://www.microsoft.com/events/series/detail/webc...312729

HTH,

Tom

Identifying the Changing Threat Landscape

Your network is running smoothly, your end users are happy with their new PDAs and laptops, and your boss thinks you’re a security genius, but how do you know what you’re defending against? Microsoft provides learning path resources to understand the current threat landscape and identify ways to help protect your business and customers. You’ll find analysis of data collected from millions of users—as well as respected security experts—complete with strategies, mitigations, and countermeasures to help you take next steps.

Check this learning guide out at:

http://technet.microsoft.com/en-us/security/cc5140...3.aspx

HTH,

Tom
