
TechNet Webcast: Windows Network Policy Server Fundamentals (Level 300)

In this session, we talk about Network Policy Server (NPS) in Windows Server 2008 and how to implement Network Access Protection (NAP). We start with an introduction to the Network Policy Server and show how it plays a valuable role in maintaining the integrity of an internal computer network. We also explain how to deploy and configure NAP, how NAP works, and how it employs NPS. We show how to enable debug tracing and how to use it for monitoring and troubleshooting connectivity problems. Finally, see how to use load balancing and how to set up fallback servers, in addition to various techniques for deploying backup/recovery plans to maintain a high-availability network access system.

Presenter:  Blain Barton, IT Pro Evangelist, Microsoft Corporation

In his 12 years at Microsoft, Blain Barton has organized and delivered a wide array of educational programs. He has presented at more than 400 live events and received six top presenter awards in the last several years. Blain has also worked on worldwide original equipment manufacturer (OEM) system engineering and headed up the Microsoft Visual Basic support team. In presentations, Blain is known for getting his audiences personally involved in every demo. He plays the drums in his free time, and he taught professional-level snow skiing in Washington State before moving to Florida, where he currently resides.

Check out the Webcast at:

http://www.microsoft.com/events/series/detail/webc...366207

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

On Virtualizing Network Security Devices

Over the last few years virtualization has become increasingly popular. I’ve been virtualizing my datacenters for the last eight years, so the sudden rush to virtualization came as a bit of a surprise to me. However, it was a good surprise, because it showed that I was right to promote virtualization as a management, high availability and disaster recovery solution, even when nobody seemed to care about it.

With all the goodness that virtualization gives, there’s one thing that it doesn’t provide — a security solution. Virtualization is many things to many people, but one thing it’s not is a security solution. This means you need to consider how virtualization affects the security posture of your enterprise.

There are a lot of approaches you can take when designing your virtualized topology. The one I find the most useful is one that works in a non-virtualized infrastructure. You put all machines belonging to the same security zone on the same host machine. Servers that belong to different security zones are put on different host servers.

What this means in practice is that you mirror your network security zones to host servers. There are all types of security zones: anonymous access DMZs, authenticated access DMZs, network services segments, client segments, departmental segments, honeypot segments, and so-forth. The key issue with security zones is that there is a network security device controlling access into and out of the security zone.

So how would we approach this situation in an actual deployment? Let’s take a very simple network with the following security zones:

  • Network services segment — this contains AD domain controllers, Exchange back-end servers, internal DNS resolvers, and SharePoint servers
  • Anonymous access DMZ — this contains public Web servers, public DNS servers, public FTP servers, public media streaming servers, and inbound SMTP relays (Edge Exchange Servers)
  • Authenticated access DMZ — this contains resources that require authentication at the firewall before access is allowed to these servers. For example, front-end/client access Exchange Servers, public facing SharePoint servers, and authenticated SMTP relays (used by external users who require SMTP to support POP3 or IMAP4 clients)
  • Firewall zone — this zone is separate and distinct from the other zones, since it has the largest “attack surface”, representing all users on the Internet

Using this model, how many host servers do we require? Since there are 4 security zones, we use 4 different host servers. The goal is to keep high value assets in the relatively lower risk security zones from being put at risk by VMs in the higher risk security zones. In this way, an attack on a VM located on the public access DMZ host machine does not put the VMs on the network services segment host machine at risk.

Keep in mind that we still need to segment these security zones from one another in the same way we did with our non-virtualized environment. What this means is that while we’ve consolidated all the servers located in each zone onto one or more physical host machines, we still need inline network security devices (which can be VMs on separate host machines if you like) to provide network level access controls between the zones. Virtualization doesn’t add any “magic security sauce” to the equation — the same principles of network security and zone segmentation apply. A possible exception to this rule is when you’re using IPsec server and domain isolation to create “virtual” network segments, but that’s another story for a different day.

Most importantly, this answers the question as to whether or not you should run network security devices in a VM. The answer is yes, there’s no problem putting network security devices such as firewalls, remote access VPN servers and SSL VPN gateways in virtual machines, but you have to make sure that you put all of these “edge” devices on a host separate from hosts containing virtual machines belonging to other security zones.
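As an added illustration (not code from the original post), here is a small inventory check that enforces the two rules just described: every physical host carries VMs from exactly one security zone, and a host carrying an edge security device carries nothing else. The inventory, host names and zone names are constructed for the example.

```python
"""Inventory check for the one-security-zone-per-host rule (added example).

Each record names the VM, the physical host it runs on, its security zone,
and whether it is an inline network security device (firewall, VPN gateway).
"""
from collections import defaultdict

# Constructed inventory using the four zones from the post: network services,
# anonymous DMZ, authenticated DMZ and the firewall zone.
INVENTORY = [
    {"vm": "dc01",       "host": "hostA", "zone": "network-services", "security_device": False},
    {"vm": "exch-be01",  "host": "hostA", "zone": "network-services", "security_device": False},
    {"vm": "www01",      "host": "hostB", "zone": "anon-dmz",         "security_device": False},
    {"vm": "smtp-edge1", "host": "hostB", "zone": "anon-dmz",         "security_device": False},
    {"vm": "exch-cas01", "host": "hostC", "zone": "auth-dmz",         "security_device": False},
    {"vm": "fw01",       "host": "hostD", "zone": "firewall",         "security_device": True},
    # Two deliberate violations: an SSL VPN gateway on the back-end host, and a
    # non-security VM sharing the firewall host.
    {"vm": "sslvpn01",   "host": "hostA", "zone": "firewall",         "security_device": True},
    {"vm": "mgmt01",     "host": "hostD", "zone": "firewall",         "security_device": False},
]


def minimum_hosts(inventory):
    """One physical host per distinct security zone, as the post prescribes."""
    return len({rec["zone"] for rec in inventory})


def find_violations(inventory):
    """Return findings as strings; an empty list means the layout is compliant."""
    zones_on_host = defaultdict(set)
    vms_on_host = defaultdict(list)
    for rec in inventory:
        zones_on_host[rec["host"]].add(rec["zone"])
        vms_on_host[rec["host"]].append(rec)

    findings = []
    for host in sorted(zones_on_host):
        zones = zones_on_host[host]
        # Rule 1: a host carries VMs from exactly one security zone.
        if len(zones) > 1:
            findings.append(f"{host}: mixes zones {sorted(zones)}")
        # Rule 2: a host carrying an edge security device carries nothing else,
        # so the device never shares hardware with another zone's workloads.
        devices = [r["vm"] for r in vms_on_host[host] if r["security_device"]]
        others = [r["vm"] for r in vms_on_host[host] if not r["security_device"]]
        if devices and others:
            findings.append(
                f"{host}: security device(s) {devices} share the host with {others}")
    return findings
```

Running `find_violations(INVENTORY)` reports hostA twice (mixed zones and a co-resident VPN gateway) and hostD once; removing the two offending records yields an empty list.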

But sometimes a picture is worth a thousand words. Christofer Hoff in his blog entry regarding virtualizing security appliances at http://rationalsecurity.typepad.com/blog/2008/08/f...t.html sums up the entire issue with this picture:

The only thing I would change here is that the top line should read “Every time you deploy a security virtual appliance on the same host as non-security virtual machines….”

HTH,

Tom


Microsoft Forefront "Stirling" — Integrated Security Configuration and Response Platform

What is Stirling? Forefront codename “Stirling” is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging and collaboration applications, and the network edge that is easier to manage and control.

At release, “Stirling” will include:

  • A single management console and dashboard for security configuration and enterprise-wide visibility.

  • The next-generation versions of Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint, and Internet Security and Acceleration Server (to be renamed Forefront Threat Management Gateway).

Microsoft has published a FAQ on “Stirling” that has information you’ll want to know about. After reading the FAQ, I’m sure you’ll want to download the trial software and give it a go. Check out the FAQ at:

http://www.microsoft.com/forefront/stirling/en/us/...q.aspx

Download the Stirling software at:

http://technet.microsoft.com/en-us/evalcenter/cc33...9.aspx

You can also download preconfigured virtual machines with the “Stirling” software so that you can more quickly get up to speed on what “Stirling” has to offer. The VM download link is on the same page.

HTH,

Tom


Building an Enterprise Root Certification Authority in Small and Medium Businesses

I notice that a lot of small and midsized businesses do not take advantage of the security benefits of putting together a Public Key Infrastructure, or PKI. A PKI allows you to take advantage of digital certificates, which can be used to secure your network in a number of ways: for IPsec server and domain isolation, for NAP with HRA and IPsec enforcement, for securing your email messages, for securing connections to your Web sites, and for encrypting files on your hard disk. And that’s just a small sample of the things you can do with digital certificates.

However, in order to gain these benefits, you need to set up a PKI. The good news is that it’s really not that hard. I found a great article to get the small and medium sized business admin up to speed on putting together a PKI. As they explain:

“After you complete these steps, your network will include an enterprise root CA and you will have access to all of the certificate templates available by using the Certificate Templates snap-in. In addition, client autoenrollment will strengthen authentication for your wireless users by requiring them to use digital certificates during the authentication process. Autoenrollment can make this requirement virtually transparent to users by enabling them to automatically request certificates, retrieve issued certificates, and renew expiring certificates. You can also broaden the protection the Windows Server 2003 PKI provides to your network by expanding your use of the PKI to support additional applications such as digital signatures, IPSec, and so on, that were mentioned earlier.”

I think you’ll get a lot out of this article and you’ll learn key PKI concepts without having to deal with the sometimes arcane terminology used in the PKI business. Check it out at:

http://technet.microsoft.com/en-us/library/cc700804.aspx

HTH,

Tom


Forefront Security for Office Communication Server Beta Now Available

A couple of years ago there was information on the www.microsoft.com site about a Forefront Security product for Office Communications Server (OCS). Then for some reason, all references to this product disappeared. I thought that maybe Microsoft decided to ditch the Forefront for OCS product and move on to something else. Well, the good news is that I was wrong!

A beta version of Forefront for OCS is now available. Its features include:

  • Multiple anti-malware scanning engines provide better protection
  • Keyword filtering and file blocking reduce liability
  • Integration with Office Communications Server
  • Integration with multiple server roles
  • Provides protection for federated connections and public IM users
  • Localization

For more information, check out the Forefront Team Blog at:

http://blogs.technet.com/forefront/archive/2008/06...e.aspx

HTH,

Tom


The Microsoft Extended Security Update Inventory Tool

The SMS Extended Security Update Inventory Tool is a scan tool built for the sole purpose of helping customers identify SMS client computers that may need security updates that are not detectable using the existing SMS Security Update Inventory Tool built on MBSA. Like the SMS Software Update Inventory Tool, this tool also includes instructions for locating each applicable update, downloading it from Microsoft, and deploying it using SMS. The SMS Extended Security Update Inventory Tool is built on Enterprise Scan Tool (EST) detection technology. For more information about the exact detection capabilities of EST and how it differs from MBSA, see Microsoft Knowledge Base Article 894193 (http://support.microsoft.com/kb/894193). For more information on the SMS Extended Security Update Inventory Tool, please see the included user guide and release notes.

For more information, check out:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom


Windows Defender Support and Training

It never hurts to help our end users get smarter. While user education is far from a panacea, it is an important part of a strong defense in depth plan. To this end, Microsoft has provided us with the Windows Defender Support and Training page. Check it out at:

http://www.microsoft.com/windows/products/winfamil...t.mspx

There you will find demos, tutorials and information that helps users of all kinds to get up to speed with the Windows Defender anti-malware solution.

HTH,

Tom


Vista Confirms Microsoft Security Professionals’ Opinion of the Browser Service

Windows Vista confirms what most Microsoft security professionals think of the Windows browser service:

:)

HTH,

Tom


Microsoft Forefront Client Security Enterprise Manager

Forefront Client Security (FCS) Enterprise Manager is a tool that will allow customers to centrally report on events across multiple event logging & reporting servers (collection servers). This tool enables a Forefront Client Security management console to provide centralized management and reporting across multiple FCS deployments (i.e. enable hierarchical management). By using this, customers will be able to:

  • Easily deploy FCS policy to the entire organization.
  • Centrally view & administer alerts collected by multiple event logging servers.
  • Use a single dashboard to monitor the security state of the entire enterprise.
  • Review unified reports to assess the current and historical security state of the entire enterprise.

Download the Forefront Client Security Enterprise Manager at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom


Microsoft Forefront Virtual Labs

Want to know more about Microsoft Forefront security products and how they can be used to protect your networked clients and servers? One great way to do this is to use virtual labs. Each lab is about 90 minutes and there’s no setup required. Just start the lab, read the manual and have at it!

Check out these virtual labs for Forefront products:

HTH,

Tom

