Managing Messaging and Collaboration System Threat Protection: A Technical Dive of Forefront Server

1
Managing Messaging and Collaboration System
Threat Protection: A Technical Dive of Forefront
Server Security
Ketil Pedersen, Technology Specialist Manager
2
Agenda
  • Introduction to Forefront Server Security
    products
  • Forefront Security for Exchange Server
  • Exchange 2007 Role Support
  • Premium Anti-spam Services
  • File filtering
  • Forefront Security for SharePoint
  • SharePoint API
  • Demo
  • Closing remarks

3
Forefront System Center
IT Security
IT Management
  • Change and Configuration Management
  • Backup and Recovery
  • Virtual Machine Management
  • Systems Monitoring
  • Client Security
  • Application Server Security
  • Network Edge Security
  • Secure Remote Access

Common Management Infrastructure Platform
Simplified
Productive
Integrated
4
Microsoft Forefront Server Security includes
multiple scan engines from industry-leading
security firms, integrated in a single solution
to help businesses protect their Exchange
messaging environments from viruses, worms, and
spam and protect their Microsoft Office
SharePoint 2007 and Windows SharePoint Services
3.0 collaboration environment by eliminating
documents containing malicious code, confidential
information, and inappropriate content.
  • Ships with and manages multiple antivirus engines
  • File Filtering and premium anti-spam protection
  • File Content Keyword Filtering for SharePoint

Comprehensive Protection
  • Deep integration with platform
  • Scanning innovations and performance controls
  • Maintains uptime and optimizes performance.

Optimized Performance
  • Easily manage configuration and operation
  • Automated signature updates
  • Reporting, Notifications and Alerts

Simplified Management
5
Server Security Product Roadmap
Previous Versions
Current
2007
SP1
Microsoft
Antigen
Messaging Security Suite
SP1
6
Comprehensive Protection
7
Harnessing the Strength of Multiple Engines
  • Forefront Server Security products integrate and
    ship with industry-leading antivirus scan engines
    from
  • Each scan job in a Forefront Server Security
    product can run up to five engines simultaneously

8
The Multiple Engine Advantage
  • Rapid response to new threats
  • Fail-safe protection through redundancy
  • Diversity of anti-virus engines and heuristics

1 AVTest.org, 2006
9
Optimized Performance
10
Optimized Performance Controls
Engines used are not always the same. They are
dynamically allocated from the available pool.
Bias
  • Max Certainty uses all engines (100%)
  • Favor Certainty uses all available engines
  • Neutral uses approximately 50% of available
    engines
  • Favor Performance uses 25% of available
    engines
  • Max Performance uses one engine for
    every scan
11
Optimized Performance Controls
Engines used are not always the same. They are
dynamically allocated from the available pool.
Bias
  • Max Certainty uses all engines (100%)
  • Favor Certainty uses all available engines
  • Neutral uses approximately 50% of available
    engines
  • Favor Performance uses 25% of available
    engines
  • Max Performance uses one engine for
    every scan
12
Simplified Management
13
Forefront Server Security Management Console
Features
  • Central management console
  • Deploys and configures Forefront/Antigen Security
    for Exchange and SharePoint environments
  • Automates signature updates across the
    enterprise
  • Scans for and pulls updates for multiple
    antivirus engines
  • Distributes updates to all Forefront/Antigen
    servers

14
Forefront Server Security Management Console
Features
  • Comprehensive reporting
  • Detected viruses, keyword filters or file
    filters
  • Actions taken by Forefront/Antigen on detection
    of a virus or content violation
  • Message traffic activity
  • Antivirus engine versions
  • Outbreak alerts
  • SNMP and SMTP alerts sent when
    administrator-defined thresholds for viruses,
    file and content filters are exceeded
  • Alerts can be forwarded to Microsoft Operations
    Manager

15
Notifications and Reporting
16
Integrated Management: Forefront Management Pack
  • Over 100 Events, Performance Counters, and
    Services Monitored
  • Monitors the state of Forefront.
  • Collects statistical data on scanning, detection,
    and removal of messages and attachments
  • Polls Forefront Services - Provides timed events
    to poll systems for critical process health
  • Key Tasks
  • Triggers scan engine updates
  • Centralizes storage and deployment of license
    files
  • Imports, exports and deploys setting changes
  • Initiates and/or schedules manual scan jobs
  • Starts/Stops control of Forefront services

17
Forefront Security for Exchange Server
18
Exchange 2007 Enterprise Topology
Enterprise network
Other SMTP Servers
INTERNET
Edge Transport
Hub Transport
  • Routing
  • Hygiene
  • Routing
  • Policy

PBX or VoIP
Unified Messaging
  • Applications
  • OWA
  • Protocols
  • ActiveSync, POP, IMAP, RPC / HTTP
  • Programmability
  • Web services,
  • Web parts
  • Voice Messaging
  • Fax

Mailbox
  • Mailbox

Public Folders
Client Access
19
Email Transport Scanning
  • New intelligent scanning does not scan email that
    has already been scanned
  • By default, email scanned at Edge Transport or
    Hub Transport does not get scanned again when
    routed or deposited into mailboxes
  • Minimizes AV scanning overhead to maximize mail
    system performance
  • Significantly reduces scanning impact at the
    store
  • Can be turned off to allow scanning at all points

20
Transport Scanning: Inbound Mail
Edge Server
Hub Role
Mailbox Role
INTERNET
SCAN and STAMP
NO SCAN
NO SCAN
Client
Mailbox Role
  • Mail scanned only once at the Edge
  • Saves processing load on Hub and Mailbox servers

Public Folder
21
Transport Scanning: Internal Mail
Edge Server
Hub Role
Mailbox Role
NO SCAN
NO SCAN
SCAN and STAMP
Client
  • Internal mail is routed through Hub role
  • Proactive scanning at the Mailbox server (store)
    is turned off by default
  • Saves processing load on Mailbox servers

Mailbox Role
NO SCAN
Public Folder
22
Mail Store Scanning: Multiple Options
  • Standard mode
      • Background Scan to sweep the store once each
        day, scanning only the most vulnerable files
      • On-access protection for unscanned mail
  • Outbreak mode
      • Re-scan on access whenever scan engines update
  • Ultimate security mode
      • Scan on submission to store
      • Re-scan on access whenever scan engines update
      • Continuous background scan with new signatures

23
Incremental Background Scanning
  • Ability to scope background scanning allows for
    daily sweep of store with latest updates
  • Scan only messages delivered in the past
      • 4, 6, 8, 12, 18 hours
      • 1, 2, 3, 4, 5, 7, 30 days
  • Combines security and performance
      • The most dangerous messages are scanned
      • The bulk of the store does not get scanned
        repeatedly for no reason

24
Premium Anti-spam Protection
  • Forefront Security for Exchange Server licenses
    and activates the premium anti-spam features for
    Exchange 2007
  • Deployed on Exchange Edge or Hub server role
  • Edge server can be deployed in front of Exchange
    2003 mailboxes
  • Built upon base anti-spam in Exchange 2007,
    premium anti-spam protection adds:
      • Microsoft IP reputation filter service and
        automated updates
      • Automated updates for Microsoft Smartscreen
        spam heuristics, phishing Web sites and
        Intelligent Message Filter (IMF)
      • Targeted spam signature data and automatic
        updates to identify latest spam campaigns

25
File Filtering
  • A key part of any mail protection strategy
  • File filtering proactively blocks a specific
    range of potentially dangerous file types whether
    or not a signature exists
  • Suggested files to block: EXE, COM, PIF, SCR,
    VBS, SHS, CHM and BAT
  • Some users will block the same file types that
    are blocked by Outlook 2003
  • See Outlook online help for list

26
File Filtering: Setting up file filters
  • Forefront blocks by extension and true file type
  • Can't fool the filter by a simple change of
    extension
  • Each is configured differently
      • Use *.exe and All Types of files to block
        anything named *.exe
      • Use *.* and EXEFILE to block any executable
        file no matter what it is named

27
File Filtering: Setting up file filters
  • Search for specific files by name, e.g.
    resume.doc
  • Wildcards supported, e.g. resume.doc
  • Each represents 250 characters
  • File filters can be Inbound or Outbound
  • .exe, .doc
  • Files can be blocked based on size, and
    size/name/type/direction combinations
  • .mp32mb
  • .mp35mb
  • .10mb

28
File Filtering Actions
  • Every filter or filter list can have a separate
    action applied, offering great flexibility
  • Skip: Detect only. Logs the event but does not
    block or alter the message
      • Not a secure setting!
      • Useful for monitoring and discovery purposes
      • Allows for pre-testing of new rules without
        end user impact
  • Delete: Remove contents. Removes the attachment
    only and replaces it with the customized
    deletion text
  • Purge: Eliminate message. Deletes both the
    attachment and the message body
      • End user receives nothing

29
File Filtering: Zip file behavior
  • Forefront scans within ZIP and other compressed
    formats, deletes only the offending file and then
    repackages the ZIP

Custom deletion text
Filter Rules Delete .exeQuarantine
Container file before scan
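
The two filtering ideas from the slides above (matching on true file type as well as extension, and removing only the offending member of a ZIP before repackaging it) are sketched below as an added Python example. It is not Forefront code: the magic-byte table, the deletion text and all function names are assumptions made for illustration, and the sample archive is constructed.

```python
import io
import zipfile

# Assumed deletion text; in the product this is administrator-configurable.
DELETION_TEXT = b"Attachment removed by file filter policy."
# Extensions suggested for blocking on the File Filtering slide.
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".vbs", ".shs", ".chm", ".bat"}


def true_type(data: bytes) -> str:
    """Classify content by leading magic bytes (small illustrative subset)."""
    if data[:2] == b"MZ":
        return "EXEFILE"  # DOS/PE executable header
    if data[:4] == b"PK\x03\x04":
        return "ZIPFILE"
    return "UNKNOWN"


def is_blocked(name: str, data: bytes) -> bool:
    """Block on extension match OR on executable content, whatever the name."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in BLOCKED_EXTENSIONS or true_type(data) == "EXEFILE"


def filter_zip(container: bytes):
    """Return (repackaged ZIP bytes, names of members that were replaced)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(container)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if is_blocked(info.filename, data):
                removed.append(info.filename)
                # Assumption: keep the member name, swap content for the notice.
                dst.writestr(info.filename, DELETION_TEXT)
            else:
                dst.writestr(info.filename, data)
    return out.getvalue(), removed


def build_sample() -> bytes:
    """Constructed sample: one clean file, one .exe, one renamed executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", b"quarterly notes")
        z.writestr("setup.exe", b"MZ\x90\x00 constructed stub")
        z.writestr("resume.doc", b"MZ\x90\x00 constructed stub")
    return buf.getvalue()
```

Running `filter_zip(build_sample())` replaces `setup.exe` (extension match) and `resume.doc` (executable content under a document name) while leaving `notes.txt` untouched in the repackaged archive.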
30
  • Real-time threat prevention features
  • Multi-layer anti-spam and anti-virus
  • Customized content and policy enforcement
  • E-mail retention for help with compliance and
    e-discovery
  • Customized report generation for help
    demonstrating compliance
  • Fully indexed, searchable archive
  • Uninterrupted e-mail accessibility
  • Rapid recovery from unplanned disasters and
    network outages
  • Thirty-day rolling historical e-mail store
  • Full e-mail encryption
  • No public and private key management
  • Gateway, policy-based e-mail encryption

31
Hosted Services Network Infrastructure
  • Hosted services provisioned across a reliable
    network infrastructure
  • SLA uptime guarantees of 99.999 percent
  • Services activated with simple mail exchange
    record redirect
  • Requires minimal IT administration; centralized
    control
  • Scalability without additional cost; can handle
    all message volume variations
  • Helps free local loop, customer's servers, and
    bandwidth from unwanted traffic
  • Delivers legitimate messages to customer's site

32
Forefront Security for SharePoint
33
Forefront Security for SharePoint
  • Virus Protection for Document Libraries
  • Real-time scanning of documents uploaded and
    downloaded from document library
  • Manual and scheduled scanning of document
    library

SQL Document Library
Document
SharePoint Server
Users
Document
  • Content Policy Enforcement
  • File filtering to block documents from being
    posted based on name match, file type or file
    extension
  • Content filtering by keywords within documents
    for inappropriate words and phrases

34
SharePoint API integration
  • Utilizes the SharePoint Virus API to scan files
    during upload and download
  • Optimized for performance in a SQL environment
  • Files are not rescanned if engines have not been
    updated
  • Up to ten simultaneous scanning threads to help
    ensure users are not delayed waiting for
    documents to scan
  • Automatic integration with SharePoint Information
    Rights Management (IRM) to scan protected files
    on the fly

35
Summary
  • Comprehensive protection
  • Optimized performance
  • Simplified management.
  • An integral part of Microsoft Forefront
  • Visit http://www.microsoft.com/infrastructure
  • Learn more about how Forefront Client Security
    fits in the Forefront System Center solution
  • Download beta/evaluation software

"Forefront works like a dream. We don't have to
do anything to it until we're ready to upgrade.
With a small IT staff, that's exactly what we
want." Alexander Fischer, Chief of IT
Infrastructure, Koehler Paper Group
"We wouldn't put anything else for e-mail
security on our Exchange Server 2007 machines.
The software is well-respected. It's been around;
it's proven." Chris Habala, Senior
Architect/Analyst, Del Monte
36
Demo: Forefront Security for Exchange Server