Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive

Adwait Joshi, Sr. Product Manager
Jim Harrison, Program Manager
Microsoft Corporation

SESSION CODE: SIA308


Agenda

• Business Ready Security
• TMG New Features - overview
• Deep Dives with Troubleshooting
  • URL Filtering
  • Malware Inspection
• Summary

Forefront TMG Administrator’s Companion

ANNOUNCING

20% off at the Tech Ed Bookstore!!

Business Ready Security

Help securely enable business by managing risk and empowering people, across on-premises & cloud.

From: Block, Cost, Siloed
To: Enable, Value, Seamless

• PROTECT everywhere, ACCESS anywhere: protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere
• INTEGRATE and EXTEND security across the enterprise
• SIMPLIFY the security experience, MANAGE compliance

Built on a Highly Secure & Interoperable Platform and on Identity.

Secure Endpoint Solution

• Provides unified administration for desktop management and protection

• Increases visibility of potentially vulnerable desktops

• Uses existing System Center Configuration Manager infrastructure

• Builds on and extends Windows security

• Enables multi-layered antimalware protection

• Protects critical data wherever it resides

• Provides more secure always-on access

New Forefront Threat Management Gateway 2010

• Comprehensive Web Security: enables employees to safely use the Internet without worrying about malware and other threats.
• Next Generation of ISA Server: includes and improves proven network protection technologies of ISA 2006.

TMG Enhancements

• Secure Web Access: HTTP Anti-virus/spyware; URL Filtering; HTTPS forward inspection
• Firewall: VoIP traversal (SIP); Enhanced NAT; ISP Link Redundancy; Logging Improvements; Updated firewall client; NDIS Filter (Layer-2)
• E-mail Protection: Exchange Edge/FPE integration; Anti-Virus; Anti-spam; Array-based Mgmt
• Intrusion Prevention: Network Inspection System (GAPA); Flood Mitigation
• Remote Access: NAP integration with VPN role; Supports SSTP VPN
• Deployment & Management: Scenario UI & Wizards; Mixed Arrays; Enhanced reporting; W2K8 R1 SP2 or R2, native 64-bit
• Web Protection: Subscription Svcs (HTTP: AV+URL Filtering; Email: AV+Anti-Spam); NIS signatures

TMG Deployment Scenarios

• Secure Web Gateway: Authenticating proxy with security; Web Anti Malware and URL filtering; Inspection of HTTP and HTTPS traffic
• Unified Threat Management (UTM): All-in-one solution for medium businesses and for branch offices; Firewall, Proxy, VPN, IPS, Email relay in a single box
• Remote Access Gateway: Dial-in VPN; Site to site VPN; Secure Web Publishing
• Secure Email Relay Management: Anti Spam; Anti Virus; Email Filtering

URL Filtering

DEMO

URL Filtering request flow (diagram; step numbers 1-12 not recoverable from the extracted text)

Components: Firewall Service, Web Proxy Engine (listeners 10.10.0.1:8080 and 127.0.0.1:8080), MRS Cache, WWSAPI, WinHTTP, MRS, WebSvr.

Log filter = URL contains mrs.microsoft.com

• Client request: GET HTTP://my.kitty.cat.com/calico?gimmenow
• In MRS Cache? Keys tried, most specific first: HTTP://my.kitty.cat.com/calico?gimmenow, HTTP://kitty.cat.com/calico?gimmenow, HTTP://cat.com/calico?gimmenow, HTTP://com/calico?gimmenow. Nope…
• SOAP Request from WWSAPI, via WinHTTP, to HTTPS://10.ds.mrs.microsoft.com
• WinHTTP: CONNECT 10.ds.mrs.microsoft.com:443 through the Web Proxy Engine, then POST HTTPS://10.ds.mrs.microsoft.com inside the WinHTTP SSL Tunnel
• SOAP Response (URL Categories) returned WinHTTP -> WWSAPI and stored in the MRS Cache
• Outcome for the client: 200 OK, or 403 with error 12233 (blocked by URL filtering)
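The cache lookup order in the diagram, as an added example (not TMG code and not from this deck): keys are derived from the requested URL by dropping one leading host label per round, and an answer cached under a coarser key serves later requests for sibling hosts without another SOAP round trip. The cache layout, the TTL and the in-memory FAKE_MRS table are assumptions made for the example.

```python
import time
from urllib.parse import urlsplit


def lookup_keys(url: str) -> list[str]:
    """Keys tried against the MRS cache, most specific first: the full host, then the
    host with its leftmost label removed each round; scheme, path and query are kept."""
    p = urlsplit(url)
    tail = p.path + (f"?{p.query}" if p.query else "")
    labels = p.hostname.split(".")
    return [f"{p.scheme.upper()}://{'.'.join(labels[i:])}{tail}" for i in range(len(labels))]


class MrsCache:
    """In-memory category cache keyed by the strings lookup_keys() produces (assumed layout)."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl, self.clock, self._items = ttl_seconds, clock, {}

    def get(self, url: str):
        """Return (key, categories) for the first cached, unexpired key, else None."""
        for key in lookup_keys(url):
            hit = self._items.get(key)
            if hit and hit[0] > self.clock():
                return key, hit[1]
        return None

    def put(self, key: str, categories: list[str]) -> None:
        self._items[key] = (self.clock() + self.ttl, categories)


# Constructed stand-in for the reputation service: categories by key, no network involved.
FAKE_MRS = {"HTTP://cat.com/calico?gimmenow": ["Pets"]}


def categorize(url: str, cache: MrsCache, mrs_lookups: list[str]) -> list[str]:
    """Serve from cache when possible; otherwise 'query MRS' once and cache the answer
    under the key MRS matched, so later sub-host requests are cache hits."""
    hit = cache.get(url)
    if hit:
        return hit[1]
    mrs_lookups.append(url)  # one outbound SOAP request per cache miss
    for key in lookup_keys(url):
        if key in FAKE_MRS:
            cache.put(key, FAKE_MRS[key])
            return FAKE_MRS[key]
    cache.put(lookup_keys(url)[0], ["Uncategorized"])
    return ["Uncategorized"]
```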

Problem Areas

• Firewall Policies (rule ordering)
• WPS License Expired
• Users Don't Read The Error Page (12233.htm, 12233r.htm)
• CRL Validation
• Name Resolution
• Network WPAD Configuration
• WinHTTP Auto-Discovery
• WinHTTP Proxy Settings

First TMG RFC was for URL Filtering (MRS Queries)

A Real CSS Call: Too Much MRS Traffic (~1GB/day)

What Did We Know?
• TMG logs verify the complaint
• LOTS of failed attempts to communicate with MRS
• LOTS of WPAD requests from TMG itself

Real case request flow (diagram)

• TMG tells WWSAPI to use localhost:8080
• WWSAPI tells WinHTTP to use localhost:8080
• GET HTTP://my.kitty.cat.com/calico?gimmenow triggers a SOAP Req to HTTPS://10.ds.mrs.microsoft.com (WWSAPI -> WinHTTP)
• POST HTTPS://10.ds.mrs.microsoft.com (shown twice in the diagram; WinHTTP -> WWSAPI)

What Did We Need?
• Web Services behavioral data (tracing)
• WinHTTP Proxy configuration (netsh winhttp sho pro)
• WinHTTP behavioral data (tracing)
• NetCaps

Web Services Tracing

Requires Windows SDK: http://www.microsoft.com/downloads/details.aspx?FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505

Use it like unto thusly:
1. Click Start, All Programs, Microsoft Windows SDK v7.0
2. R-click CMD Shell and select "Run as Administrator" (elevated).
3. Run the following sequence of commands:
   1. wstrace.bat create verbose
   2. wstrace.bat on
   3. create the repro
   4. wstrace.bat dump > C:\Temp\wwstraces.csv

WinHTTP Tracing

Requires Nothing Extra..so we have no link; sorry…

Use it like unto thusly:
1. Click Start, All Programs, Accessories
2. R-click Command Prompt and select "Run as Administrator" (elevated).
3. Run the following commands:
   1. netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled
   2. create the repro
   3. netsh winhttp set tracing state=disabled

Do It All Together
1. Click Start, All Programs, Microsoft Windows SDK v7.0
2. R-click CMD Shell and select "Run as Administrator" (elevated).
3. Run the following commands:
   netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled
   wstrace.bat create verbose
   wstrace.bat on
4. Create the repro
5. Run the following commands:
   netsh winhttp set tracing state=disabled
   wstrace.bat dump > C:\Temp\wwstraces.csv

Real Case Discussion

DEMO

Telemetry: Another MRS Request

• Same mechanism as MRS Lookups
• FQDN is 10. s.mrs.microsoft.com
• Amount of data sent depends on participation
• Same problem areas as URLF, except not (entirely) user-driven
• Need to scan logs for problems

Update Center (diagram; step numbers 1-9 not recoverable from the extracted text)

Components: TMG Update Agent, WUA API, WinHTTP, WinHTTP WPADSvc, WU Config, WSUS or MU.

• Update source selection: Computer Default, WSUS or MU (GP, Registry), or Default + MU
• Content fetched: MS Updates

WSUS Product Classifications for Forefront TMG

• Anti-Malware
• Network Inspection System

What Do We Need?
• Windows Automatic Update Agent configuration (MSKB 328010) and behavioral data (logging)
• WinHTTP configuration (netsh winhttp sho pro) and behavioral data (tracing)


WAUA Logging / Configuration

Requires Nothing Extra; MSKB 902093 describes it

Use it like unto thusly:
1. Press the Start and R keys simultaneously
2. In the Run dialog, type notepad %windir%\windowsupdate.log and hit <Enter>

Update Center Configuration

http://blogs.technet.com/isablog/archive/2009/11/28/using-windows-server-update-service-for-the-tmg-update-center.aspx

Anti-Malware

DEMO

Malware Inspection (diagram)

Request path: Firewall Service -> Web Proxy Filter -> Malware Inspection Filter. Block result: 502; 12210.

Malware Inspection Filter settings:
• Trickling
• Content-Type Exceptions
• Scanning Location: high R/W capacity; DO NOT mix with logging or OS
• Cleaning / Blocking thresholds: Threat level, Suspicious, Corrupted, Unscannable, Encrypted, Scan Time, Archive depth, Pre-/Post-unpacked size

TMG Log Summary

Failed Connection Attempt TMG-01 2/3/2010 7:21:23 AM

TMG Log Details

Log type: Web Proxy (Forward)
Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.
Rule: Allow Web Access for parent
Source: Internal (10.10.255.1:49226)
Destination: External (188.40.238.250:80)
Request: GET http://www.eicar.org/download/eicar.com
Filter information: Req ID: 09906bf2; Compression: client=No, server=Yes, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous

Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40800000 (Response includes the LAST-MODIFIED header. Response should not be cached.)
Processing time: 390
MIME type: application/x-msdos-program

Problem Areas

• Update Center Configuration
• WPS License Expired
• WSUS / MU Configuration
• WinHTTP Auto-Discovery
• WinHTTP Proxy Settings
• Users Don't Read The Error Page (12210.htm, 12210r.htm)
• No CSS cases (yet)
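Log triage for the symptoms this deck relies on (the "too much MRS traffic" case, the telemetry slide's "need to scan logs", and the 12210/12233 block pages), as an added example that is not TMG code and not from this deck. The pipe-delimited log layout, the sample records and the verdict thresholds are constructed for the example; the proxy's own addresses come from the flow diagram.

```python
from collections import Counter

TMG_SELF = {"10.10.0.1", "127.0.0.1"}                       # the proxy's own addresses
BLOCK_PAGES = {"12233": "12233.htm", "12210": "12210.htm"}  # URL filtering / malware inspection

# Constructed sample records: time | result | source ip | status | request
SAMPLE_LOG = """\
07:21:01 | Failed Connection Attempt | 10.10.0.1 | 0 | CONNECT 10.ds.mrs.microsoft.com:443
07:21:02 | Allowed Connection | 10.10.0.1 | 200 | GET http://wpad/wpad.dat
07:21:03 | Failed Connection Attempt | 10.10.0.1 | 0 | CONNECT 10.ds.mrs.microsoft.com:443
07:21:05 | Denied Connection | 10.10.255.1 | 12233 | GET http://my.kitty.cat.com/calico?gimmenow
07:21:23 | Failed Connection Attempt | 10.10.255.1 | 12210 | GET http://www.eicar.org/download/eicar.com
07:21:30 | Allowed Connection | 10.10.255.1 | 200 | GET http://www.microsoft.com/forefront
"""


def parse(line: str) -> dict:
    t, result, src, status, request = (f.strip() for f in line.split("|"))
    method, _, url = request.partition(" ")
    return {"time": t, "result": result, "src": src, "status": status, "method": method, "url": url}


def triage(text: str) -> dict:
    """Count MRS reachability, WPAD requests issued by TMG itself, and filter blocks
    that a user would have seen as one of the error pages."""
    s = Counter()
    for line in text.splitlines():
        r = parse(line)
        if "mrs.microsoft.com" in r["url"]:              # same filter as the demo log view
            s["mrs_total"] += 1
            if r["result"] == "Failed Connection Attempt":
                s["mrs_failed"] += 1
        if r["url"].endswith("/wpad.dat") and r["src"] in TMG_SELF:
            s["wpad_from_tmg"] += 1
        if r["status"] in BLOCK_PAGES:
            s["blocked:" + BLOCK_PAGES[r["status"]]] += 1
    return dict(s)


def verdict(stats: dict) -> list[str]:
    """Plain-language reading of the counters; the 'all failed' threshold is an assumption."""
    notes = []
    if stats.get("mrs_failed", 0) and stats["mrs_failed"] == stats.get("mrs_total"):
        notes.append("every MRS request failed: check WinHTTP proxy settings, CRL validation and name resolution")
    if stats.get("wpad_from_tmg", 0):
        notes.append("TMG is auto-discovering a proxy for itself: review WinHTTP auto-discovery and WPAD configuration")
    return notes
```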

Summary

• Web usage increasingly provides an attack vector into the corporate network
• Forefront Threat Management Gateway provides:
  • Intelligent protection to enable employees to use the Web safely and productively
  • Simplified Web security with a single solution that integrates into your Microsoft infrastructure
• Troubleshooting WPS is (now) no more difficult than any other Web request

Learn more & try our solutions at: www.microsoft.com/forefront

Related Content

• SIA320 | Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution
• SIA301 | Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution
• SIA308 | Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
• SIA309 | Secure Endpoint: What's in Microsoft Forefront Endpoint Protection 2010 - A Deep Dive into the Features and Protection Technologies
• SIA325 | Secure Endpoint: Virtualizing Microsoft Forefront Threat Management Gateway (TMG)
• SIA02-INT | Secure Endpoint: Planning DirectAccess Deployment with Microsoft Forefront Unified Access Gateway
• SIA07-INT | Secure Endpoint: Architecting Forefront Endpoint Protection 2010 on Microsoft System Center Configuration Manager
• SIA05-HOL | Microsoft Forefront Threat Management Gateway Overview
• SIA09-HOL | Secure Endpoint Solution: Business Ready Security with Microsoft Forefront and Active Directory
• SIA11-HOL | Microsoft Forefront Unified Access Gateway (UAG) and Direct Access: Better Together
• Red SIA-3 | Microsoft Forefront Secure Endpoint Solution

Track Resources

• Learn more about our solutions: http://www.microsoft.com/forefront
• Try our products: http://www.microsoft.com/forefront/trial

Resources

• www.microsoft.com/teched: Sessions On-Demand & Community
• www.microsoft.com/learning: Microsoft Certification & Training Resources
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

JUNE 7-10, 2010 | NEW ORLEANS, LA