Export (0) Print
Expand All

Reducing the attack surface

To further secure a computer running Microsoft Forefront Threat Management Gateway, apply the principle of reduced attack surface. To reduce the breadth of your attack surface, follow these guidelines:

  • Do not run unnecessary applications and services on the Forefront TMG computer.
  • Disable Forefront TMG features that you do not use. For example, if you do not require caching, disable caching. If you do not require the VPN functionality of Forefront TMG, disable VPN client access.
  • Identify those services and tasks not critical to how you manage your network, and then disable the associated system policy rules.
  • Limit the applicability of the system policy rules to required network entities only. For example, the Active Directory system policy configuration group, which is enabled by default, applies to all computers on the Internal network. You could limit this to apply only to a specific group of computers on the Internal network in Active Directory.

The following sections describe how you can reduce the attack surface of the Forefront TMG computer.

Depending on your specific networking needs, you may not require the entire set of features included in Forefront TMG. You should carefully consider your specific needs and determine whether you need the following:

  • VPN client access
  • Caching
  • Web proxy
  • Add-ins

If you do not require a specific feature, disable that feature.

VPN client access

VPN client access is disabled by default. This means that the relevant system policy rule, named Allow VPN client traffic to Forefront TMG, is also disabled. The default network rule, named VPN Clients to Internal Network, is enabled, even when VPN client access is disabled. If VPN client access is currently enabled, you can disable it, if it is not required.

  1. In the Forefront TMG Management console tree, click the Virtual Private Networks (VPN) node.

  2. In the details pane, click the VPN Clients tab, and then click Verify VPN Properties.

  3. On the General tab, verify that Enable VPN client access is not selected.

Caching is disabled by default. This means that all relevant caching features, including scheduled content download, are disabled. If caching is currently enabled for Forefront TMG, you can disable it.

  1. In the Forefront TMG Management console tree, click the Web Access Policy node.

    In the details pane, if Web Caching is set to Enabled or if you configured a cache drive, do the following:

    1. On the Tasks tab, click Configure Web Caching.
    2. On the Cache Drives tab, select the Forefront TMG computer and click Configure.
    3. Select each drive for which the value in the Cache Size column is not 0 and then click Reset.
    4. Click OK.

The Forefront TMG Web proxy is enabled by default and is the basis of one of the central deployment scenarios of Forefront TMG. We recommend that you disable Web proxy in scenarios in which the Web proxy is not used.

The following is a listing of scenarios in which Forefront TMG does not use the Web proxy:

  • Forefront TMG is used only for VPN connections.
  • There is no requirement for the following additional Forefront TMG features:
    • Caching
    • HTTP compression
    • Application-layer filtering
  • There is another Forefront TMG computer providing Web proxy services.

To disable the Web proxy on a Forefront TMG computer, you need to create a new protocol with TCP port 80 and verify that Web Proxy Filter is not selected for the new protocol. When you create an access rule to allow HTTP traffic with the new protocol, the following applies:

  • Users must have a default gateway properly defined or use the Firewall Client.
  • Name resolution must be properly defined.
  • Web proxy settings must be cleared.

To re-enable the Web proxy, use the original HTTP protocol that Forefront TMG creates during setup in any access rule.

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. In the details pane, click the Toolbox tab, and then click Protocols.

  3. Click New and select Protocol.

  4. On the Welcome page of the New Protocol Definition Wizard, in Protocol definition name, type HTTP1.

  5. On the Primary Connection Information page, click New, type 80 in the From and To fields, and then click OK.

  6. Do not define any secondary connections.

  7. Click Finish to complete the wizard.

    Cc995072.note(en-us,TechNet.10).gifNote:
    Do not bind the Web Proxy Filter to the protocol created because this will enable the Web proxy.

When you install Forefront TMG, a suite of application filters and Web filters are also installed. You can subsequently install additional add-ins provided by third-party vendors. Follow these security guidelines:

  • Do not install application filters or Web filters that you do not require.
  • Never install a filter from an untrusted source.
  • Save the dynamic-link library (DLL) associated with the add-in in a protected folder (for example, %ProgramFiles%\Microsoft Forefront TMG). Be sure to configure strict access control lists (ACLs) for this folder.
  • Disable application and Web filters that you do not require.

  1. In the Forefront TMG Management console tree, click the System node.

  2. In the details pane, click the Application Filters tab if you want to disable an application filter, or click the Web Filters tab if you want to disable a Web filter.

  3. In the details pane, select the applicable add-in.

  4. On the Tasks tab, click Disable Selected Filters.

Forefront TMG includes a default system policy configuration, which allows use of services commonly required for the network infrastructure to function properly.

In general, from a security perspective, we strongly recommend that you configure the system policy so that access to services that are not required to manage your network is not allowed. After installation, carefully review the system policy rules. Similarly, after you perform major administration tasks, review the system policy configuration again.

The following sections describe services that are enabled by system policy rules.

For more information about system policy configuration, see About system policy.

Network services

When you install Forefront TMG, basic network services are enabled. After installation, Forefront TMG can access name resolution servers and time synchronization services on the Internal network.

If the network services are available on a different network, you should modify the applicable configuration group sources to apply to the specific network. For example, suppose the Dynamic Host Configuration Protocol (DHCP) server is not located on the Internal network, but on a perimeter network. Modify the source for the DHCP configuration group to apply to that perimeter network.

You can modify the system policy so that only particular computers on the Internal network can be accessed. Alternatively, you can add additional networks if the services are found elsewhere.

The following table shows the system policy rules that apply to network services.

Configuration group Rule name Rule description

DHCP

Allow DHCP requests from Forefront TMG to all networks

Allow DHCP replies from DHCP servers to Forefront TMG

Allows the Forefront TMG computer to access any network by using DHCP (reply) and DHCP (request).

DNS

Allow DNS from Forefront TMG to selected servers

Allows the Forefront TMG computer to access all networks by using the Domain Name System (DNS) protocol.

NTP

Allow NTP from Forefront TMG to trusted NTP servers

Allows the Forefront TMG computer to access the Internal network by using the NTP (UDP) protocol.

DHCP

If your DHCP server is not located on the Internal network, you must modify the system policy rule so that it applies to the network on which the DHCP server is located. For example, if the DHCP server is located on the External network, perform the following procedure.

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click DHCP.

  4. On the From tab, click Add, select External, click Add, and then click Close.

  5. Select Internal and then click Remove.

  6. Click OK.

Authentication Services

One of the fundamental capabilities of Forefront TMG is the ability to apply a firewall policy to specific users. When a policy applies to a specific group of users, all users must be authenticated to determine their identity. To authenticate users, however, Forefront TMG must be able to communicate with authentication servers. For this reason, by default, Forefront TMG can communicate with Active Directory servers (for Windows authentication) and with RADIUS servers located on the Internal network.

The following table shows the system policy rules that apply to authentication services. You can disable the rules for types of authentication that are not being used.

Configuration group Rule name Rule description

Active Directory

Allow access to directory services for authentication purposes

Allow RPC from Forefront TMG to trusted servers

Allow Microsoft CIFS from Forefront TMG to trusted servers

Allow Kerberos authentication from Forefront TMG to trusted servers

Allows the Forefront TMG computer to access the Internal network by using various LDAP protocols, the remote procedure call (RPC) (all interfaces) protocol, various Microsoft common Internet file system (CIFS) protocols, and various Kerberos protocols, by using the Active Directory directory service.

RSA SecurID

Allow SecurID authentication from Forefront TMG to trusted servers

Allows the Forefront TMG computer to access the Internal network by using the RSA SecurID protocol.

RADIUS

Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers

Allows the Forefront TMG computer to access servers in the Internal network by using various RADIUS protocols.

Certificate Revocation List (CRL) Download

Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)

Allows all HTTP traffic from Forefront TMG to all networks for downloading updated certificate revocation lists (CRLs).

DCOM

If you require use of the DCOM protocol—for example, to remotely manage the Forefront TMG computer—be sure that you do not select Enforce strict RPC compliance.

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">

    On the Tasks tab, click Edit System Policy.

  • In System Policy Editor, in the Configuration Groups tree, click Active Directory.

  • Verify that Enforce strict RPC compliance is not selected.

  • Click OK.

  • Cc995072.note(en-us,TechNet.10).gifImportant:
    DCOM is often required for various services, including remote management and certificate auto-enrollment.

    Windows and RADIUS authentication

    If you do not require Windows authentication or RADIUS authentication, you should perform the following steps to disable the applicable system policy configuration groups.

    1. In the Forefront TMG Management console tree, click the Firewall Policy node.

    2. On the Tasks tab, click Edit System Policy.

    3. In System Policy Editor, in the Configuration Groups tree, click Active Directory.

    4. On the General tab, verify that Enable this configuration group is not selected.

      Cc995072.note(en-us,TechNet.10).gifNote:
      When you disable the Active Directory system policy configuration group, access to all LDAP protocols is no longer allowed. If you require the LDAP protocols, create an access rule allowing use of these protocols.
    5. Repeat step 3 and step 4 for the RADIUS configuration group.

    6. Click OK.

      Cc995072.note(en-us,TechNet.10).gifImportant:
      If you require only Windows authentication, be sure to disable the use of all other authentication mechanisms in the system policy.

    RSA SecurID

    Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, be sure to enable this configuration group.

    CRL download

    Certificate revocation lists (CRLs) cannot be downloaded by default. This is because the CRL Download configuration group is not enabled by default.

    1. In the Forefront TMG Management console tree, click the Firewall Policy node.

    2. On the Tasks tab, click Edit System Policy.

    3. In System Policy Editor, in the Configuration Groups tree, click CRL Download.

    4. On the General tab, verify that Enable this configuration group is not selected.

    5. On the To tab, select the network entities from which CRLs can be downloaded.

    6. Click OK.

    Cc995072.note(en-us,TechNet.10).gifImportant:
    The most common way to download CRLs is over HTTP. Therefore, when the CRL Download configuration group is enabled, all HTTP requests will be allowed from the Local Host network (the Forefront TMG computer) to network entities listed on the To tab. If your certificates require another protocol to download the CRLs, you need to create an access rule for these protocols.

    Remote management

    Remote logging and monitoring

    Diagnostic services

    Scheduled download jobs

    Allowed sites

    Was this page helpful?
    (1500 characters remaining)
    Thank you for your feedback
    Show:
    © 2014 Microsoft