About system policy

System Policy

Microsoft Forefront Threat Management Gateway includes a system policy, a set of predefined firewall policy rules that control access to and from the Local Host network (the Forefront TMG computer). These rules control how the Forefront TMG firewall enables the infrastructure necessary to manage network security and connectivity. Forefront TMG is installed with a default system policy, designed to address the balance between security and connectivity.

Some system policy rules are enabled upon installation. These are considered the most basic and necessary rules for effectively managing the Forefront TMG environment. You can subsequently identify those services and tasks that you require to manage your network and enable the appropriate system policy rules.

About System Policy Rules

You use the System Policy Editor to configure the system policy rules. Within the System Policy Editor, the system policy is categorized into a set of configuration groups. The system policy rules are processed first, before any other rule. You cannot modify the order of these rules. Upon installation, the rules apply to specific networks, as listed in the table provided in System policy rules.

Limiting System Policy

After you install Forefront TMG, you can configure the system policy. You cannot delete these rules, but from a security perspective, we recommend you do the following:

  • After installation, carefully review the system policy rules configured. After you perform major administrative tasks, review the system policy configuration again.
  • Identify those services and tasks not critical to how you manage your network, and then disable the associated system policy rules.
  • In addition to disabling unnecessary system policy rules, limit the applicability of the rules to required network entities only. For example, the Active Directory directory service system policy configuration group is enabled by default and applies to all computers on the Internal network. You could limit this to apply only to a specific Active Directory group on the Internal network.

Services Enabled by System Policy

By default, the system policy allows the Microsoft Forefront Threat Management Gateway firewall to access network resources critical to the proper functioning of the firewall. Depending on your specific deployment, you may want to lock down access to some of those services.

Depending on your specific deployment and the services that you require, you will determine which system policy configuration groups should be enabled. This section describes some of these deployment considerations.

When you disable a system policy configuration group, you are not necessarily preventing use of a particular protocol. This is because the same protocol may be specified in a different rule, which is enabled by a different configuration group.

This section describes services that are enabled by system policy rules. See the System Policy Rules section for a full list of all the system policy rules.

Network Services

When you install Forefront TMG, basic network services are enabled. After installation, Forefront TMG can access name resolution servers on all networks and time synchronization services on the Internal network.

If the network services are available on a different network, you should modify the applicable configuration group sources (DHCP, DNS, or NTP) to apply to the specific network. For example, suppose the DHCP server is not located on the Internal network, but on a perimeter network. Modify the source for the DHCP configuration group (on the From tab) to apply to that perimeter network.

You can modify the system policy, so that only particular computers on the Internal network can be accessed. Alternatively, you can add additional networks if the services are found elsewhere.

Modify these configuration groups, depending on which network services you require:

  • DHCP
  • DNS
  • NTP

DHCP Services

If your DHCP server is not located on the Internal network, you will have to modify the system policy rule, so that it applies to the network on which the DHCP server is located.

Authentication Services

One of the fundamental capabilities of Forefront TMG is the ability to apply a firewall policy to specific users. To authenticate users, however, Forefront TMG must be able to communicate with the authentication servers. For this reason, by default, Forefront TMG can communicate with Active Directory servers (for Windows authentication) and with RADIUS servers located on the Internal network.

Modify these configuration groups, depending on which authentication services you require:

  • Active Directory
  • RSA SecurID
  • RADIUS
  • Certificate Revocation List

Enabling DCOM Traffic

With the Microsoft Management Console (MMC) rules enabled, remote procedure call (RPC) traffic is allowed to the Local Host network. However, by default, DCOM traffic is blocked. If you want to allow DCOM traffic, disable the Allow remote management from selected computers using MMC system policy rule. Then, create a rule allowing RPC traffic. After creating the rule, in the rule properties, configure the RPC protocol and clear the Enforce strict RPC compliance setting.

Windows and RADIUS Authentication Services

If you do not require Windows authentication or RADIUS authentication, disable the applicable system policy configuration groups.

Note

When you disable the Active Directory system policy configuration group, access to all LDAP protocols is effectively disabled. If you require the LDAP protocols, create an access rule allowing use of these protocols.

Tip

If you require only Windows authentication, be sure to configure the system policy, disabling use of all other authentication mechanisms.

RSA SecurID Authentication Services

Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, be sure to enable this configuration group.

CRL Authentication Services

Certificate revocation lists (CRLs) cannot be downloaded by default. This is because the CRL Download configuration group is not enabled by default. To enable CRL download, verify that the CRL Download configuration group (under Authentication Services) is enabled. Then, apply this configuration group to the network entities on which the certificate revocation lists are located.

All HTTP traffic will be allowed from the Forefront TMG firewall to network entities listed on the To tab.

Remote Management

Often, you will manage Forefront TMG from a remote computer. Carefully determine which remote computers are allowed to manage and monitor Forefront TMG.

Modify these configuration groups, depending on how you perform remote management:

  • Microsoft Management Console
  • Terminal Server
  • ICMP (Ping)
  • Web Management

By default, the system policy rules allowing remote management of Forefront TMG are enabled. Forefront TMG can be managed by running a remote Microsoft Management Console (MMC) snap-in or by using Terminal Services.

By default, these rules apply to the built-in Remote Management Computers computer set. When you install Forefront TMG, this empty computer set is created. Add to this empty computer set all computers that will remotely manage Forefront TMG. Until you do so, remote management is effectively not available from any computer.

Tip

Limit remote management to specific computers by configuring the system policy rules to apply only to specific IP addresses.
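The following is an added illustrative model, not Forefront TMG code and not its administration API. It shows the evaluation behaviour described on this page: system policy rules are matched first and in a fixed order, disabling a configuration group removes only that group's rules (so a protocol such as LDAP can still be allowed by another enabled rule, as the Services Enabled by System Policy section and the Note under Windows and RADIUS Authentication Services explain), and the remote-management rules apply to the Remote Management Computers computer set, which is empty after installation, so remote management matches nothing until computers are added. All addresses, entity names and rule names are constructed for the example; only the configuration group names come from the page.

```python
"""Constructed model of system policy ordering and configuration groups (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Entity:
    """A network entity (network or computer set): a list of address ranges."""
    name: str
    ranges: list = field(default_factory=list)  # ip_network objects

    def add(self, cidr: str) -> None:
        self.ranges.append(ip_network(cidr))

    def contains(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in net for net in self.ranges)


@dataclass
class Rule:
    name: str
    group: Optional[str]   # system policy configuration group; None for an access rule
    protocols: set         # protocol names, or {"*"} for all protocols
    sources: list          # Entity objects
    destinations: list     # Entity objects
    action: str = "allow"

    def matches(self, src: str, dst: str, protocol: str) -> bool:
        return (("*" in self.protocols or protocol in self.protocols)
                and any(e.contains(src) for e in self.sources)
                and any(e.contains(dst) for e in self.destinations))


@dataclass
class Policy:
    system_rules: list     # fixed order, always evaluated first
    firewall_rules: list   # administrator-ordered access rules
    disabled_groups: set = field(default_factory=set)

    def evaluate(self, src: str, dst: str, protocol: str):
        """First-match evaluation. Rules whose configuration group is disabled
        are skipped entirely. Returns (action, rule name)."""
        for rule in self.system_rules + self.firewall_rules:
            if rule.group is not None and rule.group in self.disabled_groups:
                continue
            if rule.matches(src, dst, protocol):
                return rule.action, rule.name
        return "deny", None  # implicit deny if nothing matched


def build_sample_policy():
    """Constructed sample: addresses, entity names and rule names are made up
    for this example; only the configuration group names come from the text."""
    local_host = Entity("Local Host", [ip_network("10.0.0.1/32")])
    internal = Entity("Internal", [ip_network("10.0.0.0/8")])
    all_networks = Entity("All Networks", [ip_network("0.0.0.0/0")])
    domain_controllers = Entity("Domain Controllers", [ip_network("10.0.1.5/32")])
    remote_mgmt = Entity("Remote Management Computers")  # empty after installation

    system_rules = [
        Rule("SysPol: directory services", "Active Directory",
             {"LDAP", "LDAPS", "Kerberos"}, [local_host], [internal]),
        Rule("SysPol: DNS", "DNS", {"DNS"}, [local_host], [all_networks]),
        Rule("SysPol: remote MMC", "Microsoft Management Console",
             {"RPC"}, [remote_mgmt], [local_host]),
    ]
    firewall_rules = [
        # The kind of access rule the Note suggests creating when LDAP is still
        # needed after the Active Directory group has been disabled.
        Rule("Access rule: LDAP to domain controllers", None,
             {"LDAP"}, [local_host], [domain_controllers]),
        Rule("Default rule", None, {"*"}, [all_networks], [all_networks], "deny"),
    ]
    entities = {e.name: e for e in
                (local_host, internal, all_networks, domain_controllers, remote_mgmt)}
    return Policy(system_rules, firewall_rules), entities


if __name__ == "__main__":
    policy, entities = build_sample_policy()
    print(policy.evaluate("10.0.0.1", "10.0.1.5", "LDAP"))      # system rule matches first
    policy.disabled_groups.add("Active Directory")
    print(policy.evaluate("10.0.0.1", "10.0.1.5", "Kerberos"))  # now hits the default deny
    print(policy.evaluate("10.0.0.1", "10.0.1.5", "LDAP"))      # still allowed by the access rule
    print(policy.evaluate("10.0.5.7", "10.0.0.1", "RPC"))       # empty computer set: denied
    entities["Remote Management Computers"].add("10.0.5.7/32")
    print(policy.evaluate("10.0.5.7", "10.0.0.1", "RPC"))       # allowed once the computer is added
```

Run the module directly to see the five evaluations in order. The design point is that enabling or disabling happens at the configuration group level, not the protocol level, which is why the review steps under Limiting System Policy ask you to look at every rule that carries a protocol, not only the group you expect to cover it.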

Remote Monitoring and Logging

By default, remote logging, remote performance monitoring, and remote monitoring of Microsoft Operations Manager are disabled. The following configuration groups are disabled by default:

  • Remote Logging (NetBIOS)
  • Remote Logging (SQL)
  • Remote Performance Monitoring
  • Microsoft Operations Manager

Diagnostic Services

By default, the system policy rules allowing access to diagnostics services are enabled, with the following permissions:

  • ICMP. This is allowed to all networks. This service is important for determining connectivity to other computers.
  • Windows networking. This allows NetBIOS communication, by default to computers on the Internal network.
  • Microsoft error reporting. This allows HTTP access to the Microsoft Error Reporting sites URL set in order to allow reporting of error information. By default, this URL set includes specific Microsoft sites.
  • HTTP Connectivity verifiers. This allows the Forefront TMG firewall to use HTTP and HTTPS protocols to check whether a specific computer is responsive.

SMTP

By default, the SMTP configuration group is enabled, allowing SMTP communication from Forefront TMG to computers on the Internal network. This is required, for example, when you want to send alert information in an e-mail message.

Important

We recommend that you do not enable the SMTP configuration group if you do not send alert information in an e-mail message.

Scheduled Download Jobs

By default, the scheduled download jobs feature is disabled. The Scheduled Download Jobs configuration group is disabled so long as this feature is disabled.

When you create a content download job, you will be prompted to enable this system policy rule. Forefront TMG will be able to access the sites specified in the content download job.

Accessing the Microsoft Web Site

The default system policy allows HTTP and HTTPS access from the Local Host network (that is, the Forefront TMG firewall) to the Microsoft.com Web site. This is required for a few reasons:

  • Error reporting (as described in the Diagnostic Services section)
  • Access to useful documentation on the Forefront TMG Web site and on other related Web sites

By default, the Allowed Sites configuration group is enabled, allowing Forefront TMG to access content on specific sites that belong to the System Policy Allowed Sites domain name set.

This domain name set includes various Microsoft Web sites, by default. You can modify the domain name set to include additional Web sites, which Forefront TMG will be allowed to access.

HTTP and HTTPS access will be allowed to the specified Web sites.