Managing NIS signatures

Applies To: Forefront Threat Management Gateway (TMG)

The following procedures describe how to manage NIS signatures:

  • Configuring and verifying NIS signature set downloads—Before you can use Forefront TMG to block attacks on known vulnerabilities, you must download the latest NIS signature set.

    Note

    Newly downloaded signatures are applied to new connections only. Cached content, however, is inspected by NIS with the active signature set each time a client requests it.

  • Activating a different signature set—You can use version control to roll back to an earlier signature set, for example, for troubleshooting purposes, or to activate the most up-to-date version.

    Note

    Activating an older NIS signature set may expose your network to recently discovered threats.

  • Modifying NIS response policy—You can change the NIS response policy for an individual signature, for groups of signatures, or for the entire system.

Configuring and verifying NIS signature set downloads

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.

  2. Click the Network Inspection System (NIS) tab, and on the Tasks tab, click Configure Properties.

  3. On the Definition Updates tab, under Automatic definition update action, select one of the following options:

    • Check for and install updates (recommended)—Select this configuration to automatically download and install the latest signature updates.

    • Only check for definitions—Select this configuration to be notified of the availability of new signatures for download.

    • No automatic action—Select this configuration to disable automatic updates.

  4. Under Response policy for new signatures, select one of the following options:

    • Microsoft default policy (recommended)—Select this configuration to accept the Microsoft recommended response policy for newly downloaded signatures.

    • Detect only response—Select this configuration to set all newly downloaded signatures to a log-only mode, where matching traffic is logged but not blocked.

      Tip

      You can configure Forefront TMG to send an e-mail alert when an exploit is found. For information, see Configuring alert actions (https://go.microsoft.com/fwlink/?LinkId=179304).

    • No response (disable signature)—Select this configuration to disable all newly downloaded signatures. In this mode, no action is taken and no record is logged when traffic that matches a new signature is detected.

      Note

      If you later decide to inspect traffic for a disabled signature, you will need to enable it manually.

  5. In the console’s tree, click Update Center.

  6. In the details pane, check whether the last NIS update succeeded.

  7. If not, click Network Inspection System, and then in the Tasks pane, click Check for Definitions.

  8. If the system cannot download an NIS update, check your network configuration.

Activating a different signature set

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.

  2. On the Tasks tab, click Configure Properties.

  3. On the Definition Updates tab, click Version Control.

  4. Click Select the NIS signature set you want to activate, then, in the list, select the required signature set according to either version number or date, and then click Activate.

    Note

    Forefront TMG saves a maximum of five signature sets for rollback purposes.

  5. On the Apply Changes bar, click Apply.

Modifying NIS response policy

Modifying response policy for individual signatures

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.

  2. In the details pane of the Network Inspection System (NIS) tab, click the signature that you want to modify, and then on the Tasks tab, click Configure Signature Properties.

  3. On the General tab, you can change the signature's effective configuration. To override the Microsoft default configuration, click Override, click Enable, and then select Block or Detect only from the list.

    Note

    To learn more about this signature, click More information about this signature online.

  4. Click OK, and then on the Apply Changes bar, click Apply.

Modifying response policy for a group of signatures

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.

  2. In the details pane of the Network Inspection System (NIS) tab, in the Group by list, select the category according to which you want to group the relevant signatures.

  3. Right-click the group title of the section you want to modify (for example, if you grouped the signatures by Severity, you can right-click Moderate), or right-click a signature or a selection of signatures, and then click Enable Selected Signatures, Disable Selected Signatures, or Set Response to Microsoft Default.

  4. On the Apply Changes bar, click Apply.

Modifying response policy for the entire system

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.

  2. On the Network Inspection System (NIS) tab, select one of the following from the Tasks pane:

    • Set All Responses to Microsoft Defaults.

    • Set All Responses to Detect Only.

  3. In the Global Response Policy Setting window, select Apply the selected setting to newly downloaded signature sets if you want this setting to apply also to new signatures.

  4. Click OK, and then on the Apply Changes bar, click Apply.

Concepts

Configuring NIS in Forefront TMG secure Web gateway