Security and configuration notices


Applies to: Forefront Security for Exchange Server

Forefront Security for Exchange Server includes many security updates and configuration changes from earlier releases. This section details security and configuration information and is updated as necessary to reflect new changes in Forefront Security for Exchange Server.

Security policy changes

Security has been improved by reducing the privileges that Forefront Security for Exchange Server services and processes hold from the moment they start. This limits the damage if malformed data exploits a flaw in the Forefront Security for Exchange Server code or in one of the third-party scanning engines: a compromised process has only the privileges its service needs, not the full set of its account. Many services and processes run under the Network Service account; a few run under the Local System account. When FSS services start, Forefront Security for Exchange Server removes every privilege from the process token except those the service requires to do its work.

The only privileges left enabled are:

  • SeImpersonatePrivilege

  • SeChangeNotifyPrivilege

  • SeSecurityPrivilege

  • SeIncreaseQuotaPrivilege

  • SeTcbPrivilege

  • SeAssignPrimaryTokenPrivilege

This list is the union across all FSS services, not the set that every process holds: SeTcbPrivilege ("Act as part of the operating system") and SeSecurityPrivilege are not in the Network Service account's default token, so they apply only to the services that run as Local System.

Restricted access control lists (ACLs) are now applied to Forefront Security for Exchange Server resources to prevent unauthorized access. With this change, only members of the Administrators group can administer Forefront Security for Exchange Server. The Network Service account, under which most scanning processes run, has read access to the program files, registry configuration and DCOM objects, and write access only to the Data folder, so a compromised scanning process cannot replace binaries or alter the product's configuration.

The ACLs that are applied to Forefront Security for Exchange Server resources are described in the following table.

Resource type   Resource                              ACL set
File            <Installation path>                   SYSTEM – Full Access
                                                      Administrators group – Full Access
                                                      Network Service – Read
File            "Data" folder                         SYSTEM – Full Access
                                                      Administrators group – Full Access
                                                      Network Service – Full Access
Registry        HKLM/Software/xxxxx/xxxxx             SYSTEM – Full Access
                                                      Administrators group – Full Access
                                                      Network Service – Read
DCOM            FSEIMC, FSCMonitor, FSCController,    SYSTEM – Full Access
                FSCStatisticsService                  Administrators group – Full Access
                                                      Network Service – Read
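The following PowerShell script is an added example, not part of the Forefront documentation or of the product, that compares the file and registry ACLs on a server against the table above. The installation path, Data folder and registry key at the top of the script are assumptions: the page only gives "<Installation path>", the "Data" folder and a placeholder key, so all three must be replaced with the real values. Principals are matched by well-known SID (S-1-5-18 SYSTEM, S-1-5-32-544 Administrators, S-1-5-20 Network Service) so the check does not depend on the display language of the server.

```powershell
# Added example: audit FSE resource ACLs against the documented ACL set.
# Not part of Forefront Security for Exchange Server. The paths below are
# ASSUMED and must be replaced; the page only gives "<Installation path>",
# the "Data" folder and a placeholder registry key.
$InstallPath = 'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server'  # assumed
$DataPath    = Join-Path $InstallPath 'Data'                                          # assumed
$RegistryKey = 'HKLM:\SOFTWARE\xxxxx\xxxxx'                                           # placeholder from the table

# Well-known SIDs for the three principals named in the table.
$SidSystem = 'S-1-5-18'; $SidAdmins = 'S-1-5-32-544'; $SidNetSvc = 'S-1-5-20'

# Rights that let a principal change the resource. Any of these granted to a
# principal the table limits to "Read" is a finding.
$FileWriteMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership')
$RegWriteMask  = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership')
$GenericWrite  = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE, used by inherit-only ACEs

function Test-FseResourceAcl {
    param(
        [Parameter(Mandatory)][string]$Path,        # file system path or HKLM:\ registry path
        [Parameter(Mandatory)][hashtable]$Expected  # SID -> 'Full' or 'Read', taken from the table
    )
    if (-not (Test-Path $Path)) { return "$Path : not found (check the assumed path)" }
    $isRegistry = (Get-Item $Path).PSProvider.Name -eq 'Registry'
    $writeMask  = if ($isRegistry) { $RegWriteMask } else { $FileWriteMask }
    $findings   = @()
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid    = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $rights = if ($isRegistry) { [int]$rule.RegistryRights } else { [int]$rule.FileSystemRights }
        $canWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $GenericWrite) -ne 0)
        $documented = $Expected[$sid]
        if (-not $documented) {
            # A principal the table does not mention at all. Inherited entries from
            # the parent folder show up here and must be judged individually.
            $kind = if ($canWrite) { 'write' } else { 'read-only' }
            $findings += "$Path : $($rule.IdentityReference) is not in the documented ACL set ($kind access, inherited=$($rule.IsInherited))"
        } elseif ($documented -eq 'Read' -and $canWrite) {
            $hex = '0x{0:X}' -f $rights
            $findings += "$Path : $($rule.IdentityReference) is documented as Read but holds write rights ($hex)"
        }
    }
    return $findings
}

$ReadSet = @{ $SidSystem = 'Full'; $SidAdmins = 'Full'; $SidNetSvc = 'Read' }   # install path, registry key
$FullSet = @{ $SidSystem = 'Full'; $SidAdmins = 'Full'; $SidNetSvc = 'Full' }   # Data folder

$findings = @(
    Test-FseResourceAcl -Path $InstallPath -Expected $ReadSet
    Test-FseResourceAcl -Path $DataPath    -Expected $FullSet
    Test-FseResourceAcl -Path $RegistryKey -Expected $ReadSet
)
if ($findings.Count -eq 0) { 'ACLs match the documented set.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated prompt on the Exchange server. The finding that matters most is Network Service holding write rights on the installation path or the registry key, since that is exactly what the restricted ACLs are meant to rule out; entries inherited from the parent folder (for example read access for BUILTIN\Users under Program Files) are reported so you can decide whether they are acceptable. The script does not cover the DCOM row of the table; launch and access permissions for FSEIMC, FSCMonitor, FSCController and FSCStatisticsService have to be inspected in Component Services (dcomcnfg).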

General Options changes

The following describes changes to the General Options:

  • Engine Error Action. The default action for the General Option Engine Error Action has been changed from Skip to Delete, so that content a scanning engine cannot process is removed instead of being passed on unscanned. The Delete action logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the Forefront Server Security Administrator.

  • Transport Scan Timeout Action. The default action for the General Option TransportScanTimeoutAction has been changed from Skip to Delete.

  • Realtime Scan Timeout Action. The default action for the General Option RealtimeScanTimeoutAction has been changed from Skip to Delete.

  • Quarantine Timeout. The registry value QuarantineTimeout has been added to override quarantining after a scan job time-out. The value is of type DWORD. If the value is absent, or present with a non-zero value, messages that cause a scan job time-out are quarantined. If the value is present and set to zero, the messages are not quarantined.

  • Delete Corrupted Compressed Files. The default setting for the General Option DeleteCorruptedCompressedFiles has been changed from Off to On. Files identified as corrupted are quarantined. If you do not want these files quarantined, create a DWORD registry value named QuarantineCorruptedCompressedFiles and set it to 0 to override the quarantine.

  • Illegal MIME Header Action. The General Option Illegal MIME Header Action has been added. When it is enabled, Forefront Security for Exchange Server deletes messages that are malformed or that carry multiple instances of a header, because such messages are ambiguous: two components that parse the same message, such as the scanner and the recipient's mail client, can disagree about what an attachment is and how it is encoded, and the scanner's verdict then does not apply to what the recipient actually sees. Headers checked for duplicates and malformation include Content-Type, Content-Disposition, and Content-Transfer-Encoding. This option is On by default.

Other changes and updates

The following describes other changes and updates:

  • ScanAllAttachments Registry Setting. The registry setting ScanAllAttachments defaults to 1 for all new installations of Forefront Security for Exchange Server. This configures Forefront Security for Exchange Server to scan all attachments for viruses by default. For more information about this setting, see the "Scanning files by type" sections in Manual Scan Job, Realtime Scan Job, and Transport Scan Job.

  • Winmail.dat Scanning. The Forefront Security for Exchange Server Transport Scan Job scans Winmail.dat files for viruses. Exchange uses Winmail.dat files for several purposes; one of them is to carry public folder replication data between servers (IPM replication messages). If Forefront Security for Exchange Server modifies any of these Winmail.dat files, the public folder replication process fails. To prevent this, you can create a DWORD registry value named DoNotScanIPMReplicationMessages and set it to 1; the Transport Scan Job will then not scan IPM replication messages.

    Note

    If a virus is replicated via public folder replication, the Forefront Security for Exchange Server Realtime Scan Job still detects the virus even if this key is set.

  • FTP Engine Updates. Engine updates via the File Transfer Protocol (FTP) server are no longer supported. Updates must be done using HTTP or locally using a UNC share.
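The following PowerShell script is an added example, not part of the Forefront documentation or of the product, that reads and applies the DWORD overrides described under "General Options changes" and "Other changes and updates". It implements the three-state rule the text gives for QuarantineTimeout (absent or non-zero means quarantine, present and zero means do not), checks that ScanAllAttachments is 1, and stages the DoNotScanIPMReplicationMessages and QuarantineCorruptedCompressedFiles overrides. The registry key path is an assumption: the page only shows the placeholder HKLM/Software/xxxxx/xxxxx, and the function and variable names are this example's own.

```powershell
# Added example: inspect and apply the FSE registry overrides described on this
# page. Not part of Forefront Security for Exchange Server. The key path is an
# ASSUMPTION; the page only gives the placeholder HKLM/Software/xxxxx/xxxxx.
$FseKey = 'HKLM:\SOFTWARE\xxxxx\xxxxx'   # assumed: replace with the real FSE key

function Get-FseDwordState {
    # Returns the string 'Absent' when the value does not exist, otherwise its
    # integer value. Keeping "absent" distinct from 0 matters for QuarantineTimeout.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Absent' }
    return [int]$item.$Name
}

function Resolve-FseQuarantineOnTimeout {
    # Documented rule: messages that time out are quarantined unless
    # QuarantineTimeout exists and is exactly 0.
    param([string]$Key)
    $state = Get-FseDwordState -Key $Key -Name 'QuarantineTimeout'
    if ($state -eq 'Absent') { return $true }
    return ($state -ne 0)
}

function Set-FseDwordOverride {
    # Creates or updates a DWORD value; honours -WhatIf so the change can be
    # reviewed before it is made. Reports the previous state for the change log.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key, [string]$Name, [int]$Value)
    $before = Get-FseDwordState -Key $Key -Name $Name
    if ($PSCmdlet.ShouldProcess("$Key\$Name", "set DWORD to $Value")) {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
    [pscustomobject]@{ Name = $Name; Before = $before; Requested = $Value }
}

# 1. Report the effective time-out behaviour before changing anything.
"Quarantine on scan time-out: $(Resolve-FseQuarantineOnTimeout -Key $FseKey)"

# 2. ScanAllAttachments defaults to 1 only for new installations, so an
#    upgraded server may still carry the old value.
$scanAll = Get-FseDwordState -Key $FseKey -Name 'ScanAllAttachments'
if ($scanAll -ne 1) {
    Write-Warning "ScanAllAttachments is '$scanAll'; new installations default to 1 (scan every attachment)."
}

# 3. Stage the overrides documented on this page. Both reduce what is quarantined
#    or scanned, so run with -WhatIf first and drop it only once reviewed.
Set-FseDwordOverride -Key $FseKey -Name 'DoNotScanIPMReplicationMessages'    -Value 1 -WhatIf
Set-FseDwordOverride -Key $FseKey -Name 'QuarantineCorruptedCompressedFiles' -Value 0 -WhatIf
```

Both overrides trade protection for operational convenience and should be recorded as such: DoNotScanIPMReplicationMessages removes transport-level scanning of replication traffic (the Note above explains that the Realtime Scan Job still covers replicated content), and QuarantineCorruptedCompressedFiles set to 0 means a corrupted archive is deleted without a quarantined copy being kept for later analysis.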

See Also

Concepts

Multiple scan engines