Security Best Practices
Updated: March 10, 2009
The following recommendations may be useful for securing and protecting your Windows EBS network. As with any set of security recommendations, these guidelines are not exhaustive, and they may not apply to all organizations.
Configure client computers as Web proxy and firewall clients
To manage the connections from client computers to the Security Server, it is recommended that you install Microsoft Firewall Client on each domain-joined client computer. Make sure that the firewall client is configured for automatic detection of the Web proxy.
To provide an additional internal defense layer, it is recommended that you enable Windows Firewall on the client computers and other servers in your domain.
For information about installing and configuring Firewall Client, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=128049).
Use Internet Explorer enhanced security configuration
Internet Explorer Enhanced Security Configuration is enabled by default on the servers for Windows EBS. This enhanced level of security can prevent some Web sites from displaying correctly in Internet Explorer. As a security best practice, do not add Web sites to the Trusted sites zone of the Internet Explorer browser on the Windows EBS Management Server. In addition, do not change the default security level on the Management Server for any of the security zones in Internet Explorer.
When you start Internet Explorer from a link in the Windows EBS Administration Console, Internet Explorer runs with domain administrator privileges—not with a least-privileges token. If you browse to a malicious Web site that is trusted by Internet Explorer, it is possible for an attacker to exploit the security vulnerability by executing code with full domain administrative privileges on the Management Server. Your Management Server and other computers in your domain may be compromised.
You should remove all suspected Web sites that you have added to the Trusted sites zone in Internet Explorer on the Management Server. If you changed the security level for a security zone in Internet Explorer on the Management Server, reset the zones to the default level.To reset the Internet Explorer security zones to the default level
In Internet Explorer, click Tools, and then click Internet Options.
Click the Security tab, and then click Reset all zones to default level.
Implement a strong password policy
Password policies that are appropriate for your organization should be enforced on administrative accounts and on domain user accounts. To apply stricter password settings to privileged accounts, you can use password policies that promote strong passwords.
For more information about configuring password policies in Windows Server 2008, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=128039).
Minimize the attack surface for the servers for Windows EBS
The Security Server and the domain controllers for Windows EBS are configured by default to install only the services that are required to provide the functionality for Windows EBS. To minimize the attack surface for these servers, follow these guidelines:
Do not install or run unnecessary applications or services.
Disable features of Forefront TMG or other server technologies in Windows EBS that you do not use.
As a security best practice it is recommended that you install the Security Server and other critical components of your Windows EBS network infrastructure in a physically secure location with restricted access.
Back up network firewall configuration regularly
Windows EBS creates a default network firewall configuration file after installation that you can apply at any time. You should store the configuration by exporting an XML file after you make any major modification to the settings for Forefront TMG (including changing cache size or location, modifying firewall policy, configuring system rules, and creating network definitions or network rules).
If you need to restore the firewall configuration by importing an XML file, only import a configuration file that was stored securely before it was imported or that you receive from a trusted source.
For more information about backing up and restoring Forefront TMG in Windows EBS, including using the Active Directory Application Mode (ADAM) Volume Shadow Copy Service, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=128050).