Reducing the attack surface

To further secure a computer running Microsoft Forefront Threat Management Gateway, apply the principle of reduced attack surface. To reduce the breadth of your attack surface, follow these guidelines:

  • Do not run unnecessary applications and services on the Forefront TMG computer.
  • Disable Forefront TMG features that you do not use. For example, if you do not require caching, disable caching. If you do not require the VPN functionality of Forefront TMG, disable VPN client access.
  • Identify those services and tasks not critical to how you manage your network, and then disable the associated system policy rules.
  • Limit the applicability of the system policy rules to required network entities only. For example, the Active Directory system policy configuration group, which is enabled by default, applies to all computers on the Internal network. You could limit this to apply only to a specific group of computers on the Internal network in Active Directory.
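The first two guidelines above ask you to know exactly which services and listening ports a Forefront TMG host exposes. The following PowerShell script is an added example (it is not part of the Forefront TMG documentation and not a Microsoft tool) that compares running services and TCP listeners against an explicit allowlist and reports anything outside it. The allowlist values are constructed placeholders; the TMG-specific service names and port 1745 in particular are assumptions you should replace with the services and ports your own deployment needs.

```powershell
# Added example, not from the Forefront TMG documentation.
# Reports running services and TCP listeners that are not on an explicit allowlist,
# so that unnecessary services can be identified and disabled.
param(
    # Constructed allowlist of service names (not display names). Adjust to your host.
    [string[]]$ExpectedServices = @('EventLog', 'RpcSs', 'Winmgmt', 'W32Time', 'Dnscache',
                                    'fwsrv', 'isactrl'),   # TMG service names: assumed
    # Constructed allowlist of TCP ports that are expected to listen. 1745 is assumed to be
    # the Firewall Client control channel; replace with your own expected set.
    [int[]]$ExpectedListeningPorts = @(80, 443, 1745, 3389)
)

function Get-UnexpectedServices {
    param([string[]]$Allowed)
    # Win32_Service exposes StartMode, which Get-Service does not on older hosts.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $Allowed -notcontains $_.Name } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_.Name
                Display   = $_.DisplayName
                StartMode = $_.StartMode
                Binary    = $_.PathName
            }
        }
}

function Get-UnexpectedListeners {
    param([int[]]$AllowedPorts)
    # netstat -ano -p tcp prints: Proto  Local Address  Foreign Address  State  PID
    netstat -ano -p tcp |
        Where-Object { $_ -match 'LISTENING' } |
        ForEach-Object {
            $fields = ($_ -replace '^\s+', '') -split '\s+'
            $local  = $fields[1]
            $port   = [int]$local.Substring($local.LastIndexOf(':') + 1)
            $procId = [int]$fields[4]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($AllowedPorts -notcontains $port) {
                New-Object PSObject -Property @{
                    LocalAddress = $local
                    Port         = $port
                    ProcessId    = $procId
                    Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                }
            }
        }
}

Write-Host "Running services not on the allowlist:"
Get-UnexpectedServices -Allowed $ExpectedServices |
    Sort-Object Name | Format-Table Name, StartMode, Display -AutoSize

Write-Host "TCP listeners not on the allowlist:"
Get-UnexpectedListeners -AllowedPorts $ExpectedListeningPorts |
    Sort-Object Port | Format-Table Port, LocalAddress, ProcessId, Process -AutoSize
```

Run it from an elevated PowerShell prompt on the Forefront TMG computer after installation and again after major configuration changes; anything it lists is either a candidate for disabling or a service that should be added to the allowlist with a documented reason.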

The following sections describe how you can reduce the attack surface of the Forefront TMG computer.

Disabling features

Depending on your specific networking needs, you may not require the entire set of features included in Forefront TMG. You should carefully consider your specific needs and determine whether you need the following:

  • VPN client access
  • Caching
  • Web proxy
  • Add-ins

If you do not require a specific feature, disable that feature.

VPN client access

VPN client access is disabled by default. This means that the relevant system policy rule, named Allow VPN client traffic to Forefront TMG, is also disabled. The default network rule, named VPN Clients to Internal Network, is enabled even when VPN client access is disabled. If VPN client access is currently enabled but not required, you can disable it.

To verify that VPN client access is disabled

  1. In the Forefront TMG Management console tree, click the Virtual Private Networks (VPN) node.

  2. In the details pane, click the VPN Clients tab, and then click Verify VPN Properties.

  3. On the General tab, verify that Enable VPN client access is not selected.

Caching

Caching is disabled by default. This means that all relevant caching features, including scheduled content download, are disabled. If caching is currently enabled for Forefront TMG, you can disable it.

To verify that caching is disabled

  1. In the Forefront TMG Management console tree, click the Web Access Policy node.

  2. In the details pane, if Web Caching is set to Enabled or if you configured a cache drive, do the following:

    1. On the Tasks tab, click Configure Web Caching.
    2. On the Cache Drives tab, select the Forefront TMG computer and click Configure.
    3. Select each drive for which the value in the Cache Size column is not 0 and then click Reset.
    4. Click OK.

Web proxy

The Forefront TMG Web proxy is enabled by default and is the basis of one of the central deployment scenarios of Forefront TMG. We recommend that you disable Web proxy in scenarios in which the Web proxy is not used.

Forefront TMG does not use the Web proxy in the following scenarios:

  • Forefront TMG is used only for VPN connections.
  • There is no requirement for the following additional Forefront TMG features:
    • Caching
    • HTTP compression
    • Application-layer filtering
  • There is another Forefront TMG computer providing Web proxy services.

To disable the Web proxy on a Forefront TMG computer, you need to create a new protocol with TCP port 80 and verify that Web Proxy Filter is not selected for the new protocol. When you create an access rule to allow HTTP traffic with the new protocol, the following applies:

  • Users must have a default gateway properly defined or use the Firewall Client.
  • Name resolution must be properly defined.
  • Web proxy settings must be cleared.

To re-enable the Web proxy, use the original HTTP protocol that Forefront TMG creates during setup in any access rule.

To disable Web proxy

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. In the details pane, click the Toolbox tab, and then click Protocols.

  3. Click New and select Protocol.

  4. On the Welcome page of the New Protocol Definition Wizard, in Protocol definition name, type HTTP1.

  5. On the Primary Connection Information page, click New, type 80 in the From and To fields, and then click OK.

  6. Do not define any secondary connections.

  7. Click Finish to complete the wizard.

    Note

    Do not bind the Web Proxy Filter to the protocol created because this will enable the Web proxy.

Add-ins

When you install Forefront TMG, a suite of application filters and Web filters is also installed. You can subsequently install additional add-ins provided by third-party vendors. Follow these security guidelines:

  • Do not install application filters or Web filters that you do not require.
  • Never install a filter from an untrusted source.
  • Save the dynamic-link library (DLL) associated with the add-in in a protected folder (for example, %ProgramFiles%\Microsoft Forefront TMG). Be sure to configure strict access control lists (ACLs) for this folder.
  • Disable application and Web filters that you do not require.
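Two of the guidelines above (strict ACLs on the add-in folder, and never installing a filter from an untrusted source) can be checked rather than assumed. The following PowerShell script is an added example (not part of the Forefront TMG documentation) that lists every access control entry granting write-class rights on the add-in folder to a principal outside a small trusted set, and reports the Authenticode signature status of each DLL found there. The default folder path follows the example in the guideline above; the trusted-principal list is an assumed baseline you should adjust to your own environment.

```powershell
# Added example, not from the Forefront TMG documentation.
# Audits the add-in DLL folder for weak ACLs and for unsigned or untrusted DLLs.
param(
    # Folder path taken from the guideline above; adjust if your add-ins live elsewhere.
    [string]$AddInFolder = "$env:ProgramFiles\Microsoft Forefront TMG"
)

# Assumed baseline of principals that may legitimately hold write access to the folder.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights lets a principal alter, replace, or re-permission files in the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-RiskyWriteAces {
    # Returns Allow ACEs that grant write-class rights to non-trusted principals.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            New-Object PSObject -Property @{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-AddInSignatureReport {
    # Returns one record per DLL with its Authenticode status and signer subject.
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.dll -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            File   = $_.FullName
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $signer
        }
    }
}

Write-Host "ACEs granting write-class rights to non-trusted principals on $AddInFolder :"
Get-RiskyWriteAces -Path $AddInFolder | Format-Table Identity, Rights, Inherited -AutoSize

Write-Host "DLLs whose signature is not Valid:"
Get-AddInSignatureReport -Path $AddInFolder |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Status, File, Signer -AutoSize
```

An empty first table means only the trusted principals can modify the folder; any entry in the second table is a DLL that either is unsigned or whose signature does not verify and should be investigated before the add-in stays enabled. The folder path and the trusted-principal baseline are assumptions; the signature status values are those reported by Get-AuthenticodeSignature.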

To disable an add-in

  1. In the Forefront TMG Management console tree, click the System node.

  2. In the details pane, click the Application Filters tab if you want to disable an application filter, or click the Web Filters tab if you want to disable a Web filter.

  3. In the details pane, select the applicable add-in.

  4. On the Tasks tab, click Disable Selected Filters.

System Policy

Forefront TMG includes a default system policy configuration, which allows use of services commonly required for the network infrastructure to function properly.

In general, from a security perspective, we strongly recommend that you configure the system policy so that access to services that are not required to manage your network is not allowed. After installation, carefully review the system policy rules. Similarly, after you perform major administration tasks, review the system policy configuration again.

The following sections describe services that are enabled by system policy rules.

For more information about system policy configuration, see About system policy.

Network services

When you install Forefront TMG, basic network services are enabled. After installation, Forefront TMG can access name resolution servers and time synchronization services on the Internal network.

If the network services are available on a different network, you should modify the applicable configuration group sources to apply to the specific network. For example, suppose the Dynamic Host Configuration Protocol (DHCP) server is not located on the Internal network, but on a perimeter network. Modify the source for the DHCP configuration group to apply to that perimeter network.

You can modify the system policy so that only particular computers on the Internal network can be accessed. Alternatively, you can add other networks if the services are located elsewhere.

The following table shows the system policy rules that apply to network services.

Configuration group: DHCP
  Rule names:
    • Allow DHCP requests from Forefront TMG to all networks
    • Allow DHCP replies from DHCP servers to Forefront TMG
  Rule description: Allows the Forefront TMG computer to access any network by using DHCP (reply) and DHCP (request).

Configuration group: DNS
  Rule name: Allow DNS from Forefront TMG to selected servers
  Rule description: Allows the Forefront TMG computer to access all networks by using the Domain Name System (DNS) protocol.

Configuration group: NTP
  Rule name: Allow NTP from Forefront TMG to trusted NTP servers
  Rule description: Allows the Forefront TMG computer to access the Internal network by using the NTP (UDP) protocol.

DHCP

If your DHCP server is not located on the Internal network, you must modify the system policy rule so that it applies to the network on which the DHCP server is located. For example, if the DHCP server is located on the External network, perform the following procedure.

To modify the system policy rule for DHCP

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click DHCP.

  4. On the From tab, click Add, select External, click Add, and then click Close.

  5. Select Internal and then click Remove.

  6. Click OK.

Authentication Services

One of the fundamental capabilities of Forefront TMG is the ability to apply a firewall policy to specific users. When a policy applies to a specific group of users, all users must be authenticated to determine their identity. To authenticate users, however, Forefront TMG must be able to communicate with authentication servers. For this reason, by default, Forefront TMG can communicate with Active Directory servers (for Windows authentication) and with RADIUS servers located on the Internal network.

The following table shows the system policy rules that apply to authentication services. You can disable the rules for types of authentication that are not being used.

Configuration group: Active Directory
  Rule names:
    • Allow access to directory services for authentication purposes
    • Allow RPC from Forefront TMG to trusted servers
    • Allow Microsoft CIFS from Forefront TMG to trusted servers
    • Allow Kerberos authentication from Forefront TMG to trusted servers
  Rule description: Allows the Forefront TMG computer to access the Internal network by using various LDAP protocols, the remote procedure call (RPC) (all interfaces) protocol, various Microsoft common Internet file system (CIFS) protocols, and various Kerberos protocols, by using the Active Directory directory service.

Configuration group: RSA SecurID
  Rule name: Allow SecurID authentication from Forefront TMG to trusted servers
  Rule description: Allows the Forefront TMG computer to access the Internal network by using the RSA SecurID protocol.

Configuration group: RADIUS
  Rule name: Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers
  Rule description: Allows the Forefront TMG computer to access servers in the Internal network by using various RADIUS protocols.

Configuration group: Certificate Revocation List (CRL) Download
  Rule name: Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)
  Rule description: Allows all HTTP traffic from Forefront TMG to all networks for downloading updated certificate revocation lists (CRLs).

DCOM

If you require use of the DCOM protocol—for example, to remotely manage the Forefront TMG computer—be sure that you do not select Enforce strict RPC compliance.

To verify that Enforce strict RPC compliance is not selected

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click Active Directory.

  4. Verify that Enforce strict RPC compliance is not selected.

  5. Click OK.

Important

DCOM is often required for various services, including remote management and certificate auto-enrollment.

Windows and RADIUS authentication

If you do not require Windows authentication or RADIUS authentication, you should perform the following steps to disable the applicable system policy configuration groups.

To disable the applicable system policy configuration groups

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click Active Directory.

  4. On the General tab, verify that Enable this configuration group is not selected.

    Note

    When you disable the Active Directory system policy configuration group, access to all LDAP protocols is no longer allowed. If you require the LDAP protocols, create an access rule allowing use of these protocols.

  5. Repeat step 3 and step 4 for the RADIUS configuration group.

  6. Click OK.

    Important

    If you require only Windows authentication, be sure to disable the use of all other authentication mechanisms in the system policy.

RSA SecurID

Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, be sure to enable this configuration group.

CRL download

Certificate revocation lists (CRLs) cannot be downloaded by default. This is because the CRL Download configuration group is not enabled by default.

To enable CRL download

  1. In the Forefront TMG Management console tree, click the Firewall Policy node.

  2. On the Tasks tab, click Edit System Policy.

  3. In System Policy Editor, in the Configuration Groups tree, click CRL Download.

  4. On the General tab, verify that Enable this configuration group is not selected.

  5. On the To tab, select the network entities from which CRLs can be downloaded.

  6. Click OK.

Important

The most common way to download CRLs is over HTTP. Therefore, when the CRL Download configuration group is enabled, all HTTP requests will be allowed from the Local Host network (the Forefront TMG computer) to network entities listed on the To tab. If your certificates require another protocol to download the CRLs, you need to create an access rule for these protocols.

Remote management

Remote logging and monitoring

Diagnostic services

Scheduled download jobs

Allowed sites