Microsoft Forefront Server Security

Microsoft Forefront Server Security Tony Clarke Technical Specialist - Security Microsoft UK

The Interconnected World

Communication Collaboration Business productivity gains

Worms and Viruses Evolving threats to Collaboration Spam

Security Issues Today Messaging and collaboration systems are easy targets for malicious code and distribution of undesirable content: Viruses Worms Bot-nets Trojans Spam Phishing Profanity / offensive content

E-mail Antivirus Approaches Internet

Single Vendor Solution Multi-vendor Solution

Viruses Worms Spam

• Same scan • Different heuristics scanengine, engines, heuristics technologyand andsignature signature files fileson on technologies

AV AV ISA Servers

Windows SMTP Servers

AV AV

AV AV Exchange

AV AV

AVAV

Exchange

Exchange

AV AV AV AV

AV AV

all server and client platforms server and client platforms • Dependent • High onand one AV lab acquisition for scan engine maintenance cost updates • Added during virus or worm filtering complexity • Added outbreaks signature update • Queuing and delay during complexity • Risk engine updates mission of failure and on queuing still critical (i.e. exists on servers mission-critical Exchange) servers

Problem:

Single Point of Failure Management/Cost

Defense-in-Depth for Exchange Server

Internet

EHS

ISA Server

Exchange

Mail flow EHS Service • Eliminate spam and viruses before they reach your network

ISA Server 2004/6 • Securely enable remote access to Exchange email

Rapid identification and quickest response to latest threats

• Enhance server protection with preauthentication of users

Unparalleled reliability and scalability

Improve security of OWA sessions from unmanaged clients

Antigen On-Premise Software • Protect against internal threats Enforce content policies in e-mail Provide additional layer of defense against the latest viruses, worms and spam

The Ideal Solution Use a single vendor solution that integrates antivirus engines from top worldwide virus labs and provides all updates from a single source Manages multiple antivirus scan engines on all mission critical messaging and collaboration servers

AV

AV

AV AV AV

Exchange Server/ Windows SMTP Server

AV

Central Mgt

Includes anti-spam, policy and content filtering for complete protection and hygiene Anti-spam Antivirus Policy Mgt

E-mail and Collaboration Server Security Live Communications Server

ISA Server

SharePoint

Collaboration SMTP Server

Exchange Server

Internet

Users Viruses Worms Spam

Edge

Antigen Enterprise Manager

E-mail Microsoft Operations Manager w/ Antigen Management Pack

Management

Viruses Worms Inapp. Content

Layered Defenses Protection at multiple points in the network Edge: Antigen for SMTP, Advanced Spam Manager E-Mail server: Antigen for Exchange, Advanced Spam Manager Microsoft SharePoint® Portal Server (SPS): Antigen for SharePoint Live Communication Server: Antigen for Instant Messaging

Multiple engine management Up to eight engines available Advanced Spam Manager integration with Microsoft® Intelligent Message Filter

Content and Document filtering Block mail according to file type Scan file names, text within documents, and e-mail subject and body for administrator-defined keywords

Antigen for Exchange Scans all messages routed through SMTP transport stack and Exchange Message Transfer Agent Connectors Real-time, on-demand, on-access, and manual (scheduled) scanning of Information Store for back-end Exchange servers Microsoft-approved virus scanning application programming interface integration for Exchange 2000 and 2003 Full protection of Outlook® Web Access

Internet

ISA Server

Exchange Site 1

Antigen

Exchange Front End

Exchange Site 2 Antigen

Antigen

Exchange Public Folder Server

Exchange Mailbox Server

Antigen for SMTP Gateways Protects SMTP traffic thru ISA and Windows SMTP servers Scans SMTP stack to disable threats within a message during the routing process Message body scanning enabled by default to detect embedded viruses (eg. HTML viruses in MIME format) Integrates scanning techniques (keyword filtering, antispam, and others) during routing process Proactively notifies administrators of virus incidents and scan events by e-mail or event log

Firewall

ISA or SMTP

Antige Gateway n

Server/Routing Server Exchange Servers

Users

ASM & IMF Together On the same server, IMF scans before ASM Each applies an SCL rating – the higher the rating always wins (i.e. has more confidence) Mail that is rejected , deleted or archived by IFM will NOT make it to ASM Example: IMF archived SCL 7,8 & 9 IMF Scan

ASM Scan

ASM Spam set to 9 IMF SCL of 0-6

Mail Store

If SCL is 7,8,9 Archive Folder

Pickup Folder If Admin moves

Junk EMail

Inbox

Antigen Enterprise Manager Configuration and Upgrade Deployment Centralized Scan Engine Updates Management Reporting and Alerts

MOM MP for Antigen Over 100 Events, Performance Counters and Services Monitored Monitors the state of Antigen and its key components Collects statistical data on scanning, detection and removal of messages and attachments 5 Antigen Services Polled - Provides timed events to poll systems for critical process health

Key Tasks: Trigger Scan Engine updates Centralized storage and deployment of License files Import, export and deploy changes for key settings Immediate and/or scheduling of Manual Scan Jobs. Start/Stop control of Antigen services

Competitive Advantages Key Points: Single Points of Failure One Engine throughout antivirus suite on all platform

Single Layer of Scanning on Exchange Server Different products for different version of Exchange poor migration support

Limited Notifications No disclaimers Limited File and Content Filtering PSS Support

Q&A

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.