adwait joshijim harrison sr. product managerprogram manager microsoft corporation session code:...
TRANSCRIPT
Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
Adwait Joshi Jim HarrisonSr. Product Manager Program Manager
Microsoft Corporation
SESSION CODE: SIA308
Agenda
Business Ready SecurityTMG New Features - overviewDeep Dives with Troubleshooting
URL Filtering Malware Inspection
Summary
Across on-premises & cloud
Business Ready SecurityHelp securely enable business by managing risk and empowering people
Integrate and extend securityacross the enterprise
Block
from:
Enable
Cost Value
Siloed Seamless
to:
Simplify the security experience, manage compliance
Protect everywhere,access anywhere
Highly Secure & Interoperable Platform
Identity
PROTECT everywhere ACCESS anywhere
SIMPLIFY security,MANAGE compliance
Protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere
INTEGRATE and EXTEND security
Secure Endpoint Solution
• Provides unified administration for desktop management and protection
• Increases visibility of potentially vulnerable desktops
• Uses existing System Center Configuration Manager infrastructure
• Builds on and extends Windows security
• Enables multi-layered antimalware protection
• Protects critical data wherever it resides
• Provides more secure always-on access
New Forefront Threat Management Gateway 2010
• Enables employees to safely use the Internet without worrying about malware and other threats.
Comprehensive Web Security
• Includes and improves proven network protection technologies of ISA 2006
Next Generation of
ISA Server
TMG Enhancements• HTTP
Anti-virus/spyware• URL Filtering• HTTPS forward
inspection
Secure Web Access
• VoIP traversal (SIP)• Enhanced NAT• ISP Link Redundancy• Logging Improvements• Updated firewall client• NDIS Filter (Layer-2)
Firewall
• Exchange Edge/FPE integration• Anti-Virus• Anti-spam• Array-based Mgmt
E-mail Protection
• Network Inspection System (GAPA)
• Flood Mitigation
Intrusion Prevention
• NAP integration with VPN role
• Supports SSTP VPN
Remote Access
• Scenario UI & Wizards• Mixed Arrays• Enhanced reporting• W2K8 R1 SP2 or R2,
native 64-bit
Deployment & Management
• Subscription Svcs:• HTTP: AV+URL
Filtering• Email: AV+Anti-Spam
• NIS signatures
Web Protection
7
TMG Deployment Scenarios
•Authenticating proxy with security•Web Anti Malware and URL filtering•Inspection of HTTP and HTTPS traffic
Secure Web Gateway
•All-in-one solution for medium businesses and for branch offices•Firewall, Proxy, VPN, IPS, Email relay in a single box
Unified Threat Management (UTM)
•Dial-in VPN•Site to site VPN•Secure Web Publishing
Remote Access Gateway
•Anti Spam•Anti Virus•Email Filtering
Secure Email Relay Management
Firewall Service
MRSCache
1
2
3
4
5
67
12
MRS
11
Web Proxy Engine
10.10.0.1:8080
127.0.0.1:8080
WebSvr
10
89
WWSAPI
WinHTTP
X
SOAP Req to HTTPS://10.ds.mrs.microsoft.com
GET HTTP://my.kitty.cat.com/calico?gimmenow
HTTP://my.kitty.cat.com/calico?gimmenowHTTP://kitty.cat.com/calico?gimmenowHTTP://cat.com/calico?gimmenowHTTP://com/calico?gimmenow
In MRS Cache?
WWSAPI
MRSCacheNope…
WinHTTP
CONNECT 10.ds.mrs.microsoft.com:443
POST HTTPS://10.ds.mrs.microsoft.com
WinHTTP
WWSAPI
SOAP Response
SOAP Request
WinHTTP SSL Tunnel
WinHTTPSOAP ResponseWWSAPI
200 OK
Problem AreasFirewall Policies (rule ordering)
WPS License Expired
Users Don’t Read The Error Page (12233.htm, 12233r.htm)
CRL Validation Name ResolutionNetwork WPAD ConfigurationWinHTTP Auto-DiscoveryWinHTTP Proxy Settings
First TMG RFC was for URL Filtering (MRS Queries)
What Did We Know?TMG logs verify the complaintLOTS of failed attempts to communicate with MRSLOTS of WPAD requests from TMG itself
TMG tells WWSAPI to use localhost:8080
WWSAPI tells WinHTTP to use localhost:8080
SOAP Req to HTTPS://10.ds.mrs.microsoft.com
GET HTTP://my.kitty.cat.com/calico?gimmenow
WWSAPI
WinHTTP
POST HTTPS://10.ds.mrs.microsoft.com
POST HTTPS://10.ds.mrs.microsoft.com
WinHTTP
WWSAPI
What Did We Need?Web Services behavioral data (tracing)
WinHTTP Proxy configuration (netsh winhttp sho pro)Behavioral data (tracing)
NetCaps
Web Services Tracing
Requires Windows SDK: http://www.microsoft.com/downloads/details.aspx?FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505
Use it like unto thusly:1. Click Start, All Programs, Microsoft Windows SDK v7.02. R-click CMD Shell and select “Run as Administrator” (elevated).3. Run the following sequence of commands:
1. wstrace.bat create verbose2. wstrace.bat on3. create the repro4. wstrace.bat dump > C:\Temp\wwstraces.csv
WinHTTP Tracing
Requires Nothing Extra..so we have no link; sorry…
Use it like unto thusly:1. Click Start, All Programs, Accessories2. R-click Command Prompt and select “Run as Administrator” (elevated).3. Run the following command:
1. netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled2. create the repro3. netsh winhttp set tracing state=disabled
Do It All Together1. Click Start, All Programs, Microsoft Windows SDK v7.02. R-click CMD Shell and select “Run as Administrator” (elevated).3. Run the following commands:
netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled wstrace.bat create verbose wstrace.bat on
4. Create the repro5. Run the following commands:
netsh winhttp set tracing state=disabled wstrace.bat dump > C:\Temp\wwstraces.csv
TelemetryAnother MRS Request
Same mechanism as MRS LookupsFQDN is 10. s.mrs.microsoft.comAmount of data sent depends on participationSame problem areas as URLF except not (entirely) user-drivenNeed to scan logs for problems
t
What Do We Need?Windows Automatic Update Agent
Configuration (MSKB 328010)Behavioral data (logging)
WinHTTP Configuration (netsh winhttp sho pro)Behavioral data (tracing)
WinHTTP Tracing
Requires Nothing Extra..so we have no link; sorry…
Use it like unto thusly:1. Click Start, All Programs, Accessories2. R-click Command Prompt and select “Run as Administrator” (elevated).3. Run the following command:
1. netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled2. create the repro3. netsh winhttp set tracing state=disabled
WAUA Logging / Configuration
Requires Nothing ExtraMSKB 902093 describes it
Use it like unto thusly:1. Press the Start and R keys simultaneously2. In the Run dialog, type
notepad %windir%\windowsupdate.log and hit <Enter>
Update Center Configuration
http://blogs.technet.com/isablog/archive/2009/11/28/using-windows-server-update-service-for-the-tmg-update-center.aspx
Cleaning Blocking
Threat level Suspicious Corrupted Unscannable Encrypted Scan Time Archive depth Pre-, Post unpacked size
TMG Log Summary
Log type: Web Proxy (Forward) Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator. Rule: Allow Web Access for parent Source: Internal (10.10.255.1:49226) Destination: External (188.40.238.250:80) Request: GET http://www.eicar.org/download/eicar.com Filter information: Req ID: 09906bf2; Compression: client=No, server=Yes, compress rate=0% decompress rate=0% Protocol: http User: anonymous
Additional information Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727) Object source: Internet (Source is the Internet. Object was added to the cache.) Cache info: 0x40800000 (Response includes the LAST-MODIFIED header. Response should not be cached.) Processing time: 390MIME type: application/x-msdos-program
Failed Connection Attempt TMG-01 2/3/2010 7:21:23 AM
Problem AreasUpdate Center ConfigurationWPS License ExpiredWSUS / MU ConfigurationWinHTTP Auto-DiscoveryWinHTTP Proxy Settings
Users Don’t Read The Error Page (12210.htm, 12210r.htm)No CSS cases (yet)
Summary
Web usage increasingly provides an attack vector into the corporate networkForefront Threat Management Gateway Provides:
Intelligent protection to enable employees to use the Web safely and productivelySimplifies Web security with a single solution that integrates into your Microsoft infrastructure
Troubleshooting WPS is (now) no more difficult than any other Web request
Learn more & try our solutions at: www.microsoft.com/forefront
Related ContentSIA320 |Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint SolutionSIA301 |Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access SolutionSIA308 | Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep DiveSIA309 |Secure Endpoint: What’s in Microsoft Forefront Endpoint Protection 2010 - A Deep Dive into the Features and Protection TechnologiesSIA325 | Secure Endpoint: Virtualizing Microsoft Forefront Threat Management Gateway (TMG) SIA02-INT | Secure Endpoint: Planning DirectAccess Deployment with Microsoft Forefront Unified Access GatewaySIA07-INT | Secure Endpoint: Architecting Forefront Endpoint Protection 2010 on Microsoft System Center Configuration Manager
SIA05-HOL | Microsoft Forefront Threat Management Gateway OverviewSIA09-HOL | Secure Endpoint Solution: Business Ready Security with Microsoft Forefront and Active DirectorySIA11-HOL | Microsoft Forefront Unified Access Gateway (UAG) and Direct Access: Better Together
Red SIA-3 | Microsoft Forefront Secure Endpoint Solution
Track Resources
Learn more about our solutions:
http://www.microsoft.com/forefront
Try our products:http://www.microsoft.com/forefront/trial
Resources
www.microsoft.com/teched
Sessions On-Demand & Community Microsoft Certification & Training Resources
Resources for IT Professionals Resources for Developers
www.microsoft.com/learning
http://microsoft.com/technet http://microsoft.com/msdn
Learning
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the
North America 2011 kiosk located at registrationJoin us in Atlanta next year
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.