The Forefront Client Security Team writes:
Today we published another Security State Assessment (SSA) definition update on Microsoft Update!
Included in this release is a new check that will provide visibility into end-user configuration of the Windows Firewall. When used with Group Policy, this new functionality aids in firewall management.
The Windows Firewall check reports on:
· Firewall status (on/off)
· User-defined exceptions
· Applicability to each network interface
Determining firewall status:
· If Windows Firewall is disabled on any network interface, the score is “High”
· If Windows Firewall is configured by Group Policy, the score is “Informational”
Visibility into firewall exceptions:
· Enumerates each port and application exception
· For any exception not configured via Group Policy, the score is “Medium”
· If configured by Group Policy, the score is “Informational”
For those of you who read my standalone blog, you already know that I'm a huge fan of the Windows Firewall with Advanced Security.
You can do a bunch with this firewall functionality, including some hugely intelligent authenticating firewall rules.
That is, you can not only create your traditional inbound and outbound allow or block filters. You also have the ability to create "Allow if secure" rules that combine IPsec authentication (known as Connection Security in the Windows Firewall) with inbound filters.
This gives you the ability to let traffic through, say to your critical business server, only if the connecting host and/or the user on that host can be successfully authenticated at the network layer via IPsec.
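Here is what that "Allow if secure" pattern looks like when set up from the command line with netsh advfirewall (an added example, not from the original post or the guide it links): a Connection Security rule that requires IPsec authentication inbound, plus an inbound firewall rule that only allows the port when that authentication succeeded. The rule names, the choice of TCP 445 and the domain profile are assumptions for the example; it assumes an elevated prompt on a domain-joined Windows Vista or Server 2008 host where Kerberos is available.

```powershell
# Added example, not part of the original post. Rule names and port 445 are
# placeholders chosen for illustration; run elevated on a domain-joined host.

# 1. Connection Security rule: require IPsec authentication for inbound
#    connections and request it for outbound ones. auth1 authenticates the
#    computer and auth2 the user, both via Kerberos, at the network layer.
netsh advfirewall consec add rule name=FCS-RequireIPsec-Inbound `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb auth2=userkerb `
    profile=domain

# 2. Inbound firewall rule: allow TCP 445 only on connections protected by
#    the rule above. security=authenticate is the netsh spelling of the
#    "Allow only secure connections" option; peers that do not authenticate
#    never match this rule and are dropped by the default inbound block.
netsh advfirewall firewall add rule name=FCS-SMB-AllowIfSecure `
    dir=in action=allow protocol=TCP localport=445 `
    security=authenticate profile=domain

# 3. Check that both rules exist and are enabled before relying on them.
netsh advfirewall consec show rule name=FCS-RequireIPsec-Inbound
netsh advfirewall firewall show rule name=FCS-SMB-AllowIfSecure verbose
```

Pairing the two rules is the point: the firewall rule alone would allow anyone, and the Connection Security rule alone authenticates but does not decide what is allowed.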
I demonstrated how this works with Network Access Protection (aka NAP) and Forefront Client Security at my "Enabling Policy-Driven Network Access" session at TechEd SEA this last September.
Now, thanks to the great work from our buds over in the Windows Server User Assistance team, we've got even more stuff to help you get the most out of this neat Windows Server 2008 (and Windows Vista) technology:
Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security
Check this stuff out!
Really...I mean it...it's worth the read.
When used in combination with FCS, the Windows Firewall really enables you to implement a powerful, proactive defense-in-depth approach, i.e. NAP + Windows Firewall with Advanced Security + FCS.
Nice review at InfoWorld of our IAG SSL VPN appliance. Here’s the summary:
Microsoft Internet Application Gateway 2007
Microsoft's IAG 2007 is a full-featured SSL VPN solution available only as part of an OEM/appliance bundle. IAG sits on top of Microsoft ISA Server, providing multiple layers of security. The end point inspection is close to perfect, but only if you run Windows and Internet Explorer. IAG's policy engine is very robust and includes a wide range of predefined applications to make policy definition easier. >> Full review
Want to evaluate the IAG, but don’t want to order an appliance? Check out the Forefront Edge Security and Access Demonstration Toolkit
This demonstration toolkit comprises virtual machine-based demonstrations of ISA Server 2006 and IAG 2007. The virtual machines and the accompanying demonstration script show how ISA Server 2006 and IAG 2007 work with Windows Server 2003 R2, Microsoft Exchange Server, Windows SharePoint Services, Windows Rights Management Services, Terminal Services, and also Dynamics CRM 3.0 to address customer needs in different scenarios.
The Forefront Client Security team writes:
While you’ve always had the ability to use MOM 2005 to monitor things like IIS and SQL for your Client Security servers, this management pack gives you the additional ability to monitor some key FCS services:
· Definition Import Failure
· Microsoft Client Security Update Assistant service—That’s the service that allows WSUS 2.0 to be configured to receive updates every hour rather than just once a day. For those of you running WSUS 2.0, you’ll be glad to have the ability to monitor this!
· Forefront Client Security Management service—This service is important because it parses antimalware definitions and adds the information to the collection database table fcs_Threat_Metadata_tbl. And that table is not only read by the management console when you set overrides based on threat, it’s also used by FCS reporting for information about specific threats.
There's more on the FCS blog...
It's my turn to throw my hat into the Forefront Team Blog ring!
Okay...I'm not 100% sure what that means.
My name is Ian Hameroff, and I'm one of the many bloggers you'll see up here on the Forefront blog-o-rama. If that's not a stellar enough intro, check out this video we filmed last week at Microsoft's illustrious studio - Conference Room 27/1545 (please note: this "studio" is not affiliated with the really cool Microsoft Studios in building 127):
So, if you've stuck with me this far, thanks!
Let's get to the reason for my post: the upcoming birthday for Windows Networking.
Fifteen years ago this Saturday, on October 27, 1992, Microsoft shipped Windows for Workgroups (aka WfW for those who had dial-up Internet access back in the day that charged by the character) v3.1.
One of the major selling points of this release/update was the inclusion of "built in networking functionality" that would help make sharing files, sending electronic mails and "surfing" those Gopher sites -- that is, if you installed that pesky TCP/IP update -- that much easier.
Granted, these networking features were basically NetBIOS, but that didn't stop us from saying proudly on the product box: "Windows for Workgroups: Operating System with Integrated Networking."
While WfW Networking was still a leap forward, you'd have to wait until Windows 95 to get the complete "Internets" ready experience out of the box with Windows.
So, what the devil does this have to do with Forefront or security, Hameroff?
Clearly, integrated networking (or at the very least the more seamless integration of networking as with WfW 3.1) changed the rules of the game for Windows users. While it opened up new opportunities for collaboration and communication, it also introduced the newly connected world to the potential risks of malicious abuse.
Over these 15 years, we (the industry, not just Microsoft) have learned a ton about how to balance greater access with increased security. This sometimes paradoxical acrobatic act of striking that balance is something I've spoken on for a bunch of years (both at events -- like TechEd -- and on my blog: http://blogs.technet.com/ianhamer), and I'm excited about the fact that we're getting closer to another Windows networking birthday which will help us inch closer to the realization of the promise of policy-driven network access.
For me, that's all about the upcoming release of Windows Server 2008 and the Network Access Protection features found within.
NAP enables IT administrators to set policies that determine the minimum requirements for gaining network access to the corporate network - like making sure that Forefront Client Security is both enabled and up to date.
You can check out a killer demo of this in action (okay, get ready to watch this shameless plug, but bear with me) with FCS from my demo in BillG's recent keynote address at WinHEC 2007.
An absolutely shameless plug.
As you'll see in the demo, or if you've already played with the technology in Beta or RC, the ability to set, validate and enforce access policies based on the health of the connecting client helps further reduce the risk of malicious abuse of networked resources. I like to think of NAP as a catalyst for getting even more value out of the investments you've made in your security controls, because it helps make sure they are used properly by your end-users, with the reward of network access for those "up to snuff." This is a platform that will work closely with the Forefront product line -- even more so with the release of "Stirling" -- but also with the wide range of eco-system partners that have signed up to plug into our NAP platform.
So, if you're thinking about one of the Forefront products for your environment, or already have some of this stuff in place, I encourage you to check out the added value NAP can bring to these investments.
Also, don't forget to send Windows networking your birthday wishes this Saturday!