At my first 1-on-1 this year with Lee Nackman, the Identity and Security Division's Corporate Vice President, he asked me how something could possibly work. While on vacation on the east coast Lee had changed his password to Microsoft's corporate network using Outlook Web Access from a family computer. When he returned to his home near Redmond a week later he turned on his laptop and, since he hadn't yet been to the office, thought he would need his old (cached on the laptop) password to log in. Lee was trying to recall the old password when he discovered he was able to log in using the new password. How, he wondered, had the laptop been able to pick up the new password without having been inside the corporate network? Lee had experienced one of the benefits of DirectAccess being "always on". His Windows 7 laptop had, immediately after boot, established connectivity to the corporate network, allowing the use of the new password rather than the old cached password. Not only was Lee delighted, but security was improved by rapid invalidation of the old credentials for accessing his laptop. Lee is one of over 10,000 users inside Microsoft currently enjoying the benefits of DirectAccess deployed using Forefront UAG.
I'm another of the DirectAccess users inside of Microsoft. I used to dread receiving requests to approve expense reports and purchase orders while I was out of the office because of the time and "clunkiness" of using VPN to connect to the corporate network. I admit to it being painful enough that sometimes I made employees wait until I returned to the office to do approvals. With DirectAccess though I approve them as quickly when I'm on the road as I do when I'm in the office. I just click on the approval link in an email and am immediately launched into the appropriate intranet site. There is no need for me to explicitly go run a VPN client and wait to be connected to the corporate network just so I can access the approval site. The experience is so much better that after using DirectAccess for just a short while I knew I could never go back to using a VPN.
What I like about Lee's experience in particular is that it really helps demonstrate the core difference between DirectAccess and traditional VPNs. Where a VPN allows the creation of a temporary bridge from a PC outside of the corporate network to corporate resources, DirectAccess effectively keeps PCs that are part of your corporate network (that is, domain-joined machines) on the corporate network even when they aren't physically connected to it. From the standpoint of the administrator, you maintain control over the PC (Group Policy changes, patch management, health monitoring, etc.) anytime it is connected to the Internet anywhere in the world. From the end user standpoint, corporate resources such as SharePoint sites, intranet sites, and file shares are accessible on the road exactly as they are when sitting in the office. How often does IT have an opportunity to increase control while improving the end user's experience and productivity? These are usually positioned as conflicting goals, but with DirectAccess there is no conflict.
One thing I hope to do in this blog is show that security and identity can be business enablers, rather than a tax a business pays to protect their assets. With DirectAccess, that is easy.
Hi, my name is Hal Berenson. I'm a Distinguished Engineer in Microsoft's Identity and Security Division where I lead our central architecture team (a.k.a. "ICA Architecture"). I'm also the General Manager of the Anywhere Access Group, which creates and delivers our Forefront Unified Access Gateway and Forefront Threat Management Gateway products. Those of you who know me from the Microsoft SQL Server world won't find the idea of my being both an architect and general manager all that unusual. For everyone who doesn't know me, let's just say that I still can't decide what I want to be when I grow up.
I earned my first paycheck for writing software in 1972 and have been in the industry full-time since 1975, but I was actually born into it. My father was an IBM Systems Engineer who annoyed my mother by insisting my birth announcement go out on 80-column punch cards. He went on to become VP of IT for a Fortune 50 retailer, leading me to be exposed to computing in the Enterprise at a very early age. For my first act I wrote a program that asked the operator questions on the console of a S/360. Major panic ensued as they had never seen anything on that console other than "mount tape foo on drive 2" before. My first hack. A couple of years later I would go on to show the resident IBM systems programmer just how easy it was to break the security of the then-new TSO environment the shop had installed. At about the same time a couple of friends and I were breaking into the DEC TOPS-10 timesharing service used by our high school, and then were hired to harden it against the constant stream of attacks from clever high school students across the county. So I began my career in security, and in today's vernacular I started out as a Black Hat and moved to being a White Hat. While my career would continue to touch on security from time to time (including serving in the CISO/security engineering/security operations role for a startup) I really set my sights on displacing IBM (or, as my father put it, biting the hand that fed me) as the dominant provider of computers in the Enterprise. That led me to Digital Equipment Corporation and a career focused on Database and Transaction Processing software, a focus I continued when I joined Microsoft in 1994. At DEC I led projects such as DBMS-20 and DEC Rdb. Here at Microsoft I was a developer on Microsoft SQL Server 6.5, Product Unit Manager for SQL Server 7.0's Relational Engine, and General Manager for SQL Server 2000.
I also led Microsoft's corporate technical strategy ("Quests") and an enterprise strategy program for a few years. Along the way I've been involved in storage, office automation systems, systems management, performance analysis and other areas of computing critical to the Enterprise. Last summer I decided to return to the area where my career in computing began and joined the Identity and Security Division.
If one looks back on the SQL Server newsgroups and other forums of the late 90s and early 00s you'll find I was an active participant answering questions, explaining how SQL Server worked, and commenting on the database industry and products as a whole. If blogs had been common at the time I would have undoubtedly had an active one. Now I hope to be a very active blogger in the security and identity space. The Because It’s Everybody’s Business (BIEB) initiative's Forefront Experts blog is the perfect host since it lets me combine my passions for computing in the Enterprise with that of Identity and Security. And that is what Forefront is all about.
Hal
Many great things have happened this year with the Forefront team, so we'd like to have a quick recap in case you missed any of it. Overall, Forefront helps companies save money by improving security, increasing productivity, and reducing their costs. Below is the list of products that have been released, with a short description of what each does to help achieve these goals.
Newly Released Products in 2009:
Products which will release in 2010, but had pre-release versions in 2009:
Some Customer Highlights:
Read more Forefront customer highlights
Since I'll be coming here regularly, it seems fitting to share with you a bit about my background and what my plans are for this blog.
I've spent a long time in the security industry. In the early nineties I co-founded an endpoint-to-endpoint VPN company. CA bought it, and I stayed on as their security architect for eight years. Then I came to Microsoft two years ago, and I'm currently an architect in the Identity and Security Division. I spend most of my time thinking about our next wave of Forefront security management products, our protection technologies, and how Microsoft can do its part to help transform the security industry.
Transform's a big word. And it's not really very precise, so I need to elaborate a bit.
I believe we expect our customers to think and know too much about security. Whether our customers are consumers, information workers, IT professionals, risk officers, or security experts, we ask them to make limited-context security decisions; to understand the current threats and attacks on their identities, information, and infrastructure; to know the security ramifications of each action they take; and to use the tools we provide to build their own safe and secure environments.
Basically, the security industry builds products that work best when they are consumed by security experts. Which isn't bad, because security experts need tools to do their jobs, and because most security capabilities aren't operationalized to the point where it's easy to hand the reins over to non-experts.
But there aren't enough security experts in the world to go around. Experts are under incredibly high cost, compliance, and complexity pressures. And, frankly, most of the security experts I know wish we'd hurry up and operationalize larger chunks of security so they can enlist others to get the job done.
When we buy a car, security comes built-in. The seat belts, air bags, alarm system, even tracking systems are part of the car's infrastructure. True, there's an aftermarket for advanced security features if we want bulletproof windshields or five point harnesses, but by and large, the security we get with our cars (a) doesn't require us to be security experts, and (b) meets most of our needs.
More importantly, when we buy a car, security usually isn't top of mind. We're buying the car to be productive. Or efficient. Or maybe even noticeable. Yes, we want security baked into the car, and it's a consideration as we make our choice, but unless we're buying a presidential limo or an armored truck, it won't be the driving factor.
My own personal vision of a utopian IT world has almost no standalone security products in it. Security services come inside applications and as part of the IT dial tone, and what little is exposed is consumable by non-experts. This is the world I see when I close my eyes, sit back, and dream of how Microsoft can help make the world a safer place.
To transform the security industry, we need to do two things: operationalize more and more of security, and bake it deeper into our applications. We'll need to ship more expertise like best practices and automatic responses, and we'll need to shift the security story to one about risk management. This will be quite a challenge, and we sure don't have all the answers yet, but this is going to be the main thrust of what I'll be blogging about.
I hope that this blog turns into a dialog. Please feel free to leave comments, questions, and criticisms. Let's work together and nail this transformation!
As the Product Unit Manager, I oversaw the design, engineering and release process for the TMG release. Being a long-time security professional, I am impressed with how Forefront TMG provides value to the network security marketplace by integrating multiple web security technologies into a single, comprehensive solution. As a secure web gateway, TMG enables safer Internet access for users through comprehensive protection techniques against malware, malicious web sites and vulnerabilities.
Today's information workers, guest users and partners require web access to do their jobs, but web-based threats continue to rise. For example, the recent Microsoft Security Intelligence Report indicated that phishing rose significantly in the first half of 2009, quadrupling in May, and that social networking sites accounted for 76% of all phishing impressions. Protecting both managed and unmanaged user web access and usage is traditionally challenging for security administrators. Many solutions only offer protection for domain-joined, homogeneous desktop environments. TMG helps protect all users, whether they are managed or unmanaged and regardless of the operating system or browser they are using to access the Internet. In addition, multiple products and vendors create high costs and management difficulty through "security sprawl." TMG is designed to address both the protection and the management and cost challenges faced by enterprise IT professionals, as well as small business IT managers.
TMG is a unique release from Microsoft with a unique value proposition for both existing ISA 2006 customers and new customers looking for a secure web gateway (SWG) solution. As a SWG, TMG provides web access and protection by integrating multiple detection technologies such as URL filtering, anti-malware, and intrusion prevention into a single, easy-to-manage solution.
As part of the URL filtering solution for TMG, one of the most exciting capabilities of the solution is the integration of Microsoft Reputation Services. MRS is a cloud-based system hosted by Microsoft that maintains a centralized database of in excess of 45 million web domains and billions of web pages, aggregated from multiple sources to identify and block malicious web sites. It utilizes the same technology that helps protect Internet Explorer 8 users against malware and phishing sites. The TMG/ISA blog provides a great overview of TMG and its URL filtering capabilities.
The second advanced capability of TMG is the Microsoft anti-malware engine integration. Detecting, cleaning and/or blocking malware at the edge significantly decreases the possibility that malware, Trojans or viruses will decrease productivity of end users and create risk for the enterprise. TMG has integrated the Microsoft Anti-Malware engine to provide excellent scanning and blocking capability at the network edge to enable productivity without compromising security.
The third pillar of the new TMG solution for advanced web access and protection is the Forefront Network Inspection System (NIS). NIS is a protocol-decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and, optionally, block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities. The signatures are researched and developed by the Microsoft Malware Protection Center through the NIS Response Team, and an operational signature distribution channel delivers updated signature snapshots dynamically. The unique value proposition of NIS is how it helps close the window between vulnerability disclosure and patch deployment from weeks to a few hours: a vulnerability-based signature can block exploitation attempts at the gateway while the patch is still being rolled out. This gives IT professionals flexibility, as well as peace of mind in their environment, that may not have existed previously.
Last, but not least, TMG is built upon the proven Windows Server 2008 and Server 2008 R2 platforms as a native 64-bit application firewall, providing not only enhanced security and reliability, but a hardened platform with network protection at the edge. In addition to these defense-in-depth technologies, TMG also introduces HTTPS (SSL/TLS) inspection to enable scanning of encrypted sessions (note that this requires clients to trust the certificate authority TMG uses to re-sign the sites it inspects, since the gateway terminates the client's TLS session), easing deployment and management with a set of easy-to-use wizards and significantly improved logging and reporting. These provide full visibility into how users are accessing the web and whether those users are compliant with local security policies.
This is an exciting announcement and development for the network security community. For more details, check out my TechNet interview on TMG. Based on the overwhelming positive community response and feedback through the extensive beta cycle of TMG, I encourage the community needing a solution to help protect and enable secure web access for users to download Forefront TMG 2010 today to try it out!
David B. Cross, Product Unit Manager
If you're like most companies, you have a solution to block or log employee access to websites. You also might have some form of network intrusion detection or prevention system to help stop unwanted attacks. Additionally, your company probably relies only upon the client AV software to detect malware when someone wants to download something from the web. With the release of Forefront Threat Management Gateway (TMG) you can improve upon all of the above situations to "modernize your web security" while reducing your risk and saving money.
TMG was rightfully renamed from ISA Server because of all of the new capabilities it brings to the table in addition to the old functionality of ISA. TMG can now filter URLs utilizing a well-known reputation service, block malware that people try to download from the web over HTTP or HTTPS, and prevent zero-day attacks through its own Network Inspection System (NIS).
What are some of the key reasons why you would want to switch from your existing solution(s) and/or upgrade from ISA 2006?
Reduce your Risk
Save Money
For additional information, you can watch this video interview I had with David Cross:
Today we tend to take it for granted that somehow spam email is being blocked inside our company. You probably still get some spam messages, but to an extent your current solution seems to do its job. So, why do anything different? Here are some reasons why you might consider a change and how Forefront Protection 2010 for Exchange (FPE) helps:
Reduced Carbon Footprint – this comes from getting rid of a piece of spam as early as possible, which decreases the utilization of the machine's resources and frees it up to do other things or process more mail. This in turn might help to reduce the number of servers required in your organization. FPE has a significant enhancement over Forefront Security for Exchange and competing solutions in that it has a dynamic DNS block list (DNSBL). The block list is continually and automatically updated, which enables spam to be rejected at the start of the SMTP session, based on the sending host's address, before the message body is ever accepted. The ideal situation is to also have spam blocked in the cloud before it gets to your organization, but each step counts, even blocking spam within your organization. Microsoft's cloud spam solution is Forefront Online Protection for Exchange (FOPE), which can also work in conjunction with FPE.
Less email administrator time required – FPE has been designed with a "set it and forget it" mindset for the administrator with regard to spam. The DNSBL and Cloudmark content filtering engines are updated automatically, unlike some competing solutions.
User productivity – gains are seen when a user doesn't have to spend time deleting spam, or, hopefully not, clicking on links inside spam. FPE offers numerous features and functionality intended to remove 99% of the spam that comes into your organization.
Better security – a user who never receives spam never has the chance to click on the potentially malicious links inside it. The less spam a user gets, the smaller the chance of a security incident.
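The DNSBL check described above, as an added example that is not FPE's code: the sending host's IPv4 address is reversed octet by octet, prepended to the block list zone, and resolved; an answer inside 127.0.0.0/8 means "listed" and the gateway can refuse the session before any message data is transferred. The zone name `bl.example`, the listed addresses and the in-memory resolver are constructed so that the example runs offline; a real deployment issues live DNS queries. It also shows the caveat a practitioner wants: an answer outside 127.0.0.0/8 (the kind a dead or hijacked list returns for every name) is treated as "not listed" rather than rejecting all inbound mail.

```python
"""DNS block list (DNSBL) lookup at SMTP connection time. Added example, not
Forefront code; zone data and resolver are constructed for offline use."""
import ipaddress
from typing import Callable, Dict, Optional

# Constructed sample zone for the hypothetical block list "bl.example".
# DNSBL convention: reversed octets of the listed address, then the zone name;
# the answer is an address in 127.0.0.0/8 whose last octet encodes the reason.
SAMPLE_ZONE: Dict[str, str] = {
    "4.3.2.198.bl.example": "127.0.0.2",     # 198.2.3.4 listed: spam source
    "9.8.7.203.bl.example": "127.0.0.4",     # 203.7.8.9 listed: open relay
    "5.5.5.5.bl.example":   "203.0.113.10",  # bogus non-127 answer (hijacked list)
}


def lookup_offline(name: str) -> Optional[str]:
    """Stand-in for a DNS A query; returns None for NXDOMAIN."""
    return SAMPLE_ZONE.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 sender address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 block lists only")
    if addr.is_private:
        # Internal relays and RFC 1918 space are never meaningfully listed.
        raise ValueError("private address should not be looked up")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """True only for a 127.0.0.0/8 answer; anything else is ignored."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def smtp_connect_decision(ip: str, zone: str = "bl.example",
                          resolve: Callable[[str], Optional[str]] = lookup_offline) -> str:
    """Return the SMTP greeting or rejection the gateway sends on connect."""
    try:
        if is_listed(ip, zone, resolve):
            return f"554 5.7.1 Service unavailable; client host listed in {zone}"
    except ValueError:
        # Not a public IPv4 address: accept the session and rely on content filtering.
        pass
    return "220 mail.example.com ESMTP"


if __name__ == "__main__":
    for sender in ("198.2.3.4", "203.7.8.9", "5.5.5.5", "8.8.8.8", "10.1.1.1"):
        print(sender, "->", smtp_connect_decision(sender))
```

Rejecting at connection time is what makes the resource saving real: the 554 goes out before the DATA phase, so the body is never received, queued or scanned.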
To see what I mean about how FPE can reduce your bacon, you’ll find this towards the end of the video. View the original post for this video to get a breakdown for a list of what topics are being covered at what time.
To learn more about how FPE and Forefront Online Protection for Exchange (FOPE) work with Exchange 2010 for spam and anti-virus protection, including further stats, check out this video with PM Mike Chan.
Many organizations are faced with making decisions on how to keep their communications secure. Some of these decisions are: how do I keep from receiving spam, or how do I make sure my sensitive company information doesn't leak? Microsoft's secure messaging solution helps make these decisions easier, in large part because it brings protection capabilities from multiple products together. For instance, Active Directory Rights Management Services (AD RMS) works with Exchange 2010 and Forefront Protection 2010 for Exchange (FPE) to ensure confidential messages automatically get protected with AD RMS while potential spam and viruses are eliminated.
The following video explains more about the secure messaging solution and demonstrates the technologies.
You can download or comment on this video at: http://edge.technet.com/Media/Forefront-Secure-Messaging-screencast-and-interview/
Windows 7 and Windows Server 2008 R2 change the game with how we communicate and collaborate when travelling, working remotely or needing to collaborate from home. It changes the game through a technology known as DirectAccess. More specifically, DirectAccess is a new feature in the Windows 7 client and the Windows Server 2008 R2 operating systems that enables users to be seamlessly connected to their resources, data and applications through the Internet. DirectAccess eliminates the need for cumbersome VPN connections or software to get connected. Collaboration and communication becomes easier than ever before. You can learn more about the Windows 7 solution through an upcoming TechNet Webcast next month.
Forefront comes into play to help make this even easier and more widely deployable through the Forefront Unified Access Gateway (UAG) product, which is built on the Forefront Threat Management Gateway (TMG) platform for protection and firewall capabilities. Both products build upon the DirectAccess technology built into Windows 7 and Windows Server 2008 R2 and extend it by providing enterprise management, flexibility and transitional capabilities. In short, UAG extends DirectAccess to all servers, especially those that are still running on, or limited to, IPv4 addresses: DirectAccess clients speak IPv6, and UAG translates between them and IPv4-only resources (NAT64 and DNS64) so that intranet servers do not have to be upgraded first. This effectively provides a DirectAccess experience to legacy applications, servers and resources. Now, to provide my personal experience in using the beta internally, it changes the way I do work every day. I have the freedom to work from anywhere with my laptop and smartcard, and I can get access to data and applications within seconds. I no longer have to spend time with a VPN connection or worry about unreliable Internet links. I can feel comfortable going home or traveling on the road, as I know I will have access to the resources I need wherever I go.
Forefront and Windows have already made my interaction with colleagues and my team easier than ever before. I predict that in the not too distant future it will change the way businesses communicate and collaborate. In my mind, this is what Business Ready Security is all about: productivity without security compromises.
David B. Cross, Product Unit Manager
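The IPv4 translation UAG performs for DirectAccess, shown as an added example rather than UAG's own code. DNS64 answers a client's AAAA query for an IPv4-only host by embedding the host's A record in the low 32 bits of a /96 NAT64 prefix; NAT64 later recovers the IPv4 destination from that synthesized address. The prefix used here (the RFC 6052 well-known prefix 64:ff9b::/96) and the intranet zone contents are assumptions for the example; a UAG deployment uses its own configured prefix.

```python
"""DNS64 synthesis and NAT64 extraction for a /96 prefix. Added example, not
UAG code; prefix and sample zone are assumptions constructed for offline use."""
import ipaddress
from typing import Dict, List, Optional

# Assumed NAT64 prefix; any /96 the gateway advertises works the same way.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Constructed sample intranet zone: one dual-stack host, one IPv4-only host.
SAMPLE_DNS: Dict[str, Dict[str, List[str]]] = {
    "fs1.corp.example":    {"AAAA": ["2001:db8:1::10"], "A": ["10.0.0.10"]},
    "legacy.corp.example": {"AAAA": [],                 "A": ["10.0.0.20"]},
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """NAT64 direction: recover the IPv4 destination, or None if native IPv6."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_resolve(name: str, zone: Dict[str, Dict[str, List[str]]] = SAMPLE_DNS,
                  prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> List[ipaddress.IPv6Address]:
    """AAAA answers handed to an IPv6-only DirectAccess client.

    A native AAAA record is returned unchanged; only hosts with no AAAA get a
    synthesized address, so dual-stack servers are never forced through NAT64.
    """
    rr = zone.get(name)
    if rr is None:
        return []
    if rr["AAAA"]:
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in rr["A"]]


if __name__ == "__main__":
    for host in SAMPLE_DNS:
        answers = dns64_resolve(host)
        print(host, "->", [str(a) for a in answers],
              "NAT64 target:", [extract_ipv4(str(a)) for a in answers])
```

The practical check this gives an administrator: if a client resolves an intranet name to an address inside the gateway's NAT64 prefix, that server is IPv4-only and its traffic is being translated at UAG rather than routed end to end over IPv6.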
DirectAccess (DA) is a game-changing technology for remote access in your company, removing the need for a VPN altogether. Within Microsoft, we've seen great productivity benefits for end users. We surveyed users from our DA pilot and over 87% saw instant productivity gains, overall resulting in a net benefit of roughly one hour each day per user. Furthermore, Microsoft operations is saving costs through things such as not having to convert Internet-connected sites to dedicated lines. For more information on the business value of DA and Microsoft's implementation, watch the DirectAccess MSIT video.
Ok, you know you want to implement the DA functionality which comes with Windows Server 2008 R2 and Windows 7 - but now why would you want to have Unified Access Gateway (UAG) along with it?
As discussed in the video below, here are some of the key reasons you would want to run UAG with DA:
To hear more about the business value for UAG with DA and to learn the technical information behind how DA and UAG work, watch this video:
You can also see the breakdown of what is played when by going to the original post on TechNet Edge.