We’re gaining our Identity at Forefront: introducing the Identity & Security Division
19 June 08 07:03 PM | David Burt | 0 Comments   

We've just had a reorganization in  Microsoft's Server & Tools Business (STB) that combines the engineering and marketing of the Identity team with the Security products team to form the new Identity & Security Division.  We've got a lot of cool products under our new umbrella, including:

  • Identity: Identity Lifecycle Manager (beta), Active Directory, Rights Management Services (RMS), Active Directory Federation Services (ADFS), Windows CardSpace
  • Security: Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint, Forefront Security for Office Communications Server (beta), Forefront Server Security Management Console, Internet Security & Acceleration Server, Intelligent Application Gateway, Forefront Codenamed "Stirling" (beta)

Microsoft is combining the two groups because of the increasing overlap and dependencies of identity and security in a changing IT environment where establishing and securing identity is crucial to securing appropriate access, protecting information, and securing vital resources.

Doug Leland will become the General Manager of the new Identity & Security Division business and marketing group.  Ryan Hamlin, General Manager, heads the overall product development efforts.  The division includes the Forefront portfolio of products, Identity Lifecycle Manager, Rights Management Services, Active Directory, Federated Identity and Windows CardSpace. These changes take effect on July 1, 2008.

More to come in the future...

Forefront Client Security Will Offer Broad Support for Windows Server 2008, Including Hyper-V, NAP, and Server Core
10 June 08 01:29 PM | David Burt | 5 Comments   
  Today at the Tech Ed IT Professional Conference, we announced that Forefront Client Security will offer an array of support for Windows Server 2008.  The FCS agent can now provide support for Windows Server, including Server Core, and native integration for Network Access Protection.  A new NAP-FCS integration kit is now available for download here. FCS will also provide support for Hyper-V upon its release. 
  • FCS Virtualization Security
    Microsoft will provide support for virtualization with the Forefront line of security products, which includes Forefront Client Security support for Hyper-V upon its release. The FCS agent will be installable on Windows Server 2008 host and virtualized operating systems to protect against malicious threats. The FCS Management Server roles can also be installed on Hyper-V virtualized machines to consolidate management server roles.

    And there's more to come. Forefront "Stirling" protection technologies will share and use security information to dynamically respond to threats across physical or virtual environments. For example, if a user's virtual machine is offline and it's brought back online, Stirling will be able to identify that it is out of compliance and automatically trigger remediation. "Stirling" is targeted for release to market in the first half of 2009.

  • NAP-FCS integration Kit
    It's finally here. The NAP-FCS Integration Kit provides customers with health policy enforcement for Forefront Client Security. The kit includes a System Health Agent (SHA) and System Health Validator (SHV) which are key services used to enforce a health policy. In addition to the SHA and SHV, this free kit provides tested guidance to quickly and easily integrate NAP and FCS. The kit will help strengthen defenses against malware by providing a means to enforce a health policy that requires FCS to be installed, functioning, and up-to-date. If this health standard is not met, NAP can deny access to network resources until FCS is updated, remediation occurs, and the client is returned to a healthy state. Get it here now!

  • Windows Server Support
    Starting now, Forefront Client Security Agent as well as the Forefront Client Security Management Console will both support Windows Server 2008. The FCS agent also protects Windows Server Core, as well as supporting Microsoft Cluster Services. Customers can install the FCS agent to protect operating systems that are running Microsoft Cluster Services.

Want more detail?  Visit the Forefront Client Security Blog

Forefront Security for Office Communication Server Beta Now Available
10 June 08 01:25 PM | David Burt | 0 Comments   

Today at the Tech Ed IT Professional Conference, Microsoft announced the availability of the first public beta of Forefront Security for Office Communications Server, the latest addition to the Forefront line of enterprise security products.  Forefront Security for Office Communications Server provides anti-malware scanning, keyword filtering, and file blocking for Office Communications Server 2007, and will be generally available in the second half of 2008.

You can download the beta here.

Forefront Security for Office Communications Server has some nice features, including:

  • Multiple anti-malware scanning engines provide better protection: Microsoft Forefront Security for Office Communications Server provides enhanced protection against IM-based malware by including multiple scanning engines from industry-leading security partners. As tests we published on this blog last year showed, multiple scanning engines increase the chances that emerging threats will be quickly caught.

  • Keyword filtering and file blocking reduce liability: Microsoft Forefront Security for Office Communications Server helps reduce corporate liability by blocking IM messaging containing inappropriate content, while file and keyword filtering technologies prevent the sharing of out-of-policy files, unauthorized corporate confidential information or offensive language in IM conversations.

  • Integration with Office Communications Server: Forefront Security for Office Communications Server protections are integrated with Microsoft Office Communications Server to provide high performance malware scanning optimized for enterprise instant messaging environments. Forefront Security for Office Communications Server includes automated signature updating, IM notification alerts, and built-in management controls to simplify administration.

  • Integration with multiple server roles: Forefront Security for Office Communications Server integrates with the Access Edge, Director and Front End server roles in Office Communications Server 2007 Enterprise Edition, as well as the Office Communications Server Standard Edition Server role.

  • Provides protection for federated connections and public IM users: By integrating with Office Communications Server Access Edge, Forefront Security for Office Communications Server ensures that all external communications - including those to and from external public IM clients or federated networks - are secure.

  • Localization: Forefront Security for Office Communications Server will be localized into eleven languages.
Prism Consulting Analysis: Forefront Client Security has Lower TCO than Competitors
09 June 08 04:25 PM | David Burt | 0 Comments   

Prism Consulting has released a new Total Cost of Ownership (TCO) analysis of desktop anti-malware.  The summary of the 21-page report states:

Value Prism Consulting, a management consulting and financial analysis firm, conducted a survey, measuring TCO changes with eight organizations that switched to Forefront Client Security.  Survey participants estimated an average of $24.00 in savings per desktop based on reduced IT security response time. Although not quantified, significant end-user productivity gains have also been realized by several organizations. Overall, participants experienced 85% fewer security issues after installing the solution. Several of the participating organizations encountered significant IT administration benefits of an additional $7.50 per desktop.  In addition, participants expect significant benefits from Forefront Client Security's unique reporting and control features. Initial investment costs for the companies averaged $16.50 per desktop. These Forefront Client Security deployment costs included deployment effort as well as additional software and hardware costs incurred.

Enterprise users interviewed for the report cited FCS's superior protection as a key reason for the improved TCO:

"We were not well-protected against spyware or malware," said Markus Kleinen, Managing Director at Konnex.  Performance problems were another issue. "The [previous] solution took a lot of time to scan computers, which slowed things down for employees."

Forefront Client Security provides an integrated solution. "As a financial institution, we have a need for machines to be 'well protected' for our own business, as well as for government compliance," said Ken Ong Kok Keng, System Engineer at PhillipCapital, a financial services firm in Singapore. "Forefront Client Security will help protect our desktop PCs from viruses and spyware."  

Companies interviewed experienced significant cost savings in security response management - based on both reduced issues and reduced cost handling for each issue. Right away, customers started seeing improved security - several participants commented on the number of issues undetected by the previous security software that were identified during the first Forefront Client Security scan.

Download the whole report here.

TechNet Radio Podcast on Stirling
03 June 08 10:27 PM | David Burt | 1 Comments   

 

Microsoft Forefront Codename "Stirling" Overview (Part 1 of 2)

Microsoft Forefront codename "Stirling" is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging, and collaboration applications. It also provides the network edge that is easier to manage and control. By delivering simplified management and providing critical visibility into threats, vulnerabilities, and configuration risks, "Stirling" helps you reduce costs and achieve greater insight into your enterprise security state. Attend this session to get an overview of this new security system from Microsoft.

Length: 0:19:24

New Report from the USDOJ: Data Breaches: What the Underground World of “Carding” Reveals
03 June 08 05:08 PM | David Burt | 0 Comments   

There is a fascinating 33-page paper on the underground economy of stolen data by Kimberly Kiefer Peretti of the  U.S. Department of Justice, Computer Crime and Intellectual Property Section.  The report explores the practice of "carding" - how credit card data is stolen and sold through a global network of criminals using online forums:

This article first provides a brief background on large scale data breaches and the criminal "carding" organizations that are responsible for exploiting the stolen data. Second, the article provides an in-depth examination of the process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit financial fraud in the underground carding world. Third, this article discusses how carding activity is linked to other crimes, including terrorism and potentially drug trafficking. Fourth, this article outlines several recent investigations and prosecutions of carding organizations and the individual carders themselves. Fifth, this article examines the responses by the credit card industry and state legislatures to the recent increase in reported data breaches. Finally, this article outlines several recommendations to enhance the government's ability to continue to successfully prosecute carders and carding organizations.

The full paper is here.

Announcing ISA Server 2006 Service Pack 1 New Features
27 May 08 08:35 PM | David Burt | 0 Comments   

This summer, we will be releasing Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack (SP) 1.    This Service Pack introduces new features and improved functionality for ISA Server 2006 Enterprise and Standard Editions. The new features focus primarily on enhanced troubleshooting mechanisms designed to help you identify and resolve ISA Server configuration issues.  

 ISA Server 2006 SP1 includes the following new features:

  • Configuration Change Tracking - logs all configuration changes applied to ISA Server configuration to help you backtrack through your change history.
  • Web Publishing Rule Test Button - helps you verify that the rule configuration agrees with what is set at the published web server and provides specific suggestions when they disagree.
  • Traffic Simulator - simulates network traffic as it would be seen by the ISA rules engine and gives you specific information about traffic processing along the way.
  • Diagnostic Logging Query - an extension to the Diagnostic Logging feature provided in the Supportability Pack, this feature makes it much easier to see only the data that is relevant to the current troubleshooting effort.
  • Support for Network Load Balancing (NLB) multicast and multicast with IGMP operations.
  • Support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers.
  • Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts.

There's lots more detail here, including screenshots:

A Look at Threat Management Gateway
27 May 08 05:41 PM | David Burt | 2 Comments   

Microsoft support engineer Yuri Diogenes really digs into the Threat Management Gateway (TMG) beta.  TMG is the next version of ISA Server that will be released with Stirling:

There are many things that you will notice and see that it is different from ISA Server 2006. As far as installation is concerned, there are some things that you need to remember:

  • IIS will be installed: that’s correct; IIS now will be installed by TMG. You might be thinking: “I remember that we have issues with IIS and ISA in the same box…”.  You are right for ISA Server, but for TMG we need IIS because TMG needs SQL Reporting Services 2005 and SQL Reporting Services 2005 needs IIS. It is important to emphasize that IIS is not removed if you uninstall TMG.

  • 64-bit system: although the final version of TMG requires a 64-bit processor and Windows Server 2008 64-bit, this beta version can be installed in a 32-bit system with Windows Server 2008.

  • WEBS: the TMG beta version that we have available for download will be part of the Windows Essential Business Server. TMG will be available through WEBS Standard and Premium Edition.

There's lots more, including a bunch of screen shots here.

New Citrix Branch Repeater Uses ISA Server
21 May 08 07:43 PM | David Burt | 0 Comments   

Citrix has announced the availability of the new Citrix Branch Repeater, an "all-in-one" device for delivering applications to branch offices.   The Citrix Branch Repeater was developed jointly with Microsoft, and  uses Microsoft ISA Server 2006 Web caching to accelerate delivery of web content to the branch.  ISA Server 2006  helps branch office users easily and securely access the Internet or corporate-based resources. More on ISA's use in the new Citrix Branch Repeater on  Thomas Shinder's ISAServer.org blog here.

Internet Security & Acceleration (ISA) Server,  first launched in 1997 as the Microsoft Proxy Server, is a very versatile product with a great many uses, including as a VPN, a Firewall, a URL filtering proxy, and with Citrix, a Web caching device.   In addition to Citrix, ISA has a rich partner ecosystem that includes providers of URL filters, Anti-Virus, Reporting, User Authentication, and more on our partner page here.

Stirling blog posts new Stirling resources
19 May 08 11:55 PM | David Burt | 2 Comments   

Microsoft Forefront code-named "Stirling" is our new integrated security solution.  We launched the first beta at RSA last month, and now there is a new Stirling team blog.  The Stirling team has released these new resources:

Greetings from Redmond!

Now that Stirling's been out for a while, it's time to make sure you know the resources available to you when testing Stirling in your lab environment.

TechNet: Stirling information can be accessed from the Stirling TechNet Web site.

Deployment: The Stirling Deployment Guide steps you through installing Stirling and deploying the Stirling client software to the client computers in your lab environment.

Operations: The Stirling Operations Guide has documentation on day-to-day management tasks, as well as feature walkthroughs that you can use in your lab to explore the Stirling features. 

Stirling and PowerShell: Stirling utilizes PowerShell for its features, and the cmdlets available with Beta 1 are documented in the PowerShell console and on TechNet. Also - a brief introduction on how Stirling uses PowerShell is included in the Operations guide.

Newsgroups: You can post questions and get more information about Stirling on the Stirling TechNet Community Forums.

Can't emphasize this last one enough - let us know your questions, and what you think!

Thanks!

Moderate Vulnerability Microsoft Malware Protection Engine Could Allow Denial of Service (952044)
14 May 08 05:00 PM | David Burt | 1 Comments   

Yesterday's patches addressed a vulnerability in the Microsoft Malware Protection Engine, which is used by Forefront Client Security, Forefront Security for Exchange Server, and Forefront Security for SharePoint.  We recommend our customers immediately ensure that they have the latest Microsoft Malware Protection Engine update. The affected software provides built-in mechanisms for the automatic detection and deployment of this update.

More details on TechNet:

This security update resolves two privately reported vulnerabilities in the Microsoft Malware Protection Engine. An attacker could exploit either of the vulnerabilities by constructing a specially crafted file that could allow denial of service when received by the target computer system and scanned by the Microsoft Malware Protection Engine. An attacker who successfully exploited either vulnerability could cause the Microsoft Malware Protection Engine to stop responding and automatically restart.

The Microsoft Malware Protection Engine is a part of several Microsoft products. Depending upon which product is installed, this security update has different severity ratings. This security update is rated Moderate for Windows Live OneCare, Microsoft Antigen for Exchange, Microsoft Antigen for SMTP Gateway, Microsoft Windows Defender, Microsoft Forefront Client Security, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint. This security update is rated Low for Standalone System Sweeper located in Diagnostics and Recovery Toolset 6. For more information, see the subsection, Affected and Non-Affected Software, in this section.  The security update addresses the vulnerability by modifying the way that the Malware Protection Engine processes files. For more information about this vulnerability, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information.

Forefront Client Security takes Silver medal for eWeek Endpoint Product of the Year
13 May 08 05:09 PM | David Burt | 0 Comments   
Forefront Client Security was released just under a year ago, but we continue to get serious recognition for the quality of our product.  We're thrilled to win the silver this year from eWeek  -- next year we want gold.
Gadgetell likes our ads
08 May 08 09:29 PM | David Burt | 0 Comments   

From the popular Gadgetell website:

Microsoft Forefront brings some humor to security

by JG Mason on May 6, 2008 at 01:53 AM

If you like the color orange and like to see IT geeks beating up on zombies, secret agents, ninjas and aliens, head on over to the Forefront site.  There you’ll find a free public beta download of the integrated security software that was released quietly last month.

Code-named “Stirling”, this public beta secures clients, server and networks.  “Our goal with Stirling is an integrated client, server and network edge, all managed through a simple intuitive console,” said Ryan Hamlin, GM of Microsoft’s Access and Security Division.

Microsoft touts the beta as comprehensive, integrated and simplified.  The site works hard to demonstrate “normal” IT employees defending their systems.  Kinda cute and clever; with funky music to boot.

Microsoft expects the full bells and whistles version to be released in the first half of next year.

Microsoft announces its next-generation secure remote access solution, the Forefront Unified Access Gateway
29 April 08 10:04 PM | David Burt | 2 Comments   

LAS VEGAS, Nevada - April 29, 2008 - At the Interop conference today, Microsoft announced its next-generation secure remote access gateway product, Forefront Unified Access Gateway (UAG), available in the first half of 2009. Forefront Unified Access Gateway is the evolution of Microsoft's current solution, Intelligent Application Gateway (IAG 2007), and moves the successful product under the Forefront brand.  UAG will bring new features and functionality to make remote access easier than ever for all users and IT professionals.

In addition to investing strongly in its next-generation solutions, Microsoft is continuing to provide increased customer value with the products in the market today by launching an updated SharePoint Optimizer, providing enhanced functionality and manageability for secure remote access to SharePoint by all mobile users.

Built on Windows Server 2008, UAG is designed to offer one solution to fit all remote access needs through centralized management and policy control across all users, devices, and network resources.  More details about the features in Forefront UAG will be available with a public beta scheduled for later this calendar year.  Microsoft will provide an easy product and licensing upgrade path to Forefront UAG for IAG 2007 customers and for customers using ISA 2006 for remote access, and IAG customers that have or buy Microsoft Software Assurance can be confident of receiving strong value with Forefront UAG.

Forefront UAG will add further features to a comprehensive end point security assessment and cache cleanup, which is tailored to the specific application and access environment.  Tightly integrated with Microsoft Network Access Protection, this ensures only secure devices and authenticated users can access network resources and that no data is compromised during or after the sessions.

 Forefront UAG adds more ease of use with wizard driven configuration, easy to use policies and highly intuitive user experience.  This solution ensures a fast and easy deployment allowing employees, partners and vendors simple and secure access, via customized and dynamic user portals.  Ongoing management and control is simplified via updates to application and endpoint policies.

The IAG pioneered the concept of Application Intelligence, or the ability to control what resources are presented to the user, and transparently enforcing policies based on a deep understanding of how an application functions.  Forefront UAG builds on the current competitive differentiation around application intelligence, with broad application support for Microsoft and third party applications, granular access controls, and customizable application protection through Application Optimizers.

Microsoft's latest Application Optimizer is an updated SharePoint Optimizer for the IAG 2007, providing enhanced functionality and performance for remote access to SharePoint by all mobile users.  The updated IAG 2007 SharePoint Optimizer leverages SharePoint Alternate Access Mapping (AAM) to provide an easier, more secure and productive user experience when accessing SharePoint remotely.

With this new Optimizer, IAG provides more seamless access to the complete functionality of SharePoint, including Explorer View, Datasheet View, integrating InfoPath forms and access to multiple office documents from multiple server locations, without the overhead and security risks associated with tunneling and application rewriting.

Microsoft's IAG 2007 already provides the easiest to use and manage remote access to SharePoint today, as it is the only complete remote access solution to integrate its user experience into SharePoint, allowing organizations to keep a simple, one-portal, user experience for employees accessing applications internally or externally. The IAG 2007 SharePoint Optimizer will be available for download in May.

Latest Security Intelligence Report: Trojan War Heating Up
23 April 08 11:40 PM | David Burt | 0 Comments   

 

Our Microsoft Malware Protection Center (MMPC) has just released the latest Security Intelligence Report for July through December.  The report has a number of interesting findings, but the most eye-popping is a 300 percent increase in Trojans, using our enormous sample size of 450 million computers:

During the second half of 2007 there was a 300% increase in the number of Trojan downloaders and droppers detected and removed. The increase observed in 2H07 is vastly larger than the already large increase observed between 2H06 and 1H07. Clearly this category of malware has become a tool of choice for some attackers. IT Professionals and Security Professionals alike should become familiar with this type of malware so that they can better protect their networks from attacks that leverage it.

We're sure glad we have some of the best anti-malware researchers in the world building our anti-malware engine for Forefront Client Security.
