Forefront Team Blog : ID and Security Partners

Microsoft to acquire Sentillion for improved healthcare through streamlined identity and access

Forefront Blogger — Thu, 10 Dec 2009 17:20:00 GMT

Today Microsoft's Health Solutions Group announced the acquisition of Sentillion, a company based in Andover, MA which provides healthcare industry solutions for context management, user provisioning and single sign-on (SSO).

The primary goal of the acquisition is to make it easier for healthcare professionals to deliver better patient care by streamlining access to multiple IT applications and patient data. By combining Sentillion’s technologies with Microsoft Amalga UIS, Microsoft aims to give clinicians new insight about patients in real time and enable them to perform the appropriate task with unprecedented speed.

This ties to our efforts in identity & access management - part of the Business Ready Security strategy - to deliver capabilities in the Active Directory platform, and through next-generation products, such as the Microsoft Forefront Identity Manager 2010.

The acquisition brings complementary assets to Microsoft in the areas of single sign-on (SSO), user provisioning and context management that are focused on the healthcare industry. As we integrate Sentillion into Microsoft in the coming months, we will further explore synergies with Microsoft’s identity and access management solutions, such as our Forefront products.

Dark Reading, customers and analysts on TMG

Forefront Blogger — Mon, 07 Dec 2009 21:17:00 GMT

Leading security news site Dark Reading reports on the release of Forefront Threat Management Gateway - including some insightful quotes:

Analyst Rob Enderle: "By focusing on the employee, Microsoft is beginning to address what I believe are some of the most vulnerable parts of the current enterprise. With this, Microsoft is beginning to transition from a company trying to catch up to the market to one that is trying to lead it."

Analyst Chenxi Wang, principal analyst for security and risk management at Forrester. "This is a major step up from what ISA could do in securing Web access. If Microsoft wants to play more in the enterprise security game, it needs to add more functionality to it, and they did in this release."

Customer George Podolak of Architectural firm Pei Cobb Freed & Partners, a TMG customer, uses the gateway to protect both its end users and the business from malware when its users visit social networking or other sites. "I'm not against Facebook [and we allow our users to access it], but when you're using it, we don't want you to wander off to a malware site."

David Cross on TMG

Forefront Blogger — Fri, 04 Dec 2009 18:51:00 GMT

For more about Forefront Threat Management Gateway 2010, check out David Cross' blog on the Microsoft Because It's Everybody's Business site. As product unit manager, David oversaw the development and release of TMG. He discussed the solution in-depth in a TechNet Edge video here, too.

And there's a good Edge video here about migrating from ISA 2006 to TMG.

New Forefront enterprise security solutions for safe, productive web surfing and remote access

Forefront Blogger — Thu, 03 Dec 2009 09:00:00 GMT

Following the last month’s launch of Forefront Protection for Exchange, today we are announcing more progress for our Business Ready Security strategy with the release of two new solutions: Forefront Threat Management Gateway 2010 (TMG) and Forefront Unified Access Gateway 2010 (UAG.)

These solutions address two key endpoint security challenges. TMG, available for evaluation and purchase now, helps companies provide safe employee web browsing. UAG, which will release to manufacturing in mid December and be generally available shortly thereafter, enables organizations to give employees (and trusted partners and vendors) secure remote access to corporate resources.

Forefront Threat Management Gateway 2010

Today’s information workers require web access to do their jobs, but web-based threats continue to rise. For example, the recent Microsoft Security Intelligence Report indicated that phishing rose significantly in the first half of 2009, quadrupling in May, and that social networking sites accounted for 76% of all phishing impressions. Securing web use is traditionally challenging for security administrators. Multiple products and vendors create high costs and management difficulty through “security sprawl.”

TMG is a secure web gateway that enables safe employee web use through comprehensive protection against malware, malicious web sites and vulnerabilities. Building on its predecessor, ISA Server 2006, TMG provides new URL filtering, anti-malware, and intrusion-prevention technologies to protect businesses against the latest web-based threats. These technologies are integrated with core network protection features such as firewall and VPN to create a unified, easy-to-manage gateway.

One of the most exciting features of TMG is its use of Microsoft Reputation Services – a new cloud-based system hosted by Microsoft which maintains a centralized database of 45 million (and growing!) web domains and billions of web pages to help customers identify and block malicious web sites. It pulls data from multiple sources, such as Hotmail, the same technology that powers SmartScreen in Internet Explorer 8, the Windows Live Security Platform, and more than 10 partners, such as Brightcloud, M8e6 and FutureSoft. The TMG/ISA blog provides a great overview of TMG and its URL filtering capabilities.

Forefront Unified Access Gateway 2010

Building on its predecessor, Intelligent Application Gateway, UAG enables remote access via managed and unmanaged PCs and mobile devices. Integrating a deep understanding of applications, the health state of end user devices, and the user’s identity – UAG enforces granular access controls, ensures security, and reduces management costs and complexity.

While UAG provides a variety of connectivity options such web publishing and SSL VPN tunnels, one of the best new features is UAG’s support and enhancements for Windows DirectAccess (DA). DA is the future of remote access allowing for seamless, always-on connectivity. Always-on keeps users happy as they are continually productive, but it also keeps administrators content as users are “always-managed.” UAG helps make DA deployments simpler, more extensible and easier to scale.

New release of Forefront Online Protection for Exchange

Forefront Blogger — Fri, 20 Nov 2009 19:46:00 GMT

This week we released an update to Forefront Online Protection for Exchange (FOPE) - our hosted service providing anti-malware and anti-spam for both on-premises Exchange and Exchange Online. FOPE can be used as an alternative to the new Forefront Protection 2010 for Exchange Server, or in tandem with it for messaging defense-in-depth.

The new release of Forefront Online Protection for Exchange offers enhanced policy control capabilities (such as enhanced regular expressions support, custom dictionaries) for IT admins to more effectively adhere to compliance needs. In addition, it supports advanced globalization/localization by supporting 13 languages in the Admin Console, in documentation and via telephone support. These enhancements were a direct result of feedback from Forefront Online Protection for Exchange customers, who expressed a need for more options when they created custom company policy rules for filtering, and more flexibility to manage these rules.

Additional enhancements with the new release:

· Policy rule syntax options: The new release provides the option to use either a basic syntax, which is a mixture of comma-separated values (CSV) and simple string-wildcard syntax or Regular Expressions.

· New Policy Rules e-mail header match option: FOPE now allows you to match e-mails based on e-mail header name and value.

· More flexibility for outbound forced TLS rules: The Policy Rules editor now offers a check box to enable Opportunistic TLS for recipients not specifically identified by the policy rule. Custom policy rules filters now feature the following enhancements:

The ability to upload dictionaries of custom-created lists or content for use in policy rules

The ability to apply the dictionaries across multiple rules and domains

Available now: Windows Identity Foundation for building more secure, simplified access to cloud applications

Forefront Blogger — Tue, 17 Nov 2009 16:35:00 GMT

Today at our Professional Developers Conference Microsoft announced the availability of Windows Identity Foundation (WIF), a new extension to the .NET Framework that makes it easier for developers to create more secure applications with interoperable, identity-based access.

The software and documentation are available here. You can watch a video discussion about WIF on Channel 9 here.

WIF is ideal for both on-premises and cloud apps, and it ties closely to today’s launch of the Windows Azure, Microsoft’s cloud services platform. As part of our open platform for simplified access to both on-premises and cloud applications (formerly known as codename “Geneva”,) WIF is a key element of how Microsoft is addressing customer needs around cloud security. It also represents more progress for our Business Ready Security strategy.

Extending single sign-on from on-premises infrastructure to cloud applications is an important customer need, to simplify user login and ensure productivity. But the complexities of identity and access often block developers from quickly delivering this capability. There are too many identity technologies to choose from. Custom development of identity functionality is slow, expensive and requires developers to be identity and security experts.

WIF changes this, by providing developers with a standard approach to building identity-based access into on-premises and cloud applications using the claims-based architecture. It boosts developer productivity through a single, simplified identity model within familiar tools, such as .NET and Visual Studio.

For example, Quest Software says it was able to reduce authentication/authorization development time by 80% using WIF for its new OnDemand IT management solution hosted on Windows Azure – announced today. Quest OnDemand relies on ADFS 2.0 (beta) for authentication, too.

Online travel service leader Hogg Robinson in the UK is using WIF and ADFS 2.0, as well. Lead architect Jon Simpson said the technologies "masked many complexities, yet offered extension points throughout the solution such that we could implement all of our requirements. We welcome this new, open approach from Microsoft. We didn't have to compromise our solution anywhere!"

WIF enhances application security because it provides consistent, proven means for single sign on, federation, strong authentication and identity delegation. With WIF developers don’t have to continually re-build authentication logic, and applications can call each other securely. And, because WIF allows developers to externalize identity logic from applications, re-coding is less likely to be required as identity needs change.

Additionally, WIF is based on industry standard protocols for interoperability across heterogeneous cloud and enterprise environments.

Complementing WIF are the upcoming Active Directory Federation Services 2.0 – a role in Windows Server that allows customers to extend their existing investment in identity infrastructure to cloud applications – and Windows CardSpace 2.0, which helps end users easily navigate multiple logins and manage different personas.

Forefront Protection 2010 for Exchange Server launches

Forefront Blogger — Mon, 09 Nov 2009 04:56:00 GMT

Today at the TechEd Europe conference, in conjunction with the launch of Exchange Server 2010, Microsoft launched Forefront Protection 2010 for Exchange Server. The product and evaluation software is available now.

Part of our Business Ready Security strategy, Forefront Protection for Exchange (FPE) offers multiple anti-malware engines for 38 times faster detection than single engine solutions, and 99% guaranteed spam protection with only one in 250,000 spam false positives. Customers also have the choice of using the hosted Forefront Online Protection for Exchange service, or both offerings together for defense-in-depth.

Like all of our Forefront solutions, FPE is designed to help companies balance the needs of business with security requirements. Email is an extremely critical application, of course, and it presents challenges to both businesspeople and IT managers. Employees (and non-employees) needs secure access to messaging and documents from anywhere, as well as a spam-free inbox and protection from malware. On the other hand, IT must manage multiple sites and devices, ensure information protection and compliance, and ward off financially-motivated threats.

Combined with Exchange 2010 and other Microsoft identity and security technologies, FPE is part of Microsoft’s comprehensive solution for secure messaging. (It’s worth watching a video presentation on the whole solution here, in fact.)

New features in Forefront Protection 2010 for Exchange Server include:

· Premium antispam protection, with 99% detection rate, less than 1 in 250,000 false positives, and backscatter filtering

· New user interface with dashboard view of detection statistics and health monitoring

· Antispyware scanning provided by the Microsoft Antimalware Engine

· Support for Exchange 2010, Windows PowerShell, and Hyper-V

· Standardized installation using MSI installer

Already a number of customers have deployed FPE with success. Quotes from two:

“Forefront Protection 2010 for Exchange Server goes hand-in-hand with Exchange Server 2010. We wouldn’t put anything else for e-mail security on our Exchange Server 2010.” Jonathan Wynn, IT Manager– Del Monte Foods.

“Implementing Forefront Protection 2010 for Exchange Server was an easy decision for us following the success of our previous Forefront Security for Exchange Server implementation.” George Podolak, Director of IT, Pei Cobb Freed & Partners

Developers: Try out the Windows Identity Foundation Release Candidate

Forefront Blogger — Fri, 06 Nov 2009 17:46:00 GMT

Windows Identity Foundation (formerly called code name Geneva framework) is a new Microsoft .NET Framework technology that gives developers a programming model and SDK to create new advanced identity capabilities in .NET applications. It provides developers pre-built .NET security logic for building claims-aware applications, enhancing either ASP.NET or WCF applications. Windows Identity Foundation makes it easeir to build richer, more secure applications (cloud and on-premise) without being a security and identity expert. It will boost developer productivity, as a result, and enhance app security through a standard approach to federation, strong authentication and identity delegation.

The RC is available here.

Look for more information about "WIF" coming out of Microsoft's Professional Developer Conference, the week of Nov 16.

Action by Dec 1 - keep your protection current!

Forefront Blogger — Wed, 04 Nov 2009 23:08:00 GMT

A reminder from the Forefront Server Security blog.

As we announced on July 1, 2009, Microsoft is revising its engine mix on Dec. 1, 2009 for the Forefront and Antigen products. This change will allow customers to utilize a set of engines that help optimize detection, while also allowing us to invest in new areas for increasing overall protection for customers.

Antimalware Protection

The AhnLab, CA, and Sophos engines will be retired on Dec. 1, 2009. After December 1^st, customers will not receive any updates for these retired engines. In order to make sure your Antigen and Forefront products continue to scan efficiently and effectively for malware, any customers running the AhnLab, CA, or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman, and VirusBuster.

SPECIAL NOTE: Antigen for SharePoint 8.0 and Antigen for Instant Messaging 8.0 customers – In order to gain access to the new engine set and provide optimal protection for your messaging and collaboration environments, please download the Service Pack 1 releases of these products on the MVLS or VLSC site prior to Dec. 1, 2009. The updates for the new engine set will use a new update infrastructure as of Dec. 31, 2009 – the Service Pack 1 releases will allow you to continue to receive updates correctly from their new location.

For more information about Service Pack 1 for Antigen for SharePoint and Antigen for IM, see the following KB article:

http://support.microsoft.com/kb/975850/

- SPECIAL NOTE: Antigen for Exchange 8.0 and Antigen for SMTP Gateways 8.0 customers –These products will end of life on Dec. 31, 2009. Customers must upgrade to Antigen 9.0 SP2 for Exchange before this date, as the product will no longer continue to receive anti-malware updates starting Jan. 1, 2010. With the retirement of the CA, Sophos, and AhnLab engines on Dec. 1, customers running Antigen for Exchange 8.0 or Antigen SMTP Gateways 8.0 will only be protected by the Norman engine. For customers who need to continue using this product between Dec. 1, 2009 and the end-of-life date of Dec. 31, 2009, please contact Forefront Contract Administration for access to the revised engine set.

For more information on upgrading your Antigen for Exchange 8.0 or Antigen for SMTP Gateways 8.0 to Antigen 9.0, see the following KB article:

http://support.microsoft.com/kb/932396/

Antispam Protection

One of the most important changes in our engine revision strategy is moving to the Cloudmark antispam engine*, which provides 99%+ detection rate and less than 1 in 250,000 false positives (West Coast Labs).

The Mail-Filters SpamCure antispam engine will be retired on Dec. 1, 2009. Customers using Antigen products for antispam protection must upgrade to the latest service pack releases listed below BEFORE DEC. 1, 2009 to maintain their antispam defenses. This is the only way to gain access to the new Cloudmark engine. The service packs can be accessed on the Microsoft MVLS and VLSC sites:

- Antigen for Exchange Server with Antigen Spam Manager 9.0 with SP2

- Antigen for SMTP Gateways with Antigen Spam Manager 9.0 with SP2

For more information on the engine revision strategy, see the Antimalware Engine Notifications and Developments Web page or contact Forefront Contract Administration . Again, we strongly urge all customers to update to the newest service packs before Dec. 1, 2009 to get the full protection benefits of the Forefront and Antigen server products.

*Please note: Customers using Forefront Security for Exchange Server will get access to the Cloudmark engine in the next version release – Forefront Protection 2010 for Exchange Server – scheduled to be available in Q4 CY09.

Brita Jenquin

Sr. Product Manager

Forefront secure messaging screencast & interview

Forefront Blogger — Wed, 04 Nov 2009 00:15:00 GMT

Cristian Mora Aguilar, Forefront Technical PM, starts off by briefly telling us about Microsoft's secure messaging solution and what business problems it resolves. He then gives us a screencast / demo of some of the cool scenarios enabled and problems solved with the secure messaging solution. Find out how Microsoft products help secure Microsoft Exchange Server.

http://edge.technet.com/Media/Forefront-Secure-Messaging-screencast-and-interview/

Microsoft Security Intelligence Report

Forefront Blogger — Mon, 02 Nov 2009 17:01:00 GMT

The 7^th volume of the Microsoft Security Intelligence Report (SIR) was released today. The top finding is that worms infections in the enterprise rose by nearly 100 percent during the first half of 2009.

According to the report, rogue security software remained the single largest threat category for the first half of 2009. Microsoft products and services removed such malware from more than 13 million computers worldwide, down from 16.8 million in the second half of 2008.

The SIR provides a deep, accurate view of the threat landscape country-by-country and, for the first time, the SIR includes security best practices from countries that have consistently exhibited low malware infection, such as Japan, German and Austria.

Data for the SIR is collected through a wide variety of means, including but not limited to: Microsoft’s Malicious Software Removal Tool, Bing, Windows Live OneCare, Windows Defender and, of course, Forefront solutions.

The full SIR, guidance and other resources are available here.

Direct Access and UAG video - Deep dive with a Program Manager

Forefront Blogger — Tue, 27 Oct 2009 16:15:00 GMT

Ben Bernstein and Stephen Bowie tell us what the value is for Forefront Unified Access Gateway (UAG) with Direct Access (DA).

After this, we do a whiteboard of UAG + DA architecture, including explaining how it works with multiple UAG servers. Here's how the rest of the interview breaks down:

How UAG supports legacy IPv4 clients (Marker 3 @ 8:02)

How does the client know to connect to the proper DNS server and not the one from the local ISP? (Marker 4 @ 13:17)

How do we know it's securely talking to the proper DNS server? (Marker 5 @ 15:01)

What other components on UAG enable DA? (Marker 6 @ 16:10)

Additional value add for UAG with DA (Marker 7 @ 17:55)

http://edge.technet.com/Media/Direct-Access-and-UAG-video-Deep-dive-with-a-Program-Manager/

Forefront scores in VB100

Forefront Blogger — Tue, 13 Oct 2009 21:04:00 GMT

Forefront Client Security (FCS) received its 10th consecutive VB100 award in the October 2009 Edition of Virus Bulletin. In order for a product to be awarded the VB100 award, it must detect 100% of the WildList malware samples and must not have any false positives (FP) on the Virus Bulletin clean file collection.

FCS received one of the highest scores overall – and the highest among major competitors - in both the proactive and reactive aspects of the new VB RAP (Reactive and Proactive) test, reaffirming the strong result shown in August VB edition and in the May 2009 report from AV-Comparative.org.

Schedule and Strategy Update for Forefront Endpoint Protection

Forefront Blogger — Thu, 08 Oct 2009 11:00:00 GMT

Today we are announcing a schedule and strategy update for Forefront Endpoint Protection 2010, a component of the upcoming Forefront Protection Suite (previously codenamed “Stirling.”)

We are delaying the release Forefront Endpoint Protection 2010 - anti-malware for Windows desktops and servers - until the second half of 2010. Based on customer feedback and market trends, we have made the strategic decision to build Forefront Endpoint Protection (FEP) on System Center Configuration Manager, Microsoft’s solution to comprehensively assess, deploy, and update servers, clients, and devices. This approach better aligns our customers’ client management and security infrastructure, helping simplify deployment and reduce costs.

We are confident this is the right decision for our customers. In the interim, we will continue to offer our current Forefront Client Security (FCS) solution, which supports and protects both Windows 7 and Windows Server 2008 R2. We are developing the necessary tools and guidance to facilitate the future upgrade from Forefront Client Security to Forefront Endpoint Protection and will help customers with the migration process.

We also remain committed to providing integrated management for the Forefront Protection Suite. We will release Forefront Protection Manager in the first half of 2010, as scheduled, providing multi-server management for Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint. We will provide information about endpoint security management in Forefront Protection Manager at a later time.

We are on track to release all other Forefront products on schedule, as part of our Business Ready Security strategy:

o Fourth quarter 2009: Forefront Protection 2010 for Exchange Server, Forefront Online Protection for Exchange, Forefront Threat Management Gateway 2010 and Forefront Unified Access Gateway 2010

o First half 2010: Forefront Protection 2010 for SharePoint, Forefront Identity Manager 2010.

The Forefront team

MSFT Identity and Access news: Forefront Identity Manager RC1 and ADFS 2.0 SAML interoperability

Forefront Blogger — Wed, 30 Sep 2009 16:00:00 GMT

The RC1 release of Forefront Identity Manager 2010 (FIM) is available today here. The next version of Identity Lifecycle Manager 2007, FIM 2010 dramatically improves enterprise identity management by delivering powerful self-service capabilities for Office end-users, rich administrative tools and enhanced automation for IT professionals, and .NET and WS-* based extensibility for developers. The final release is slated for the first quarter of 2010.

What’s new in FIM RC1:

· Significant performance and scalability improvements across the product.

· Key feature enhancements, including management policy rule (MPR) explorer and capability to enable/disable MPR’s, usability improvements in the portal and ability to disable batch approve/reject of membership requests if needed. Also, a System Center Operations Manager (SCOM) management pack and configuration migration tools are new for RC1.

· The FIM 2010 user interface has enhanced usability and layout in many areas, resulting directly from RC0 customer feedback.

· The product is now rebranded as Forefront Identity Manager 2010, with a few exceptions, replacing the old “ILM 2” codename.

FIM is part of Microsoft’s continued, far-reaching commitment to enabling more secure, identity-based access to applications - on-premises and in the cloud, from virtually any location or device.

This commitment includes other solutions, such as Forefront Unified Access Gateway, and capabilities in the Windows platform, such as Active Directory Federation Services 2.0 (formerly known by codename “Geneva.”) ADFS 2.0 uses identity federation to extend Active Directory authentication and single sign-on to cloud-based services, hosted by Microsoft or others, so IT can gain flexibility and cost savings but avoid managing extra user accounts and passwords.

Another key part of our efforts in identity and access management is work across the industry to ensure interoperability. Today, for example, Microsoft was part of a Kantara Initiative and Liberty Alliance announcement. ADFS passed SAML 2.0 interoperability testing, meaning it will interoperate with heterogeneous environments and provide federation.

And, also, this week the Organization for the Advancement of Structured Information Standards (OASIS) is holding its Identity Management 2009 conference. Microsoft is a sponsor and participating in sessions and discussion around helping governments transparently manage citizens' identities and access to information. Lee Nackman, Microsoft vice president of the Identity and Security Division, is quoted in the OASIS press release.

"Promoting widespread use of secure and trustworthy digital identities, while preserving personal privacy and protecting civil liberties, is a critical challenge for governments and the technology industry. Working with government leaders, industry partners and consortia like OASIS, Microsoft is committed to the technical and policy innovation needed to provide citizens with safe access to resources and services, in both the public and private sectors. Identity Management 2009 will provide an ideal forum for knowledge sharing and collaboration in this area."