Abstract
This document is the Guidance Documentation Addendum of Forefront TMG Standard Edition and Enterprise Edition.
Keywords
CC, TMG, Common Criteria, Firewall, Guidance Documentation Addendum
Page 2/79
Table of Contents
1 INTRODUCTION TO THE GUIDANCE ADDENDUM  6
  1.1 Scope  6
  1.2 Security functionalities and Associated Chapters  7
  1.3 Warnings about Functions and Privileges  8
  1.4 Installation of the evaluated TMG 2010 Standard Edition  8
    1.4.1 Installation Requirements  8
    1.4.2 Installation Procedures  9
  1.5 Installation of the evaluated TMG 2010 Enterprise Edition  26
    1.5.1 Installation Requirements  26
    1.5.2 Installation Procedures  27
2 SECURITY FUNCTIONALITIES  45
  2.1 SF1 - Web Identification and Authentication  45
  2.2 SF2 - Information Flow Control  47
  2.3 SF3 - Audit  47
  2.4 Administration-Related Interfaces  48
  2.5 TOE User Interfaces  48
3 OPERATIONAL ENVIRONMENT  49
  3.1 Assumptions  49
  3.2 Organizational Security Policies  50
  3.3 Security Objectives for the Environment  50
  3.4 Requirements for the Operational Environment  51
4 SECURITY-RELEVANT EVENTS  57
5 TOE INTEGRITY  58
  5.1 Integrity of the DVD-ROM content and ISO image  58
    5.1.1 Steps in order to ensure the integrity of Forefront TMG 2010 (Volume Licensing Standard Edition and Enterprise Edition)  58
    5.1.2 Steps in order to ensure the integrity of Forefront TMG 2010 (Boxed version Standard Edition only)  59
  5.2 Integrity of the Package  61
  5.3 Version Number for the TOE  62
6 ANNOTATIONS  64
  6.1 Authentication methods  64
    6.1.1 Single Sign On  64
    6.1.2 Authentication Process  65
    6.1.3 Client Authentication Methods for Receipt of Client Credentials  66
    6.1.4 Methods for Validation of Client Credentials  67
    6.1.5 Authentication Delegation  68
  6.2 Lockdown Mode  69
    6.2.1 Affected functionality  70
    6.2.2 Leaving lockdown mode  70
  6.3 Configure RPC Filtering  70
  6.4 Configure FTP Filtering  71
  6.5 Configure SMTP Filtering  71
7 FLAW REMEDIATION GUIDANCE  73
  7.1 How to report detected security flaws to Microsoft  73
  7.2 How to get informed about Security Flaws and Flaw Remediation  74
  7.3 Installing a remedy  75
  7.4 Authentication of a Fix  76
8 REFERENCES AND GLOSSARY  77
  8.1 References  77
  8.2 Acronyms  78
  8.3 Glossary  78
List of Tables
Table 1.1 Security functionalities and associated chapters  7
Table 1.2 Warnings about functions and privileges  8
Table 3.1 Assumptions for the IT environment and intended usage  49
Table 3.2 Security policies addressed by the TOE  50
Table 3.3 Security objectives for the operational environment  50
Table 4.1 Security-relevant events  57
List of Figures
Figure 2.1 Error messages  46
Figure 5.1 Example of Integrity check I (successful)  61
Figure 5.2 TMG 2010 Standard Edition (Box)  61
Figure 5.3 Version number of TMG 2010 Standard Edition  62
Figure 5.4 Version number of TMG 2010 Enterprise Edition  62
Figure 5.5 Identifying TMG 2010 Enterprise Edition  63
Figure 7.1 Installation Instructions for Security Bulletin (example)  75
1.1 Scope
This document extends the TMG 2010 manual [MSTMG] and provides the information required for the TMG 2010 Common Criteria evaluation. The evaluated Guidance Documentation ([MSTMG] and this document) is valid for TMG 2010 Standard Edition and TMG 2010 Enterprise Edition (1)(2). The software version of both evaluated configurations is 7.0.7734.100.

(1) short: TMG
(2) TMG 2010 references both configurations, TMG 2010 Standard Edition and TMG 2010 Enterprise Edition.
1.4 Installation of the evaluated TMG 2010 Standard Edition
1.4.1 Installation Requirements
- A personal computer with a 64-bit dual core processor.
- Microsoft Windows Server 2008 R2 Standard Edition (English). Also, ensure that no additional software products have been installed on this computer.
- 2 gigabytes (GB) of memory.
- 2500 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.
- One network adapter that is compatible with the computer's operating system, for communication with the internal network.
- One network adapter that is compatible with the computer's operating system, for each network connected to the TMG Server computer.
- One local hard disk partition that is formatted with the NTFS file system.
Please also check Section 3.4 Requirements for the Operational Environment.
1.4.2 Installation Procedures
To install the evaluated version, the administrator must install TMG Services and TMG Management. The following pictures show the step-by-step installation process for TMG 2010 Standard Edition.
Installation screenshots (images not reproduced; captions only):
1. Start screen
2. Wait until TMG 2010 has checked the prerequisites on your computer.
3. After the Preparation Tool has finished, start the TMG Installation Wizard.
4. Enter your user credentials and the product serial number (example).
5. Click on Next.
6. Click on Install.
7. After the installation has finished, start the TMG Management wizard.
8. Click on Next.
9. Click on Next.
10. Click on Next.
11. Click on Next.
1.5 Installation of the evaluated TMG 2010 Enterprise Edition
1.5.1 Installation Requirements
- A personal computer with a 64-bit dual core processor.
- Microsoft Windows Server 2008 R2 Standard Edition (English). Also, ensure that no additional software products have been installed on this computer.
- 2 gigabytes (GB) of memory.
- 2500 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.
- One network adapter that is compatible with the computer's operating system, for communication with the internal network.
- One network adapter that is compatible with the computer's operating system, for each network connected to the TMG Server computer.
- One local hard disk partition that is formatted with the NTFS file system.
Please also check Section 3.4 Requirements for the Operational Environment.
1.5.2 Installation Procedures
To install the evaluated version, the administrator must install TMG Services and TMG Management. The following pictures show the step-by-step installation process for TMG 2010 Enterprise Edition.
Installation screenshots (images not reproduced; captions only):
1. Start screen
2. Wait until TMG 2010 has checked the prerequisites on your computer.
3. After the Preparation Tool has finished, start the TMG Installation Wizard.
4. Enter your user credentials and the product serial number (example).
5. Click on Next.
6. Click on Install.
7. After the installation has finished, start the TMG Management wizard.
8. Click on Next.
9. Click on Next.
10. Click on Next.
11. Click on Next.
2 Security functionalities
This chapter identifies all security functionalities available to the administrator. They are derived from the TMG 2010 security functionalities described in the TMG 2010 Security Target (ST). For administration, TMG 2010 includes graphical taskpads and wizards that simplify navigation and configuration for common tasks. These features are embedded in the Microsoft Management Console and do not belong to the TOE; they are provided by the environment.

Warnings
- The administrator must ensure that TMG 2010 is installed and used with Windows Server 2008 R2 Standard Edition (English). More details can be found in the Security Target of TMG 2010 [ST].
- The administrator has to observe the Security Bulletins to ensure that all possible countermeasures are applied. The administrator should check http://www.microsoft.com/security/ regularly for the latest TMG 2010 service packs and hotfixes.
- The administrator should only use programs that are required to administer and operate the firewall, and should not install additional software which may compromise the security of the TOE or the underlying operating system.
Important
When trying to connect to a Web site via HTTP (not HTTPS) that is published using TMG 2010, you receive an error message (see Figure 2.1) when all of the following conditions are true:
- The Web listener has any one of the following authentication methods enabled:
  o Basic authentication
  o RADIUS authentication
  o Forms-Based authentication
- The Web listener is configured to listen for HTTP traffic.
- The Require all users to authenticate check box is selected for the Web listener, or the Web publishing rules apply to a user set other than the default All Users user set.
- You connect to the published Web site by using HTTP instead of HTTPS.

Figure 2.1 Error messages
If the TMG Web listener has Basic authentication enabled, you receive the following error message:
Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12311)
If the TMG Web listener has RADIUS authentication or Microsoft Outlook Web Access Forms-Based authentication (Cookie-auth) enabled, you receive the following error message:
Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12311)

When you use HTTP-to-HTTP bridging, TMG 2010 does not enable traffic on the external HTTP port if the Web listener is configured to request one or more of the following kinds of credentials:
- Basic authentication
- RADIUS authentication
- Forms-based authentication
This behavior occurs because these credentials must be protected in transit and must not be sent in plaintext over HTTP. TMG 2010 prevents you from entering credentials in plaintext; when you try to do so, you receive an error message.
Warnings
When using Forms-based authentication, the user must ensure that the environment is locked when it is unattended, because an application on the computer could "cache" the password.
3 Operational Environment
The security environment of the evaluated configurations of TMG 2010 is described in the TMG 2010 Security Target [ST] and identifies the threats to be countered by TMG 2010, the organizational security policies, and the usage assumptions as they relate to TMG 2010. The administrator should ensure that the environment meets the organizational policies and assumptions. They are restated here from the Security Target.
3.1 Assumptions
Table 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended usage.

Table 3.1 Assumptions for the IT environment and intended usage

#  Assumption name  Description
1  A.DIRECT    The TOE is available to authorized administrators only. Personnel who have physical access to the TOE and can log in to the operating system are assumed to act as authorized TOE administrators.
2  A.GENPUR    The TOE stores and executes security-relevant applications only. It stores only data required for its secure operation. Nevertheless, the underlying operating system may provide additional applications required for administrating the TOE or the operating system.
3  A.NOEVIL    Authorized administrators are non-hostile and follow all administrator guidance.
4  A.ENV       The operating system implements the following functionality: local identification and authentication of user credentials used for web publishing (see A.WEBI&A for RADIUS identification and authentication; in case of a successful authentication the TOE analyses the returned value and allows or denies access to network resources depending on that value), reliable time stamps (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, a reliable ADAM implementation (EE configuration only), and Network Load Balancing (EE configuration only, disabled by default).
5  A.PHYSEC    The TOE is physically secure. Only authorized personnel have physical access to the system which hosts the TOE.
6  A.SECINST   Required certificates and user identities are installed using a confidential path.
7  A.SINGEN    Information cannot flow between the internal and external networks unless it passes through the TOE.
8  A.WEBI&A    User credentials are optionally verified by a RADIUS server. The RADIUS server returns a value indicating whether a valid account exists or not. Web Identification & Authentication with a RADIUS server requires that the RADIUS server is placed on the internal network, so that data (user credentials and return values) transferred to and from the RADIUS server is secured by the TOE from external entities.
9  A.SSL       All web publishing rules which support Form-based authentication have to be configured by the administrator so that a secure connection is enforced.
3.2 Organizational Security Policies and 3.3 Security Objectives for the Environment (Table 3.2 and Table 3.3, partially preserved)

- TMG queries the remotely hosted Microsoft Reputation Service to determine the categorization of the Web site. The download of the Reputation Service data is appropriately secured with respect to integrity and authenticity.
- OE.SINGEN
- Optionally, a RADIUS server should verify the provided user credentials and return whether a valid account exists or not. Data (user credentials and return values) between the TOE and the RADIUS server should be transferred within the TOE-secured environment, which means that the RADIUS server should be placed on the internal network for Web Identification & Authentication.
- OE.SSL: All web publishing rules which support Form-based authentication should be configured by the administrator so that a secure connection is enforced.
- 10 OE.URLFILTER: TMG queries the remotely hosted Microsoft Reputation Service to determine the categorization of the Web site. The download of the Reputation Service data is appropriately secured with respect to integrity and authenticity. See http://technet.microsoft.com/en-us/library/cc995076.aspx
Service Name                     Startup Type
AppMgmt                          Manual
AudioEndpointBuilder             Disabled
Audiosrv                         Disabled
BFE                              Automatic
BITS                             Automatic
Browser                          Automatic
CertPropSvc                      Manual
COMSysApp                        Manual
CryptSvc                         Automatic
CscService                       Disabled
DcomLaunch                       Automatic
Dhcp                             Automatic
Dnscache                         Automatic
dot3svc                          Manual
DPS                              Automatic
EapHost                          Manual
Eventlog                         Automatic
EventSystem                      Automatic
FCRegSvc                         Manual
fdPHost                          Manual
FDResPub                         Manual
gpsvc                            Automatic
hidserv                          Disabled
hkmsvc                           Manual
IKEEXT                           Automatic
IPBusEnum                        Disabled
iphlpsvc                         Automatic
KeyIso                           Manual
KtmRm                            Automatic
LanmanServer                     Automatic
LanmanWorkstation                Automatic
lltdsvc                          Manual
clr_optimization_v2.0.50727_32   Manual
Service Name                     Startup Type
lmhosts                          Automatic
MMCSS                            Manual
MpsSvc                           Automatic
MSDTC                            Automatic
MSiSCSI                          Manual
msiserver                        Manual
napagent                         Manual
Netman                           Manual
netprofm                         Automatic
NlaSvc                           Automatic
nsi                              Automatic
pla                              Manual
PlugPlay                         Automatic
PolicyAgent                      Disabled
ProfSvc                          Automatic
ProtectedStorage                 Manual
RasAuto                          Disabled
RasMan                           Manual
RemoteAccess                     Ignored
RemoteRegistry                   Disabled
RpcLocator                       Manual
RpcSs                            Automatic
RSoPProv                         Manual
sacsvr                           Manual
SamSs                            Automatic
SCardSvr                         Disabled
Schedule                         Automatic
SCPolicySvc                      Disabled
seclogon                         Automatic
SENS                             Automatic
SessionEnv                       Manual
SharedAccess                     Disabled
ShellHWDetection                 Automatic
Service Name                     Startup Type
slsvc                            Automatic
SLUINotify                       Manual
SNMPTRAP                         Manual
SSDPSRV                          Disabled
SstpSvc                          Ignored
swprv                            Manual
SysMain                          Manual
TapiSrv                          Manual
TBS                              Manual
TermService                      Automatic
Themes                           Disabled
THREADORDER                      Manual
TrkWks                           Automatic
TrustedInstaller                 Manual
UI0Detect                        Manual
UmRdpService                     Manual
upnphost                         Disabled
UxSms                            Automatic
vds                              Manual
VSS                              Manual
W32Time                          Automatic
WcsPlugInService                 Manual
WdiServiceHost                   Manual
WdiSystemHost                    Manual
Wecsvc                           Manual
wercplsupport                    Manual
WerSvc                           Automatic
WinHttpAutoProxySvc              Manual
Winmgmt                          Automatic
WinRM                            Automatic
wmiApSrv                         Manual
WPDBusEnum                       Manual
wuauserv                         Automatic
Service Name                     Startup Type
wudfsvc                          Manual
DNS                              Disabled
nfssvc                           Disabled
nfsclnt                          Disabled
ADAM_ISASTGCTRL                  Automatic
AppHostSvc                       Automatic
aspnet_state                     Manual
fwsrv                            Automatic
IAS                              Automatic
IISADMIN                         Automatic
isactrl                          Automatic
isasched                         Automatic
ISASTG                           Automatic
MDM                              Manual
MSSQL$ISARS                      Automatic
MSSQL$MSFW                       Automatic
MSSQLServerADHelper              Disabled
ose                              Manual
ReportServer$ISARS               Automatic
Rqs                              Manual
SQLBrowser                       Automatic
SQLWriter                        Automatic
W3SVC                            Automatic
WAS                              Manual
WMSvc                            Manual
xmonitor                         Automatic
clr_optimization_v2.0.50727_64   Manual
The security policy defined in the file Isa_harden.xml also configures your Forefront TMG computer as a client of other servers. The following client features are enabled:
The remaining sections of this topic assume that you have applied the configurations recommended in the "Windows Server 2008 Security Guide" on the computer running Forefront TMG. Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the IPsec filters or any of the server role policies. In addition, you should consider Forefront TMG functionality and perform manual hardening of the operating system accordingly.

Warning
The administrator should check http://www.microsoft.com/security/ regularly for the latest Windows Server 2008 R2 hotfixes.
4 Security-Relevant Events
This subsection describes all types of security-relevant events and what administrator action (if any) to take to maintain security. Security-relevant events that may occur during operation of TMG 2010 must be adequately defined to allow administrator intervention to maintain secure operation. Security-relevant events are defined as events that signify a security-related change in the system or environment. These changes can be grouped as routine or abnormal. The routine events are already addressed in the subsection Security functionalities.

Table 4.1 Security-relevant events

Security function: Web Identification and Authentication
- Event: Configure Forms-based authentication. Relevant chapters: see Chapter 6.1
- Event: The user lacks the permission needed to access the Internet. Relevant chapters: [MSTMG] Forefront TMG Planning and Design > Access design guide for Forefront TMG > Planning for publishing > About publishing Web servers > About authentication in Web publishing
- Event: A user is leaving the company, so his or her rights have to be withdrawn. Relevant chapters: [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Monitoring Forefront TMG > Configuring Forefront TMG logs

Security function: Information Flow Control
- Event: An alert occurs, so the administrator has to monitor the alert. Relevant chapters: [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Configuring alerts > Configuring alert actions

Security function: Audit
- Event: Log file overflow. If the TMG 2010 Server computer runs out of disk space, the administrator has to configure the maximum number of log files. Relevant chapters: [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Monitoring Forefront TMG > Configuring Forefront TMG logs
5 TOE Integrity
This chapter describes how the administrator can verify that the evaluated version of the TOE is used.

5.1 Integrity of the DVD-ROM content and ISO image
The corresponding hash files are available from the Microsoft corporate Web site, as well as a batch file that runs the tool and a Readme file that explains the usage for users who do not have access to this document. The hash file contains SHA-1 values for each of the relevant files that must be verified and is downloadable from the TMG common criteria Web page [WEBTMG]. FCIV is a command-prompt utility that computes and verifies cryptographic hash values of files (MD5 and SHA-1 hash values are supported). To use it, the user opens a Command Prompt window and changes to the folder into which the validation files were downloaded.
5.1.1 Steps in order to ensure the integrity of Forefront TMG 2010 (Volume Licensing - Standard Edition and Enterprise Edition)
Please perform the following steps in order to ensure the integrity of your downloads (unless stated otherwise, the hash values can be found on [WEBTMG]):
1. Download the FCIV tool (see [WEBTMG]) from Microsoft. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the downloaded file. This can be done using any tool capable of calculating SHA-1 values. While running the file you have to enter a destination folder into which the FCIV executable should be extracted.
2. Download the CC Guidance Addendum (see [WEBTMG]) to the directory where FCIV has been extracted. Check the integrity of "MS_TMG_ADD_1.1.pdf" by executing the command
   fciv "MS_TMG_ADD_1.1.pdf" -sha1
   and verify that the result is
   <SHA1 hash> MS_TMG_ADD_1.1.pdf
3. Depending on the downloaded version:
   o If you received TMG 2010 Standard Edition via Web download, type the following:
     fciv.exe -sha1 X16-23051.iso
     and verify that the result is
     daae6ed2f61b6474b9f2dfc9bad5e9bf75420295 x16-23051.iso
   o If you received TMG 2010 Enterprise Edition via Web download, type the following:
     fciv.exe -sha1 X16-23004.iso
     and verify that the result is
     5b4c04c4e4eff29e95ed46ff24b9f35802fe1158 X16-23004.iso
4. After the final verification steps have been finished, follow the Forefront TMG 2010 CC Guidance Addendum for the installation and configuration of the TOE (Target of Evaluation; for details see the Security Target).

Important
The hash value of the FCIV tool is published on the TMG common criteria web page and should be verified by the customer using a 3rd-party tool of his choice.
5.1.2 Steps in order to ensure the integrity of Forefront TMG 2010 (Boxed version - Standard Edition only)
Please perform the following steps in order to ensure the integrity of your downloads (unless stated otherwise, the hash values can be found on [WEBTMG]):
1. Download the FCIV tool (see [WEBTMG]) from Microsoft. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the downloaded file. This can be done using any tool capable of calculating SHA-1 values. While running the file you have to enter a destination folder into which the FCIV executable should be extracted.
2. Download the Integrity Check Validation Data (see [WEBTMG]) and the "CC Guidance Documentation Addendum" (see [WEBTMG]) to the directory where FCIV has been extracted.
3. Check the integrity of "MS_TMG_ADD_1.1.pdf" by executing the command
   fciv "MS_TMG_ADD_1.1.pdf" -sha1
   and verify that the result is
   <SHA1 hash> MS_TMG_ADD_1.1.pdf
4. Check the integrity of "IntegrityCheckTMG2010.zip" by executing the command
   fciv "IntegrityCheckTMG2010.zip" -sha1
   and verify that the result is
   <SHA1 hash> IntegrityCheckTMG2010.zip
5. Verify that the folder contains the following files:
   - TMGFPPENUSE.xml
   - readme.htm
   - integritycheck_se_ENU.cmd
   - fciv.exe
6. Insert the Exchange Server DVD that requires validation into the DVD drive X: (where X: is your DVD-ROM drive).
7. Open a command window and change to the folder where the validation files are located. Then, type the following to validate TMG 2010 Standard Edition (boxed version only):
   integritycheck_se_ENU.cmd X:
8. If the DVD cannot be validated as an authentic DVD, a message will be displayed indicating that the DVD is not authentic. The integritycheck.log file, listing the failure details, will be created in the folder with the original files. If the DVD is correctly validated, the following message will be displayed:
   The ... is an authentic <product name>
9. After the final verification steps have been finished, follow the TMG 2010 CC Guidance Addendum for the installation and configuration of the TOE (Target of Evaluation; for details see the Security Target).

Important
The hash value of the FCIV tool is published on the TMG common criteria web page and should be verified by the customer using a 3rd-party tool of his choice.
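The following PowerShell script is an added example and not part of this addendum: it performs the SHA-1 checks of the first steps of Sections 5.1.1 and 5.1.2 with the .NET hashing classes, so it can also serve as the independent tool the text asks for when verifying the FCIV download before it is executed. The ISO and FCIV hashes are the values quoted above; the PDF and ZIP hashes and the FCIV download file name are placeholders (assumptions) to be filled in from [WEBTMG], and the function names are the example's own.

```powershell
# Added example (not from the TMG 2010 guidance): verify the SHA-1 hashes of the
# integrity downloads of Sections 5.1.1 and 5.1.2 without fciv.exe.
# Uses System.Security.Cryptography so it runs on Windows PowerShell 2.0
# (Windows Server 2008 R2); Get-FileHash would need PowerShell 4.0 or later.

# Expected SHA-1 values. ISO and FCIV hashes are quoted from the addendum; the
# remaining values and the FCIV download file name are placeholders (assumptions)
# to be replaced with what is published on [WEBTMG].
$Manifest = @{
    'X16-23051.iso'             = 'daae6ed2f61b6474b9f2dfc9bad5e9bf75420295'  # TMG 2010 SE, Web download
    'X16-23004.iso'             = '5b4c04c4e4eff29e95ed46ff24b9f35802fe1158'  # TMG 2010 EE, Web download
    'FCIV-DOWNLOAD.exe'         = '99fb35d97a5ee0df703f0cdd02f2d787d6741f65'  # placeholder file name
    'MS_TMG_ADD_1.1.pdf'        = '<SHA1 hash from WEBTMG>'
    'IntegrityCheckTMG2010.zip' = '<SHA1 hash from WEBTMG>'
}

# Lower-case hex SHA-1 of a file, streamed so a DVD-sized ISO is not read into memory.
function Get-Sha1Hex {
    param([string]$Path)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha1.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# One result per manifest entry: OK, MISMATCH, NOT FOUND, or UNVERIFIED when the
# expected value is still a placeholder rather than a 40-digit hex string.
function Test-DownloadIntegrity {
    param([hashtable]$Manifest, [string]$Folder = (Get-Location).Path)
    $results = @()
    foreach ($file in ($Manifest.Keys | Sort-Object)) {
        $expected = $Manifest[$file]
        $path = Join-Path $Folder $file
        if ($expected -notmatch '^[0-9a-fA-F]{40}$') {
            $status = 'UNVERIFIED (expected hash not filled in)'
        } elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'NOT FOUND'
        } else {
            $actual = Get-Sha1Hex $path
            # String -eq is case-insensitive, so the hex case of the published value does not matter.
            if ($actual -eq $expected) { $status = 'OK' } else { $status = "MISMATCH (computed $actual)" }
        }
        $results += New-Object PSObject -Property @{ File = $file; Expected = $expected; Status = $status }
    }
    return $results
}

$results = Test-DownloadIntegrity -Manifest $Manifest
$results | Select-Object File, Status | Format-Table -AutoSize
# NOT FOUND is expected for the edition you did not download; anything else that is
# not OK means the file must not be executed or installed.
$failed = @($results | Where-Object { $_.Status -ne 'OK' -and $_.Status -ne 'NOT FOUND' })
exit $failed.Count
```

Run it from the folder into which the downloads were saved, or pass that folder to Test-DownloadIntegrity with -Folder.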
6 Annotations
6.1 Authentication methods
This chapter describes how TMG manages authentication. It provides information about authentication and delegation methods supported by the TOE, and how the authentication process is handled.
6.1.2 Authentication Process
The authentication process consists of the following components:
- Receipt of client credentials.
- Validation of client credentials against an authentication provider.
- Delegation of authentication to Web servers that are behind the TOE, such as servers running SharePoint Portal Server.

Note
The first two components are configured on the Web listener that receives client requests. The third is configured on the publishing rule. This means that you can use the same listener for different rules, and have different types of delegation.
The authentication process for forms-based authentication is demonstrated in the following figure. Note that this is a simplified description of the process, presented to describe the primary steps involved.
Step 1, receipt of client credentials: The client sends a request to connect to the corporate Outlook Web Access server in the Internal network. The client provides the credentials in an HTML form (Frontend authentication).
Steps 2 and 3, sending credentials: The TOE sends the credentials to the authentication provider, such as a domain controller for Integrated Windows authentication or a RADIUS server, and receives acknowledgment from the authentication provider that the user is authenticated (Gateway authentication).
Step 4, authentication delegation: The TOE forwards the client's request to the Outlook Web Access server and authenticates itself to the Outlook Web Access server using the client's credentials. The Outlook Web Access server will revalidate those credentials, typically using the same authentication provider (Backend authentication).
Note: The Web server must be configured to use the authentication scheme that matches the delegation method used by the TOE.
Step 5, server response: The Outlook Web Access server sends a response to the client, which is intercepted by the TOE.
Step 6, forwarding the response: The TOE forwards the response to the client.

Note
If you do not limit access to authenticated users, as is the case when a rule allowing access is applied to all users, the TOE will not validate the user's credentials. The TOE will use the user's credentials to authenticate to the Web server according to the configured delegation method. We recommend that you apply each publishing rule to all authenticated users or a specific user set, rather than selecting Require all users to authenticate on the Web listener, which requires any user connecting through the listener to authenticate.
6.1.3.1 No Authentication
You can select to require no authentication. If you do so, you will not be able to configure a delegation method on rules that use this Web listener.
Password form. The user enters a user name and password on the form. This is the type of credentials needed for Integrated and RADIUS credential validation.

Notes
- The HTML forms for forms-based authentication can be fully customized.
- When the TOE is configured to require authentication, because a publishing rule applies to a specific user set or All Authenticated Users, or a Web listener is configured to Require all users to authenticate, the TOE validates the credentials before forwarding the request.
- By default, the language setting of the client's browser determines the language of the form that the TOE provides. The TOE provides forms in 26 languages. The TOE can also be configured to serve forms in a specific language regardless of the browser's language.
- When you configure a time-out for forms-based authentication, we recommend that the time-out be shorter than that imposed by the published server. If the published server times out before the TOE, the user may mistakenly think that the session has ended. This could allow attackers to use the session, which remains open until actively closed by the user or timed out by the TOE as configured in the form settings.
You should ensure that your Web application is designed to resist session riding attacks (also known as cross-site-posting, cross-site-request-forgery, or luring attacks) before publishing it using the TOE. This is particularly important for Web servers published through the TOE, because clients must use the same trust level for all of the Web sites they access through the publishing TMG firewall.
6.1.4.2 Integrated
The TOE checks if the user is a member of the local user database.
6.1.4.3.1 Configuring the TOE for RADIUS authentication
When you configure the Web listener on TMG, select RADIUS Authentication as the authentication provider. When you add a RADIUS server, you must configure the following:
Server name. The host name or IP address of the RADIUS server.
Secret. The RADIUS client and the RADIUS server share a secret that is used to encrypt messages sent between them. You must configure the same shared secret on TMG and on the RADIUS server.
Authentication port. TMG sends its authentication requests using a User Datagram Protocol (UDP) port on which the RADIUS server is listening. The default value of 1812 does not need to be changed when you are using the default installation of TMG as a RADIUS server.
6.1.4.3.2 Security considerations
The RADIUS User-Password hiding mechanism might not provide sufficient security for passwords. The RADIUS hiding mechanism uses the RADIUS shared secret, the Request Authenticator, and the MD5 hashing algorithm to encrypt the User-Password and other attributes, such as Tunnel-Password and MS-CHAP-MPPE-Keys. RFC 2865 notes the potential need for evaluating the threat environment and determining whether additional security should be used. You can provide additional protection for hidden attributes by using Internet Protocol security (IPsec) with Encapsulating Security Payload (ESP) and an encryption algorithm, such as Triple DES (3DES), to provide data confidentiality for the entire RADIUS message.
Follow these guidelines:
Use IPsec to provide additional security for RADIUS clients and servers.
Require the use of strong user passwords.
Use authentication counting and account lockout to help prevent a dictionary attack against a user password.
Use a long shared secret with a random sequence of letters, numbers, and punctuation. Change it often to help protect your TMG.
When you use password-based authentication, enforce strong password policies on your network to make dictionary attacks more difficult.
Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response on the same connection.
No incoming traffic is allowed, unless a system policy rule (listed previously) that specifically allows the traffic is enabled. The one exception is DHCP traffic, which is allowed by default system policy rules. The UDP Send protocol on port 68 is allowed from all networks to the Local Host network. The corresponding UDP Receive protocol on port 67 is allowed.
VPN remote access clients cannot access TMG. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and TMG exits lockdown mode. For example, if you physically move a network segment and reconfigure TMG to match the physical changes, the new topology is in effect only after TMG exits lockdown mode.
TMG does not trigger any alerts.
3. On the Tasks tab, click Edit Selected Rule.
4. On the Protocols tab (for an access rule), click Filtering, and then click Configure RPC protocol.
5. On the Protocol tab, select Enforce strict RPC compliance, if no RPC protocols should be allowed.
Important
When you publish an RPC interface where there is a route network relationship between networks, port overriding is ignored. The publishing rule will use the original IP address or port. When you disable the Enforce strict RPC compliance option, DCOM traffic and other RPC protocols will be allowed. After you click Apply in the details pane, the policy is updated. The new policy applies only to new connections.
You cannot upload FTP content from a Web Proxy client. Remote directory and file management actions also fail. After you click Apply in the details pane, the policy is updated. The new policy applies only to new connections.
6. In Maximum Length, type the maximum length of the command line for the commands.
Important
To add a new command, click Add and type the command name in SMTP Command Rule. When a client uses a command that is defined but disabled, the filter closes that connection. When a client uses a command that is unrecognized by the SMTP filter, no filtering is performed on that message. Only commands on incoming traffic are filtered by the SMTP filter. Only simple SMTP commands can be added. If a client uses the TURN command, all e-mail messages will be dropped by the filter. The RFC considers the AUTH command as part of the MAIL FROM command. For this reason, the SMTP filter blocks MAIL FROM commands only when they exceed the length of the MAIL FROM and AUTH commands issued (when AUTH is enabled). For example, if you specify a maximum length of MAIL FROM as 266 bytes and AUTH as 1,024 bytes, the message will be blocked only if the MAIL FROM command exceeds 1,290 bytes.
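The following is an added Python model of the command and length rules just described; it is not the TMG SMTP filter's own code. The rule table is a constructed sample using the 266-byte and 1,024-byte limits quoted above (the RCPT TO and TURN entries are made up), and it assumes the "length of the command line" means the octets of the line without the trailing CRLF.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Verdict(Enum):
    ALLOW = "allow"            # command defined, enabled and within its limit
    BLOCK = "block"            # command defined and enabled but too long: message blocked
    CLOSE = "close"            # command defined but disabled: the filter closes the connection
    UNFILTERED = "unfiltered"  # command unknown to the filter: no filtering performed


@dataclass
class CommandRule:
    max_length: int   # maximum length of the command line, in octets
    enabled: bool = True


class SmtpCommandFilter:
    def __init__(self, rules: Dict[str, CommandRule]):
        # Upper-case command names, tried longest first so that "MAIL FROM"
        # is matched before any shorter prefix such as "MAIL".
        self.rules = {name.upper(): rule for name, rule in rules.items()}
        self._order = sorted(self.rules, key=len, reverse=True)

    def effective_limit(self, cmd: str) -> int:
        limit = self.rules[cmd].max_length
        # The AUTH budget is added to MAIL FROM while AUTH is enabled, as the text describes.
        if cmd == "MAIL FROM":
            auth = self.rules.get("AUTH")
            if auth is not None and auth.enabled:
                limit += auth.max_length
        return limit

    def inspect(self, line: bytes) -> Verdict:
        text = line.rstrip(b"\r\n")
        cmd = next((c for c in self._order if text.upper().startswith(c.encode())), None)
        if cmd is None:
            return Verdict.UNFILTERED
        if not self.rules[cmd].enabled:
            return Verdict.CLOSE
        if len(text) > self.effective_limit(cmd):
            return Verdict.BLOCK
        return Verdict.ALLOW


# Constructed sample rule set; only the MAIL FROM and AUTH limits come from the text.
SAMPLE_FILTER = SmtpCommandFilter({
    "MAIL FROM": CommandRule(266),
    "RCPT TO": CommandRule(266),
    "AUTH": CommandRule(1024),
    "TURN": CommandRule(4, enabled=False),  # defined but disabled: connection is closed
})
```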
Data submitted via this page is encrypted using the Secure Sockets Layer protocol.
2. Alternatively, the email address secure@microsoft.com can be used. Mail to this address can be encrypted using PGP5.
3. The customer can contact Microsoft Services for additional support (http://www.microsoft.com/services/microsoftservices/default.mspx).
Regardless of the method used to initially contact the MSRC or Microsoft Services, subsequent communications typically take place via email, using the secure@microsoft.com email address. When requested, MSRC can also conduct these communications via telephone or other methods.
7.2 How to get informed about Security Flaws and Flaw Remediation
A security update that is issued by the MSRC is always accompanied with a bulletin. The bulletin contains the information that Microsoft makes available for the customers so that they can take a decision whether to install the fix and on what systems. Every bulletin comes with a rating to reflect its criticality (four levels). A KB is also provided but it is mostly a pointer to the bulletin article. The public page with Microsoft bulletins is located at http://www.microsoft.com/security/bulletins/default.mspx
The original finder of the problem is kept in the picture throughout the process, if he chooses. MSRC manages the communication with the reporter throughout the process.
Security updates typically can be installed on the current service pack and the previous one. However, this is only a general rule. If the previous service pack is more than two years old, the patch may be limited to only the current service pack. Conversely, if several service packs have been released in short order, the patch may install on additional ones. The security patch will be included automatically in the next service pack. Service packs, and patches, are generally available for the previously released service pack. The security bulletin will always provide specific information on the service pack requirements for the patch.
All security bulletins for Microsoft products are available at http://www.microsoft.com/technet/security/current.aspx , and newly released bulletins are highlighted on the http://www.microsoft.com/security , http://www.microsoft.com/technet/security , and http://www.microsoft.com/isaserver Web sites. In addition, Microsoft offers a free service through which customers can receive a technical or non-technical bulletin synopsis by email. Customers can sign up for the mailer at https://www.microsoft.com/technet/security/bulletin/notify.mspx.
Microsoft digitally signs the technical synopsis, and the PGP key located at http://www.microsoft.com/technet/security/MSRC.asc can be used to validate the signature. Microsoft security bulletins always discuss the risk the vulnerability poses, the software it affects, and the steps customers can take to eliminate it including, in the case of patches, specific locations for obtaining them. In addition, security bulletins also frequently include a public thank-you to the Finder, subject to the qualification criteria discussed at http://www.microsoft.com/technet/security/bulletin/policy.mspx . Microsoft strongly encourages customers to sign up for the security bulletins.
So the steps to be always informed of security flaws and how to install their remedies are:
1. Signing up for security bulletins (registering to receive bulletins by email)
2. Checking for security bulletins (if not registered)
3. Deciding whether to download and install a remedy
4. Downloading the fix and authenticating the fix
5. Installing the fix/remedy (follow the bulletin description, see above)
8.2 Acronyms
CC: Common Criteria
EAL: Evaluation Assurance Level
FCIV: File Checksum Integrity Verifier
PP: Protection Profile
SFP: Security Function Policy
SSL: Secure Sockets Layer
ST: Security Target
TOE: Target of Evaluation
8.3 Glossary
application filters: Application filters can access the data stream or datagrams associated with a session within the Microsoft Firewall service and work with some or all application-level protocols.
authentication: Authentication is "A positive identification, with a degree of certainty sufficient for permitting certain rights or privileges to the person or thing positively identified." In simpler terms, it is "The act of verifying the claimed identity of an individual, station or originator" [Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)].
Basic authentication: Basic authentication is the standard authentication method for Hypertext Transfer Protocol (HTTP). Although user information is encoded, no encryption is used with Basic authentication.
feature pack: A feature pack contains new product functionality that is distributed outside the context of a product release, and usually is included in the next full product release.
firewall service log: A firewall service log contains entries with connection establishments and terminations.
identification: Identification, according to a current compilation of information security terms, is "the process that enables recognition of a user described to an automated data processing system. This is generally by the use of unique machine-readable names" (Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)).
Microsoft Management Console: The Microsoft Management Console is a configuration management tool supplied with Windows that can be extended with snap-ins.
NTLM: NTLM is an authentication scheme used by Microsoft browsers, proxies, and servers (Microsoft Internet Explorer, Internet Information Services, and others). This scheme is also sometimes referred to as the Windows NT Challenge/Response authentication scheme or Integrated Windows authentication.
packet filter log: A packet filter log file contains records of packets that were dropped or allowed.
port number: A port number identifies a certain Internet application with a specific connection.
publishing rules: Using publishing rules, you can publish virtually any computer on an internal network to the Internet (see Web publishing and server publishing).
SSL: SSL is a protocol that supplies secure data communication through data encryption and decryption. SSL enables communications privacy over networks.
server publishing: Server publishing allows virtually any computer on an internal network to publish to the Internet.
service pack: A service pack contains a cumulative set of all hotfixes, security updates, critical updates, and other updates created by Microsoft since the release of the product, together with fixes for defects found since then. Service packs may also contain a limited number of customer requested design changes or features.
TMG Server: In this document, TMG Server refers to Microsoft Forefront Threat Management Gateway, except where it explicitly states otherwise.
Web publishing: Web publishing publishes Web content to the Internet.
W3C: W3C develops interoperable technologies (specifications, guidelines, software, and tools) concerning Web technology (http://www.w3c.org).