Administration Best Practices for the Forefront Threat Management Gateway (TMG) 2010 Firewall
Historically, some believed that a firewall built on a general-purpose operating system such as Microsoft Windows could not be secure. With a mature Security Development Lifecycle (SDL) in place, a well-defined vulnerability notification and patch management process, and the long track record of security and reliability of Microsoft ISA Server and Forefront Threat Management Gateway (TMG), that belief has not held up. The Forefront TMG firewall running on Windows Server 2008 R2 is arguably more secure than many of its competitors today.
The overall security of the solution can be enhanced, and the TMG firewall's attack surface further reduced, by adhering to some common administrative best practices. When establishing a management policy for your TMG firewalls, enforce the principle of least privilege as much as possible. The following recommendations will help accomplish this:
Administrative Best Practices
Restrict assignment of the Forefront TMG Array Administrator role – The TMG Array Administrator role grants full administrative rights for the array to any user or group to which it is assigned. When TMG is installed, the built-in Windows local Administrators group is assigned this role by default (along with the user who installed the TMG software).
It is common for the Domain Admins global group to be a member of the local Administrators group, which means every domain administrator inherits full administrative rights on your TMG firewall. Not exactly a good idea. For optimum security, remove the local Administrators group from the Forefront TMG Array Administrator role and define its members explicitly, using individual Active Directory user accounts rather than groups. Why individual users and not groups? Because this gives TMG firewall administrators explicit control over who has full administrative access on the TMG firewall. Defining Array Administrators by user rather than by group prevents a domain administrator from gaining access to your TMG firewall simply by adding a user to a domain group that holds the role. Note that this raises the bar rather than eliminating the risk: anyone who can reset the password of one of those individual accounts can still take it over, so the accounts themselves need to be monitored as well. If you must use domain groups to define your TMG administrators, consider using Restricted Groups in Group Policy to enforce their membership.
Restrict assignment of the Forefront TMG Enterprise Administrator role – The TMG Enterprise Administrator role grants full administrative rights to the entire enterprise, including every array within it, to any user or group to which it is assigned. When the TMG Enterprise Management Server (EMS) is installed, the built-in Windows local Administrators group is assigned this role by default (along with the user who installed the TMG EMS software).
It is recommended that the built-in Administrators group be removed from this role for the same reasons given above for the TMG Array Administrator role.
Use dedicated administrative accounts – Use Active Directory accounts that are dedicated exclusively to administering the TMG firewall, and avoid using those accounts to administer other systems. They should be subject to a strict password policy that enforces long, complex passwords with a short lifetime. If your domain functional level is Windows Server 2008 or higher, fine-grained password policies can be used to enforce these settings on just those accounts automatically.
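The following script is an added example, not code from the original article or from Microsoft, that audits the two things the array and enterprise role recommendations above depend on: who is actually in the local Administrators group on a TMG host (and therefore inherits the role by default), and which accounts TMG itself lists as role holders. The account names in the approved list are assumptions. The local-group part uses the ADSI WinNT provider and runs on Windows Server 2008 R2 / PowerShell 2.0 with nothing extra installed; the TMG part uses the FPC.Root COM administration object, and the AdminSecurity/AdminAccounts/Account/Role member names are recalled from the ISA/TMG SDK object model and should be confirmed against the TMG SDK before you rely on them.

```powershell
# Added example (not from the original article): audit effective TMG admin rights.
# Run in an elevated PowerShell session on the TMG array member (or on the EMS
# host for the enterprise role). Names in $approved are assumptions.

$approved = @('jsmith-tmg', 'ajones-tmg')   # assumed dedicated TMG admin accounts (sAMAccountName)

# 1. Members of the local Administrators group, via the ADSI WinNT provider.
$localAdmins = [ADSI]"WinNT://./Administrators,group"
$members = @($localAdmins.psbase.Invoke('Members') | ForEach-Object {
    $t = $_.GetType()
    New-Object PSObject -Property @{
        Name  = $t.InvokeMember('Name',    'GetProperty', $null, $_, $null)
        Class = $t.InvokeMember('Class',   'GetProperty', $null, $_, $null)   # 'User' or 'Group'
        Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)   # e.g. WinNT://CONTOSO/Domain Admins
    }
})

"== Local Administrators on $env:COMPUTERNAME =="
foreach ($m in $members) {
    if ($m.Class -eq 'Group') {
        # A nested group (typically Domain Admins) means every member of it inherits
        # the Array/Enterprise Administrator role while local Administrators holds it.
        "NESTED GROUP  {0}  (all members inherit the TMG admin role)" -f $m.Path
    } elseif ($approved -notcontains $m.Name) {
        "UNEXPECTED    {0}  (not on the approved list)" -f $m.Path
    } else {
        "ok            {0}" -f $m.Path
    }
}

# 2. TMG's own role assignments through the FPC.Root COM object.
#    ASSUMPTION: AdminSecurity.AdminAccounts with Account/Role properties, as in the
#    ISA/TMG SDK object model; verify against the SDK. Role is reported as the raw
#    enumeration value because the numeric mapping is not asserted here.
try {
    $root  = New-Object -ComObject 'FPC.Root'
    $array = $root.GetContainingArray()
    "== TMG role assignments for array '$($array.Name)' =="
    foreach ($acct in $array.AdminSecurity.AdminAccounts) {
        "{0,-40} role={1}" -f $acct.Account, $acct.Role
    }
} catch {
    Write-Warning "Could not read TMG role assignments via FPC.Root: $_"
}
```

Any line flagged NESTED GROUP or UNEXPECTED is a role holder you did not explicitly choose; fix it in the TMG console (remove the Administrators group from the role, add the individual accounts) and, if the local group itself has drifted, correct its membership or enforce it with Restricted Groups.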
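As an added example (not part of the original article), this is how the strict password policy for the dedicated accounts can be enforced with a fine-grained password policy object (PSO). It needs the Active Directory PowerShell module (a Windows Server 2008 R2 domain controller or RSAT) and a domain functional level of Windows Server 2008 or higher. The policy name, the group name, and the specific values (20 characters, 30-day lifetime, lockout after 5 failures) are assumptions chosen for illustration; the group is assumed to contain only the dedicated TMG administrative accounts.

```powershell
# Added example (not from the original article): a PSO for dedicated TMG admin accounts.
Import-Module ActiveDirectory

$policyName = 'PSO-TMG-Admins'          # assumed PSO name
$adminGroup = 'TMG-Firewall-Admins'     # assumed global group holding only the dedicated accounts

# Long, complex, short-lived passwords with lockout. Precedence decides which PSO wins
# if an account is covered by more than one (lower number wins), so keep it low.
New-ADFineGrainedPasswordPolicy -Name $policyName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Bind the PSO to the group; members get it instead of the domain default policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $adminGroup

# Verify the resultant policy for every dedicated account really is this PSO.
Get-ADGroupMember -Identity $adminGroup | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    "{0,-25} -> {1}" -f $_.SamAccountName, $pso.Name
}
```

The verification step matters: a PSO applies only to users and global security groups listed as its subjects, so an account added to the wrong group, or a user covered by a lower-numbered PSO, silently keeps a different policy.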
Manage the TMG firewall using a dedicated, isolated workstation – Configure a dedicated workstation to use for TMG firewall management. Install the TMG management console on this machine and manage your TMG firewalls from it remotely. Log on to this workstation with your dedicated TMG administrative account only; local security policy should prevent logging on with other accounts. This workstation should be locked down, not be remotely accessible, and have no access to the Internet. Preferably, multi-factor authentication (smart card or token) should be required to access this management system.
Restrict membership of the Remote Management Computers network object – Limiting the members of the Remote Management Computers network object is essential to reducing the attack surface of the TMG firewall. By default, hosts included in the Remote Management Computers object have access to many services running on the TMG firewall, including RDP, NetBIOS, RPC, ICMP echo (ping), and more. Exposing these services presents a level of risk that can be significantly reduced by restricting access to this group. Ideally this group will include only your dedicated administrative workstation.
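Below is an added example (not from the original article) of applying the workstation lockdown described above with a security template and secedit.exe: only the dedicated account (plus the built-in local Administrators group, as a console-only recovery path) may log on interactively, remote interactive and network logons are denied to Everyone so the box cannot be reached over RDP or SMB/RPC, and smart card logon is required. The account name and file paths are assumptions; the registry value names are the standard ones behind the "Interactive logon: Require smart card" and "Do not display last user name" security options.

```powershell
# Added example (not from the original article): lock down the TMG management workstation.
# Run elevated on the workstation itself. CONTOSO\jsmith-tmg and the paths are assumptions.
$adminAccount = 'CONTOSO\jsmith-tmg'    # the single dedicated account allowed to log on here

# Security template in secedit INF format. *S-1-5-32-544 = local Administrators,
# *S-1-1-0 = Everyone. `$ escapes keep $CHICAGO$ literal inside the here-string.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
; Allow log on locally: only the dedicated TMG admin and local Administrators (recovery).
SeInteractiveLogonRight = $adminAccount,*S-1-5-32-544
; Not remotely accessible: deny RDP and network (SMB/RPC) logon to Everyone.
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
SeDenyNetworkLogonRight = *S-1-1-0
[Registry Values]
; Interactive logon: Require smart card (REG_DWORD = 1)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption=4,1
; Interactive logon: Do not display last user name (REG_DWORD = 1)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
"@

$inf = Join-Path $env:TEMP 'tmg-mgmt-ws.inf'
$db  = Join-Path $env:TEMP 'tmg-mgmt-ws.sdb'
$log = Join-Path $env:TEMP 'tmg-mgmt-ws.log'
$template | Set-Content -Path $inf -Encoding Unicode

# USER_RIGHTS covers [Privilege Rights]; SECURITYPOLICY covers [Registry Values].
secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS SECURITYPOLICY /log $log
Get-Content $log | Select-Object -Last 5
```

Denying network logon to Everyone also blocks your own remote tools and any agent that pushes to this host, which is the intent, but it means patches and console updates arrive by removable media or a pull from an internal distribution point initiated from the workstation. Test the template on a lab machine first: a mistake in SeInteractiveLogonRight can lock everyone out of the console, and the only way back in is the local Administrators entry kept in that line. Outbound connections from the console to the TMG firewall are unaffected.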
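The check that goes with the recommendation above, as an added example (not from the original article): run it from an internal host that is not in the Remote Management Computers object and confirm that the services the text lists (RPC, NetBIOS, SMB, RDP, ping) are all unreachable. The TMG address and the port list are assumptions; the script uses only .NET sockets and Test-Connection, so it runs on PowerShell 2.0 without extra modules.

```powershell
# Added example (not from the original article): probe TMG management services
# from a host that should NOT be able to reach them. 10.0.0.1 is an assumed address.
$tmg   = '10.0.0.1'
$ports = @{ 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'; 445 = 'SMB'; 3389 = 'RDP' }

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # dropped (timeout)
        $client.EndConnect($ar)                                                    # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in ($ports.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $p
        Service = $ports[$p]
        Open    = (Test-TcpPort -Target $tmg -Port $p)
    }
}
$results | Format-Table Port, Service, Open -AutoSize

$pingAnswered = Test-Connection -ComputerName $tmg -Count 2 -Quiet
"ICMP echo answered: $pingAnswered"

if (($results | Where-Object { $_.Open }) -or $pingAnswered) {
    Write-Warning "Management services are reachable from $env:COMPUTERNAME; it is not in Remote Management Computers, so tighten the object or the system policy rules that reference it."
} else {
    "All probes failed from $env:COMPUTERNAME, as expected for a non-management host."
}
```

Run the same script once from the dedicated management workstation as a positive control; if RDP or RPC is closed from there too, the problem is elsewhere (system policy disabled, host firewall) rather than in the network object.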
Limit network access for management agents – Often the TMG firewall will require the installation of Microsoft or third-party system management agents. Avoid creating overly broad access policies that allow agent communication to or from entire networks or subnets. Firewall policy should restrict agent communication to only those systems required.
Things to Avoid
Do not use the TMG firewall as a workstation – Avoid using the web browser on TMG for general Internet browsing, conducting Internet searches, or downloading hotfixes and/or updates. Hotfixes/updates or any other software to be installed on the TMG firewall should be downloaded from a regular workstation (not your management workstation – it shouldn’t have access to the Internet!) where the files can be scanned before uploading and installing on the TMG firewall.
Do not use the TMG firewall for day-to-day management and operation – It is best to install the TMG management console on a dedicated administration workstation, as mentioned earlier. In general, it is a good idea to limit interactive console logons on the TMG firewall as much as possible.
Do not install third-party administration tools on the TMG firewall – Many third-party integration components for the TMG firewall include their own management software, sometimes implemented using an HTTP server such as IIS, Apache, or other proprietary software. Software such as this is particularly troublesome, as it increases the attack surface of the TMG firewall and introduces an additional potential attack vector. If possible, third-party administration software should not be installed on the TMG firewall itself. It should be installed on an external system, preferably your dedicated management workstation.
Do not create file shares on the TMG firewall – In previous versions of ISA server, the product installation would automatically create a file share for Firewall Client distribution. Thankfully this option was later removed from the product to discourage this poor security practice. The TMG firewall is just that – a firewall. It should not be used as a file server under any circumstances. If remote access to the file system is required, for example to retrieve text file logs, this should be done using a third-party logging utility such as Epilog, ArcSight, or Splunk.
Do not install infrastructure services on the TMG firewall – It is never a good idea to install infrastructure services such as DNS, DHCP, Certificate Services, etc. on the TMG firewall. In many cases, installing these services results in an unsupported configuration. Even where supported, running them on the TMG firewall increases the overall attack surface and introduces additional attack vectors. They will require patching far more often than a dedicated TMG firewall, resulting in more system downtime. They also consume additional system resources (CPU, memory, network, and disk) and can reduce the overall stability and performance of the firewall.
A properly configured Forefront TMG firewall, running the latest Windows network operating system with system hardening and attack surface reduction implemented, is a secure, effective, and reliable firewall and secure web gateway. The overall security of the solution can be further improved by following the administrative best practices outlined in this article. Diligently enforcing the principle of least privilege by restricting the assignment of the TMG array and enterprise administrator roles, using dedicated administrative accounts on isolated management workstations, restricting membership of the Remote Management Computers network object, and limiting network access for TMG management agents will further reduce the TMG firewall's attack surface. In addition, avoiding poor security practices such as using the TMG firewall as a workstation, installing third-party administration tools, creating file shares, or installing infrastructure services on the TMG firewall will provide even more security benefits.