If you would like to read the next part in this article series please go to An Introduction to Microsoft Forefront (Part 2).
Microsoft has decided to take a proactive security approach for some time now and after much criticism and condemnation from the IT security fraternity, the organization has once again come out with a suite of products that will evolve into day facto standard in most enterprises that already run other Microsoft products. Some of the security products that Microsoft have in the security suite like Microsoft ISA 2006 we are already familiar with, however a new wave of server and client security software is promised later in 2006 and early in 2007.
Microsoft has re-branded its security portfolio to Forefront, this includes ISA 2006, Antigen Antivirus and anti-spam solution as well as the client security offering. Forefront has particular focus on Edge security, server security, client security and access control, included in this is the identity management product that will incorporate into Active directory MIIS (Microsoft Identity Integration Server). This product not only controls user access but applications developed by the organization can also be controlled like users.
Forefront was designed to simplify the security deployment and to consolidate management of security products all under one console and reporting using one backend MS SQL.
Threat Matrix
Because threats have become profit motivated, it is time organizations take their security more seriously. Many people think that organizations and in the frame of reference banks and financial institutions come to mind, when in actual fact all organizations that deal with customers should take security seriously as customer data and information regarding the customer can be used against the customer or the organization.
For example when a customer buys a car from Dealer X, all the client information is captured into the client database at Dealer X. Dealer X decides to get a wireless access point for internet access, a passerby discovers the access point and that no security has been used in the implementation of the solution. The passerby has an agenda and would like to get information that is stored on the database. With a free sniffer, downloaded off the internet, the passerby discovers that information flowing on the LAN is in clear text, combine with that, the username and password to the database. The passerby connects to the database, copies it for later access and the clients’ details are now on the passerby’s computer. Unlikely you may think, but I have known of such companies in the local market that I am part of. All of which can be remedied by Forefront, technology this organization already owns.
(Courtesy of Microsoft)
Figure 1: Depicts how Forefront, depicted in BLUE, fits into the Microsoft product portfolio
Microsoft asks the consumer for feature set
After much analysis it seems that Microsoft have innovated a suite of products that fit the requirements of most organizations that require protection for their Microsoft environments. From unified security view of the network to a common security vulnerability checker for Microsoft products.
Addressing the CIA
Confidentiality, integrity and availability: the three security pillars. How does Forefront fit into CIA? In terms of confidentiality, encryption will be the method that will be used to keep files confidential. This is possible with EFS (Encryption file system) using certificates that you need to make a backup of in case you lose the certificate that you initially used. For more information about this, visit http://support.microsoft.com/kb/307877, http://support.microsoft.com/kb/223316/en-us.
There are more articles about encryption to be found on our site http://www.windowsecurity.com/articles_tutorials/authentication_and_encryption/
In terms of integrity, the security professional will need to ensure that access to information is controlled and regulated. Periodic monitoring of file and data access is important as this ensures that the data is not tampered with. Strict access control and data classification can help with this. With Microsoft’s authentication technologies, strong authentication mechanism can be achieved and centrally controlled. Included in this approach, the security professional can use windows rights management services to ensure that only users with rights can manipulate files implicitly allowed.
Availability is imposed by implementing strong monitoring mechanisms like MOM that notify the security professionals of downtime and factors like events that may cause downtime like disc space utilization and firewall service availability. If your systems are unavailable due to uncontrolled factors like unplanned downtime because of issues like hacking, defacement, power interruption etc… they are not secured. Downtime can impact customer relationships and can negatively impact productivity.
How do they do it
Beta testing, surveys and HoneyMonkeys are the answer. HoneyMonkeys? You say this, precisely what the strider project is about down at the Microsoft researcher labs? HoneyMonkeys are virtual machines that have been setup by researches at the labs that have different patch levels on them and that interact automatically with the websites hosting malicious code simulating user activity. This is similar to a honeypot but more interactive, thus called a HoneyMonkey. More on Honeymonkeys in future articles. Visit http://research.microsoft.com/HoneyMonkey/ for more information on HoneyMonkeys.
Microsoft reported at Tech-Ed 2006 that there were 2.7 billion executions of the newly released malware detection product. Seems like this anti-malware product is popular. Included in this is a EULA (End User License Agreement) that the user accepts and after which, no user identifiable information is sent back to Microsoft except information about the malware detected and the locale of where this happened. This information transaction has to comply with strict privacy policies and the information is analyzed and reported on to produce as statistical reference that helps in combating future infections of such outbreaks. More information and a video can be viewed at the website link below:
New problems old solutions?
By now I am sure you are asking what the benefits are of the Forefront. Forefront promises to centrally manage Microsoft security with a dashboard type view. This will include information like patching level of client machines as well as information of the security or lack of security configuration of each client machine. Unified reporting and console management for glance view control seems to be the order of the day with Forefront.
What about MOM?
There are certain key elements that a security professional needs to monitor on an ongoing basis to ensure that the network is running free of compromises. Intruders often target the log files and audit logs because they know that, if an experienced security professional reads the logs, they might be suspected or even traced. Most of the time it is a tedious process to read the logs as they are not central and spread over many computers. This can take a considerable amount of time especially when filtering out the noise. Furthermore, if there is no record that a specific action took place it becomes incredibly challenging to prove that the action in fact took place. It is important to establish key security trends.
Looking for a monitoring application that has customizable log consolidation capabilities is important as this will help the security professional consolidate the logs on a daily basis to get the exact information that you will be looking for. The world of software automation has saved security administrators millions of hours. Reporting regularly should highlight the events that pertain to your specific network environment. Failed logons, bad user names or passwords, account lockouts, logon after certain typical periods (like in the middle of the night), and failed resource access events all point to potential security risks and these events should be investigated and validated with the users concerned. Products like MOM from the Microsoft Forefront security suite help in this regard.
Management packs for ISA 2006, antigen and Forefront are included for monitoring using MOM. As MOM becomes more and more scalable, Microsoft provides management packs for different software. This is the case for the security software that forms part of the Forefront Security Suite. These management packs help when monitoring environment variables but, be warned, special attention needs to be paid to configuring MOM correctly to achieve the results you want when monitoring your organization. There are no silver bullets or holy grails, it’s more a combination of strategies and security systems that help with defense in-depth.
Malware, spyware, greyware
With signature updates and new alerting functionality, Microsoft has a new system that can inform the security professional of potential issues. Included in the suite is the long awaited malware, spyware remover. Because Microsoft built the OS, the new removal tool knows what should be installed and what should not so restoration of normality is promised to be a click away.
Summary
As security gets built into the technology solutions IT professionals provide, it becomes important to find ways to consolidate and to innovate time saving administration options. This is what Microsoft is promising to do with Forefront in the next few years starting with products they already have that integrate security into your environment. In this part one of Microsoft Forefront, we looked at some of the products like MOM that form part of the new, consolidated, simple to implement security suite from Microsoft. In the second article we will take a look at the remaining products that complete the security suite.
If you would like to read the next part in this article series please go to An Introduction to Microsoft Forefront (Part 2).
