TMG Runs IIS 7 -- Is This a Security Issue?
Tarek Majdalani (who runs the great http://www.elmajdal.net/ Web site) brought up an interesting question today regarding the next version of the ISA Firewall, the Forefront Threat Management Gateway (Forefront TMG). He mentioned whether we were going to have problems with the fact that IIS 7 is installed on the TMG, given that we've been so vehement on ISAserver.org that you should never install the WWW service on the ISA Firewall.
The reason why we so strongly recommend that you don't place the WWW service on the firewall is that in the past, the only reason to do so was to run a Web site on the firewall. Since the ISA firewall security model is broken when you install extraneous services on the firewall, we recommended that you never do so. Exposing the ISA firewall via a Web site that's accessible to connections from clients on any network significantly increases the attack surface.
The reason why IIS is installed on the TMG firewall is that it's required to support SQL reporting services, which is what the TMG firewall uses to create the TMG firewall reports. However, if you look at the IIS configuration, you'll see that the only binding is for TCP port 8008 which is used for local access to the SQL reports.
More importantly, there are no rules that allow connections to the local IIS Web server, so the Web server is not exposed to external (non-local host) connections. So, for all practical purposes, the Web server is not accessible except to the TMG Firewall and locally logged on users. This means there is no practical increase in the attack surface on the TMG due to the IIS 7 installation.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP — Microsoft Firewalls (ISA)