
Page 1: MS_TMG_ADD_1.1

Forefront TMG 2010 Common Criteria Evaluation Guidance Documentation Addendum

Microsoft Forefront Threat Management Gateway Team

Author: Vladimir Holostov, Microsoft Corp.

Nady Gorodetsky, Microsoft Corp.

Stephan Slabihoud, TÜViT GmbH

Version: 1.1

Last Saved: 2010-12-13

File Name: MS_TMG_ADD_1.1.docx

Abstract

This document is the Guidance Documentation Addendum of Forefront TMG Standard Edition and Enterprise Edition.

Keywords

CC, TMG, Common Criteria, Firewall, Guidance Documentation Addendum


Guidance Documentation Addendum Page 2/79



Table of Contents

Page

1 INTRODUCTION TO THE GUIDANCE ADDENDUM ....................................................... 6

1.1 Scope ......................................................................................................................... 6

1.2 Security functionalities and Associated Chapters ....................................................... 7

1.3 Warnings about Functions and Privileges ................................................................... 8

1.4 Installation of the evaluated TMG 2010 Standard Edition ........................................... 8

1.4.1 Installation Requirements ....................................................................................... 8

1.4.2 Installation Procedures ........................................................................................... 9

1.5 Installation of the evaluated TMG 2010 Enterprise Edition ....................................... 26

1.5.1 Installation Requirements ..................................................................................... 26

1.5.2 Installation Procedures ......................................................................................... 27

2 SECURITY FUNCTIONALITIES ..................................................................................... 45

2.1 SF1 - Web Identification and Authentication ............................................................. 45

2.2 SF2 - Information Flow Control ................................................................................. 47

2.3 SF3 - Audit ............................................................................................................... 47

2.4 Administration-Related Interfaces ............................................................................. 48

2.5 TOE User Interfaces ................................................................................................. 48

3 OPERATIONAL ENVIRONMENT ................................................................................... 49

3.1 Assumptions ............................................................................................................ 49

3.2 Organizational Security Policies ............................................................................... 50

3.3 Security Objectives for the Environment ................................................................... 50

3.4 Requirements for the Operational Environment ........................................................ 51

4 SECURITY-RELEVANT EVENTS ................................................................................... 57

5 TOE INTEGRITY ............................................................................................................. 58

5.1 Integrity of the DVD-ROM content and ISO image ................................................... 58

5.1.1 Steps in order to ensure the integrity of Forefront TMG 2010 (Volume Licensing - Standard Edition and Enterprise Edition) .................. 58

5.1.2 Steps in order to ensure the integrity of Forefront TMG 2010 (Boxed version - Standard Edition only) .................. 59

5.2 Integrity of the Package ............................................................................................ 61

5.3 Version Number for the TOE .................................................................................... 62

6 ANNOTATIONS .............................................................................................................. 64

6.1 Authentication methods ............................................................................................ 64

6.1.1 Single Sign On ...................................................................................................... 64

6.1.2 Authentication Process ......................................................................................... 65

6.1.3 Client Authentication Methods for Receipt of Client Credentials ............................ 66

6.1.4 Methods for Validation of Client Credentials ......................................................... 67

6.1.5 Authentication Delegation ..................................................................................... 68

6.2 Lockdown Mode ....................................................................................................... 69

6.2.1 Affected functionality ............................................................................................. 70

6.2.2 Leaving lockdown mode ....................................................................................... 70


6.3 Configure RPC Filtering ........................................................................................... 70

6.4 Configure FTP Filtering ............................................................................................ 71

6.5 Configure SMTP Filtering ......................................................................................... 71

7 FLAW REMEDIATION GUIDANCE ................................................................................ 73

7.1 How to report detected security flaws to Microsoft .................................................... 73

7.2 How to get informed about Security Flaws and Flaw Remediation ........................... 74

7.3 Installing a remedy ................................................................................................... 75

7.4 Authentication of a Fix .............................................................................................. 76

8 REFERENCES AND GLOSSARY .................................................................................. 77

8.1 References ............................................................................................................... 77

8.2 Acronyms ................................................................................................................. 78

8.3 Glossary ................................................................................................................... 78


List of Tables

Table 1.1 – Security functionalities and associated chapters .................................................... 7

Table 1.2 – Warnings about functions and privileges ................................................................ 8

Table 3.1 – Assumptions for the IT environment and intended usage ..................................... 49

Table 3.2 – Security policies addressed by the TOE .............................................................. 50

Table 3.3 – Security objectives for the operational environment ............................................. 50

Table 4.1 – Security-relevant events ...................................................................................... 57

List of Figures

Figure 2.1 – Error messages .................................................................................................. 46

Figure 5.1 – Example of Integrity check I (successful) ............................................................ 61

Figure 5.2 – TMG 2010 Standard Edition (Box) ...................................................................... 61

Figure 5.3 – Version number of TMG 2010 Standard Edition.................................................. 62

Figure 5.4 – Version number of TMG 2010 Enterprise Edition ................................................ 62

Figure 5.5 – Identifying TMG 2010 Enterprise Edition ............................................................ 63

Figure 7.1 – Installation Instructions for Security Bulletin (example) ....................................... 75


1 Introduction to the Guidance Addendum

This document is required by Common Criteria for the Microsoft® Forefront Threat Management Gateway (TMG)¹ Standard Edition and Enterprise Edition evaluation. The document should be used by any administrator who wants to ensure that the deployed TMG 2010² is the evaluated version (see [ST]). It is an addendum to the manual [MSTMG], which is delivered with TMG 2010.

1.1 Scope

This document extends the TMG 2010 manual [MSTMG] and provides the information required for the TMG 2010 Common Criteria evaluation.

The evaluated Guidance Documentation ([MSTMG] and this document) is valid for TMG 2010 Standard Edition and TMG 2010 Enterprise Edition. The software version is 7.0.7734.100 for both evaluated configurations.

¹ short: "TMG"

² "TMG 2010" refers to both configurations, "TMG 2010 Standard Edition" and "TMG 2010 Enterprise Edition".


1.2 Security functionalities and Associated Chapters

The relevant chapters for each security functionality are summarized in the following table.

Table 1.1 – Security functionalities and associated chapters

Security functionality (see [ST]) / Relevant chapters

SF1 – Web Identification and Authentication
  [MSTMG] Forefront TMG Planning and Design > Access design guide for Forefront TMG > Planning for publishing > About publishing Web servers > About authentication in Web publishing
  See Chapter 6.1

SF2 – Information Flow Control
  Access Rules:
  [MSTMG] Forefront TMG Operations > Setting up access to the Internet and corporate resources > Configuring firewall policy > Creating an access rule
  (Mail) Server Publishing Rules:
  [MSTMG] Forefront TMG Operations > Setting up access to the Internet and corporate resources > Configuring firewall policy > Creating a firewall policy
  Web Publishing Rules:
  [MSTMG] Forefront TMG Operations > Setting up access to the Internet and corporate resources > Configuring firewall policy > Creating a firewall policy
  System Policy:
  [MSTMG] Forefront TMG Planning and Design > Access design guide for Forefront TMG > Planning to control network access > About system policy
  Application Filter:
  Configure RPC Filtering > see Chapter 6.3
  Configure FTP filtering > see Chapter 6.4
  Configure SMTP filter buffer overflow thresholds > see Chapter 6.5
  Web Application Filter:
  [MSTMG] Forefront TMG Operations > Protecting your networks > Configuring protection from Web-based threats > Configuring HTTP filtering
  [MSTMG] Forefront TMG Planning and Design > Protection design guide for Forefront TMG > Planning to protect against Web browsing threats > Planning for HTTP filtering
  URL filtering:
  [MSTMG] Forefront TMG Planning and Design > Protection design guide for Forefront TMG > Planning to protect against Web browsing threats > Planning for URL filtering

SF3 – Audit
  [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Monitoring Forefront TMG > Configuring Forefront TMG logs
  [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Monitoring Forefront TMG > Configuring Forefront TMG logs > Querying the Forefront TMG logs
  [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Monitoring Forefront TMG > Configuring Forefront TMG logs > Selecting log fields

Page 8: MS_TMG_ADD_1.1

Guidance Documentation Addendum Page 8/79

1.3 Warnings about Functions and Privileges

The administrator guidance contains warnings about functions and privileges that should be controlled in a secure processing environment. These are listed in the following table.

Table 1.2 – Warnings about functions and privileges

Aspect / Relevant chapters

Warnings
  Each chapter identifies and describes the warnings, the assumptions and the security parameters related to that SF when necessary. The identification and description are made in a complete and consistent way.
  Chapters that contain additional hints mark them as follows:
  Important (marked with a blue sign)
  Caution (marked with a red flag)
  Warning (marked with a yellow sign)

1.4 Installation of the evaluated TMG 2010 Standard Edition

This document provides detailed installation instructions for Microsoft® Forefront Threat Management Gateway 2010 Standard Edition. After installation the server is fully operational.

1.4.1 Installation Requirements

To use TMG Server, you need at least:

A personal computer with a 64-bit dual-core processor.

Microsoft Windows Server® 2008 R2 Standard Edition (English). Also, ensure that no additional software products have been installed on this computer.

2 gigabytes (GB) of memory.

2500 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.

One network adapter that is compatible with the computer's operating system, for communication with the internal network.

One network adapter that is compatible with the computer's operating system, for each additional network connected to the TMG Server computer.

One local hard disk partition that is formatted with the NTFS file system.

Please also check Section 3.4 "Requirements for the Operational Environment".


1.4.2 Installation Procedures

TMG 2010 Standard Edition is composed of the following components:

TMG Management. The console through which the administrator manages the enterprise.

TMG Services. This is the computer that runs the firewall. The computer running TMG Services is connected to a Configuration Storage server, which stores the configuration information.

To install the evaluated version, the administrator must install TMG Services and TMG Management. The following pictures show the step-by-step installation process for TMG 2010 Standard Edition.

Screenshot captions (images not reproduced in this transcript), in installation order:

Start screen
Starting the TMG 2010 Preparation Tool
Accept the license agreement
Choose "Forefront TMG services and Management"
Wait until TMG 2010 has checked the prerequisites on your computer
After the Preparation Tool has finished, call the TMG Installation Wizard
Starting the TMG installation wizard
Accept the license agreement
Enter your user credentials and the product serial number (example)
Install "Forefront TMG services and Management"
Choose the installation path
Specify the address ranges of your internal network (example)
Click on "Next"
Click on "Install"
Wait until TMG 2010 has been installed
After the installation has finished, start the TMG Management wizard
Step 1: Configure your network settings
Click on "Next"
Choose your firewall template (e.g. Edge Firewall)
Configure your internal network adapter (values shown are examples)
Configure your external network adapter (values shown are examples)
Step 1 has finished
Step 2: Configure your system settings
Click on "Next"
Change your host configuration if required
Step 2 has finished
Step 3: Define your deployment options
Click on "Next"
Choose to use the Microsoft Update Service
Click on "Next"
Choose "Customer Feedback" settings
Choose "Telemetry Reporting Service"
Step 3 has finished
Ready to use TMG 2010

1.5 Installation of the evaluated TMG 2010 Enterprise Edition

This document provides detailed installation instructions for Microsoft® Forefront Threat Management Gateway 2010 Enterprise Edition. After installation the server is fully operational.

1.5.1 Installation Requirements

To use TMG Server, you need at least:

A personal computer with a 64-bit dual-core processor.

Microsoft Windows Server® 2008 R2 Standard Edition (English). Also, ensure that no additional software products have been installed on this computer.

2 gigabytes (GB) of memory.

2500 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.

One network adapter that is compatible with the computer's operating system, for communication with the internal network.

One network adapter that is compatible with the computer's operating system, for each additional network connected to the TMG Server computer.

One local hard disk partition that is formatted with the NTFS file system.

Please also check Section 3.4 "Requirements for the Operational Environment".


1.5.2 Installation Procedures

TMG 2010 Enterprise Edition is composed of the following components:

TMG Management. The console through which the administrator manages the enterprise.

TMG Services. This is the computer that runs the firewall. The computer running TMG Services is connected to a Configuration Storage server, which stores the configuration information.

Enterprise Management Server. The computer used for the centralized management of Forefront TMG arrays.

To install the evaluated version, the administrator must install TMG Services and TMG Management. The following pictures show the step-by-step installation process for TMG 2010 Enterprise Edition.

Screenshot captions (images not reproduced in this transcript), in installation order:

Start screen
Starting the TMG 2010 Preparation Tool
Accept the license agreement
Choose "Forefront TMG services and Management"
Wait until TMG 2010 has checked the prerequisites on your computer
After the Preparation Tool has finished, call the TMG Installation Wizard
Starting the TMG installation wizard
Accept the license agreement
Enter your user credentials and the product serial number (example)
Install "Forefront TMG services and Management"
Choose the installation path
Specify the address ranges of your internal network (example)
Click on "Next"
Click on "Install"
Wait until TMG 2010 has been installed
After the installation has finished, start the TMG Management wizard
Step 1: Configure your network settings
Click on "Next"
Choose your firewall template (e.g. Edge Firewall)
Configure your internal network adapter (values shown are examples)
Configure your external network adapter (values shown are examples)
Step 1 has finished
Step 2: Configure your system settings
Click on "Next"
Change your host configuration if required
Step 2 has finished
Step 3: Define your deployment options
Click on "Next"
Choose to use the Microsoft Update Service
Click on "Next"
Choose "Customer Feedback" settings
Choose "Telemetry Reporting Service"
Step 3 has finished
Ready to use TMG 2010


2 Security functionalities

This chapter identifies all security functionalities available to the administrator. The security functionalities are derived from the TMG 2010 security functionalities described in the TMG 2010 Security Target (ST).

For administration, TMG 2010 includes graphical taskpads and wizards. These simplify navigation and configuration for common tasks. These features are embedded in the Microsoft Management Console and do not belong to the TOE; they are provided by the environment.

Warnings

The administrator must ensure that TMG 2010 is installed and used with Windows Server 2008 R2 Standard Edition (English). More details can be found in the Security Target of TMG 2010 [ST].

The administrator has to observe the Security Bulletins to ensure that all available countermeasures are applied.

The administrator should check http://www.microsoft.com/security/ regularly for the latest TMG 2010 service packs and hotfixes.

The administrator should only use programs that are required to administer and operate the firewall. The administrator should not install additional software which may compromise the security of the TOE or the underlying operating system.

2.1 SF1 - Web Identification and Authentication

The TOE can be configured so that only particular users are allowed to access the networks through the TOE, after being authenticated by the configured front-end authentication (e.g. Forms-based authentication).

Forms-based authentication is one of the standard methods of authentication for Hypertext Transfer Protocol (HTTP) transmissions for incoming and outgoing requests. Forms-based authentication itself sends and receives user information in plaintext; no encryption is provided by Forms-based authentication.

Secure Sockets Layer (SSL) encryption has to be used to secure the transferred user identification and authentication credentials, so that these credentials cannot be monitored during transmission to the TOE.

The TOE has been evaluated using Forms-based authentication with SSL encryption for incoming HTTP connections. The TOE verifies whether the user credentials comply with data stored in the local user database or in a remote authentication server using Remote Authentication Dial-In User Service (RADIUS).


Important

When trying to connect via HTTP (not HTTPS) to a Web site that is published using TMG 2010, you receive an error message (see Figure 2.1) when all of the following conditions are true:

The Web listener has any one of the following authentication methods enabled:
o Basic authentication
o RADIUS authentication
o Forms-based authentication

The Web listener is configured to listen for HTTP traffic.

The "Require all users to authenticate" check box is selected for the Web listener, or the Web publishing rules apply to a user set other than the default All Users user set.

You connect to the published Web site by using HTTP instead of HTTPS.

Figure 2.1 – Error messages

When you use HTTP-to-HTTP bridging, TMG 2010 does not enable traffic on the external HTTP port if the Web listener is configured to request one or more of the following kinds of credentials:

Basic authentication
RADIUS authentication
Forms-based authentication

This behavior occurs because these kinds of credentials should be encrypted and must not be sent in plaintext over HTTP. TMG 2010 prevents you from entering credentials in plaintext; when you try to do this, you receive an error message.

If the TMG Web listener has Basic authentication enabled, you receive the following error message:

Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12311)

If the TMG Web listener has RADIUS authentication or Microsoft Outlook Web Access Forms-based authentication (cookie-auth) enabled, you receive the same error message:

Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12311)


Warnings

When using Forms-based authentication, an application on the client computer could cache the password. The user must therefore ensure that the environment is locked when it is unattended.
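The following check is an added example for this addendum; it is not part of [MSTMG] or of the TMG product. It requests a published site over plain HTTP with Python's http.client and classifies the reply against the behaviour described above: the evaluated outcome is a 403 whose body carries TMG error 12311, whereas a 401 with a WWW-Authenticate header or an HTML logon form means credentials would travel in plaintext. The host name and the sample responses are constructed, so the classifier can be exercised offline.

```python
"""Verify that a TMG Web listener refuses credentials over plain HTTP.

Added example for the TMG 2010 guidance addendum (not Microsoft code).
probe() performs the live request; classify_response() holds the logic and
is exercised below on constructed responses, not on captured TMG traffic.
"""
import http.client
import re
from dataclasses import dataclass

# Error number TMG returns when a page must be viewed over SSL (see Figure 2.1).
TMG_SSL_REQUIRED_CODE = "12311"


@dataclass
class Verdict:
    ok: bool
    reason: str


def classify_response(status: int, headers: dict, body: str) -> Verdict:
    """Decide whether a plaintext-HTTP reply would let a client send credentials.

    Pass: 403 with error 12311 (TMG blocked plaintext credentials), or a
    redirect to HTTPS before any authentication takes place.
    Fail: a 401/WWW-Authenticate challenge or a logon form served over HTTP.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    www_auth = lowered.get("www-authenticate", "")
    if status == 401 or www_auth:
        return Verdict(False, f"listener requests credentials over HTTP ({www_auth or '401'})")
    if re.search(r"<input[^>]+type=[\"']?password", body, re.IGNORECASE):
        return Verdict(False, "HTML logon form served over HTTP")
    if status == 403 and TMG_SSL_REQUIRED_CODE in body:
        return Verdict(True, "listener refuses plaintext credentials (403 / 12311)")
    location = lowered.get("location", "").lower()
    if 300 <= status < 400 and location.startswith("https://"):
        return Verdict(True, "redirected to HTTPS before authentication")
    return Verdict(False, f"unexpected response {status}; review listener settings")


def probe(host: str, path: str = "/", port: int = 80, timeout: float = 5.0) -> Verdict:
    """Live check: GET the published site over HTTP and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", errors="replace")
        return classify_response(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


# Constructed sample responses (not captured from a real TMG deployment).
GOOD_DENY = (403, {"Content-Type": "text/html"},
             "<html><body>Error Code: 403 Forbidden. The page must be viewed over a "
             "secure channel (Secure Sockets Layer (SSL)). Contact the server "
             "administrator. (12311)</body></html>")
BAD_BASIC = (401, {"WWW-Authenticate": 'Basic realm="mail.example.test"'}, "")
BAD_FORM = (200, {"Content-Type": "text/html"},
            '<form method="post"><input name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for name, sample in (("good", GOOD_DENY), ("basic", BAD_BASIC), ("form", BAD_FORM)):
        v = classify_response(*sample)
        print(f"{name}: {'PASS' if v.ok else 'FAIL'} - {v.reason}")
    # Against a real listener: print(probe("mail.example.test"))
```

Run probe() from outside the External network against every published host name that uses Basic, RADIUS or Forms-based authentication; any FAIL verdict means the listener or its publishing rule does not enforce the secure connection required by A.SSL.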

2.2 SF2 - Information Flow Control

The TOE combines several security mechanisms to enforce the security policies at different network layers: a rule base for incoming and outgoing requests, Web and application filters, and system security configuration options.

The TOE controls the flow of incoming and outgoing packets and controls information flow at protocol level. This control has to be active before any information can be transmitted through the TOE. Information flow control is subdivided into firewall policy rules that consist of access rules, server publishing rules, mail server publishing rules, Web publishing rules, system policy, Web application filters, application filters, and URL filtering.

2.3 SF3 - Audit

The TOE stores logging information in different logs. The Firewall service log and the Web proxy service log are stored in a SQL Server Express database; the Windows application event log is maintained by the operating system:

Firewall service log
The Firewall log contains records of packets that were dropped at the packet filter level as well as connections that were allowed. It is possible to turn on logging for packets that were permitted to traverse the firewall. Access rules can be configured selectively to create or not to create a log entry when a packet has been blocked or permitted.

Web proxy service log
The Web Proxy log stores one line per HTTP request it receives. Each request (incoming and outgoing) is always logged.

Windows application event log
The Windows application event log stores important system events and failures.

Warning

It must be ensured that there is always enough free disk space. Choosing the right resource and the right parameters for logging is mandatory. Creating logs that are too large or creating too many files can lead to problems. Nevertheless, it is possible to create an alert which will move or delete old or unneeded log files.


2.4 Administration-Related Interfaces

The administrator interacts with the TOE via a Microsoft Management Console snap-in. (The Microsoft Management Console is provided by the IT environment.) The application interacts with the local registry and local file system of the operating system (Windows Server 2008 R2) and finally with the TOE.

The TMG configuration, which is stored in the local registry or the file system (TMG 2010 SE) or stored in ADAM and synchronized with the local registry and file system (TMG 2010 EE), is configured with the MMC.

Warning

By default, policy changes are applied within a time frame of a few seconds, since the relevant configuration data has to be polled. In the Monitoring tab you can check whether the configuration has already been synchronized.

2.5 TOE User Interfaces

There are no user-related manuals provided. (Due to the nature of a firewall product, the filtering process is transparent to the user.)

The network interface is the only external interface available to the user. To protect communication between networks, the TOE has an interface to the network layer of the operating system. Traffic from one network to another network is always passed through the TOE using this interface. All network traffic generated by users has to pass this interface.


3 Operational Environment

The security environment of the evaluated configurations of TMG 2010 is described in the TMG 2010 Security Target [ST] and identifies the threats to be countered by TMG 2010, the organizational security policies, and the usage assumptions as they relate to TMG 2010. The administrator should ensure that the environment meets the organizational policies and assumptions. They are restated here from the Security Target.

3.1 Assumptions

Table 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended usage.

Table 3.1 – Assumptions for the IT environment and intended usage

# / Assumption name / Description

1 A.DIRECT
The TOE is available to authorized administrators only. Any person who has physical access to the TOE and can log on to the operating system is assumed to act as an authorized TOE administrator.

2 A.GENPUR
The TOE stores and executes security-relevant applications only. It stores only data required for its secure operation. Nevertheless, the underlying operating system may provide additional applications required for administering the TOE or the operating system.

3 A.NOEVIL
Authorized administrators are non-hostile and follow all administrator guidance.

4 A.ENV
The operating system implements the following functionality: local identification and authentication of user credentials used for Web publishing (see A.WEBI&A for RADIUS identification and authentication; in case of a successful authentication the TOE analyzes the returned value and allows or denies access to network resources depending on that value), reliable time stamps (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, reliable ADAM implementation (EE configuration only), Network Load Balancing (EE configuration only, disabled by default).

5 A.PHYSEC
The TOE is physically secure. Only authorized personnel have physical access to the system which hosts the TOE.

6 A.SECINST
Required certificates and user identities are installed using a confidential path.

7 A.SINGEN
Information cannot flow between the internal and external networks unless it passes through the TOE.

8 A.WEBI&A
User credentials are optionally verified by a RADIUS server. The RADIUS server returns a value indicating whether a valid account exists or not.
Web Identification & Authentication with a RADIUS server requires that the RADIUS server is placed on the internal network, so that data (user credentials and return values) transferred to and from the RADIUS server is protected by the TOE from external entities.

9 A.SSL
All Web publishing rules which support Forms-based authentication have to be configured by the administrator so that a secure connection is enforced.

10 A.URLFILTER
TMG queries the remotely hosted Microsoft Reputation Service to determine the categorization of a Web site. The download of the Reputation Service data is appropriately secured with respect to integrity and authenticity.

3.2 Organizational Security Policies

Security policies to be fulfilled by the TOE are defined in Table 3.2.

Table 3.2 – Security policies addressed by the TOE

# Policy name Description

1 P.AUDACC Persons must be accountable for the actions that they conduct. Therefore, audit records must contain sufficient information to prevent an attacker from escaping detection.

3.3 Security Objectives for the Environment

Table 3.3 lists the security objectives for the operational environment.

Table 3.3 – Security objectives for the operational environment

# Objective Name Objective Description

1 OE.DIRECT The TOE should be available to authorized administrators only.

2 OE.GENPUR The environment should store and execute security-relevant applications only and should store only data required for its secure operation.

3 OE.NOEVIL Authorized administrators should be non-hostile and should follow all administrator guidance.

4 OE.ENV The operating system should implement the following functionality: local identification and authentication of user credentials used for web publishing (see OE.WEBI&A for RADIUS identification and authentication; in case of a successful authentication the TOE analyses the returned value and allows or denies access to network resources depending on that value), reliable time stamp (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, reliable ADAM implementation (for EE configuration only), Network Load Balancing (for EE configuration only, disabled by default).

5 OE.PHYSEC The system which hosts the TOE should be physically secure.

6 OE.SECINST The required user identities (used for user authentication) and required SSL certificates for server authentication (HTTPS encryption) should be stored using a confidential path. That means that created certificates and user passwords should not be available to unauthorized persons (OE.DIRECT ensures that unauthorized persons cannot obtain this information by accessing the TOE).

7 OE.SINGEN Information should not flow between the internal and external networks unless it passes through the TOE. Therefore the TOE administrator has to guarantee an adequate integration of the TOE into the environment.

8 OE.WEBI&A Optionally, a RADIUS server should verify the provided user credentials and return whether or not a valid account exists. Data (user credentials and return values) between the TOE and the RADIUS server should be transferred within the environment secured by the TOE, which means that the RADIUS server should be placed on the internal network for Web Identification & Authentication.

9 OE.SSL All web publishing rules which support forms-based authentication should be configured by the administrator so that a secure connection is enforced.

10 OE.URLFILTER TMG queries the remotely hosted Microsoft Reputation Service to determine the categorization of the Web site. The download of the Reputation Service data is appropriately secured with respect to integrity and authenticity.

3.4 Requirements for the Operational Environment

The operational environment is a Windows Server 2008 R2 Standard Edition (English).

When you scan your computer for available updates through the Windows Update Web site, the Windows Update Web site displays a number along with the title of the update, for example, "Update for <title> (KBnnnnnn)." This KB number is included in the security bulletin to help identify the corresponding KB article in the Microsoft Knowledge Base.

Hardening the Microsoft Windows Server 2008 R2 operating system reduces the attack surface by disabling functionality that is not required while maintaining the minimum functionality that is required. When you install Microsoft Forefront Threat Management Gateway as part of the installation of Essential Business Server, the setup program automatically hardens the Windows Server 2008 R2 operating system running on the Forefront TMG computer after the installation of Forefront TMG is completed by launching the Scwcmd.exe command-line tool with the following command3:

scwcmd.exe configure /p:isa_harden.xml

3 See http://technet.microsoft.com/en-us/library/cc995076.aspx

This command applies the security policy defined in the file Isa_harden.xml, which is supplied with Forefront TMG. When this security policy is applied, the startup type of numerous services is configured.

The following table lists the services whose startup type is set by the security policy defined in Isa_harden.xml.

Service Name                    Startup Type
AeLookupSvc                     Automatic
ALG                             Manual
Appinfo                         Manual
AppMgmt                         Manual
AudioEndpointBuilder            Disabled
Audiosrv                        Disabled
BFE                             Automatic
BITS                            Automatic
Browser                         Automatic
CertPropSvc                     Manual
clr_optimization_v2.0.50727_32  Manual
COMSysApp                       Manual
CryptSvc                        Automatic
CscService                      Disabled
DcomLaunch                      Automatic
Dhcp                            Automatic
Dnscache                        Automatic
dot3svc                         Manual
DPS                             Automatic
EapHost                         Manual
Eventlog                        Automatic
EventSystem                     Automatic
FCRegSvc                        Manual
fdPHost                         Manual
FDResPub                        Manual
gpsvc                           Automatic
hidserv                         Disabled
hkmsvc                          Manual
IKEEXT                          Automatic
IPBusEnum                       Disabled
iphlpsvc                        Automatic
KeyIso                          Manual
KtmRm                           Automatic
LanmanServer                    Automatic
LanmanWorkstation               Automatic
lltdsvc                         Manual
lmhosts                         Automatic
MMCSS                           Manual
MpsSvc                          Automatic
MSDTC                           Automatic
MSiSCSI                         Manual
msiserver                       Manual
napagent                        Manual
Netman                          Manual
netprofm                        Automatic
NlaSvc                          Automatic
nsi                             Automatic
pla                             Manual
PlugPlay                        Automatic
PolicyAgent                     Disabled
ProfSvc                         Automatic
ProtectedStorage                Manual
RasAuto                         Disabled
RasMan                          Manual
RemoteAccess                    Ignored
RemoteRegistry                  Disabled
RpcLocator                      Manual
RpcSs                           Automatic
RSoPProv                        Manual
sacsvr                          Manual
SamSs                           Automatic
SCardSvr                        Disabled
Schedule                        Automatic
SCPolicySvc                     Disabled
seclogon                        Automatic
SENS                            Automatic
SessionEnv                      Manual
SharedAccess                    Disabled
ShellHWDetection                Automatic
slsvc                           Automatic
SLUINotify                      Manual
SNMPTRAP                        Manual
SSDPSRV                         Disabled
SstpSvc                         Ignored
swprv                           Manual
SysMain                         Manual
TapiSrv                         Manual
TBS                             Manual
TermService                     Automatic
Themes                          Disabled
THREADORDER                     Manual
TrkWks                          Automatic
TrustedInstaller                Manual
UI0Detect                       Manual
UmRdpService                    Manual
upnphost                        Disabled
UxSms                           Automatic
vds                             Manual
VSS                             Manual
W32Time                         Automatic
WcsPlugInService                Manual
WdiServiceHost                  Manual
WdiSystemHost                   Manual
Wecsvc                          Manual
wercplsupport                   Manual
WerSvc                          Automatic
WinHttpAutoProxySvc             Manual
Winmgmt                         Automatic
WinRM                           Automatic
wmiApSrv                        Manual
WPDBusEnum                      Manual
wuauserv                        Automatic
wudfsvc                         Manual
DNS                             Disabled
nfssvc                          Disabled
nfsclnt                         Disabled
ADAM_ISASTGCTRL                 Automatic
AppHostSvc                      Automatic
aspnet_state                    Manual
clr_optimization_v2.0.50727_64  Manual
fwsrv                           Automatic
IAS                             Automatic
IISADMIN                        Automatic
isactrl                         Automatic
isasched                        Automatic
ISASTG                          Automatic
MDM                             Manual
MSSQL$ISARS                     Automatic
MSSQL$MSFW                      Automatic
MSSQLServerADHelper             Disabled
ose                             Manual
ReportServer$ISARS              Automatic
Rqs                             Manual
SQLBrowser                      Automatic
SQLWriter                       Automatic
W3SVC                           Automatic
WAS                             Manual
WMSvc                           Manual
xmonitor                        Automatic

The security policy defined in the file Isa_harden.xml also configures your Forefront TMG computer as a client of other servers. The following client features are enabled:

MSClient
TimeSync
DHCPClient
DNSClient
DynamicDNS
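The startup-type table above is a baseline, and baselines drift: an administrator re-enables a disabled service for a one-off task, or a later installation changes a startup type. The script below is an added example, not part of this addendum or of Forefront TMG; it re-checks a host against a hand-picked subset of the rows above (the BASELINE dictionary) by parsing the text that `sc qc <service>` prints for each service, and reports every service whose startup type differs from Isa_harden.xml as well as services the baseline expects but the host does not report. The sample `sc qc` output is constructed, and the example assumes that rows marked Ignored are simply not set by the policy, so it does not enforce them.

```python
"""Audit service startup types against the Isa_harden.xml table (added example)."""
import re

# Hand-picked subset of the table above (service name -> startup type set by Isa_harden.xml).
# Extend it with the full table for a real audit.
BASELINE = {
    "RemoteRegistry": "Disabled",
    "SharedAccess": "Disabled",
    "upnphost": "Disabled",
    "MpsSvc": "Automatic",
    "Eventlog": "Automatic",
    "fwsrv": "Automatic",
    "TermService": "Automatic",
    "W32Time": "Automatic",
    "msiserver": "Manual",
    "RemoteAccess": "Ignored",   # assumption: "Ignored" rows are not set by the policy
}

# START_TYPE codes printed by `sc qc <service>`, mapped to the table's vocabulary.
SC_START_TYPES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

_SERVICE_NAME_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.MULTILINE)
_START_TYPE_RE = re.compile(r"^\s*START_TYPE\s*:\s*(\d)\b", re.MULTILINE)


def parse_sc_qc(output: str) -> dict:
    """Turn the concatenated output of several `sc qc` calls into {service: startup type}."""
    actual = {}
    # Each service's block begins with a SERVICE_NAME: line; split there.
    for chunk in re.split(r"(?m)^(?=SERVICE_NAME:)", output):
        name = _SERVICE_NAME_RE.search(chunk)
        start = _START_TYPE_RE.search(chunk)
        if name and start:
            actual[name.group(1)] = SC_START_TYPES.get(start.group(1), "Unknown")
    return actual


def find_deviations(baseline: dict, actual: dict) -> dict:
    """Return {service: (expected, observed)} for each service that departs from the baseline.

    A service the baseline expects but the host does not report is flagged as "missing":
    harmless for a Disabled row, but an absent Automatic row such as fwsrv means part of
    the TOE is not running at all.
    """
    deviations = {}
    for service, expected in baseline.items():
        if expected == "Ignored":
            continue
        observed = actual.get(service, "missing")
        if observed != expected:
            deviations[service] = (expected, observed)
    return deviations


def audit(sc_output: str) -> dict:
    """Deviations of a host, given its `sc qc` output, from the Isa_harden.xml excerpt."""
    return find_deviations(BASELINE, parse_sc_qc(sc_output))


def _sc_block(name: str, code: int, label: str) -> str:
    """One constructed `sc qc` block in the layout the tool prints."""
    return (f"[SC] QueryServiceConfig SUCCESS\n\nSERVICE_NAME: {name}\n"
            f"        TYPE               : 20  WIN32_SHARE_PROCESS\n"
            f"        START_TYPE         : {code}   {label}\n"
            f"        ERROR_CONTROL      : 1   NORMAL\n"
            f"        DISPLAY_NAME       : {name}\n\n")


# Constructed sample: RemoteRegistry has drifted from Disabled to Manual and W32Time is
# absent altogether; every other service still matches the baseline.
SAMPLE_SC_OUTPUT = "".join(_sc_block(n, c, l) for n, c, l in [
    ("RemoteRegistry", 3, "DEMAND_START"),
    ("SharedAccess", 4, "DISABLED"),
    ("upnphost", 4, "DISABLED"),
    ("MpsSvc", 2, "AUTO_START"),
    ("Eventlog", 2, "AUTO_START"),
    ("fwsrv", 2, "AUTO_START"),
    ("TermService", 2, "AUTO_START"),
    ("msiserver", 3, "DEMAND_START"),
])

if __name__ == "__main__":
    for service, (expected, observed) in sorted(audit(SAMPLE_SC_OUTPUT).items()):
        print(f"{service}: expected {expected}, observed {observed}")
```

On a real host, run `sc qc <name>` for every service in the baseline, concatenate the output into one file and pass its contents to `audit()`; the two deviations the constructed sample produces are exactly the kinds of finding an operator should chase before treating the host as still in its evaluated configuration.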


The remaining sections of this topic assume that you have applied the configurations recommended in the "Windows Server 2008 Security Guide" on the computer running Forefront TMG. Specifically, you should apply the Microsoft Baseline Security Policy security template. However, do not implement the IPsec filters or any of the server role policies. In addition, you should take Forefront TMG functionality into account and consider performing manual hardening of the operating system accordingly.

Warning

The administrator should check http://www.microsoft.com/security/ regularly for the latest Windows Server 2008 R2 hotfixes.


4 Security-Relevant Events

This subsection describes all types of security-relevant events and what administrator action (if any) to take to maintain security. Security-relevant events that may occur during operation of TMG 2010 must be adequately defined to allow administrator intervention to maintain secure operation. Security-relevant events are defined as events that signify a security-related change in the system or environment. These changes can be grouped as routine or abnormal. The routine events are already addressed in subsection Security functionalities.

Table 4.1 – Security-relevant events

Security function: Web Identification and Authentication
Security-relevant events: Configure forms-based authentication. A user lacks the permission to access the Internet. A user is leaving the company, so his or her rights have to be withdrawn.
Relevant chapters: see Chapter 6.1; [MSTMG] Forefront TMG Planning and Design > Access design guide for Forefront TMG > Planning for publishing > About publishing Web servers > About authentication in Web publishing; [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Monitoring Forefront TMG > Configuring Forefront TMG logs

Security function: Information Flow Control
Security-relevant event: An alert occurs, so the administrator has to monitor the alert.
Relevant chapters: [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Configuring alerts > Configuring alert actions

Security function: Audit
Security-relevant event: Log file overflow. If the TMG 2010 Server computer runs out of disk space, the administrator has to configure the maximum number of log files.
Relevant chapters: [MSTMG] Forefront TMG Operations > Administering Forefront TMG > Monitoring Forefront TMG > Configuring Forefront TMG logs


5 TOE Integrity

This chapter describes how the administrator can verify that the evaluated version of the TOE is used.

5.1 Integrity of the DVD-ROM content and ISO image

Customers can check the DVD content and ISO image by using the publicly available Microsoft File Checksum Integrity Verifier (FCIV) tool4.

4 Installation instructions and download link on the following Web page: http://support.microsoft.com/kb/841290

This tool uses SHA-1 hash values to verify the integrity of the:

TMG 2010 Standard Edition (available on DVD-ROM (boxed) and via Web download)
TMG 2010 Enterprise Edition (available via Web download only)

The corresponding hash files are available from the Microsoft corporate Web site, as well as a batch file that runs the tool and a Readme file that explains the usage for users that do not have access to this document. The hash file contains SHA-1 values for each of the relevant files that must be verified and is downloadable from the TMG common criteria Web page [WEBTMG].

FCIV is a command-prompt utility that computes and verifies cryptographic hash values of files (MD5 and SHA-1 hash values are possible). To use it, the user opens a Command Prompt window and changes to the folder into which the validation files were downloaded.

5.1.1 Steps in order to ensure the integrity of Forefront TMG 2010 (Volume Licensing - Standard Edition and Enterprise Edition)

Please perform the following steps in order to ensure the integrity of your downloads (unless stated otherwise, the hash values can be found on [WEBTMG]):

1. Download the FCIV tool (see [WEBTMG]) from Microsoft. The SHA-1 value of this download is

99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex)

and shall be verified before executing the downloaded file. This can be done using any tool capable of calculating SHA-1 values. While running the file you have to enter a destination folder to which the FCIV executable should be extracted.

2. Download the CC Guidance Addendum (see [WEBTMG]) to the directory where FCIV has been extracted. Check the integrity of "MS_TMG_ADD_1.1.pdf" by executing the command

fciv "MS_TMG_ADD_1.1.pdf" -sha1

and verify that the result is

<SHA1 hash> MS_TMG_ADD_1.1.pdf

3. Depending on the downloaded version:

o If you received TMG 2010 Standard Edition via Web download, type the following

fciv.exe -sha1 X16-23051.iso

and verify that the result is

daae6ed2f61b6474b9f2dfc9bad5e9bf75420295 x16-23051.iso

o If you received TMG 2010 Enterprise Edition via Web download, type the following

fciv.exe -sha1 X16-23004.iso

and verify that the result is

5b4c04c4e4eff29e95ed46ff24b9f35802fe1158 X16-23004.iso

4. After the final verification steps have been finished, follow the Forefront TMG 2010 CC Guidance Addendum for the installation and configuration of the TOE (Target of Evaluation; for details see the Security Target).

Important

The hash value of the FCIV tool is published on the TMG common criteria web page and should be verified by the customer using a 3rd party tool of his choice.

5.1.2 Steps in order to ensure the integrity of Forefront TMG 2010 (Boxed version - Standard Edition only)

Please perform the following steps in order to ensure the integrity of your downloads (unless stated otherwise, the hash values can be found on [WEBTMG]):

1. Download the FCIV tool (see [WEBTMG]) from Microsoft. The SHA-1 value of this download is

99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex)

and shall be verified before executing the downloaded file. This can be done using any tool capable of calculating SHA-1 values. While running the file you have to enter a destination folder to which the FCIV executable should be extracted.

2. Download the "Integrity Check Validation Data" (see [WEBTMG]) and the "CC Guidance Documentation Addendum" (see [WEBTMG]) to the directory where FCIV has been extracted.

3. Check the integrity of "MS_TMG_ADD_1.1.pdf" by executing the command

fciv "MS_TMG_ADD_1.1.pdf" -sha1

and verify that the result is

<SHA1 hash> MS_TMG_ADD_1.1.pdf

4. Check the integrity of "IntegrityCheckTMG2010.zip" by executing the command

fciv "IntegrityCheckTMG2010.zip" -sha1

and verify that the result is

<SHA1 hash> IntegrityCheckTMG2010.zip

5. Verify that the folder contains the following files:

TMGFPPENUSE.xml
readme.htm
integritycheck_se_ENU.cmd
fciv.exe

6. Insert the Exchange Server DVD that requires validation into the DVD drive X: (where X: is your DVD-ROM drive).

7. Open a command window and change to the folder where the validation files are located. Then, type the following to validate TMG 2010 Standard Edition (boxed version only):

integritycheck_se_ENU.cmd X:

8. If the DVD cannot be validated as an authentic DVD, a message will be displayed, indicating that the DVD is not authentic. The integritycheck.log file, listing the failure details, will be created in the folder with the original files. If the DVD is correctly validated, the following message will be displayed:

The ... is an authentic <product name>

9. After the final verification steps have been finished, follow the TMG 2010 CC Guidance Addendum for the installation and configuration of the TOE (Target of Evaluation; for details see the Security Target).

Important

The hash value of the FCIV tool is published on the TMG common criteria web page and should be verified by the customer using a 3rd party tool of his choice.
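Both procedures in 5.1.1 and 5.1.2 come down to the same check: compute the SHA-1 of each downloaded file and compare it with the published line of the form `<hash> <filename>`. The script below is an added example, not the FCIV tool, the addendum's integritycheck_se_ENU.cmd, or any Microsoft code; it reads a hash list in the one-line-per-file layout that fciv prints (with `//` comment lines, as fciv emits), hashes files in chunks so an ISO image never has to fit in memory, and distinguishes a content mismatch from a file that was simply never downloaded. The files hashed in `demo()` and the hash list it checks them against are constructed in a temporary folder for the demonstration.

```python
"""Verify downloads against an FCIV-style SHA-1 hash list (added example)."""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so multi-gigabyte ISO images are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text: str) -> dict:
    """Parse '<40 hex chars> <file name>' lines, the layout fciv prints; '//' lines are comments."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip()
        if len(digest) != 40 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed hash line: {raw!r}")
        expected[name] = digest
    return expected


def verify_directory(directory: str, hash_list_text: str) -> dict:
    """Map every listed file to 'ok', 'MISMATCH' (content differs) or 'MISSING' (not present)."""
    results = {}
    for name, digest in parse_hash_list(hash_list_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha1_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def all_verified(results: dict) -> bool:
    """True only when the list was non-empty and every file matched; anything else fails closed."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> dict:
    """Constructed download folder: one intact file, one altered by a single byte, one absent."""
    image = b"constructed ISO image content, not a real Microsoft download"
    good_digest = hashlib.sha1(image).hexdigest()
    hash_list = "\n".join([
        "// constructed hash list in fciv output layout",
        f"{good_digest} good.iso",
        f"{good_digest} tampered.iso",
        f"{good_digest} absent.iso",
    ])
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "good.iso"), "wb") as f:
            f.write(image)
        with open(os.path.join(folder, "tampered.iso"), "wb") as f:
            f.write(image[:-1] + b"?")
        return verify_directory(folder, hash_list)


if __name__ == "__main__":
    results = demo()
    for name, status in results.items():
        print(f"{status:8} {name}")
    print("all verified:", all_verified(results))
```

The check is only as trustworthy as the hash list itself, which is why the addendum has the reader verify the FCIV download with an independent tool first: a hash list fetched over the same channel as the file it vouches for detects corruption but not substitution.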


Figure 5.1 – Example of Integrity check I (successful)

5.2 Integrity of the Package

TMG 2010 Enterprise Edition is available under a volume license only; there is no retail box with a certificate of authenticity (COA) label on the box as there is for TMG 2010 Standard Edition (see Figure 5.2). Nevertheless, the end user should check the integrity as described in chapter 5.1 for TMG 2010 Standard Edition and TMG 2010 Enterprise Edition respectively.

Figure 5.2 – TMG 2010 Standard Edition (Box)

5.3 Version Number for the TOE

The method to examine the TMG version number is included in the Microsoft Management Console. The user can identify the version of the TOE in the Help menu (Help > About TMG 2010; see Figure 5.4). The version number presented in the Microsoft Management Console is 7.0.7734.100. That version corresponds to the evaluated version named in the ST, which is TMG 2010. From the About boxes it is not obvious which configuration of TMG 2010 is installed. When the branch "Enterprise" is displayed on the right side of the management console, you have installed TMG 2010 EE (see Figure 5.5).

Figure 5.3 – Version number of TMG 2010 Standard Edition

Figure 5.4 – Version number of TMG 2010 Enterprise Edition

Figure 5.5 – Identifying TMG 2010 Enterprise Edition

Page 64: MS_TMG_ADD_1.1

Guidance Documentation Addendum Page 64/79

6 Annotations

6.1 Authentication methods

This chapter describes how TMG manages authentication. It provides information about the authentication and delegation methods supported by the TOE, and how the authentication process is handled.

6.1.1 Single Sign On

Single sign on (SSO) enables users to authenticate once to the TOE, and then access all of the Web servers with the same domain suffix that the TOE is publishing on a specific listener, without re-authenticating. Web servers can include Microsoft Outlook Web Access servers and servers running Microsoft Office SharePoint Portal Server, as well as standard servers running Internet Information Services (IIS).

A typical example of SSO is a user who logs on to Outlook Web Access, providing credentials on a form. One of the e-mail messages that the user receives contains a link to a document that is stored in SharePoint Portal Server. The user clicks the link, and the document opens without an additional request for authentication.

Security Notes

• As long as a user's browser process is still running, that user is logged on. For example, a user logs on to Outlook Web Access. From the Microsoft Internet Explorer menu, the user opens a new browser window, and then navigates to another site. Closing the Outlook Web Access window does not end the session, and the user is still logged on.

• When enabling SSO, be sure to provide a specific SSO domain. Providing a generic domain, such as .co.uk, will allow the Web browser to send the TMG SSO cookie to any Web site in that domain, creating a security risk.

Note

There is no support for SSO between different Web listeners. Published servers must share the same Domain Name System (DNS) suffix. For example, you can configure SSO when publishing mail.fabrikam.com and team.fabrikam.com. You cannot configure SSO when publishing mail.fabrikam.com and mail.contoso.com. The DNS suffix consists of the entire string that follows the first dot. For example, to configure SSO between mail.detroit.contoso.com and mail.cleveland.contoso.com, you would use the DNS suffix contoso.com.
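The two notes above fix which hosts may share one SSO cookie and warn against scoping that cookie to a generic domain. The helper below is an added example, not part of the addendum or of TMG; it applies those rules to the host names an administrator intends to publish on one listener: it derives the DNS suffix as the note defines it (everything after the first dot), finds the longest suffix common to all the hosts, and refuses a result that is a bare top-level domain or a known generic second-level suffix such as co.uk, because a cookie scoped there would be sent to every unrelated site beneath it. The GENERIC_SUFFIXES set is a constructed stand-in for a real public suffix list.

```python
"""Derive and sanity-check the SSO cookie domain for a set of published hosts (added example)."""

# Constructed stand-in for a public suffix list. A cookie scoped to any of these would be sent
# to every site under them, which is exactly the risk the security note above describes.
GENERIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "com.au", "co.jp"}


def _labels(host: str) -> list:
    """Normalise a host name and split it into DNS labels."""
    host = host.strip().lower().rstrip(".")
    if not host or ".." in host or host.startswith("."):
        raise ValueError(f"malformed host name: {host!r}")
    return host.split(".")


def dns_suffix(host: str) -> str:
    """The DNS suffix as the note defines it: the entire string after the first dot."""
    labels = _labels(host)
    if len(labels) < 2:
        raise ValueError(f"{host!r} has no DNS suffix")
    return ".".join(labels[1:])


def common_suffix(hosts) -> str:
    """Longest suffix, in whole labels, shared by every host ('' if there is none)."""
    if not hosts:
        return ""
    reversed_labels = [list(reversed(_labels(h))) for h in hosts]
    shared = []
    for column in zip(*reversed_labels):      # compare label by label from the right
        if len(set(column)) != 1:
            break
        shared.append(column[0])
    return ".".join(reversed(shared))


def is_generic_domain(domain: str) -> bool:
    """True for a bare top-level domain or a known generic second-level suffix."""
    return "." not in domain or domain in GENERIC_SUFFIXES


def sso_domain_for(hosts) -> str:
    """SSO domain to configure on the listener; ValueError when the hosts cannot share SSO."""
    suffix = common_suffix(hosts)
    depth = suffix.count(".") + 1 if suffix else 0
    # Every host must sit strictly below the shared suffix (host != suffix).
    if not suffix or any(len(_labels(h)) <= depth for h in hosts):
        raise ValueError("hosts do not lie below a shared DNS suffix; use separate listeners")
    if is_generic_domain(suffix):
        raise ValueError(f"{suffix!r} is a generic domain; the SSO cookie would reach unrelated sites")
    return suffix


if __name__ == "__main__":
    for group in (["mail.fabrikam.com", "team.fabrikam.com"],
                  ["mail.detroit.contoso.com", "mail.cleveland.contoso.com"],
                  ["mail.fabrikam.com", "mail.contoso.com"],
                  ["shop.example.co.uk", "bank.other.co.uk"]):
        try:
            print(group, "->", sso_domain_for(group))
        except ValueError as err:
            print(group, "-> rejected:", err)
```

The two rejected groups in the demonstration correspond to the two notes: hosts that share nothing but `com` need separate listeners, and hosts that share only `co.uk` would need a cookie domain that is too broad to be safe.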

Page 65: MS_TMG_ADD_1.1

Guidance Documentation Addendum Page 65/79

6.1.2 Authentication Process

There are three components of the authentication process in the TOE:

• Receipt of client credentials.
• Validation of client credentials against an authentication provider.
• Delegation of authentication to Web servers that are behind the TOE, such as servers running SharePoint Portal Server.

Note

The first two components are configured on the Web listener that receives client requests. The third is configured on the publishing rule. This means that you can use the same listener for different rules, and have different types of delegation.

The authentication process for forms-based authentication is demonstrated in the following figure. Note that this is a simplified description of the process, presented to describe the primary steps involved.

Step 1, receipt of client credentials: The client sends a request to connect to the corporate Outlook Web Access server in the Internal network. The client provides the credentials in an HTML form (Frontend authentication).

Steps 2 and 3, sending credentials: The TOE sends the credentials to the authentication provider, such as a domain controller for Integrated Windows authentication, or a RADIUS server, and receives acknowledgment from the authentication provider that the user is authenticated (Gateway authentication).

Step 4, authentication delegation: The TOE forwards the client's request to the Outlook Web Access server, and authenticates itself to the Outlook Web Access server using the client's credentials. The Outlook Web Access server will revalidate those credentials, typically using the same authentication provider (Backend authentication).

Note

The Web server must be configured to use the authentication scheme that matches the delegation method used by the TOE.

Step 5, server response: The Outlook Web Access server sends a response to the client, which is intercepted by the TOE.

Step 6, forwarding the response: The TOE forwards the response to the client.

Note

• If you do not limit access to authenticated users, as in the case when a rule allowing access is applied to all users, the TOE will not validate the user's credentials. The TOE will use the user's credentials to authenticate to the Web server according to the configured delegation method.

• We recommend that you apply each publishing rule to all authenticated users or a specific user set, rather than selecting Require all users to authenticate on the Web listener, which requires any user connecting through the listener to authenticate.

6.1.3 Client Authentication Methods for Receipt of Client Credentials

The TOE Web listeners accept the following types of authentication from clients:

• No authentication
• Forms-based authentication

6.1.3.1 No Authentication

You can select to require no authentication. If you do so, you will not be able to configure a delegation method on rules that use this Web listener.

6.1.3.2 Forms-Based Authentication

Forms-based authentication in TMG 2010 can be used for publishing any Web server. One type of forms-based authentication is available in the TOE (Passcode form and Passcode/Password form have not been evaluated):

• Password form. The user enters a user name and password on the form. This is the type of credentials needed for Integrated and RADIUS credential validation.

Notes

• The HTML forms for forms-based authentication can be fully customized.

• When the TOE is configured to require authentication, because a publishing rule applies to a specific user set or All Authenticated Users, or a Web listener is configured to Require all users to authenticate, the TOE validates the credentials before forwarding the request.

• By default, the language setting of the client's browser determines the language of the form that the TOE provides. The TOE provides forms in 26 languages. The TOE can also be configured to serve forms in a specific language regardless of the browser's language.

• When you configure a time-out for forms-based authentication, we recommend that the time-out be shorter than that imposed by the published server. If the published server times out before the TOE, the user may mistakenly think that the session ended. This could allow attackers to use the session, which remains open until actively closed by the user or timed out by the TOE as configured in the form settings.

• You should ensure that your Web application is designed to resist session riding attacks (also known as cross-site posting, cross-site request forgery, or luring attacks) before publishing it using the TOE. This is particularly important for Web servers published through the TOE, because clients must use the same trust level for all of the Web sites they access through the publishing TMG firewall.

6.1.4 Methods for Validation of Client Credentials

You can configure how the TOE validates client credentials. The TOE supports these providers and protocols:

• No authentication (allows the internal servers to handle authentication)
• Local user database
• RADIUS

Note

A publishing rule with a Web listener that uses a specific form of credential validation must use a user set that is consistent with that form of validation. For example, a publishing rule with a Web listener that uses LDAP credential validation must also use a user set that consists of LDAP users.

6.1.4.1 Configuring Receipt and Validation of Client Credentials

You can configure the receipt and validation of client credentials on the Web listener for a publishing rule. In the New Web Listener Definition Wizard, use the Authentication Settings page, and in the Web listener properties, use the Authentication tab.

Important

When you use the same Web listener to publish more than one application in the same domain, a user who is authenticated for one application will also be able to access the others, even if single sign on is not enabled.

6.1.4.2 Integrated

The TOE checks whether the user is a member of the local user database.

6.1.4.3 RADIUS authentication

RADIUS is used to provide credential validation. When TMG is acting as a RADIUS client, it sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates the RADIUS client request and sends back a RADIUS message response.

Because RADIUS servers authorize client credentials in addition to authenticating them, a response that TMG receives from the RADIUS server indicating that the client credentials are not approved might actually indicate that the RADIUS server does not authorize the client. Even if the credentials have been authenticated, TMG may reject the client request based on the RADIUS server's authorization policy.

Page 68: MS_TMG_ADD_1.1

Guidance Documentation Addendum Page 68/79

6.1.4.3.1 Configuring the TOE for RADIUS authentication

When you configure the Web listener on TMG, select RADIUS Authentication as the authentication provider. When you add a RADIUS server, you must configure the following:

• Server name. The host name or IP address of the RADIUS server.

• Secret. The RADIUS client and the RADIUS server share a secret that is used to encrypt messages sent between them. You must configure the same shared secret on TMG and on the RADIUS server.

• Authentication port. TMG sends its authentication requests using a User Datagram Protocol (UDP) port on which the RADIUS server is listening. The default value of 1812 does not need to be changed when you are using the default installation of TMG as a RADIUS server.

6.1.4.3.2 Security considerations

The RADIUS User-Password hiding mechanism might not provide sufficient security for passwords. The RADIUS hiding mechanism uses the RADIUS shared secret, the Request Authenticator, and the MD5 hashing algorithm to encrypt the User-Password and other attributes, such as Tunnel-Password and MS-CHAP-MPPE-Keys. RFC 2865 notes the potential need for evaluating the threat environment and determining whether additional security should be used.

You can provide additional protection for hidden attributes by using Internet Protocol security (IPsec) with Encapsulating Security Payload (ESP) and an encryption algorithm, such as Triple DES (3DES), to provide data confidentiality for the entire RADIUS message. Follow these guidelines:

• Use IPsec to provide additional security for RADIUS clients and servers.
• Require the use of strong user passwords.
• Use authentication counting and account lockout to help prevent a dictionary attack against a user password.
• Use a long shared secret with a random sequence of letters, numbers, and punctuation. Change it often to help protect your TMG.
• When you use password-based authentication, enforce strong password policies on your network to make dictionary attacks more difficult.
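The hiding mechanism that 6.1.4.3.2 says might not be sufficient is the one specified in RFC 2865 section 5.2: the User-Password is padded with NUL octets to a multiple of 16, and each 16-octet block is XORed with MD5(shared secret || previous block), where the first "previous block" is the 16-octet Request Authenticator of the Access-Request. The code below is an added example, not code from TMG or from this addendum. It implements that hiding and its inverse so the dependence on the shared secret is visible (the RADIUS server, or anyone else holding the secret and the packet, recovers the password; the same password hides differently only because the Request Authenticator changes per request), and it adds a generator and a check for the long shared secret of letters, numbers and punctuation that the guidelines above ask for. The 16-octet minimum is the preference stated in RFC 2865 section 3; requiring all three character classes is this example's own rule, and the 128-octet password limit is the RFC's.

```python
"""RFC 2865 User-Password hiding and shared-secret hygiene (added example)."""
import hashlib
import secrets
import string

BLOCK = 16  # MD5 digest length; RFC 2865 hides the password in 16-octet blocks


def hide_user_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Hide a User-Password the way a RADIUS client does (RFC 2865 section 5.2)."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of User-Password")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator                          # b1 = MD5(S + RA)
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()   # b(n) = MD5(S + c(n-1))
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_user_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse operation as performed by the RADIUS server; trailing NUL padding is removed."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


_CLASSES = (string.ascii_letters, string.digits, string.punctuation)


def generate_shared_secret(length: int = 32) -> str:
    """Random secret containing at least one letter, one digit and one punctuation character."""
    if length < BLOCK:
        raise ValueError("RFC 2865 section 3 prefers secrets of at least 16 octets")
    chars = [secrets.choice(cls) for cls in _CLASSES]          # one of each class, guaranteed
    alphabet = "".join(_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def secret_strength_ok(secret: str) -> bool:
    """At least 16 octets (RFC 2865) and all three character classes present (this example's rule)."""
    return len(secret) >= BLOCK and all(any(ch in cls for ch in secret) for cls in _CLASSES)


if __name__ == "__main__":
    ra = secrets.token_bytes(BLOCK)            # fresh Request Authenticator per Access-Request
    secret = generate_shared_secret().encode()
    hidden = hide_user_password(secret, ra, b"Passw0rd!")
    print("hidden User-Password:", hidden.hex())
    print("recovered by the server:", unhide_user_password(secret, ra, hidden))
```

Nothing in the scheme authenticates or hides the rest of the packet, and the keystream is a single MD5 over the secret and a value that travels in the clear; that is why the guidelines pair a long random secret with IPsec ESP for the whole datagram rather than relying on the hiding alone.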

6.1.5 Authentication Delegation

After validating the credentials, you can configure publishing rules to use one of the following methods to delegate the credentials to the published servers:

• No delegation, and client cannot authenticate directly
• No delegation, but client may authenticate directly
• Basic


6.1.5.1 Configuring Authentication Delegation

Delegation of client credentials is configured on the publishing rule. In the Publishing Rule Wizard, configure this on the Authentication Delegation page. In the publishing rule properties, the authentication settings are on the Authentication Delegation tab.

6.1.5.2 No Delegation, and Client Cannot Authenticate Directly

Credentials are not delegated. This is intended to prevent the unintentional delegation of credentials into the organization, where they might be sniffed. This is the default setting in some TMG publishing wizards, so if you want to delegate credentials, you must change the default.

6.1.5.3 No Delegation, but Client May Authenticate Directly

When you select the delegation method No Delegation, but client may authenticate directly, the user's credentials are passed to the destination server without any additional action on the part of TMG. The client and the destination server then negotiate the authentication.

6.1.5.4 Basic delegation

In Basic delegation, credentials are forwarded in plaintext to the server that requires credentials. If authentication fails, TMG replaces the delegation with the authentication type used by the Web listener. If the server requires a different type of credentials, a TMG alert is triggered.

6.2 Lockdown Mode

A critical function of a firewall is to react to an attack. When an attack occurs, it may seem that the first line of defense is to disconnect from the Internet, isolating the compromised network from malicious outsiders. However, this is not the recommended approach. Although the attack must be handled, normal network connectivity must be resumed as quickly as possible, and the source of the attack must be identified.

The lockdown feature introduced with TMG combines the need for isolation with the need to stay connected. Whenever a situation occurs that causes the Microsoft Firewall service to shut down, TMG enters lockdown mode. This occurs when:

An event triggers the Firewall service to shut down. When you configure alert definitions, you decide which events will cause the Firewall service to shut down. Essentially, you configure when TMG enters lockdown mode.

The Firewall service is manually shut down. If you become aware of malicious attacks, you can shut down the Firewall service while configuring the TMG computer and the network to handle the attacks.


6.2.1 Affected functionality

When in lockdown mode, the following functionality applies:

The packet filter driver applies the firewall policy.

The following system policy rules are still applicable:

Allow ICMP from trusted servers to the local host.

Allow remote management of the firewall using MMC (RPC through port 3847).

Allow remote management of the firewall using RDP.

Allow access from trusted servers to the local Configuration Storage server

This system policy rule allows the use of Microsoft CIFS (TCP), Microsoft CIFS

(UDP), MS Firewall Control and MS Firewall Storage protocols from all array

members and Remote Management hosts to the Local Host.

Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing

connection is established, that connection can be used to respond to incoming traffic. For

example, a DNS query can receive a DNS response, on the same connection.

No incoming traffic is allowed, unless a system policy rule (listed previously) that

specifically allows the traffic is enabled. The one exception is DHCP traffic, which is

allowed by default system policy rules. The UDP Send protocol on port 68 is allowed from

all networks to the Local Host network. The corresponding UDP Receive protocol on port

67 is allowed.

VPN remote access clients cannot access TMG. Similarly, access is denied to remote site

networks in site-to-site VPN scenarios.

Any changes to the network configuration while in lockdown mode are applied only after

the Firewall service restarts and TMG exits lockdown mode. For example, if you physically

move a network segment and reconfigure TMG to match the physical changes, the new

topology is in effect only after TMG exits lockdown mode.

TMG does not trigger any alerts.

6.2.2 Leaving lockdown mode

When the Firewall service restarts, TMG exits lockdown mode and continues functioning, as

previously. Any changes made to the TMG configuration are applied after TMG exits lockdown

mode.

6.3 Configure RPC Filtering

To configure RPC filtering

1. In the console tree of TMG Server Management, click Firewall Policy.

2. In the details pane, click any access rule that applies to remote procedure call (RPC)

traffic.


3. On the Tasks tab, click Edit Selected Rule.

4. On the Protocols tab (for an access rule), click Filtering, and then click Configure

RPC protocol.

5. On the Protocol tab, select Enforce strict RPC compliance, if no RPC protocols

should be allowed.

Important

When you publish an RPC interface where there is a route network relationship

between networks, port overriding is ignored. The publishing rule will use the original IP

address or port.

When you disable the Enforce strict RPC compliance option, DCOM traffic and other

RPC protocols will be allowed.

After you click Apply in the details pane, the policy is updated. The new policy applies

only to new connections.

6.4 Configure FTP Filtering

To configure FTP filtering

1. In the console tree of TMG Server Management, click Firewall Policy.

2. In the details pane, click a server publishing rule or access rule that applies to FTP

traffic.

3. On the Tasks tab, click Edit Selected Rule.

4. On the Traffic tab (for a server publishing rule) or on the Protocols tab (for an access

rule), click Filtering, and then click Configure FTP.

5. On the Protocol tab, select Read Only, if FTP uploads should be blocked.

Important

You cannot upload FTP content from a Web Proxy client. Remote directory and file

management actions also fail.

After you click Apply in the details pane, the policy is updated. The new policy applies

only to new connections.

6.5 Configure SMTP Filtering

To configure SMTP filter buffer overflow thresholds

1. In the console tree of TMG Server Management, click Add-ins.

2. In the details pane, on the Application Filters tab, click SMTP Filter.

3. On the Tasks tab, click Configure Selected Filter.

4. On the SMTP Commands tab, click the applicable command, and then click Edit.

5. In SMTP Command Rule, select Enable SMTP command.


6. In Maximum Length, type the maximum length of the command line for the

commands.

Important

To add a new command, click Add and type the command name in SMTP Command

Rule.

When a client uses a command that is defined but disabled, the filter closes that

connection.

When a client uses a command that is unrecognized by the SMTP filter, no filtering is

performed on that message.

Only commands on incoming traffic are filtered by the SMTP filter.

Only simple SMTP commands can be added.

If a client uses the TURN command, all e-mail messages will be dropped by the filter.

The RFC considers the AUTH command as part of the MAIL FROM command. For this

reason, the SMTP filter blocks MAIL FROM commands only when they exceed the

length of the MAIL FROM and AUTH commands issued (when AUTH is enabled). For

example, if you specify a maximum length of MAIL FROM as 266 bytes and AUTH as

1,024 bytes, the message will be blocked only if the MAIL FROM command exceeds

1,290 bytes.
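To make the SMTP filter rules above concrete, the following Python model (an added example, not TMG code) applies the defined-but-disabled, unrecognized-command and maximum-length rules to inbound command lines. The rule table, the pass/block/close verdicts and the combined MAIL FROM + AUTH limit are this model's assumptions, using the 266-byte and 1,024-byte values from the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CommandRule:
    enabled: bool       # "Enable SMTP command" in the SMTP Command Rule dialog
    max_length: int     # "Maximum Length" of the command line, in bytes


# Constructed configuration using the values from the text: MAIL FROM 266, AUTH 1,024.
RULES: Dict[str, CommandRule] = {
    "MAIL FROM": CommandRule(True, 266),
    "AUTH": CommandRule(True, 1024),
    "RCPT TO": CommandRule(True, 266),
    "VRFY": CommandRule(False, 266),   # defined but disabled
}


def command_name(line: bytes, rules: Dict[str, CommandRule]) -> Optional[str]:
    """Return the configured command the line starts with, or None if the filter does not know it."""
    upper = line.upper()
    # Longest names first so "MAIL FROM" is never shadowed by a shorter prefix.
    for name in sorted(rules, key=len, reverse=True):
        if upper.startswith(name.encode("ascii")):
            return name
    return None


def effective_limit(name: str, rules: Dict[str, CommandRule]) -> int:
    """MAIL FROM is judged against MAIL FROM + AUTH while AUTH is enabled (model of the text's rule)."""
    auth = rules.get("AUTH")
    if name == "MAIL FROM" and auth is not None and auth.enabled:
        return rules[name].max_length + auth.max_length
    return rules[name].max_length


def filter_command(line: bytes, rules: Dict[str, CommandRule] = RULES) -> str:
    """Verdict for one inbound command line: 'pass', 'block' (message dropped) or 'close' (connection)."""
    name = command_name(line, rules)
    if name is None:
        return "pass"          # unrecognized command: no filtering is performed
    if not rules[name].enabled:
        return "close"         # defined but disabled: the filter closes the connection
    if len(line) > effective_limit(name, rules):
        return "block"         # command line longer than the configured maximum
    return "pass"


def filter_session(lines: List[bytes], rules: Dict[str, CommandRule] = RULES) -> List[str]:
    """Apply the filter to a sequence of commands, stopping once the connection is closed."""
    verdicts: List[str] = []
    for line in lines:
        verdict = filter_command(line, rules)
        verdicts.append(verdict)
        if verdict == "close":
            break
    return verdicts


def mail_from_line(total_len: int) -> bytes:
    """Construct a MAIL FROM command line of exactly total_len bytes (test input)."""
    frame = b"MAIL FROM:<>"
    return b"MAIL FROM:<" + b"a" * (total_len - len(frame)) + b">"
```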


7 Flaw Remediation Guidance

7.1 How to report detected security flaws to Microsoft

Microsoft has established a single internal organization, the Microsoft Security Response

Center (MSRC), to investigate and remedy security vulnerabilities involving Microsoft software

or services. The MSRC is staffed 7 days a week, and investigates every report it receives of

suspected security vulnerabilities in Microsoft Products.

There are three ways for a Finder to contact the Microsoft Security Response Center (MSRC) to

report a detected or suspected security flaw.

1. A web page, located at https://www.microsoft.com/technet/security/bulletin/alertus.aspx

provides an easy way to supply all the information needed to begin the investigation.

The form requests information about:

Reporter contact information (name and email; optional)

Information about the reporter’s computer (manufacturer and model, additional

hardware, operating system, system service packs, operating system security

patches)

Affected product information (product name, product version, service packs for the

product, security patches for the product, vulnerability information)

Description of the flaw in the product (general description)

Product configuration (default/customized, required settings to make the flaw

appear)

Description of how to reproduce the problem (step-by-step instructions that

demonstrate the flaw, program that demonstrates the flaw)

Description of how someone might mount an attack via the flaw

Additional information that might be helpful in investigating this issue.

Data submitted via this page is encrypted using the Secure Sockets Layer protocol.

2. Alternatively, an email address, [email protected] can also be used. Mail to this

address can be encrypted using PGP⁵.

3. The customer can contact Microsoft Services for additional support

(http://www.microsoft.com/services/microsoftservices/default.mspx ).

Regardless of the method used to initially contact the MSRC or Microsoft Services,

subsequent communications typically take place via email, using the [email protected]

email address. When requested, MSRC can also conduct these communications via telephone

or other methods.

⁵ The MSRC's PGP key is available at http://www.microsoft.com/technet/security/MSRC.asc


7.2 How to get informed about Security Flaws and Flaw Remediation

A security update that is issued by the MSRC is always accompanied by a bulletin. The

bulletin contains the information that Microsoft makes available to customers so that they

can decide whether to install the fix and on which systems. Every bulletin comes with a

rating to reflect its criticality (four levels). A Knowledge Base (KB) article is also provided, but it is

mostly a pointer to the bulletin.

The public page with Microsoft bulletins is located at

http://www.microsoft.com/security/bulletins/default.mspx

The original finder of the problem is kept informed throughout the process, if they so choose.

MSRC manages the communication with the reporter throughout the process.

Security updates can typically be installed on the current service pack and the previous one.

However, this is only a general rule. If the previous service pack is more than two years old,

the patch may be limited to only the current service pack. Conversely, if several service packs

have been released in short order, the patch may install on additional ones. The security patch

will be included automatically in the next service pack. Service packs and patches are

generally available for the previously released service pack. The security bulletin will always

provide specific information on the service pack requirements for the patch.

All security bulletins for Microsoft products are available at

http://www.microsoft.com/technet/security/current.aspx , and newly released bulletins are

highlighted on http://www.microsoft.com/security , http://www.microsoft.com/technet/security ,

and http://www.microsoft.com/isaserver Web sites.

In addition, Microsoft offers a free service through which customers can receive a technical or

non-technical bulletin synopsis by email. Customers can sign up for the mailer at

https://www.microsoft.com/technet/security/bulletin/notify.mspx. Microsoft digitally signs the

technical synopsis, and the PGP key located at

http://www.microsoft.com/technet/security/MSRC.asc can be used to validate the signature.

Microsoft security bulletins always discuss the risk the vulnerability poses, the software it

affects, and the steps customers can take to eliminate it – including, in the case of patches,

specific locations for obtaining them. In addition, security bulletins also frequently include a

public thank-you to the Finder, subject to the qualification criteria discussed at

http://www.microsoft.com/technet/security/bulletin/policy.mspx .

Microsoft strongly encourages customers to sign up for the security bulletins.

The steps to stay informed of security flaws and to install their remedies are:

1. Signing up for security bulletins (registering to receive bulletins by email)

2. Checking for security bulletins (if not registered)

3. Deciding whether to download and install a remedy

4. Downloading the fix and authenticating it (see section 7.4)

5. Installing the fix/remedy (follow the bulletin description, see above)


7.3 Installing a remedy

The security bulletins contain the affected product versions, links to download the security

patch, and guidance for manual (as well as automated) installation of the patch.

Figure 7.1 shows an example from the security bulletin “MS04-035”, which contains

installation instructions. The bulletin itself is at

http://www.microsoft.com/technet/security/Bulletin/MS04-035.mspx and is not TOE relevant.

Figure 7.1 – Installation Instructions for Security Bulletin (example)


7.4 Authentication of a Fix

For a product released via the web, digital signatures are used to identify the source download

as coming from Microsoft.

When files are downloaded from the web using Internet Explorer (or another browser), the

Authenticode™ mechanism is used to inform users of whether the download did indeed come

from Microsoft. Authenticode™, the formal name for the code-signing technology Microsoft uses

for digitally signing code, is based upon public key cryptography.

Authenticode is based upon specifications that have been used successfully in the industry for

some time, including CMS (Cryptographic Message Syntax), PKCS #10 (certificate request

formats), X.509 (certificate specification), and SHA-1. Authenticode provides two important

features: time stamping and the ability to revoke a publisher’s digital certificate.

When a user downloads the code from the Internet, the browser uses a Win32 function called

WinVerifyTrust. If the user does not already trust the publisher, it displays certificate

information, such as the name included in the digital signature, an indication of whether it is a

commercial or personal certificate, and the date when the certificate expires. If the piece of

software has been digitally signed, it can verify that the software originated from the named

software publisher and that no one has tampered with it. A verification certificate is displayed if

the software meets these criteria. The user should confirm the source of the certificate to be

the Microsoft Corporation.

When a digital signature fails the verification process, the browser will report the failure,

indicate why the signature is invalid, and prompt the user about whether to proceed with the

download (only in the cases the user does not trust the publisher or trusts only the certifier of

the publisher).


8 References and Glossary

This section provides references and a glossary.

8.1 References

General Common Criteria Documents

[CC] Common Criteria for Information Technology Security Evaluation, version 3.1,

revision 3, July 2009

Part 1: Introduction and general model, CCMB-2009-07-001,

Part 2: Security functional requirements, CCMB-2009-07-002,

Part 3: Security Assurance Requirements, CCMB-2009-07-003

TMG 2010 Administrator Guidance and Publicly Available Evaluation Developer Documents

[MSTMG] Microsoft Forefront Threat Management Gateway Help, Microsoft Corp., Version

2010 Standard Edition / Enterprise Edition

This help file is installed during TMG 2010 setup (isa.chm).

[ST] TMG 2010 SE/EE Common Criteria Evaluation - Security Target, Microsoft Corp.

[WEBTMG] Website: Microsoft Forefront TMG - Common Criteria Evaluation,

http://go.microsoft.com/fwlink/?linkid=49507


8.2 Acronyms

CC Common Criteria

EAL Evaluation Assurance Level

FCIV File Checksum Integrity Verifier

PP Protection Profile

SFP Security Function Policy

SSL Secure Sockets Layer

ST Security Target

TOE Target of Evaluation

8.3 Glossary

application filters Application filters can access the data stream or datagrams associated with a session within the Microsoft Firewall service and work with some or all application-level protocols.

authentication Authentication is "A positive identification, with a degree of certainty sufficient for permitting certain rights or privileges to the person or thing positively identified." In simpler terms, it is "The act of verifying the claimed identity of an individual, station or originator" [Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)].

Basic authentication Basic authentication is the standard authentication method for Hypertext Transfer Protocol (HTTP). Although user information is encoded, no encryption is used with Basic authentication.

feature pack A feature pack contains new product functionality that is distributed outside the context of a product release, and usually is included in the next full product release.

Firewall service log A firewall service log contains entries with connection establishments and terminations.

identification Identification, according to a current compilation of information security terms, is "the process that enables recognition of a user described to an automated data processing system. This is generally by the use of unique machine-readable names" (Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)).

Microsoft Management Console The Microsoft Management Console is a configuration management tool supplied with Windows that can be extended with snap-ins.

NTLM NTLM is an authentication scheme used by Microsoft browsers, proxies, and servers (Microsoft Internet Explorer®, Internet Information Services, and others). This scheme is also sometimes referred to as the Windows NT Challenge/Response authentication scheme or Integrated Windows authentication.

packet filter log file A packet filter log file contains records of packets that were dropped or allowed.


port number A port number identifies a certain Internet application with a specific connection.

publishing rules Using publishing rules, you can publish virtually any computer on an internal network to the Internet (see Web publishing and server publishing).

Secure Sockets Layer (SSL) SSL is a protocol that supplies secure data communication through data encryption and decryption. SSL enables communications privacy over networks.

server publishing Server publishing allows virtually any computer on an internal network to publish to the Internet.

service pack A service pack contains a cumulative set of all hotfixes, security updates, critical updates, and other updates created by Microsoft, as well as fixes for defects found by Microsoft, since the release of the product. Service packs may also contain a limited number of customer-requested design changes or features.

TMG Server In this document, TMG Server refers to Microsoft® Forefront Threat Management Gateway, except where it explicitly states otherwise.

Web publishing Web publishing publishes Web content to the Internet.

World Wide Web Consortium (W3C) W3C develops interoperable technologies (specifications, guidelines, software, and tools) concerning Web technology (http://www.w3c.org).