Sometimes we want to reduce the attack surface of the operating system on which we deploy Forefront TMG. This article shows how to do so with the Security Configuration Wizard (SCW) without breaking Forefront TMG. All these steps must be done after installing Forefront TMG.
- Forefront TMG in standalone mode
- Forefront TMG in array standalone mode
I will show the main steps of the configuration; for the other ones the default settings will be fine.
First of all we download the Forefront TMG template available at http://download.microsoft.com/download/D/A/4/DA48B499-D681-4493-AB83-0EDA4789F412/TMGRolesForSCW.exe and we copy the SCW_TMG_W2K8R2_SP0.xml file to the folder C:\Windows\security\msscw\kbs.
Attention: to make the template compatible with Windows 2008 R2 SP1, the updates described at http://security.sakuranohana.fr/2011/07/uag-hardening-hresult-0x80070057-issue.html must be applied first.
Then we register the template as an SCW knowledge base (the switch is /kbfile, singular):
scwcmd.exe register /kbname:TMG /kbfile:C:\Windows\security\msscw\kbs\SCW_TMG_W2K8R2_SP0.xml
1/ Server functionalities
- Microsoft Forefront Threat Management Gateway (TMG)
- Remote access/VPN server
- Windows Remote Management (WS-Management)
- Network Load Balancing Administration
- Remote Access Auto Connection Manager
- Remote Desktop
- Windows Internal Database VSS Writer
2/ Registry settings
- All computers that connect to it satisfy the following minimum operating system requirements
- It has surplus processor capacity that can be used to sign file and print traffic
3/ Audit settings
4/ Go further: applying the hardening through GPO
In order to avoid repeating all these steps on each Forefront TMG server, it's possible to deploy the hardening policy through a GPO. For that we use the command line scwcmd transform /p:<xml file> /g:"<GPO>" where:
- xml file is the policy generated by the Security Configuration Wizard
- GPO is the name of the generated GPO
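As an added example (not part of the original article), the following PowerShell script chains the steps described above on one TMG server: copying the template into the SCW knowledge-base folder, registering it, checking the server against the policy saved from the wizard, and finally transforming that policy into a GPO. The source path of the extracted template, the policy file name and the GPO name are assumptions; adjust them to your environment. The wizard itself (steps 1/ to 3/) is still run interactively and the policy must be saved before the last two steps run.

```powershell
# Added example, not the article's own script. Run in an elevated prompt on the TMG server.
# Assumed values: $SourceXml (where TMGRolesForSCW.exe was extracted), $PolicyXml (policy
# saved from the SCW wizard) and $GpoName (display name of the GPO to create).
$KbDir     = Join-Path $env:WINDIR 'security\msscw\kbs'
$KbFile    = Join-Path $KbDir 'SCW_TMG_W2K8R2_SP0.xml'
$SourceXml = 'C:\Temp\TMGRolesForSCW\SCW_TMG_W2K8R2_SP0.xml'   # assumed extraction path
$PolicyXml = 'C:\Temp\TMG-Hardening.xml'                        # assumed: saved by the SCW wizard
$ResultDir = 'C:\Temp\scw-results'                              # assumed: analysis report folder
$GpoName   = 'Forefront TMG Hardening'                          # assumed GPO display name

# 1. Copy the TMG template into the SCW knowledge-base folder if it is not already there.
if (-not (Test-Path -Path $KbFile)) {
    Copy-Item -Path $SourceXml -Destination $KbDir -ErrorAction Stop
}

# 2. Register the template so SCW offers the "Microsoft Forefront Threat Management Gateway (TMG)" role.
& scwcmd.exe register /kbname:TMG /kbfile:$KbFile
if ($LASTEXITCODE -ne 0) { throw "scwcmd register failed with exit code $LASTEXITCODE" }

# The SCW wizard (steps 1/ to 3/ of the article) is run here interactively and the policy saved to $PolicyXml.
if (-not (Test-Path -Path $PolicyXml)) {
    throw "Policy file $PolicyXml not found: run the Security Configuration Wizard and save the policy first"
}

# 3. Check the local server against the saved policy before deploying it anywhere.
#    scwcmd analyze writes an XML report per machine into $ResultDir without changing the server.
New-Item -ItemType Directory -Path $ResultDir -Force | Out-Null
& scwcmd.exe analyze /m:$env:COMPUTERNAME /p:$PolicyXml /o:$ResultDir
if ($LASTEXITCODE -ne 0) { throw "scwcmd analyze failed with exit code $LASTEXITCODE" }

# 4. Convert the policy into a GPO so every TMG server receives the same hardening.
#    Must be run on a domain-joined machine by an account allowed to create GPOs.
& scwcmd.exe transform /p:$PolicyXml /g:"$GpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

Write-Host "GPO '$GpoName' created from $PolicyXml; link it to the OU containing the TMG servers."
```

scwcmd transform creates the GPO but does not link it, so the last step is to link it (in GPMC) to the OU that holds the TMG servers and to check the result with gpresult on one of them after the next policy refresh. Keeping the analyze step in the script gives a report to review before the policy is pushed to all array members.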