mardi 15 octobre 2013

[TMG] OS hardening for Forefront TMG


Sometimes we want to reduce the attack surface area of the operating system where we deploy Forefront TMG. We will see on this article how to proceed without impacting Forefront TMG. All these steps must be done after installing Forefront TMG.

This article could be used on the following scenarios:
  • Forefront TMG in standalone mode
  • Forefront TMG in array standalone mode

I will show the main steps of the settings, for the other ones the default settings will be fine.

First of all we download the Forefront TMG template available at http://download.microsoft.com/download/D/A/4/DA48B499-D681-4493-AB83-0EDA4789F412/TMGRolesForSCW.exe and we copy the SCW_TMG_W2K8R2_SP0.xml file on the following folder C:\Windows\security\msscw\kbs.

Attention: to make the template compatible with Windows 2008 R2 SP1, the updates described at http://security.sakuranohana.fr/2011/07/uag-hardening-hresult-0x80070057-issue.html must be done.

On a command line with high privileges we execute:
scwcmd.exe register /kbname:TMG /kbfiles:C:\Windows\security\msscw\kbs\SCW_TMG_W2K8R2_SP0.xml

1/ Server functionalities

Then we will used the tools provided with Windows Server 2008R2 to make the hardening, you could find it on Start > Administrative Tools > Security Configuration Wizard.

We see that the tool recognize Microsoft Forefront Threat Management Gateway (TMG) located on the Server node, on his database.

On the Select Server Roles step, select:
  • Microsoft Forefront Threat Management Gateway (TMG)
  • Remote access/VPN server
  • Windows Remote Management (WS-Management)
On the Select Client Features step, add the Remote Access Client, which is a prerequisite for Forefront TMG.

On the Select Administration and Other Options step, add the following, which are prerequisites for Forefront TMG:
  • Network Load Balancing Administration
  • Remote Access Auto Connection Manager
  • Remote Desktop
  • Windows Internal Database VSS Writer

On the Handling Unspecified Services step, it's recommended to not modify the services by choosing Do not change the startup mode of the service.

2/ Registry settings

On the Require SMB Security Signatures step, select:
  • All computers that connect to it satisfy the following minimum operating system requirements
  • It has surplus processor capacity that can be used to sign file and print traffic

On the Outbound Authentication Methods step, in order to only use domain account select Domain Accounts.

On the Outbound Authentication using Domain Accounts step, select Windows NT 4.0 Service Pack 6a or later operating systems.

3/ Audit settings

If we would go further on the security we could choose to enable the audit functionality depending on your policies. On this step you will be free to choose which one fit to your policy, but keep in mind that it generates entries and data on your server.

4/ Go further: applying the hardening through GPO

In order to avoid making all these steps on each Forefront TMG server, it's possible to deploy the hardening policy through GPO. Indeed we will used the command line scwcmd transform /p:<xml file> /g:”<GPO> where:
  • xml file is the policy generated by the Security Configuration Wizard
  • GPO is the name of the generated GPO
 After you could link and apply it to the right target and modify the GPO ACL.

Aucun commentaire:

Publier un commentaire