Paulo's space - Blog


19 November

TMG is RTM!

Hi,
 
Wow! What a great beginning of the week! This news is for you guys who were anxious for TMG (like myself). It has been released as RTM, so the wait is over: get it now!
 
The Forefront TMG team blog has also released a post about TMG and a summary of the new features.
 
For a complete list of TMG features, visit the Microsoft TMG web site.
 
Regards,
Paulo Oliveira.
20 October

Windows 2008 R2 free e-book

Hi,
 
If you are like me, anxious for the Threat Management Gateway (TMG) release, then you have to know the new Windows Server 2008 R2 features. As is well known, TMG can only be installed on Windows Server 2008.
 
So, if you still haven't played with Windows 2008, it is time to! Microsoft gives you a hand on this by releasing the Introducing Windows Server 2008 R2 e-book. Get yours from here!
 
Regards,
Paulo Oliveira.

Exchange Connectivity Analyzer

Hi,
 
Most Exchange administrators are aware of a great tool that helps test whether your Exchange publishing is working as expected. That's what the Exchange Connectivity Analyzer does, and the good news is that the Microsoft Exchange team has released a new version of this tool.
 
Take some time to check out the improvements they made: http://msexchangeteam.com/archive/2009/10/19/452905.aspx
 
Regards,
Paulo Oliveira.
13 October

Forefront TMG RC available!

Hi,
 
It's been a while since my last post. I promise I'll start posting more news and tips.
 
I'm back today with REALLY good news! The Threat Management Gateway Release Candidate is available for download! Get your copy now here.
 

System Requirements

Supported Operating Systems: Windows Server 2008

Minimum system requirements:
o Supported Operating Systems: Windows Server 2008 SP2 or Windows Server 2008 R2
o A computer with a 2-core (1 CPU x dual core) 64-bit processor
o 2 gigabytes (GB) or more of memory
o 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection
o One local hard disk partition that is formatted with the NTFS file system
o One network adapter that is compatible with the computer's operating system, for communication with the Internal network
o An additional network adapter for each network connected to the Forefront TMG server

Recommended system requirements:
o Supported Operating Systems: Windows Server 2008 SP2 or Windows Server 2008 R2
o A computer with a 4-core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
o 4 gigabytes (GB) or more of memory
o 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection
o Two disks for the system and TMG logging, and one for caching and malware inspection
o One network adapter that is compatible with the computer's operating system, for communication with the Internal network
o An additional network adapter for each network connected to the Forefront TMG server
 
Regards,
Paulo Oliveira.
21 September

Now I'm on Twitter!! :)

Hi,
 
I've got some news for today about myself. I just created a Twitter account; if anyone is interested in following me, here is my Twitter: twitter.com/poliveirasilva.
 
And you? What's your Twitter?
 
See you guys there!
 
Regards,
Paulo Oliveira.
14 September

Eat your own dog food!

Hi,
 
Microsoft is about to release TMG RC (Release Candidate) to the public. But it needs us to help them make this great firewall even better!
 
Of course, they are doing their part, "eating their own dog food". Since no one goes anywhere alone, it is very important that we provide feedback about the TMG product. That's the reason I come here today asking you to install the URL Filtering Telemetry package to help improve MRS (Microsoft Reputation Services), used by TMG web filtering.
 
 
Regards,
Paulo Oliveira.
10 September

TMG Network Inspection System (NIS) in Action!

Hi,
 
If you have been reading my blog lately, or the news about the new Microsoft firewall software (Threat Management Gateway), you know that TMG will bring new defense mechanisms to help improve security on your network.
 
To name some: Web Filtering, outbound HTTPS inspection, e-mail security, enhanced NAT, NIS, etc. For a comprehensive list of TMG features click here.
 
Recently Microsoft released a 0-day security advisory referring to the SMB2 protocol, which affects some versions of Windows Vista, Windows 2008 and Windows 7.
 
OK, what does this have to do with the new TMG features? Everything! TMG comes with the Network Inspection System (NIS) out of the box. So the TMG team quickly updated the NIS signatures to detect this new vulnerability and block any attempt to compromise an affected system. Isn't that great!?
 
If you want to know more about NIS, check these:
 
 
Regards,
Paulo Oliveira.
08 September

Vulnerability in Microsoft FTP Service

Hi,
 
After Brazil's Independence Day, I'm back to work! It's good to relax one more day after the weekend. :)
 
Today I was reading about the Microsoft FTP server service vulnerability pointed out by a friend of mine (Kaio Rafael, thanks!). He provided me a link from ZDNet. After reading it, I went directly to the source for more details.
 
According to Microsoft's security advisory, these two vulnerabilities affect the following Windows OS versions, in summary:
 
Windows 2000, XP, 2003, Vista and 2008.
 
The non-affected software section has only:
 
Windows 7 and Windows 2008 R2.
 
One of them allows remote code execution and the other causes a system DoS (Denial of Service).
 
The risk of IIS 5.1 (Windows XP) and IIS 6.0 (Windows 2003) being successfully exploited by the first vulnerability is reduced, because of the /GS protection that comes built in for those versions.
 
Besides the detailed Microsoft security advisory, I also recommend reading the Security Research & Defense blog post about the issue.
 
However, I did not start this blog post to repeat what has already been said. What came to my attention when I was testing the vulnerability with an exploit published on the milw0rm web site was the fact that none of the links mentioned above describe the behaviour when the Microsoft FTP Service breaks down under a DoS attack. You start to think: "Hey, what are you talking about? Do you know what DoS means? No service will be available!"
 
Yes, I do know. But the IIS Admin Service is configured by default to recover when a failure occurs.
 
Fig 01 - Windows Server 2003 IIS Admin Service Properties page
 
"OK, what's the point?!"
 
The point is: if the System Administrator doesn't check the System event log regularly, he won't be able to know whether his FTP Server is or was under a DoS attack! The event is registered as an Error under the Service Control Manager source.
 
This is an alert for those admins who don't check the events on their servers. As Metallica used to say, "...sleep with one eye open..."
 
Hope this was useful! Till next post!
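Since the recovery action hides the outage, the trace the post describes (an Error from the Service Control Manager source in the System log) is what to look for. The script below is an added example, not code from the original post: it pulls those entries for the IIS Admin Service and the FTP service from the last 24 hours. It assumes PowerShell 2.0 or later, read access to the System log, and the service display names listed in `$watched`, which may differ per Windows version or locale.

```powershell
# Added example (not from the original post): surface Service Control Manager
# error events that record the IIS Admin / FTP service terminating, i.e. the
# only trace a recovered DoS crash leaves behind.
# Assumptions: PowerShell 2.0+, read access to the System log, and the service
# display names below (Windows 2003 uses 'FTP Publishing Service', IIS 7.5 FTP
# uses 'Microsoft FTP Service'); adjust them for your build/locale.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$watched = @('IIS Admin Service', 'FTP Publishing Service', 'Microsoft FTP Service')
$since   = (Get-Date).AddHours(-$Hours)

# SCM logs an Error when a service terminates unexpectedly; the recovery
# restart is a separate Information entry, so filtering on Error alone keeps
# the noise down and matches what the post says is written to the log.
$events = Get-EventLog -LogName System -Source 'Service Control Manager' `
                       -EntryType Error -After $since -ComputerName $ComputerName

$hits = foreach ($e in $events) {
    foreach ($name in $watched) {
        if ($e.Message -match [regex]::Escape($name)) {
            New-Object PSObject -Property @{
                Time    = $e.TimeGenerated
                EventId = $e.EventID
                Service = $name
                # first line of the message is enough to read the cause
                Message = ($e.Message -split "`r?`n")[0]
            }
            break
        }
    }
}

if (-not $hits) {
    Write-Host ("No SCM error events for {0} in the last {1} hours." -f ($watched -join ', '), $Hours)
} else {
    $hits | Sort-Object Time | Format-Table Time, EventId, Service, Message -AutoSize
    # Repeated crash/restart cycles in a short window are the pattern to alert
    # on: the service keeps coming back, so nothing looks "down", yet it is
    # being knocked over. Correlate with the FTP log for the same timestamps.
    Write-Warning ("{0} unexpected termination(s) logged; review the FTP logs around these times." -f @($hits).Count)
}
```

Run it from a scheduled task and forward the warning to your monitoring so the check does not depend on someone opening Event Viewer.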
 
Regards,
Paulo Oliveira.
01 September

Microsoft Malware Protection Center warns about threats

Hi,
 
This month MMPC released interesting posts about threats. I recommend reading the following:
 
 
Using their words, be safe!
 
Regards,
Paulo Oliveira.
31 August

ISA Server and DNS Server - What's the connection?

Hi,
 
I've seen a lot of threads on the www.isaserver.org web boards regarding ISA firewall issues like:
 
- ISA is taking forever to display web pages;
- I'm using ISA Server and it is not using the whole bandwidth;
- My published web site is very slow to open;
 
Well, I usually respond to those threads using a simple formula: ISA + Misconfigured DNS = Slowness.
 
ISA Server requires a well-configured DNS server in order to work.
 
Yuri Diogenes did it better. He wrote a post on the ISA/TMG team blog about ISA connection time outs due to a misconfigured DNS and dug into it!
 
Check out the full details of this great post here.
 
For more information about
 
 
And how to configure ISA NICs:
 
 
 
Regards,
Paulo Oliveira.

Using Group Policy to configure VPN client settings

Hi,
 
ISA admins know there are two ways of configuring ISA VPN remote clients. The first is manually, using the Windows wizard, which gives us an incredible overhead (depending on how many VPN users will use it).
 
The second is using CMAK to customize the wizard and deploy it to VPN users with a standard configuration.
 
Today the Routing and Remote Access team blog published a very interesting post about configuring the VPN client using GP. What are the requirements?
 
1. Remote access (RAS) APIs
2. PowerShell script and XML configuration file
3. Group Policy
 
Which Windows OS versions does it work on?
 
Windows XP, Windows 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 2008 R2.
 
Read more on RRAS team blog.
 
Regards,
Paulo Oliveira.
24 August

Internet Explorer versus Firefox - Which one protects you better?

Hi,

Many discussions exist on the internet about the eternal battle between Internet Explorer and Firefox.

Last week, surfing the internet, I found something very interesting about these browsers. Each manufacturer's web site has a browser comparison.

Mozilla gives us a little chart about why Mozilla Firefox is faster, safer, smarter and better than Internet Explorer. The comparison relates only to Internet Explorer; no other browser is involved.

Also, you can notice this is ONLY their opinion; there is no evidence for these claims.

See for yourself: http://www.mozilla.com/en-US/firefox/ie.html#feature-vsie

On the other hand, Microsoft gives us a full comparison chart of 3 different web browsers: Internet Explorer, Firefox and Chrome.

And it gets better! Microsoft also provides links for the features they claim to be better or not against the competitors. Isn't that great!? Is this transparency or what!?

There's no discussion when you present facts!

For sure it's worth taking a look at the Microsoft comparison chart and the links it provides about Security, Accelerators and Performance.

You can also see for yourself: http://www.microsoft.com/windows/internet-explorer/get-the-facts/browser-comparison.aspx

It does not stop there! Microsoft continues working hard to better protect your computer against Internet threats:

Read more about it on the Internet Explorer team blog: http://blogs.msdn.com/ie/archive/2009/08/13/real-world-protection-with-ie8-s-smartscreen-filter.aspx

 

Lesson learned today: Trust in facts, not only words!

 

Regards,

Paulo Oliveira.

18 August

New articles on Tales From the Edge

Hi,
 
Jim Harrison from the Microsoft Forefront TMG/ISA Server team announced new articles on Tales From the Edge. They talk about the CSS role, the Firewall client and E-mail protection. It's worth taking a look!
 
 
Regards,
Paulo Oliveira.
11 August

Security update for ISA Server released today!

Hi,
 
Quick post!
 
Last month I blogged about a vulnerability found in the OWC ActiveX components that affects ISA Server, and how you can check whether your system is vulnerable. In this month's security bulletins, Microsoft releases a security patch to solve this issue.
 
Although ISA Server is not compromised unless the firewall administrator uses ISA as a workstation (i.e. accessing internet web sites from the firewall), it is always good to keep the system up to date.
 
For more information about this month's security updates, read the August Security Bulletin Summary.
 
If you want to download the patch, check the MS09-043 bulletin.
 
Regards,
Paulo Oliveira.
05 August

ISA Server and Conectividade Social

Hi,

Today I'll post an article about an application that gives a lot of headaches to system administrators in Brazil. This is not exclusive to ISA firewall administrators; other systems suffer too. Since this blog is intended to talk about Microsoft products, I will show how it's done on the ISA firewall. ;)

The name of this application is Conectividade Social - Conexão Segura (Secure Connection).

Although this is mostly intended for Brazil's ISA firewall administrators, it has some tips for configuring the ISA firewall for similar applications around the world. Don't stop here; continue reading.

Background

Conectividade Social is an application that allows Brazilian companies to exchange employee-related information with a federal bank in Brazil (Caixa Econômica Federal - CEF).

How does the application work?

There are two ways to access the application:

In the first one, you have to install a program on the user's desktop.

In the second one, you "just" have to access the URL http://cmt.caixa.gov.br/, search for the digital certificate provided by CEF, insert the password and voilà (well, at least it was meant to be like that, I think!).

Setting up the client-side application

The first access method

It is very easy to configure: once the application is installed, you just have to create a custom protocol in the ISA firewall allowing TCP Outbound port 2631.

The second access method

It is a nightmare! Besides the firewall (server-side) configuration, you still have to make A LOT OF client-side changes! Argh! You need to allow TCP Outbound 80.

Let's start on the client side. The link below provides a step-by-step procedure to configure the client machine:

From a very interesting blog post: http://blog.escritoriobrum.com.br/2009/01/07/erro-conectividade-social/ (Portuguese)

I couldn't find it on the CEF web site. Maybe they removed it from there because it was very old.

You must install the MSJVM for the application to work. Note that the MSJVM was discontinued years ago!

After all steps are accomplished, it's time to access the application. Okay, you open the Internet Explorer web browser, go to http://cmt.caixa.gov.br/, and you are prompted to install an ActiveX control to encrypt the connection between your browser and the CEF web application (Conexão Segura). When you have installed it, fill in the form and click the Login button.

After some time, you receive an error message:

"Failed to exchange keys with the Gateway"

You ask yourself: "What!? Why!? TCP Outbound port 80 is allowed!"

The problem here is not about ports or protocols; it is all about the ISA Server Web Proxy filter. The web application MUST have no intermediary when exchanging keys with the Conexão Segura web application. The connection is encrypted using an ActiveX control that requires a direct connection: no proxy (no intermediation). Since every web request is intercepted by the Web Proxy filter for inspection, the connection fails.

Setting up the server side

The Common Solution

Most of the web sites about the ISA firewall recommend unbinding (disabling) the Web Proxy filter from the HTTP protocol. This setting allows the client machine to bypass the Web Proxy filter, clearing the connection all the way to the Conexão Segura application server.

The solution works, but it has some disadvantages:

- You cannot use the Configure HTTP option for access rules or web publishing rules anymore. Although this does not affect the behavior of the HTTP filter's application inspection;

- You cannot benefit from caching.

The Real Solution

There are other ways to bypass the Web Proxy filter without the need to unbind it from the HTTP protocol. The ISA firewall has a feature called DirectAccess.

This assumes you have already published Automatic Discovery information for the Internal Network.

Open the ISA firewall console and go to the Configuration node - Networks node - Networks tab.

Right-click on the Internal Network and select Properties. Configure your Web Browser tab like the following:

Now go to the Firewall Policy node and create the following access rules:

Protocols:

Port 80 No Filter - TCP Outbound 80. Don't select the Web Proxy filter, and select NO on the Secondary Connections page.

Conn_Social - TCP Outbound 2631.

Computer objects:

The computer object cmt.caixa.gov.br is the IP (200.201.173.68) of the CEF web site. (For some reason it does not work with a URL set; I think it is because the Web Proxy filter is disabled on this protocol, so ISA does not perform reverse DNS.)

The computer object Conectividade Social is the IP (200.201.174.207) of the Conexão Segura application.

The computer object Conectividade Social2 is the old IP (200.201.174.204) of the Conexão Segura application. I put it there in case they change it back.

Note that you need to create a new protocol, Port 80 No Filter, to allow direct access to the web application.

Now you're ready to go!

Access the Conexão Segura web application and enjoy it!
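When the "Failed to exchange keys with the Gateway" error persists after the rules above are in place, the two things to verify from a client are whether the browser really bypasses the Web Proxy for the CEF hosts and whether the raw TCP ports are reachable at all. The script below is an added example, not part of the original post: the host names, IPs and ports are the ones from the procedure, while the IE registry location, the 5-second timeout and the function names are this example's own assumptions.

```powershell
# Added example (not from the original post): client-side check of the two
# conditions the DirectAccess solution relies on. Hosts/IPs/ports are from
# the post; registry path, timeout and function names are assumptions.
$targets = @(
    @{ Name = 'cmt.caixa.gov.br';      Address = '200.201.173.68';  Port = 80   },
    @{ Name = 'Conectividade Social';  Address = '200.201.174.207'; Port = 2631 },
    @{ Name = 'Conectividade Social2'; Address = '200.201.174.204'; Port = 2631 }
)

# Per-user IE proxy settings: AutoConfigURL means a WPAD/PAC script is in use
# (DirectAccess exceptions published by ISA arrive through it); ProxyOverride
# is the manual bypass list.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-DirectAccessConfig {
    if ($ie.AutoConfigURL) {
        Write-Host ("Auto-config script in use: {0}" -f $ie.AutoConfigURL)
        Write-Host "DirectAccess entries come from this script; confirm it returns DIRECT for the CEF hosts."
    } elseif ($ie.ProxyEnable -eq 1) {
        $bypass = @()
        if ($ie.ProxyOverride) { $bypass = $ie.ProxyOverride -split ';' }
        foreach ($t in $targets) {
            $listed = ($bypass -contains $t.Name) -or ($bypass -contains $t.Address)
            Write-Host ("Manual proxy bypass for {0}: {1}" -f $t.Name, $listed)
        }
    } else {
        Write-Host 'No proxy configured in IE; requests leave directly (or via the Firewall client).'
    }
}

function Test-DirectTcp([string]$Address, [int]$Port, [int]$TimeoutMs = 5000) {
    # A bare socket connect, deliberately not an HTTP request: the ActiveX key
    # exchange needs the raw port, so that is what we probe. No data is sent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return ('blocked/refused: ' + $_.Exception.Message)
    } finally {
        $client.Close()
    }
}

Test-DirectAccessConfig
foreach ($t in $targets) {
    $result = Test-DirectTcp $t.Address $t.Port
    Write-Host ("TCP {0}:{1} ({2}) -> {3}" -f $t.Address, $t.Port, $t.Name, $result)
}
```

A 'timeout' on port 2631 or 80 points at the access rule (or a missing Port 80 No Filter protocol), while an open port with the error still showing points at the browser going through the Web Proxy, i.e. the DirectAccess list.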

References:

http://technet.microsoft.com/en-us/library/cc302564.aspx

http://blogs.technet.com/yuridiogenes/archive/2009/07/19/error-64-the-specified-network-name-is-no-longer-available-while-using-a-custom-application-through-isa-server-2006.aspx

http://blogs.technet.com/isablog/archive/2006/09/25/why-do-i-need-a-deny-rule-to-make-an-allow-rule-for-a-custom-protocol-work-correctly.aspx

http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-access-these-servers-or-domains-issue-in-isa-server-2004-sp2/

http://support.microsoft.com/kb/920715/

 

Conclusion

Today I presented how to configure the client and server to access the Conexão Segura web application through the ISA firewall. The most important point is that we did not disable any ISA feature; instead we used a nice one!

I hope this was good reading for you and makes your life easier with this particular CEF application or other similar ones.

 

Regards,

Paulo Oliveira.

16 July

Vulnerability in Microsoft OWC ActiveX - How to check if my machine is vulnerable?

Hi,
 
Two days ago I blogged about a vulnerability in the Microsoft Office Web Components ActiveX that affects ISA Server 2006. I also provided a workaround found on the Security Research & Defense team blog.
 
Yesterday I received a comment on this blog entry asking me how to check whether the ISA Server in use is vulnerable. The comment also mentioned that the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046} could not be found on the ISA Server computer. So I decided to check on my ISA Server and, to my surprise, it wasn't there either! I thought then, "what the heck!!??".
 
I started to investigate this "issue" a little more and found great answers that I'll share with you guys.
 
First, I read again the Microsoft Security Research & Defense team blog post on how to work around the vulnerability. While reading, I came across a reference to another blog entry discussing how to tell if the ActiveX vulnerabilities are exploitable in Internet Explorer.
 
In the second blog entry, at the end of the post, there's C# source code (ClassId.cs) to check whether the ActiveX control is exploitable. Nice! Here comes the question: "What am I supposed to do with it??". After all, I'm no developer...
 
The next step was to try to find the ClassId.exe used in the first MS SRD blog entry. I checked www.microsoft.com/downloads and found nothing! Then I tried to go to the link INFO: How Internet Explorer Determines If ActiveX Controls Are Safe provided in the second blog post; however, the page was not found.
 
Then I had the idea to ask one of the developers here at the company to build an executable file from the ClassId.cs file. He said OK!
 
He built the executable and I tested it on my ISA firewall. The result was:
 
C:\Tools\ClassId>ClassId.exe {0002E559-0000-0000-C000-000000000046}
Clsid: {0002E559-0000-0000-C000-000000000046}
Progid: OWC11.Spreadsheet.11
Binary Path: C:\Program Files\Microsoft ISA Server\OWC11.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: False
 
KillBitted: False means that my Internet Explorer is loading this control, making my ISA firewall vulnerable.
 
Oh! But how could it check, if at the start of this blog post I said there was no registry key at the location indicated on the MS SRD blog??
 
Well, I don't know the answer to this question... I have to review the code and see if I can find anything useful. Like I said before, I'm no developer.
 
But how can I make sure the output is telling the truth? I asked myself the same question. To make sure, I applied the workaround from the MS SRD team blog and the output is this:
 
C:\Tools\ClassId>ClassId.exe {0002E559-0000-0000-C000-000000000046}
Clsid: {0002E559-0000-0000-C000-000000000046}
Progid: OWC11.Spreadsheet.11
Binary Path: C:\Program Files\Microsoft ISA Server\OWC11.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: True
 
 
It seems OK! However, not enough for me. Looking at the Microsoft Support web site I found the following article: How to stop an ActiveX control from running in Internet Explorer.
Something really interesting was written there about the mysterious registry key:
 
2. Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID of the ActiveX control
where CLSID of the ActiveX control is the class identifier of the appropriate ActiveX control.
 
Note: Typically, you will have to manually create this registry key.

3. Change the value of the Compatibility Flags DWORD value to 0x00000400.
 
Aha! It seems now we have part of the mystery solved!
 
Well, I couldn't end this post without thanking the developer who helped me:
 
Thanks Fabricio Izumi, nice work!!
 
If you want the executable file, you can send me an e-mail.
 
 
Regards,
Paulo Oliveira.
15 July

Time to Update your ISA Server 2006 to SP1

Hi,
 
Days ago I blogged about the ISA Server support lifecycle. As a blog post of the ISA/TMG team reminds us, ISA Server 2006 RTM and SU support ended yesterday (07/14/2009).
 
If for some reason you did not update your ISA Server 2006 to the latest service pack, now is the time, if you still want to be supported by Microsoft and get the latest updates for the product.
 
Download ISA SP1 from here.
 
 
Regards,
Paulo Oliveira.
14 July

Vulnerability in Microsoft Office Web Components ActiveX

Hi,
 
Although this vulnerability targets Microsoft Office Web Components, it can affect ISA Server as well. This component is not installed by default on any Windows version.
 
However, when you install ISA Server this component is also installed. On the ISAserver.org message boards, ISA admins always state that ISA Server cannot be treated as a workstation or a common server, but as a firewall.
 
If you are one of those admins, then congratulations! This vulnerability will not affect you, because it is a "browse and get owned" scenario.
 
To protect against this vulnerability, follow these steps:
 
You can set the kill bit for the two class IDs by adding the following value in the registry:
1) Use Registry Editor to view the data value of the Compatibility Flags DWORD in the following two registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}
 
2) Change or add the value of the Compatibility Flags DWORD value to 0x00000400.
 
PS: {0002E559-0000-0000-C000-000000000046} = OWC11
    {0002E541-0000-0000-C000-000000000046} = OWC10
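The two steps above, and the check described in the 16 July post about ClassId.exe (where the key was absent until the workaround created it), can be done from one script. The block below is an added example, not code from the original posts or from Microsoft: it reports the kill-bit state for both OWC CLSIDs and sets it only when run with the `-Apply` switch. The CLSIDs, the registry path and the 0x400 flag come from the posts; the `-Apply` switch and the function names are assumptions, and writing to HKLM requires an elevated prompt.

```powershell
# Added example (not from the original posts): inspect and optionally set the
# IE kill bit (Compatibility Flags 0x400) for the two OWC controls named in
# the post. CLSIDs/path/flag are from the post; -Apply and function names are
# this example's own. Run elevated for -Apply.
param([switch]$Apply)

$KillBit = 0x400
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$clsids  = @{
    '{0002E541-0000-0000-C000-000000000046}' = 'OWC10'
    '{0002E559-0000-0000-C000-000000000046}' = 'OWC11'
}

function Get-KillBitState([string]$Clsid) {
    # The per-CLSID key usually does not exist until someone creates it (as the
    # quoted support article says), so an absent key means "not kill-bitted",
    # not an error. This is the state the ClassId.exe output reported as False.
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) {
        return @{ Exists = $false; Flags = 0; KillBitted = $false }
    }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    return @{ Exists = $true; Flags = [int]$flags; KillBitted = (([int]$flags -band $KillBit) -ne 0) }
}

function Set-KillBit([string]$Clsid) {
    # OR the bit in rather than overwrite the DWORD, so any other compatibility
    # flags already set on the control by an update are preserved.
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-KillBitState $Clsid).Flags
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

foreach ($clsid in $clsids.Keys) {
    $state = Get-KillBitState $clsid
    '{0} {1}: key present={2} flags=0x{3:X8} killbitted={4}' -f `
        $clsids[$clsid], $clsid, $state.Exists, $state.Flags, $state.KillBitted
    if ($Apply -and -not $state.KillBitted) {
        Set-KillBit $clsid
        '  -> kill bit set; verified killbitted={0}' -f (Get-KillBitState $clsid).KillBitted
    }
}
```

Running it without `-Apply` first gives the same answer ClassId.exe gave in the 16 July post; running it with `-Apply` on a firewall whose administrators never browse from the box is still worthwhile, since the key is cheap and the patch may lag.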
 
 
For more information, read these links:
 
 
You can also follow this thread about the issue: http://forums.isaserver.org/fb.aspx?m=2002089656
 
 
Regards,
Paulo Oliveira.

Vulnerability in ISA Server 2006 (970953)

Hi,
 
Microsoft has just released a security bulletin about a new vulnerability in ISA Server 2006. The bulletin is rated Important, and the vulnerability could allow elevation of privilege if an attacker successfully exploits it.
 
Affected Software
 
This vulnerability affects all ISA Server 2006 versions (SE/EE), in RTM (Release To Manufacturing), SU (Supportability Update) or SP1 (Service Pack 1), that use Forms-Based authentication validated against a RADIUS OTP (One Time Password) server together with Kerberos Constrained Delegation.
 
An attacker who successfully exploits this vulnerability may be able to impersonate user accounts. If that happens, the attacker will be able to access the same content the impersonated user can.
 
ISA Server 2006 Authentication
 
By default, when forms-based authentication cannot be used with a specific client, ISA requires basic authentication instead. This was one of the new features introduced in ISA Server 2006. For more information, see the Authentication in ISA Server 2006 TechNet article.
 
Workaround
 
To work around this vulnerability you can run the script provided in KB938966. The script disables the fall-back mechanism in the web listener configured with RADIUS OTP.
 
If the ISA Server is not set up with RADIUS OTP and authentication delegation with KCD, then it is not vulnerable.
 
Software Update
 
Download the ISA Server software update for your appropriate version:
 
 
 
Regards,
Paulo Oliveira.
07 July

Just me! Again... :-)

Hi,
 
If you're an ISA administrator, it is very likely you have heard about Thomas Shinder. He's one of the masters of the ISA/TMG firewall universe. Some of his contributions to the ISA/TMG world are: the www.isaserver.org web site, which contains a lot of articles about configuring, securing, administering, etc., the ISA Firewall. Most of them are written by him, of course. He has also published a lot of books demystifying the different ISA Firewall versions over the years.
 
Now, the mission he and other ISA/TMG firewall gurus have is to release the Threat Management Gateway (TMG) Administrator's Companion book (http://www.mstmgbook.org/).
 
I have great respect for Tom Shinder as he is a knowledgeable guy, and to my surprise he mentioned my blog on his.
 
Thanks very much Tom, we're excitedly waiting for the TMG book!
 
Regards,
Paulo Oliveira.