After the Service Packs are finally out, here are a few lines about their content and a few notes gathered:
• DO NOT install SP1 for Exchange before installing SP1 for Forefront for Exchange. Doing so causes the Forefront installation to stop functioning properly, along with other unexplained phenomena.
• The standard Forefront Security for Exchange Server license includes the following antivirus scan engines: Microsoft, Norman, Sophos, Command, Kaspersky, VBuster, AhnLab, Computer Associates.
After a fresh installation, five engines are randomly selected for scanning. As soon as the product is installed, you can use Forefront Server Security Administrator to change the engine selection. You can select a maximum of five engines per scan job.
• After a fresh installation, new signature files must be downloaded to make sure that the most up-to-date protection is used. An hourly scanner update for each licensed engine is scheduled. These updates start five minutes after Forefront Security for Exchange Server services are started.
However, if a proxy is being used for scanner updates, these scheduled updates will fail until all the proxy information has been entered. To enter the proxy information, use Forefront Server Security Administrator. To do this, follow these steps:
1. In the General Options work panel, click Scanner Updates.
2. In the Proxy Username and Proxy Password boxes, type the appropriate information.
3. In the Scanner Updates work panel, click Update Now to perform an immediate scanner update for each engine.
• We recommend that you successfully update at least one engine before you consider the installation to be complete.
• Errors may appear in the ProgramLog.txt file until all the licensed engines have been successfully downloaded. For example, you may receive an error message that resembles the following: "ERROR: Could not create mapper object "
• To verify that Forefront Security for Exchange Server has been installed correctly together with default protection enabled, click Operate in Shuttle Navigator, and then click Run Job. You should see the following items:
• On a server that contains a Mailbox role, a Realtime Scan Job should be enabled, and there should be a Manual Scan Job.
• On a server that includes a Transport role (such as a Hub Transport server, an Edge server, or a Mailbox/Hub Transport server), a Transport Scan Job should be enabled.
• Forefront Security for Exchange Server sets an optimization tag on Mailbox servers to skip the scan at the store if mail is to be sent to a Hub Transport server. When you use this configuration, Forefront Security for Exchange Server must also be installed on Hub Transport servers. Otherwise, outgoing mail will not be scanned.
• To enable scheduled background scanning, follow these steps:
1. In Shuttle Navigator, click OPERATE, and then click Schedule Job.
The Schedule Job panel appears on the right side. The top section of the Schedule Job panel shows the background scan job, and it indicates whether the Scheduler is enabled or disabled.
2. If you select the background scan job, the bottom part of the Schedule Job panel shows scheduling and configuration information.
3. To schedule a background scan, select the date, the time, and the frequency, and then click Save. Click Enable if the Scheduler is not already enabled.
4. Background Scanning now supports additional scoping options that determine which messages are scanned whenever a background scan is started. To modify these options, follow these steps:
a. In Shuttle Navigator, click SETTINGS, and then click General Options. The General Options settings appear in the right panel.
b. Under Background Scanning, select the scan scoping options that you want.
5. By default, Realtime Mailbox server scanning does not include message body scanning. To include message body scanning, follow these steps:
a. In Shuttle Navigator, click SETTINGS, and then click General Options.
b. In the Scanning area, click to select the Body Scanning - Realtime check box.
c. In the OPERATE/Run Job panel, verify that the Realtime Scan Job is enabled.
• Forefront Server Security Administrator cannot be used to manage servers that are running versions of Forefront Security that are earlier than version 10.0.
• Forefront Security for Exchange Server is not supported on two-node active/active Exchange Server cluster configurations.
• If the SharePoint Portal Alert service is running on the server, you might have to restart the computer after you upgrade or uninstall Forefront Security for Exchange Server.
• To enable Forefront Server Security Administrator to connect to a remote Forefront Server server, you must grant remote access permissions to the "Anonymous Logon" group.
To do this, follow these steps:
1. At a command prompt, type dcomcnfg.
2. Expand Component Services, right-click My Computer, and then click Properties.
3. Click the COM Security tab.
4. Click Edit Limits, and then add remote access to the Anonymous Logon user.
Note To enable the Forefront Server Security Administrator application on a computer that is running Windows XP Service Pack 2 (SP2), you must also follow these steps:
5. In Control Panel, click Security Center.
6. Click Windows Firewall, and then click the Exceptions tab.
7. Click Add Program.
8. In the list, select Forefront Server Security Administrator, and then click OK to return to the Exceptions tab.
9. Click to select the Forefront Server Security Administrator check box, and then click Add port.
10. Type a name for the port, type 135 in the Port number box, and then select TCP as the protocol to use. Click OK two times.
Note If you are concerned about opening port 135 to all computers, you can open the port for the Forefront Server servers only. To do this, follow these steps:
a. When you add port 135, click Change Scope, and then click Custom List.
b. Type the IP addresses of all Forefront Server servers to which you want to connect.
• When you install an antivirus solution by using VSAPI2, the VirusScan registry key is created to save information about the VSAPI library.
If this key is present when you try to install Forefront Security for Exchange Server, the installation will fail. You must delete the key before you try to reinstall Forefront Security for Exchange Server. To do this, follow these steps.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
3. Press DELETE, and then click Yes.
4. Exit Registry Editor.
• VSAPI will not let you run multiple antivirus software solutions at the same time.
• Files that are compressed into multipart RAR volumes are subject to the uncompressed file size limit that is specified by the MaxUncompressedFileSize registry subkey.
The default value of this limit is 100 MB. If any file exceeds the limit, any multipart RAR volume that contains the whole file or a part of the file is deleted.
For more information about the MaxUncompressedFileSize setting, see the following topics in the "Forefront Security for Exchange Server User's Guide":
• "Registry Keys"
• The "Treat Multipart RAR Archives as Corrupted Compressed" topic in the "Forefront Server Security Administrator" section
• You can prevent Forefront Security for Exchange Server from requiring a restart during an upgrade or an uninstallation. To do this, follow these steps:
1. Stop the MOM agent or any other monitoring software.
2. Make sure that the Forefront Security installation folder or its subfolders are not open in any command prompts or Windows Explorer windows.
3. After the upgrade or uninstallation is complete, start the MOM agent again.
• Forefront Security for Exchange Server does not support customers who use their own procedure to download engine updates from the Microsoft Web sites. Forefront Security lets a server be used as a redistribution server. However, this server must use Forefront Security to obtain the updates from Microsoft.
• Forefront Security for Exchange Server database paths have a maximum size of 216 characters. The database paths are configured in the DatabasePath registry entry.
• If you change the installation path, the new path must have fewer than 170 characters.
• UNC paths that are specified for engine updates must not end with a backslash (\).
• When Forefront Security for Exchange Server is installed on an Edge Transport server that is not a member of a domain, the InternalAddress setting is empty.
• If the server is a domain controller, and if Forefront Security for Exchange Server is installed on a Mailbox Only role, notifications and "Deliver from Quarantine Security" functionality will not work.
• Importing filter lists from a UTF-8-formatted file is not supported.
• We recommend that you use the Transport Scan Job to perform file filtering. This is because Transport can retrieve mail from the store before it is scanned by the Realtime Scan Job. Because all mail must use the Hub Transport role, the same filters would be applied to all messages.
• You can install and run Forefront Security only with the default setting of "Remote Signed" that Exchange Server adds to the PowerShell execution policy. Changing the default setting to a more restrictive policy such as "Restricted" or "AllSigned" is not supported by Forefront Security.
• To help you filter for profanity by using keywords, we have included sample lists in various languages. These lists are an optional component of Forefront Security for Exchange Server, and they must be installed separately.
• Single-node management of Forefront Security for Exchange Server is available by using Forefront Server Security Administrator. Multi-server management of Forefront Security for Exchange Server is available by using Forefront Security Management Console.
• To provide a consistent user experience in the Forefront Server Security Administrator Client, the servers should be configured to use uniform locale settings.
Specifically, the System Locale settings of the computer where the server is being run should match the User Locale settings of the computer where the client is being run. If these two locales do not match, connection will not be enabled.
• When you install Forefront Security for Exchange Server on a cluster continuous replication (CCR) cluster, the installation path must be the same for both nodes.
• In the General Options work panel, the Internal Address setting is limited to 64 kilobytes (KB) of characters.
• By default, when you run Forefront Security for Exchange Server on a CCR cluster, the Redistribution Server option is selected in the General Options work panel after installation. This option must remain selected for correct engine replication.
• When you uninstall Forefront Security for Exchange Server, the Active Directory directory service must be available for the uninstallation process to work correctly.
• When you install Forefront Security for Exchange Server on a computer that is running Windows Server 2008, an error message that resembles the following error message may be logged in the event log:
"Faulting application setup.exe_InstallShield "
You can safely ignore this message. This is an InstallShield error that does not affect the system.
• The CA InoculateIT scan engine is no longer available as a separate engine. This engine and its functionality have been merged with the CA Vet engine.
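The notes above list several conditions that make a Forefront Security for Exchange Server installation fail or behave unpredictably: a leftover VSAPI2 VirusScan registry key, an installation path of 170 or more characters, a UNC engine-update path ending in a backslash, and a PowerShell execution policy other than Remote Signed. The following pre-installation check is an added example (not part of the KB article or the product); the install path, update path and backup folder are constructed placeholder values passed as parameters, and the check only backs up the VirusScan key rather than deleting it.

```powershell
# Added pre-installation checks for the Forefront Security for Exchange Server
# constraints described in the notes (example script, not from the KB article).
# Assumed/constructed values: the three parameters below are placeholders.
param(
    [string]$InstallPath = 'C:\Program Files\ForefrontExample',   # constructed placeholder
    [string]$UpdatePath  = '\\fileserver\FSEUpdates',             # constructed placeholder
    [string]$BackupDir   = 'C:\Temp\FSE-Preinstall'               # constructed placeholder
)

$issues = @()

# 1. A VirusScan key left behind by a VSAPI2 antivirus product makes setup fail.
#    Export a restorable .reg copy first; the actual deletion is left to the admin.
$vsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'
$vsKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'
if (Test-Path $vsKey) {
    $issues += "VirusScan key present: $vsKeyReg (setup will fail until it is removed)"
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $backup = Join-Path $BackupDir 'MSExchangeIS-VirusScan.reg'
    # reg.exe export writes a copy that can be re-imported if the removal has to be undone
    & reg.exe export $vsKeyReg $backup /y | Out-Null
    Write-Host "Backed up VirusScan key to $backup. After reviewing it, remove the key with:"
    Write-Host "  Remove-Item -Path '$vsKey' -Recurse"
}

# 2. The installation path must have fewer than 170 characters.
if ($InstallPath.Length -ge 170) {
    $issues += "Install path is $($InstallPath.Length) characters; it must be fewer than 170"
}

# 3. A UNC path used for engine updates must not end with a backslash.
if ($UpdatePath.StartsWith('\\') -and $UpdatePath.EndsWith('\')) {
    $issues += "UNC update path '$UpdatePath' ends with a backslash; remove it"
}

# 4. Forefront Security supports only the Remote Signed execution policy that
#    Exchange Server sets; Restricted or AllSigned is unsupported.
$policy = Get-ExecutionPolicy
if ($policy -ne 'RemoteSigned') {
    $issues += "Execution policy is '$policy'; Forefront Security requires RemoteSigned"
}

if ($issues.Count -eq 0) {
    Write-Host 'Pre-installation checks passed.'
} else {
    Write-Host 'Pre-installation checks found issues:'
    $issues | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

Run it in an elevated PowerShell session on the target Exchange server before launching setup; a non-zero exit code means at least one of the listed conditions still applies.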
New features that are included in the service pack
• Support has been added for Windows Server 2008.
• Support has been added for Microsoft Exchange Server 2007 Service Pack 1 (SP1).
• Support has been added for IPv6.
• A new option that is named Treat multipart RAR archives as corrupted compressed has been added to the General Options work panel.
By default, this option is enabled. When this option is enabled, files that Forefront Security determines to be multipart RAR are treated as "corrupted compressed" files. Then, these files are acted on according to the Delete Corrupted Compressed Files setting.
When this option is disabled, Forefront Security for Exchange Server passes each file in the RAR volume to the scan engines.
Note If a file spans RAR volumes, Forefront Security for Exchange Server can pass only the partial file to the scan engines. Therefore, file type filtering may not work.
• A new option that is named Treat high compression ZIP files as corrupted compressed has been added to the General Options work panel.
By default, this option is enabled. When this option is enabled, if a zip archive is found to contain one or more highly compressed files, the zip archive is treated as "corrupted compressed." Then, the zip archive is acted on according to the Delete Corrupted Compressed Files setting.
When this option is disabled, Forefront Security for Exchange Server passes each file in a zip archive that is highly compressed to the scan engines in its compressed form. Forefront Security for Exchange Server does this by using the Deflated64, the Bzip2, or the PPMD algorithm. In this case, the whole zip archive will not be treated as "corrupted compressed" as long as no other files are compressed by using other high-compression algorithms.
• If Microsoft Updates has not already been enabled for the server, an option to opt in to the Microsoft Updates program is presented during the installation.
• Forefront Security scheduled tasks are now handled by using Task Scheduler. Each repeated task will now be shown as one scheduled task in the Scheduled Tasks user interface.
• A Profanity Keyword Setup package is now distributed as part of the Forefront Security for Exchange Server installation. When you run this package, localized profanity keyword lists are extracted and can be imported into Forefront Server Security Administrator to be used for keyword filtering.
• New Health State Monitoring event log entries have been added to give administrators a higher-level view of the system and to enable them to do proactive monitoring. The Forefront Security MOM pack has been improved to use these log entries to generate MOM alerts.
• A new Product Licensing Agreement and Expiration dialog box has been added. After you activate the product, you should enter the licensing information that you obtained from Microsoft Sales.
If you license the product, you can align your product expiration date with your license agreement. Otherwise, the expiration date is three years from the installation date. Also, you can easily renew your license by entering a new expiration date.
To license Forefront Security for Exchange Server, follow these steps:
1. On the Help menu, click Register Forefront Server. If you have not already activated the product, the Product Activation dialog box appears.
2. Enter your product activation information. When you do this, the Product Licensing Agreement and Expiration dialog box appears.
Note If you have activated Forefront Security for Exchange Server, only the Product License Agreement and Expiration dialog box appears.
3. Type your seven-digit License Agreement Number and an expiration date. You should type a date that corresponds to the expiration of your license agreement. When you do this, the expiration dates of the license agreement and of the product are coordinated.
When the product nears its expiration date, you should renew your license agreement and then enter the new license information in the Product Licensing Agreement and Expiration dialog box.
Software fixes that are included in the service pack
• The service pack resolves a problem in which Forefront Security for Exchange Server prevents Exchange Server from starting correctly if Windows SharePoint Services 3.0 is installed on the same server.
• The service pack resolves a problem in which Forefront Security for Exchange Server fails in a single copy cluster environment. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: 939365 (http://support.microsoft.com/kb/939365/) Forefront Security for Exchange Server fails in a single copy cluster environment
• The service pack includes Hotfix Rollup 1 for Microsoft Forefront Security for Exchange Server. This hotfix rollup includes the following fixes:
• The hotfix rollup resolves a problem in which Exchange Server services do not start after you install Windows Server 2003 Service Pack 2. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
936541 (http://support.microsoft.com/kb/936541/) Exchange services do not start after you install Windows Server 2003 Service Pack 2
• The hotfix rollup resolves a problem in which Forefront Security for Exchange Server notifications stop working if you change the Exchange Pickup folder path. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 937542 (http://support.microsoft.com/kb/937542/) Forefront Security for Exchange Server notifications stop working if you change the Exchange Pickup folder path
• The hotfix rollup resolves a problem in which Forefront Security for Exchange Server incorrectly identifies a message as a "CorruptedCompressedFile virus" and then blocks the message. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 937543 (http://support.microsoft.com/kb/937543/) Forefront Security for Exchange Server processes a message that contains invalid uuencode header information as a CorruptedCompressedFile virus
For more information about Hotfix Rollup 1 for Microsoft Forefront Security for Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base: 936831 (http://support.microsoft.com/kb/936831/) Description of Hotfix Rollup 1 for Microsoft Forefront Security for Exchange Server
This page is based on Microsoft KB article 945572.
10things blog's Konnie Care writes about 10 ways to reduce security risks in your organization...
Insiders pose the top corporate security threat today. Recent reports indicate that insider breaches have risen from 80% to 86% of all incidents, with more than half occurring after employee termination. Not surprisingly, internal employees who are authorized to access company systems are most likely to be linked to fraud or a security breach — and of all employees, IT staff members have the most resources to do so. Accordingly, IT audits focus on several areas to identify risks.
Employee fraud is built on a triangle — opportunity, motive, and rationalization. Effective controls require attention to all three angles. Here are some ways to implement these controls and reduce the opportunities your staff has to defraud you.
#1: IT security policies
Review IT security policies that address accounts and users with privileged access, such as domain administrators, application administrators, and DBAs. Ensure that policies exist and are clear on how access is requested, justified, and approved, and make sure they’re regularly reviewed. Without this, there is little basis for management of privileged access. Policies for managing privileged accounts aren’t complete without related reporting. Audit reports for privileged passwords often cover such topics as when passwords are updated, any update failures, and which individual identities performed tasks under a shared account.
Policies should have the goal of being able to stop user activities that are clearly indefensible. Ensure that all employees, contractors, and other users are aware of their responsibility to comply with the IT security policies, practices, and relevant guidance that is appropriate to their role.
#2: “Super user” accounts and access
It is important to know the level of exposure your organization has related to access. Determine the population of accounts and users with privileged access. Obtain a list of all accounts with elevated access to networks, applications, data, and admin functions. Include all computer (machine to machine) accounts, which are often overlooked. With this, ensure access is reviewed and deemed appropriate with proper approvals. A good practice is to review access on a regular basis and determine that the “owners” of the data and systems have explicitly approved it.
#3: Account and password configuration standards
Ensure that all administrative accounts are updated according to policy. Default password settings on a specific device should not exist. There is ample information available to those who are resourceful enough about default account names and their default passwords. Some security accounts are created with the password the same as the account name. This is an area of really low-hanging fruit. Password expiration is important, but it’s also wise to disable certain accounts that are known to be temporary. Contractors’ and consultants’ accounts are often available long after their work is complete.
#4: Controlled access to passwords
Manage access to passwords whose accounts have elevated and administrative access. This may sound like stating the obvious, but sharing access to, and communication of, passwords is not always controlled. Offline records or open access, such as e-mails containing passwords, should not exist. Even an encrypted file of passwords is not recommended. In the worst case, the password to the file of passwords is not controlled.
#5: Service accounts, aka “machine” accounts
Service accounts can be implemented with elevated access and used in nefarious ways. These accounts are not typically assigned to human users and are not included in traditional approval or password management processes. Because no person is assigned to them, their use is easier to hide from access tracking. Ensure all service accounts have only necessary access. These accounts should also be reviewed on a periodic basis, as they often have super user capabilities. There are often too many of them, including accounts that are no longer used.
#6: High-risk users and roles
Some organizations actively monitor certain roles where business risks are higher to identify potentially “unacceptable” behavior. Many businesses have critical roles where risks of crime are higher. For example, a purchasing manager may have access to sensitive data that he or she is planning to take to a new job with a competitor. In this case, access is authorized, but there may be misuse. Rotating jobs and duties and mandating time off is often a solution in high-risk areas. IT security pros often meet the high-risk criteria.
#7: Security awareness program
Any employee or user can pose a threat. It is imperative to implement a security awareness program that addresses all of the above topics and is enforceable. Many simple solutions exist for ensuring all users have read and consented to policies. A tool for this is a sign-on message that is presented at login, requiring the user to confirm his or her consent in the form of an Accept check box. Ongoing awareness activities help enforce policies.
#8: Background screening
Background screeners ask carefully worded questions to reveal red flags about specific behaviors and attitudes such as:
- Irregular work history — Questionable reasons for leaving jobs, long periods of unemployment
- Dishonesty — Misrepresentations in facts, such as education, licensure, or previous employment
- Character/attitude problems — Poor relationships with coworkers and/or supervisors
- Behaviors such as frustration, problems with authority, suspicion or paranoia, or inability to accept change
#9: Event logging
Security event management (SEM) provides significant real-time visibility of use and activities. Accurate and complete records of users and their activities are essential for incident analysis and development of additional security measures. Of key importance are the methods used to gain access, the extent of access, and past activities. To ensure that adequate records exist, consider improving logging usage information for higher risk areas and services.
#10: Evidence
Managers should be familiar with the different storage devices used and also have an adequate level of knowledge of “fingerprints” if there is any suspicion. These can be headers, cookie data, usage data, hidden OS data, etc. It is easy to acquire confidential files from company systems and place them on flash drives, which can be disguised as a normal fountain pen, digital watch, digital camera, personal digital assistant (PDA), or cell phone. Some investigators do nothing but collect and analyze information from cell phones, since they contain voice mail, text messages, address files, phone numbers, and a log of calls missed, received, and made. If there is any suspicion of criminal activity, evidence should be preserved and guarded until its fate is determined.