Archive

Archive for the ‘Security’ Category

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

December 27, 2016 Comments off

When performing SSL and TLS hardening on Microsoft Forefront Threat Management Gateway (TMG) 2010 or Forefront Unified Access Gateway (UAG) 2010 servers, disabling SSL 3.0 and TLS 1.0 is often required to meet regulatory and compliance guidelines for security. However, disabling SSL 3.0 and TLS 1.0 causes the SQL Server (ISARS) and SQL Server Express services to fail on start up.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

Switching from SQL logging to text file logging can be employed as a workaround. However, when using text file logging, generating historical reports in the TMG management console is no longer supported.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

To restore full functionality for SQL logging and reporting when SSL 3.0 and TLS 1.0 are both disabled, an update to the local security policy of the server is required. Open the Local Security Policy editor by clicking on the Start button and navigating to Administrative Tools and Local Security Policy. Expand Local Policies and click on Security Options. Double-click on System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Click Enabled and then click OK.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

Restart the computer for the changes to take effect. Once complete, all SQL services should start and run without issue.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010


Note: If Remote Desktop Services (RDS) is used to manage the Forefront TMG firewall it will be necessary to install update KB3080079.


 

Fastvue TMG Reporter 3.0 Beta Now Available

March 4, 2015 Comments off

Fastvue TMG Reporter Advanced Reporting Solution for Microsoft Forefront TMG 2010I’m a huge fan of the Fastvue TMG Reporter advanced reporting solution. If you’ve spent any time at all with the native Forefront TMG 2010 reporting tools, you know they are, as my British friends say, “rubbish”. While it is possible to configure Forefront TMG 2010 to log to an external SQL server and create your own reports, a better alternative is to use Fastvue TMG Reporter. They’ve already done all the hard work for you! Also, TMG Reporter from Fastvue works with TMG when configured to use an external SQL server, so you get the best of both worlds!

Recently the fine folks at Fastvue announced a sneak peak at their latest update to TMG Reporter in v3.0 Beta. This latest release includes a bunch of great new features, including the following:

  • Site Clean – This provides a way to clean up a lot of noise from your activity reports by consolidating related requests (e.g. analytics and CDN requests).
  • Private Report Sharing – Create a report for an individual or group and prevent them from accessing any other report data.
  • AD Security Group Filtering – A must have for searching activity reports!
  • Export to CSV for Reports and Report Tables – Great feature for detailed, granular data analysis offline.
  • Filter by Firewall Server Name or IP Address – This is essential for enterprise customers managing multiple TMG firewalls across the organization.

The latest release also includes Gantt Bars for Activity Reports, changes to the Productivity Dashboard, inclusion of search terms in User Overview reports, an updated Alerts interface, and improved data visibility. In addition, v3.0 includes memory usage improvements and the usual bug fixes and miscellaneous minor improvements.

Be sure to download Fastvue TMG Report v3.0 Beta today!

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

November 20, 2014 5 comments

When performing POODLE attack mitigation on the Forefront TMG 2010 firewall by disabling SSL 3.0, you may encounter a scenario in which TMG’s SQL services fail to start after a reboot.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Looking through the Windows system event log you may see an error message logged by the Service Control Manager with event ID 36871 which states:

A fatal error occurred while creating an SSL server credential.
The internal error state is 10013.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

In addition you may also see an error message logged by the Service Control Manager with event ID 7024 which states:

The SQL Server (ISARS) service terminated with service-specific
error %%-2146893007.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

This can occur when SSL 3.0 is disabled at the same time that TLS 1.0 is also disabled. Even though TLS 1.1 and 1.2 might be enabled, TMG requires that TLS 1.0 specifically be enabled for SQL server services to function properly when SSL 3.0 is disabled.

To resolve this issue, enable TLS 1.0 Server in the registry by changing the value of Enabled to 1, as shown here. If these registry keys do not exist, create them.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Restart the server for the change to take effect.

Mitigating the POODLE SSL 3 Vulnerability on Forefront TMG 2010

October 21, 2014 20 comments

Recently a new and very serious vulnerability in the SSL 3.0 protocol has been discovered that allows an attacker to recover sensitive information for an encrypted session. The Qualys SSL Labs server test has been updated to identify and warn about this issue.

Mitigating the POODLE SSL 3.0 Vulnerability on Forefront TMG 2010

Figure 1 – Qualys SSL Labs Server Test Score for TMG Published Secure Web Site

On a Forefront TMG server with SSL hardening implemented as I’ve outlined here and here, the POODLE attack is mitigated, but it is still recommended that you disable SSL 3.0 altogether. SSL 3.0 is an old, outdated protocol that is no longer widely used, and disabling it should have minimal impact on clients connecting to secure web sites published by the Forefront TMG 2010 firewall.

To disable SSL 3.0 on the TMG firewall, open an elevated PowerShell window and execute the following commands:

New-Item -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” -Force

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” -PropertyType dword -Value 0 -Name Enabled

Note: Use caution when copying/pasting the above commands as wrapping of the text has occurred.

A restart of the server is required for the change to take effect.

Recommended Forefront TMG 2010 SSL and TLS Configuration

September 8, 2014 6 comments

Last year I wrote an article for ISAserver.org that provided detailed guidance for improving security for SSL and TLS protected web sites using Forefront TMG 2010. Many people have reached out to me recently to ask about enabling forward secrecy, which my original article did not include because, at the time, it was not recommended to enable it. However, as times have changed, it is now recommended to enable forward secrecy so I recently wrote a short post with guidance on how to do that. The post was written with a very narrow scope and addressed only the enabling of forward secrecy for TLS. Many of you have since asked for guidance on overall security best practices with regard to SSL and TLS along with adding support for forward secrecy. In addition to the configuration changes detailed in my original ISAserver.org article, I also recommend the following list of SSL and TLS cipher suites be explicitly enforced using the method outlined here.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Using this configuration, the Forefront TMG 2010 firewall should receive an A rating from the SSL Labs test site (at the time of this writing).

Forefront TMG 2010 SSL Security Configuration

Enabling and supporting the above list of cipher suites will provide the best overall protection and performance for your SSL protected web sites. Note that the list above does not include support for SSL 3.0. If you need to support SSL 3.0 you should add the following cipher suites to the end of the list.

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

Please note that this configuration may not work with older browsers on old, unsupported operating systems, for example Internet Explorer 6 on Windows XP. Before deploying this configuration in production I would encourage you to conduct some testing with your supported clients to ensure operability.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

August 28, 2014 3 comments

Last year I wrote an article for ISAserver.org that outlined in detail how to improve SSL and TLS security for web sites published using Forefront TMG 2010. In its default configuration, Windows Server 2008 R2 and Forefront TMG leave quite a bit to be desired in terms of SSL and TLS security. In the article I demonstrated how to dramatically improve the security posture of TMG when publishing web sites that use SSL and TLS. At the time I wrote the article it was not recommended to enable forward secrecy, so the changes I originally proposed resulted in an “A” score from the Qualys SSL Labs test site. However, times have changed since then, and with the recent revelations of wide spread government spying, it is now recommended to enable forward secrecy by default. Sites that don’t support forward secrecy will now receive a reduced grade.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

To accomplish this on the Forefront TMG 2010 firewall, open the Local Group Policy Editor (gpedit.msc) and navigate to Computer Configuration, Administrative Templates, Network, SSL Configuration Settings. Double-click SSL Cipher Suite Order and choose Enabled. Copy the list of SSL cipher suites to a blank notepad document and then move all of the cipher suites that begin with TLS_ECDHE_RSA_WITH_AES_ to the front of the list. Use caution here because the list cannot have any extra commas, line breaks, or spaces at all. Paste the updated list back in to the SSL Cipher Suites box and click Ok.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

The server will have to be restarted for the changes to take effect. Once complete, forward secrecy will now be used by modern browsers and you should once again receive an “A” grade from SSL Labs.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

Forefront TMG 2010 Computer Certificate Request or Renewal Fails

April 21, 2014 2 comments

When attempting to request or renew a computer certificate on the Forefront TMG 2010 firewall, you may receive the following error message:

Status: Failed
The RPC server is unavailable.

 

forefront_tmg_2010_certificate_01

This occurs because the Forefront TMG 2010 firewall does not, by default, allow the protocols and ports required to request or renew a certificate from a Certificate Authority (CA). Common workarounds suggest stopping the firewall completely or creating a rule allowing all protocols and ports from the TMG firewall to the CA. However, both of these workarounds are problematic. Stopping the firewall is a manual process that will cause a service disruption. It also leaves the firewall in an unprotected state. For edge deployment scenarios, the underlying operating system will be exposed directly to untrusted networks, which is a serious security risk. Creating an open access rule is not desirable because it violates the basic security principle of least privilege by allowing more access than is required.

To properly address this issue and allow for the secure request and renewal of certificates without disruption and with the least exposure, it will be necessary to create an access rule on the Forefront TMG 2010 firewall to allow all dynamic ports (TCP 49152-65535) from the local host network to the IP address of the CA for all users.

forefront_tmg_2010_certificate_02

Note: Allowing all dynamic ports (TCP 49152-65535) might also be considered too much access from the Forefront TMG 2010 firewall to the CA. It is possible to restrict the dynamic ports used by TMG and further tighten the access rule, if required. For information about restricting dynamic ports, click here.

In addition to the access rule allowing all dynamic ports, it will also be necessary to make a change to a system policy rule. To do this, right-click the Firewall Policy node in the navigation tree and choose All Tasks, System Policy, and then Edit System Policy. In the Authentication Services group highlight Active Directory and clear the checkbox next to Enforce strict RPC compliance.

forefront_tmg_2010_certificate_03

Once these changes have been made you can now request or renew a computer certificate on the Forefront TMG 2010 firewall successfully.

forefront_tmg_2010_certificate_04