Category: Security

#Exchange2007

Just seen this: http://www.microsoft.com/technet/security/bulletin/MS10-106.mspx

This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

This security update is rated Moderate for Microsoft Exchange Server 2007 Service Pack 2 for x64-based Systems.

---

Non-Affected Software

• Microsoft Exchange Server 2000 Service Pack 3
• Microsoft Exchange Server 2003 Service Pack 2
• Microsoft Exchange Server 2007 Service Pack 3
• Microsoft Exchange Server 2010
• Microsoft Exchange Server 2010 Service Pack 1

Ohhh

---

Source: http://www.microsoft.com/downloads/details.aspx?FamilyID=b8a7d36f-cc8d-4335-ae60-8f27c48f3a37&displayLang=en

Microsoft Forefront Security 2010 for Exchange Server provides fast and effective protection against malware and spam by including multiple scanning engines from industry-leading security partners. It also integrates with Forefront Online Security for Exchange to provide the defense-in-depth benefits of hosted and on-premise filtering in a single solution.

Just install forefront and here are the new cmdlets

Name	Synopsis
Add-FSSFilterListEntry	Adds items to an existing filter list.
Clear-FSEReport	Resets a report about FSE activities.
Clear-FSSFilterList	Clears a filter list. The filter list may still be associated with scan jobs.
Export-FseQuarantine	Saves quarantined items to disk.
Export-FSESettings	Exports the configuration settings.
Get-FSEAdvancedOptions	Retrieves the advanced options.
Get-FseIncident	Retrieve records from the incident database.
Get-FseIncidentOptions	Gets the incident database options.
Get-FSELoggingOptions	Retrieves logging options.
Get-FSENotification	Retrieve settings for e-mail notifications.
Get-FSEOnDemandFilter	Retrieves the configuration of all filter lists of a particular type enabled for the on-demand scan.
Get-FSEOnDemandScan	Retrieves the configuration for the on-demand scan.
Get-FSEProductInfo	Retrieves server and product information.
Get-FseQuarantine	Retrieve records from the quarantine database.
Get-FseQuarantineOptions	Retrieves the quarantine options.
Get-FSERealtimeFilter	Retrieves the configuration of all filter lists of a particular type enabled for the realtime scan.
Get-FSERealtimeScan	Retrieves configuration settings for the Realtime scan.
Get-FSEReport	Retrieves statistical reports about FSE activities.
Get-FSEScheduledFilter	Retrieves the configuration of all filter lists of a particular type enabled for the scheduled scan.
Get-FSEScheduledScan	Retrieves the configuration for the scheduled scan.
Get-FSESpamConnectionFilter	Retrieve configuration options for the Forefront DNS Block List (DNSBL).
Get-FSESpamContentFilter	Retrieves the settings for the spam content filter.
Get-FSESpamFiltering	Retrieve the status of spam filtering.
Get-FSESpamReport	Retrieves a spam blocking report.
Get-FSETransportFilter	Retrieves the configuration of all filter lists of a particular type enabled for the transport scan.
Get-FSETransportScan	Retrieves configuration options for the transport scan.
Get-FSSExtendedOption	Get an extended option.
Get-FSSFilterList	Retrieves filter lists.
Get-FSSSignatureOptions	Retrieves engine definition update settings.
Get-FSSSignatureUpdate	Retrieves the schedules for updating engine definitions.
Get-FSSTracing	Retrieves trace settings.
Import-FSESettings	Imports the configuration settings.
New-FSSExtendedOption	Create an extended option.
New-FSSFilterList	Creates a new filter list.
Remove-FseIncident	Removes an item from the incident database.
Remove-FseQuarantine	Removes an item from quarantine.
Remove-FSSExtendedOption	Remove an extended option.
Remove-FSSFilterList	Deletes a filter list.
Remove-FSSFilterListEntry	Removes one or more items from a filter list.
Resume-FSEOnDemandScan	Resumes a suspended on-demand scan.
Send-FseQuarantine	Delivers an item that has been quarantined to the specified recipients.
Set-FSEAdvancedOptions	Sets advanced scan options.
Set-FseIncidentOptions	Sets the incident database options.
Set-FSELoggingOptions	Sets logging options.
Set-FSENotification	Configure settings for e-mail notifications.
Set-FSEOnDemandFilter	Configures a filter list for use with the on-demand scan.
Set-FSEOnDemandScan	Sets configuration options for the on-demand scan.
Set-FseQuarantineOptions	Sets the quarantine options.
Set-FSERealtimeFilter	Configures a Realtime filter list.
Set-FSERealtimeScan	Configures the realtime scan
Set-FSEScheduledFilter	Associates a filter to the scheduled scan and enables it
Set-FSEScheduledScan	Configures the scheduled scan.
Set-FSESpamConnectionFilter	Sets configuration options for the Forefront DNS Block List (DNSBL).
Set-FSESpamContentFilter	Sets the configuration options for the spam content filter.
Set-FSESpamFiltering	Enables or disables Forefront antispam filtering.
Set-FSETransportFilter	Configures a filter list for use with the transport scan.
Set-FSETransportScan	Configures the transport scan.
Set-FSSExtendedOption	Set an extended option.
Set-FSSFilterList	Replaces all the values in a filter list.
Set-FSSSignatureOptions	Sets engine and definition updating options.
Set-FSSSignatureUpdate	Sets the schedule for updating engine definitions.
Set-FSSTracing	Sets trace settings.
Start-FSEOnDemandScan	Starts the on-demand scan.
Start-FSEScheduledScan	Starts a background scan.
Start-FSSSignatureUpdate	Starts engine updating.
Stop-FSEOnDemandScan	Stops the on-demand scan.
Stop-FSEScheduledScan	Stops a currently-running scheduled scan.
Suspend-FSEOnDemandScan	Suspends the on-demand scan.

Source: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=522da65d-5263-4f5d-b929-8428a394b9af

The new Forefront Security for Exchange Server SP1 capacity planning tool helps customers understand what hardware, architecture, and configuration settings will produce recommended system performance and message throughput results for comprehensive protection of their Exchange Servers. This tool, an excel spreadsheet with built in workflow, applies to the Forefront Security for Exchange Server SP1 product. The user will be able to plan the details for a new deployment or understand the impact of adding security protection to an existing deployment. In short, the user will choose their CPU and memory tolerances for deployment, their target reference architecture, their desired protection settings, and their targeted supported user load. Once this is defined, the tool will either recommend scaling up or out on the base recommended hardware for each server role.

For additional details, please read the “Directions” and “Readme” tabs. A “Resource” tab is also provided with links to obtain additional data to help make an informed decision during the planning stage.

---

This tool has a specific purpose and a limited scope. Please carefully read this entire page to understand the data output by this tool and how to use it properly.

Description: The Microsoft Forefront Security for Exchange Server (FSE) capacity planning tool acts as a complement to a Microsoft Exchange Server capacity plan to help you understand the additional computing power required to add Forefront Security for Exchange Server to an Exchange Server environment. Whether you are planning an Exchange deployment or you are adding Forefront Security for Exchange Server to your existing Exchange environment, you can use this tool to estimate the total hardware required to run Forefront Security for Exchange Server on your Microsoft Exchange Server infrastructure. Based on knowledge of your unique environment and requirements, you can use the information from this tool to help make decisions about scaling your infrastructure to maximize performance without over-allocating server hardware when you deploy Forefront Security for Exchange Server.

NOTE: This capacity planning tool is not a replacement for thorough Exchange capacity planning. It should not be used to create an Exchange capacity plan, nor should you base hardware purchase decisions exclusively on the information gleaned from this tool. Rather, this tool should be used to help further inform a detailed Exchange capacity plan.

MICROSOFT PROVIDES THE CAPACITY PLANNING TOOL “AS IS” TO END USERS AND WITHOUT SUPPORT.

The Capacity Planning Tool is designed to help you estimate your Microsoft Exchange capacity needs, and is intended to assist but not replace your complete Microsoft Exchange capacity planning. Network configurations vary, so you may need more software and/or hardware than that which the Capacity Planning Tool estimates in order to effectively deploy Microsoft Exchange Server and/or Microsoft Forefront Security for Exchange Server on your network.

You may use the Capacity Planning Tool only to estimate the Microsoft Exchange Server capacity needs for your network and not for any other purpose.

All organizations are unique, and they have requirements, policies, behaviors, and cultures that guide the specification of requirements and inform hardware purchase decisions. The output from this tool gives you an idea of the additional load created by Forefront Security for Exchange Server on sample server environments created for each of the reference architectures. You can use the data we collected from the sample environments to understand how Forefront Security for Exchange Server impacts utilization and performance, and that understanding can be combined with the Exchange capacity plan and your knowledge about the organization and its IT landscape to help guide decisions. Exchange capacity plan and your knowledge about the organization and its IT landscape to help guide decisions.

Background: It is not logistically feasible to test every possible combination of deployment scenario, application configuration, and user load profile. Therefore, Microsoft established a baseline for each reference architecture using FSE Service Pack 1 (SP1) and then identified a total of 80 different test scenarios to run the reference architectures, plus an additional 30 scenarios to run specifically against the edge. Details about baseline settings and hardware specifications are below. The data collected from the test environments enabled us to predict the additional computing resources consumed based on the various settings, message rates, and so forth.

FSE Settings: Forefront Security for Exchange Server (FSE) is highly configurable and has many settings. In this tool, you are using settings that have a practical impact on performance. There are a number of other settings that have minimal or no performance impact and are not included in the tool.

This tool refers to user load profiles, which characterize the e-mail usage patterns across an organization. The profiles correspond to specific data as follows:

User Load Profile	Send/Receive Messages per day	Database cache/user	Estimated IOPS/user	Logs Generated / mailbox
Light	5 sent/20 received	2 MB	0.11	6
Average	10 sent/40 received	3.5 MB	0.18	12
Heavy	20 sent/80 received	5 MB	0.32	24
Very Heavy	30 sent/120 received	5 MB	0.48	36

Note these values, and then select the user load profile that corresponds most closely to the e-mail usage patterns in your organization.

Reference Architectures:  The results used to create this capacity planning tool were derived from two reference architectures for Forefront Security for Exchange Server: Standard and Enterprise.

Standard Reference Architecture (SRA): The SRA combines the hub and mailbox roles on a multi-role server.  In our environment, the SRA was deployed with 1,600 users with an “average” user load profile.
Enterprise Reference Architecture (ERA): The ERA breaks out roles for the hub and mailbox servers. In our environment, the ERA was deployed with two mailbox servers. Each mailbox server had 1,000 users with a “heavy” user load profile.

Recommended Hardware: In line with Microsoft Exchange Server 2007 hardware recommendations, we recommend that you use an enterprise-class server device with:

• Processor – 4 cores
• Memory – 4 GB RAM

Hardware recommendations output by the tool use this as the baseline.

Hardware Utilized:

In this study, servers were configured as follows:

• Edge and hub servers – HP DL380G4, 2 Intel Xeon 3-GHz hyper-threaded processors, 4 GB RAM, connected to an HP Storage Area Network (SAN) via Fibre Channel
• Multi-role server – HP DL380G4, 2 Intel Xeon 3-GHz hyper-threaded processors, 10 GB RAM, connected to a HP SAN via Fibre
• Mailbox servers – HP DL380G4, 2 Intel Xeon 3-GHz hyper-threaded processors, 8 GB RAM, connected to a HP SAN via Fibre
• Domain Controller (DC), clients – Hyper-V virtual machines running on a HP DL380G5 with 2 Intel Xeon 3-GHz quad-core processors and 14 GB RAM. Each virtual machine was allocated 100% of 1 processor core and 2 GB RAM.

It took ages to find some decent information, so this is what I found out ..

---

Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from:

Figure 1: Forefront for Exchange Antivirus Engines

Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously

Figure 2: Multiple Engines

Why Multiple Engines

One of the most important factors in the successful protection of your network against viruses is how fast you get new virus engine signature files. Email allows viruses to be spread in a matter of hours, and a single email virus is enough to infect your whole network. So a critical factor is how fast the signature files of your anti-virus solution are updated when a new virus emerges.

Every anti-virus vendor in the market claims to have a fast response time. Anti-virus labs produce updates for virus and worm outbreaks at different intervals. For example, the same lab may produce an update for one virus within six hours, yet take 18 hours for the next one.

The problems with a single antivirus engine approach originate from having only one system in place to identify threats – no engine is immune to vulnerability. Although the signature files used by an engine to identify viruses are generally updated several times a day, they are often released after a new virus has already hit and damage has been done. Even if an engine is 99.9 percent effective, it only takes one infection to cost an organization hundreds of thousands of dollars in lost productivity and downtime.

The Forefront Security for Exchange provides the capability to use multiple anti-virus engines and allows you to concurrently run up to 5 of the included Microsoft and third-party anti-malware engines. Using multiple scan engines delivers several critical advantages:

• It increases the chances that emerging threats will be quickly caught.
• It provides redundancy to help protect against scan failures or defects in individual engines; if an engine fails, other engines continue scanning messages.
• It gives administrators an effective way to choose the most appropriate level of protection for their environment given their security needs and server performance capabilities.
• It allows engines to be taken offline for updates or reconfiguration without forcing messages to be queued.

A recent set of tests performed by the independent AV-Test.org group found some surprising differences in signature update times from various vendors.

The tests compared AV lab response times were tested for 68 “In the Wild” viruses and variants that appeared from April – June 2007. (The tests used five randomly chosen Forefront engines versus three single-engine vendors.)

The results showed that 37 viruses were proactively detected by all labs, while 23 viruses showed significant variations in detection times

Forefront engine sets performed much better when compared to the three leading competitors tested – both the competitors’ release and beta engines (the data in this table include beta engines’ times).

Figure 3: Multiple Antivirus Engines

All the scan engines that FSE integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Bias

When using Multiple Antivirus engines with Forefront for Exchange, you can control how many engines are needed to provide an acceptable probability that the system is protected.

The Forefront for Exchange Server Multiple Engine Manager (MEM) controls the selected engines during the scan job. It ranks each engine based on its past performance and its age, and uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSE considers the item infected and has the MEM deal with it accordingly.

The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance. Microsoft recommends FAVOR CERTAINTY, which is the default setting, and MAX CERTAINTY where possible.

Bias Setting	Description
Max Certainty	Each item is virus-scanned by all five of the selected engines
Favor Certainty	Fluctuates between virus scanning each item with three and five engines
Neutral	Each item is virus-scanned by at least three engines
Favor Performance	Fluctuates between virus scanning each item with one and three engines
Max Performance	Each item is virus-scanned by only one of the selected engines