Share via

Forefront Protection for Exchange Best Practices

  • Article

Overview of Forefront for Exchange

 

Microsoft Forefront delivers comprehensive, end-to-end solutions, both on-premises and in the cloud, to help protect users and enable secure access virtually anywhere. With our integrated portfolio of protection, identity, and access products, you can help secure your environment and manage access across data, users, and systems.

Forefront delivers malware protection solutions across endpoints, messaging and collaboration application servers, and the network edge.

 

Best Practices configuration for Forefront for Exchange

The following table presents the best practices configuration for  Forefront:

#

Recommendation

Deployment


For baseline protection throughout the enterprise, it is recommended that Forefront Security for Exchange Server be deployed on all Edge and Hub servers.


For global protection throughout the enterprise, we recommend that Forefront Security for Exchange Server be deployed on all Edge, Hub, and Mailbox servers.


To obtain optimal performance, all servers should have identical protection settings.


By default, messages are scanned only once by Forefront, however, it is a best practice to schedule background scanning on the Mailbox server to periodically rescan messages using the latest available signatures.

General Options


Configuration data (such as ScanJobs.fdb and Notifications.fdb) is associated with a Clustered Mailbox Server (CMS) so each node does not need to be configured separately


Scanner signature files are associated with a CMS, so both active and passive nodes will always be up to date.


Configuration data kept in the registry is replicated, on a CMS basis, when the CMS moves from one computer to another during a failover event.


Failovers must be to the passive node.


Each node can only run one Clustered Mailbox Server (CMS) at a time.


The Forefront Server Security Administrator should be connected to the Virtual Machine when connecting to FSE on a cluster server.

General Options

Any time a server attempts to download and update a scan engine, it is a good idea to send an update notification.

Select the option Delete Corrupted Compressed Files.

Select the option Delete Corrupted Uuencode Files.

Select the option Scan Doc Files As Containers, since viruses and worms can be embedded into container files (such as .doc, .xls, .ppt, and .shs). Also enable the equivalent setting for the Transport and Realtime scan jobs.

Select the option Delete Encrypted Compressed Files.

It is recommended that you change the Max Container File Size value to match your email policy concerning the largest permissible file attachment size.

Optimize for performance by not rescanning messages already virus scanned, this option should be selected to obtain the performance enhancements provided by the AV stamp.

Select the critical notification list option, If Forefront stops working on the server, or there is a serious issue with scanning, Forefront will send critical notifications, which can be vital to maintaining a stable and secure environment.

Updating Engines

Use the UNC method of updating your engines.

Updates should be staggered across an environment so that the Edge layer does the updating first, then the back end later in the hour.

The update schedule for any engine that updates more frequently than others should be set accordingly.

Even if a particular engine it is not being used, it should be updated once a day so that if you need to activate it the signatures will be up to date.

Bias Setting


We recommend using the same engines and bias settings on all Edge Transport and Hub Transport servers

We recommend that you set the bias level to Favor Certainty, this setting will ensure that all the available engines are utilized and that no e-mail can be opened without having passed through the maximum number of engine scans.

It is recommended that you use Inbound, Outbound, and Internal Scanning on all servers.

It is recommended that the bias setting for the Manual Scan Job be the same as that selected for the Realtime Scan Job.

Filtering Files

Create a * file filter and select the specific File Types (for example, DOC) you want filtered.

Create a generic filter for the extension (for example, *.exe*) and set File Types to All Types.

Create a generic filter for the extension (for example, *.exe*) and set File Types to a specific type. Note that this is the riskiest method since you must be sure of the file type and file extension when creating such a filter.

It is recommended that you set up a filter list for the Transport Scan Job that contains the file types most likely to be infected.

Action

It is recommended that you set the Action to Delete; remove infection for all scan jobs.

Block attachments known as typical malicious code vectors. Refer to Appendix A for a list of file extensions.

References

The recommendations presented above were taken from the Microsoft Forefront, available at http://www.microsoft.com/en-us/server-cloud/forefront/default.aspx (last visited September 20, 2011). Please refer to this document for further configuration instructions.

The recommendations presented above were taken from the Tech Center do Microsoft Forefront: Forefront Security for Exchange Server Best Practices Guide, available at http://technet.microsoft.com/en-us/library/bb795206.aspx (last visited September 20, 2011). Please refer to this document for further configuration instructions.

The recommendations presented above were taken from the Forefront Security for Exchange Server Best Practices: Microsoft® Forefront™ Server Security for Microsoft Exchange Server 2007, available at http://download.microsoft.com/download/a/8/6/a86c15fa-3431-48e1-a264-f53f72baf840/best_practices.doc (last visited September 20, 2011). Please refer to this document for further configuration instructions.

Appendix A – Attachment Blocking

  • .386 Windows Enhanced Mode Driver or Swap File
  • .ACM Audio Compression Manager Driver (Windows) and Windows System File
  • .ASP Active Server Page
  • .AVB Innoculan Anti-Virus Virus Infected File
  • .BAT Batch Processing
  • .BIN Binary File
  • .CLA Java Class File (usually .CLASS but can be shortened)
  • .CLASS Java Class File
  • .CMD OS/2®, WinNT Command File, DOS CP/M Command File, dBase II Program File
  • .CNV MS Word Data Conversion File
  • .COM Executable File
  • .CS* Corel Script
  • .DLL Dynamic Link Library
  • .DRV Device Driver
  • .EXE Executable File
  • .GMS Corel Global Macro Storage
  • .HLP Windows Help File
  • .HTA Hypertext Application (run apps from HTML doc)
  • .HTM,.HTML Hypertext Markup Language (HTML)
  • .HTT Hypertext Template
  • .INF Information or Setup File
  • .INI Initialization file (many)
  • .JS*, JS, JSE JavaScript Source Code
  • .LNK Linker File, Windows Shortcut File
  • .MHT* MS MHTML Document (Archived Web Page)
  • .MPD Mini Port Driver
  • .OCX Object Linking and Embedding (OLE) Control Extension
  • .OV* Program Overlay File (.OVL)
  • .PIF Windows Program Information File
  • .SCR Screen Saver Script
  • .SHS Shell Scrap Object File
  • .SYS System Device Driver
  • .TLB Remote Automation Truelib Files
  • .TSP Windows Telephony Service Provider
  • .VBS Visual Basic Script
  • .VBE Visual Basic Script Encrypted
  • .VXD Virtual Device Driver
  • .WBT WinBatch Script
  • .WIZ Wizard File
  • .WSH Windows Script Host Settings File