June 13, 2006

Should Microsoft Forefront work with SBS?

With the recent announcement of Microsoft Forefront, I have had a few people now ask if this will be available for SBS. To be honest, I don't know the answer, and I don't believe Microsoft does either. Those pesky SBS devs stay very tight-lipped about such things.

Could Forefront work on SBS? Of course. Although Forefront is presented as "enterprise security" bits, the core pieces all exist or can play with the SBS platform:

  • Forefront Client Security (formerly called Microsoft Client Protection)
  • Forefront Security for Exchange Server (currently called Microsoft Antigen for Exchange)
  • Forefront Security for SharePoint (currently called Antigen for SharePoint)
  • Antigen for Instant Messaging
  • Microsoft Internet Security and Acceleration Server 2006 Release Candidate

The ISA 2006 piece isn't something we will be getting ever. In Cougar (Longhorn Server version of SBS) though, we should be getting ISA 2007. So, what does that mean for Forefront? Let's take a look at the Forefront roadmap:

As you can see, Forefront is also going to be adding ISA 2007. So theoretically, that might be a time frame where integration with Forefront might make sense. But here is the kicker: when weighing features vs cost, it is highly unlikely that most SBSers would embrace a higher priced SBS platform to get the Forefront bits. We already see an unprecedented imbalance between SBS Standard and Premium... where so many people are missing out on the benefits of ISA 2004. Adding the rest of this is probably just not in the cards.

A heterogeneous solution with Forefront on SBS for security all tied into Active Directory makes a lot of sense... but it's a solution most small businesses just won't understand... yet. And if they can't see the value proposition in the offering, it makes it extremely difficult for resellers to position it.

So SHOULD Forefront work with SBS? Yes. Will it? Doubtful.

Posted by SilverStr at June 13, 2006 08:40 AM
Comments

Disclaimer: I don't know anything about this Forefront stuff

Can you explain to me what the integration point is between Forefront and AD? While I don't know anything about Forefront, I do know something about the other products mentioned, and none of them have anything above what I'd consider a "normal" AD relationship. Is there a potential integration point that I'm missing?

Posted by: Eric Fleischman at June 13, 2006 10:47 AM

Hey Eric,

There isn't any magic pixie dust that makes any amazing integration points past the way you can control everything through group policy and the normality that IS 'AD'.

What Forefront does well is ensure that authentication, authorization and auditing all work seamlessly across the board in all products. Take Forefront Client Security as an example. Depending on the role a subject (user) may have to an object (asset), you can create quarantine and security policies to ensure that the appropriate safeguards are in place. Imagine if you will, that only those clients connecting with the latest patched Vista can access a new Longhorn server. Or that the latest Antigen AV signatures are up to date before the VPN will even be established. Further to this, you can not only validate and verify software versioning and control, you can create policies to ensure that based on the subject's role AND location, only certain assets can be accessed in certain ways.

This isn't really new stuff. But it finally has been integrated together under one umbrella. When you tie Rights Management Server on top of that.. holy cow can you really start to offer more fine grained access control.

With SBS in the picture, the issue is that everything in the SBS world has to be "wizarded". This makes it a bit more difficult to deploy since now new assertions need to be made on how that is not only deployed, but configured. Hence why the default ISA 2004 rulesets on SBS leave something to be desired for those who are intimate with what ISA can really do.

Posted by: Dana Epp at June 13, 2006 01:25 PM

i c.
FYI, group policy != AD. In fact, the AD team doesn't own GP at all. GP is, to AD, just another AD client. It just so happens that an aspect of AD uses policy output, but that's almost incidental.

Posted by: Eric Fleischman at June 13, 2006 02:50 PM