Tightening up SSL security in Microsoft Forefront TMG 2010

I manage a number of networks which use Microsoft Forefront TMG 2010 as the primary firewall and reverse proxy. Recently, I noticed that up-to-date versions of several browsers (especially Chrome) were flagging HTTPS URLs from those sites as having questionable security.  I verified that the certificates were valid, CRLs were accessible, Forefront TMG was working without errors, etc… but the warnings still persisted.

I utilized the outstanding SSL Server Test page hosted at Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) to diagnose the issue.  I was somewhat taken aback to see that my SSL sites were receiving “F” grades!

After a little digging, I determined that the root cause of the safety warnings was not my certificates or the configuration of Forefront TMG, but rather the significantly outdated security settings in use by Windows Server 2008 R2 (the most recent version of Windows Server on which Forefront TMG 2010 was supported).  So the key was to secure Windows and IIS, and then Forefront TMG would inherit the benefits of the increased security.

Many Google-hours later, I came up with my laundry list of things to fix:

  • Disable SSL 2.0 and SSL 3.0
  • Enable TLS 1.1 and TLS 1.2
  • Disable RC4
  • Prevent client SSL renegotiation
  • Reorder SSL cryptography providers to support Forward Secrecy

All of these behaviors are controlled via Registry settings, so I managed to capture the relevant keys from a working configuration into a single .REG file that can be applied to make all of the changes in one fell swoop.

If you’d like to secure your Forefront TMG 2010 server, you can follow this procedure…

  1. Make sure you are running Forefront TMG 2010 on top of Windows Server 2008 R2 with SP1.  TMG and Windows should be completely up to date with updates and fixes.  THIS IS IMPORTANT!
  2. Grab a copy of my .REG file from this link and put it on your TMG system.
  3. Double-click the .REG file to import the changes into the Registry.
  4. Reboot your server (this is REQUIRED).

After the system has rebooted, test your server using the SSL Server Test Page.  My sites went from a score of “F” to a score of “A”!

HOWTO: Build a nebulizer chamber for your asthmatic pet

One of our cats has a periodic coughing issue similar to asthma. There are multiple medication options for treating these symptoms, including pills and mist inhalation. Now, I don’t know about YOUR cats, but MINE are none too fond of taking pills, and the ailing cat in question is a large male who has left us with battle scars from pill-related skirmishes over the years. So I voted for the inhalation method.

Our vet prescribed albuterol sulfate for use in a nebulizer. When humans require these types of treatments, the nebulizer is attached to a mask or mouthpiece which the patient uses and inhales the mist for a few minutes. Companies actually DO produce small masks for this purpose for use on a dog or cat, but once again, I laughed at the low probability of success we anticipated in holding a plastic mask on the face of a 13-year-old tomcat for five minutes straight.

Then I thought:

  • Cats love to be in boxes
  • Boxes can be filled with medicinal mist
  • A cat in an enclosed box filled with medicinal mist will necessarily breathe it in

And thus, the cat nebulizer chamber project was born.  This project is so simple that almost anyone can complete it successfully.  If you’d like to make one yourself, here’s what you’ll need… Continue reading

Technorati claim

This post is merely to claim this blog via Technorati.

Claim token 758DBX4MRYSV

A new beginning…

I’ll admit it: when it comes to blogging, I’m a slacker.  I’ve had blogs on various sites for many years, and I never seemed to post to them consistently.  Now that I have my company web site functioning properly under WordPress, I hope to make posting a more regular activity.

June 2024