Tightening up SSL security in Microsoft Forefront TMG 2010
I manage a number of networks which use Microsoft Forefront TMG 2010 as the primary firewall and reverse proxy. Recently, I noticed that up-to-date versions of several browsers (especially Chrome) were flagging HTTPS URLs from those sites as having questionable security. I verified that the certificates were valid, CRLs were accessible, Forefront TMG was working without errors, etc… but the warnings still persisted.
I utilized the outstanding SSL Server Test page hosted at Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) to diagnose the issue. I was somewhat taken aback to see that my SSL sites were receiving “F” grades!
After a little digging, I determined that the root cause of the safety warnings was not my certificates or the configuration of Forefront TMG, but rather the significantly outdated security settings in use by Windows Server 2008 R2 (the most recent version of Windows Server on which Forefront TMG 2010 was supported). So the key was to secure Windows and IIS, and then Forefront TMG would inherit the benefits of the increased security.
Many Google-hours later, I came up with my laundry list of things to fix:
- Disable SSL 2.0 and SSL 3.0
- Enable TLS 1.1 and TLS 1.2
- Disable RC4
- Prevent client SSL renegotiation
- Reorder SSL cryptography providers to support Forward Secrecy
All of these behaviors are controlled via Registry settings, so I managed to capture the relevant keys from a working configuration into a single .REG file that can be applied to make all of the changes in one fell swoop.
If you’d like to secure your Forefront TMG 2010 server, you can follow this procedure…
- Make sure you are running Forefront TMG 2010 on top of Windows Server 2008 R2 with SP1. TMG and Windows should be completely up to date with updates and fixes. THIS IS IMPORTANT!
- Grab a copy of my .REG file from this link and put it on your TMG system.
- Double-click the .REG file to import the changes into the Registry.
- Reboot your server (this is REQUIRED).
After the system has rebooted, test your server using the SSL Server Test Page. My sites went from a score of “F” to a score of “A”!