TMG Rollup 3 out now; so’s Mod_Security for IIS

TMG SP2 Update Rollup 3

As the ISA Blog mentions, Rollup 3 for TMG Service Pack 2 is now available:

We are happy to announce the availability of Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). TMG SP2 Rollup 3 is available for download here: Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Please see KB Article ID: 2735208 for details of the fixes included in this rollup.

The Build Number for this update is: 7.0.9193.575

Fair number of new fixes included and it looks like a worthwhile update. I’m putting it on my home TMG box tonight. As a reminder, the hotfix rollups are cumulative for a given Service Pack, so if you’re already at Service Pack 2 (and you should be) you just need SP2UR3, even if you skipped UR1 or UR2.

Mod_Security for IIS

In other security-related news, mod_security for IIS hit a stable release at 2.7.2, as the SRD blog notes:

We are pleased to announce the release of a stable version of the open source web application firewall module ModSecurity IIS 2.7.2. Since the announcement of availability of the beta version in July 2012, we have been working very hard to bring the quality of the module to meet the enterprise class product requirements. In addition to numerous reliability improvements, we have introduced the following changes since the first beta version was released:

  • optimized performance of request and response body handling
  • added “Include” directive, relative path and wildcard options to the configuration files
  • re-written installer code to avoid .NET Framework dependency and added installation error messages to system event log
  • integrated OWASP Core Rule Set in the MSI installer with IIS-specific configuration
  • fixed about 10 functional bugs reported by ModSecurity IIS users.

Microsoft also released recently a TechNet article entitled "Security Best Practices to Protect Internet Facing Web Servers", which explains in detail the benefits of deploying a WAF module on a web server.

The TechNet article referenced above is worth a read if you’re charged with delivering IIS web server security for random applications!


Where’s Waldo?

I’m spending more time editing the MSPFE blog than here at the moment, so if you’re missing my quippy, irreverent style… tough! (But I still love you. Happy Valentine’s day! (No gifts for you this year.))