Overview of Security and Protection
This document explains the configuration of the security components in Windows® Essential Business Server, describes common security operations in Windows EBS, and provides guidance to help you make your Windows EBS network more secure. You may find it helpful to review this information when you plan to develop or modify your organization’s network security strategy or documentation.
This document provides guidance about only the security features that are configured by default during the deployment of Windows EBS. It does not provide guidance about using other security products that are published by Microsoft® or non-Microsoft publishers.
This document does not provide detailed information about securing the related server technologies in Windows EBS, such as Exchange Server 2007 or specific server roles in Windows Server® 2008. For related security resources that are available from Microsoft, see Additional Security Resources. For information about securing applications and services in your environment that are not part of the Windows EBS server technologies, see the documentation for those products.
In Windows EBS, the Security Server is configured as a security device for your domain. (Depending on your needs, you may have deployed the Security Server behind an additional gateway device or firewall.) The Security Server installs and configures Microsoft® Forefront™ Threat Management Gateway (TMG), which integrates with other server technologies and security components in Windows EBS to perform the following functions by default:
Inspect and filter all traffic that enters your network, including HTTP and SMTP packets. Forefront TMG and other technologies in Windows EBS scan for spam and malware and help detect common spoofs, intrusions, and attacks. This stops extraneous traffic at the perimeter of your network so that the traffic inside the network is directed only to the servers inside.
Direct e-mail traffic to Exchange Server.
Configure remote access to secure Web services such as Outlook® Web Access, Microsoft Outlook Anywhere, Terminal Services Gateway, Microsoft Exchange Active Sync, and Remote Web Workplace.
Enforce policies on the traffic such as outbound and inbound access and mail attachment size. This involves multiple products that apply a variety of rules and policies.
Provide Internet access to all domain users.
Log events and activity to provide auditing and troubleshooting information.
If configured to do so, Forefront TMG also provides routing to network subnets and connections to virtual private network (VPNs).
In the Windows EBS Administration Console, you can manage and monitor the following security components to help you protect your network from external or internal malicious software, assist in keeping your protection updated, and simplify your security management duties. On the Security tab, the Components page shows the following security components:
Network firewall Forefront TMG, which is installed on the Security Server, provides a firewall between your internal network and the Internet.
E-mail anti-spam and e-mail anti-malware Exchange Server and Forefront Security for Exchange Server are installed with Windows EBS. They include several components that filter incoming and internal e-mail for spam, viruses, and other malicious software.
Update management The update-management capabilities of System Center Essentials 2007 (which manages Windows Server Update Services) enables you to automate the downloading and deployment of updates from Microsoft Update. This helps ensure that your system software (including your security components) and the client computers in your domain are always current with recent Microsoft updates.
The Components page also displays add-in security components (published by Microsoft or non-Microsoft developers) that you have installed.
Additional information about the architecture, administration, monitoring, and maintenance of the security components in Windows EBS is provided on the Microsoft Web site: