Forefront Client Security. Ronald Beekelaar Beekelaar Consultancy

Transcription

1 Forefront Client Security Ronald Beekelaar Beekelaar Consultancy

2 Introductions Presenter Ronald Beekelaar MVP Windows Security MVP Virtual Machine Technology Work Beekelaar Consultancy Security consultancy Forefront, IPSec, PKI Virtualization consultancy Create many VM-based labs and demos 2

3 Agenda - FCS Architecture ** Deployment FCS server roles FCS client FCS policies FCS definition updates (signatures and engines) Scans and engine Reports & Alerts 3

4 Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control One solution for virus and spyware protection Uses advanced malware protection technologies Backed by global malware research & response One console for simplified security administration Deploy signatures and software quickly Integrates with your existing infrastructure One dashboard for real-time visibility into threats and vulnerabilities View insightful reports Stay informed with state assessment scans 4

5 Client-Server Terminology Forefront Client Security (FCS) Not the same as Forefront Server Security FCS protects clients (desktop, notebooks) and servers (file servers, Web servers, etc) Consists of: FCS server components (management, reporting) FCS client software 5

6 6 Architecture

7 Architecture MOM agent reads events from logs Host MOM agent sends events to MOM server, downloads rules, tasks Source for reports on last 24 hours and current status MOM Server MOM Console Events Tasks Alerts State The MOM console is used for manipulation of alerts and investigation MOM Agent System Log Rules, Tasks XML File MOM DB Event table Alerts table State table Mgmt Pack MOM Web UI Application Web Browser Alerts, State, Events The MOM Web UI is pointed to from alert notification AM Service Registry SSA Service Policy MOM DWH Event table Alert table SQL Reporting Services Report RDL File Rendered Report Rendered reports are viewed in a web browser but also through subscriptions AM and VA services write events to system log MOM agent reads event from log Policy is deployed via GP. One of the policy settings is the alert level. Source for reports on historic data FCS Reports are XML (.rdl) files driving a set of stored procedures SQL queries Source table definitions Rendering directives Report Processor FCS Console UI Controls UI Controls are based on data from the MOM operational DB The console launches MOM tasks 7

8 FCS Enterprise Manager FCS Enterprise Manager Reporting (live) MOM Agent SQL query MOM Server SQL Database MOM-to-MOM Connector FCS Server MOM Server FCS Server FCS Client MOM Agent FCS Client (x 10K) 8

9 Deployment Deploy FCS server Multiple server roles Deploy FCS client to client computes Client scanning and user interface Deploy FCS policy Configuration settings Deploy FCS definition updates Signatures and engine 9

10 Operating System Windows Server 2003 Standard, Enterprise SP1 + Windows Server 2003 R2 + Windows Server 2003 SP1/R2 x64 editions Windows Server 2008 Windows 2003 and R2 Datacenter Editions Windows 2003 Web editions Windows 2003 SBS FCS Server Supported Supported Not supported Supported (at Win2008 RTM) Not supported Not supported Not supported 10

11 FCS Server SQL 2005 SP1 SQL 2005 Reporting SP1 WSUS 2.0 SP1 or later GPMC Ships with FCS: MOM 2005 FCS Client Ships with FCS: MOM agent 11

12 FCS Server Roles Management Server FCS Management Console FCS Client MOM 2005 SP1 GPMC FCS functional management pack Collection Server MOM 2005 SP1 Server MOM 2005 SP1 Console Reporting Server MOM 2005 SP1 Reporting IIS 6.0 Reporting Server Database SQL Server Reporting Service 2005 SP1 SQL Server 2005 SP1 MOM 2005 SP1 Data Warehouse Collection Server Database SQL Server 2005 SP1 MOM 2005 SP1 Operational Database Configuration Repository Distribution Server WSUS 2.0 SP1 or later FCS Update Assistant 12

13 FCS Server Deployment - Topologies FCS supports the following topologies Topology Role Distribution Recommended For 1 Server All roles on a single server 2 Server 3 Server Distribution role separated from other roles Distribution and SystemCenterReporting DB separated 4 Server All 4 roles separated, DB s local 5 Server All 4 roles separated, both DB s offbox (same server) Pilot deployments or small sites seats seats Large Deployments (>5k) Large Deployments (>5k) 6 Server All 6 roles on separate servers Large Deployments (>5k) 13

14 Challenges: Desktop Management Focus Collection Scalability Cross Machine Alerts Specialized Views on Live Data Application vs. Platform Solutions: A Dedicated MOM 2005 Installation Reduced Event Stream Special Configuration and Base MOM Pack Custom Schema Multi-homing (deployment and versions) Server Based Analysis Reporting Against The Operational Database Auto Approval for New Agents + Flood resiliency Future: System Center Operation Manager 14

15 FCS Client - Support Operating System Windows 2000 SP4 + Security Rollup and GDI+ hotfix Windows XP SP2 (with Filter Manager hotfix) Windows XP Media Center edition Client Security Agent Supported Supported Not supported Windows Server 2003/R2 x64 SP1 + Supported Windows XP Tablet editions Windows Server 2003 X86 SP1 + Windows Server 2003 R2 + Windows Vista Business, Enterprise, and Ultimate Supported Supported Supported Supported 15

16 FCS Client - Setup 16 No UI (command line) Example syntax: clientsetup.exe /MS momserver3 /CG fcsgroup clientsetup.exe /nomom Install Tasks: Pre-req checking Installing MOM agent, FCS SSA agent and FCS AM agent logging actions and errors to a file How to deploy the client software Group Policy SMS Other third party distribution tool Login scripts WSUS

17 Deploy FCS agent with WSUS Step 1 - In WSUS: Approve FCS package 17

18 Deploy FCS agent with WSUS Recommended way to deploy FCS agent Step 0 - Remove existing antivirus software For scripts, see Step 1 - In WSUS: Approve FCS package Step 2 - On server: Create and deploy FCS policy Step 3 - Client: will install FCS agent from WSUS Speed up (after uninstall existing anti-virus): Step 2: gpupdate.exe /force Step 3: wuauclt.exe /detectnow 18

19 FCS Policy Settings FCS policy manages the following Antimalware and Security State Assessment scan settings Signature override settings Alert levels and reporting Advanced settings Signature check frequency Path and file extension exclusions Client UI options 19

20 Profile Deployment Options FCS Console GPMC Existing SW Dist System Infrastructure used AD/GP AD/GP SW dist system Policy distribution via Console GPMC (no ADM file) Exported files Targeting granularity OU-level Single machine Single machine Policy exceptions Security Groups Unlimited Unlimited Enables policy compliance report Yes Yes* Yes* 20 *Agents deployed via existing software distribution system

21 Deploying a FCS Policy to a File Ability to deploy and report on a policy distributed outside of Group Policy Exports the policy to a.reg file Import on the client using FCSLocalPolicyTool.exe Question: Why can t I just double-click the.reg file and import? A1: Service is listening for an update via GP, and this won t raise the proper event policy won t be picked up until you stop/start the service A2: The tool creates the proper local GPO object, which is the prescribed method to update policy Can be used to distribute policy to non-ad machines (via scripts or other distribution tool) 21

22 Operation FCS Console GPMC/.adm Maintain policy deployment state for FCS reporting Yes No Configure Overrides Yes No Changes made to a deployed policy via GPMC reflected in the FCS console N/A No 22

23 Keep Systems Up-to-date Signature deployment optimized for Windows Server Update Services (WSUS) Can use any software distribution system Microsoft Update Malware Research Auto and manual approval of definitions Sync Client Security installs an Update Assistant service to: Increase sync frequency between WSUS and Microsoft Update (MU) for definitions WSUS + Update Assistant Support for roaming users Sync Failover from WSUS to Microsoft Update Desktops, Laptops and Servers 23

24 Signature Distribution Channels Microsoft Update - Windows Server Update Services (WSUS) Supports WSUS 2.0 SP1 and 3.0 Manual download and distribution via other software (SMS, login script, etc) Through signature download site 24

25 FCS Distribution Server WSUS WSUS assistant (if WSUS 2.0) Force WSUS 2.0 to sync up with Microsoft Update hourly Not needed in WSUS 3.0 Auto-approval rules for FCS definition updates Subscribe to FCS product category and definition update classification 25

26 Signature Details On client machine installed at: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates 26 26

27 Signature Details Item mpengine.dll Description The antivirus engine mpavbase.vdm mpavdlta.vdm mpasbase.vdm mpasdlta.vdm The AV signature database containing most of the signatures The AV signature database containing the most recent signature additions The spyware signature database containing most of the signatures The spyware signature database containing the most recent signature additions 27

28 Signature Package Overview See mpam-fe.exe Antimalware Full + Engine package (for x86, amd64, ia64) Contains engine (mpengine.dll), mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlt.vdm, mpsigstub.exe. Size of 11M mpam-d.exe: Antimalware Delta package contains AV and AS signatures. Contains mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe. Size < 0.5M 28

29 Scans Quick scan Full scan Custom scan Not: Removable disk Network disk Single folder 29

30 Engine Real-time protection Uses kernel-mode mini-filter Static analysis Emulation Executes in sandbox - to unpack Heuristics Detects user-mode rootkits Checks API detouring (= tunneling signatures) 30

31 FCS monitoring options Enterprise Security Dashboard High level view of the Organization Security State Alerts Actionable Immediate Alerts on Security Incidents 31 Reports Investigation of Security Issues Through Security State Visualization of Both Online and Historical Data

32 Enterprise Security Dashboard Dashboard The Security State in a Glance Switchboard Access the Different Views Reports Alerts Configuration Live Data Change Indication 32

33 Reports Security Focused Allow Investigation Drill Down Current vs. Historical Adjusting Subscriptions Limited Extensibility in V1.0 Filtering, Grouping, Aggregation Focus Performance Live Dashboard Investigation Tool Activity Static Security Summary Incident Summary Value 33

34 Main Report Security Summary 34

35 Reports Deployment Summary Alert Summary Computer Summary Threat Summary Security Summary Vulnerability Summary 35

36 Signature Deployment Details Deployment Summary Alert Detail Alert Summary Computer Detail Security Summary Computer Summary Threat Summary Threat Detail Vulnerability Detail 36 Vulnerability Summary

37 Deployment Summary Signature Deployment Details Alert Instance Alert Summary Alert Detail Security Summary Computer Summary Computer Detail Malware Instance Malware Summary Malware Detail 37 Vulnerability Summary Vulnerability Detail Vulnerability Instance

38 Alert Types Malware Activity Computer Infected / Malware On Network Successful / Failed Response Repeated Malware Infections Malware Outbreak Protection Agent Protection Turned Off Scanning Failed Signature Update Failed FCS Server Security Impact Flooding Detected Evaluation Product Expiration FCS Failures 38

39 Alert Levels Malware detected Malware failed to remove Malware outbreak Malware protection disabled Alert configuration is policy specific Alerts notify admin of high-value incidents, including: Alert levels control type & volume of alerts generated Critical Issues Only, Low Value Assets Rich Data, High Value Assets Outbreak Malware removal failed Signature update failed Malware detected and removed Signature update failed (per min) 39

40 FCS Alert Levels Pre-canned Configuration for Management Attention Asset Value 5 Levels of Attention Detailed alerts for operational servers Low sensitivity for desktops Even less attention to Kiosk machines Set via FCS Policies 40

41 Alert Design Guidelines Important Only significant security incidents Actionable Each alert represent a work item Timely Relevant for immediate action Few No more then few events per day Correct Minimize false positives 41

42 alerts and reports Alerts In MOM 2005 Admin Console Define server (SMTP) Add "operator" to Client Security Notification Group Reports In SQL Server 2005 Reporting Services Define settings (SMTP) In Create report subscription 42

43 FCS Alerts What is an alert Kinds of alerts we have Criteria for a good alert Why alerts Security operator productive A list of actionable things How to use and configure alerts Alert Levels The MOM operator console 43

44 Alert Design Guidelines Important Only significant security incidents Actionable Each alert represent a work item Timely Relevant for immediate action Few No more then few events per day 44 Correct Minimize false positives

45 FCS Alert Level Pre-scanned Configuration for Management attention Asset value 5 Levels of Attention Detailed alerts for operational servers Low sensitivity for desktops Even less attention to Kiosk machines Set via FCS Policies 45

46 Security State Assessment Checks Evaluation Process Retrieve machine settings from available sources E.g. Registry, WMI, File System, WUA, Firewall Evaluate configuration against known criteria Assign score based on compliance with security best practices High, Medium, Low, or Informational Aggregate and report on results across multiple machines 46

47 Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control Effective Malware Protection supported by Microsoft Malware Response Center Integration with the existing environment makes FCS easier to manage Visibility over vulnerabilities helps proactively secure the environment against upcoming attacks An integral part of Microsoft Forefront 47 Download free evaluation software:

48 48