Forefront Client Security
Ronald Beekelaar, Beekelaar Consultancy, ronald@beekelaar.com

Introductions
- Presenter: Ronald Beekelaar
  - MVP Windows Security
  - MVP Virtual Machine Technology
  - E-mail: ronald@beekelaar.com
- Work: Beekelaar Consultancy
  - Security consultancy: Forefront, IPSec, PKI
  - Virtualization consultancy: create many VM-based labs and demos
Agenda
- FCS Architecture
- Deployment
  - FCS server roles
  - FCS client
  - FCS policies
  - FCS definition updates (signatures and engines)
- Scans and engine
- Reports & Alerts

Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
- One solution for virus and spyware protection
  - Uses advanced malware protection technologies
  - Backed by global malware research & response
- One console for simplified security administration
  - Deploy signatures and software quickly
  - Integrates with your existing infrastructure
- One dashboard for real-time visibility into threats and vulnerabilities
  - View insightful reports
  - Stay informed with state assessment scans

Client-Server Terminology
- Forefront Client Security (FCS) is not the same as Forefront Server Security
- FCS protects clients (desktops, notebooks) and servers (file servers, Web servers, etc.)
- Consists of:
  - FCS server components (management, reporting)
  - FCS client software
Architecture

Architecture (diagram annotations)
- Components on the host: AM Service, SSA Service, Registry, Policy, System Log, MOM Agent (Rules, Tasks, XML File)
- Components on the MOM Server: MOM DB (Event table, Alerts table, State table), Mgmt Pack, MOM Console, MOM Web UI
- Reporting components: MOM DWH (Event table, Alert table), SQL Reporting Services (Report RDL File, Report Processor, Rendered Report), FCS Console (UI Controls)
- Policy is deployed via GP; one of the policy settings is the alert level
- AM and VA services write events to the system log; the MOM agent reads events from the log
- The MOM agent sends events to the MOM server and downloads rules and tasks
- The MOM operational DB is the source for reports on the last 24 hours and current status
- The MOM DWH is the source for reports on historic data
- The MOM console is used for manipulation of alerts and investigation
- The MOM Web UI (alerts, state, events) is pointed to from alert notifications
- FCS reports are XML (.rdl) files driving a set of stored procedures: SQL queries, source table definitions, rendering directives
- Rendered reports are viewed in a web browser but also through email subscriptions
- FCS Console UI controls are based on data from the MOM operational DB; the console launches MOM tasks

FCS Enterprise Manager (diagram)
- FCS Enterprise Manager: Reporting (live) via SQL query against the MOM Server SQL Database; MOM Agent; MOM-to-MOM Connector
- Each FCS Server runs a MOM Server
- Each FCS Client runs a MOM Agent (x 10K clients)
Deployment
- Deploy FCS server: multiple server roles
- Deploy FCS client to client computers: client scanning and user interface
- Deploy FCS policy: configuration settings
- Deploy FCS definition updates: signatures and engine

FCS Server - Supported Operating Systems
- Windows Server 2003 Standard, Enterprise SP1+: Supported
- Windows Server 2003 R2+: Supported
- Windows Server 2003 SP1/R2 x64 editions: Not supported
- Windows Server 2008: Supported (at Win2008 RTM)
- Windows 2003 and R2 Datacenter Editions: Not supported
- Windows 2003 Web editions: Not supported
- Windows 2003 SBS: Not supported

Prerequisites
- FCS Server: SQL 2005 SP1, SQL 2005 Reporting SP1, WSUS 2.0 SP1 or later, GPMC; ships with FCS: MOM 2005
- FCS Client: ships with FCS: MOM agent

FCS Server Roles
- Management Server: FCS Management Console, FCS Client, MOM 2005 SP1, GPMC, FCS functional management pack
- Collection Server: MOM 2005 SP1 Server, MOM 2005 SP1 Console
- Reporting Server: MOM 2005 SP1 Reporting, IIS 6.0
- Reporting Server Database: SQL Server Reporting Services 2005 SP1, SQL Server 2005 SP1, MOM 2005 SP1 Data Warehouse
- Collection Server Database: SQL Server 2005 SP1, MOM 2005 SP1 Operational Database, Configuration Repository
- Distribution Server: WSUS 2.0 SP1 or later, FCS Update Assistant

FCS Server Deployment - Topologies
FCS supports the following topologies (Topology / Role Distribution / Recommended For):
- 1 Server: all roles on a single server / pilot deployments or small sites
- 2 Server: Distribution role separated from other roles / 1000-2500 seats
- 3 Server: Distribution and SystemCenterReporting DB separated / 2500-5000 seats
- 4 Server: all 4 roles separated, DBs local / large deployments (>5k)
- 5 Server: all 4 roles separated, both DBs off-box (same server) / large deployments (>5k)
- 6 Server: all 6 roles on separate servers / large deployments (>5k)
Challenges and Solutions
- Challenges: desktop management focus; collection scalability; cross-machine alerts; specialized views on live data; application vs. platform
- Solutions: a dedicated MOM 2005 installation; reduced event stream; special configuration and base MOM pack; custom schema; multi-homing (deployment and versions); server-based analysis; reporting against the operational database; auto approval for new agents + flood resiliency
- Future: System Center Operations Manager

FCS Client - Supported Operating Systems (Client Security Agent)
- Windows 2000 SP4 + Security Rollup and GDI+ hotfix: Supported
- Windows XP SP2 (with Filter Manager hotfix): Supported
- Windows XP Media Center edition: Not supported
- Windows Server 2003/R2 x64 SP1+: Supported
- Windows XP Tablet editions: Supported
- Windows Server 2003 x86 SP1+: Supported
- Windows Server 2003 R2+: Supported
- Windows Vista Business, Enterprise, and Ultimate: Supported

FCS Client - Setup
- No UI (command line). Example syntax:
  clientsetup.exe /MS momserver3 /CG fcsgroup
  clientsetup.exe /nomom
- Install tasks: pre-req checking; installing MOM agent, FCS SSA agent and FCS AM agent; logging actions and errors to a file
- How to deploy the client software: Group Policy, SMS, other third-party distribution tool, login scripts, WSUS
Deploy FCS agent with WSUS (recommended way to deploy the FCS agent)
- Step 0 - Remove existing antivirus software (for scripts, see www.codeplex.com/fcscompete)
- Step 1 - In WSUS: approve the FCS package
- Step 2 - On server: create and deploy the FCS policy
- Step 3 - Client: will install the FCS agent from WSUS
- Speed up (after uninstalling the existing anti-virus):
  - Step 2: gpupdate.exe /force
  - Step 3: wuauclt.exe /detectnow
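The client-side part of the procedure above as an added PowerShell example; it is not from the slides or the FCS product. It assumes a log path and an optional setup share of our choosing; the /MS and /CG switches are the ones shown on the setup slide, and the MOM server and configuration group names are the slide's sample values.

```powershell
# Added example (not FCS code): client-side steps after the FCS package is approved
# in WSUS and the policy is deployed via Group Policy.
param(
    [string]$MomServer   = 'momserver3',   # sample value from the setup slide
    [string]$ConfigGroup = 'fcsgroup',
    [string]$LogFile     = "$env:SystemRoot\Temp\fcs-deploy.log",   # our choice
    [string]$SetupPath   = '\\fileserver\fcs\clientsetup.exe',       # hypothetical share
    [switch]$DirectInstall                                           # bypass WSUS
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')  $Message" | Out-File -FilePath $LogFile -Append
}

# Step 0: FCS must not run beside another AV product. Report what Security Center sees
# (root\SecurityCenter on XP/2003, root\SecurityCenter2 on Vista and later). Removal is
# product specific, so it stays with the vendor uninstaller or the codeplex scripts.
$otherAv = @()
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    try {
        $otherAv += Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop |
            Where-Object { $_.displayName -notmatch 'Forefront' } |
            ForEach-Object { $_.displayName }
    } catch { }   # namespace absent on server SKUs; not an error
}
if ($otherAv.Count -gt 0) {
    Write-Log "Other antivirus still registered: $($otherAv -join ', ') - remove it first"
    exit 1
}

if (-not $DirectInstall) {
    # Steps 2/3 (speed-up): pull the new policy now and make the Windows Update agent
    # look for the approved FCS package instead of waiting for its next cycle.
    Write-Log 'Refreshing Group Policy'
    & gpupdate.exe /force | Out-Null
    Write-Log 'Triggering WSUS detection'
    & wuauclt.exe /detectnow
    exit 0
}

# Fallback for machines without WSUS reachability: run the command-line setup directly.
if (-not (Test-Path $SetupPath)) { Write-Log "Setup not found at $SetupPath"; exit 2 }
Write-Log "Running $SetupPath /MS $MomServer /CG $ConfigGroup"
$p = Start-Process -FilePath $SetupPath -ArgumentList "/MS $MomServer /CG $ConfigGroup" -Wait -PassThru
Write-Log "clientsetup.exe exit code $($p.ExitCode)"
exit $p.ExitCode
```

Run it from a startup script or SMS job; the log file and exit code give you the per-machine outcome that the WSUS and compliance reports do not show.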
FCS Policy Settings
FCS policy manages the following:
- Antimalware and Security State Assessment scan settings
- Signature override settings
- Alert levels and reporting
- Advanced settings: signature check frequency, path and file extension exclusions, client UI options

Profile Deployment Options (FCS Console / GPMC / Existing SW Dist System)
- Infrastructure used: AD/GP / AD/GP / SW dist system
- Policy distribution via: Console / GPMC (no ADM file) / exported files
- Targeting granularity: OU-level / single machine / single machine
- Policy exceptions: Security Groups / unlimited / unlimited
- Enables policy compliance report: Yes / Yes* / Yes*
  *Agents deployed via existing software distribution system

Deploying an FCS Policy to a File
- Ability to deploy and report on a policy distributed outside of Group Policy
- Exports the policy to a .reg file
- Import on the client using FCSLocalPolicyTool.exe
- Question: Why can't I just double-click the .reg file and import it?
  - A1: The service is listening for an update via GP, and this won't raise the proper event; the policy won't be picked up until you stop/start the service
  - A2: The tool creates the proper local GPO object, which is the prescribed method to update policy
- Can be used to distribute policy to non-AD machines (via scripts or other distribution tool)

Operation (FCS Console / GPMC/.adm)
- Maintain policy deployment state for FCS reporting: Yes / No
- Configure overrides: Yes / No
- Changes made to a deployed policy via GPMC reflected in the FCS console: N/A / No
Keep Systems Up-to-date
- Signature deployment optimized for Windows Server Update Services (WSUS); can use any software distribution system
- Flow: Microsoft Update (fed by Malware Research) syncs to WSUS + Update Assistant, which distributes to desktops, laptops and servers
- Auto and manual approval of definitions
- Client Security installs an Update Assistant service to increase the sync frequency between WSUS and Microsoft Update (MU) for definitions
- Support for roaming users: failover from WSUS to Microsoft Update

Signature Distribution Channels
- Microsoft Update - http://update.microsoft.com
- Windows Server Update Services (WSUS): supports WSUS 2.0 SP1 and 3.0
- Manual download and distribution via other software (SMS, login script, etc.) through the signature download site

FCS Distribution Server
- WSUS
- WSUS assistant (if WSUS 2.0): forces WSUS 2.0 to sync up with Microsoft Update hourly; not needed in WSUS 3.0
- Auto-approval rules for FCS definition updates: subscribe to the FCS product category and the definition update classification

Signature Details
On the client machine, installed at:
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates

Signature Details (Item: Description)
- mpengine.dll: the antivirus engine
- mpavbase.vdm: the AV signature database containing most of the signatures
- mpavdlta.vdm: the AV signature database containing the most recent signature additions
- mpasbase.vdm: the spyware signature database containing most of the signatures
- mpasdlta.vdm: the spyware signature database containing the most recent signature additions

Signature Package Overview
See www.microsoft.com/security/portal
- mpam-fe.exe: Antimalware Full + Engine package (for x86, amd64, ia64). Contains engine (mpengine.dll), mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe. Size 11M
- mpam-d.exe: Antimalware Delta package, contains AV and AS signatures. Contains mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe. Size < 0.5M
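An added PowerShell check, not from the slides or the FCS product, that reports the age of the definition files listed above on a local client. The folder is the XP/2003 path from the slide; the per-file age thresholds are our own choices (delta files change most often, base files less often, the engine least), and the use of -Recurse to cover per-update subfolders is an assumption.

```powershell
# Added example (not FCS code): flag stale or missing definition files on this client.
$defDir = Join-Path $env:ALLUSERSPROFILE `
    'Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates'

# File -> role and maximum acceptable age in days (thresholds are our own assumptions)
$expected = @{
    'mpengine.dll' = @{ Role = 'antimalware engine';        MaxAge = 60 }
    'mpavbase.vdm' = @{ Role = 'AV signatures, base';       MaxAge = 30 }
    'mpavdlta.vdm' = @{ Role = 'AV signatures, delta';      MaxAge = 3  }
    'mpasbase.vdm' = @{ Role = 'spyware signatures, base';  MaxAge = 30 }
    'mpasdlta.vdm' = @{ Role = 'spyware signatures, delta'; MaxAge = 3  }
}

$now = Get-Date
$report = foreach ($name in $expected.Keys) {
    # Newest copy wins when several update folders are present (assumed layout)
    $file = Get-ChildItem -Path $defDir -Filter $name -Recurse -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($file) {
        $age = ($now - $file.LastWriteTime).Days
        $status = if ($age -gt $expected[$name].MaxAge) { 'STALE' } else { 'ok' }
        New-Object PSObject -Property @{ File = $name; Role = $expected[$name].Role
                                         Updated = $file.LastWriteTime; AgeDays = $age; Status = $status }
    } else {
        New-Object PSObject -Property @{ File = $name; Role = $expected[$name].Role
                                         Updated = $null; AgeDays = $null; Status = 'MISSING' }
    }
}

$report | Sort-Object File | Format-Table File, Role, Updated, AgeDays, Status -AutoSize

# Non-zero exit lets a scheduled task or SMS job surface the problem centrally,
# complementing the Signature Deployment report on the FCS server.
if ($report | Where-Object { $_.Status -ne 'ok' }) { exit 1 } else { exit 0 }
```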
Scans
- Quick scan
- Full scan
- Custom scan
- Not: removable disk, network disk, single folder

Engine
- Real-time protection: uses kernel-mode mini-filter
- Static analysis
- Emulation: executes in sandbox to unpack
- Heuristics
- Detects user-mode rootkits: checks API detouring (= tunneling signatures)

FCS Monitoring Options
- Enterprise Security Dashboard: high-level view of the organization's security state
- Alerts: actionable, immediate alerts on security incidents
- Reports: investigation of security issues through security state visualization of both online and historical data

Enterprise Security Dashboard
- Dashboard: the security state at a glance
- Switchboard: access the different views (Reports, Alerts, Configuration)
- Live data change indication

Reports
- Security focused
- Allow investigation: drill down, current vs. historical
- Adjusting email subscriptions
- Limited extensibility in V1.0: filtering, grouping, aggregation
- Report positioning (axes on the slide): Focus, Performance, Live Dashboard, Investigation Tool, Activity, Static Security Summary, Incident Summary, Value
Main Report: Security Summary

Reports
- Deployment Summary
- Alert Summary
- Computer Summary
- Threat Summary
- Security Summary
- Vulnerability Summary

Report drill-down (summary to detail)
- Deployment Summary -> Signature Deployment Details
- Alert Summary -> Alert Detail
- Computer Summary -> Computer Detail
- Security Summary
- Threat Summary -> Threat Detail
- Vulnerability Summary -> Vulnerability Detail

Report drill-down (summary to detail to instance)
- Deployment Summary -> Signature Deployment Details
- Alert Summary -> Alert Detail -> Alert Instance
- Security Summary
- Computer Summary -> Computer Detail
- Malware Summary -> Malware Detail -> Malware Instance
- Vulnerability Summary -> Vulnerability Detail -> Vulnerability Instance
Alert Types
- Malware Activity: Computer Infected / Malware On Network; Successful / Failed Response; Repeated Malware Infections; Malware Outbreak
- Protection: Agent Protection Turned Off; Scanning Failed; Signature Update Failed
- FCS Server: Security Impact; Flooding Detected; Evaluation Product Expiration; FCS Failures

Alert Levels
- Alert configuration is policy specific
- Alerts notify the admin of high-value incidents, including: malware detected; malware failed to remove; malware outbreak; malware protection disabled
- Alert levels control the type and volume of alerts generated, on a scale from 1 (critical issues only, low value assets) to 5 (rich data, high value assets)
- Alerts shown along the 1-5 scale: outbreak; malware removal failed; signature update failed; malware detected and removed; signature update failed (per min)

FCS Alert Levels
- Pre-canned configuration for management attention
- Asset value: 5 levels of attention
  - Detailed alerts for operational servers
  - Low sensitivity for desktops
  - Even less attention to kiosk machines
- Set via FCS policies

Alert Design Guidelines
- Important: only significant security incidents
- Actionable: each alert represents a work item
- Timely: relevant for immediate action
- Few: no more than a few events per day
- Correct: minimize false positives

Email Alerts and Reports
- Alerts: in the MOM 2005 Admin Console, define the email server (SMTP) and add an "operator" to the Client Security Notification Group
- Reports: in SQL Server 2005 Reporting Services, define email settings (SMTP); in http://<server>/reports, create a report subscription

FCS Alerts
- What is an alert: kinds of alerts we have; criteria for a good alert
- Why alerts: keeps the security operator productive; a list of actionable things
- How to use and configure alerts: alert levels; the MOM operator console
Security State Assessment Checks - Evaluation Process
- Retrieve machine settings from available sources, e.g. Registry, WMI, File System, WUA, Firewall
- Evaluate configuration against known criteria
- Assign a score based on compliance with security best practices: High, Medium, Low, or Informational
- Aggregate and report on results across multiple machines

Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
- Effective malware protection supported by the Microsoft Malware Response Center
- Integration with the existing environment makes FCS easier to manage
- Visibility over vulnerabilities helps proactively secure the environment against upcoming attacks
- An integral part of Microsoft Forefront
Download free evaluation software: http://www.microsoft.com/forefront/serversecurity
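The evaluation process above, as an added PowerShell miniature that is not part of FCS: each check retrieves one setting (registry, the WUA COM object, WMI), compares it with a criterion, and carries a severity; failed checks are weighted into a per-machine score of the kind a central report would aggregate. The checks, severities and weights are our own choices, not the product's SSA rule set.

```powershell
# Added example (not FCS code): a small state assessment in the style of the SSA slide.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Each check: name, severity, and a scriptblock returning $true when compliant.
$checks = @(
    @{ Name = 'Firewall enabled (standard profile)'; Severity = 'High'; Test = {
        (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' 'EnableFirewall') -eq 1 } }
    @{ Name = 'Automatic Updates set to scheduled install'; Severity = 'Medium'; Test = {
        # WUA COM object; NotificationLevel 4 = scheduled installation
        (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings.NotificationLevel -eq 4 } }
    @{ Name = 'Guest account disabled'; Severity = 'Medium'; Test = {
        (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='Guest'").Disabled -eq $true } }
    @{ Name = 'Autorun disabled for all drive types'; Severity = 'Low'; Test = {
        (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun') -eq 255 } }
)

function Invoke-Assessment {
    foreach ($c in $checks) {
        # A setting that cannot be read is treated as a finding, not silently passed
        $ok = try { [bool](& $c.Test) } catch { $false }
        New-Object PSObject -Property @{ Machine = $env:COMPUTERNAME; Check = $c.Name
                                         Severity = $c.Severity; Compliant = $ok }
    }
}

# Weights per severity (our choice); Informational findings do not add to the score
$weights = @{ High = 10; Medium = 5; Low = 1; Informational = 0 }

$results  = Invoke-Assessment
$findings = @($results | Where-Object { -not $_.Compliant })
$score    = ($findings | ForEach-Object { $weights[$_.Severity] } | Measure-Object -Sum).Sum

$results | Format-Table Check, Severity, Compliant -AutoSize
'{0}: {1} finding(s), risk score {2}' -f $env:COMPUTERNAME, $findings.Count, [int]$score
```

Running the same script on several machines (for example with Invoke-Command) and collecting the emitted objects gives the cross-machine aggregation the last step describes.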