Forefront Client Security Implementation

By Christian Stahl, Microsoft Enterprise Services, [email protected]

Agenda

• Introduction to the Forefront suite
• Introduction to Forefront Client Security
• Forefront information flow
• Lessons learned

What is Microsoft Forefront?

A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management.

Unified Protection

• Unified agent for virus and spyware protection
  – Common engine used by Windows Defender, OneCare, Forefront Server Security
• On-access protection via kernel mode mini-filter
  – Built on Windows Filter Manager platform
  – Malware prevented from executing entirely – anti-virus and anti-spyware
• User mode scanning
  – System configuration, IE add-ons & configuration
  – IE and Office downloads
  – Services & drivers
  – App execution & registration
• Scheduled and on-demand scans
  – Quick scan – in-memory processes, targeted directories, common malware extensibility points
  – Full scan – quick scan + local drives

Product comparison (the per-product check-mark cells were lost in extraction; only the row and column labels survive):

Columns – for individual users: MSRT, Windows Live Safety Center, Windows OneCare, Windows Defender; for businesses: Microsoft Client Protection.

Rows:
• Remove most prevalent viruses
• Remove all known viruses
• Real-time antivirus
• Remove all known spyware
• Real-time antispyware
• Central reporting and alerting
• Customization
• IT infrastructure integration (SMS)

Simplified Administration: Client deployment and signature distribution

• Agent installation and signature deployment optimized for Microsoft Update (MU) and Windows Server Update Services (WSUS)
• Can use any software distribution system
• Definitions come from Microsoft Malware Update Research
• Auto and manual approval of definitions

Agent installation process

1. Administrator deploys client policy.
2. Computers download the installation package from Windows Server Update Services (WSUS) and install the agent per policy settings.
3. Client Security installs an Update Assistant service to:
   – Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
   – Support roaming users: failover from WSUS to Microsoft Update

Targets of the deployed client policy: desktops, laptops and servers.

Critical Visibility and Control

Know where action is required

• Provides an "at-a-glance" view of threats & vulnerabilities across the organization
  – Machines reporting security issues (malware not cleaned, critical vulnerabilities present)
  – Machines not reporting issues
  – Machines not reporting
  – 30-day trend history
• Notification of machines reporting alerts
• Launch insightful reports
• Stay informed with state assessment scans and security alerts

Critical Visibility & Control: Summary Report

Security Summary

Critical Visibility & Control: Security State Assessment

• Scanning based on security check definitions, scheduled via policy or invoked on demand
• Security checks
  – Detect missing security updates based on Microsoft Update
  – Compare system configuration against security best practices
  – Examine data from registry, file system, WMI, IIS metabase, SQL Server, etc.
• A "Score" and "Severity" is given for each check:
  – Score Value – level of risk associated with security issues
  – Severity Value – provided by the Microsoft Security Response Center for security updates
• Reporting enables drilldown into specific security issues
  – Scan results are collected from managed clients
  – Used to show vulnerability exposure and overall risk
• Extensible with new checks over time – e.g. Windows

"Is my environment compliant with security best practices?"

"Has my level of vulnerability exposure changed over time?"

"What portion of my environment is at high risk?"

Simplified Administration: Policy deployment

• One console for simplified security administration
• One policy to manage client protection agent settings, e.g.:
  – Scan schedule
  – Anti-spyware unknown action
  – Real-time protection on/off
  – Alert level
  – Signature update frequency
  – Event and logging settings
  – Anti-spyware signature overrides
  – SpyNet reporting on/off
  – Security state assessment settings
  – Level of end-user UI shown
• Choice of 3 integrated policy profile deployment methods:
  – Microsoft Forefront Client Security Console (uses AD/GP)
  – ADM file (uses AD/GP)
  – Export to a file, then use an existing software distribution system

Microsoft Confidential

Authoring a Policy

• FCS Dashboard without any policies defined

Creating a Policy: General tab
• Policy Name
• Description
• Deployment information

Creating a Policy: Protection tab
• Malware Protection
• Scan Settings
• Security State Assessment settings

Creating a Policy: Advanced tab
• Definition Updates
• Advanced Scan options
• Exclusions
• Client UI settings

Configuring an Override: Overrides tab
• Select malware by name
• Change the default behavior

Configuring an Override: Overrides tab
• Override based on Severity
• Override based on Category

Creating a Policy: Reporting tab
• Alert Levels
• Logging
• SpyNet

Alert configuration is policy specific. Alerts notify the admin of high-value incidents, including:
• Malware detected
• Malware outbreak
• Malware failed to remove
• Malware protection disabled

Alert levels control the type & volume of alerts generated. The scale runs from level 1 (Critical Issues Only, for low value assets) to level 5 (Rich Data, for high value assets), with alert types: Outbreak; Malware removal failed; Signature update failed; Malware detected and removed; Signature update failed (per min).

Deploying a Policy

• OU/Domain
• Security Group
• File
• Advanced (target: RC)

FCS Components Review

• Management Service – a console used to configure FCS policies, run reports, and open the collection service console
• Collection Service – (MOM "lite") a service to collect statistics and alerts from clients
• Reporting Service – SQL Reporting Services; periodically transfers data from the collection database, used to generate predefined and custom reports
• Distribution Service – WSUS, by default; periodically downloads signature and client software updates from Windows Update, and clients periodically pull updates from the WSUS server (standard Windows Update process)
• Client Agent – actually 3 clients: AV, AS and MOM

FCS Server Roles Review

• Management Server – hosts the FCS Console
• Collection Server – hosts the FCS MOM 2005 Server
• Reporting Server – hosts SQL Reporting Services and FCS reports
• Distribution Server – hosts WSUS
• Collection DB Server – hosts the OnePoint DB
• Reporting DB Server – hosts the SystemCenterReporting DB

Forefront Architecture Options

Three Servers

Server components | Processor | RAM | Hard disk configuration
--- | --- | --- | ---
Management, collection, and reporting; collection database | Four 2 GHz or faster 32-bit processors | 4 GB | SCSI disks with the operating system, data files, and log files separated. Data files and log files each on a 2-disk RAID configuration.
Reporting database | Two 2 GHz or faster 32-bit processors | 4 GB | SCSI disks with the operating system, data files, and log files separated. Data files and log files each on a 2-disk RAID configuration.
Distribution server | Single 2 GHz or faster 32-bit processor | 1 GB | SCSI disks with the operating system separated from the data and log files.

Forefront Architecture Options

Four Servers

Server components | Processor | RAM | Hard disk configuration
--- | --- | --- | ---
Management server | Two 2 GHz or faster 32-bit processors | 2 GB |
Reporting and reporting database | Four 2 GHz or faster 32-bit processors | 4–8 GB | SCSI disks with the operating system, data files, and log files separated. Data files and log files each on a 2-disk RAID configuration.
Collection and collection database | Four 2 GHz or faster 32-bit processors | 4 GB | SCSI disks with the operating system, data files, and log files separated. Data files and log files each on a 2-disk RAID configuration.
Distribution server | Single 2 GHz or faster 32-bit processor | 2 GB | SCSI disks with the operating system separated from the data and log files.

Forefront Architecture Options

Five Servers

Server components | Processor | RAM | Hard disk configuration
--- | --- | --- | ---
Management server | Two 2 GHz or faster 32-bit processors | 2 GB |
Collection server | Two 2 GHz or faster 32-bit processors | 2 GB |
Reporting server | Four 2 GHz or faster 32-bit processors | 2 GB |
Distribution server | Two 2 GHz or faster 32-bit processors | 2 GB | SCSI disks with the operating system separated from the data and log files.
SQL Server | Four 2 GHz or faster 32-bit processors | 4–8 GB | SCSI disks with the operating system, data files, and log files separated. Data files and log files each on a 2-disk RAID configuration.

Forefront Architecture Options

Six Servers

Server components | Processor | RAM | Hard disk configuration
--- | --- | --- | ---
Management server | Two 2 GHz or faster 32-bit processors | 2 GB |
Collection server | Two 2 GHz or faster 32-bit processors | 2 GB |
Reporting server | Four 2 GHz or faster 32-bit processors | 2 GB |
Distribution server | Two 2 GHz or faster 32-bit processors | 2 GB | SCSI disks with the operating system separated from the data and log files.
Collection DB server | Four 2 GHz or faster 32-bit processors | 4 GB | SCSI disks with the operating system, data files, and log files separated. Data files and log files each on a 2-disk RAID configuration.
Reporting DB server | Four 2 GHz or faster 32-bit processors | 4–8 GB | SCSI disks with the operating system, data files, and log files separated. Data files and log files each on a 2-disk RAID configuration.

Enterprise Deployments

• Involve multiple FCS pods
• Increased scope and complexity
• Require more in-depth planning
  – phased deployment
  – resource allocation
  – assumptions/dependencies

Enterprise Deployment Example

• Pod 1: 10,000 clients
• Pod 2: 8,750 clients
• Pod 3: 9,300 clients

Forefront Client Security Enterprise Manager Function

• FCS Management Server, hosting the MOM Administrator Console, MOM Operator Console, FCS Console and a web browser
• Top-tier MOM Management Group, with SQL Reporting Services exposed via IIS
• Sub-tier MOM Management Groups (x 10) below the top tier, each managing up to 10,000 clients

Using Existing SQL Server Instances

• More / faster spindles are better for performance
• Validate configurations prior to deployment
• Place log files on RAID 1+0 (or RAID 1) disks for better write performance
• Isolate log from data at the physical disk level
• Consider the configuration of the TEMPDB database
  – TEMPDB needs adequate storage and sizing
  – Performance may benefit if TEMPDB is placed on RAID 1+0
  – Multi-core CPUs improve scalability for allocation-intensive workloads

http://www.microsoft.com/technet/prodtechnol/sql/bestpractice/storage-top-10.mspx

Forefront Architecture Planning: Database Sizes

• Client Security uses four databases. Two that you need to adjust appropriately during FCS setup are:
  – Collection database (aka MOM OnePoint database)
  – Reporting database (aka MOM SystemCenterReporting database)
• The principal factor in database sizing is the number of events per managed computer per day.
• Collection and Reporting sizes are set during FCS setup.

Database | Default data size | Default log size | Autogrow
--- | --- | --- | ---
Collection (OnePoint) | 15 gigabytes (GB) data | 20% of data | Not supported
Reporting (System Center Reporting) | 1 GB data | 50% of data | Not supported

Forefront Architecture Planning: Database Sizes

• Data from each managed computer is stored in the Collection database first, and then sent to the Reporting database for long-term storage.
• Growth rates of these databases depend on:
  – Number of managed computers
  – Frequency of malware occurrence
  – Number of Security State Assessment vulnerabilities discovered
  – Number and types of scans performed
• The version of SQL Server used is also a factor: Standard edition and Enterprise edition handle indexes differently. Enterprise edition is needed for more than 3000 managed computers.
• Data retention needs – by default, the Reporting database retains data for 395 days (1 year and 1 month)

Database Growth Factors

Action | Event count per Client Security agent
--- | ---
Antimalware scan | Two – one each for the start and completion of the scan
Threat detected | Two – one detection event and one action taken event for each detected threat
Security state assessment (SSA) | One scan
SSA vulnerability detected | One for each vulnerability scored medium or higher
Definition update | One
Policy update | One
State summary | One

Clients set for one AM scan and one SSA per day will generate a minimum of four events per Client Security agent.
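The per-agent event counts above and the deck's 6 KB-per-event figure can be carried through into a capacity estimate. The following calculator is an added example, not a Microsoft tool: it reproduces the deck's 10,000-client baseline and then lets you plug in per-day threat and vulnerability rates from your own environment (the threat and SSA rates, and the assumption that a reporting-database event costs the same as a collection-database event, are inputs, not figures from the deck).

```python
# Added example: capacity estimate for the Client Security collection and
# reporting databases, built from the Database Growth Factors event counts
# and the deck's 6 KB/event figure. Not a Microsoft tool. 1 MB = 1000 KB
# follows the deck's own arithmetic (4 x 6 KB x 10,000 clients = 240 MB).

DEFAULT_COLLECTION_MB = 15_000   # default data size; autogrow not supported
DEFAULT_REPORTING_MB = 1_000     # default data size; autogrow not supported
DEFAULT_RETENTION_DAYS = 395     # reporting database retention (1 year + 1 month)

# Events per Client Security agent per action (Database Growth Factors table).
EVENTS = {"am_scan": 2, "threat": 2, "ssa_scan": 1, "ssa_vuln": 1,
          "definition_update": 1, "policy_update": 1, "state_summary": 1}


def events_per_agent_per_day(am_scans=1, ssa_scans=1, state_summaries=1,
                             threats=0.0, ssa_vulns=0.0,
                             definition_updates=0.0, policy_updates=0.0):
    """Daily event count for one agent; rates may be fractional averages.
    The defaults reproduce the deck's minimum of four events per day."""
    return (EVENTS["am_scan"] * am_scans + EVENTS["ssa_scan"] * ssa_scans
            + EVENTS["state_summary"] * state_summaries
            + EVENTS["threat"] * threats + EVENTS["ssa_vuln"] * ssa_vulns
            + EVENTS["definition_update"] * definition_updates
            + EVENTS["policy_update"] * policy_updates)


def sizing(clients, events_per_day, kb_per_event=6,
           retention_days=DEFAULT_RETENTION_DAYS):
    """Daily collection growth and the reporting footprint at retention.
    Assumption (not from the deck): an event costs the same in the
    reporting database as it does in the collection database."""
    daily_mb = clients * events_per_day * kb_per_event / 1000
    retained_mb = daily_mb * retention_days
    return {
        "daily_mb": daily_mb,
        # Days of un-groomed data the default collection size can hold.
        "days_to_fill_default_collection": DEFAULT_COLLECTION_MB / daily_mb,
        "reporting_mb_at_retention": retained_mb,
        # Defaults cannot autogrow, so True means: resize the DB at setup.
        "resize_reporting_db": retained_mb > DEFAULT_REPORTING_MB,
    }


if __name__ == "__main__":
    base = sizing(10_000, events_per_agent_per_day())  # the deck's example
    busy = sizing(10_000, events_per_agent_per_day(threats=0.5, ssa_vulns=3))
    for label, r in (("baseline", base), ("busy", busy)):
        print(f"{label}: {r['daily_mb']:.0f} MB/day, "
              f"{r['days_to_fill_default_collection']:.1f} days to fill 15 GB, "
              f"{r['reporting_mb_at_retention'] / 1000:.1f} GB retained")
```

Even the four-event baseline exceeds the 1 GB default reporting size within days, which is why the deck insists both sizes be set during setup.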

If each event consumes 6 KB in the collection database: 4 x 6 KB x 10,000 clients = 240 MB per day!

Forefront Architecture: Mind the Firewalls!

Component | Connection | Topologies | Port (protocols) | Notes
--- | --- | --- | --- | ---
Collection server | To collection database | Five-server and six-server | 1433 (TCP and UDP) | None. Using a firewall between these two servers is not supported.
Management server | To collection server | Four-server, five-server, and six-server | 445 (TCP and UDP), 135 (TCP), and DCOM port range | The Microsoft Operations Manager (MOM) Administrator and Operator consoles on the management server require a connection to the collection server.
Management server | To collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None.
Management server | To reporting server | Three-server, four-server, five-server, and six-server | 80 (TCP) or 443 (TCP) | Port 80 is used for HTTP and port 443 is used for HTTPS.
Reporting database | To collection database | Three-server, four-server, and six-server | 1433 (TCP) and 1434 (UDP) | Using a firewall between these two databases is not supported.
Reporting server | To collection database | Four-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None.
Reporting server | To reporting database | Three-server, five-server, and six-server | 1433 (TCP) and 1434 (UDP) | None.
Distribution server | To Microsoft Update or upstream WSUS server | All | 80 (TCP) or 443 (TCP) | To obtain updates from Microsoft Update, the distribution server uses port 80 for HTTP and port 443 for HTTPS.

Malware Protection Center Web Portal

http://www.microsoft.com/security/portal/

• Up-to-date information about current threats, news, and research from the Malware Protection Center
• Top threat telemetry – key insights on the latest and most prevalent threats
• Searchable malware encyclopedia
• Alternate download location for Forefront Client Security signatures
• Ability for customers to submit malware samples to Microsoft for analysis
• Technical resources (guidance, whitepapers etc.)

www.microsoft.com/security/portal

Roadmap: Past, Present, Future

Past | Present | Future
--- | --- | ---
Client Security | Codenamed "Stirling": Integrated Client Security Management & Protection (Beta 2) | Next Generation
Server Security SP1 | Codenamed "Stirling"; Server SP1 | Next Generation
Edge | | Next Generation Edge Security & Access

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.