Forefront Client Security Implementation

Forefront Client Security implementation
By Christian Stahl, Microsoft Enterprise Services, [email protected]

Agenda
• Introduction to the Forefront suite
• Introduction to Forefront Client Security
• Forefront information flow
• Lessons learned

What is Microsoft Forefront?
A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management.

Unified Protection
• Unified agent for virus and spyware protection
  – Common engine used by Windows Defender, OneCare, Forefront Server Security
• On-access protection via kernel mode mini-filter
  – Built on Windows Filter Manager platform
  – Malware prevented from executing entirely – anti-virus and anti-spyware
• User mode scanning
  – System Configuration, IE Add-ons & Configuration
  – IE and Office downloads
  – Services & drivers
  – App execution & registration
• Scheduled and on-demand scans
  – Quick scan – in-memory processes, targeted directories, common malware extensibility points
  – Full scan – quick scan + local drives

Product comparison (table; the per-product check marks did not survive extraction)
• Columns, for individual users: Windows MSRT; Windows Live Safety Center; Windows Defender; Windows Live OneCare
• Column, for businesses: Microsoft Client Protection
• Rows: Remove most prevalent viruses; Remove all known viruses; Real-time antivirus; Remove all known spyware; Real-time antispyware; Central reporting and alerting; Customization; IT infrastructure integration (SMS)

Simplified Administration – Client deployment and signature distribution
• Agent installation and signature deployment optimized for Microsoft Update (MU) and Windows Server Update Services (WSUS)
• Can use any software distribution system
• Auto and manual approval of definitions (definitions originate from Microsoft Malware Research and flow through Microsoft Update to WSUS)
• Agent installation process
  – Administrator deploys client policy
  – Computers download the installation package from WSUS and install the agent per policy settings
  – Client Security installs an Update Assistant service to:
    – Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
    – Support roaming users
    – Fail over from WSUS to Microsoft Update
• Client policy is deployed to desktops, laptops and servers

Critical Visibility and Control
• Know where action is required
  – Provides an "at-a-glance" view of threats & vulnerabilities across the organization
  – Machines reporting security issues (malware not cleaned, critical vulnerabilities present)
  – Machines not reporting issues
  – Machines not reporting
  – 30-day trend history
  – Notification of machines reporting alerts
• Launch insightful reports
• Stay informed with state assessment scans and security alerts

Critical Visibility & Control – Summary Report (Security Summary screenshot)

Critical Visibility & Control – Security State Assessment
• Scanning based on security check definitions, scheduled via policy or invoked on demand
• Security checks
  – Detect missing security updates based on Microsoft Update
  – Compare system configuration against security best practices
  – Examine data from registry, file system, WMI, IIS metabase, SQL Server, etc.
• A "Score" and "Severity" is given for each check:
  – Score value – level of risk associated with security issues
  – Severity value – provided by the Microsoft Security Response Center for security updates
• Reporting enables drilldown into specific security issues
  – Scan results are collected from managed clients
  – Used to show vulnerability exposure and overall risk
• Extensible with new checks over time – e.g. Windows Firewall
• Questions it answers: "Is my environment compliant with security best practices?" "Has my level of vulnerability exposure changed over time?" "What portion of my environment is at high risk?"

Simplified Administration – Policy deployment
• One console for simplified security administration
• One policy to manage client protection agent settings, e.g.:
  – Scan schedule
  – Anti-spyware unknown action
  – Real-time protection on/off
  – Alert level
  – Signature update frequency
  – Event and logging settings
  – Anti-spyware signature overrides
  – SpyNet reporting on/off
  – Security state assessment settings
  – Level of end-user UI shown
• Choice of 3 integrated policy profile deployment methods:
  – Microsoft Forefront Client Security Console (uses AD/GP)
  – ADM file (uses AD/GP)
  – Export to a file, then use the existing software distribution system

Microsoft Confidential

Authoring a Policy
• FCS Dashboard without any policies defined (screenshot)

Creating a Policy – General tab
• Policy Name
• Description
• Deployment information

Creating a Policy – Protection tab
• Malware Protection
• Scan Settings
• Security State Assessment settings

Creating a Policy – Advanced tab
• Definition Updates
• Advanced Scan options
• Exclusions
• Client UI settings

Configuring an Override – Overrides tab
• Select malware by name
• Change the default behavior
• Override based on Severity
• Override based on Category

Creating a Policy – Reporting tab
• Alert Levels
• Logging
• SpyNet

Alert configuration is policy specific
• Alerts notify the admin of high-value incidents, including:
  – Malware detected
  – Malware outbreak
  – Malware failed to remove
  – Malware protection disabled
• Alert levels control the type & volume of alerts generated
  – Scale from 1 (Critical Issues Only; Low Value Assets) to 5 (Rich Data; High Value Assets)
  – Alert types governed by the level (the per-level matrix did not survive extraction): Outbreak; Malware removal failed; Signature update failed; Malware detected and removed (per min)

Deploying a Policy
• OU/Domain
• Security Group
• File
• Advanced (target: RC)

FCS Components Review
• Management Service – a console used to configure FCS policies, run reports, and open the collection service console
• Collection Service – (MOM "lite") a service to collect statistics and alerts from clients
• Reporting Service – SQL Reporting Services; periodically transfers data from the collection database; used to generate predefined and custom reports
• Distribution Service – WSUS by default; periodically downloads signature and client software updates from Windows Update, and clients periodically pull updates from the WSUS server (standard Windows Update process)
• Client Agent – actually 3 clients: AV, AS and MOM

FCS Server Roles Review
• Management Server - Hosts the FCS Console
• Collection Server - Hosts FCS MOM 2005 Server
• Reporting Server - Hosts SQL Reporting Services and FCS reports
• Distribution Server - Hosts WSUS
• Collection DB Server - Hosts the OnePoint DB
• Reporting DB Server - Hosts the SystemCenterReporting DB

Forefront Architecture Options – Three Servers
• Management, collection, and reporting; collection database: four 2 GHz or faster 32-bit processors; 4 GB RAM; SCSI disks with the operating system, data files, and log files separated, data files and log files each on a 2-disk RAID configuration
• Reporting database: two 2 GHz or faster 32-bit processors; 4 GB RAM; SCSI disks with the operating system, data files, and log files separated, data files and log files each on a 2-disk RAID configuration
• Distribution server: single 2 GHz or faster 32-bit processor; 1 GB RAM; SCSI disks with the operating system separated from the data and log files

Forefront Architecture Options – Four Servers
• Management server: two 2 GHz or faster 32-bit processors; 2 GB RAM
• Reporting and reporting database: four 2 GHz or faster 32-bit processors; 4–8 GB RAM; SCSI disks with the operating system, data files, and log files separated, data files and log files each on a 2-disk RAID configuration
• Collection and collection database: four 2 GHz or faster 32-bit processors; 4 GB RAM; SCSI disks with the operating system, data files, and log files separated, data files and log files each on a 2-disk RAID configuration
• Distribution server: single 2 GHz or faster 32-bit processor; 2 GB RAM; SCSI disks with the operating system separated from the data and log files

Forefront Architecture Options – Five Servers
• Management Server: two 2 GHz or faster 32-bit processors; 2 GB RAM
• Collection Server: two 2 GHz or faster 32-bit processors; 2 GB RAM
• Reporting Server: four 2 GHz or faster 32-bit processors; 2 GB RAM
• Distribution server: two 2 GHz or faster 32-bit processors; 2 GB RAM; SCSI disks with the operating system separated from the data and log files
• SQL Server: four 2 GHz or faster 32-bit processors; 4–8 GB RAM; SCSI disks with the operating system, data files, and log files separated, data files and log files each on a 2-disk RAID configuration

Forefront Architecture Options – Six Servers
• Management Server: two 2 GHz or faster 32-bit processors; 2 GB RAM
• Collection Server: two 2 GHz or faster 32-bit processors; 2 GB RAM
• Reporting Server: four 2 GHz or faster 32-bit processors; 2 GB RAM
• Distribution server: two 2 GHz or faster 32-bit processors; 2 GB RAM; SCSI disks with the operating system separated from the data and log files
• Collection DB Server: four 2 GHz or faster 32-bit processors; 4 GB RAM; SCSI disks with the operating system, data files, and log files separated, data files and log files each on a 2-disk RAID configuration
• Reporting DB Server: four 2 GHz or faster 32-bit processors; 4–8 GB RAM; SCSI disks with the operating system, data files, and log files separated, data files and log files each on a 2-disk RAID configuration

Enterprise Deployments
• Involve multiple FCS pods
• Increased scope and complexity
• Require more in-depth planning
  – phased deployment
  – resource allocation
  – assumptions/dependencies

Enterprise Deployment Example (diagram; labels only survived extraction)
• Pod 1: 10,000 clients
• Pod 2: 8,750 clients
• Pod 3: 9,300 clients
• Forefront Client Security Enterprise Manager; FCS Management Server; MOM
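The deck's distribution service relies on clients pulling definitions and agent packages from WSUS through the standard Windows Update client, with failover to Microsoft Update. A practical check when rolling this out is whether a given client is actually pointed at the intended WSUS server rather than silently going to Microsoft Update. The script below is an added example, not code from the slide deck or from Microsoft; it reads the standard Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer) and compares them with an expected WSUS URL. The URL in $ExpectedWsus is a placeholder for your own distribution server.

```powershell
# Added example (not from the slide deck): verify that this client's Windows Update
# policy points at the WSUS server that Forefront Client Security uses for distribution.
# Registry locations are the standard Windows Update policy keys; the WSUS URL is a
# placeholder assumption for your environment.
param(
    [string]$ExpectedWsus = 'http://wsus.example.internal:8530'   # placeholder, replace
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

$result = [ordered]@{
    WUServer       = $null
    WUStatusServer = $null
    UseWUServer    = $null
    Verdict        = 'Unknown'
}

# WUServer/WUStatusServer live under the WindowsUpdate policy key
if (Test-Path $wuPolicy) {
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $result.WUServer       = $wu.WUServer
    $result.WUStatusServer = $wu.WUStatusServer
}

# UseWUServer (DWORD) lives under the AU subkey; 1 means "honour WUServer"
if (Test-Path $auPolicy) {
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    $result.UseWUServer = $au.UseWUServer
}

if ($result.UseWUServer -eq 1 -and $result.WUServer -eq $ExpectedWsus) {
    $result.Verdict = 'OK: client pulls updates from the expected WSUS server'
}
elseif ($result.UseWUServer -eq 1) {
    $result.Verdict = "WARNING: client points at '$($result.WUServer)', not the expected WSUS server"
}
else {
    $result.Verdict = 'INFO: no WSUS policy in effect; client uses Microsoft Update directly'
}

[pscustomobject]$result
```

Run it on a managed client after the policy has applied (for example via a remote session or a login script that writes the object to a central share). A client reporting the INFO verdict is still protected if it can reach Microsoft Update, but it bypasses the approval step the deck describes, so such clients are worth tracking alongside the "machines not reporting" view in the console.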

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 38
