Microsoft Forefront Endpoint Protection 2010 Evaluation Guide
2010 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, Forefront, Windows, Windows Server, all Forefront products, and Active Directory Rights Management Services are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This reviewer's guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Other product and company names herein may be trademarks of their respective owners. Microsoft Corp. One Microsoft Way Redmond, WA 98052-6399 USA
This guide is designed to walk you through an end-to-end evaluation of Microsoft Forefront Endpoint Protection 2010, based on task-driven scenarios that you would commonly find in your daily production use. Step-by-step instructions will give you a sense of product features, capabilities, usage, and end-user benefits in order to help your pre-purchase assessment.
TABLE OF CONTENTS
Table of Contents 4
Introduction 6
  Using This Guide 6
Chapter 1: Overview 7
  What Is Forefront Endpoint Protection 2010? 7
  The Convergence of Desktop Security and Management 7
  Reduce Ownership Costs 7
  Improved Protection 7
  Increased Efficiency 8
  What's New in Forefront Endpoint Protection 2010 9
  Common Usage Scenarios for Forefront Endpoint Protection 2010 11
  Ease of Deployment 11
  Enhanced Protection 12
  Simplified Management 13
  Getting Started 14
  Summary 15
Chapter 2: Ease of Deployment and Simplified Management 17
  Exercise 1: Deploying Forefront Endpoint Protection 2010 18
  Exercise 2: Using Configuration Manager to deploy FEP clients 21
  Exercise 3: Operations 27
  Exercise 3.1: Operational status: Dashboard overview 28
  Exercise 3.2: Policy management 29
  Exercise 3.3: Policy customization 32
  Exercise 3.4: Policy assignment 39
  Exercise 3.5: Using Group Policy for FEP 40
  Exercise 3.6: Signature updates 44
  Summary 50
Chapter 3: Comprehensive Protection 52
  Exercise 4: Detecting and cleaning malware impact scanning 53
  Exercise 5: On-demand, scheduled and real-time scanning 56
  Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning 57
  Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning 60
  Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning 60
  Summary 62
Chapter 4: Simplified Management: Reporting and Alerting 63
  Exercise 6: Forefront Endpoint Protection 2010 reports 63
  Exercise 7: Forefront Endpoint Protection 2010 alerts 66
  Exercise 7.1: Sending a Malware Outbreak alert 66
  Exercise 7.2: Sending a Malware Detection alert 68
  Exercise 7.3: Sending a Repeated Malware Detection alert 70
  Exercise 7.4: Sending a Multiple Malware Detection alert 72
  Exercise 7.5: Setting the alert level 74
  Summary 75
APPENDIX: System Requirements and Prerequisites 76
  Hardware Requirements 76
  Pre-configured Virtual Environment System Requirements 76
  Forefront Endpoint Protection 2010 System Requirements 76
  Forefront Endpoint Protection 2010 Client 77
  Software Prerequisites for Forefront Endpoint Protection Deployment 77
  Exercise 8: Deploying SQL Server 78
  Deploying Configuration Manager 2007 R2 80
Forefront Endpoint Protection Security Management Pack: Enabling Real-Time Monitoring with System Center Operations Manager 2007 R2 81
  Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010 83
  Exercise 10: Generating alerts and notifications 86
  Exercise 11: Performing task remediation 89
Resources 92
Evaluation Guide
Page 5
INTRODUCTION
Forefront Endpoint Protection 2010 (FEP), the next version of Forefront Client Security, enables businesses to simplify and improve endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2 and R3, and allows customers to use their existing client management infrastructure to deploy and maintain endpoint protection.
Using This Guide
This guide highlights important features of FEP and is designed to simplify your review process.
Chapter 1 provides an overview of FEP and outlines its new features, benefits, and common usage scenarios. Chapter 2 covers FEP setup and configuration and signature updates, with installation and management using System Center. Chapter 3 covers the comprehensive antimalware detection and prevention capabilities of FEP, including results analysis. Chapter 4 covers reporting and alerting capabilities of FEP. The appendices provide steps to install System Center server components and other pre-requisites for FEP evaluation. They also explain how you can use Microsoft System Center Operations Manager to monitor FEP activities in real time using the Forefront Endpoint Protection Security Management Pack.
The labs throughout this guide provide evaluation and testing instructions and explain the design and use of various features.
CHAPTER 1: OVERVIEW
Secure and Streamline the Windows Optimized Desktop
Forefront Endpoint Protection 2010 and Configuration Manager are part of the Windows Optimized Desktop, which is built on the Windows 7 Enterprise operating system. The Windows Optimized Desktop also deploys virtualization technologies with integrated management across physical and virtual machines, including Microsoft Virtual Desktop Infrastructure (VDI). Along with Microsoft Office 2010, Windows Internet Explorer 8, and the Microsoft Desktop Optimization Pack, FEP and Configuration Manager help create a more productive, manageable, and secure workforce environment.
Improved Protection
Many desktop vulnerabilities are a result of poor system configuration, yet security administrators often lack easy access to inventory, patch level, and other desktop-specific data. Forefront Endpoint Protection 2010 and Configuration Manager 2007 give your organization industry-leading threat-detection capabilities to remediate endpoint security vulnerabilities. The FEP antimalware engine provides highly accurate and efficient threat detection and protects against the latest malware and rootkits with a low false-positive rate. It also helps protect clients against unknown or zero-day threats. The combination of these technologies in a single infrastructure offers a unique, consolidated view into the health and protection status of user systems. IT can better identify at-risk machines and take action to patch systems, block outbreaks, and initiate clean-up efforts. These technologies can also consolidate and simplify reporting on the complete desktop environment.
Increased Efficiency
Forefront Endpoint Protection 2010 centralizes visibility into the management and security of endpoints, which can help you identify and remediate potentially vulnerable endpoints via:
- A single experience to manage clients and to create and configure endpoint protection policies
- Increased awareness of potentially vulnerable clients
Integrate

Improved visibility
Single infrastructure for desktop management and protection
Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 or R3, which enables you to use your existing client-management infrastructure. You can deploy and manage infrastructure for endpoint protection through a single interface, the Configuration Manager console, which enables you to manage and secure endpoints without the need for additional servers to support FEP. This integration is based on:
- Centralized deployment: Central package installation on client machines.
- Policy Management: Endpoint security policies can be defined centrally through the management console. Predefined templates for productivity and security defaults make it simpler to define policies based on best practices. This helps reduce complexity, improves troubleshooting and reporting insight, and can save time and effort.
- Customized alerts: Forefront Endpoint Protection generates alerts when it detects malware; alerts are based on the severity of the malware. Alerts can also be customized for specific types of malware detection.
- Reporting: View the overall status of security threats, actions needed, and the overall health status of client machines.

Enterprise scalability
Forefront Endpoint Protection 2010 uses the Configuration Manager infrastructure to more efficiently deploy clients and policies. This enables enterprises to deploy and manage endpoint protection clients on a very large scale.

Protect

Highly accurate detection
The new antimalware engine protects against the latest malware and rootkits with a low rate of false positives.

Efficient scanning
The engine also helps keep employees productive with scanning that has low impact on performance. It enables administrators to limit processor usage during scans and uses new improvements in the engine, such as advanced caching, to provide high-quality security with optimized performance.

Behavior monitoring
Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block attacks on client systems from previously unknown threats. Detection methods include behavior monitoring, emulation, and Dynamic Translation. Behavior monitoring identifies new threats and tracks the behavior of unknown processes or known processes gone bad. Any behavior monitoring detection triggers a request to a cloud-based Dynamic Signature Service that can deliver protection in near-real time for new threats that are not in the signature set on the endpoint.

Forefront Endpoint Protection 2010 provides protection against network-level exploits and intrusions by inspecting inbound and outbound network traffic. Based on the Microsoft Network Inspection System, it balances protection with performance by only enabling signatures for the unpatched vulnerabilities.

Forefront Endpoint Protection 2010 ensures that Windows Firewall is active and working properly to protect against network-layer threats. It also enables you to more easily manage these protections across the enterprise from the FEP console.

Signature updates
Forefront Endpoint Protection 2010 provides multiple options to receive signature and engine updates. Organizations can use their existing Windows Server Update Services (WSUS) infrastructure to receive FEP updates. Administrators can also configure a client to connect to Microsoft Update or use a file share to download the latest definition updates.

Forefront Endpoint Protection 2010 automatically alerts you if it detects viruses, spyware, or other potentially unwanted software. It also provides the level of alert for a detected item:
- Severe or high-level alerts: Forefront Endpoint Protection alerts you to a threat and then always recommends that you remove the program(s).
- Medium-level alerts: Review the alert details (click the Show details link) to see why FEP detected the item. If you dislike what the software does or if it comes from an unknown or untrusted publisher, consider blocking or removing the software.
- Low-level alerts: This type of alert typically occurs when a program is installed and FEP is unsure about the authenticity of the program. To allow the software, review the alert details or check to see if you recognize and trust the software publisher.
You can also customize alerts and set FEP to alert you if you run software that has not yet been analyzed. You can also set alerts to notify you if software makes or tries to make changes to your computer.

Detailed reports
Forefront Endpoint Protection 2010 uses the same reporting infrastructure as Configuration Manager and provides easy-to-use reports out of the box that provide deep insight into enterprise-wide client security activities.

Integration with Operations Manager 2007 R2
The FEP Security Management Pack enables you to monitor the security of server operating systems or critical assets in real time using existing Operations Manager infrastructure.
Common Usage Scenarios for Forefront Endpoint Protection 2010

Ease of Deployment
Forefront Endpoint Protection 2010 uses Configuration Manager 2007 to centralize deployment of security software and policies to multiple endpoints. You can deploy FEP Server on a Configuration Manager standalone (single) site or to a hierarchical site environment. In a hierarchical Configuration Manager deployment there is a parent site that has one or more sites (child sites) attached to it in the hierarchy. Configuration Manager 2007 sites define the scope of administrative control. The administrative control requirements will determine where FEP should be installed:
- For centralized policy creation and control, install FEP on the central site.
- For decentralized policy creation and control, install FEP on the child sites.
Configuration Manager distribution is used to centrally manage and monitor the deployment of FEP to client computers in your existing infrastructure. With this method, you can control which Configuration Manager collections the client is deployed to, and use the provided reports to determine deployment status or drill down to information about computers on which the client failed to deploy and why. Organizations can use their existing WSUS infrastructure to receive the signature and antimalware engine updates. Additionally, administrators can define network file shares or Internet-based Microsoft Update to provide the latest signature updates to the clients.
In the related section of this common usage scenario, you will evaluate the process of centralized client deployment through Configuration Manager 2007. This scenario provides step-by-step instructions to distribute and advertise the software to existing or new endpoints.
Enhanced Protection
Exposure to fast-evolving security threats requires businesses to frequently test patches and updates before they release them to users. Viruses, rootkits, spyware, malware, and directed attacks can arise from inside and outside an organization's network. Some threats breach tight security on the corporate network, and some enter via removable devices. Forefront Endpoint Protection 2010 detects known and unknown threats with a high degree of accuracy and actively protects against network-level exploits. Administrators can enable real-time protection against evolving threats by defining endpoint protection policies.
Simplified Management
In combination with Configuration Manager 2007, FEP provides a central location for you to create and apply malware protection policies on endpoints. This policy mechanism allows you to centrally control and manage malware-scanning properties, and it provides configurable protection on client computers such as:
- Scheduled scans
- Threat-handling settings
- Real-time protection
- Exclusion of files, folders, file types, and processes from scans
- Scans of removable drives and devices
- Overrides of recommended actions against threats
You can enable updates based on behavior monitoring through the cloud-based Dynamic Signature Service. This approach can make policy management a more efficient process that can save organizations time and resources. In the related section in this guide for this common usage scenario, you will evaluate the process of policy creation and centralized deployment on multiple endpoints.
Getting Started
The step-by-step instructions in the following sections show you how to distribute FEP to client computers, create and manage policies, configure FEP alerts, monitor FEP status, look at FEP reporting, and force a quick scan on specific computers. To evaluate FEP, you can use either the FEP Pre-configured Virtual Environment (downloadable virtual machines pre-configured for evaluation) or FEP evaluation software that you can deploy in your own environment.
This guide uses the pre-configured virtual environment to provide step-by-step guidance on common security tasks. The environment is pre-configured with the following virtual machines:
Using FEP evaluation software: If you choose to set up your own environment to evaluate FEP, you first need to set up the server and client machines. The prerequisite installations for this setup include:
- SQL Server 2005 SP2 or 2008
- Configuration Manager 2007 R2 / R3
- Forefront Endpoint Protection 2010
For detailed installation steps and system requirements, refer to Appendix A. You can download FEP evaluation software at: http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx After you install the software, go to the evaluation scenarios.
Summary
This chapter showed how customers use their existing client management infrastructure to deploy and manage FEP. It discussed the benefits and features of FEP and the reasons why organizations should make it a part of their infrastructure. It also gave an overview of the three common usage scenarios, which the subsequent sections of the guide cover in greater detail. You can find an overview of the three evaluation scenarios in these sections:
- Common Usage Scenarios for FEP 2010: Describes the common usage scenarios for using FEP.
- Getting Started with the evaluation scenarios: This helps users evaluate FEP.
Chapter 2 provides more information about the ease of deployment and simplified management and covers the following topics:
- Deploying Forefront Endpoint Protection 2010: Step-by-step installation of FEP.
- Using Configuration Manager to Deploy FEP Clients: Step-by-step process to distribute and advertise the software to existing or new endpoints.
- Dashboard Reporting using Forefront Endpoint Protection 2010: The dashboard summarizes the overall health status of clients and provides detailed reports for particular computers.
- Policy Management using Forefront Endpoint Protection 2010: Defines the various configuration options of the FEP client that users can manage, such as policy customization, policy assignment, group policy configuration, the scan schedule, the location and frequency of definition updates, and scan exclusions.
- Performing Signature Updates on Forefront Endpoint Protection 2010 clients: Provide the latest updates to all endpoints from a central console and keep them protected from new threats.
CHAPTER 2: EASE OF DEPLOYMENT AND SIMPLIFIED MANAGEMENT
Forefront Endpoint Protection 2010 and Configuration Manager together provide the enterprise scalability to efficiently deploy enhanced security within large organizations.
- Forefront Endpoint Protection 2010 Installation: consists of downloading the package, verifying prerequisites, installing the FEP server, and validating the success of the installation.
- Deploy FEP: distribute the client and policies using Configuration Manager to multiple endpoints.
- Operationalized Security: centralized operations management through Configuration Manager across multiple client machines:
  o Dashboard Monitoring: summarizes the overall health status of machines and provides detailed reports for particular computers.
  o Policy Creation: create, configure, and assign FEP policies to endpoints.
  o Signature Updates: enables administrators to provide the latest updates to all endpoints centrally and thus keep them protected against new threats.
- Use existing infrastructure
- No new servers
- Integrated console
- Supports Configuration Manager 2007 SP2/R2 and later
In this chapter, you will evaluate the installation of FEP, FEP centralized client deployment using Configuration Manager 2007, and operations. This chapter will cover the following exercises:
Exercise: Illustrates
1. Deploying FEP: Step-by-step installation of FEP.
2. Using Configuration Manager to deploy FEP clients: Centralized deployment of FEP from server to client machines.
3. Operations: Description of the operations that can be performed with FEP.
3.1. Operational status: Dashboard overview: Contents of the Dashboard of Configuration Manager 2007.
3.2. Policy management: Step-by-step creation of FEP policies.
3.3. Policy customization: Advanced protection methods to customize policies and change granular settings.
3.4. Policy assignment: Assign FEP policies to a Configuration Manager collection.
3.5. Using Group Policy for FEP: Configure clients with FEP Group Policy objects, pre-configured policy templates, and the FEP Group Policy Tool.
3.6. Signature updates: Methods to provide signature updates to endpoints.
Exercise 1: Deploying Forefront Endpoint Protection 2010
NOTE: This lab requires a server installed with Configuration Manager 2007 and SQL Server 2008. For system requirements and prerequisite installation details, you can refer to the following sections of the Appendix:
- APPENDIX: System Requirements and Prerequisites
- Deploying SQL Server
- Deploying System Center Configuration Manager 2007 R2
- Deploying Windows Installer version 3.1
- Deploying WFP Rollup Package
If you are evaluating FEP with the pre-configured virtual environment, you will need the following virtual machines:
If you chose to use the pre-configured virtual environment to evaluate FEP, please skip to Using Configuration Manager to Deploy FEP Clients
1. Go to the location where you extracted the FEP server source files, and then double-click serversetup.exe to open the FEP server setup wizard.
2. Enter your Name and Organization.
3. After accepting the license agreement, select one of four installation options:
   - Basic topology: Install all infrastructure on a single server.
   - Basic topology with remote reporting database: Install all FEP components except the remote reporting database. This option allows you to specify a different SQL Server for the FEP reporting database.
   - Advanced topology: Customized option that lets you define the following FEP components to install in a distributed environment:
     o Configuration Manager Site Server FEP Extension
     o FEP Reporting and Alerts
     o Configuration Manager Console Extension for FEP
   - Configuration Manager Console FEP 2010 Extension Only: Install FEP as an extension for the Configuration Manager console.
   Based on the install options you choose, the prompts and content you see in the setup wizard may vary from the next steps described here. The remaining steps assume that you chose the Advanced topology option and selected the capabilities for Site Server, FEP Reporting and Alerts, and Configuration Manager Console Extension for FEP (see Figure 1.3).
   - Extension of FEP for System Center: Integrating FEP with Configuration Manager occurs at multiple levels: the software distribution procedures and analysis, and security configuration through components. These extensions allow the creation of collections, packages for distribution processes, and the creation of objects and baselines used in the desired configuration.
   - Forefront Endpoint Protection 2010 Reporting and Alerts: Allows component installation on local machines for monitoring FEP.
   - Configuration Manager Console extension for FEP: Installation of the FEP console in Configuration Manager for centralized management.
4. The wizard provides information to configure the FEP database, including the Configuration Manager database computer, database instance, and Forefront Endpoint Protection 2010 database name (see Figure 1.4). If you chose to build your own test environment, enter the information to reference your SQL Server installation.
5. Next, the wizard configures FEP to use Microsoft Update for automatic updates for Windows and other Microsoft products, including FEP (see Figure 1.5). If you select Join the customer experience program, Microsoft will collect information about the system hardware and FEP usage, to enable further improvements.
6. If you choose to join the Microsoft SpyNet community, you can automatically send and share information about detected software. This information helps Microsoft create new definitions for improved protection, which can help your software better detect and notify you of potential malware. Basic Membership enables the Dynamic Signature Service to provide updates based on behavior monitoring without waiting for the regular signature update process (see Figure 1.6).
7. The Installation Location page allows you to specify the path and folder locations for Forefront files and data files. You can also use the Browse button to change the storage location of product files. This dialog also specifies disk space requirements (see Figure 1.7).
8. The final screen prior to setup is a prerequisite check. The installer will verify that each of the prerequisites listed in step 1 has been met. If a prerequisite check fails, the installer will provide an explanation and remediation steps. Only when all prerequisites have been met will setup continue (see Figure 1.8).
   After you have met all the prerequisites to install FEP, the wizard displays a summary of wizard selections to configure, including general settings, updates, and FEP site extension (see Figure 1.9).
9. The FEP installation will configure antimalware support on the server automatically. You can use the configuration snap-in added to the Configuration Manager console to manage and monitor FEP.
Exercise 2: Using Configuration Manager to deploy FEP clients
The following step-by-step instructions use the pre-configured virtual environment and are configured on the virtual machine called Fargo (Server 2 in the table above). To examine the integration between FEP Server and Configuration Manager:
1. On the Start menu, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console to open the Configuration Manager 2007 SP1 R2 console (Figure 2.1, Start menu).
2. In the Configuration Manager Console, expand Site Database, expand Computer Management, and then expand Forefront Endpoint Protection. The Forefront Endpoint Protection 2010 node contains subnodes for Policies, Alerts, and Reports. Notice that FEP Server integrates with the Configuration Manager console to manage FEP client policies, alerts, and reporting.
3. Under Computer Management, expand Collections, and then expand Forefront Endpoint Protection 2010 collections. Note that FEP Server maintains several collections of client computers.

To use the Software Distribution wizard to deploy FEP client software
1. In the Configuration Manager console, in the left pane, under Collections, select All Systems. Server and client computers are listed in this collection.
2. In the middle pane, right-click a client to deploy, click Distribute, and then click Software to open the Distribute Software to Resource wizard.
   Note: Instead of deploying the FEP client software to a single computer, you can also distribute FEP to all computers in a particular collection at once.
3.
4. On the Package page, ensure that Select an existing package is selected, and then click Browse. This page also provides options to Create a new package from a definition file and to Create a new package and program without a definition file, which can be used to create new packages.
5. In the Select a Package dialog box, select the Microsoft Corporation Forefront Endpoint Protection 2010 - Deployment 1.0 package, and then click OK.
6.
7. On the Distribution Points page, select your default distribution point (Fargo, if you are using the virtual environment) and then click Next. On this page, you can select distribution points based on where the clients will access the package. If the package was previously distributed, some distribution points will already be selected. If you cancel the selection of a distribution point, the package will be deleted from it.
8. On the Select Program page, select Install, and then click Next.
   Note: You can also use the software distribution package to uninstall FEP clients.
9. On the Advertisement Target page, select Advertise this program to an existing collection that contains this resource, and then click Next.
   Note: This page also provides you the option to Advertise this program to an existing collection that contains this resource and then select the collection to send the advertisement.
10. On the Advertisement Name page, in the Name box, type FEP Deployment Install to All Systems. The name of the new advertisement will start with Forefront FEP Deployment Install to All Systems.
11. On the Advertisement Subcollection page, select Advertise the program to members of the collection and its subcollections, and then click Next. Note: This page also provides you the option to Advertise the program only to members of the specified collection.
13. On the Assign Program page, select Yes, assign the program, select Ignore maintenance windows, and then click Next.
To examine the FEP deployment
1. In the Configuration Manager Console, in the left pane, expand System Status, expand Advertisement Status, and then select the Forefront Endpoint Protection 2010 - Deployment advertisement. In the middle pane, notice that the related program from this advertisement has successfully started.
2. In the left pane, under Computer Management, select Forefront Endpoint Protection.
3. In the Actions page, click Update Forefront Endpoint Protection 2010 Collections membership.
4. Click OK to confirm that you want to update the membership of the FEP collections. In the middle pane, notice that FEP is now deployed on the client machines.
5. After the distribution is successfully completed, the FEP client will be installed on the endpoint. The time needed for successful deployment depends on the Configuration Manager client settings. After successful installation, you can see the FEP icon in the task bar.
Note: When you install the FEP client package, it will automatically uninstall existing antimalware clients, including:
- Forefront Client Security version 1, including the Operations Manager agent
- Symantec Endpoint Protection version 11
- Trend Micro OfficeScan version 8.0 and version 10.0
- McAfee VirusScan Enterprise version 8.5 and version 8.7
- Symantec Endpoint Protection Small Business Edition version 12
- Symantec Corporate Edition version 10
Exercise 3: Operations
This exercise will help you evaluate ease of operations while managing endpoint security with FEP. Operations include viewing client health status on the Dashboard, centralized policy creation, and configuration of signature updates for multiple clients. This exercise covers the following sub-exercises:
Exercise: Illustrates
3.1. Operational status: Dashboard overview: Contents of the Dashboard of Configuration Manager 2007.
3.2. Policy management: Step-by-step creation of an FEP policy.
3.3. Policy customization: Once the policy is created from the template, FEP offers flexibility to customize it further. Administrators can open the properties of the policy and customize it; for example, administrators can define a CPU threshold for scans (a new feature) and many other granular settings.
3.4. Policy assignment: Assign the FEP policy to a Configuration Manager collection.
3.5. Using Group Policy for FEP: Configure clients by using Forefront Endpoint Protection GPOs, pre-configured policy templates, and the Forefront Endpoint Protection Group Policy Tool.
3.6. Signature updates: Methods to provide signature updates to endpoints.
Lab Environment
If you are using the pre-configured virtual environment to evaluate FEP, you will need the following virtual machines:

S.No.  Machine Name         Roles
1      Server 1 (Denver)    DC, CA, AD FS, WSUS
2      Server 2 (Fargo)     FEP Server and Configuration Manager
3      Client 1 (Chicago)   Forefront Client Security (FCS) Client
4      Client 2 (Cairo)     FEP Client

The following step-by-step instructions use the pre-configured virtual environment; the steps are performed on the server machine named Fargo (Server 2) and the FEP client machine named Cairo (Client 2).
Exercise 3.1 Operational status: Dashboard overview
The Dashboard summarizes the overall health status of clients and provides detailed reports for specific clients. To open the Dashboard, in the Configuration Manager Console under Computer Management, click Forefront Endpoint Protection 2010.
The Dashboard has several sections and sub-sections:
- Operational Statistics: statistics based on the operations FEP performs on the managed systems:
  - Client Deployment Status: the number of clients targeted and not targeted by FEP, and the number of successful, pending, or failed deployments. The graph represents these statistics.
  - Malware Activity Status: the status of malware activity on the scanned clients and any action required. Active Malware indicates the presence of malware on the client machines reached through the numbered link. Restart required shows the client machines that need to be restarted. Full scan required indicates the client machines that need a full system scan. Malware cleaned (Last 24 hours) shows all malware removed from client machines in the past 24 hours.
  - Definition Status: information about definition updates on client machines, categorized as Older than 1 week, Up to 7 days old, Up to 3 days old, and Up to date.
  - Policy Distribution Status: the distribution status of the FEP policies deployed to clients: Distribution failed, Distribution in progress, and Policy Distributed.
- Forefront Endpoint Protection Baselines: FEP Standard Desktop, FEP High-Security, FEP Optimized Desktop, and FEP Laptop.
- Links and Resources: links to reports, policy management, alert configuration, and resources for more information.
Exercise 3.2: Policy management
Forefront Endpoint Protection 2010 policy settings define the configuration options of the FEP client and the desktop firewall that you can manage, such as the scan schedule, the location and frequency of definition updates, and scan exclusions. The settings you specify are contained in an FEP policy object. Policies only affect FEP clients after you assign them to a Configuration Manager collection. This section describes how to create a new FEP policy.
To create a new FEP policy
1. On the server, in the Configuration Manager console, in the left pane, under Computer Management, expand Forefront Endpoint Protection, and then select Policies.
Note: You can associate an FEP policy with multiple collections, and you can associate multiple policies with a single collection. When a client falls under more than one policy, the policies are applied in order of precedence (see Policy Precedence in Exercise 3.3).
Figure 3.2 FEP Policies page.
2. In the Actions pane, click New Policy to open the New Policy wizard.
3. On the General page, in the Policy name box, type Forefront Endpoint Protection 2010 Desktop policy, and then click Next.
4. On the Policy Type page, select High Security policy, and then click Next.
Note: You can choose other templates based on client requirements. For example, the High-security policy enables maximum security settings for antimalware and the desktop firewall, and the Performance-optimized policy maximizes performance and enables baseline protection. You can also load one of 16 pre-configured templates that provide optimized security settings based on the server role.
5. On the Scheduled Scans page, under Weekly scan, in the Day box select Sunday, in the Hour box select 3:00 AM, and then click Next.
6. On the Updates page, click Next. This page provides options for selecting the locations from which clients receive definition updates. By default, the selected options are:
- Enable updates from Configuration Manager or WSUS
- Enable updates from Microsoft Update
This page also lets you enable updates from specified file share locations. FEP clients can obtain antimalware signature updates from four sources: Configuration Manager, WSUS, the Microsoft Update Web site, and a UNC file share. The order in which the sources are tried can be changed in the policy (see Exercise 3.6).
7. On the Client Configuration Options page, select Real-time protection, and then click Next. This page also determines what users may change on the endpoint: with the corresponding options selected, users can configure the scheduled scan time and can choose to receive a notification when malware is detected.
Exercise 3.3: Policy customization
After you create a policy from a template, FEP lets you customize it further. Administrators open the properties of the policy and adjust individual settings.
Defining CPU Usage for Scans
Administrators can limit the processor usage during scans to a given percentage.
1. Open the FEP console (the Forefront Endpoint Protection node of the Configuration Manager console) and click Policies.
2. Right-click the newly created policy, and then click Properties.
3. Click the Antimalware tab, select Limit processor usage during scans to the following percentage, and then set the percentage (see Figure 3.13). The same tab has an option that allows users on endpoint computers to change the CPU usage limit for scans; leave it cleared if the limit is meant to be enforced rather than advisory.
Exporting a Policy
Administrators can export policies, either to keep a backup or to apply the settings to clients that are not managed by Configuration Manager (through the FEP Group Policy Tool, see Exercise 3.5).
1. Open the FEP console and click Policies.
2. Right-click your policy, and then click Export Policy.
3. Save the policy XML file to the desired location on the system.
Policy Precedence
Policies with a higher precedence override settings defined in policies lower in the precedence order. The Policy Precedence dialog box lets you select any policy and adjust its position in that order. Multiple policies can apply to the same machine, but the policy with the highest precedence takes priority.
1. Open the FEP console and click Policies.
2. Select your policy and, in the Actions pane, click Policy Precedence.
3. Define the precedence by moving the policies up and down with the buttons provided.
4. When you are finished, click OK.
Advanced Protection Methods
Dynamic Signature Service (Microsoft SpyNet)
The Microsoft SpyNet service enables users to join an online community that helps them choose how to respond to potential threats and helps stop the spread of new infections. Users can choose to send basic or advanced information about detected software. The additional information helps Microsoft create new definitions to better protect users' machines. The service is also used to deliver dynamic definition updates to endpoints based on behavior-monitoring detections. Advanced membership sends more detail about detected items than Basic membership, so review what it reports against your data-handling requirements before enabling it broadly.
1. Click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.
2. In the Configuration Manager 2007 console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
3. Double-click Default FEP policy.
4. Click the Antimalware tab and, in the list on the left side of the dialog box, select Microsoft SpyNet.
Figure 3.20 Property Dialog Box > Antimalware > Microsoft SpyNet.
5. Select Join Microsoft SpyNet, and then select either Basic membership or Advanced membership. The screenshot in this example shows Basic membership selected.
6. Select Allow users on endpoint computers to change SpyNet settings.
7. Click Apply, and then click OK.
Figure 3.21 Join Microsoft SpyNet.
Firewall Management
You can centrally enable Windows Firewall on client machines. Windows Firewall protects client machines from network attacks and helps prevent resource theft and misuse.
1. Click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.
2. In the Configuration Manager 2007 console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies. In the middle pane, notice the two default policies: Default Server Policy and Default Desktop Policy.
3. Double-click Default Server Policy to open the Default Forefront Endpoint Protection Policy Properties dialog box.
4. Click the Windows Firewall tab.
5. Select Enable Host Firewall protection.
Figure 3.25 Enable Host Firewall Protection.
You can configure Windows Firewall settings separately for each network type:
- Domain Networks: settings for workplace networks that are joined to a domain.
- Private Networks: settings for networks at home or work where the user knows and trusts the people and devices on the network.
- Public Networks: settings for networks in public places such as airports and coffee shops.
For any of these network types, you can set:
- Firewall state (On/Off). On is recommended.
- Incoming Connections (Block Default/Allow/Block all). Block Default is recommended.
- Notification Display (Yes/No).
Block Default blocks unsolicited inbound connections except those explicitly allowed by a firewall rule, including the rules your organization applies through policy; outbound traffic is not affected. Block All blocks all unsolicited attempts to connect to the machine and ignores the list of allowed programs; in this mode Windows Firewall does not notify you when it blocks a program. Use Block All when you need maximum protection, for example on a public network or when a computer worm is spreading over the Internet. Because outbound connections are still allowed, you can still view most webpages, send and receive email, and send and receive instant messages. Allow accepts inbound connections that no rule blocks and is not recommended.
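The script below is an added example, not from the evaluation guide or the product, for testing on a single endpoint what the firewall settings above amount to: it applies a posture with netsh advfirewall (present on every Windows version the FEP client supports), then parses the firewall's own report of each profile and checks it. Which profile gets Block All is this example's choice, not a page default.

```powershell
# Added example (not from the evaluation guide): apply and then verify the firewall
# posture described above on an endpoint, using netsh advfirewall. Which profile gets
# "Block all" is this example's choice, not a page default. Run elevated; an assigned
# FEP policy re-applies its own firewall settings at the next policy refresh, so use
# this to try a posture out, or to check what the policy actually produced.

function Set-ExampleFirewallPosture {
    # Firewall on for every profile; inbound blocked unless a rule allows it
    # ("Block (default)"); outbound allowed.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    # Public networks: "Block all", which also ignores the allowed-programs list.
    netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound | Out-Null
    # Block-all never notifies anyway; notifications stay on for the other profiles.
    netsh advfirewall set publicprofile settings inboundusernotification disable | Out-Null
}

function Get-FirewallProfileState {
    # Parse "netsh advfirewall show allprofiles" into one object per profile.
    # netsh output is localized; these patterns match the English strings.
    $profiles = @()
    $current  = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            if ($current) { $profiles += New-Object PSObject -Property $current }
            $current = @{ Profile = $Matches[1]; State = ''; Policy = ''; Notify = '' }
        } elseif ($current -and $line -match '^State\s+(\S+)') {
            $current.State = $Matches[1]
        } elseif ($current -and $line -match '^Firewall Policy\s+(\S+)') {
            $current.Policy = $Matches[1]
        } elseif ($current -and $line -match '^InboundUserNotification\s+(\S+)') {
            $current.Notify = $Matches[1]
        }
    }
    if ($current) { $profiles += New-Object PSObject -Property $current }
    $profiles
}

function Test-FirewallPosture {
    # Pass only if every profile is on and inbound defaults to block (default or always).
    $bad = Get-FirewallProfileState | Where-Object {
        $_.State -ne 'ON' -or $_.Policy -notlike 'BlockInbound*'
    }
    return (($bad | Measure-Object).Count -eq 0)
}

Set-ExampleFirewallPosture
Get-FirewallProfileState | ForEach-Object {
    '{0,-8} state={1,-4} policy={2,-30} notify={3}' -f $_.Profile, $_.State, $_.Policy, $_.Notify
}
if (Test-FirewallPosture) { 'Firewall posture OK' }
else { Write-Warning 'At least one profile is off or allows inbound connections by default.' }
```

Reading the state back from netsh rather than trusting the set commands matters because a Group Policy or FEP policy that also manages the firewall wins over local changes; if Test-FirewallPosture fails right after Set-ExampleFirewallPosture, something else is managing the profile.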
Restore Point
System Restore is a component of the Windows operating system that lets you roll back system files, registry keys, and installed programs to a previous state after a malfunction or failure. A restore point is a saved snapshot of a machine's system state at a specific time. FEP can create a restore point before it cleans a computer, so that if the cleaning causes a problem you can return the system to its state before the changes. Keep in mind that a restore point taken before cleaning may hold a copy of the infected files; restoring it reintroduces them, so rescan after any rollback.
1. In the Configuration Manager 2007 console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. Double-click Default FEP policy to open the Default Forefront Endpoint Protection Policy Properties dialog box.
3. Click the Antimalware tab and, in the list on the left, select Additional Settings.
4. Select Create a system restore point before cleaning computers.
5. Click Apply, and then click OK.
Exercise 3.4: Policy assignment
To assign FEP policies to clients, you assign them to a Configuration Manager collection. You can assign a policy to more than one collection, and you can assign more than one policy to a collection. When an FEP client has more than one policy assigned to it, it applies the policy with the highest precedence.
To assign a policy to a collection
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Policies.
2. Right-click the policy that you want to assign, and then click Assign Policy.
Note: You cannot assign the Default Server Policy or the Default Desktop Policy.
Figure 3.29 Assign Policy.
3. In the Add/Remove Collection dialog box, click Add.
4. In the Browse Collection dialog box, select the collection to which you want to assign the policy, and then click OK.
5. If you need to assign this policy to multiple collections, in the Add/Remove Collection dialog box, click Add and repeat the previous step for each collection.
To monitor FEP policy deployment
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Forefront Endpoint Protection 2010.
2. View the Policy Distribution Status section under Operational Statistics on the Forefront Endpoint Protection dashboard. You might need to refresh the page to get the latest information.
3. In the Links and Resources pane, under Web Reports, click Policy Distribution Overview for policy deployment information from the collection level down to the computer level.
Note: FEP reports and FEP Dashboard statistics include only those machines running both the FEP client software and the Configuration Manager agent.
Exercise 3.5: Using Group Policy for FEP
You can configure FEP client settings by using Active Directory Group Policy and Group Policy objects (GPOs). The following procedures show how to configure clients by using FEP GPOs, pre-configured policy templates, and the FEP Group Policy Tool.
Exercise 3.5.1: Converting FEP policies to Group Policy
You can convert the settings contained in configured FEP policies to the format used by Group Policy. To convert policies, you must first download and install the FEP Group Policy Tool, available from the Microsoft Download Center as part of the FEP Group Policy Tools package. The package also contains ADMX and ADML files. These files are not required to run the FEP Group Policy Tool, but they are required to view or edit the GPO policy settings it writes.
To extract and install the FEP Group Policy Tool
1. Obtain the Forefront Endpoint Protection Group Policy Tool from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=205492) and copy it to your machine.
2. Double-click fep2010grouppolicytools.exe and extract the files from the package. The package includes the following files:
- fep2010.adml
- fep2010.admx
- fep2010gptool.exe
3. Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool.
To convert FEP policy settings to Group Policy
1. Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool.
Figure 3.33 FEP Group Policy Tool.
2. Select the Domain and the name of the Group Policy object in that domain that you want to populate with the FEP policy settings.
3. Click Select Policy File, then locate and select the XML policy file (exported as described in Exercise 3.3) that contains the settings you want to import into the Group Policy object.
4. Select Clear existing Forefront Endpoint Protection settings, and then click OK to import the settings. You can then view and edit the policy settings by using gpedit.msc.
Warning: Selecting Clear existing Forefront Endpoint Protection settings removes all FEP settings contained in the selected Group Policy object and replaces them with the imported FEP policy settings. Select it only if you want to discard all of the existing FEP policy settings in the Group Policy object.
To add ADMX and ADML files locally in order to view or edit policy settings
1. Navigate to the location where you extracted the ADMX and ADML files in the previous procedure.
2. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.
3. Copy the ADML file to the matching language folder under %systemroot%\PolicyDefinitions\, for example en-US.
Note: You must restart the Group Policy Object Editor after performing the preceding steps.
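The following script is an added example, not part of the evaluation guide: it does the ADMX/ADML installation above from PowerShell, checks the Authenticode signature of the downloaded tool binaries before anything is run, and verifies the copied templates parse. The extraction folder, the language, and whether to use the domain central store are this example's assumptions; the central store path is the standard SYSVOL location.

```powershell
# Added example (not from the evaluation guide): check the downloaded FEP Group Policy
# Tools package before running it, then install fep2010.admx and fep2010.adml into the
# local PolicyDefinitions store or the domain central store. Extraction folder,
# language and store choice are this example's assumptions. Run elevated on the
# machine where you edit GPOs.

$extractDir      = 'C:\FEP\GroupPolicyTools'   # assumed: where the package was extracted
$language        = 'en-US'                     # language folder for the ADML
$useCentralStore = $false                      # $true: copy into SYSVOL so every GPMC sees it

# 1. Refuse to run binaries whose Authenticode signature is missing or broken.
foreach ($exe in 'fep2010grouppolicytools.exe', 'fep2010gptool.exe') {
    $path = Join-Path $extractDir $exe
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { throw "$exe : signature status $($sig.Status); do not run it." }
    '{0}: signed by {1}' -f $exe, $sig.SignerCertificate.Subject
}

# 2. Choose the template store. The central store is the documented
#    \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions location.
if ($useCentralStore) {
    $domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    $store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
} else {
    $store  = Join-Path $env:SystemRoot 'PolicyDefinitions'
}
$langDir = Join-Path $store $language
New-Item -ItemType Directory -Path $langDir -Force | Out-Null

# 3. ADMX at the store root, ADML in the language subfolder (the editor matches them by name).
Copy-Item -Path (Join-Path $extractDir 'fep2010.admx') -Destination $store   -Force
Copy-Item -Path (Join-Path $extractDir 'fep2010.adml') -Destination $langDir -Force

# 4. Sanity check: both files parse as XML and the ADMX actually defines policies.
[xml]$admx = Get-Content -Path (Join-Path $store   'fep2010.admx')
[xml]$adml = Get-Content -Path (Join-Path $langDir 'fep2010.adml')
$policyCount = @($admx.policyDefinitions.policies.policy).Count
$stringCount = @($adml.policyDefinitionResources.resources.stringTable.string).Count
"Installed to $store : $policyCount policy definitions, $stringCount display strings"
if ($policyCount -eq 0) { Write-Warning 'No <policy> elements found; the ADMX may be the wrong file.' }
```

Using the central store instead of the local %systemroot%\PolicyDefinitions means every administrator opening GPMC sees the same FEP template, which avoids the situation where settings written by the FEP Group Policy Tool show up as unreadable extra registry settings on a console without the ADMX.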
Exercise 3.5.2: Merging policies
You can merge policy settings from one or more FEP policies into a single GPO. This is helpful when settings are spread across multiple FEP policies and you want to combine them and use Group Policy to configure clients. To merge FEP policies into a single GPO, use the FEP Group Policy Tool.
Warning: When you merge multiple policies into a single GPO, the order in which you merge them affects the effective policy. For example, if you merge three policies that contain conflicting settings for a particular feature, the settings in the last policy you merge overwrite any conflicting settings already merged into, or contained in, the GPO.
To merge FEP policy settings into a GPO
1. Double-click fep2010gptool.exe to open the FEP Group Policy Tool.
2. Select the Domain and the name of the GPO in that domain that you want to populate with FEP policy settings.
3. Click Select Policy File, then locate and select the XML policy file that contains the settings you want to import into the GPO. If this is the first policy you are merging and the selected GPO contains no FEP policy settings you want to retain, select Clear existing Forefront Endpoint Protection settings. This clears all FEP policy settings in the target GPO, so that only the settings contained in this policy file end up in the GPO.
Figure 3.36 Merging FEP policy settings.
If this is not the first policy you have merged into the selected GPO and you want to retain the settings already in it, verify that the check box is not selected; selecting it clears any previously configured FEP policy settings in that GPO. Click Apply to merge the policy settings into the GPO.
Note: Merging policy settings by using the FEP Group Policy Tool does not change the source FEP policy file.
4. To merge additional FEP policies into the selected GPO, repeat the previous step for each policy file.
Exercise 3.5.3: Configuring and viewing policies
You can view and configure Forefront Endpoint Protection settings by using the Group Policy Object Editor. Each policy setting carries parameter information specific to the feature it configures. Typically you open the Group Policy Object Editor by selecting a Group Policy object (GPO) in the Group Policy Management Console (GPMC) and then choosing the edit action for that object.
To view FEP Group Policy settings
1. Open the Group Policy Object Editor and go to Local Computer Policy\Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010.
2. Expand Forefront Endpoint Protection 2010 and click the folder that contains the settings that you want to view. For more information about a policy setting, double-click it in the right pane to open its configuration dialog box, which shows the additional policy setting information.
To edit FEP GPO settings
1. Open Group Policy Management.
2. In the console tree, double-click Group Policy Objects in the forest and domain containing the GPO that you want to edit.
3. Right-click the GPO, and then click Edit.
Note: You must have edit permissions for the GPO that you want to edit.
4. In the Group Policy Object Editor console, expand Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010 and click the folder that contains the settings that you want to configure.
5. In the right pane, double-click the setting that you want to configure to open its configuration dialog box. Configure the settings that you want to deploy to clients, and then click OK.
6. Deploy the policy settings to clients by linking the GPO to the organizational unit that contains them and waiting for, or forcing (gpupdate /force), a Group Policy refresh.
Exercise 3.6: Signature updates
The Updates section of a policy controls how FEP clients check for definition updates. This lets you provide the latest definitions to all endpoints centrally and protect them from new threats.
Note: If you are evaluating FEP in your own environment, complete the following prerequisites before proceeding:
- Install WSUS 3.0: Before you can install and configure a software update point on a site system server in Configuration Manager 2007, you must install WSUS 3.0 on that server.
- Install the WSUS 3.0 Administration Console: Install it on the Configuration Manager 2007 site server so that the site server and remote Configuration Manager consoles can configure and synchronize software updates.
- Create and configure an active Software Update Point: The software update point in System Center Configuration Manager 2007 is a required component of software updates and is installed as a site system role from the Configuration Manager console. Create the software update point role on a site system server that has WSUS 3.0 installed. For more information on configuring the Software Update Point, see http://technet.microsoft.com/en-us/library/bb633119.aspx
These prerequisites are already completed in the pre-configured virtual environment on the server machines named Denver (Server 1, WSUS) and Fargo (Server 2, FEP/Configuration Manager server). The following step-by-step instructions use the pre-configured virtual environment; the steps are performed on Denver (Server 1) and Fargo (Server 2).
Software Updates and Windows Server Update Services
When you configure FEP, or the FEP Security Management Pack deployment, for WSUS-based definition updates, you must:
- Configure either the Software Updates area of Configuration Manager or your WSUS server to synchronize both updates and definition updates.
- Approve the FEP definitions in the WSUS Administration console.
To synchronize updates and approve FEP definitions in Software Updates in Configuration Manager (in the virtual evaluation environment, this is the virtual machine named Fargo)
1. In the Configuration Manager Console, expand Site Management, expand the site name, expand Site Settings, and then click Component Configuration.
2. In the middle pane, right-click Software Update Point Component, and then click Properties.
3. On the Products tab, select Forefront Endpoint Protection 2010, and then click OK.
To synchronize updates and approve FEP definitions in WSUS
1. Using an account that has local administrator rights, log on to the machine running WSUS (in the virtual evaluation environment, this is the virtual machine named Denver).
2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
3. In the WSUS Administration console, in the tree, click Options, and then click Products and Classifications.
4. In the Products and Classifications dialog box, on the Products tab, select Forefront Endpoint Protection 2010.
5. On the Classifications tab, select Definition Updates and Updates, and then click OK.
Approving Updates
Figure 3.41 Forefront Endpoint Protection 2010.
Updates for the FEP client must be approved before they are offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. Updates are offered to clients only after they are approved for installation and the WSUS server has finished downloading the binaries.
To approve definitions and updates in WSUS
1. Using an account that has local administrator rights, log on to the computer running WSUS.
2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
3. In the WSUS Administration console, click Updates, and then click All Updates or the classification of updates you want to approve.
4. In the list of updates, right-click the update or updates you want to approve for installation, and then click Approve.
5. In the Approve Updates dialog box, click the arrow next to the group for which you want to approve the updates, and then click Approved for Install.
Note: You can also set an Automatic Approval rule for definition updates and FEP updates, which configures WSUS to approve for installation any definition updates or FEP updates it downloads.
To configure an automatic approval rule
1. In the WSUS Administration console, click Options, and then click Automatic Approvals.
2. Click New Rule.
Figure 3.44 New rule.
3. In the Add Rule dialog box, under Step 1: Select properties, select When an update is in a specific product.
4. Under Step 2: Edit the properties, click any product. Clear all selections except Forefront Endpoint Protection, and then click OK.
5. In the Step 3: Specify a name box, type a name such as Forefront Endpoint Protection Definition Updates, and then click OK.
6. In the Automatic Approvals dialog box, select the newly created rule, and then click Run rule.
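The script below is an added example, not from the evaluation guide: it performs the WSUS half of this exercise (products and classifications, synchronization, approval of pending FEP definitions, and the automatic approval rule) through the WSUS administration API instead of the console, so the configuration can be repeated on another server and reviewed. The product and classification titles and the target group name are assumptions; confirm them in your own WSUS console before running it.

```powershell
# Added example (not from the evaluation guide): the WSUS side of this exercise done
# through the WSUS administration API rather than the console. Run on the WSUS server
# (Denver in the lab) as a WSUS administrator. Product and classification titles and
# the target group name are assumptions; confirm them in your WSUS console first.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$sub  = $wsus.GetSubscription()

$productTitle = 'Forefront Endpoint Protection 2010'
$classTitles  = 'Definition Updates', 'Updates'
$targetGroup  = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'All Computers' }

# 1. Products and Classifications: add FEP 2010 and the two classifications to the
#    existing subscription instead of replacing whatever is already selected.
$cats = $sub.GetUpdateCategories()
foreach ($c in ($wsus.GetUpdateCategories() | Where-Object { $_.Title -eq $productTitle })) {
    if (-not ($cats | Where-Object { $_.Id -eq $c.Id })) { [void]$cats.Add($c) }
}
$cls = $sub.GetUpdateClassifications()
foreach ($c in ($wsus.GetUpdateClassifications() | Where-Object { $classTitles -contains $_.Title })) {
    if (-not ($cls | Where-Object { $_.Id -eq $c.Id })) { [void]$cls.Add($c) }
}
$sub.SetUpdateCategories($cats)
$sub.SetUpdateClassifications($cls)
$sub.Save()

# 2. Synchronize and wait until the server is idle again.
$sub.StartSynchronization()
do { Start-Sleep -Seconds 30 } while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

# 3. Approve every not-yet-approved FEP definition update for the target group.
$defClass = $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Definition Updates' }
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
[void]$scope.Classifications.Add($defClass)
foreach ($u in $wsus.GetUpdates($scope)) {
    if ($u.ProductTitles -contains $productTitle) {
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $targetGroup)
        "Approved: $($u.Title)"
    }
}

# 4. Automatic approval rule so later definitions do not wait for an administrator.
$ruleName = 'Forefront Endpoint Protection Definition Updates'
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }
$rc = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
$wsus.GetUpdateCategories() | Where-Object { $_.Title -eq $productTitle } | ForEach-Object { [void]$rc.Add($_) }
$cc = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$cc.Add($defClass)
$tg = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$tg.Add($targetGroup)
$rule.SetCategories($rc)
$rule.SetUpdateClassifications($cc)
$rule.SetComputerTargetGroups($tg)
$rule.Enabled = $true
$rule.Save()
$rule.ApplyRule()
"Automatic approval rule '$ruleName' saved and applied."
```

The rule is scoped to the Definition Updates classification only, so FEP client engine and platform updates still go through manual approval; definitions change several times a day and are low risk to auto-approve, whereas a client engine update deserves a pilot group first.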
Microsoft Update Definition Updates
Use the Microsoft Update definition update option to keep definitions on mobile clients up to date when they are not connected to the corporate network. It works like a normal Microsoft Update request: if configured, the FEP client queries Microsoft Update for new definitions at the frequency set in the FEP policy.
To configure clients to check Microsoft Update
1. When you create an FEP policy, on the Updates page, select Enable updates from Microsoft Update.
2. To add Microsoft Update as a definition update source to an existing policy, open the properties of the policy, click the Updates tab, and in the update source list select Updates from Microsoft Updates (MU).
File Share-Based Definition Updates
Forefront Endpoint Protection clients can be configured to check a file share for definition updates. The client computer accounts must have read access to the share in which you store the definition files, because scheduled checks run under the machine account. Domain users need read access as well: the logged-on user's account is used when a user starts a manual update. Read access is all that is required; do not grant write or change permission to the clients, since anyone who can write to the share can replace the definition packages that every endpoint installs.
Note: When you configure clients to check a file share for definition updates, by default the clients check the file share first, before WSUS or Microsoft Update. You can change this order.
To enable file share-based definition updates
1. Create a folder called File Share on Server 1 (Denver).
2. Right-click the folder and click Share with.
3. Add the users or groups that the clients run as, select Read access, and then click Share.
4. When you create an FEP policy, on the Updates page, select Enable updates from the following file share location, and then, in the text box, enter the Universal Naming Convention (UNC) path to the file share.
Note: FEP does not create the share or set permissions on it automatically.
Figure 3.47 UNC check box and path for the file share.
To enable file share-based definition updates in an existing policy
1. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. In the middle pane, right-click the policy you want to edit, and then click Properties.
3. Click the Updates tab, and then, in the list of update sources, select Updates from UNC file shares (specified below).
4. Under Specify, in order of preference, file shares, click Add, and then type the UNC path to the file share.
5. If necessary, click Add again to add additional UNC paths.
Note: You can change the order of the list of file shares by selecting a listed path and then, under the list, clicking Up or Down.
6. When finished, click OK.
To populate the file share
1. Download the required files from the following locations:
For x64: Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)
For x86: Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095)
Note: The network-based exploit definitions file is required only if you have selected Enable protection against network-based exploits on the Antimalware tab of an FEP policy.
2. Place the files for x64-based computers in a folder named x64 and the files for x86-based computers in a folder named x86, for example:
...\Updates\x86
...\Updates\x64
Figure 3.49 UNC check box and path.
3. Ensure that each folder contains the following files:
- Mpam-fe.exe
- Nis_full.exe
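The following script is an added example and is not part of the evaluation guide: it builds the definition share described in this section with read-only access for the client identities, and then checks that each architecture folder holds the two files the client expects, reporting their age and Authenticode status. The local folder, share name and group names are this example's assumptions.

```powershell
# Added example (not from the evaluation guide): create the UNC definition share with
# read-only access, then check that each architecture folder holds the files the FEP
# client expects. Folder, share name and group names are this example's assumptions.
# Run elevated on the file server (Denver in the lab).
# Why read-only matters: whoever can write to this share can hand every endpoint an
# arbitrary "definition" package, so only the account that publishes updates should
# have write access, and it should not be one of the client identities below.

$root      = 'C:\FepUpdates'                      # local folder backing the share (assumed)
$shareName = 'Updates'                            # clients will use \\<server>\Updates
$readers   = 'Domain Computers', 'Domain Users'   # machine accounts (scheduled) + users (manual)
$expected  = 'Mpam-fe.exe', 'Nis_full.exe'        # Nis_full.exe only matters with network exploit protection

foreach ($arch in 'x86', 'x64') {
    New-Item -ItemType Directory -Path (Join-Path $root $arch) -Force | Out-Null
}

# Share permission: READ for the reader groups and nothing else. net share is used
# because New-SmbShare does not exist on Windows Server 2008 R2. Start-Process passes
# the argument string verbatim, which keeps the quoted group names intact.
$alreadyShared = net share | Select-String -Pattern ('^\s*' + [regex]::Escape($shareName) + '\s')
if (-not $alreadyShared) {
    $grants = ($readers | ForEach-Object { '/GRANT:"' + $_ + '",READ' }) -join ' '
    Start-Process -FilePath net.exe -ArgumentList "share $shareName=$root $grants" -Wait -NoNewWindow
}

# NTFS permission: read and execute for the reader groups; existing inherited
# entries (Administrators, SYSTEM) are left in place.
$acl = Get-Acl -Path $root
foreach ($group in $readers) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:USERDOMAIN\$group", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $root -AclObject $acl

# Content check: report missing files, their age and Authenticode status, so a stale
# or tampered package is noticed before clients pull it.
foreach ($arch in 'x86', 'x64') {
    foreach ($file in $expected) {
        $path = Join-Path (Join-Path $root $arch) $file
        if (-not (Test-Path $path)) { Write-Warning "$arch\$file is missing"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        '{0}\{1}: modified {2:yyyy-MM-dd}, signature {3}' -f $arch, $file, (Get-Item $path).LastWriteTime, $sig.Status
    }
}
"UNC path to enter in the FEP policy: \\$env:COMPUTERNAME\$shareName"
```

Because the page notes that clients check the file share before WSUS or Microsoft Update by default, a share that falls behind silently keeps every client on old definitions; the modification date printed above is the quickest way to spot that. To trigger a pull from the share on one client for testing, the FEP client's command-line tool (MpCmdRun.exe, under the Microsoft Security Client folder; its location and the -SignatureUpdate -UNC switches are assumptions not taken from this page) can be run against the UNC path.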
Summary
This chapter has shown how you can deploy FEP to secure client machines. You can use Configuration Manager 2007 to centrally install and uninstall FEP clients, manage policies, and view the state of client protection. For more details refer to:
- Deploying Forefront Endpoint Protection 2010: step-by-step installation of Forefront Endpoint Protection 2010 through an easy, wizard-driven setup.
- Using Configuration Manager to Deploy FEP Clients: step-by-step process to distribute and advertise the software to an existing or new collection of endpoints.
- Overview of the Dashboard of System Center Configuration Manager 2007: the Dashboard summarizes the overall health status of clients and provides drill-down reports for particular computers.
- Policy creation for Forefront Endpoint Protection 2010: the configuration options of the FEP client that administrators manage, such as policy customization and assignment, Group Policy configuration, the scan schedule, the location and frequency of definition updates, and scan exclusions.
- Providing signature updates to endpoints: how administrators deliver the latest definitions to all endpoints centrally and so keep them protected against new threats.
In Chapter 3, you will learn how FEP comprehensively protects client machines by detecting and cleaning malware, providing reports and alerts, and offering different scanning methods that can be configured for client machines. For more details, refer to:
- Detecting and Cleaning Malware: step-by-step process of detecting and cleaning malware using Configuration Manager 2007.
- On-demand, Scheduled and Real-time Scanning: the scanning methods used by FEP, with the process of configuring each: real-time scanning, scheduled scanning, and on-demand scanning.
Forefront Endpoint Protection 2010 makes it easier to protect critical desktop, laptop, and server operating systems against viruses, spyware, rootkits, and other threats.
- Highly accurate and efficient threat detection: the FEP engine protects against the latest malware and rootkits with a low false-positive rate and helps keep employees productive with low-impact scanning.
- Detection of unknown threats: Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block previously unknown threats from attacking endpoints.
- Improved network-based protection: Forefront Endpoint Protection 2010 ensures Windows Firewall is active and working properly to protect against network-layer threats, and it lets you manage protection across the enterprise more easily.
(Figure: performance-oriented defaults; template-driven policy creation based on risk; workload-specific policies for servers.)
Forefront Endpoint Protection 2010 provides protection against these threats using the following techniques:
- Antimalware protection: the FEP client helps users stay secure and productive both at work and on the go with a lightweight, easy-to-use interface. Whenever possible, the FEP client resolves security issues automatically as they occur without disturbing users, so users can stay safe and continue with their work without contacting their desktop administrators.
- Protection against rootkits: rootkits are software that enables continued privileged access to a computer while hiding its presence from administrators. Forefront Endpoint Protection 2010 has features that provide efficient rootkit detection.
- Heuristics and emulation techniques: Dynamic Translation technology in FEP uses heuristics-based protection. Based on emulated behavior, it translates code that accesses real resources into code that accesses virtualized resources, which keeps the real resources in the system safe from malicious content.
- Behavior monitoring: live system behavior monitoring identifies new threats and tracks the behavior of unknown processes and of known good processes gone bad. Detections trigger a request to the Dynamic Signature Service, and if the item is recently identified malware the client receives an updated signature through the cloud without waiting for the regular signature update cycle.
- Network vulnerability shielding: Forefront Endpoint Protection 2010 protects against network-level exploits and intrusions by inspecting inbound and outbound network traffic. It balances protection with performance by enabling signatures only for vulnerabilities that are still unpatched on the machine.
In this scenario, you will evaluate the process of detecting and cleaning malware using FEP. This section provides step-by-step processes to detect malware, run the FEP software to clean up the malware, and generate reports of the malware operations.
Exercise                                            Illustrates
4. Detecting and cleaning malware impact scanning   Detecting and cleaning malware on the client computer
5. On-demand, scheduled, and real-time scanning     Protecting endpoints against malware in real time
Lab Environment
S.No.  Machine Name         Roles
1      Server 1 (Denver)    DC, CA, AD FS, AD RMS, FCI, WSUS
2      Server 2 (Fargo)     FEP Server and Configuration Manager
3      Client 1 (Chicago)   Forefront Client Security (FCS) Client
4      Client 2 (Cairo)     FEP
In this exercise, you will see an example of detecting and cleaning malware on a client machine. The following step-by-step instructions use the pre-configured virtual environment and are configured on the client machine called Cairo (Client 2 in the table above).
1. If you are using the virtual environment, directly open the folder where the EICAR test virus file is stored to run a malware and skip to step 4. If you are using your own environment, download the EICAR antimalware test file eicar.com.txt from the EICAR website (http://www.eicar.org/download/eicar.com.txt). Note: Forefront Endpoint Protection 2010 should block this file from being downloaded.
2. The Sample folder contains several copies of the EICAR test virus. This is not a real virus, but a sample file used for antimalware tests.
3. Place the file in the C:\Tools\Sample folder.
4. In the Sample folder, right-click eicar.com.txt, and then click Open. FEP real-time detection recognizes the EICAR test virus and blocks access to the file. Near the notification area, a popup appears that briefly informs the user about the blocked access to the file.
5. Click OK to acknowledge that Windows cannot access the file. Notice that the eicar.com.txt file is no longer in the folder; FEP has removed it.
6. Close the Sample folder.
7. In the Notification area, right-click the FEP icon, and then click Open.
8. In the FEP window, click the History tab. Note: It may take up to 10 minutes before the detected item appears in the list.
9.
10. On the FEP Server (In the pre-configured virtual environment, it is the server named Fargo), in the Configuration Manager console, under Computer Management, select Forefront Endpoint Protection.
11. In the middle pane, note that the Malware Activity Status section shows the number of detected and cleaned malware. Note: The detected malware from the client may not show up immediately. The status change depends on the Configuration Manager client state update setting.
12. In the Configuration Manager console, under Forefront Endpoint Protection, select Reports. The middle pane lists the three pre-defined reports.
13. In the middle pane, select Antimalware Activity Report.
14. Right-click the report, and then click Run.
Figure 4.8 Right-click the Antimalware Activity Report and then click Run.
Notice that FEP 2010 integrates with both Configuration Manager and SQL Server Reporting. The malware information may take some time to appear in the report. In the virtual environment, it will take 10-15 minutes for the latest information to populate. In general, it depends on the interval set for a client to upload state messages,
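To make the detection check in this exercise repeatable on your own test machines, the following PowerShell script writes the EICAR test file into the C:\Tools\Sample folder used above and reports whether FEP real-time protection removed it. This is an added example, not code from the evaluation guide or from Microsoft. The event log provider name ("Microsoft Antimalware") and event IDs (1116, 1117) it queries are assumptions to confirm in your lab; the EICAR string itself is the standard, harmless test string published at http://www.eicar.org.

```powershell
# Added example, not part of the evaluation guide: drop the EICAR test file into the
# lab folder used in Exercise 4 and verify that FEP real-time protection removes it.
# Assumptions (verify in your lab): the FEP client is installed; it logs detections to
# the System event log under provider "Microsoft Antimalware" with event ID 1116
# (malware detected) and 1117 (action taken). Run from an elevated PowerShell prompt.

param(
    [string]$SampleDir = 'C:\Tools\Sample',   # folder from Exercise 4, step 3
    [int]$TimeoutSeconds = 60
)

$testFile = Join-Path $SampleDir 'eicar.com.txt'

# Standard EICAR test string. It is not malware; every antimalware engine recognises
# it by design, which is what makes it a safe detection test.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

if (-not (Test-Path -Path $SampleDir)) {
    New-Item -ItemType Directory -Path $SampleDir | Out-Null
}
$start = Get-Date

# Write plain ASCII with no BOM and no trailing newline: the string must be byte-exact.
try {
    [System.IO.File]::WriteAllText($testFile, $eicar, [System.Text.Encoding]::ASCII)
} catch {
    # Real-time protection may refuse the write itself; that is also a successful block.
    Write-Host "Write was refused: $($_.Exception.Message)"
}

# Poll until the on-access scanner removes the file or the timeout expires.
$removed  = $false
$deadline = $start.AddSeconds($TimeoutSeconds)
while (-not $removed -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
    $removed = -not (Test-Path -Path $testFile)
}

# Collect the matching detection events so the evaluator can see what FEP reported.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'   # assumed provider name
    Id           = 1116, 1117                # assumed event IDs
    StartTime    = $start
} -ErrorAction SilentlyContinue

$result = New-Object PSObject -Property @{
    TestFile        = $testFile
    RemovedByFep    = $removed
    DetectionEvents = @($events).Count
}
$result | Format-List

if (-not $removed) {
    Write-Warning 'EICAR file is still present: check that real-time protection is enabled in the assigned FEP policy.'
}
```

The script only proves that on-access scanning is active on that client; the Configuration Manager report still lags by the state-message upload interval described above, so run the Antimalware Activity Report after that interval has elapsed.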
Exercise                        Illustrates
5.1. FEP real-time scanning     Real-time scanning on an FEP Client
5.2. FEP scheduled scanning     Scheduled scanning on an FEP Client
5.3. FEP on-demand scanning     On-demand scanning on an FEP Client
If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name         Roles
1      Server 1 (Denver)    DC, CA, AD FS, AD RMS, FCI, WSUS
2      Server 2 (Fargo)     FEP Server and Configuration Manager
3      Client 1 (Chicago)   Forefront Client Security (FCS) Client
4      Client 2 (Cairo)     FEP
Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning
Real-time scan: protects endpoints against malware in real time. This can help prevent infection by malware present in the files being accessed.
Real-time scanning: All FEP incidents on client machines are reported to the FEP server, which is used for reporting and for creating and distributing FEP policies throughout the network.
In this exercise, you will see an example of configuring and scheduling a scan on the client machine in real time. These step-by-step instructions use the pre-configured virtual environment, and the steps are configured on the client machine named Cairo (Client 2 in the table above).
1. In the FEP client, click the Start menu, and then click Computer.
Figure 5.1 Click Computer.
2.
3. On the K: disk, right-click Woodgrove Bank Trey Information.doc, and then click Open. Forefront Endpoint Protection 2010 blocks access to the document. Even though the client computer may be on the corporate network, behind the firewalls, malware-infected files can still enter the network on portable USB drives. However, FEP on the client machine detects and blocks the malicious content.
4. Click OK to close the Microsoft Word dialog box.
5. Close Microsoft Word.
Note: The steps to enable real-time scanning are shown in the Policy Creation section in the Evaluation Scenario: Single Infrastructure. These steps are completed in the FEP Configuration Manager console.
Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning
Scheduled scan enables an organization to:
Configure a scheduled scan: You can select the scan frequency from Weekly quick scan, Weekly full scan, Daily quick scan, Daily full scan, or Daily quick scan and Weekly full scan. You can also set the time and day for weekly scans.
Allow clients to schedule scan time: Select this option to allow end users to schedule scans on their client machines.
Scan only when the computer is idle.
Randomize scheduled scan start times (within 30 minutes of the scheduled time).
Force a scan upon reboot when two or more scheduled scans are missed.
Scan archived files.
Limit processor usage during scans: You can set the processor usage on the client machine for the scanning process.
In this exercise, you will configure and schedule a scan on a client machine.
Figure 5.6 Enable Scheduled scanning.
In the FEP Client, the steps to enable scheduled scanning are described in the Policy Creation section in the Evaluation Scenario: Single Infrastructure.
Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning
On-demand scan: enables an organization to perform three kinds of scanning:
Quick scan: checks the areas that malicious software (including viruses, spyware, and unwanted software) is most likely to infect.
Full scan: checks all the files on the hard disk and all running programs. The duration of the scan depends on the system.
Custom scan: checks only the locations and files that the user selects.
The scan can be performed either manually or by running the endpoint scan from the FEP management console. In this exercise, you will perform the three types of on-demand scans on a client machine.
1. Quick Scan
Manual steps
a. Double-click the FEP icon on the taskbar.
b. Under Scan options, click Quick.
c. Click Scan now to start scanning.
Running the Quick Scan from the FEP Management Console
a. Open the Configuration Manager console, expand Computer Management, and expand Collections.
b. Select All Systems.
c. Select the client machine Cairo.
d. Go to the Action pane, and under the client machine Cairo select FEP Operations.
e. Click Run Quick Scan.
2. Full Scan
Manual steps
a. Double-click the FEP icon on the taskbar.
b. Under Scan options, click Full.
c. Click Scan now to start scanning.
Running the Full Scan from the FEP Management Console
a. Open the Configuration Manager console, expand Computer Management, and expand Collections.
b. Select All Systems.
c. Select the client machine Cairo.
d. Go to the Action pane, and under the client machine Cairo select FEP Operations.
e. Click Run Full Scan.
3. Custom Scan
a. Double-click the FEP icon on the taskbar, and then click Custom Scan.
b.
c.
Summary
This chapter showed how FEP can provide comprehensive protection to client machines by detecting and cleaning malware, providing reports and alerts, and providing different types of configurable scanning methods. For more details, please refer to the following sections:
Detecting and Cleaning Malware: Step-by-step process of detecting and cleaning malware (impact scanning) using Configuration Manager 2007.
On-demand, Scheduled and Real-time Scanning: The scanning methods used by FEP
In Chapter 4, you will learn how FEP provides simplified management by using predefined reports and customized alerts. For more details, please refer to the following sections:
FEP Reports: Predefined reports with information on client deployment, health, and malware detection.
FEP Alerts: Receive email notifications when FEP detects security incidents and generates alerts.
Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 and provides a single interface for you to manage and secure endpoints, which helps reduce complexity and improve troubleshooting and reporting insights. It provides a central location for you to create and apply all endpoint-related policies. With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers. Forefront Endpoint Protection 2010 provides simplified access to the information and tools you need to keep your enterprise secure and running.
No separate console: Configuration Manager provides a single interface to manage and secure endpoints, which helps to reduce complexity and improve troubleshooting and reporting insights. This approach also helps to reduce the training necessary for client administration.
Improved endpoint visibility: With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers.
Exercise          Illustrates
6. FEP reports    Reports on client deployment, health, and malware detection
7. FEP alerts     Notification when security threats are detected
If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name         Roles
1      Server 1 (Denver)    DC, CA, AD FS, AD RMS, FCI, WSUS
2      Server 2 (Fargo)     FEP Server and Configuration Manager
3      Client 1 (Chicago)   Forefront Client Security (FCS) Client
4      Client 2 (Cairo)     FEP
Antimalware Activity Report: This report displays a dashboard summarizing the overall antimalware status.
Security Alerts: Displays a summary of raised FEP alerts.
Security Status: Displays a summary of client machines by FEP client status.
Antimalware Activity: Displays a dashboard of information about all detected malware.
Malware Activity: Displays lists of the top malware infections by severity and frequency.
Antimalware Protection Summary Report: This report provides an overview of antimalware deployment and health.
Antimalware Deployment and Health: Displays a dashboard of antimalware information.
Security Status: Displays a summary of client machines by FEP client status.
Malware Details Report: This report displays further details about specific malware.
Malware Details: Displays details about the detected malware.
Antimalware Activity: Displays a dashboard of information about the detected malware.
Infected Computers: Displays a list of client machines that the detected malware has infected.
Computer List Report: This report displays a list of computers.
Computer List: When you run this report from the Reports node, it displays a list of computers on which the FEP client is deployed. When you run this report by drilling down, it displays a filtered list of computers according to the clicked link.
Figure 6.4 Computer List report.
Computer Details Report: This report displays further details about the specified computer.
Computer Details: Displays details about the specified computer.
Protection Status: Displays information about the status of the FEP client features.
Malware Activity: Displays a summary of malware information followed by a list of malware that has been detected on the specified computer.
Policy Deployment Report: This Web report displays the breakdown of FEP 2010 client distribution states per collection. Click the FEP Dashboard and scroll to the Links and Resources section. Under Web Reports, click Deployment Overview.
Exercise 7.1: Sending a Malware Outbreak alert 1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.
2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts.
5. Select Enable alerts for malware outbreaks, and then specify the criteria for malware outbreak alerts, such as Malware detected on number of computers and Malware detection interval (in minutes). Add the addresses of the recipients to whom alerts should be sent.
6.
Exercise 7.2: Sending a Malware Detection alert 1. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts. In the middle pane, select Malware Detection alert.
Figure 7.6 Enable Alerts for Malware Outbreaks.
3. Select Enable alerts for malware detection, and then click Browse to select the parent collection you want to monitor.
4. In the Browse Collection dialog box, click All Systems, and then click OK.
5. Set the Alert detection level to Medium, and then add the addresses of the recipients to whom alerts should be sent.
6. Click Apply and then click OK.
Exercise 7.3: Sending a Repeated Malware Detection alert 1. Under Computer Management, expand Forefront Endpoint Protection, click Alerts, and then click Repeated Malware Detection Alert.
2. Click Browse.
Figure 7.14 Properties dialog box for Repeated Malware Detection Alert.
3. In the Browse Collection dialog box, click All Systems, and then click OK.
4. Select Add recipients Email ID. Click Apply and then click OK. Note: In order to send the email alerts, the SMTP settings need to be defined.
5. To define the SMTP settings, in the Actions pane, click Email Settings.
6. Enter the SMTP Server and Email address, and then click OK.
Exercise 7.4: Sending a Multiple Malware Detection alert 1. Under Computer Management, expand Forefront Endpoint Protection, expand Alerts, and then select Multiple Malware Detection Alert.
2. In the Action pane on the right side, click New Multiple Malware Detection Alert.
3. Click Browse.
Figure 7.20 Properties Dialog box for Multiple Malware Detection Alert.
4. In the Browse Collection dialog box, select All Systems, and then click OK.
5. Select Add recipients Email ID. Click Apply and then click OK. Note: In order to send the email alerts, the SMTP settings need to be defined.
6. To define the SMTP settings, in the Actions pane, click Email Settings.
7. Enter the SMTP Server and Email address, and then click OK.
Exercise 7.5: Setting the alert level 1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.
2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Policies.
3. Double-click Default FEP policy to open the Default FEP Policy Properties dialog box.
4. Click the Antimalware tab.
5. In the list on the left, select Threat Handling.
Figure 7.27 Property Dialog Box > Antimalware > Threat Handling.
Forefront Endpoint Protection 2010 responds to potential threats and classifies them at different alert levels:
Low Level: These programs collect personal information or change settings but do not damage the system, and they operate within the licensing terms displayed when the software is installed.
Medium Level: These programs collect personal information or change settings but do not damage the system.
High Level: These programs collect personal information, change settings without the user's consent or knowledge, or damage the system.
Severe Level: These are exceptionally malicious programs that threaten the privacy and security of the client machine and can damage the system.
For each of the alert levels, you can choose to take action as follows:
Allow: This action allows the detected item and also adds it to the Allowed Items list.
Quarantine: This action moves the detected item to the quarantine area and enables the user to either restore or permanently delete the item.
Remove: This action permanently deletes the detected item.
Recommended Action: These actions are recommended by Microsoft Security Essentials based on the severity level:
Figure 7.28 Action types for each Alert Level.
o Severe and High: Remove the detected programs immediately.
o Medium: Consider removing the detected item if it is from an untrusted publisher.
o Low: Consider quarantining the detected item if it is from an untrusted publisher.
Summary
This chapter described how FEP provides simplified management through predefined reports and customized alerts and how it provides the necessary tools to keep the enterprise secure and running. For more details, please refer to the following sections:
FEP Reports: Predefined reports with information on client deployment, health, and malware detection.
FEP Alerts: Allow administrators to receive email notifications when FEP detects security incidents and generates alerts.
NOTE: This appendix will help you install FEP. Because this guide has been prepared for the purpose of the following labs, instructions in this section may not be suitable for production environments. Please refer to the respective product manuals for information about the setup for production environments.
Hardware Requirements
For this evaluation, you can use either a Hyper-V based FEP virtual environment (called the Business Ready Security Demo Environment) or FEP evaluation software that you can deploy in your own test/production environment. NOTE: For a list of compatible systems and peripherals required for Windows Server 2008 R2, visit http://www.microsoft.com/whdc/hcl/default.mspx
Additional Requirements
o No earlier versions of Forefront Endpoint Protection Server installed
o No installations of other antimalware protection
o Microsoft Windows Installer version 3.1 or later
o Microsoft .NET Framework 3.5 Service Pack 1
o SQL Server 2005 SP2 or 2008 Enterprise, including:
  Analysis Services
  Integration Services
  Reporting Services
  SQL Server Agent
Configuration Manager 2007 Service Pack 2 Release 2 site installed with default roles, configured to use SQL Server Reporting Services, and the following installed and configured:
o Hardware Inventory
o Software Distribution
o Desired Configuration Management
o Management Class Hotfix Package
Memory
o Windows XP: 256 MB RAM or higher
o Windows Vista or Windows 7: 1 GB RAM or higher
Operating System
o Windows XP SP3 and later x64
o Windows Vista RTM and later, x64 and x86
o Windows 7 RTM x64, x86
o Windows 7 XP mode
o Windows Server 2003 SP2 and later, x64 and x86
o Windows Server 2008 RTM and later, x64 and x86 (not Server Core)
Additional Requirements
o Configuration Manager agent
o Windows Installer 3.1
o Filter manager rollup (KB914882)
o WFP rollup package (KB981889). Redistributed by client
o Windows Update
Exercise 8: Deploying SQL Server
Forefront Endpoint Protection 2010 requires SQL Server 2005 SP2 or 2008 Enterprise with Analysis Services, Integration Services, Reporting Services, and SQL Server Agent running. The SQL Server should be part of the domain.
1. Run the System Configuration Checker to detect whether SQL Server 2008 R2 is installed on your machine. If it detects SQL Server 2008 on the machine, it shows a message about the automatic upgrade to SQL Server 2008 R2; otherwise, setup begins with step 2.
2. To use the database, analysis, and reporting services for FEP, select the following SQL Server components:
Figure 8.2 Services Selection.
Database Engine Services
Analysis Services
Reporting Services
Integration Services
SQL Server Agent
You need to specify a Default instance or a Named instance to use or run the FEP analysis and reporting services and to activate the databases. MSSQLSERVER is the default instance name and Instance ID.
3. Microsoft recommends separate accounts for the respective FEP services. This page shows the Service Account tab, which indicates the service account details for the SQL Server services and allows you to specify the startup type for each of the services (for example, Automatic, Manual, or Disabled).
4. The Database Engine Configuration page enables you to maintain and generate FEP reports and to enable secure access to those reports. Use the Account Provisioning tab to specify the Authentication Mode and administrators for the database engine:
Authentication Mode: SQL Server supports two authentication modes, Windows authentication mode and Mixed Mode.
Specify SQL Server administrators: You must specify at least one system administrator for each instance of SQL Server.
The Data Directories tab enables you to specify non-default installation directories, and in the FILESTREAM tab you can enable FILESTREAM for instances of SQL Server.
5. On the Analysis Services Configuration page, the Account Provisioning tab enables administrators to specify users with administrative privileges to allow access to Analysis Services.
6. On the Reporting Services Configuration page, you can select the type of Reporting Services you wish to install. Options include:
Install the native mode default configuration
Install the SharePoint integrated mode default configuration
Install, but do not configure the report server
7. On the Ready to Install page, you can see a tree view of the installation options specified during Setup.
After you complete the installation of SQL Server 2008, the installer will provide a link to the summary log file for the installation and other important notes.
Before you install Configuration Manager 2007 R2, make sure you fulfill the following prerequisites:
Extend the Active Directory schema.
Create a Configuration Manager 2007 R2 System Management container in Active Directory.
Install the Microsoft Remote Differential Compression feature.
Install WebDAV and configure it in IIS.
Install the BITS Server Extensions feature.
Install WSUS Server 3.0 SP1.
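Before running Configuration Manager Setup it is worth checking these prerequisites from a script rather than by eye. The following PowerShell function is an added example, not code from the evaluation guide or from Microsoft; it assumes it runs elevated on the intended Windows Server 2008 R2 site server, joined to the domain, and that the Active Directory object names it looks for (the MS-SMS-Site schema class and the System Management container) and the WsusService service name are the standard ones, which you should confirm against the product documentation for your version.

```powershell
# Added example, not part of the evaluation guide: check the Configuration Manager 2007 R2
# prerequisites listed above before running Setup.
# Assumptions: run elevated on the intended site server (Windows Server 2008 R2) joined to
# the domain; the AD object names and the WSUS service name below are the standard ones
# (verify against the product documentation for your version).

Import-Module ServerManager   # provides Get-WindowsFeature on Windows Server 2008 R2

function Test-ConfigMgrPrerequisites {
    $results = @()

    # 1. Active Directory schema extension: ConfigMgr adds classes such as MS-SMS-Site.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $schemaNC  = $rootDse.schemaNamingContext
    $defaultNC = $rootDse.defaultNamingContext
    $results += New-Object PSObject -Property @{
        Check  = 'AD schema extended (MS-SMS-Site class present)'
        Passed = [ADSI]::Exists("LDAP://CN=MS-SMS-Site,$schemaNC")
    }

    # 2. System Management container under CN=System in the domain partition.
    $results += New-Object PSObject -Property @{
        Check  = 'System Management container exists'
        Passed = [ADSI]::Exists("LDAP://CN=System Management,CN=System,$defaultNC")
    }

    # 3. Windows features: Remote Differential Compression, WebDAV, BITS Server Extensions.
    $features = @{
        'RDC'                = 'Remote Differential Compression'
        'Web-DAV-Publishing' = 'WebDAV Publishing (IIS)'
        'BITS-IIS-Ext'       = 'BITS Server Extensions'
    }
    foreach ($name in $features.Keys) {
        $f = Get-WindowsFeature -Name $name
        $results += New-Object PSObject -Property @{
            Check  = $features[$name]
            Passed = ($f -ne $null -and $f.Installed)
        }
    }

    # 4. WSUS 3.0 SP1 or later: detect the WSUS service registration (assumed name).
    $wsus = Get-Service -Name WsusService -ErrorAction SilentlyContinue
    $results += New-Object PSObject -Property @{
        Check  = 'WSUS service installed'
        Passed = ($wsus -ne $null)
    }

    return $results
}

$checks = Test-ConfigMgrPrerequisites
$checks | Format-Table Check, Passed -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites are missing; complete them before running Configuration Manager Setup.'
}
```

The schema check only tells you that the extension has been applied; whether the site server's computer account has Full Control on the System Management container (which it needs to publish site information) is a permissions check you still have to make separately.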
During the Configuration Manager installation, when you configure the client agent option, select the following options:
Software inventory: Discovers the software installed on the system.
Hardware inventory: Scans and reports the hardware configuration of the specific machine. The collected reports or data are controlled by Managed Object Format (MOF). Defined classes are added to WMI, which reports back to the site server.
Desired configuration management: Defines the schedule on which the system scans for compliance based on DCM rules.
System Center Client Deployment: Configures the client settings, including the account that is used to connect to the software distribution location and the notification settings.
FOREFRONT ENDPOINT PROTECTION SECURITY MANAGEMENT PACK: ENABLING REAL-TIME MONITORING WITH SYSTEM CENTER OPERATIONS MANAGER 2007 R2
High-value assets (typically servers) that require a greater degree of monitoring can report their events to an Operations Manager infrastructure. Forefront Endpoint Protection 2010 includes the FEP Security Management Pack, which is a standard management pack that you can import to Operations Manager 2007 R2. The FEP Security Management Pack serves two goals. First, organizations that use Operations Manager 2007 R2 to monitor servers can now use their preferred tool to monitor security, too. Second, for organizations that require guaranteed real-time monitoring for their critical systems (like servers) the management pack uses Operations Manager 2007 R2 capabilities to ensure real-time reporting on FEP. In addition to real-time monitoring and alerting, the FEP Security Management Pack can use SQL Reporting or Microsoft Excel to connect to the Operations Manager 2007 R2 database to generate custom reports.
The Operations Manager 2007 R2 console provides access to real-time data generated by FEP clients with Operations Manager 2007 R2 agents installed. This data includes a state view of the various FEP client components (antimalware engine, antimalware activity, definitions, last scan time, firewall state, and others), a list of active alerts, and a list of all FEP-related events that the servers have sent. The FEP Security Management Pack for Operations Manager 2007 R2 provides a server-centric view under Operations Manager with the following features:
Server security and availability tasks
Predefined reporting views that can be used to generate custom reports using Excel (an Excel sample spreadsheet with various examples of possible reports is available in the download center)
Real-time monitoring and alerting for critical systems
In this scenario, you will import the FEP Management Pack into an Operations Manager 2007 R2 Management Group. You can then monitor all the servers assigned to that Management Group that have the FEP client installed.
If you are evaluating FEP with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name        Roles
1      Server 1 (Denver)   DC, CA, AD FS, AD RMS, FCI
2      Server 2 (Madrid)   Exchange 2010
3      Server 3 (Oxford)   FEP Security Management Pack, Operations Manager
The following step-by-step instructions use the pre-configured virtual environment and the steps are configured on the FEP server machine called Madrid (Server 2 in the table above). The FEP Security Management Pack and Operations Manager Console are configured on the server machine called Oxford (Server 3 in the table above). You can also download the evaluation version of FEP Security Management Pack software to evaluate it with System Center Operations Manager in your test environment.
Exercise                                   Illustrates
9. Enabling real-time monitoring with FEP  Step-by-step guide to import the FEP Security Management Pack, create an override to allow discovery of Windows clients, and use the Operations Manager console to monitor FEP.
10. Generating alerts and notifications    Step-by-step guide to generate alerts and create an incident in the Operations Manager console.
11. Performing task remediation            Step-by-step guide for remediation tasks targeted at computers by Operations Manager operators and delivered to them for execution.
Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010
This section explains the steps required to import the FEP Security Management Pack. The following steps need to be completed if you are using the evaluation version of the FEP Security Management Pack. If you are evaluating the FEP Security Management Pack using the pre-configured virtual environment, please skip to Exercise 10 (the FEP Security Management Pack is already installed in the pre-configured virtual environment). To import management pack files into Operations Manager, you must first extract the files from the fep2010 security mp.msi package. You are not required to extract the package locally on the Operations Manager server; however, you must be able to access the files from the Operations Manager console in order to import them. Download and expand the Forefront Endpoint Protection Security Management Pack from the Forefront Endpoint Protection download page (http://go.microsoft.com/fwlink/?LinkID=196678).
To extract Management Pack files
1. Double-click fep2010 security mp.msi. Note: No Management Pack files are installed or imported to Operations Manager during this procedure. The wizard only extracts files.
2. Read and accept the license agreement, and then click Next.
3. On the Select Installation Folder page, specify the folder to which you want to extract the management pack files, and then click Next.
4. On the Confirm Installation page, click Install to extract the package to the specified location.
5. On the Installation Complete page, click Close. Navigate to the file location specified earlier and verify that the following files are present:
Microsoft.FEPS.Application.mp
Microsoft.FEPS.Library.mp
Microsoft.FEPS.Reports.mp
To import the FEP Security Management Pack
1. Log on to the server running System Center Operations Manager 2007 by using an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.
2. In the Operations Console, click the Administration button.
3. Right-click the Management Packs node, and then click Import Management Pack(s) to open the Import Management Packs dialog box.
4. In the Import Management Packs dialog box, click Add, and then click Add from disk.
5. In the Online Catalog Connection dialog box, select No.
6. In the Select Management Packs to import dialog box, browse to C:\Program Files (x86)\System Center Management Packs\FEP 2010 for Servers OpsMgr 2007 R2 MP, press CTRL+A to select the three .mp files, and then click Open.
7. On the Select Management Packs page, the management packs that you selected for import are listed. Next to each management pack a green check mark icon should appear, indicating that the management pack is ready to import.
Figure 9.5 Add Management pack.
8. Click Install to import the selected management packs.
9. After installation, click Close to close the Import Management Packs window.
10. In the Management Packs node, press F5 to refresh the list of management packs installed to Operations Manager. Then, in the Look for text box, type Protection, and then click Find Now. The two management packs you imported should appear in the view.
Evaluation Guide
Page 84
To create an override to allow discovery of Windows clients
The Operations Manager Discovery that discovers the FEP client installed on Windows Client machines is disabled. In order to allow Operations Manager to monitor FEP on Windows clients, you need to configure an override.
1. In the lower-left corner, select the Authoring node.
2. Expand Management Pack Objects and select Object Discoveries.
3. In the top-right corner, click Change Scope.
Figure 9.7 Change Scope.
4. Select View all targets.
5. In the Look for box, type Forefront.
6. Click Clear All to clear the default objects and then click Select All to select all the Forefront objects.
7. Click OK.
8.
9. Click the Override button and select For all objects of class: Windows Client.
10. In the top Override box, change the Override Value to True. Click OK and Close.
Exercise 10: Generating alerts and notifications

To generate alerts for the monitors, you first need to create an incident so Operations Manager can identify the issue and generate alerts. In this procedure, you will create an incident by stopping the FEP service.

To stop the FEP service on a server
Perform the following step on the Server 2 (Madrid) computer:
Open Task Manager, go to the Services tab, right-click Microsoft Antimalware Service, and then click Stop.
To monitor the FEP service stopping on a server and then restart it
1. Select Protected Server State and click Refresh until the state changes. This should take less than 1 minute, and the Antimalware Engine and Antimalware Definitions components should change to Critical.
2. Select the Active Alerts view. Three alerts are raised in response to this condition.
3. Select the domain controller, and in the Action pane, click Health Explorer. As before, you can review information about the monitors that raised these alerts.
4.
5. Select the State Change Events tab to see when the computer entered this state.
6. Near the bottom of the window is a recovery task called Enable real-time protection. Click the link to run it and then click Yes.
7. Close the Health Explorer window and return to the Protected Server State view.
8. Click Refresh a few times until the state changes to Healthy.
9. Return to the Active Alerts view. The alerts are automatically set to Closed after the monitors change state, and they are removed from the Active Alerts view.
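The same two conditions that Exercise 10 drives to Critical (the Microsoft Antimalware Service stopped, real-time protection off) can be checked from a script on the endpoint itself, which is useful for confirming what the Operations Manager console shows. The following PowerShell is an added example and is not part of the evaluation guide or the FEP product; it assumes the service display name shown in Task Manager ("Microsoft Antimalware Service") and that the FEP client exposes the WMI class AntimalwareHealthStatus in the root\Microsoft\SecurityClient namespace with RtpEnabled and AntivirusSignatureVersion properties.

```powershell
# Added example, not from the evaluation guide. Assumptions: service display name
# "Microsoft Antimalware Service" (as shown in Task Manager in Exercise 10) and the
# FEP client WMI class root\Microsoft\SecurityClient:AntimalwareHealthStatus.
function Get-FepHealth {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $svc = Get-Service -ComputerName $ComputerName -DisplayName 'Microsoft Antimalware Service' `
           -ErrorAction SilentlyContinue
    $state = [ordered]@{
        Computer         = $ComputerName
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        RtpEnabled       = $null
        SignatureVersion = $null
    }
    try {
        # Assumed WMI class; when the service is stopped this call typically fails,
        # so the catch leaves RtpEnabled as $null and the host is reported unhealthy.
        $h = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\Microsoft\SecurityClient' `
             -Class AntimalwareHealthStatus -ErrorAction Stop
        $state.RtpEnabled       = [bool]$h.RtpEnabled
        $state.SignatureVersion = [string]$h.AntivirusSignatureVersion
    } catch {
        Write-Verbose "AntimalwareHealthStatus not readable on $ComputerName: $_"
    }
    # Healthy mirrors the Operations Manager state: service running AND real-time protection on
    $state.Healthy = ($state.ServiceStatus -eq 'Running') -and ($state.RtpEnabled -eq $true)
    [pscustomobject]$state
}

# Equivalent of the "Enable real-time protection" recovery task for the stopped-service case:
# start the service if it is stopped, then re-check so the caller sees the post-recovery state.
function Repair-FepService {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $h = Get-FepHealth -ComputerName $ComputerName
    if ($h.ServiceStatus -eq 'Stopped') {
        Get-Service -ComputerName $ComputerName -DisplayName 'Microsoft Antimalware Service' | Start-Service
        Start-Sleep -Seconds 5
        $h = Get-FepHealth -ComputerName $ComputerName
    }
    $h
}

# Usage: after stopping the service on Server 2 (Madrid) as in Exercise 10, run this there.
Get-FepHealth | Format-List
```

Run Get-FepHealth while the service is stopped to see ServiceStatus reported as Stopped and Healthy as False; Repair-FepService then returns the state after the service has been started again.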
Exercise 11: Performing task remediation

Tasks are targeted at computers by Operations Manager operators and delivered to them for execution. In this exercise, you will use a task to retrieve FEP information and update definitions on the domain controller. You will also investigate the FEP reports and extract more details.

To use a task to retrieve FEP information from a Windows Server
1. Select Protected Server State.
2. Select the Server 2 (Madrid) computer and in the Action pane under Protected Server Tasks, click Retrieve Endpoint Settings.
Figure 11.1 Retrieve Endpoint settings.
3. Accept the defaults and click Run, and then click Close.
4. Select Task Status and click Refresh until the task status changes from Queued to Success.
5. Select the completed task and scroll down to see detailed information about the client. Examine the list of other tasks, such as Run a full / quick scan, Stop a scan, Update definition files, and others.
Figure 11.2 Task Status.

To use a task to update definitions on the domain controller
1. Select Protected Server State.
2. Select the domain controller and in the Action pane under Protected Server Tasks, click Update Antimalware Definitions.
3. Accept the defaults and click Run, and then click Close.
4. Select Task Status and click Refresh until the task status changes from Queued to Success. This may take a minute or so.

To investigate FEP Reports
1. Select Protected Server State.
2. Select the domain controller and in the Action pane under Protected Server Reports, click Event Analysis.
3. Select Yesterday in the From box and then click Run (Figure 11.5).
4. Expand the Protected Server object to see the events related to that server. You can also filter by event type, category, ID or source. Close the report.
5. Click Alerts.
6. In the From box, select Yesterday and then click Run. Expand Antimalware Engine Malfunction to see more details.
RESOURCES

Forefront Endpoint Protection 2010 Overview: http://www.microsoft.com/fep
System Center Configuration Manager Overview: http://www.microsoft.com/systemcenter/en/us/default.aspx
Forefront Endpoint Protection 2010 Datasheet: http://download.microsoft.com/download/E/8/1/E81B0B04-5A97-4C0C-8E157464EBCAAE7C/FEP_ds_FINAL%20110810.pdf
Forefront Endpoint Protection 2010 Evaluation Download: http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx
Forefront Endpoint Protection 2010 System Requirements: http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-systemrequirements.aspx
Forefront Endpoint Protection 2010 Hyper-V enabled Virtual Machine Environment for Evaluation: http://go.microsoft.com/fwlink/?LinkId=190269
Forefront Endpoint Protection 2010 Deployment Guide: http://technet.microsoft.com/en-us/library/ff823762.aspx
Forefront Endpoint Protection 2010 Technical Library: http://technet.microsoft.com/en-us/library/ff684073.aspx
Forefront Endpoint Protection 2010 FAQ: http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-faq.aspx
Forums: http://social.technet.microsoft.com/Forums/en-US/FCSNext/threads