This presentation discusses some topics about the Forefront Endpoint Protection 2012 beta version, and my experience in deploying it.
This presentation was given at MCT Summit San Francisco.
MCT Summit NA: What's new in Forefront Endpoint Protection 2012 beta
1. What’s new in Forefront Endpoint Protection 2012
According to beta material
Peter De Tender
October 19–21, 2011
2. About the speaker
• Managing Partner ICTinus (Belgian IT Company)
• +15 years IT Pro on Microsoft technologies
• Focus on Exchange & Forefront
• MCT for 3 years
• Country Lead MCT Europe Belgian Chapter
• Email: Peter.detender@ictinus.be
• Blogs: http://the-c-spot.org + http://trycatch.be/blogs/pdtit
• LinkedIn: http://be.linkedin.com/in/pdtit
• Twitter: http://twitter.com/pdtit
OCT
19-21
3. Agenda
• About FEP
• Server installation walkthrough
• Client management & deployment
• Update mechanism
• Reporting
• Q&A
4. Agenda
• About FEP
• Server installation walkthrough
• Client management & deployment
• Update mechanism
• Reporting
• Q&A
5. Business Needs and IT Challenges
Business Needs
• Stop known and unknown threats
• Easily secure endpoints, maintain productivity
• Reduce cost of client protection
IT Challenges
• Constantly evolving threats
• Increased complexity with separate workloads for endpoint protection and desktop management
• High cost to maintain separate infrastructure
BUSINESS Needs – Agility and Flexibility
IT Needs – Control
6. Convergence of Desktop Security & Management
Security + Management
IMPROVED PROTECTION
• Security personnel have access to desktop configuration data
• Health status and protection status in a single interface, with consolidated reporting
• Incident response (identify / update / remediate) is more targeted
LOWER COSTS
• One server infrastructure to maintain
• A single mechanism to deploy software updates to clients
• Central policy implementation for security and management
• One set of training for administrators
• A single license to purchase (*CAL)
7. Forefront Endpoint Protection 2012
Ease of Deployment
• Built on distribution infrastructure of Microsoft® System Center Configuration Manager
• Supports all System Center Configuration Manager topologies and enables enterprise-wide scalability
• Facilitates easy migration
• Able to deploy across various operating systems (including Microsoft Windows® client and Microsoft Windows Server®)
Enhanced Protection and Productivity
• Protection against viruses, spyware, rootkits, and network software vulnerabilities
• Productivity-oriented default configuration
• Integrated management of host firewall
• Backed by Microsoft Malware Protection Center
Simplified Desktop Management
• Unified management interface for desktop administrators
• Timely and effective alerts
• Simple, operation-oriented policy administration
• Historical reporting for security administrators
8. Forefront Protection Stack: Overview
Protection stack (layers)
• Firewall & Configuration Management
• Antimalware
• Generics and Heuristics
• Dynamic Signature Service
• Behavior Monitoring
• Browser Protection
• Network Vulnerability Shielding
• Anti-rootkit
• Malware Response “MMPC”
Focus
• Reduce time and cost to protect
• Increase cost to attack, decrease exploit window
• Operationalize new protection technologies
Operationalizing protection
• Balancing protection vs. performance
• Remediation and threat management improvements
• Simplifying deployment
9. New / Updated features of FEP 2012
• Easier to deploy client
• Building on top of SCCM 2012 architecture
– Scalability / high availability / ...
• Network-friendly definition deployment
• Simpler to setup and operate
• Email subscriptions for alerting
• Built-in security admin role (RBAC)
10. New / Updated Licensing model
• Previous versions:
– Part of Forefront Protection Suite CAL
– Separate FEP 2007/2010 CAL
– Part of E-CAL in EA
• Present version:
– Part of Core-CAL in EA
– (+ older possibilities still apply)
11. Agenda
• About FEP
• Server installation walkthrough
• Client management & deployment
• Update mechanism
• Reporting
• Q&A
18. Protect Clients without Complexity
• Simple interface
– Minimal, high-level user interactions
– Only necessary interactions
• Administration options
– User configurability controls
– Central policy enforcement
• Maintain high productivity
– CPU throttling during scans
– Faster scans through advanced caching
19. FEP UI – Home Tab
• Clear status information
20. FEP UI – Home Tab
• Scan details
• Scan options
• Custom scan
• Initiate scan
24. FEP UI – History Tab
• Displays all malware detections and actions
• Delete history
• Display quarantined
• Display allowed
25. FEP UI – Settings Tab
• Settings can be centrally managed, or delegated to users
26. Agenda
• About FEP
• Server installation walkthrough
• Client management & deployment
• Update mechanism
• Reporting & alerting
• Q&A
27. Update Mechanism
• +/- 8h update polling to Microsoft MU/WU from server – 15 min polling from client to server
• Policy based, not package based as in FEP 2010
• Relying on WSUS integration (= server role)
• Update engine based on feedback from MMPC and SpyNet
28. Agenda
• About FEP
• Server installation walkthrough
• Client management & deployment
• Update mechanism
• Reporting & alerting
• Q&A
29. Reporting & Alerting
• Built on SQL Reporting Services
• It’s all in the “monitoring” space
• Alerts - by mail:
– Malware Detection
– Malware Outbreak
– Repeated Malware Detection
– Multiple Detections have
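The three alert types named on this slide can be reproduced as simple rules over the detection events the clients report to the server. The following Python script is an added example, not FEP code: the record format, the outbreak and repeat thresholds and the 24-hour windows are assumptions, and the threat names in the sample records are constructed rather than real MMPC family names. The slide's fourth alert bullet is cut off, so it is not modelled.

```python
"""Toy model of FEP-style mail alert rules, evaluated over constructed detection records.

Added example; not FEP code. Record format, thresholds and windows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Detection:
    when: datetime
    computer: str
    threat: str
    action: str  # what the client did, e.g. Quarantined / Removed


# Assumed thresholds (not stated on the slides): tune per environment.
OUTBREAK_MIN_COMPUTERS = 3             # same threat on >= 3 distinct computers ...
OUTBREAK_WINDOW = timedelta(hours=24)  # ... within 24 hours
REPEAT_MIN_COUNT = 3                   # same threat on one computer >= 3 times ...
REPEAT_WINDOW = timedelta(hours=24)    # ... within 24 hours

# Constructed sample records: ISO timestamp|computer|threat name|client action.
# Threat names are made up and do not correspond to real MMPC families.
SAMPLE_LINES = """
2011-10-19T08:00:00|WS-001|Trojan:Win32/Sample.A|Quarantined
2011-10-19T08:05:00|WS-002|Trojan:Win32/Sample.A|Quarantined
2011-10-19T09:30:00|WS-003|Trojan:Win32/Sample.A|Removed
2011-10-19T10:00:00|WS-007|Worm:Win32/Demo.B|Quarantined
2011-10-19T11:00:00|WS-007|Worm:Win32/Demo.B|Quarantined
2011-10-19T12:00:00|WS-007|Worm:Win32/Demo.B|Quarantined
2011-10-21T08:00:00|WS-009|Trojan:Win32/Sample.A|Removed
""".strip().splitlines()


def parse_line(line: str) -> Detection:
    """Parse one 'timestamp|computer|threat|action' record."""
    ts, computer, threat, action = line.strip().split("|")
    return Detection(datetime.fromisoformat(ts), computer, threat, action)


def _window_hit(events, window, key, minimum):
    """True if some window of length `window`, started at one of the events, contains
    at least `minimum` distinct key() values. Sliding per event avoids the bucket-edge
    blind spot a fixed hourly or daily bucket would have."""
    events = sorted(events, key=lambda e: e.when)
    for i, start in enumerate(events):
        seen = {key(e) for e in events[i:] if e.when - start.when <= window}
        if len(seen) >= minimum:
            return True
    return False


def evaluate_alerts(events):
    """Return (rule, subject, detail) tuples for the three alert types named on the slide."""
    alerts = []
    # Malware Detection: one alert per detection event.
    for e in sorted(events, key=lambda d: d.when):
        alerts.append(("Malware Detection", e.computer, f"{e.threat} ({e.action})"))
    # Malware Outbreak: the same threat on many distinct computers inside the window.
    by_threat = defaultdict(list)
    for e in events:
        by_threat[e.threat].append(e)
    for threat, evs in by_threat.items():
        if _window_hit(evs, OUTBREAK_WINDOW, key=lambda d: d.computer, minimum=OUTBREAK_MIN_COMPUTERS):
            computers = sorted({d.computer for d in evs})
            alerts.append(("Malware Outbreak", threat, f"{len(computers)} computers: {', '.join(computers)}"))
    # Repeated Malware Detection: the same threat keeps coming back on one computer,
    # which usually means remediation is not sticking (the reinfection vector is still open).
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.computer, e.threat)].append(e)
    for (computer, threat), evs in by_pair.items():
        if _window_hit(evs, REPEAT_WINDOW, key=lambda d: d, minimum=REPEAT_MIN_COUNT):
            alerts.append(("Repeated Malware Detection", computer, f"{threat} x{len(evs)}"))
    return alerts


def alert_summary(lines):
    """Count alerts per rule for a batch of records: what a mail digest would carry."""
    alerts = evaluate_alerts([parse_line(l) for l in lines if l.strip()])
    summary = defaultdict(int)
    for rule, _, _ in alerts:
        summary[rule] += 1
    return dict(summary)


if __name__ == "__main__":
    for rule, subject, detail in evaluate_alerts([parse_line(l) for l in SAMPLE_LINES]):
        print(f"{rule:28} {subject:24} {detail}")
```

Running it prints one line per alert. The thresholds are the knob that separates a useful outbreak or repeat mail from one that fires on every detection; in the sample batch the seven detection mails collapse into one outbreak (Sample.A on three computers inside a day) and one repeat (Demo.B returning three times on WS-007).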
30. Agenda
• About FEP
• Server installation walkthrough
• Client management & deployment
• Update mechanism
• Reporting
• Q&A
Business Needs
To stay competitive, businesses are employing a growing number of remote and mobile employees. These various worker scenarios make it more difficult to meet security requirements. As such, businesses are struggling to:
• Keep users and systems secure as well as productive.
• Protect systems from complex threats and vulnerabilities on endpoints, application servers, and the network edge.
• Reduce the risks of sensitive information loss.
• Optimize efficiency and reduce management costs to lower the total cost of ownership (TCO) of security infrastructure.
However, many IT challenges stand in the way:
• Ever-evolving, financially motivated threats can cause business disruption and financial loss. The threat landscape is very dynamic in nature, and with more and more applications going into the cloud, security systems need to be a step ahead of potential threats.
• The wide range of users and devices can make it difficult to apply consistent policy and protection for remote access.
• Most of the threats are a result of improper configuration or a poor client update process. In the traditional model, desktop management and client security are managed in two different silos. Desktop administrators lack easy access to security tools that would give them visibility into the security state of the clients. On the other side, security admins are overburdened with day-to-day security operations, which takes them away from developing end-to-end compliance policies and researching the next generation of threats.
• Uncoordinated protection between fragmented, poorly integrated security products can lead to slower response times.
• There is limited visibility because of poor communication / alignment between functional silos.
• Duplicate infrastructures can raise complexity and TCO.
With discrete infrastructures for management and security, companies need to purchase and maintain separate hardware and software, create and manage two sets of policies, and take two sets of actions when security incidents occur.
Desktop management and security have traditionally existed as two separate disciplines, yet both play central roles in keeping users safe and productive. Management ensures proper system configuration, deploys updates against vulnerabilities, and delivers necessary security updates. Security provides critical threat detection, incident response, and remediation of system infection. Most malware incidents on endpoints result from poor system configuration and security personnel’s lack of ready access to inventory, update level, and other endpoint-specific configuration data.
A side effect of this “siloed” approach is that organizations have separate security and management infrastructures to maintain. That means that two sets of servers need to be purchased and maintained, two sets of policies need to be created and managed, and two sets of actions need to be taken when a security incident occurs.
Forefront Endpoint Protection 2010 introduces the ability to consolidate these two work streams into a single infrastructure. Organizations can combine the threat-detection capabilities of Forefront Endpoint Protection 2010 with Microsoft System Center Configuration Manager 2007 R2 or R3 (the most widely used tool for remediating endpoint security vulnerabilities) to gain a unique, consolidated view into the health and protection status of their systems—visibility that previously could have required accessing three or more separate consoles. This combination of technologies also makes it easier for IT to consolidate and report on the risk status of their environment to management. In the case of a security incident, IT administrators can identify at-risk machines and take action to update systems, block outbreaks, and initiate clean-up efforts using a single infrastructure.
With this strategy, Microsoft enables operationalization of client security.
Endpoint protection can be managed by the desktop and server administration teams, enabling them to quickly remediate any endpoint security issues and carry out day-to-day security operations efficiently, using the same tools that they use for endpoint management. This frees up the information security resources to tackle new and emerging threats and focus on developing end-to-end security policies for the enterprise.
With the convergence of security and management, organizations have:
• One server infrastructure to maintain.
• A single mechanism to deploy software and updates to clients.
• Central policy implementation for security and management.
• A single solution that desktop administrators need to train on.
• A single license to purchase (ECAL) that contains everything organizations need to manage and secure endpoints – no need to buy single-purpose software.
These efficiencies not only lower hardware, maintenance, and training costs, they also allow IT administrators to do their job better and more efficiently, meaning that organizations can also benefit from a reduction in help desk calls.
Forefront Endpoint Protection is the next generation of Forefront Client Security. It builds on the protection technologies included in the previous versions and provides a completely new management experience. The product has been designed around three key themes:
Ease of Deployment
Since FEP is built on Configuration Manager, it offers easy installation of the FEP server and even easier deployment of clients using the existing infrastructure. Microsoft realizes that switching from one protection product to another can be complex and costly for large organizations, so it has engineered the FEP client to seamlessly replace the most common protection products in the market today. FEP clients benefit from all of the flexible management scenarios available to Configuration Manager clients – such as branch offices, roaming, non-domain-joined scenarios and management via Internet-only connection. FEP is also able to support enterprise-wide scalability of up to 300,000 clients per console across various Windows operating systems.
Enhanced Protection and Productivity
FEP provides highly accurate detection of known and unknown threats using many new and improved technologies in its antimalware engine, host-based Intrusion Prevention System (IPS) and host firewall management. While providing comprehensive protection, FEP keeps employees productive with low-performance-impact scanning and productivity-oriented default policies.
Simplified Desktop Management
With FEP, administrators have a central location for creating and applying all endpoint-related policies.
With a shared view of endpoint protection and configuration, administrators can more easily identify and remediate vulnerable computers.
The following list describes a number of business goals that FEP has been designed to meet:
• Multi-layered protection of desktops, laptops and servers (“endpoints”) from malicious code (“malware”)
– File and network-based attack vectors – protects against malware embedded in files as well as attacks against vulnerable services across the network (Intrusion Prevention System)
– Signature and behavior-based detection – detects known malware variants, plus identifies “malware-like” behavior to block unknown malware. Also leverages SpyNet to access up-to-the-minute information from the Microsoft Malware Protection Center (MMPC)
• Protect regardless of location
– Data center, head office, branch office, Internet – definitions can be obtained from within the corporate network, or from Microsoft Update for roaming clients. Results are returned via distributed ConfigMgr Management Points and the ConfigMgr site hierarchy. Results are cached on roaming clients and uploaded on return.
– ConfigMgr Native mode allows Internet Based Client Management (IBCM) to manage clients regardless of where they are (as long as they have Internet connectivity).
• Real-time monitoring & alerting of critical assets – critical assets are likely monitored by OpsMgr. The FEP 2010 Security Management Pack exposes all FEP information to OpsMgr, and enables FEP-specific tasks to be sent from a central console
• Minimize interruptions & performance impact on users – comparable performance to the leading competitors in terms of detection, remediation and performance
– Focused UI design to minimize interruptions to users when no action is required
• Minimize cost
– Deployment of infrastructure and migration of clients – leverage ConfigMgr and OpsMgr so most customers won’t require new infrastructure (actually less, as the infrastructure used to manage the existing AV can be decommissioned)
– Solution management costs – client and definition update deployment issues can be assigned to desktop and server administrators, which is what they specialize in. This reduces the load on security personnel, who can focus on root cause, malware reduction initiatives etc.
• Integrate with and leverage existing technology
– ConfigMgr, OpsMgr, Group Policy, WSUS – get more benefit out of existing infrastructure instead of deploying more. Leverage existing familiarity to reduce training requirements
• Support security compliance efforts – rich reporting on malware activity across the organization. Trend analysis to focus malware reduction efforts. Leverage ConfigMgr DCM to provide detailed reports to audit compliance with established security baselines
• Support virtualization strategy – server components fully supported on virtual environments to align with organization strategy
This is the protection stack that is implemented in FEP 2010, and we will go through each of the layers in detail. Operationalizing protection means finding the right balance between protecting systems and minimizing the performance impact of that protection.
Now that we have seen some of the protections included in FEP, let’s discuss the end-user experience on the FEP client. The main design principle for FEP was to provide a high degree of protection whilst minimizing the impact on user productivity. This is achieved through the following:
• A simple, uncluttered interface that requires minimal interaction from the user. The color of the FEP icon indicates the malware status of the client, and the user is only notified if user interaction is required. Administrators use policy to configure the level of notification and interaction required by the user.
• Administration options. End users can be delegated a high degree of control over the client configuration, everything can be managed centrally via policy, or a mix of the two approaches can be used.
• Maintain high productivity. It enables higher productivity by allowing administrators to limit CPU usage during scheduled scans. System scans are also faster using advanced caching techniques (that persist between reboots), ensuring that content that has not changed is not rescanned.
The Home tab shows the current status of the client – whether the computer is protected by real-time protection, whether definitions are up to date, and the status of scheduled scans. The Help menu provides access to a range of information:
• Get offline help – opens the locally installed help .CHM file. If you click the word “Help”, the browser opens and takes you to the online version of FEP 2010 Help.
• Submit malicious software sample – opens the browser to the MMPC malware submission portal
• Customer experience improvement program – allows you to opt in or out of the program
• View privacy statement – opens the browser to let you download the FEP 2010 privacy statement document from the Microsoft Download Center
• View license agreement – opens the license agreement that the administrator saw when they installed FEP on the server
• Check for software updates – runs Microsoft Update
• About Forefront Endpoint Protection – shows:
– FEP client version
– AM client version
– AM engine version
– Anti-virus definition
– Anti-spyware definition
– NIS engine version
– NIS definition
– FEP policy applied
The Home tab is also the launching point for scans:
• Quick scan – checks the places, processes in memory, and registry files on your computer’s hard disk that malicious software is most likely to infect.
• Full scan – checks all files on the hard disk and all currently running programs.
• Custom scan – choose the files and folders to include in the scan (as well as what is scanned during a quick scan).
You can also right-click on any file or folder to perform a scan on that.
This slide shows the results of the scan.
The Update tab provides information on:
• Definition status (up to date or the number of days old)
• Date the definitions were created
• Date that definitions were last checked
• Anti-virus definition version
• Anti-spyware definition version
It also gives you the ability to initiate an immediate check for definition updates (the update sources configured in FEP policy are used in the order specified).
This slide shows the status when a definition update is in progress (either user-initiated, scheduled or immediately after installation):
• Searching
• Downloading
• Installing
The status then changes to “up to date”.
The History tab shows:
• Recent malware detections and responses
• Quarantined items. Items can be removed or restored from this view.
• Allowed items. Programs that were detected as malware or potentially unwanted software, where the default behavior was overridden – either by the user (if allowed) or by an override in FEP policy.
The Settings tab shows the limited set of settings that can be configured via the FEP client interface. Settings configured in FEP policy are greyed out – unless the administrator has specified that the user can change a particular element. In this case, the end user can’t change the scan type, scan day or any other properties, but they have been delegated the right to choose a scan time that suits their schedule (e.g. while they are away from their computer). We will look at policy settings in detail in module 4.
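As an added example (not FEP code), the following Python script models the locking and delegation described above: each policy setting carries a flag saying whether the user may override it, the client greys out everything that is not delegated, and a delegated value is still validated before it takes effect. The setting names, the policy structure, the validation rules and the sample user preferences are assumptions chosen to mirror the scenario on this slide.

```python
"""Toy model of how FEP-style policy settings and user-delegated settings combine.

Added example; not FEP code. Setting names, policy structure and validators are assumptions.
"""
import re

# Constructed admin policy mirroring the slide: scan type and scan day are locked,
# scan time is delegated to the user, CPU throttling during scans is locked.
ADMIN_POLICY = {
    "scan_type": {"value": "Quick", "user_can_override": False},
    "scan_day": {"value": "Sunday", "user_can_override": False},
    "scan_time": {"value": "02:00", "user_can_override": True},
    "cpu_throttle_percent": {"value": 50, "user_can_override": False},
}

DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")

# Validators for user-supplied values: a delegated setting still only accepts
# values the client could actually apply.
VALIDATORS = {
    "scan_type": lambda v: v in ("Quick", "Full"),
    "scan_day": lambda v: v in DAYS,
    "scan_time": lambda v: bool(re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", str(v))),
    "cpu_throttle_percent": lambda v: isinstance(v, int) and 5 <= v <= 100,
}


def read_only_settings(policy):
    """Settings the client UI should grey out: everything the admin has not delegated."""
    return sorted(name for name, spec in policy.items() if not spec["user_can_override"])


def resolve_settings(policy, user_prefs):
    """Compute the effective client settings.

    Policy wins for every setting unless the admin delegated it AND the user's value
    is valid. Returns (effective, rejected): `rejected` maps each ignored user entry
    to a reason. Those rejections are worth logging centrally, since a locked setting
    that keeps being 'changed' is either a support issue or someone poking at the client.
    """
    effective = {name: spec["value"] for name, spec in policy.items()}
    rejected = {}
    for name, value in user_prefs.items():
        if name not in policy:
            rejected[name] = "unknown setting"
        elif not policy[name]["user_can_override"]:
            rejected[name] = "locked by policy"
        elif not VALIDATORS.get(name, lambda v: True)(value):
            rejected[name] = "invalid value"
        else:
            effective[name] = value
    return effective, rejected


if __name__ == "__main__":
    # Constructed user preferences: a legitimate scan-time choice, an attempt to change
    # the locked scan type, and a setting the client does not know about.
    effective, rejected = resolve_settings(
        ADMIN_POLICY, {"scan_time": "18:30", "scan_type": "Full", "theme": "dark"}
    )
    print("greyed out:", read_only_settings(ADMIN_POLICY))
    print("effective :", effective)
    print("rejected  :", rejected)
```

The split between a policy value and a `user_can_override` flag is the whole point: the server decides per setting, the client merely renders the result, and any value that arrives for a locked setting is dropped and reported rather than applied.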
Don’t forget to thank our sponsors! They made this possible! Go sponsors!!!!!