Protecting Your Desktops and Servers with Microsoft Forefront Client Security: Overview and Technical Implementation – Part 3. Ricardo Frois, Security Specialist, Microsoft Brasil

Upload: miguel-schneider

Post on 26-Mar-2015


Agenda

• Overview
• Architecture
• Unified Protection
• Simplified Administration
• Visibility and Control
• Additional Resources

• Unified solution against viruses and spyware
– Built on technology used by millions of users
– Effective threat response
– Complements other Microsoft security solutions

• Single console for security administration
– Define a single policy for client protection settings
– Faster distribution of signatures and software
– Integration with existing infrastructure

• A single dashboard for viewing threats and vulnerabilities
– View the most important reports
– Lets administrators stay informed about the status of scans and security alerts

Unified malware protection for corporate desktops, laptops and servers, with unified management and control


Greater confidence

Greater efficiency

Greater control

Unified malware protection for corporate desktops, laptops and servers, with unified management and control

[Comparison chart; the per-product marks did not survive extraction]

Capabilities compared:
• Remove most prevalent viruses
• Remove all known viruses
• Real-time antivirus
• Remove all known spyware
• Real-time antispyware
• Central reporting and alerting
• Customization
• IT Infrastructure Integration

Products compared:
• Forefront Client Security
• MSRT
• Windows Defender
• Windows Live Safety Center
• Windows Live OneCare

Column groups: FOR INDIVIDUAL USERS, FOR BUSINESSES


• One solution for spyware and virus protection

• Built on protection technology used by millions worldwide

• Effective threat response

• Complements other Microsoft security products

• One engine for virus and spyware protection
– Also used in Windows Defender, OneCare, Antigen, Forefront Server Security products, MSRT, etc.
– Simplified deployment and administration
– Reduces conflict when detecting blended threats

• Detection and removal capabilities include:
– Real-time, scheduled or on-demand detection & removal
– Comprehensive system cleaning for viruses and spyware, with checks to ensure system is fully functional after cleaning
– Scanning dozens of archives and packers
– Using tunneling signatures that bypass user-mode rootkits
– Code emulation for behavior analysis and polymorphic viruses
– Heuristic detections for new malware and variants

Antimalware – Real Time Scanning

• Kernel mode scanning
– On-Access Mini Filter
– Essential to any Malware protection
– Malware must compromise kernel to evade
– Malware is prevented from executing entirely

• User mode scanning
– System Configuration
– Internet Explorer Add-ons
– Internet Explorer Configurations
– Internet Explorer Downloads
– Services and Drivers
– Application Execution
– Application Registration
– Windows Add-ons

Antimalware – Scheduled Scanning

Quick Scan
– In memory processes
– Targeted Directories *
  • User Profile
  • Desktop
  • System Directories
  • Program Files
– Common Malware extensibility points *

Full Scan
– All aspects of Quick Scan
– Full evaluation of local drives

* Defined in Definition Update to respond to Malware evolution

Demo

• Using Forefront Client Security to Protect Client Computers
• Simplified Administration

Demonstration


Define security steady state

Specify the ongoing security behavior of my clients

Keep systems up-to-date

Ensure that clients have the latest signatures

View reports

Determine the security state, now and over time

Respond to alerts

What critical security events require my attention?

One console for simplified security administration

One policy to manage client protection agent settings, e.g.:
• Anti-spyware unknown action
• Alert level
• Event and logging settings
• SpyNet reporting on/off
• Level of end-user UI shown
• Scan schedule
• Real time protection on/off
• Signature update frequency
• Anti-spyware signature overrides
• Security state assessment settings

Choice of 3 integrated policy profile deployment methods:
• Microsoft Forefront Client Security Console (uses AD/GP)
• ADM file (uses AD/GP)
• Export to a file then use existing software distribution system

Console deploys policy through use of Active Directory® Group Policy Objects

Granularity at OU-level with exceptions using security groups

Console creates GPO, sends to Sysvol, GP deploys profile

Policy applied on host per AD default

[Diagram labels: READ, SAVE, GPO]

Signature deployment optimized for Windows Server Update Services (WSUS)

Can use any software distribution system

Auto and manual approval of definitions

Client Security installs an Update Assistant service to:
• Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
• Support for roaming users
• Failover from WSUS to Microsoft Update

[Diagram labels: Malware Research; Microsoft Update; WSUS + Update Assistant; Desktops, Laptops and Servers; Sync; Sync]


Install WSUS

• Store updates locally

• Create a WSUS Web site during installation—FCS requires WSUS to use port 8530

• Configure automatic approval

• First synchronization can take several hours

• One console for simplified security administration
• Define one policy to manage client protection agent settings
• Deploy signatures and software faster
• Integrates with your existing infrastructure

• Supported Platforms
– Server
  • Windows 2003 Server/SP1
  • Windows 2003 Server/R2
  • Longhorn Server (at RTM)
– Client
  • Windows 2000/SP4 + Rollup
    – Requires GDI+ QFE
  • Windows XP/SP2
    – Requires Filter Manager QFE
  • Windows Vista
    – Business SKUs only


• Server

– Server Setup

– Configuration Wizard

• Client

– Command line (no UI)

– Use existing deployment technologies

• Policy

– AD

– .reg file (client side tool)

• Signatures

– WSUS

– SMS/others (RTM)

Demo

• Visibility and Control
• Updating Signature Files
• Using Policies to Manage Client Computers

Demonstration


Understanding Policies

Forefront Client Security Console

Administrator creates & deploys policy

Group Policy Management Console

Clients


One dashboard for visibility into threats and vulnerabilities

View insightful reports

Stay informed with state assessment scans and security alerts

Security Summary

Respond to Alerts

Alerting Functionality

Notification and management of incident values, including:
• Malware outbreak
• Malware protection disabled
• Malware detected
• Malware failed to remove

Control over the type of alert level and the volume of alerts generated

[Diagram: alert levels 1 to 5; end labels "Rich Data, High Value Assets" and "Critical Issues Only, Low Value Assets"; alerts shown: Outbreak; Malware removal failed; Signature update failed; Malware detected and removed; Signature update failed (per min)]

Alerting and Reporting Architecture

Client (Host)

System Log

MOM Agent

MOM Server SQL Server Reporting Services

• Event Table
• Alerts Table
• State Table

Viewing Reports

Reporting Details

Integration with MOM 2005

Uses SQL Reporting Services

Shows the status of malware protection in your organization

Specifies point-in-time and over time

Report types:
• Malware Threat(s)
• Vulnerability Summary
• Scan Results
• Historical Information
• Summary Report
• Deployment
• Alerts
• Computers

Demo

Running and Reviewing Reports

• View Security State Assessment report
• View Computer Detail report

Demonstration

Security Product Roadmap

[Roadmap diagram; the product placement did not survive extraction. Timeline labels: Current, Dec 2006, 2007+, TBD. Row labels: Client, Server, Edge. Product label: Antigen Messaging Security Suite]

• Public beta available now!
– Download at http://www.microsoft.com/clientsecurity
– Community-based support at http://www.microsoft.com/technet/clientsecurity
• Release To Manufacture planned for Q2 CY2007
• Will be available through Microsoft’s volume licensing programs

http://www.microsoft.com/isaserver/

2006

http://www.microsoft.com/clientsecurity

http://www.microsoft.com/antigen

Put your organization through a security audit

Contact your Microsoft rep or reseller for information and advice

http://www.microsoft.com/forefront

Download trial versions of

Register for beta information about

Other Resources

Technical Chats and Webcasts
http://www.microsoft.com/communities/chats/default.mspx
http://www.microsoft.com/usa/webcasts/default.asp

Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx

MSDN & TechNet
http://microsoft.com/msdn
http://microsoft.com/technet

Virtual Labs
http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx


© 2006 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.