Introducing Microsoft Forefront Client Security
Steve Lamb, Technical Security Advisor, Microsoft Ltd
http://blogs.technet.com/steve_lamb
“All security frameworks should include a comprehensive, layered approach...”
Understanding the Nine Protection Styles of Host-Based Intrusion Prevention, Gartner – May 2005
“Integration and simplified manageability are important drivers when purchasing security”
The State of Security in SMB & Enterprises, Forrester Research, Inc. – Sept. 21, 2005
Microsoft Forefront’s comprehensive line of business security products helps you gain greater protection through deep integration and simplified management
[Slide diagram: Microsoft anti-malware product line, ranging from tools for individual users to tools for businesses]
Products shown: MSRT, Windows Defender, Windows Live Safety Center, Windows Live OneCare, Microsoft Forefront Client Security
Capabilities shown: remove most prevalent viruses, central reporting and alerting, customization, IT infrastructure integration
Axis: for individual users → for businesses
One solution for spyware and virus protection
Built on protection technology used by millions worldwide
Effective threat response
Complements other Microsoft security products
One console for simplified security administration
Define one policy to manage client protection agent settings
Deploy signatures and software faster
Integrates with your existing infrastructure
One dashboard for visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans and security alerts
Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control
One engine for virus and spyware protection
Also used in Windows Defender, OneCare, Antigen, MSRT, etc.
Comprehensive system cleaning for viruses and spyware, with checks to ensure the system is fully functional after cleaning
Real-time, scheduled or on-demand detection & removal
Tenets of a unified design
Scale: usage drives sample submissions and signature creation
Multi-user or limited user support
Consistent UX for detection & protection from malware
Detection and removal capabilities include:
Scanning dozens of archives and packers
Using tunneling signatures that bypass user mode rootkits
Code emulation for behavior analysis and polymorphic viruses
Heuristic or generic detections for new malware and variants
Directed quick-scan
Identifies latent registry keys and files that reference the scan target files
Quarantines/removes ClassIDs, RunKeys, and the infected files as one unit
Cleaning scripts
Custom script language for cleaning difficult threats
Frequent updates for new format support and detection features
Engine to be delivered as part of the signature package
Define security steady state: specify the ongoing security behavior of my clients
Keep systems up-to-date: ensure that clients have the latest signatures
View reports: determine the security state, now and over time
Respond to alerts: what critical security events require my attention?
Console deploys policy through use of Active Directory Group Policy Objects
Granularity at OU-level with exceptions using security groups
If:
Policy A → Redmond OU
Policy B → Marketing Security Group
Then:
Marketing in the Redmond OU will get Policy B
Console creates GPO, sends to Sysvol, GP deploys profile
Policy applied on host per AD default
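A worked model of the precedence rule above, added here as an illustration and not code from the deck or from the product: the OU-linked GPO carries the baseline policy, a second GPO security-filtered to the Marketing group carries the exception, and the resolver processes links in Group Policy precedence order so the group-filtered policy wins for Marketing hosts in the Redmond OU. The class names, setting names and the simplified filtering model are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict                             # agent settings carried by this GPO (assumed names)
    apply_to_groups: frozenset = frozenset()   # security filtering; empty = applies to all hosts

@dataclass
class Ou:
    name: str
    links: list = field(default_factory=list)  # GPOs linked here, highest precedence first
    parent: "Ou | None" = None

def gpo_applies(gpo: Gpo, groups: set) -> bool:
    """Security filtering: the GPO applies if it is unfiltered or the host is in a filtered group."""
    return not gpo.apply_to_groups or bool(gpo.apply_to_groups & groups)

def resolve_policy(ou: Ou, groups: set) -> dict:
    """Mimic GP processing order: parent containers first, the host's OU last; within one
    container the highest-precedence link is processed last, so its settings overwrite."""
    chain = []
    while ou:
        chain.append(ou)
        ou = ou.parent
    result = {}
    for node in reversed(chain):            # root first, target OU last
        for gpo in reversed(node.links):    # lowest precedence first, highest last
            if gpo_applies(gpo, groups):
                result.update(gpo.settings)
    return result

# Constructed sample matching the slide: Policy A on the Redmond OU, Policy B filtered
# to the Marketing security group and linked with higher precedence than Policy A.
POLICY_A = Gpo("Policy A", {"realtime_protection": True, "scan_schedule": "daily"})
POLICY_B = Gpo("Policy B", {"scan_schedule": "weekly"}, frozenset({"Marketing"}))
REDMOND = Ou("Redmond", links=[POLICY_B, POLICY_A])

def effective_policy(host_groups) -> dict:
    """Settings a Redmond host ends up with, given its security group memberships."""
    return resolve_policy(REDMOND, set(host_groups))
```

Linking the exception GPO below the baseline would silently invert the result, which is the check worth running before trusting the console's OU-plus-group model.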
[Slide diagram: policy deployment paths from the Client Security Console]
In console: console reads and saves the GPO directly
Via GPMC: using the ADM file
Via existing software distribution system: using exported files
*Agents deployed via existing software distribution system
Tightly integrated with industry leading MSRC response process
Dedicated team, analysis automation and testing
Multiple data sources enabling advanced telemetry on threats
Security Research Organization
• Identify malware and create signature definitions
• Develop Windows Defender (25+ million users) & MSRT
• Achieved VB 100% award, West Coast Labs & ICSA Certification
• With protection engine implementation in Windows Live OneCare
• MSRT whitepaper: in-depth perspective of the malware landscape
Signature deployment optimized for Windows Server Update Services (WSUS)
Can use any software distribution system
Auto and manual approval of definitions
Client Security installs an Update Assistant service to:
Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
Notify console when new signatures require approval
Support for roaming users
Failover from WSUS to Microsoft Update
[Slide diagram: signature flow from Malware Research → Microsoft Update (MU) → WSUS + Update Assistant (sync) → desktops, laptops and servers (sync)]
One dashboard for visibility into threats and vulnerabilities
Insightful reports: real-time and emerging trends
Focus on critical information
Executive reports
Drill down for detail
Linked within the console
Built on MOM 2005 technology
Currently in private beta with select customers
Public beta planned for Q4 CY2006
Release to manufacturing planned for 1H CY2007
Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control
Critical visibility & control
An integral part of Microsoft Forefront
For more information
Visit http://www.microsoft.com/clientsecurity to learn about Forefront Client Security and register for beta information
Visit http://www.microsoft.com/forefront to learn more about other Microsoft Forefront offerings