Protecting your desktops and servers with Microsoft Forefront Client Security
Overview and Technical Implementation – Part 3
Ricardo Frois
Security Specialist
Microsoft Brasil
Mar 26, 2015
Agenda
• Overview
• Architecture
• Unified Protection
• Simplified Administration
• Visibility and Control
• Additional Resources
Greater confidence
• Unified solution against viruses and spyware
• Built on technology used by millions of users
• Effective threat response
• Complements the other Microsoft security solutions
Greater efficiency
• Single console for security administration
• One policy defines the client protection settings
• Faster distribution of signatures and software
• Integration with the existing infrastructure
Greater control
• One dashboard for viewing threats and vulnerabilities
• View the most important reports
• Lets administrators stay informed about the state of scans and security alerts
Unified malware protection for corporate desktops, laptops and servers, with unified management and control
[Diagram: comparison of Microsoft antimalware products]
For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows Live OneCare
For businesses: Forefront Client Security
Capabilities compared: remove most prevalent viruses; remove all known viruses; real-time antivirus; remove all known spyware; real-time antispyware; central reporting and alerting; customization; IT infrastructure integration
• One solution for spyware and virus protection
• Built on protection technology used by millions worldwide
• Effective threat response
• Complements other Microsoft security products
• One engine for virus and spyware protection
– Also used in Windows Defender, OneCare, Antigen, Forefront Server Security products, MSRT, etc.
– Simplified deployment and administration
– Reduces conflict when detecting blended threats
• Detection and removal capabilities include:
– Real-time, scheduled or on-demand detection & removal
– Comprehensive system cleaning for viruses and spyware, with checks to ensure the system is fully functional after cleaning
– Scanning dozens of archives and packers
– Using tunneling signatures that bypass user-mode rootkits
– Code emulation for behavior analysis and polymorphic viruses
– Heuristic detections for new malware and variants
Antimalware – Real Time Scanning
• Kernel mode scanning – On-Access Mini Filter
– Essential to any malware protection
– Malware must compromise the kernel to evade it
– Malware is prevented from executing entirely
• User mode scanning – System Configuration
– Internet Explorer Add-ons
– Internet Explorer Configurations
– Internet Explorer Downloads
– Services and Drivers
– Application Execution
– Application Registration
– Windows Add-ons
Antimalware – Scheduled Scanning
Quick Scan
– In-memory processes
– Targeted directories *: User Profile, Desktop, System Directories, Program Files
– Common malware extensibility points *
Full Scan
– All aspects of Quick Scan
– Full evaluation of local drives
* Defined in Definition Update to respond to malware evolution
Demo
• Using Forefront Client Security to Protect Client Computers
• Simplified Administration
Define security steady state: specify the ongoing security behavior of my clients
Keep systems up-to-date: ensure that clients have the latest signatures
View reports: determine the security state, now and over time
Respond to alerts: what critical security events require my attention?
One console for simplified security administration
One policy to manage client protection agent settings, e.g.:
• Anti-spyware unknown action
• Alert level
• Event and logging settings
• SpyNet reporting on/off
• Level of end-user UI shown
• Scan schedule
• Real time protection on/off
• Signature update frequency
• Anti-spyware signature overrides
• Security state assessment settings
Choice of 3 integrated policy profile deployment methods:
• Microsoft Forefront Client Security Console (uses AD/GP)
• ADM file (uses AD/GP)
• Export to a file, then use the existing software distribution system
Console deploys policy through use of Active Directory® Group Policy Objects
Granularity at OU-level with exceptions using security groups
Console creates GPO, sends to Sysvol, GP deploys profile
Policy applied on host per AD default
[Diagram: the console reads and saves the GPO, which Group Policy then applies to the clients]
Signature deployment optimized for Windows Server Update Services (WSUS)
Can use any software distribution system
Auto and manual approval of definitions
Client Security installs an Update Assistant service to:
• Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
• Support roaming users
• Fail over from WSUS to Microsoft Update
[Diagram: definition flow from Malware Research to Microsoft Update, synced to WSUS + Update Assistant, synced on to desktops, laptops and servers]
Install WSUS
• Store updates locally
• Create a WSUS Web site during installation—FCS requires WSUS to use port 8530
• Configure automatic approval
• First synchronization can take several hours
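As an added example (not from the deck): a PowerShell check, assuming a placeholder WSUS host name, that confirms the WSUS site answers on the port FCS requires (8530) and that the Windows Update client policy on a host points at that server on the same port. Run it on a client after the policy has applied.

```powershell
# Added example, not from the original slides. $WsusHost is a placeholder.
$WsusHost = 'wsus01.example.local'   # replace with your WSUS server
$WsusPort = 8530                     # port FCS requires the WSUS site to use

function Test-WsusPort {
    # TCP connect test with a 3 s timeout; returns $true when the port accepts connections.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ClientWsusPolicy {
    # Reads the Windows Update client policy values that Group Policy writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
    }
}

$reachable = Test-WsusPort -HostName $WsusHost -Port $WsusPort
Write-Host ("WSUS {0}:{1} reachable: {2}" -f $WsusHost, $WsusPort, $reachable)

$policy = Get-ClientWsusPolicy
if ($null -eq $policy) {
    Write-Host 'No WSUS client policy present; this host would contact Microsoft Update directly.'
} elseif ($policy.WUServer -notmatch (':' + $WsusPort + '(/|$)')) {
    Write-Host ("WUServer is '{0}', which does not use port {1} as FCS requires." -f $policy.WUServer, $WsusPort)
} else {
    Write-Host ("WUServer = {0}; WUStatusServer = {1}" -f $policy.WUServer, $policy.WUStatusServer)
}
```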
• One console for simplified security administration
• Define one policy to manage client protection agent settings
• Deploy signatures and software faster
• Integrates with your existing infrastructure
• Supported Platforms
– Server
• Windows 2003 Server/SP1
• Windows 2003 Server/R2
• Longhorn Server (at RTM)
– Client
• Windows 2000/SP4 + Rollup (requires GDI+ QFE)
• Windows XP/SP2 (requires Filter Manager QFE)
• Windows Vista (Business SKUs only)
• Server
– Server Setup
– Configuration Wizard
• Client
– Command line (no UI)
– Use existing deployment technologies
• Policy
– AD
– .reg file (client side tool)
• Signatures
– WSUS
– SMS/others (RTM)
Demo
• Visibility and Control
• Updating Signature Files
• Using Policies to Manage Client Computers
Understanding Policies
[Diagram: the administrator creates and deploys a policy in the Forefront Client Security Console; it passes through the Group Policy Management Console to the clients]
One dashboard for visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans and security alerts
Security Summary
Respond to Alerts: Alerting Functionality
Alert types:
• Malware outbreak
• Malware protection disabled
• Malware detected
• Malware failed to remove
Notification and management of incident values, including control of the alert-level type and of the volume of alerts generated.
Alert levels run from 1 (critical issues only, for low-value assets) to 5 (rich data, for high-value assets). Events reported as the level rises: outbreak; malware removal failed; signature update failed; malware detected and removed; signature update failed (per minute).
Alerting and Reporting Architecture
[Diagram: on the client (host), the System Log feeds the MOM Agent, which reports to the MOM Server (Event Table, Alerts Table, State Table); SQL Server Reporting Services reads from there]
Viewing Reports: Reporting Details
Integration with MOM 2005
Uses SQL Reporting Services
Shows the status of malware security across your company
Both point-in-time and over-time views
Report types:
• Malware Threat(s)
• Vulnerability Summary
• Scan Results
• Historical Information
• Summary Report
• Deployment
• Alerts
• Computers
Demo
• Running and Reviewing Reports
• View Security State Assessment report
• View Computer Detail report
Security Product Roadmap
[Diagram: Microsoft® roadmap by tier (Client, Server, Edge) across the columns Current, Dec 2006, 2007+ and TBD; Antigen Messaging Security Suite shown among the products]
• Public beta available now!
– Download at http://www.microsoft.com/clientsecurity
– Community-based support at http://www.microsoft.com/technet/clientsecurity
• Release To Manufacture planned for Q2 CY2007
• Will be available through Microsoft’s volume licensing programs
Download trial versions of:
• ISA Server: http://www.microsoft.com/isaserver/2006
• Forefront Client Security: http://www.microsoft.com/clientsecurity
• Antigen: http://www.microsoft.com/antigen
Register for beta information about Forefront: http://www.microsoft.com/forefront
Put your organization through a security audit
Contact your Microsoft rep or reseller for information and advice
Other Resources
Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.