1. Ronald Beekelaar
Beekelaar Consultancy
ronald@beekelaar.com
2. Introductions Presenter – Ronald Beekelaar
MVP Windows Security
MVP Virtual Machine Technology
E-mail: ronald@beekelaar.com
Work
Beekelaar Consultancy
Security consultancy
Forefront, IPSec, PKI
Virtualization consultancy
Create many VM-based labs and demos
3. Agenda - FCS Architecture
Deployment
FCS server roles
FCS agents
FCS policies
Definition Updates
Signatures and engine
Scans and engine
Reports & Alerts
5.
6. Architecture
7. Architecture
8. Deployment Deploy FCS server
Multiple server roles
Deploy FCS client to client computers
Client scanning and user interface
Deploy FCS policy
Configuration settings
Deploy FCS definition updates
Signatures and engine
9. FCS Server Supported Matrix
10. Server Software Prerequisites Prerequisites for FCS Server
SQL 2005 SP1
SQL 2005 Reporting SP1
WSUS 2.0 SP1 or later
GPMC
MMC 3.0
.NET Framework 2.0
IIS 6.0
MOM 2005 hotfixes for SQL 2005
11. What ships as part of FCS? FCS Server deliverable includes:
MOM 2005 SP1
MOM 2005 Reporting SP1
MOM hotfixes required by FCS
FCS console + reports
FCS Clients deliverable includes:
FCS AntiMalware
Security State Assessment
MOM Agent 2005 SP1
FCSLocalPolicyTool.exe
12. MOM 2005 – Challenges & Solutions Challenges:
Desktop Management Focus
Collection Scalability
Cross Machine Alerts
Specialized Views on Live Data
Application vs. Platform
Solutions:
A Dedicated MOM 2005 Installation
Reduced Event Stream
Special Configuration and Base MOM Pack
Custom Schema
Multi-homing (deployment and versions)
Server Based Analysis
Reporting Against The Operational Database
Auto Approval for New Agents + Flood resiliency
Future: System Center Operation Manager
13. FCS Server Roles
14. FCS Server Deployment - Topologies FCS supports the following topologies
15. FCS Client - Support
16. FCS Client - Setup No UI (command line)
Example syntax:
clientsetup.exe /MS momserver3 /CG fcsgroup
clientsetup.exe /nomom
Install Tasks:
Pre-req checking
Installing MOM agent, FCS SSA agent and FCS AM agent
Logging actions and errors to a file
How to deploy the client software
Group Policy
SMS
Other third party distribution tool
Login scripts
WSUS
17. Deploy FCS agent with WSUS Recommended way to deploy FCS agent
Step 0 - Remove existing antivirus software
For scripts, see www.codeplex.com/fcscompete
Step 1 - In WSUS: Approve FCS package
Step 2 - On server: Create and deploy FCS policy
Step 3 - Client: will install FCS agent from WSUS
Speed up (after uninstalling existing anti-virus):
gpupdate.exe /force
wuauclt.exe /detectnow
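The client setup and WSUS deployment slides together describe one procedure: install the agent with clientsetup.exe, then refresh policy and trigger Windows Update detection. The script below is an added example (not from the deck and not Microsoft's own tooling) of a login-script style wrapper around exactly the switches shown. The share path, the log path and the use of the Definition Updates folder as an "already installed" indicator are assumptions; the server and group names are the ones from the slide's example syntax.

```powershell
# Added example: wrapper around the clientsetup.exe syntax shown on the slides.
param(
    [string]$SetupPath   = '\\fileserver\fcs\clientsetup.exe',        # assumed share path
    [string]$MomServer   = 'momserver3',                               # from the slide's example
    [string]$ConfigGroup = 'fcsgroup',                                 # from the slide's example
    [string]$LogPath     = "$env:windir\Temp\fcs-clientsetup.log"      # assumed log location
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Assumed install indicator: the definition-update folder named on the
# "Signature Details" slide (XP-era profile layout) exists once the AM agent is present.
$defPath = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates'
if (Test-Path $defPath) {
    Write-Log "FCS client already present ($defPath); nothing to do."
    return
}

if (-not (Test-Path $SetupPath)) {
    Write-Log "ERROR: clientsetup.exe not found at $SetupPath"
    exit 2
}

# Run clientsetup.exe with the /MS and /CG switches from the slide. Start-Process
# lets us wait for completion and read the exit code for the log.
Write-Log "Starting clientsetup.exe /MS $MomServer /CG $ConfigGroup"
$proc = Start-Process -FilePath $SetupPath -ArgumentList "/MS $MomServer /CG $ConfigGroup" -Wait -PassThru
Write-Log "clientsetup.exe exited with code $($proc.ExitCode)"

if ($proc.ExitCode -ne 0) {
    Write-Log "ERROR: install failed; see the setup log written by clientsetup.exe"
    exit $proc.ExitCode
}

# Speed-up steps from the WSUS slide: apply the FCS policy now via Group Policy,
# then ask the Windows Update client to look for the FCS definitions immediately
# instead of waiting for the next scheduled detection cycle.
Write-Log "Refreshing Group Policy and triggering Windows Update detection"
& gpupdate.exe /force | Out-Null
& wuauclt.exe /detectnow
Write-Log "Done."
```

Because the MOM agent, SSA agent and AM agent are all installed by clientsetup.exe, a non-zero exit code is the only signal this wrapper needs; the per-task detail lives in the log file clientsetup.exe writes itself.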
18. Deploy FCS agent with WSUS Step 1 - In WSUS: Approve FCS package
19. FCS Policy Settings FCS policy manages the following
Antimalware and Security State Assessment scan settings
Signature override settings
Alert levels and reporting
Advanced settings
Signature check frequency
Path and file extension exclusions
Client UI options
21. Deploying an FCS Policy to a File Ability to deploy and report on a policy distributed outside of Group Policy
Exports the policy to a .reg file
Import on the client using the included FCSLocalPolicyTool.exe
Q: Why can’t I just double-click the .reg file and import?
A1: Service is listening for an update via GP, and this won’t raise the proper event – policy won’t be picked up until you stop/start the service
A2: The tool creates the proper LGPO object, which is the prescribed method to update policy
Can be used to distribute policy to non-AD machines (via scripts or other distribution tool)
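Before a policy exported to a .reg file is pushed to non-AD machines, it is worth knowing exactly which keys and values it will write. The following is an added example (not the deck's or the product's code) of a small parser for the .reg export format that lists the entries and flags anything outside an expected hive prefix. The sample file content is constructed, and its key path is a placeholder, not the real FCS policy location; the allowed-prefix rule is an assumption.

```powershell
# Added example: parse a .reg export and review what it would write.
function ConvertFrom-RegFile {
    param([string[]]$Lines)
    $entries = @()
    $currentKey = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Skip the header, blank lines and comments
        if ($line -eq '' -or $line -like 'Windows Registry Editor*' -or $line.StartsWith(';')) { continue }
        # [HKEY_...\Path] starts a new key section
        if ($line -match '^\[(.+)\]$') { $currentKey = $Matches[1]; continue }
        # "Name"=value  or  @=value (default value)
        if ($line -match '^"(?<name>[^"]+)"=(?<value>.+)$' -or $line -match '^(?<name>@)=(?<value>.+)$') {
            $name   = $Matches['name']
            $value  = $Matches['value']
            $type   = 'REG_SZ'
            $parsed = $value
            if ($value -match '^dword:([0-9a-fA-F]{8})$') {
                $type = 'REG_DWORD'; $parsed = [Convert]::ToInt32($Matches[1], 16)
            } elseif ($value -match '^"(.*)"$') {
                # Strip quotes and undo the \\ and \" escaping used in .reg files
                $parsed = $Matches[1] -replace '\\\\', '\' -replace '\\"', '"'
            } elseif ($value -eq '-') {
                $type = 'DELETE'; $parsed = $null          # "Name"=- removes the value
            } elseif ($value -match '^hex') {
                $type = 'REG_BINARY'                        # left unparsed for review
            }
            $entries += [pscustomobject]@{ Key = $currentKey; Name = $name; Type = $type; Value = $parsed }
        }
    }
    return $entries
}

# Constructed sample export; the key path is a placeholder, not an FCS path.
$sampleReg = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ExampleVendor\ExampleProduct]
"ScanScheduleTime"=dword:00000002
"ExclusionPaths"="C:\\Temp;D:\\Builds"
"LegacySetting"=-
'@ -split "`r?`n"

$allowedPrefix = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\'     # assumed review rule
$entries = ConvertFrom-RegFile -Lines $sampleReg
$entries | Format-Table Key, Name, Type, Value -AutoSize
$outside = @($entries | Where-Object { -not $_.Key.StartsWith($allowedPrefix, 'OrdinalIgnoreCase') })
if ($outside.Count -gt 0) { Write-Warning "Policy file writes outside $allowedPrefix" }
```

The import itself still goes through FCSLocalPolicyTool.exe, for the reasons the slide gives; this review only answers "what does this file change" before it is handed to a distribution script.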
22. Deploying a Policy to a File - Why it's not recommended
23. Signature deployment optimized for Windows Server Update Services (WSUS)
Can use any software distribution system
Auto and manual approval of definitions
Client Security installs an Update Assistant service to:
Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
Support for roaming users
Failover from WSUS to Microsoft Update
24. Signature Distribution Channels Microsoft Update - http://update.microsoft.com
Windows Server Update Services (WSUS)
Supports WSUS 2.0 SP1 and 3.0
Manual download and distribution via other software (SMS, login script, etc.)
Through signature download site
25. FCS Distribution Server WSUS
WSUS assistant (if WSUS 2.0)
Force WSUS 2.0 to sync up with Microsoft Update hourly
Not needed in WSUS 3.0
Auto-approval rules for FCS definition updates
Subscribe to FCS product category and definition update classification
26. Signature Details On client machine installed at:
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates
27. Signature Details
28. Signature Package Overview mpam-fe.exe
Antimalware Full + Engine package (for x86, amd64, ia64)
Contains engine (mpengine.dll), mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe.
Size of 11M
mpam-d.exe:
Antimalware Delta package contains AV and AS signatures.
Contains mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe.
Size < 0.5M
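Knowing where the definition files live and what the full and delta packages contain makes it straightforward to verify on a client that signatures are actually arriving from WSUS. The function below is an added example (not from the deck or the product) that inventories those files and reports their age. The folder path and file names are the ones on the slides; the 48-hour staleness threshold and the XP-era default path are assumptions.

```powershell
# Added example: check definition freshness on an FCS client.
function Get-FcsDefinitionStatus {
    param(
        # Path from the "Signature Details" slide (XP-era profile layout; assumed default)
        [string]$DefinitionRoot = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates',
        [int]$MaxAgeHours = 48     # assumed threshold
    )
    # Files laid down by the full (mpam-fe.exe) and delta (mpam-d.exe) packages
    $expected = 'mpengine.dll', 'mpasbase.vdm', 'mpasdlta.vdm', 'mpavbase.vdm', 'mpavdlta.vdm'
    $files = Get-ChildItem -Path $DefinitionRoot -Recurse -File -ErrorAction SilentlyContinue |
             Where-Object { $expected -contains $_.Name.ToLower() }
    $now = Get-Date
    foreach ($name in $expected) {
        # Several versions may exist in sub-folders; report the newest copy of each file
        $f = $files | Where-Object { $_.Name -ieq $name } | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($f) {
            $age = ($now - $f.LastWriteTime).TotalHours
            [pscustomobject]@{
                File     = $name
                Found    = $true
                Updated  = $f.LastWriteTime
                AgeHours = [math]::Round($age, 1)
                Version  = $f.VersionInfo.FileVersion   # populated for mpengine.dll, empty for .vdm
                Stale    = ($age -gt $MaxAgeHours)
            }
        } else {
            [pscustomobject]@{ File = $name; Found = $false; Updated = $null; AgeHours = $null; Version = $null; Stale = $true }
        }
    }
}

$status = Get-FcsDefinitionStatus
$status | Format-Table -AutoSize

# Base .vdm files change rarely, so judge freshness on the newest file overall
# (normally one of the delta files), not on every file individually.
$latest = $status | Where-Object { $_.Found } | Sort-Object Updated -Descending | Select-Object -First 1
if (-not $latest) {
    Write-Warning 'No definition files found: agent not installed, or the path differs on this OS.'
} elseif ($latest.AgeHours -gt 48) {
    Write-Warning "Definitions last updated $($latest.Updated); check WSUS approval and sync."
}
```

A fleet-wide version of this check is what the Update Assistant service and WSUS auto-approval are meant to make unnecessary; running it on a few clients after changing the WSUS sync or approval rules confirms the delta packages are flowing.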
29. Scans Quick scan
Full scan
Custom scan
Not:
Removable disk
Network disk
Single folder
30. Engine Real-time protection
Uses kernel-mode mini-filter
Static analysis
Emulation
Executes in sandbox - to unpack
Heuristics
Detects user-mode rootkits
Checks API detouring (= tunneling signatures)
31. FCS monitoring options Enterprise Security Dashboard
High level view of the Organization Security State
Alerts
Actionable Immediate Alerts on Security Incidents
Reports
Investigation of Security Issues Through Security State Visualization of Both Online and Historical Data
32. Enterprise Security Dashboard Reports
Alerts
Configuration
Live Data
Change Indication
33. Reports Security Focused
Allow Investigation
Drill Down
Current vs. Historical
Filtering, Grouping, Adjusting
Email Subscriptions
Limited Extensibility in V1.0
34. Main Report
35. Reports
38. Alert Types
39. Alert configuration is policy specific
Alerts notify admin of high-value incidents, including:
40. FCS Alert Levels Pre-canned Configuration for
Management Attention
Asset Value
5 Levels of Attention
Detailed alerts for operational servers
Low sensitivity for desktops
Even less attention to Kiosk machines
Set via FCS Policies
41. Alert Design Guidelines Important – Only significant security incidents
Actionable – Each alert represents a work item
Timely – Relevant for immediate action
Few – No more than a few events per day
Correct – Minimize false positives
42. Email alerts and reports Alerts
In MOM 2005 Admin Console
Define email server (SMTP)
Add "operator" to Client Security Notification Group
Reports
In SQL Server 2005 Reporting Services
Define email settings (SMTP)
In http://<server>/reports
Create report subscription
43. FCS Alerts What is an alert
Kinds of alerts we have
Criteria for a good alert
Why alerts
Security operator productive
A list of actionable things
How to use and configure alerts
Alert Levels
The MOM operator console
44. Alert Design Guidelines Important
Only significant security incidents
Actionable
Each alert represents a work item
Timely
Relevant for immediate action
Few
No more than a few events per day
Correct
Minimize false positives
45. FCS Alert Level Pre-canned Configuration for
Management attention
Asset value
5 Levels of Attention
Detailed alerts for operational servers
Low sensitivity for desktops
Even less attention to Kiosk machines
Set via FCS Policies
46. Security State Assessment Checks - Evaluation Process Retrieve machine settings from available sources
E.g. Registry, WMI, File System, WUA, Firewall
Evaluate configuration against known criteria
Assign score based on compliance with security best practices
High, Medium, Low, or Informational
Aggregate and report on results across multiple machines
47. Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
Effective Malware Protection supported by Microsoft Malware Response Center
Integration with the existing environment makes FCS easier to manage
Visibility over vulnerabilities helps proactively secure the environment against upcoming attacks
An integral part of Microsoft Forefront
Download free evaluation software: http://www.microsoft.com/forefront/serversecurity
49. Extra Slides
52. Problems Addressed Limited visibility into the security state of the enterprise
Which clients are vulnerable to exploitation?
Which clients expose an increased surface area for attack?
Difficult to prioritize security issues based on impact to an organization
Are my clients vulnerable to infection from this virus?
Can my clients be re-infected by the same virus?
IT resources focused on reacting to threats rather than managing vulnerabilities
53. Goals Provide visibility into vulnerabilities and insecure configurations on managed clients
Help customers focus efforts on managing vulnerability exposure instead of reacting to malware threats
54. Solution Approach SSA Agents
Installed on managed clients to perform state assessment scans
Security Checks
Detect common vulnerabilities and missing security updates
Compare system configuration against security best practices
FCS Reports
Surface issues found across the enterprise
Reports help focus IT resources on the right security issues
55. Drilldown: Scheduled Scans - FCS Scan Policy Time-Based Scan
Scan once per day at the specified time
Scan When Missed - Option to scan after reboot if a daily scan was unable to run at the scheduled time
Interval-Based Scan
Scans once every N hours
Scans can occur more than once per day
56. Drilldown: On-Demand Scans - FCS Console Invoked by “Scan Now…” button in FCS Console
Allow users to trigger scans immediately
Can target a single machine or all managed computers
Performs both AM and SSA scans
57. Security State Assessment Checks - Overview Types of vulnerabilities:
Missing security updates
Configuration exposures
Checks “power” SSA scans:
Assess Security State – System settings and patch status
Evaluate Vulnerability Risk – Assign score based on compliance with security best practices
58. Drilldown: Security Updates Check - Overview Two types of updates reported:
Security Bulletins – Updates that address specific security vulnerabilities
Cumulative Security Updates – Rollups & Service Packs that supersede security updates
Updates categorized by Product Family
59. Drilldown: Security Updates Check - Detection Logic Security updates are “missing” if:
Required updates are not installed
Installed updates require system restart
Built on Windows Update platform:
Update search performed against default Update Server (WSUS or MU)
Only detects approved security updates when scanning against WSUS
Reports connection failures to Update Server
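The detection logic on this slide maps directly onto the Windows Update Agent API that the check is built on. The function below is an added example (not the product's own SSA code) that reproduces it: query the machine's default update server for updates that are not installed or are installed but waiting for a restart, treat both as "missing", and report a search failure as a connection failure rather than as "nothing missing". The search criteria strings are documented WUA syntax; the severity ranking used for the summary is an assumption.

```powershell
# Added example: "missing security update" logic via the Windows Update Agent COM API.
function Get-MissingSecurityUpdates {
    try {
        $session  = New-Object -ComObject 'Microsoft.Update.Session'
        $searcher = $session.CreateUpdateSearcher()
        # Searches go to the machine's default update server (WSUS or Microsoft Update);
        # against WSUS only approved updates are returned, exactly as the slide notes.
        $notInstalled  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
        $pendingReboot = $searcher.Search("IsInstalled=1 and RebootRequired=1").Updates
    } catch {
        # Mirrors "Reports connection failures to Update Server"
        return [pscustomobject]@{ Status = 'ConnectionFailure'; Error = $_.Exception.Message; Updates = @() }
    }

    $results = @()
    foreach ($set in @($notInstalled, $pendingReboot)) {
        foreach ($u in $set) {
            $results += [pscustomobject]@{
                Title    = $u.Title
                Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }   # empty for rollups/service packs
                KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
                Reason   = if ($u.IsInstalled) { 'RestartPending' } else { 'NotInstalled' }
            }
        }
    }
    return [pscustomobject]@{ Status = 'OK'; Error = $null; Updates = $results }
}

# Assumed ranking for the summary line (MSRC severity labels)
$rank = @{ Critical = 4; Important = 3; Moderate = 2; Low = 1; 'n/a' = 0 }

$scan = Get-MissingSecurityUpdates
if ($scan.Status -ne 'OK') {
    Write-Warning "Could not reach the update server: $($scan.Error)"
} elseif ($scan.Updates.Count -eq 0) {
    'No missing security updates reported by the default update server.'
} else {
    $scan.Updates | Sort-Object { $rank[$_.Severity] } -Descending | Format-Table Severity, Reason, KB, Title -AutoSize
    $worst = ($scan.Updates | Sort-Object { $rank[$_.Severity] } -Descending | Select-Object -First 1).Severity
    "Missing: $($scan.Updates.Count) update(s); highest MSRC severity: $worst"
}
```

The search can take a minute or more on a client with a large update history, which is one reason SSA runs it on a schedule rather than interactively.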
60. Drilldown: Windows Firewall Check - Overview Provides central monitoring of Windows Firewall
Gives visibility into end-user configuration
Reports on:
Firewall status (on/off)
User-defined exceptions
Applicability to each network interface
61. Drilldown: Windows Firewall Check - Evaluation Logic Firewall Status
If disabled on any network interface, score is “High”
If configured by Group Policy, score is “Informational”
Exceptions
Enumerates each port and application exception
Any exception not configured via GP, score is “Medium”
If configured by Group Policy, scores as “Informational”
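The Windows Firewall check is a compact instance of the SSA evaluation process described on the "Security State Assessment Checks - Evaluation Process" slide: retrieve settings, evaluate against criteria, assign High/Medium/Low/Informational, then aggregate across machines. The code below is an added example (not the deck's or the product's code) that applies this slide's scoring rules to a constructed snapshot of two machines' firewall state and then aggregates the results the way the "Computers by Score" report does. The object shape for the snapshot is an assumption, as is the "enabled locally, not by GP" case, which the slide does not score and which is reported here as Informational with a note.

```powershell
# Added example: Windows Firewall check scoring plus cross-machine aggregation.
function Get-FirewallStatusScore {
    param([object[]]$Interfaces)   # each: Name, Enabled, ConfiguredByGroupPolicy (assumed shape)
    # "If disabled on any network interface, score is High"
    $disabled = @($Interfaces | Where-Object { -not $_.Enabled })
    if ($disabled.Count -gt 0) {
        return [pscustomobject]@{ Check = 'FirewallStatus'; Score = 'High'
                                  Detail = 'Disabled on: ' + (($disabled | ForEach-Object { $_.Name }) -join ', ') }
    }
    # "If configured by Group Policy, score is Informational"
    $byGp = @($Interfaces | Where-Object { $_.ConfiguredByGroupPolicy })
    if ($byGp.Count -eq $Interfaces.Count) {
        return [pscustomobject]@{ Check = 'FirewallStatus'; Score = 'Informational'; Detail = 'Enabled and enforced by Group Policy' }
    }
    # Enabled everywhere but set locally: not scored on the slide; assumed Informational
    return [pscustomobject]@{ Check = 'FirewallStatus'; Score = 'Informational'; Detail = 'Enabled locally (not enforced by GP; assumed score)' }
}

function Get-FirewallExceptionScores {
    param([object[]]$Exceptions)   # each: Name, Kind ('Port' or 'Application'), ConfiguredByGroupPolicy
    foreach ($e in $Exceptions) {
        # "Any exception not configured via GP, score is Medium; if configured by GP, Informational"
        $score  = if ($e.ConfiguredByGroupPolicy) { 'Informational' } else { 'Medium' }
        $detail = if ($e.ConfiguredByGroupPolicy) { 'Set by Group Policy' } else { 'User-defined exception' }
        [pscustomobject]@{ Check = "Exception:$($e.Kind):$($e.Name)"; Score = $score; Detail = $detail }
    }
}

# Constructed sample snapshots for two machines (not real data)
$machines = @(
    [pscustomobject]@{ Name = 'WKS01'
        Interfaces = @([pscustomobject]@{ Name = 'LAN'; Enabled = $true; ConfiguredByGroupPolicy = $true })
        Exceptions = @([pscustomobject]@{ Name = 'File and Printer Sharing'; Kind = 'Port'; ConfiguredByGroupPolicy = $true }) },
    [pscustomobject]@{ Name = 'WKS02'
        Interfaces = @([pscustomobject]@{ Name = 'LAN';  Enabled = $true;  ConfiguredByGroupPolicy = $false },
                       [pscustomobject]@{ Name = 'WLAN'; Enabled = $false; ConfiguredByGroupPolicy = $false })
        Exceptions = @([pscustomobject]@{ Name = 'C:\Tools\remote.exe'; Kind = 'Application'; ConfiguredByGroupPolicy = $false }) }
)

# Aggregate: worst finding per machine, then count machines by score
$rank = @{ High = 3; Medium = 2; Low = 1; Informational = 0 }
$summary = foreach ($m in $machines) {
    $findings = @(Get-FirewallStatusScore $m.Interfaces) + @(Get-FirewallExceptionScores $m.Exceptions)
    $worst = $findings | Sort-Object { $rank[$_.Score] } -Descending | Select-Object -First 1
    [pscustomobject]@{ Computer = $m.Name; WorstScore = $worst.Score; Findings = $findings.Count; Detail = $worst.Detail }
}
$summary | Format-Table -AutoSize
'Computers by score:'
$summary | Group-Object WorstScore | Select-Object Name, Count
```

With the sample data, WKS01 scores Informational on every finding while WKS02 scores High (WLAN interface disabled) with a Medium user-defined application exception beneath it; the aggregation therefore reports one High and one Informational computer.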
62. Drilldown: Configuration Checks - Checks Available in FCS
63. Drilldown: Configuration Checks - Checks Available in FCS
64. Drilldown: Configuration Checks - Detailed Descriptions Each check is like a different feature
Administrators can judge risk represented by each by understanding how each check is evaluated and scored
Each check documented on TechNet
http://technet.microsoft.com/en-us/library/bb418830.aspx
Includes information on evaluation criteria, scores, and possible results
65. Reporting Results - Bringing Visibility to Issues SSA scan results:
Collected from managed clients
Aggregated to determine vulnerability exposure and overall risk
Drilldown into issues:
Console – Number of computers reporting critical vulnerabilities
Security Summary – Top 5 vulnerability exposures
SSA Summary – All vulnerability issues in the enterprise
Vulnerability Detail – Enterprise exposure to a single vulnerability
Computer Detail – All SSA results for a single client
66. Drilldown: Console - Overview of Security Issues Computers Reporting Critical Issues:
Percentage of managed computers reporting critical issues
Includes: malware detection events, missing security updates
Links to FCS Reports:
Security Summary Report
SSA Summary Report
67. Drilldown: Console - Overview of Security Issues
68. Drilldown: Security Summary Report - Overview of Vulnerability Issues Top Vulnerabilities
Top 5 vulnerabilities currently exposed in the enterprise
Prioritized by risk and exposure
Vulnerability Trend
Shows trend in vulnerability exposure over the past month
69. Drilldown: SSA Summary Report - Overview of SSA Results Computers by Score
Breakdown of computers by risk of vulnerability exposure
Computers by MSRC Severity
Breakdown of computers by security bulletin severity value
Vulnerabilities List
List of security issues prioritized by risk factor and exposure in the enterprise
Drill through to specific issue reports
70. Drilldown: SSA Summary Report - Computers by Score
71. Drilldown: SSA Summary Report - High Score Computers by MSRC Severity