
Ronald Beekelaar Beekelaar Consultancy ronaldbeekelaar




Presentation Transcript


    1. Ronald Beekelaar Beekelaar Consultancy ronald@beekelaar.com

    2. Introductions
       - Presenter: Ronald Beekelaar
         - MVP Windows Security
         - MVP Virtual Machine Technology
         - E-mail: ronald@beekelaar.com
       - Work: Beekelaar Consultancy
         - Security consultancy: Forefront, IPSec, PKI
         - Virtualization consultancy: creates many VM-based labs and demos

    3. Agenda - FCS
       - Architecture
       - Deployment
         - FCS server roles
         - FCS agents
         - FCS policies
       - Definition updates
         - Signatures and engine
       - Scans and engine
       - Reports & alerts


    6. Architecture

    7. Architecture

    8. Deployment
       - Deploy FCS server: multiple server roles
       - Deploy FCS client to client computers: client scanning and user interface
       - Deploy FCS policy: configuration settings
       - Deploy FCS definition updates: signatures and engine

    9. FCS Server Supported Matrix

    10. Server Software Prerequisites
       Prerequisites for FCS Server:
       - SQL 2005 SP1
       - SQL 2005 Reporting SP1
       - WSUS 2.0 SP1 or later
       - GPMC
       - MMC 3.0
       - .NET Framework 2.0
       - IIS 6.0
       - MOM 2005 hotfixes for SQL 2005

    11. What ships as part of FCS?
       FCS Server deliverable includes:
       - MOM 2005 SP1
       - MOM 2005 Reporting SP1
       - MOM hotfixes required by FCS
       - FCS console + reports
       FCS Clients deliverable includes:
       - FCS AntiMalware
       - Security State Assessment
       - MOM Agent 2005 SP1
       - FCSLocalPolicyTool.exe

    12. MOM 2005 – Challenges & Solutions
       Challenges:
       - Desktop management focus
       - Collection scalability
       - Cross-machine alerts
       - Specialized views on live data
       - Application vs. platform
       Solutions:
       - A dedicated MOM 2005 installation
       - Reduced event stream
       - Special configuration and base MOM pack
       - Custom schema
       - Multi-homing (deployment and versions)
       - Server-based analysis
       - Reporting against the operational database
       - Auto-approval for new agents + flood resiliency
       Future: System Center Operations Manager

    13. FCS Server Roles

    14. FCS Server Deployment - Topologies FCS supports the following topologies

    15. FCS Client - Support

    16. FCS Client - Setup
       - No UI (command line). Example syntax:
           clientsetup.exe /MS momserver3 /CG fcsgroup
           clientsetup.exe /nomom
       - Install tasks:
         - Prerequisite checking
         - Installing MOM agent, FCS SSA agent and FCS AM agent
         - Logging actions and errors to a file
       - How to deploy the client software:
         - Group Policy
         - SMS
         - Other third-party distribution tool
         - Login scripts
         - WSUS

    17. Deploy FCS agent with WSUS
       - Recommended way to deploy the FCS agent
       - Step 0 - Remove existing antivirus software (for scripts, see www.codeplex.com/fcscompete)
       - Step 1 - In WSUS: approve the FCS package
       - Step 2 - On server: create and deploy the FCS policy
       - Step 3 - Client: will install the FCS agent from WSUS
       - Speed up (after uninstalling the existing anti-virus):
           gpupdate.exe /force
           wuauclt.exe /detectnow

    18. Deploy FCS agent with WSUS Step 1 - In WSUS: Approve FCS package

    19. FCS Policy Settings
       FCS policy manages the following:
       - Antimalware and Security State Assessment scan settings
       - Signature override settings
       - Alert levels and reporting
       - Advanced settings
         - Signature check frequency
         - Path and file extension exclusions
         - Client UI options

    21. Deploying an FCS Policy to a File
       - Ability to deploy and report on a policy distributed outside of Group Policy
       - Exports the policy to a .reg file
       - Import on the client using the included FCSLocalPolicyTool.exe
       - Q: Why can't I just double-click the .reg file and import it?
         - A1: The service is listening for an update via GP, and a plain .reg import won't raise the proper event; the policy won't be picked up until you stop/start the service
         - A2: The tool creates the proper LGPO object, which is the prescribed method to update policy
       - Can be used to distribute policy to non-AD machines (via scripts or other distribution tool)

    22. Deploying a Policy to a File Why it's not recommended

    23. Signature deployment
       - Optimized for Windows Server Update Services (WSUS)
       - Can use any software distribution system
       - Auto and manual approval of definitions
       - Client Security installs an Update Assistant service to:
         - Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
         - Support roaming users
         - Fail over from WSUS to Microsoft Update

    24. Signature Distribution Channels
       - Microsoft Update - http://update.microsoft.com
       - Windows Server Update Services (WSUS): supports WSUS 2.0 SP1 and 3.0
       - Manual download and distribution via other software (SMS, login script, etc.), through the signature download site

    25. FCS Distribution Server
       - WSUS
       - WSUS assistant (if WSUS 2.0): forces WSUS 2.0 to sync with Microsoft Update hourly; not needed in WSUS 3.0
       - Auto-approval rules for FCS definition updates: subscribe to the FCS product category and the definition update classification

    26. Signature Details
       On the client machine, installed at:
           C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates

    27. Signature Details

    28. Signature Package Overview
       - mpam-fe.exe: Antimalware full + engine package (for x86, amd64, ia64). Contains the engine (mpengine.dll), mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe. Size 11M
       - mpam-d.exe: Antimalware delta package; contains AV and AS signatures. Contains mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe. Size < 0.5M

    29. Scans
       - Quick scan
       - Full scan
       - Custom scan
       - Not: removable disk, network disk, single folder

    30. Engine
       - Real-time protection: uses a kernel-mode mini-filter
       - Static analysis
       - Emulation: executes in a sandbox, to unpack
       - Heuristics
       - Detects user-mode rootkits: checks API detouring (= tunneling signatures)

    31. FCS monitoring options
       - Enterprise Security Dashboard: high-level view of the organization's security state
       - Alerts: actionable, immediate alerts on security incidents
       - Reports: investigation of security issues through security state visualization of both online and historical data

    32. Enterprise Security Dashboard
       - Reports
       - Alerts
       - Configuration
       - Live data
       - Change indication

    33. Reports
       - Security focused
       - Allow investigation: drill down, current vs. historical, filtering, grouping, adjusting
       - Email subscriptions
       - Limited extensibility in V1.0

    34. Main Report

    35. Reports

    38. Alert Types

    39. Alert configuration is policy specific. Alerts notify the admin of high-value incidents, including:

    40. FCS Alert Levels
       - Pre-canned configuration for management attention
       - Asset value: 5 levels of attention
         - Detailed alerts for operational servers
         - Low sensitivity for desktops
         - Even less attention to kiosk machines
       - Set via FCS policies

    41. Alert Design Guidelines
       - Important: only significant security incidents
       - Actionable: each alert represents a work item
       - Timely: relevant for immediate action
       - Few: no more than a few events per day
       - Correct: minimize false positives

    42. Email alerts and reports
       Alerts:
       - In MOM 2005 Admin Console
       - Define email server (SMTP)
       - Add "operator" to Client Security Notification Group
       Reports:
       - In SQL Server 2005 Reporting Services
       - Define email settings (SMTP)
       - In http://<server>/reports, create a report subscription

    43. FCS Alerts
       - What is an alert
         - Kinds of alerts we have
         - Criteria for a good alert
       - Why alerts
         - Keep the security operator productive
         - A list of actionable things
       - How to use and configure alerts
         - Alert levels
         - The MOM operator console

    44. Alert Design Guidelines
       - Important: only significant security incidents
       - Actionable: each alert represents a work item
       - Timely: relevant for immediate action
       - Few: no more than a few events per day
       - Correct: minimize false positives

    45. FCS Alert Level
       - Pre-canned configuration for management attention
       - Asset value: 5 levels of attention
         - Detailed alerts for operational servers
         - Low sensitivity for desktops
         - Even less attention to kiosk machines
       - Set via FCS policies

    46. Security State Assessment Checks - Evaluation Process
       - Retrieve machine settings from available sources (e.g. Registry, WMI, file system, WUA, firewall)
       - Evaluate configuration against known criteria
       - Assign a score based on compliance with security best practices: High, Medium, Low, or Informational
       - Aggregate and report on results across multiple machines

    47.
       - Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
       - Effective malware protection supported by the Microsoft Malware Response Center
       - Integration with the existing environment makes FCS easier to manage
       - Visibility over vulnerabilities helps proactively secure the environment against upcoming attacks
       - An integral part of Microsoft Forefront
       - Download free evaluation software: http://www.microsoft.com/forefront/serversecurity

    49. Extra Slides

    52. Problems Addressed
       - Limited visibility into the security state of the enterprise
         - Which clients are vulnerable to exploitation?
         - Which clients expose an increased surface area for attack?
       - Difficult to prioritize security issues based on impact to an organization
         - Are my clients vulnerable to infection from this virus?
         - Can my clients be re-infected by the same virus?
       - IT resources focused on reacting to threats rather than managing vulnerabilities

    53. Goals
       - Provide visibility into vulnerabilities and insecure configurations on managed clients
       - Help customers focus efforts on managing vulnerability exposure instead of reacting to malware threats

    54. Solution Approach
       - SSA agents: installed on managed clients to perform state assessment scans
       - Security checks: detect common vulnerabilities and missing security updates; compare system configuration against security best practices
       - FCS reports: surface issues found across the enterprise; reports help focus IT resources on the right security issues

    55. Drilldown: Scheduled Scans (FCS Scan Policy)
       - Time-based scan
         - Scan once per day at the specified time
         - Scan When Missed: option to scan after reboot if a daily scan was unable to run at the scheduled time
       - Interval-based scan
         - Scans once every N hours
         - Scans can occur more than once per day
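To make the two scheduling modes on slide 55 concrete, here is an added example (not FCS code, and not from the presenter) that models a time-based daily scan with and without "Scan When Missed", and an interval-based scan. The policy classes, the function names, the one-minute scheduler granularity and the constructed tick/reboot timeline are all assumptions of this example; the point it shows is how a missed 02:00 slot is only caught up after a reboot when the option is on, and how an 8-hour interval yields several scans in one day.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Sequence, Union

# Added example modelling slide 55. Policy classes, function names and the
# tick/boot timeline are constructed for illustration; they are not FCS APIs.


@dataclass(frozen=True)
class TimeBasedPolicy:
    scan_time: time          # one scan per day at this clock time
    scan_when_missed: bool   # if the slot was missed, scan after the next reboot


@dataclass(frozen=True)
class IntervalPolicy:
    every_hours: int         # one scan every N hours; may be several per day


Policy = Union[TimeBasedPolicy, IntervalPolicy]
TICK = timedelta(minutes=1)  # assumed granularity of the scheduler's clock check


def time_based_due(policy: TimeBasedPolicy, last_scan: Optional[datetime],
                   now: datetime, just_booted: bool) -> bool:
    """Should the daily scan start at `now`?"""
    # Most recent scheduled slot at or before `now`.
    slot = datetime.combine(now.date(), policy.scan_time)
    if slot > now:
        slot -= timedelta(days=1)
    if last_scan is not None and last_scan >= slot:
        return False                       # already ran for this slot
    if now - slot < TICK:
        return True                        # the scheduler hit the slot on time
    # The slot went by without a scan (machine was off, for example):
    # catch up only if the policy allows it and we have just rebooted.
    return policy.scan_when_missed and just_booted


def interval_due(policy: IntervalPolicy, last_scan: Optional[datetime],
                 now: datetime) -> bool:
    """Should an interval scan start at `now`?"""
    return last_scan is None or now - last_scan >= timedelta(hours=policy.every_hours)


def simulate(policy: Policy, ticks: Sequence[datetime],
             boots: Sequence[datetime] = ()) -> List[datetime]:
    """Replay scheduler ticks (a gap in ticks = machine off) and return scan start times."""
    last: Optional[datetime] = None
    started: List[datetime] = []
    for t in ticks:
        if isinstance(policy, IntervalPolicy):
            due = interval_due(policy, last, t)
        else:
            due = time_based_due(policy, last, t, just_booted=t in boots)
        if due:
            started.append(t)
            last = t
    return started


def hourly(start: datetime, end: datetime) -> List[datetime]:
    """Constructed scheduler ticks: one per hour from start to end inclusive."""
    ticks, t = [], start
    while t <= end:
        ticks.append(t)
        t += timedelta(hours=1)
    return ticks


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: the machine is off from 01:00 to 09:00 on day 2,
    so the 02:00 daily slot on day 2 is missed and a reboot happens at 09:00."""
    d1, d2 = datetime(2007, 1, 1), datetime(2007, 1, 2)
    ticks = hourly(d1, d2 + timedelta(hours=1)) + hourly(d2 + timedelta(hours=9), d2 + timedelta(hours=12))
    reboot = [d2 + timedelta(hours=9)]
    return {
        "catch_up": [t.isoformat() for t in simulate(TimeBasedPolicy(time(2, 0), True), ticks, reboot)],
        "no_catch_up": [t.isoformat() for t in simulate(TimeBasedPolicy(time(2, 0), False), ticks, reboot)],
        "every_8h": [t.isoformat() for t in simulate(IntervalPolicy(8), hourly(d1, d2))],
    }


if __name__ == "__main__":
    for name, starts in demo().items():
        print(name, starts)
```

With "Scan When Missed" on, the day-2 scan runs at the 09:00 reboot instead of being skipped until the next 02:00 slot; with it off, the machine goes a full day without a scan, which is the gap the option exists to close.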

    56. Drilldown: On-Demand Scans (FCS Console)
       - Invoked by the "Scan Now…" button in the FCS Console
       - Allows users to trigger scans immediately
       - Can target a single machine or all managed computers
       - Performs both AM and SSA scans

    57. Security State Assessment Checks - Overview
       - Types of vulnerabilities:
         - Missing security updates
         - Configuration exposures
       - Checks "power" SSA scans:
         - Assess security state: system settings and patch status
         - Evaluate vulnerability risk: assign a score based on compliance with security best practices

    58. Drilldown: Security Updates Check - Overview
       - Two types of updates reported:
         - Security bulletins: updates that address specific security vulnerabilities
         - Cumulative security updates: rollups & service packs that supersede security updates
       - Updates categorized by product family

    59. Drilldown: Security Updates Check - Detection Logic
       - Security updates are "missing" if:
         - Required updates are not installed
         - Installed updates require a system restart
       - Built on the Windows Update platform:
         - Update search performed against the default update server (WSUS or MU)
         - Only detects approved security updates when scanning against WSUS
         - Reports connection failures to the update server

    60. Drilldown: Windows Firewall Check - Overview
       - Provides central monitoring of Windows Firewall
       - Gives visibility into end-user configuration
       - Reports on:
         - Firewall status (on/off)
         - User-defined exceptions
         - Applicability to each network interface

    61. Drilldown: Windows Firewall Check - Evaluation Logic
       - Firewall status
         - If disabled on any network interface, score is "High"
         - If configured by Group Policy, score is "Informational"
       - Exceptions
         - Enumerates each port and application exception
         - Any exception not configured via GP: score is "Medium"
         - If configured by Group Policy, scores as "Informational"
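The evaluation process on slide 46 (collect settings, evaluate, score, aggregate), the security-updates detection logic on slide 59 and the firewall scoring on slide 61 fit together as one pipeline. The following is an added example that models that pipeline over a small constructed fleet; it is not FCS code and not from the presenter. All type and function names, the sample hosts and the "KB-EXAMPLE-n" update identifiers are constructed; the slides state the High/Medium/Informational outcomes for the firewall check but give no score for a missing update, an unreachable update server, or the precedence when a firewall is both Group-Policy-managed and disabled on an interface, so each of those choices is marked as an assumption in the code. The aggregation goes a step beyond the slides by also ordering issues by score and number of affected machines, in the spirit of the top-vulnerabilities report on slide 68.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example modelling SSA evaluation (slides 46, 59, 61). Types, functions,
# hosts and update IDs are constructed for illustration; nothing here is FCS code.

RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


@dataclass(frozen=True)
class FirewallState:
    enabled_per_interface: Dict[str, bool]    # interface name -> firewall on?
    exceptions: Tuple[Tuple[str, bool], ...]  # (exception, set via Group Policy?)
    configured_by_gp: bool                    # firewall status locked by Group Policy


@dataclass(frozen=True)
class UpdateState:
    required: Tuple[str, ...]        # what the update server says is needed
    installed: Tuple[str, ...]
    needs_restart: Tuple[str, ...]   # installed, but not effective until reboot
    server_reachable: bool


@dataclass(frozen=True)
class Finding:
    check: str
    issue: str
    score: str


def firewall_check(fw: FirewallState) -> List[Finding]:
    """Slide 61: score firewall status and each exception."""
    findings: List[Finding] = []
    # Assumption: Group Policy control takes precedence (the user cannot change
    # it), so it reports Informational; otherwise any disabled interface is High.
    if fw.configured_by_gp:
        findings.append(Finding("Windows Firewall", "status set by Group Policy", "Informational"))
    else:
        for name, on in fw.enabled_per_interface.items():
            if not on:
                findings.append(Finding("Windows Firewall", f"disabled on {name}", "High"))
    for exc, via_gp in fw.exceptions:
        findings.append(Finding("Windows Firewall", f"exception {exc}",
                                "Informational" if via_gp else "Medium"))
    return findings


def security_updates_check(up: UpdateState) -> List[Finding]:
    """Slide 59: an update is 'missing' if not installed or if it still needs a restart."""
    if not up.server_reachable:
        # The slide says connection failures are reported; the score is an assumption.
        return [Finding("Security Updates", "cannot reach update server", "Informational")]
    missing = [u for u in up.required if u not in up.installed] + list(up.needs_restart)
    # Assumption: a missing security update scores High (the slides do not say).
    return [Finding("Security Updates", f"missing {u}", "High") for u in missing]


def evaluate(fleet: Dict[str, Tuple[FirewallState, UpdateState]]) -> Dict[str, List[Finding]]:
    """Run both checks on every host (the 'collect and evaluate' steps of slide 46)."""
    return {host: firewall_check(fw) + security_updates_check(up) for host, (fw, up) in fleet.items()}


def machine_score(findings: List[Finding]) -> str:
    """A machine's score is its worst finding; nothing to report means Informational."""
    return max((f.score for f in findings), key=RANK.get, default="Informational")


def computers_by_score(results: Dict[str, List[Finding]]) -> Counter:
    """'Computers by Score' breakdown across the fleet."""
    return Counter(machine_score(f) for f in results.values())


def top_issues(results: Dict[str, List[Finding]], n: int = 5) -> List[Tuple[str, int]]:
    """Non-informational issues ordered by score, then by machines affected."""
    affected: Counter = Counter()
    score: Dict[str, str] = {}
    for findings in results.values():
        for issue, sc in {(f.issue, f.score) for f in findings if f.score != "Informational"}:
            affected[issue] += 1        # each issue counted once per machine
            score[issue] = sc
    return sorted(affected.items(), key=lambda kv: (-RANK[score[kv[0]]], -kv[1], kv[0]))[:n]


# Constructed fleet: hostnames, interface names and KB-EXAMPLE-n IDs are placeholders.
SAMPLE_FLEET = {
    "ws01": (FirewallState({"Local Area Connection": True}, (), False),
             UpdateState(("KB-EXAMPLE-1", "KB-EXAMPLE-2"), ("KB-EXAMPLE-1", "KB-EXAMPLE-2"), (), True)),
    "ws02": (FirewallState({"Local Area Connection": True, "Wireless": False}, (("TCP 3389", False),), False),
             UpdateState(("KB-EXAMPLE-1", "KB-EXAMPLE-2"), ("KB-EXAMPLE-2",), (), True)),
    "srv01": (FirewallState({"Local Area Connection": True}, (("File and Printer Sharing", True),), True),
              UpdateState(("KB-EXAMPLE-1",), ("KB-EXAMPLE-1",), ("KB-EXAMPLE-1",), True)),
    "kiosk01": (FirewallState({"Local Area Connection": True}, (), False),
                UpdateState(("KB-EXAMPLE-1",), (), (), False)),
}

if __name__ == "__main__":
    results = evaluate(SAMPLE_FLEET)
    for host, findings in results.items():
        print(host, machine_score(findings), [(f.issue, f.score) for f in findings])
    print(dict(computers_by_score(results)))
    print(top_issues(results))
```

Two details are worth noticing in the output: srv01 is reported High even though its firewall findings are all Informational, because an update that is installed but still waiting for a restart counts as missing; and kiosk01 shows up as Informational only because its update server could not be reached, which is why the connection failure must surface as its own finding rather than silently producing an empty list.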

    62. Drilldown: Configuration Checks Checks Available in FCS

    63. Drilldown: Configuration Checks Checks Available in FCS

    64. Drilldown: Configuration Checks - Detailed Descriptions
       - Each check is like a different feature
       - Administrators can judge the risk represented by each by understanding how each check is evaluated and scored
       - Each check is documented on TechNet: http://technet.microsoft.com/en-us/library/bb418830.aspx
         - Includes information on evaluation criteria, scores, and possible results

    65. Reporting Results - Bringing Visibility to Issues
       - SSA scan results:
         - Collected from managed clients
         - Aggregated to determine vulnerability exposure and overall risk
       - Drilldown into issues:
         - Console: number of computers reporting critical vulnerabilities
         - Security Summary: top 5 vulnerability exposures
         - SSA Summary: all vulnerability issues in the enterprise
         - Vulnerability Detail: enterprise exposure to a single vulnerability
         - Computer Detail: all SSA results for a single client

    66. Drilldown: Console - Overview of Security Issues
       - Computers Reporting Critical Issues: percentage of managed computers reporting critical issues
         - Includes: malware detection events, missing security updates
       - Links to FCS reports:
         - Security Summary Report
         - SSA Summary Report

    67. Drilldown: Console Overview of Security Issues

    68. Drilldown: Security Summary Report - Overview of Vulnerability Issues
       - Top Vulnerabilities: top 5 vulnerabilities currently exposed in the enterprise, prioritized by risk and exposure
       - Vulnerability Trend: shows the trend in vulnerability exposure over the past month

    69. Drilldown: SSA Summary Report - Overview of SSA Results
       - Computers by Score: breakdown of computers by risk of vulnerability exposure
       - Computers by MSRC Severity: breakdown of computers by security bulletin severity value
       - Vulnerabilities List: list of security issues prioritized by risk factor and exposure in the enterprise; drill through to specific issue reports

    70. Drilldown: SSA Summary Report Computers by Score

    71. Drilldown: SSA Summary Report High Score Computers by MSRC Severity
