Ronald Beekelaar - PowerPoint PPT Presentation

Slides: 70

Transcript and Presenter's Notes

1
Forefront Client Security
  • Ronald Beekelaar
  • Beekelaar Consultancy
  • ronald@beekelaar.com

2
Introductions
  • Presenter Ronald Beekelaar
  • MVP Windows Security
  • MVP Virtual Machine Technology
  • E-mail ronald@beekelaar.com
  • Work
  • Beekelaar Consultancy
  • Security consultancy
  • Forefront, IPSec, PKI
  • Virtualization consultancy
  • Create many VM-based labs and demos

3
Agenda - FCS
  • Architecture
  • Deployment
  • FCS server roles
  • FCS agents
  • FCS policies
  • Definition Updates
  • Signatures and engine
  • Scans and engine
  • Reports & Alerts

4
Unified malware protection for business desktops,
laptops and server operating systems that is
easy to manage and control
  • One solution for virus and spyware protection
  • Uses advanced malware protection technologies
  • Backed by global malware research response
  • One console for simplified security
    administration
  • Deploy signatures and software quickly
  • Integrates with your existing infrastructure
  • One dashboard for real-time visibility into
    threats and vulnerabilities
  • View insightful reports
  • Stay informed with state assessment scans

5
Architecture
6
Architecture
7
Deployment
  • Deploy FCS server
  • Multiple server roles
  • Deploy FCS client to client computers
  • Client scanning and user interface
  • Deploy FCS policy
  • Configuration settings
  • Deploy FCS definition updates
  • Signatures and engine

8
FCS Server Supported Matrix
9
Server Software Prerequisites
  • Prerequisites for FCS Server
  • SQL 2005 SP1
  • SQL 2005 Reporting SP1
  • WSUS 2.0 SP1 or later
  • GPMC
  • MMC 3.0
  • .NET Framework 2.0
  • IIS 6.0
  • MOM 2005 hotfixes for SQL 2005

10
What ships as part of FCS?
  • FCS Server deliverable includes
  • MOM 2005 SP1
  • MOM 2005 Reporting SP1
  • MOM hotfixes required by FCS
  • FCS console reports
  • FCS Clients deliverable includes
  • FCS AntiMalware
  • Security State Assessment
  • MOM Agent 2005 SP1
  • FCSLocalPolicyTool.exe

11
MOM 2005 Challenges & Solutions
  • Challenges
  • Desktop Management Focus
  • Collection Scalability
  • Cross Machine Alerts
  • Specialized Views on Live Data
  • Application vs. Platform
  • Solutions
  • A Dedicated MOM 2005 Installation
  • Reduced Event Stream
  • Special Configuration and Base MOM Pack
  • Custom Schema
  • Multi-homing (deployment and versions)
  • Server Based Analysis
  • Reporting Against The Operational Database
  • Auto Approval for New Agents / Flood resiliency
  • Future: System Center Operations Manager

12
FCS Server Roles
  • Management Server
  • FCS Management Console
  • FCS Client
  • MOM 2005 SP1
  • GPMC
  • FCS functional management pack
  • Reporting Server
  • MOM 2005 SP1 Reporting
  • IIS 6.0
  • Reporting Server Database
  • SQL Server Reporting Service 2005 SP1
  • SQL Server 2005 SP1
  • MOM 2005 SP1 Data Warehouse
  • Collection Server
  • MOM 2005 SP1 Server
  • MOM 2005 SP1 Console
  • Distribution Server
  • WSUS 2.0 SP1 or later
  • FCS Update Assistant
  • Collection Server Database
  • SQL Server 2005 SP1
  • MOM 2005 SP1 Operational Database
  • Configuration Repository

13
FCS Server Deployment - Topologies
  • FCS supports the following topologies

14
FCS Client - Support
15
FCS Client - Setup
  • No UI (command line)
  • Example syntax
  • clientsetup.exe /MS momserver3 /CG fcsgroup
  • clientsetup.exe /nomom
  • Install Tasks
  • Pre-req checking
  • Installing MOM agent, FCS SSA agent and FCS AM
    agent
  • logging actions and errors to a file
  • How to deploy the client software
  • Group Policy
  • SMS
  • Other third party distribution tool
  • Login scripts
  • WSUS

16
Deploy FCS agent with WSUS
  • Recommended way to deploy FCS agent
  • Step 0 - Remove existing antivirus software
  • For scripts, see www.codeplex.com/fcscompete
  • Step 1 - In WSUS: approve the FCS package
  • Step 2 - On the server: create and deploy the FCS policy
  • Step 3 - The client installs the FCS agent from WSUS
  • Speed up (after uninstalling the existing antivirus):
  • gpupdate.exe /force
  • wuauclt.exe /detectnow
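
The two client install paths on slides 15 and 16, as an added PowerShell example that is not code from this deck, from Beekelaar Consultancy or from Microsoft. It refuses to continue while another antivirus product is still registered with Security Center (Step 0), runs clientsetup.exe with the /MS and /CG switches from slide 15 for the direct path (login script, SMS or another distribution tool), or forces the policy refresh and WSUS detection cycle from slide 16, and then polls until the FCS services are running. The share path, the log path and the service names FCSAM, FcsSas and MOM are assumptions rather than names given on the slides; confirm them against one hand-installed client before rolling this out.

```powershell
# Added example, not from the original deck. Assumed names: the share path, the
# log path, and the three service names below (antimalware, SSA, MOM agent).
$FcsServices = @('FCSAM', 'FcsSas', 'MOM')

function Write-DeployLog {
    # Slide 15: setup logs actions and errors to a file; so does this wrapper.
    param([string]$Message, [string]$Path)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Path -Append -Encoding ASCII
}

function Get-OtherAntivirus {
    # Step 0 on slide 16: anything still registered with Security Center must go first.
    # root\SecurityCenter is XP SP2 / Server 2003; root\SecurityCenter2 is Vista and later.
    $products = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        $products += @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
            ForEach-Object { $_.displayName })
    }
    return @($products | Where-Object { $_ -and $_ -notmatch 'Forefront' })
}

function Test-FcsClientInstalled {
    foreach ($name in $FcsServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    }
    return $true
}

function Install-FcsClientDirect {
    # Slide 15 syntax: clientsetup.exe /MS <collection server> /CG <configuration group>
    param([string]$SetupPath, [string]$MomServer, [string]$ConfigGroup, [string]$LogPath)
    if (-not (Test-Path -Path $SetupPath)) { throw "clientsetup.exe not found at $SetupPath" }
    $arguments = "/MS $MomServer /CG $ConfigGroup"
    Write-DeployLog -Message "Running $SetupPath $arguments" -Path $LogPath
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait -PassThru
    Write-DeployLog -Message "clientsetup.exe exit code $($proc.ExitCode)" -Path $LogPath
    return $proc.ExitCode
}

function Install-FcsClientViaWsus {
    # Slide 16: the policy arrives through Group Policy, the package through WSUS.
    param([string]$LogPath, [int]$TimeoutMinutes = 30)
    Write-DeployLog -Message 'Running gpupdate /force and wuauclt /detectnow' -Path $LogPath
    & gpupdate.exe /force | Out-Null
    & wuauclt.exe /detectnow
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-FcsClientInstalled) { return $true }
        Start-Sleep -Seconds 60
    }
    return $false
}

# Usage from a login script or a distribution-tool job (direct path shown;
# replace the Install-FcsClientDirect call with Install-FcsClientViaWsus -LogPath $log
# for the WSUS path of slide 16).
$log = Join-Path $env:SystemRoot 'Temp\fcs-deploy.log'
if (Test-FcsClientInstalled) {
    Write-DeployLog -Message 'FCS client already running, nothing to do' -Path $log
    return
}
$other = Get-OtherAntivirus
if ($other.Count -gt 0) {
    Write-DeployLog -Message "Refusing to install: other antivirus present ($($other -join ', '))" -Path $log
    exit 2
}
$code = Install-FcsClientDirect -SetupPath '\\fileserver\fcs\clientsetup.exe' `
    -MomServer 'momserver3' -ConfigGroup 'fcsgroup' -LogPath $log
if ($code -ne 0 -or -not (Test-FcsClientInstalled)) {
    Write-DeployLog -Message "Install failed or services missing (exit code $code)" -Path $log
    exit 1
}
Write-DeployLog -Message 'FCS client installed and services running' -Path $log
```

The Security Center query only tells you whether a product is registered, not how to remove it; the removal scripts the slide points to at www.codeplex.com/fcscompete still have to run before this wrapper will proceed.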

17
Deploy FCS agent with WSUS
  • Step 1 - In WSUS: approve the FCS package

18
FCS Policy Settings
  • FCS policy manages the following
  • Antimalware and Security State Assessment scan
    settings
  • Signature override settings
  • Alert levels and reporting
  • Advanced settings
  • Signature check frequency
  • Path and file extension exclusions
  • Client UI options

19
Profile Deployment Options

                                   FCS Console                  GPMC                 Existing SW Dist System
Infrastructure used                AD/GP                        AD/GP                SW dist system
Policy distribution via            Console                      GPMC (no ADM file)   Exported files
Targeting granularity              OU-level, Security Groups    Single machine       Single machine
Policy exceptions                  Unlimited                    Unlimited
Enables policy compliance report   Yes                          Yes                  Yes

Existing SW Dist System: agents deployed via the existing software distribution system
20
Deploying an FCS Policy to a File
  • Ability to deploy and report on a policy
    distributed outside of Group Policy
  • Exports the policy to a .reg file
  • Import on the client using FCSLocalPolicyTool.exe
  • Question: Why can't I just double-click the .reg
    file and import it?
  • A1: The service is listening for an update via GP,
    and a plain import won't raise the proper event; the
    policy won't be picked up until you stop/start the
    service
  • A2: The tool creates the proper local GPO
    object, which is the prescribed method to update
    policy
  • Can be used to distribute policy to non-AD
    machines(via scripts or other distribution tool)

21
Deploying a Policy to a File: Why it's not
recommended
22
Keep Systems Up-to-date
Malware Research
  • Signature deployment optimized for Windows Server
    Update Services (WSUS)
  • Can use any software distribution system
  • Auto and manual approval of definitions
  • Client Security installs an Update Assistant
    service to
  • Increase sync frequency between WSUS and
    Microsoft Update (MU) for definitions
  • Support for roaming users
  • Failover from WSUS to Microsoft Update

(Diagram: Microsoft Update -> sync -> WSUS with the Update Assistant -> sync -> desktops, laptops and servers)
23
Signature Distribution Channels
  • Microsoft Update - http://update.microsoft.com
  • Windows Server Update Services (WSUS)
  • Supports WSUS 2.0 SP1 and 3.0
  • Manual download and distribution via other
    software (SMS, login script, etc)
  • Through signature download site

24
FCS Distribution Server
  • WSUS
  • WSUS assistant (if WSUS 2.0)
  • Force WSUS 2.0 to sync up with Microsoft Update
    hourly
  • Not needed in WSUS 3.0
  • Auto-approval rules for FCS definition updates
  • Subscribe to FCS product category and definition
    update classification
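
The auto-approval rule on this slide, as an added PowerShell example that is not code from the deck or from Microsoft. It uses the WSUS 3.0 administration API (the Microsoft.UpdateServices.Administration assembly that ships with the WSUS console) to create the rule scoped to the FCS product category and the Definition Updates classification, applies it to definitions already synchronized, and then lists the newest definition packages with their approval state so you can confirm the rule works. The category title 'Forefront Client Security', the rule name and the target group name are assumptions; 'Definition Updates' is the standard WSUS classification title.

```powershell
# Added example, not from the deck. Requires the WSUS 3.0 console (for the
# administration assembly) and a WSUS administrator account.
# Assumed names: the product category title, the rule name, the target group.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function New-WsusCollection {
    # The rule setters take typed collections, not single objects.
    param($Items, [string]$TypeName)
    $coll = New-Object "Microsoft.UpdateServices.Administration.$TypeName"
    foreach ($item in @($Items)) { [void]$coll.Add($item) }
    return $coll
}

function New-FcsDefinitionApprovalRule {
    param(
        [string]$RuleName            = 'FCS definition updates (auto)',   # assumed
        [string]$ProductTitle        = 'Forefront Client Security',        # assumed category title
        [string]$ClassificationTitle = 'Definition Updates',
        [string]$TargetGroup         = 'All Computers'                     # assumed
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    $category = @($wsus.GetUpdateCategories()      | Where-Object { $_.Title -eq $ProductTitle })
    $class    = @($wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq $ClassificationTitle })
    $group    = @($wsus.GetComputerTargetGroups()  | Where-Object { $_.Name  -eq $TargetGroup })
    if ($category.Count -eq 0) { throw "Product category '$ProductTitle' not synced yet: subscribe to it under Products and Classifications and run a synchronization first" }
    if ($class.Count -eq 0)    { throw "Classification '$ClassificationTitle' not subscribed" }
    if ($group.Count -eq 0)    { throw "Computer target group '$TargetGroup' not found" }

    # Idempotent: reuse the rule if a previous run created it.
    $rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }
    if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($RuleName) }
    $rule.SetCategories((New-WsusCollection -Items $category -TypeName 'UpdateCategoryCollection'))
    $rule.SetUpdateClassifications((New-WsusCollection -Items $class -TypeName 'UpdateClassificationCollection'))
    $rule.SetComputerTargetGroups((New-WsusCollection -Items $group -TypeName 'ComputerTargetGroupCollection'))
    $rule.Enabled = $true
    $rule.Save()
    $rule.ApplyRule()   # approve definitions that are already synced, not only future ones
    return $rule
}

function Get-FcsDefinitionApprovalStatus {
    # Newest definition packages for the product and whether they are approved.
    param([string]$ProductTitle = 'Forefront Client Security',
          [string]$ClassificationTitle = 'Definition Updates',
          [int]$Newest = 5)
    $wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $wsus.GetUpdateCategories()      | Where-Object { $_.Title -eq $ProductTitle }        | ForEach-Object { [void]$scope.Categories.Add($_) }
    $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq $ClassificationTitle } | ForEach-Object { [void]$scope.Classifications.Add($_) }
    $wsus.GetUpdates($scope) | Sort-Object CreationDate -Descending |
        Select-Object -First $Newest Title, CreationDate, IsApproved, IsDeclined
}

New-FcsDefinitionApprovalRule | Out-Null
Get-FcsDefinitionApprovalStatus | Format-Table -AutoSize
```

Because the rule is scoped to one product category and one classification, it cannot silently approve operating system patches; if the status listing shows new definitions with IsApproved false, the synchronization has run but the rule has not, and ApplyRule() is what you are missing.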

25
Signature Details
  • On client machine installed at
  • C:\Documents and Settings\All Users\Application
    Data\Microsoft\Microsoft Forefront\Client
    Security\Client\Antimalware\Definition Updates

26
Signature Details
27
Signature Package Overview
  • mpam-fe.exe
  • Antimalware Full Engine package (for x86,
    amd64, ia64)
  • Contains engine (mpengine.dll), mpasbase.vdm,
    mpasdlta.vdm, mpavbase.vdm, mpavdlt.vdm,
    mpsigstub.exe.
  • Size of 11 MB
  • mpam-d.exe
  • Antimalware Delta package contains AV and AS
    signatures.
  • Contains mpasbase.vdm, mpasdlta.vdm,
    mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe.
  • Size < 0.5 MB
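
Manual distribution of the packages above (slide 23's "manual download and distribution via other software"), as an added PowerShell example that is not code from the deck or from Microsoft. A distribution script that runs an executable fetched from a download site should verify the Authenticode signature and pin the signer before executing it, otherwise the signature channel becomes a way to push arbitrary code to every client; the script then confirms that the definition folder from slide 25 actually changed. It assumes that mpam-fe.exe and mpam-d.exe install silently when run without arguments and that the definition folder is the slide 25 path under the All Users profile.

```powershell
# Added example, not from the deck. Assumed: the packages run silently with no
# arguments, and the definition folder is the slide 25 path.
$DefinitionRoot = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates'

function Test-MicrosoftSignedPackage {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    # Chain trust alone is not enough: any validly signed binary would pass.
    # Pin the signer subject as well.
    return ($sig.SignerCertificate.Subject -match '^CN=Microsoft Corporation,')
}

function Get-DefinitionSnapshot {
    # One line per .vdm file (path, size, mtime) so before/after can be compared.
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return @() }
    @(Get-ChildItem -Path $Root -Recurse -Filter '*.vdm' |
        ForEach-Object { "$($_.FullName)|$($_.Length)|$($_.LastWriteTimeUtc.Ticks)" })
}

function Install-FcsDefinitionPackage {
    param([string]$PackagePath, [string]$Root = $DefinitionRoot)
    $name = Split-Path -Path $PackagePath -Leaf
    if (@('mpam-fe.exe', 'mpam-d.exe') -notcontains $name) {
        throw "Unexpected package name '$name' (expected mpam-fe.exe or mpam-d.exe)"
    }
    if (-not (Test-MicrosoftSignedPackage -Path $PackagePath)) {
        throw "Refusing to run $PackagePath: signature invalid or signer is not Microsoft"
    }
    $before = Get-DefinitionSnapshot -Root $Root
    $proc   = Start-Process -FilePath $PackagePath -Wait -PassThru
    $after  = Get-DefinitionSnapshot -Root $Root
    New-Object PSObject -Property @{
        Package            = $name
        ExitCode           = $proc.ExitCode
        DefinitionsChanged = (($before -join "`n") -ne ($after -join "`n"))
        VdmFiles           = $after.Count
    }
}

# Usage: the delta package (< 0.5 MB) is enough when the client already has a
# base; fall back to the full engine package when the delta reports no change.
$result = Install-FcsDefinitionPackage -PackagePath 'C:\Staging\mpam-d.exe'
if (-not $result.DefinitionsChanged) {
    $result = Install-FcsDefinitionPackage -PackagePath 'C:\Staging\mpam-fe.exe'
}
$result | Format-List
```

Get-AuthenticodeSignature checks the signature chain; the subject check is what stops a package signed by some other trusted publisher from being accepted, which matters because the staging share is writable by whoever downloads the packages.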

28
Scans
  • Quick scan
  • Full scan
  • Custom scan
  • Not
  • Removable disk
  • Network disk
  • Single folder

29
Engine
  • Real-time protection
  • Uses kernel-mode mini-filter
  • Static analysis
  • Emulation
  • Executes in sandbox - to unpack
  • Heuristics
  • Detects user-mode rootkits
  • Checks API detouring (tunneling signatures)

30
FCS monitoring options
  • Enterprise Security Dashboard
  • High level view of the Organization Security
    State
  • Alerts
  • Actionable Immediate Alerts on Security Incidents
  • Reports
  • Investigation of Security Issues Through Security
    State Visualization of Both Online and Historical
    Data

31
Enterprise Security Dashboard
  • Dashboard: the security state at a glance
  • Switchboard: access the different views
  • Reports
  • Alerts
  • Configuration
  • Live Data
  • Change Indication

32
Reports
  • Security Focused
  • Allow Investigation
  • Drill Down
  • Current vs. Historical
  • Filtering, Grouping, Adjusting
  • Email Subscriptions
  • Limited Extensibility in V1.0

(Chart: reports positioned along Performance, Aggregation, Focus, Activity and Value axes, from live data (Dashboard) to static data (Investigation Tool), with Security Summary and Incident Summary as examples)
33
Main Report
Security Summary
34
Reports
  • Deployment Summary
  • Alert Summary
  • Computer Summary
  • Threat Summary
  • Security Summary
  • Vulnerability Summary
35
Reports - drill-down from summary to detail
  • Security Summary (main report)
  • Deployment Summary -> Signature Deployment Details
  • Alert Summary -> Alert Detail
  • Computer Summary -> Computer Detail
  • Threat Summary -> Threat Detail
  • Vulnerability Summary -> Vulnerability Detail
36
Reports - drill-down from summary to detail to instance
  • Security Summary (main report)
  • Deployment Summary -> Signature Deployment Details
  • Alert Summary -> Alert Detail -> Alert Instance
  • Computer Summary -> Computer Detail
  • Malware Summary -> Malware Detail -> Malware Instance
  • Vulnerability Summary -> Vulnerability Detail -> Vulnerability Instance
37
Alert Types
  • Malware Activity: Computer Infected / Malware On
    Network; Successful / Failed Response; Repeated
    Malware Infections; Malware Outbreak
  • Protection Agent: Protection Turned Off; Scanning
    Failed; Signature Update Failed
  • FCS Server: Security Impact; Flooding
    Detected; Evaluation Product Expiration; FCS
    Failures
38
Alert Levels
  • Alert configuration is policy specific
  • Alerts notify the admin of high-value incidents
  • Alert levels control the type & volume of alerts
    generated

(Chart: five alert levels, 1 to 5, spanning "Rich Data, High Value Assets" to "Critical Issues Only, Low Value Assets"; incident types plotted: Outbreak, Malware removal failed, Signature update failed, Malware detected and removed, Signature update failed (per min))
39
FCS Alert Levels
  • Pre-canned Configuration for
  • Management Attention
  • Asset Value
  • 5 Levels of Attention
  • Detailed alerts for operational servers
  • Low sensitivity for desktops
  • Even less attention to Kiosk machines
  • Set via FCS Policies

40
Alert Design Guidelines
  • Important: only significant security incidents
  • Actionable: each alert represents a work item
  • Timely: relevant for immediate action
  • Few: no more than a few events per day
  • Correct: minimize false positives

41
Email alerts and reports
  • Alerts
  • In MOM 2005 Admin Console
  • Define email server (SMTP)
  • Add "operator" to Client Security Notification
    Group
  • Reports
  • In SQL Server 2005 Reporting Services
  • Define email settings (SMTP)
  • In http://<server>/reports
  • Create report subscription

42
FCS Alerts
  • What is an alert
  • Kinds of alerts we have
  • Criteria for a good alert
  • Why alerts
  • Security operator productive
  • A list of actionable things
  • How to use and configure alerts
  • Alert Levels
  • The MOM operator console

43
Alert Design Guidelines
  • Important
  • Only significant security incidents
  • Actionable
  • Each alert represents a work item
  • Timely
  • Relevant for immediate action
  • Few
  • No more than a few events per day
  • Correct
  • Minimize false positives

44
FCS Alert Level
  • Pre-canned Configuration for
  • Management attention
  • Asset value
  • 5 Levels of Attention
  • Detailed alerts for operational servers
  • Low sensitivity for desktops
  • Even less attention to Kiosk machines
  • Set via FCS Policies

45
Security State Assessment Checks: Evaluation
Process
  • Retrieve machine settings from available sources
  • E.g. Registry, WMI, File System, WUA, Firewall
  • Evaluate configuration against known criteria
  • Assign score based on compliance with security
    best practices
  • High, Medium, Low, or Informational
  • Aggregate and report on results across multiple
    machines

46
Summary Forefront Client Security
  • Unified malware protection for business desktops,
    laptops and server operating systems that is
    easy to manage and control
  • Effective Malware Protection supported by
    Microsoft Malware Response Center
  • Integration with the existing environment makes
    FCS easier to manage
  • Visibility over vulnerabilities helps proactively
    secure the environment against upcoming attacks
  • An integral part of Microsoft Forefront
  • Download free evaluation software
    http://www.microsoft.com/forefront/serversecurity

47
Q&A
48
Extra Slides
49
Alert example (screenshot callouts: Alert Type; Machine and Domain; How many times did this happen?; Comprehensive description; Detailed reports; Associated machine event; Associated knowledge base article; Company knowledge records)
Alert description text:
Microsoft Client Protection has detected the following malicious software threat: !AceSFX. Microsoft Client Protection cannot eliminate the threat. The following action was attempted on the threat: Clean. The following error occurred: Access Denied. Error code: 12. To learn more about the infection in this computer, read the infection instance report http://ReportServer/Reports/FCS/InfectionInstanceReport. To learn more about the threat, read the threat details report http://ReportServer/Reports/FCS/threatReport and the computer details report http://ReportServer/Reports/FCS/computerReport. You can read about the threat in the Microsoft Malicious Software Encyclopedia http://ReportServer/Reports/FCS/maliciousEncyclopediaReport
50
Reporting Capabilities: Main Concepts
51
Problems Addressed
Visibility & Control
Simplified Administration
Unified Protection
  • Limited visibility into the security state of the
    enterprise
  • Which clients are vulnerable to exploitation?
  • Which clients expose an increased surface area
    for attack?
  • Difficult to prioritize security issues based on
    impact to an organization
  • Are my clients vulnerable to infection from this
    virus?
  • Can my clients be re-infected by the same virus?
  • IT resources focused on reacting to threats
    rather than managing vulnerabilities

52
Goals
  • Provide visibility into vulnerabilities and
    insecure configurations on managed clients
  • Help customers focus efforts on managing
    vulnerability exposure instead of reacting to
    malware threats

53
Solution Approach
  • SSA Agents
  • Installed on managed clients to perform state
    assessment scans
  • Security Checks
  • Detect common vulnerabilities and missing
    security updates
  • Compare system configuration against security
    best practices
  • FCS Reports
  • Surface issues found across the enterprise
  • Reports help focus IT resources on the right
    security issues

54
Drilldown: Scheduled Scans (FCS Scan Policy)
  • Time-Based Scan
  • Scan once per day at the specified time
  • Scan When Missed - Option to scan after reboot if
    a daily scan was unable to run at the scheduled
    time
  • Interval-Based Scan
  • Scans once every N hours
  • Scans can occur more than once per day

55
Drilldown: On-Demand Scans (FCS Console)
  • Invoked by Scan Now button in FCS Console
  • Allow users to trigger scans immediately
  • Can target a single machine or all managed
    computers
  • Performs both AM and SSA scans

56
Security State Assessment Checks: Overview
  • Types of vulnerabilities
  • Missing security updates
  • Configuration exposures
  • Checks power SSA scans
  • Assess Security State: system settings and patch
    status
  • Evaluate Vulnerability Risk: assign a score based
    on compliance with security best practices

57
Drilldown: Security Updates Check (Overview)
  • Two types of updates reported
  • Security Bulletins: updates that address
    specific security vulnerabilities
  • Cumulative Security Updates: rollups and service
    packs that supersede security updates
  • Updates categorized by Product Family

58
Drilldown: Security Updates Check (Detection Logic)
  • Security updates are missing if
  • Required updates are not installed
  • Installed updates require system restart
  • Built on Windows Update platform
  • Update search performed against default Update
    Server (WSUS or MU)
  • Only detects approved security updates when
    scanning against WSUS
  • Reports connection failures to Update Server
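
The detection logic on this slide, as an added PowerShell example that is not code from the deck or from Microsoft. It drives the same Windows Update Agent COM API the check is built on (Microsoft.Update.Session) against whatever update server the client is configured for, applies the two "missing" rules (not installed, or installed with a restart pending), reports a connection failure instead of scoring the machine clean, and turns the result into a score from the worst MSRC severity. The category names used to pick out security updates, the severity-to-score table and the output shape are this example's own choices, not FCS internals; the sample object at the end is constructed so the scoring can be exercised without a network.

```powershell
# Added example, not from the deck. Category names, score table and output shape
# are this example's choices.
$SecurityCategories = @('Security Updates', 'Update Rollups', 'Service Packs')
$SeverityRank = @{ 'Critical' = 4; 'Important' = 3; 'Moderate' = 2; 'Low' = 1 }

function Get-SecurityUpdateStatus {
    # ServerSelection 0 = ssDefault: the server the client is configured for (WSUS or MU).
    # Against WSUS only updates approved for this client's target group come back,
    # which is the "only detects approved security updates" caveat on the slide.
    param([int]$ServerSelection = 0)
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = $ServerSelection
    $found = @()
    try {
        # Rule 1: required updates not installed. Rule 2: installed but restart pending.
        foreach ($criteria in "IsInstalled=0 and Type='Software' and IsHidden=0",
                              "IsInstalled=1 and RebootRequired=1") {
            foreach ($u in $searcher.Search($criteria).Updates) { $found += $u }
        }
    } catch {
        # The slide reports connection failures rather than silently scoring clean.
        return New-Object PSObject -Property @{ Reachable = $false; Error = $_.Exception.Message; Updates = @() }
    }
    $updates = @()
    foreach ($u in $found) {
        $cats = @($u.Categories | ForEach-Object { $_.Name })
        $isSecurity = @($cats | Where-Object { $SecurityCategories -contains $_ }).Count -gt 0
        if (-not $isSecurity) { continue }
        $state = if ($u.IsInstalled) { 'RebootPending' } else { 'NotInstalled' }
        $updates += New-Object PSObject -Property @{
            Title     = $u.Title
            Bulletins = (@($u.SecurityBulletinIDs | ForEach-Object { $_ }) -join ',')
            Severity  = [string]$u.MsrcSeverity
            State     = $state
        }
    }
    New-Object PSObject -Property @{ Reachable = $true; Error = $null; Updates = $updates }
}

function Get-SecurityUpdateScore {
    # Worst MSRC severity among missing updates decides the score; a reboot-pending
    # update counts as missing (rule 2). Severity-to-score mapping is this example's choice.
    param($Status)
    if (-not $Status.Reachable) {
        return New-Object PSObject -Property @{ Score = 'Informational'; Reason = "update server unreachable: $($Status.Error)" }
    }
    if (@($Status.Updates).Count -eq 0) {
        return New-Object PSObject -Property @{ Score = 'Informational'; Reason = 'no security updates missing' }
    }
    $worst = @($Status.Updates | Sort-Object { $SeverityRank[[string]$_.Severity] } -Descending)[0]
    $score = switch ($SeverityRank[[string]$worst.Severity]) {
        4 { 'High' } 3 { 'High' } 2 { 'Medium' } default { 'Low' }
    }
    New-Object PSObject -Property @{ Score = $score; Reason = "$($worst.Title) [$($worst.Severity), $($worst.State)]" }
}

# Live scan of this machine:
Get-SecurityUpdateScore -Status (Get-SecurityUpdateStatus) | Format-List

# Constructed sample (not real scan output) to exercise the scoring offline:
$sample = New-Object PSObject -Property @{ Reachable = $true; Error = $null; Updates = @(
    (New-Object PSObject -Property @{ Title = 'Security Update A'; Bulletins = 'MS07-000'; Severity = 'Critical'; State = 'RebootPending' }),
    (New-Object PSObject -Property @{ Title = 'Update Rollup B';   Bulletins = '';        Severity = 'Moderate'; State = 'NotInstalled' })) }
Get-SecurityUpdateScore -Status $sample | Format-List
```

The reboot-pending search is the part most home-grown scripts forget: a patched-but-not-restarted machine still runs the vulnerable code, and the slide's second rule is what keeps it on the missing-updates report.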

59
Drilldown: Windows Firewall Check (Overview)
  • Provides central monitoring of Windows Firewall
  • Gives visibility into end-user configuration
  • Reports on
  • Firewall status (on/off)
  • User-defined exceptions
  • Applicability to each network interface

60
Drilldown: Windows Firewall Check (Evaluation Logic)
  • Firewall Status
  • If disabled on any network interface, score is
    High
  • If configured by Group Policy, score is
    Informational
  • Exceptions
  • Enumerates each port and application exception
  • Any exception not configured via GP, score is
    Medium
  • If configured by Group Policy, scores as
    Informational
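
The evaluation logic on this slide, as an added PowerShell example that is not code from the deck or from Microsoft. It separates the scoring rules (a function over a snapshot of firewall state, so they can be run on constructed input) from the collector that builds the snapshot from the registry keys the Windows XP SP2 / Server 2003 firewall service reads: the local state under SharedAccess\Parameters\FirewallPolicy and the Group Policy state under Policies\Microsoft\WindowsFirewall. Two simplifications are this example's own: it evaluates per profile rather than per network interface, and the overall score is the worst finding; a locally enabled firewall is scored Informational like a GP-enabled one, since the slide gives no separate score for it.

```powershell
# Added example, not from the deck. Per-profile evaluation and "worst finding wins"
# are this example's simplifications of the slide.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$ScoreRank = @{ 'High' = 3; 'Medium' = 2; 'Low' = 1; 'Informational' = 0 }

function Get-EnabledExceptionNames {
    # Exception lists store one value per exception; the data carries ':Enabled:' or
    # ':Disabled:', so only enabled entries count as exposure.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    @($item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        Where-Object { [string]$_.Value -match ':Enabled:' } | ForEach-Object { $_.Name })
}

function Get-FirewallProfileState {
    param([string]$Profile)   # 'DomainProfile' or 'StandardProfile'
    $local  = Get-ItemProperty -Path "$LocalKey\$Profile"  -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path "$PolicyKey\$Profile" -ErrorAction SilentlyContinue
    $gpSetsState = ($policy -ne $null) -and ($policy.PSObject.Properties['EnableFirewall'] -ne $null)
    if ($gpSetsState) {
        $enabled = [bool]$policy.EnableFirewall
    } elseif ($local -and $local.PSObject.Properties['EnableFirewall'] -ne $null) {
        $enabled = [bool]$local.EnableFirewall
    } else {
        $enabled = $true   # assumption: no value present means the SP2 default (on)
    }
    $localEx = @(); $gpEx = @()
    foreach ($list in 'AuthorizedApplications\List', 'GloballyOpenPorts\List') {
        $localEx += Get-EnabledExceptionNames -Path "$LocalKey\$Profile\$list"
        $gpEx    += Get-EnabledExceptionNames -Path "$PolicyKey\$Profile\$list"
    }
    New-Object PSObject -Property @{
        Profile = $Profile; Enabled = $enabled; EnabledByGP = $gpSetsState
        LocalExceptions = $localEx; GPExceptions = $gpEx
    }
}

function Get-FirewallCheckScore {
    param($Profiles)   # output of Get-FirewallProfileState, or a constructed snapshot
    $findings = @()
    foreach ($p in $Profiles) {
        if (-not $p.Enabled) {
            $findings += New-Object PSObject -Property @{ Profile = $p.Profile; Score = 'High'; Detail = 'firewall disabled' }
        } else {
            $src = if ($p.EnabledByGP) { 'Group Policy' } else { 'local setting' }
            $findings += New-Object PSObject -Property @{ Profile = $p.Profile; Score = 'Informational'; Detail = "firewall enabled by $src" }
        }
        foreach ($ex in $p.GPExceptions) {
            $findings += New-Object PSObject -Property @{ Profile = $p.Profile; Score = 'Informational'; Detail = "exception via Group Policy: $ex" }
        }
        foreach ($ex in $p.LocalExceptions) {
            if ($p.GPExceptions -contains $ex) { continue }   # GP-managed, already counted
            $findings += New-Object PSObject -Property @{ Profile = $p.Profile; Score = 'Medium'; Detail = "user-defined exception: $ex" }
        }
    }
    $overall = 'Informational'
    foreach ($f in $findings) { if ($ScoreRank[$f.Score] -gt $ScoreRank[$overall]) { $overall = $f.Score } }
    New-Object PSObject -Property @{ Score = $overall; Findings = $findings }
}

# Live machine:
$live = 'DomainProfile', 'StandardProfile' | ForEach-Object { Get-FirewallProfileState -Profile $_ }
Get-FirewallCheckScore -Profiles $live | Format-List

# Constructed snapshot (not from a real host): firewall on via GP, one port exception
# pushed by GP and one application exception a user added locally.
$snapshot = @(New-Object PSObject -Property @{
    Profile = 'StandardProfile'; Enabled = $true; EnabledByGP = $true
    LocalExceptions = @('3389:TCP', 'C:\Tools\agent.exe'); GPExceptions = @('3389:TCP') })
(Get-FirewallCheckScore -Profiles $snapshot).Findings | Format-Table Profile, Score, Detail -AutoSize
```

The split between the local and the Policies keys is the whole point of the slide's GP distinction: an exception that exists only under SharedAccess was added on the box by a user or an installer, which is exactly the "end-user configuration" the check is meant to surface.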

61
Drilldown: Configuration Checks (Checks Available
in FCS)
62
Drilldown: Configuration Checks (Checks Available
in FCS)
63
Drilldown: Configuration Checks (Detailed
Descriptions)
  • Each check is like a different feature
  • Administrators can judge risk represented by each
    by understanding how each check is evaluated and
    scored
  • Each check documented on TechNet
  • http://technet.microsoft.com/en-us/library/bb418830.aspx
  • Includes information on evaluation criteria,
    scores, and possible results

64
Reporting Results: Bringing Visibility to Issues
  • SSA scan results
  • Collected from managed clients
  • Aggregated to determine vulnerability exposure
    and overall risk
  • Drilldown into issues
  • Console: number of computers reporting critical
    vulnerabilities
  • Security Summary: top 5 vulnerability exposures
  • SSA Summary: all vulnerability issues in the
    enterprise
  • Vulnerability Detail: enterprise exposure to a
    single vulnerability
  • Computer Detail: all SSA results for a single
    client

65
Drilldown: Console (Overview of Security Issues)
  • Computers Reporting Critical Issues
  • Percentage of managed computers reporting
    critical issues
  • Includes malware detection events, missing
    security updates
  • Links to FCS Reports
  • Security Summary Report
  • SSA Summary Report

66
Drilldown: Console (Overview of Security Issues)
67
Drilldown: Security Summary Report (Overview of
Vulnerability Issues)
  • Top Vulnerabilities
  • Top 5 vulnerabilities currently exposed in the
    enterprise
  • Prioritized by risk and exposure
  • Vulnerability Trend
  • Shows trend in vulnerability exposure over the
    past month

68
Drilldown: SSA Summary Report (Overview of SSA
Results)
  • Computers by Score
  • Breakdown of computers by risk of vulnerability
    exposure
  • Computers by MSRC Severity
  • Breakdown of computers by security bulletin
    severity value
  • Vulnerabilities List
  • List of security issues prioritized by risk
    factor and exposure in the enterprise
  • Drill through to specific issue reports

69
Drilldown: SSA Summary Report (Computers by Score)
70
Drilldown: SSA Summary Report (High Score
Computers by MSRC Severity)
  • Trend data reveals interesting patterns
  • Updates released on second Tuesday of every month
    (Patch Tuesday)
  • MS07-017 security update was released a week
    early
  • Result was two spikes in trend for missing
    updates in the month of April