Protecting your desktops and servers with Microsoft Forefront Client Security
Overview and Technical Implementation – Part 3
Ricardo Frois, Security Specialist, Microsoft Brasil

Agenda
• Overview
• Architecture
• Unified Protection
• Simplified Administration
• Visibility and Control
• Additional Resources

Unified malware protection for business desktops, laptops and servers, with unified management and control
• Unified protection
  – One solution against viruses and spyware
  – Built on protection technology already used by millions of users
  – Effective threat response
  – Complements the other Microsoft security solutions
• Simplified administration
  – A single console for security administration
  – One policy defines the protection settings for all clients
  – Faster distribution of signatures and software
  – Integrates with the existing infrastructure
• Visibility and control
  – A single dashboard for viewing threats and vulnerabilities
  – The reports that matter most
  – Keeps administrators informed about the state of scans and security alerts

Unified malware protection for business desktops, laptops and servers, with unified management and control
• Greater confidence
• Greater efficiency
• Greater control

Product positioning (capability matrix slide; only the row and column labels are recoverable)
• For individual users: MSRT, Windows Defender, Windows Live OneCare, Windows Live Safety Center
• For businesses: Forefront Client Security
• Capabilities compared: remove most prevalent viruses; remove all known viruses; real-time antivirus; remove all known spyware; real-time antispyware; central reporting and alerting; customization; IT infrastructure integration

Unified Protection
• One solution for spyware and virus protection
• Built on protection technology used by millions worldwide
• Effective threat response
• Complements other Microsoft security products

One engine for virus and spyware protection
• Also used in Windows Defender, OneCare, Antigen, the Forefront Server Security products, MSRT, etc.
• Simplified deployment and administration
• Reduces conflicts when detecting blended threats
Detection and removal capabilities include:
• Real-time, scheduled or on-demand detection and removal
• Comprehensive system cleaning for viruses and spyware, with checks to ensure the system is fully functional after cleaning
• Scanning of dozens of archive and packer formats
• Tunneling signatures that bypass user-mode rootkits
• Code emulation for behavior analysis and polymorphic viruses
• Heuristic detection of new malware and variants

Antimalware – Real Time Scanning
• Kernel mode scanning: on-access minifilter
  – Essential to any malware protection
  – Malware must compromise the kernel to evade it
  – Malware is prevented from executing entirely
• User mode scanning: system configuration
  – Internet Explorer add-ons
  – Internet Explorer configuration
  – Internet Explorer downloads
  – Services and drivers
  – Application execution
  – Application registration
  – Windows add-ons

Antimalware – Scheduled Scanning
• Quick Scan
  – In-memory processes
  – Targeted directories*: user profile, desktop, system directories, Program Files
  – Common malware extensibility points*
  * Defined in the definition update, so the target list can follow the evolution of malware
• Full Scan
  – Everything in Quick Scan
  – Full evaluation of local drives

Demonstration
• Using Forefront Client Security to Protect Client Computers

Simplified Administration
• Define the security steady state – specify the ongoing security behavior of my clients
• Keep systems up to date – ensure that clients have the latest signatures
• View reports – determine the security state, now and over time
• Respond to alerts – which critical security events require my attention?
One console for simplified security administration
• One policy to manage client protection agent settings, e.g.:
  – Scan schedule
  – Real-time protection on/off
  – Signature update frequency
  – Anti-spyware signature overrides
  – Security state assessment settings
  – Anti-spyware unknown action
  – Alert level
  – Event and logging settings
  – SpyNet reporting on/off
  – Level of end-user UI shown
• Choice of three integrated policy profile deployment methods:
  – Microsoft Forefront Client Security Console (uses AD/Group Policy)
  – ADM file (uses AD/Group Policy)
  – Export to a file, then use your existing software distribution system

Policy deployment through Active Directory Group Policy Objects
• The console creates the GPO (read/save), sends it to Sysvol, and Group Policy deploys the profile
• Granularity at OU level, with exceptions expressed through security groups
• Policy is applied on the host per the AD defaults

Signature deployment
Flow: Malware Research → Microsoft Update → (sync) WSUS → desktops, laptops and servers
• Optimized for Windows Server Update Services (WSUS); any software distribution system can be used
• Automatic and manual approval of definitions
• Client Security installs an Update Assistant service; WSUS plus the Update Assistant:
  – Increase the sync frequency between WSUS and Microsoft Update (MU) for definitions
  – Support roaming users
  – Fail over from WSUS to Microsoft Update

Install WSUS
• Store updates locally
• Create a WSUS web site during installation: FCS requires WSUS to use port 8530
• Configure automatic approval
• The first synchronization can take several hours

Simplified administration – summary
• One console for simplified security administration
• Define one policy to manage client protection agent settings
• Deploy signatures and software faster
• Integrates with your existing infrastructure

Supported platforms
• Server
  – Windows Server 2003 SP1
  – Windows Server 2003 R2
  – Longhorn Server (at RTM)
• Client
  – Windows 2000 SP4 + Update Rollup – requires the GDI+ QFE
  – Windows XP SP2 – requires the Filter Manager QFE
  – Windows Vista – Business SKUs only

Deployment
• Server – Server Setup, then the Configuration Wizard
• Client – command line (no UI); use existing deployment technologies
• Policy – AD, or a .reg file (client-side tool)
• Signatures – WSUS; SMS/others (at RTM)

Demonstration
• Updating Signature Files
• Using Policies to Manage Client Computers

Understanding Policies
Flow: Forefront Client Security Console → administrator creates and deploys the policy → Group Policy Management Console → clients

Visibility and Control
• One dashboard for visibility into threats and vulnerabilities
• View insightful reports
• Stay informed with state assessment scans and security alerts

Security Summary (dashboard screenshot)

Respond to Alerts – Alerting Functionality
• Notification and management of incidents, including:
  – Malware detected
  – Malware outbreak
  – Malware failed to remove
  – Malware protection disabled
• Control over the alert level and the volume of alerts generated
• Alert level scale from 1 (critical issues only, low-value assets) to 5 (rich data, high-value assets); each level adds alerts to those of the levels below it:
  – 1: Outbreak
  – 2: Malware removal failed
  – 3: Signature update failed
  – 4: Malware detected and removed
  – 5: Signature update failed (per minute)

Alerting and Reporting Architecture
Flow: Client (host) system log → MOM Agent → MOM Server (event table, alerts table, state table) → SQL Server Reporting Services → viewing reports

Reporting Details
• Integration with MOM 2005
• Uses SQL Server Reporting Services
• Shows the malware protection status across your organization
• Point-in-time and over-time views
• Report types: Summary Report, Malware Threat(s), Deployment, Vulnerability Summary, Alerts, Scan Results, Computers, Historical Information

Demonstration – Running and Reviewing Reports
• View the Security State Assessment report
• View the Computer Detail report

Security Product Roadmap (timeline slide: columns Current / Dec 2006 / 2007+; rows Client / Server / Edge)
• Server: Microsoft Antigen, Messaging Security Suite
• Edge: TBD
• Client Security: public beta available now!
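The WSUS slides above make two requirements concrete for a client: it must be pointed at the WSUS web site on port 8530, and it must actually be told to use the WSUS server (otherwise it quietly goes to Microsoft Update and never sees your approved definitions). The following added example, which is not code from the page or from the product, checks both against a .reg export of the documented client-side Windows Update policy keys (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey) and writes out a corrected export that can be imported with `reg import`. The REG_EXPORT text, the host name wsus01.corp.example and all function names are constructed for the example; on a real client the same values come from `reg export` of that key.

```python
"""Check and correct the client-side WSUS policy an FCS client depends on.

Added example, not product code. REG_EXPORT is a constructed .reg export of
the documented Windows Update policy keys; the host name is made up.
"""
import copy
import re
from urllib.parse import urlsplit, urlunsplit

REQUIRED_PORT = 8530  # the slide: FCS requires WSUS to use port 8530

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Constructed sample: the client points at the default web site on port 80,
# which is the misconfiguration the slide warns about.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus01.corp.example:80"
"WUStatusServer"="http://wsus01.corp.example:80"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Handles string values ("..." with \\ and \" escapes) and dword:XXXXXXXX;
    any other value type is kept as its raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue  # tolerate comments and value types we do not model
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val
    return keys


def _port_of(url):
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def check_wsus_policy(keys):
    """Return findings; an empty list means the policy matches the FCS requirements."""
    findings = []
    wu, au = keys.get(WU_KEY, {}), keys.get(AU_KEY, {})
    if au.get("UseWUServer") != 1:
        findings.append("AU\\UseWUServer is not 1: the client will update from "
                        "Microsoft Update, not from the WSUS server")
    for name in ("WUServer", "WUStatusServer"):
        url = wu.get(name)
        if not url:
            findings.append(f"{name} is not set")
        elif _port_of(url) != REQUIRED_PORT:
            findings.append(f"{name}={url} uses port {_port_of(url)}; FCS needs "
                            f"the WSUS web site on port {REQUIRED_PORT}")
    return findings


def fix_wsus_policy(keys):
    """Return a corrected copy: UseWUServer=1 and any present URL moved to REQUIRED_PORT."""
    fixed = copy.deepcopy(keys)
    fixed.setdefault(AU_KEY, {})["UseWUServer"] = 1
    wu = fixed.setdefault(WU_KEY, {})
    for name in ("WUServer", "WUStatusServer"):
        if wu.get(name):  # a missing server name is reported, never invented
            parts = urlsplit(wu[name])
            wu[name] = urlunsplit(parts._replace(netloc=f"{parts.hostname}:{REQUIRED_PORT}"))
    return fixed


def to_reg(keys):
    """Serialize back to .reg syntax so the corrected policy can be applied with reg import."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in keys.items():
        out.append(f"[{key}]")
        for name, val in values.items():
            if isinstance(val, int):
                out.append(f'"{name}"=dword:{val:08x}')
            else:
                esc = str(val).replace("\\", "\\\\").replace('"', '\\"')
                out.append(f'"{name}"="{esc}"')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    policy = parse_reg(REG_EXPORT)
    for finding in check_wsus_policy(policy):
        print("FINDING:", finding)
    print(to_reg(fix_wsus_policy(policy)))
```

The check deliberately treats a missing WUServer as a finding rather than filling one in: the failover behaviour the slide describes is done by the Update Assistant, and a client that was never pointed at WSUS is not "failing over", it is simply unmanaged.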
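The alert-level chart in the Alerting Functionality slide is the knob a practitioner tunes per asset class: level 1 for low-value machines where only an outbreak should page anyone, level 5 for high-value servers where every detection and every failed signature update is worth a record. The following added example, which is not code from the page or from the product, implements that policy over a constructed stream of client events: it derives the outbreak alert from several hosts reporting the same malware inside a time window, filters the remaining events by the configured level, and at level 5 aggregates signature-update failures per minute. The cumulative level table follows the slide; the placement of "malware protection disabled" at level 1, the outbreak threshold of three hosts in ten minutes, the per-minute aggregation, the event names and the sample events are all assumptions made for the example.

```python
"""Alert-level filtering and outbreak detection over FCS-style client events.

Added example, not product code. Event kinds follow the Alerting Functionality
slide; LEVEL_ADDS follows the slide's chart. The outbreak threshold, the
per-minute aggregation, the sample events and all names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

OUTBREAK_HOSTS = 3                       # assumed: this many distinct hosts ...
OUTBREAK_WINDOW = timedelta(minutes=10)  # ... reporting the same malware within this window
DETECTION_KINDS = {"malware_detected_and_removed", "malware_removal_failed"}

# Alert level -> event kinds that level adds. Level 1 = critical issues only
# (low-value assets), level 5 = rich data (high-value assets); each level also
# raises everything from the levels below it.
LEVEL_ADDS = {
    1: {"malware_outbreak", "malware_protection_disabled"},  # 'disabled' at level 1 is an assumption
    2: {"malware_removal_failed"},
    3: {"signature_update_failed"},
    4: {"malware_detected_and_removed"},
    5: {"signature_update_failed_per_min"},                  # fleet-wide per-minute count
}


def kinds_for_level(level):
    """Event kinds an alert level reports: its own plus all lower levels'."""
    if not 1 <= level <= 5:
        raise ValueError("alert level must be 1..5")
    return set().union(*(LEVEL_ADDS[lv] for lv in range(1, level + 1)))


def find_outbreaks(events):
    """One outbreak alert per malware name seen on OUTBREAK_HOSTS distinct hosts within OUTBREAK_WINDOW."""
    recent = defaultdict(deque)  # malware name -> (time, host) pairs still inside the window
    outbreaks, flagged = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] not in DETECTION_KINDS:
            continue
        window = recent[ev["malware"]]
        window.append((ev["time"], ev["host"]))
        while ev["time"] - window[0][0] > OUTBREAK_WINDOW:
            window.popleft()
        hosts = {h for _, h in window}
        if len(hosts) >= OUTBREAK_HOSTS and ev["malware"] not in flagged:
            flagged.add(ev["malware"])
            outbreaks.append({"kind": "malware_outbreak", "time": ev["time"],
                              "malware": ev["malware"], "hosts": sorted(hosts)})
    return outbreaks


def build_alerts(events, level):
    """Return the alerts a console configured at `level` would raise for `events`."""
    enabled = kinds_for_level(level)
    alerts = find_outbreaks(events)  # outbreaks are level 1, so they are always raised
    per_minute = defaultdict(int)
    for ev in events:
        if ev["kind"] in enabled:
            alerts.append({"kind": ev["kind"], "time": ev["time"],
                           "host": ev["host"], "malware": ev.get("malware")})
        if ev["kind"] == "signature_update_failed":
            per_minute[ev["time"].replace(second=0, microsecond=0)] += 1
    if "signature_update_failed_per_min" in enabled:
        for minute, count in sorted(per_minute.items()):
            alerts.append({"kind": "signature_update_failed_per_min",
                           "time": minute, "count": count})
    return alerts


T0 = datetime(2007, 3, 12, 9, 0)  # constructed base timestamp


def make_event(minutes, host, kind, malware=None):
    return {"time": T0 + timedelta(minutes=minutes), "host": host,
            "kind": kind, "malware": malware}


# Constructed sample stream, not captured from a real deployment.
SAMPLE_EVENTS = [
    make_event(1,   "PC01", "malware_detected_and_removed", "Win32/Sample.A"),
    make_event(3,   "PC02", "malware_detected_and_removed", "Win32/Sample.A"),
    make_event(4,   "PC03", "malware_removal_failed",       "Win32/Sample.A"),  # third host -> outbreak
    make_event(6,   "PC04", "malware_detected_and_removed", "Win32/Other.B"),   # single host, no outbreak
    make_event(7,   "PC05", "signature_update_failed"),
    make_event(7.5, "PC04", "signature_update_failed"),                         # same minute -> one aggregate
    make_event(9,   "PC02", "malware_protection_disabled"),
]

if __name__ == "__main__":
    for lv in range(1, 6):
        print(lv, sorted(a["kind"] for a in build_alerts(SAMPLE_EVENTS, lv)))
```

Note that a host whose protection agent is disabled produces no detections at all, so it can never contribute to an outbreak count; that is why the example parks "malware protection disabled" at the most critical level rather than treating it as noise.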
Availability
• Public beta: download at http://www.microsoft.com/clientsecurity
• Community-based support at http://www.microsoft.com/technet/clientsecurity
• Release to manufacturing planned for Q2 CY2007

Next steps
• Put your organization through a security audit: http://www.microsoft.com/forefront
• Download trial versions: http://www.microsoft.com/isaserver/2006 and http://www.microsoft.com/antigen
• Register for beta information: http://www.microsoft.com/clientsecurity
• Contact your Microsoft rep or reseller for information and advice

Other Resources
• Technical chats and webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• MSDN and TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
• Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.