Microsoft Forefront Client Security

1
Microsoft Forefront Client Security

• Bernt Lervik berntl_at_avanade.com
• Infrastructure Architect Avanade Norway

2
Agenda

• The Security Environment
• What is Microsoft Forefront?
• Microsoft Forefront Client Security
• Three Dimensions to Securing Clients

3

• More advanced
• More frequent
• Profit motivated
• Application-oriented

• Too many point products
• Poor interoperability
• Lack of integration

• Multiple consoles
• Uncoordinated event reporting analysis
• Cost and complexity

4

• Protect Information and Control Access at
• Operating system
• Server applications
• Network edge
• Content
• Heterogeneity
• Third-party products
• Secure custom apps
• 24/7 security research and response

• Unified view and analytics
• Reduced number of management consoles
• Simplified deployment
• Appliances and appliance-like experience
• Technical and industry guidance
• Simplified licensing

• Cross-product integration
• MSFT security products
• MSFT server applications
• Integration with Microsoft IT infrastructure
• Active Directory, SQL Server, Operations
  Manager, etc.
• Integration with ecosystem partners and custom
  apps

5
A comprehensive line of business security
products that helps you gain greater protection
through deep integration and simplified management
6
(No Transcript)
7
FOR INDIVIDUAL USERS
FOR BUSINESSES
Windows Live OneCare Safety Scanner
Microsoft Forefront Client Security
Windows Defender
Windows Live OneCare
MSRT
Remove most prevalent viruses
Remove all known viruses
Real-time antivirus
Remove all known spyware
Real-time antispyware
Central reporting and alerting
Customization
IT Infrastructure Integration
8
Unified malware protection for business desktops,
laptops and server operating systems that is easy
to manage and control

• One solution for spyware and virus protection
• Built on protection technology used by millions
  worldwide
• Effective threat response

• One console for simplified security
  administration
• Define one policy to manage client protection
  agent settings
• Integrates with your existing infrastructure

• One dashboard for visibility into threats and
  vulnerabilities
• View insightful reports
• Stay informed with state assessment scans and
  security alerts

9
Microsoft Forefront Security Server Management
Console

• Single management console for all Forefront
  products
• Beta / TAP starting January 2007
• Supported for production environments!
• RTM targeted for June 2007
• Target retail price 50 USD per management server

10
(No Transcript)
11

• One engine for virus and spyware protection
• Used in Windows Defender, OneCare, Forefront
  Server Security, etc.
• Compatible with NAP through Windows Security
  Center
• Supports new Windows Vista Transactional NTFS
  file system
• Detection and removal capabilities include
• Real-time, scheduled or on-demand detection
  removal
• Real-time detection uses Windows Filter Manager
  technology
• Checks to ensure system is fully functional after
  cleaning
• Scanning dozens of archives and packers
• Using tunneling signatures that bypass user mode
  rootkits
• Code emulation for behavior analysis and
  polymorphic viruses
• Heuristic detections for new malware and variants

12

• Define security steady state
• Specify the ongoing security behavior of my
  clients
• Keep systems up-to-date
• Ensure that clients have the latest signatures
• View reports
• Determine the security state, now and over time
• Respond to alerts
• What critical security events require my
  attention?

13

• One console for simplified security
  administration
• One policy to manage client protection agent
  settings, e.g.
• Choice of 3 integrated policy profile deployment
  methods
• Microsoft Forefront Client Security Console (uses
  AD/GP)
• ADM file (uses AD/GP)
• Export to a file then use existing software
  distribution system

• Anti-spyware unknown action
• Alert level
• Event and logging settings
• SpyNet reporting on/off
• Level of end-user UI shown

• Scan schedule
• Real time protection on/off
• Signature update frequency
• Anti-spyware signature overrides
• Security state assessment settings

14
Client Security Console
Existing SW Dist System
GPMC
SW dist system
Infrastructure used
AD/GP
AD/GP
GPMC, using ADM file
Exported files
Policy distribution via
Console
Single machine
Single machine
Targeting granularity
OU-level
Security Groups
Policy exceptions
Unlimited
Unlimited
Enables policy compliance report
Yes
No
No
Agents deployed via existing software
distribution system
15
Tight integration with MSRC and other support
processes
Dedicated team with automated analysis and
testing
Multiple data sources enabling advanced threat
telemetry

• Deliver malware definition updates for
• Forefront Client Security, Forefront Server
  Security
• Windows Live OneCare, Windows Defender
• Develop core antimalware engine in Forefront and
  OneCare
• Develop Windows Malicious Software Removal Tool

16

• Certifications and awards for Windows Live
  OneCare
• ICSA Labs certification
• West Coast Labs Checkmark certification
• VirusBulletin 100 award
• Recently published malware reports
• Malicious Software Removal Tool Progress Made,
  Trends Observed (June 2006)
• In-depth perspective of malware landscape based
  on anonymous data collected from its execution
  2.7 billion times on at least 290 million
  computers worldwide
• Security Intelligence Report (October 2006)
• Covers malware and potentially unwanted software
  trends in 1H CY06
• Industry thought leadership
• Behavioral Classification paper delivered at
  2006 European Institute for Computer Antivirus
  Research (EICAR) conference

17
Malware Research
Microsoft Update

• Signature deployment optimized for Windows Server
  Update Services (WSUS)
• Can use any software distribution system
• Auto and manual approval of definitions
• Client Security installs an Update Assistant
  service to
• Increase sync frequency between WSUS and
  Microsoft Update (MU) for definitions
• Support for roaming users
• Failover from WSUS to Microsoft Update

Sync
WSUS Update Assistant
Sync
18

• One dashboard for visibility into threats and
  vulnerabilities
• View insightful reports
• Stay informed with state assessment scans and
  security alerts

19

• Enables focus on threats and possible
  vulnerabilities
• State assessment scans determine which machines
• Need to be patched
• Are configured insecurely
• Report categories include
• Built on MOM 2005 technology
• Uses SQL Reporting Services

20
(No Transcript)
21
(No Transcript)
22

• Alert configuration is policy specific
• Alerts notify admin of high-value incidents,
  including

• Alert levels control type volume of alerts
  generated

Rich Data, High Value Assets
Critical Issues Only, Low Value Assets
1
5
4
3
2
Outbreak
Malware removal failed
Signature update failed
Malware detected and removed
Signature update failed (per min)
23
Server and Domain Isolation (SDI)
Combined Solution
Forefront Client Security
Windows Vista
24

• Public beta available now!
• Download at http//www.microsoft.com/clientsecurit
  y
• Community-based support at http//www.microsoft.co
  m/technet/clientsecurity
• Release To Manufacture planned for Q2 CY2007
• Will be available through Microsofts
  volume licensing programs

25

• Unified Virus Spyware Protection
• Simplified Administration
• Critical Visibility Control
• An integral part of Microsoft Forefront
• Better together with Windows Vista and SDI

Download now! http//www.microsoft.com/clientsecur
ity
26
(No Transcript)