Forefront Client Security
Ronald Beekelaar
Beekelaar Consultancy
ronald@beekelaar.com
    Introductions

     Presenter – Ronald Beekelaar
       MVP Windows Security
       MVP Virtual Machine Technology
       E-mail: ronald@beekelaar.com

     Work
      Beekelaar Consultancy
         Security consultancy
            Forefront, IPSec, PKI
         Virtualization consultancy
            Create many VM-based labs and demos

2
    Agenda - FCS
     Architecture
     Deployment
        FCS server roles
        FCS agents
        FCS policies
     Definition Updates
        Signatures and engine
     Scans and engine
     Reports & Alerts




3
    Unified malware protection for business desktops,
      laptops and server operating systems that is
               easy to manage and control


           One solution for virus and spyware protection
           Uses advanced malware protection technologies
           Backed by global malware research & response


           One console for simplified security administration
           Deploy signatures and software quickly
           Integrates with your existing infrastructure


           One dashboard for real-time visibility into threats
           and vulnerabilities
           View insightful reports
           Stay informed with state assessment scans


4
    Architecture




5
          Architecture

       [Architecture diagram, reconstructed as text]

       Host
         AM Service and SSA Service (AM and VA services) write events to the System Log
         MOM Agent reads events from the log and sends them to the MOM server;
           it downloads rules and tasks (XML file) from the MOM server
         Policy is held in the Registry; policy is deployed via GP, and one of the
           policy settings is the alert level

       MOM Server
         MOM DB (Event table, Alerts table, State table; Mgmt Pack)
           Source for reports on the last 24 hours and current status
         MOM DWH (Event table, Alert table)
           Source for reports on historic data

       MOM Console (Events, Alerts, Tasks, State)
         The MOM console is used for manipulation of alerts and investigation

       MOM Web UI Application -> Web Browser (Alerts, State, Events)
         The MOM Web UI is pointed to from alert notification

       SQL Reporting Services
         Report RDL File (SQL queries, source table definitions, rendering
           directives) -> Report Processor -> Rendered Report
         FCS Reports are XML (.rdl) files driving a set of stored procedures
         Rendered reports are viewed in a web browser but also through email
           subscriptions

       FCS Console (UI Controls)
         UI Controls are based on data from the MOM operational DB
         The console launches MOM tasks




6
    Deployment

     Deploy FCS server
       Multiple server roles

     Deploy FCS client to client computers
       Client scanning and user interface

     Deploy FCS policy
       Configuration settings

     Deploy FCS definition updates
       Signatures and engine
7
    Operating System                               FCS Server
    Windows Server 2003 Standard, Enterprise SP1 + Supported
    Windows Server 2003 R2 +                       Supported
    Windows Server 2003 SP1/R2 x64 editions        Not supported
    Windows Server 2008                            Supported (at Win2008 RTM)
    Windows 2003 and R2 Datacenter Editions        Not supported
    Windows 2003 Web editions                      Not supported
    Windows 2003 SBS                               Not supported




8
    Prerequisites for FCS Server
      SQL 2005 SP1
      SQL 2005 Reporting SP1
      WSUS 2.0 SP1 or later
      GPMC
      MMC 3.0
      .NET Framework 2.0
      IIS 6.0
      MOM 2005 hotfixes for SQL 2005




9
     FCS Server deliverable includes:
       MOM 2005 SP1
       MOM 2005 Reporting SP1
       MOM hotfixes required by FCS
       FCS console + reports

     FCS Clients deliverable includes:
       FCS AntiMalware
       Security State Assessment
       MOM Agent 2005 SP1
       FCSLocalPolicyTool.exe

10
     Challenges:
       Desktop Management Focus
       Collection Scalability
       Cross Machine Alerts
       Specialized Views on Live Data
       Application vs. Platform

     Solutions:
        A Dedicated MOM 2005 Installation
          Reduced Event Stream
          Special Configuration and Base MOM Pack
          Custom Schema
          Multi-homing (deployment and versions)
       Server Based Analysis
       Reporting Against The Operational Database
       Auto Approval for New Agents + Flood resiliency

     Future: System Center Operations Manager

11
     FCS Server Roles
        Management Server
         • FCS Management Console
         • FCS Client
         • MOM 2005 SP1
         • GPMC
         • FCS functional management pack

        Collection Server
         • MOM 2005 SP1 Server
         • MOM 2005 SP1 Console

        Collection Server Database
         • SQL Server 2005 SP1
         • MOM 2005 SP1 Operational Database
         • Configuration Repository

        Reporting Server
         • MOM 2005 SP1 Reporting
         • IIS 6.0

        Reporting Server Database
         • SQL Server Reporting Service 2005 SP1
         • SQL Server 2005 SP1
         • MOM 2005 SP1 Data Warehouse

        Distribution Server
         • WSUS 2.0 SP1 or later
         • FCS Update Assistant




12
     FCS Server Deployment - Topologies

      FCS supports the following topologies
        Topology   Role Distribution                                       Recommended For
        1 Server   All roles on a single server                            Pilot deployments or small sites
        2 Server   Distribution role separated from other roles            1000-2500 seats
        3 Server   Distribution and SystemCenterReporting DB separated     2500-5000 seats
        4 Server   All 4 roles separated, DB’s local                       Large Deployments (>5k)
        5 Server   All 4 roles separated, both DB’s off-box (same server)  Large Deployments (>5k)
        6 Server   All 6 roles on separate servers                         Large Deployments (>5k)

13
     FCS Client - Support

         Operating System                                     Client Security Agent
         Windows 2000 SP4 + Security Rollup and GDI+ hotfix   Supported
         Windows XP SP2 (with Filter Manager hotfix)          Supported
         Windows XP “Media Center” edition                    Not supported
         Windows Server 2003/R2 x64 SP1 +                     Supported
         Windows XP “Tablet” editions                         Supported
         Windows Server 2003 x86 SP1 +                        Supported
         Windows Server 2003 R2 +                             Supported
         Windows Vista Business, Enterprise, and Ultimate     Supported




14
     FCS Client - Setup

      No UI (command line)
        Example syntax:
            clientsetup.exe /MS momserver3 /CG fcsgroup
            clientsetup.exe /nomom
      Install Tasks:
         Pre-req checking
         Installing MOM agent, FCS SSA agent and FCS AM agent
         logging actions and errors to a file
      How to deploy the client software
         Group Policy
         SMS
         Other third party distribution tool
         Login scripts
         WSUS
15
     Deploy FCS agent with WSUS

      Recommended way to deploy FCS agent

      Step 0 - Remove existing antivirus software
                For scripts, see www.codeplex.com/fcscompete
      Step 1 - In WSUS: Approve FCS package
      Step 2 - On server: Create and deploy FCS policy
      Step 3 - Client: will install FCS agent from WSUS

      Speed up (after uninstalling the existing anti-virus):
        gpupdate.exe /force
        wuauclt.exe /detectnow

16
     Deploy FCS agent with WSUS

      Step 1 - In WSUS: Approve FCS package




17
     FCS Policy Settings

      FCS policy manages the following
        Antimalware and Security State Assessment scan settings
        Signature override settings
        Alert levels and reporting
        Advanced settings
          Signature check frequency
          Path and file extension exclusions
          Client UI options




18
   Profile Deployment Options

                                      FCS Console       GPMC                 Existing SW Dist System
   Infrastructure used                AD/GP             AD/GP                SW dist system
   Policy distribution via            Console           GPMC (no ADM file)   Exported files
   Targeting granularity              OU-level          Single machine       Single machine
   Policy exceptions                  Security Groups   Unlimited            Unlimited
   Enables policy compliance report   Yes               Yes*                 Yes*

   *Agents deployed via existing software distribution system
19
     Deploying a FCS Policy to a File

      Ability to deploy and report on a policy distributed outside of
      Group Policy
        Exports the policy to a .reg file
        Import on the client using FCSLocalPolicyTool.exe
           Question: Why can’t I just double-click the .reg file and import?
           A1: Service is listening for an update via GP, and this won’t raise
           the proper event – policy won’t be picked up until you stop/start the
           service
           A2: The tool creates the proper local GPO object, which is the
           prescribed method to update policy
        Can be used to distribute policy to non-AD machines
        (via scripts or other distribution tool)

20
     Operation                                                            FCS Console   GPMC/.adm
     Maintain policy deployment state for FCS reporting                   Yes           No
     Configure Overrides                                                  Yes           No
     Changes made to a deployed policy via GPMC reflected in the          N/A           No
     FCS console



21
     Keep Systems Up-to-date

     Signature deployment optimized for Windows Server Update Services (WSUS)
        Can use any software distribution system
        Auto and manual approval of definitions

     Client Security installs an Update Assistant service to:
        Increase sync frequency between WSUS and Microsoft Update (MU) for definitions

     Support for roaming users
        Failover from WSUS to Microsoft Update

     [Diagram: Microsoft Malware Research -> Microsoft Update -(sync)-> WSUS + Update Assistant
      -(sync)-> Desktops, Laptops and Servers]

22
     Signature Distribution Channels

      Microsoft Update - http://update.microsoft.com
      Windows Server Update Services (WSUS)
         Supports WSUS 2.0 SP1 and 3.0
      Manual download and distribution via other software (SMS, login script, etc)
         Through signature download site




23
     FCS Distribution Server

      WSUS
      WSUS assistant (if WSUS 2.0)
         Force WSUS 2.0 to sync up with Microsoft Update
         hourly
         Not needed in WSUS 3.0
      Auto-approval rules for FCS definition updates
      Subscribe to FCS product category and definition update
      classification




24
     Signature Details

     On client machine installed at:
     C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft
         Forefront\Client Security\Client\Antimalware\Definition Updates




25
     Signature Details
     Item           Description

     mpengine.dll   The antivirus engine


     mpavbase.vdm   The AV signature database containing most of the
                    signatures

     mpavdlta.vdm   The AV signature database containing the most recent
                    signature additions

     mpasbase.vdm   The spyware signature database containing most of the
                    signatures

     mpasdlta.vdm   The spyware signature database containing the most recent
                    signature additions


26
     Signature Package Overview

      mpam-fe.exe
        Antimalware Full + Engine package (for x86, amd64, ia64)
            Contains engine (mpengine.dll), mpasbase.vdm, mpasdlta.vdm,
            mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe.
         Size: 11M

      mpam-d.exe
        Antimalware Delta package containing AV and AS signatures
            Contains mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm,
            mpavdlta.vdm, mpsigstub.exe.
         Size: < 0.5M




27
     Scans

     Quick scan
     Full scan
     Custom scan

     Not:
       Removable disk
       Network disk
       Single folder




28
     Engine

     Real-time protection
       Uses kernel-mode mini-filter

     Static analysis
     Emulation
        Executes in sandbox - to unpack
     Heuristics
     Detects user-mode rootkits
        Checks API detouring (= tunneling signatures)



29
     FCS monitoring options
       Enterprise Security Dashboard
         High level view of the
         Organization Security State

       Alerts
          Actionable Immediate Alerts on
          Security Incidents




       Reports
         Investigation of Security Issues
         Through Security State
         Visualization of Both Online and
         Historical Data
30
     Enterprise Security Dashboard
      Dashboard – The Security State in a Glance
      Switchboard – Access the Different Views

         Reports
         Alerts
         Configuration

      Live Data
      Change
      Indication




31
     Reports

       Security Focused                 Adjusting
       Allow Investigation              Email Subscriptions
       Drill Down                       Limited Extensibility in V1.0
       Current vs. Historical
       Filtering, Grouping, Aggregation

       [Diagram: report matrix]
                    Focus               Performance
         Live       Dashboard           Investigation Tool     Activity
         Static     Security Summary    Incident Summary       Value


32
     Main Report


      Security Summary




33
     Reports

       [Diagram: report hierarchy]
       Security Summary
         Deployment Summary
         Alert Summary
         Computer Summary
         Threat Summary
         Vulnerability Summary

34
       [Diagram: report hierarchy with detail reports]
       Security Summary
         Deployment Summary    -> Signature Deployment Details
         Alert Summary         -> Alert Detail
         Computer Summary      -> Computer Detail
         Threat Summary        -> Threat Detail
         Vulnerability Summary -> Vulnerability Detail

35
       [Diagram: report hierarchy with detail and instance reports]
       Security Summary
         Deployment Summary    -> Signature Deployment Details
         Alert Summary         -> Alert Detail          -> Alert Instance
         Computer Summary      -> Computer Detail       -> Malware Instance
         Malware Summary       -> Malware Detail
         Vulnerability Summary -> Vulnerability Detail  -> Vulnerability Instance
36
     Alert Types
          Malware Activity
             Computer Infected / Malware On Network
             Successful / Failed Response
             Repeated Malware Infections
             Malware Outbreak


          Protection Agent
             Protection Turned Off
             Scanning Failed
             Signature Update Failed



          FCS Server Security Impact
             Flooding Detected
             Evaluation Product Expiration
             FCS Failures


37
     Alert Levels

         Alert configuration is policy specific
         Alerts notify admin of high-value incidents, including:
             Malware detected                Malware outbreak
             Malware failed to remove        Malware protection disabled
         Alert levels control type & volume of alerts generated

         [Diagram: alert level scale from 1 (Critical Issues Only, Low Value Assets)
          to 5 (Rich Data, High Value Assets), with these alerts marked at levels
          1 through 5: Outbreak; Malware removal failed; Signature update failed;
          Malware detected and removed; Signature update failed (per min)]
38
     FCS Alert Levels

      Pre-canned Configuration for
         Management Attention
         Asset Value
      5 Levels of Attention
         Detailed alerts for operational servers
         Low sensitivity for desktops
         Even less attention to Kiosk machines
      Set via FCS Policies




39
     Alert Design Guidelines

      Important – Only significant security incidents
      Actionable – Each alert represents a work item
      Timely – Relevant for immediate action
      Few – No more than a few events per day
      Correct – Minimize false positives




40
     Email alerts and reports

     Alerts
        In MOM 2005 Admin Console
           Define email server (SMTP)
           Add "operator" to Client Security Notification Group


     Reports
       In SQL Server 2005 Reporting Services
           Define email settings (SMTP)
        In http://<server>/reports
           Create report subscription




41
     FCS Alerts

     What is an alert
       Kinds of alerts we have
       Criteria for a good alert
     Why alerts
       Security operator productive
       A list of actionable things
     How to use and configure alerts
       Alert Levels
       The MOM operator console



42
     Alert Design Guidelines
       Important
                    Only significant security incidents

       Actionable
                    Each alert represents a work item

       Timely
                    Relevant for immediate action

       Few
                    No more than a few events per day

       Correct
                    Minimize false positives
43
     FCS Alert Level

     Pre-canned Configuration for
        Management attention
        Asset value

     5 Levels of Attention
        Detailed alerts for operational servers
        Low sensitivity for desktops
        Even less attention to Kiosk machines

     Set via FCS Policies

44
     Security State Assessment Checks
     Evaluation Process
        Retrieve machine settings from available sources
          E.g. Registry, WMI, File System, WUA, Firewall

        Evaluate configuration against known criteria

        Assign score based on compliance with security best
        practices
           High, Medium, Low, or Informational

        Aggregate and report on results across multiple
        machines
45
     Unified malware protection for business desktops,
     laptops and server operating systems that is
     easy to manage and control
     Effective Malware Protection supported by Microsoft
     Malware Response Center
     Integration with the existing environment makes FCS
     easier to manage
     Visibility over vulnerabilities helps proactively secure
     the environment against upcoming attacks
     An integral part of Microsoft Forefront
     Download free evaluation software:
     http://www.microsoft.com/forefront/serversecurity
46
47
     Extra Slides




48
            Top issues

            Context

       “What portion of my environment is at risk?”

50
     Problems Addressed
       Unified Protection      Simplified Administration      Visibility & Control

       Limited visibility into the security state of the enterprise
          Which clients are vulnerable to exploitation?
          Which clients expose an increased surface area for
          attack?

       Difficult to prioritize security issues based on impact to
       an organization
          Are my clients vulnerable to infection from this
          virus?
          Can my clients be re-infected by the same virus?
51
     Goals

       Provide visibility into vulnerabilities and insecure
       configurations on managed clients

       Help customers focus efforts on managing vulnerability
       exposure instead of reacting to malware threats




52
     Solution Approach

       SSA Agents
         Installed on managed clients to perform state
         assessment scans

       Security Checks
         Detect common vulnerabilities and missing security
         updates
         Compare system configuration against security best
         practices

       FCS Reports
         Surface issues found across the enterprise
         Reports help focus IT resources on the right security
53
     Drilldown: Scheduled Scans
     FCS Scan Policy
        Time-Based Scan
          Scan once per day at the specified time
          Scan When Missed - Option to scan after reboot if a
          daily scan was unable to run at the scheduled time

        Interval-Based Scan
           Scans once every N hours
           Scans can occur more than once per day




54
     Drilldown: On-Demand Scans
     FCS Console
       Invoked by “Scan Now…” button in FCS Console
       Allows users to trigger scans immediately
       Can target a single machine or all managed computers
       Performs both AM and SSA scans




55
     Security State Assessment Checks
     Overview
        Types of vulnerabilities:
          Missing security updates
          Configuration exposures

        Checks “power” SSA scans:
          Assess Security State – System settings and patch
          status
          Evaluate Vulnerability Risk – Assign score based
          on compliance with security best practices



56
     Drilldown: Security Updates Check
     Overview
        Two types of updates reported:
          Security Bulletins – Updates that address specific
          security vulnerabilities
          Cumulative Security Updates – Rollups & Service
          Packs that supersede security updates

        Updates categorized by Product Family




57
     Drilldown: Security Updates Check
     Detection Logic
        Security updates are “missing” if:
          Required updates are not installed
          Installed updates require system restart

        Built on Windows Update platform:
          Update search performed against default Update
          Server (WSUS or MU)
          Only detects approved security updates when
          scanning against WSUS
          Reports connection failures to Update Server
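The detection logic above, modelled as an added example (not code from the deck or the product): an update is "missing" when it is not installed or still needs a restart, only WSUS-approved updates count when scanning against WSUS, an unreachable update server is reported rather than scored, and results are aggregated across machines the way the SSA Summary report breaks computers down by MSRC severity. The classes, the severity ranking and the placeholder bulletin ids (everything except MS07-017, which the deck names) are assumptions.

```python
# Added example, not code from the Forefront Client Security deck: a model of
# the SSA "Security Updates" detection logic over a constructed catalogue and
# client inventory.  The classes, the MSRC ranking and the aggregation are
# assumptions; the deck supplies the two "missing" conditions, the WSUS
# approval rule, the connection-failure report and the superseding rollups.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MSRC_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}


@dataclass
class Update:
    bulletin: str
    kind: str                   # "Security Bulletin" or "Cumulative Security Update"
    msrc_severity: str
    approved_in_wsus: bool
    supersedes: List[str] = field(default_factory=list)   # rollups / service packs


@dataclass
class Client:
    name: str
    installed: Dict[str, bool]  # bulletin -> True if a restart is still pending
    update_server: str          # "WSUS" or "MU" (Microsoft Update)
    reachable: bool = True


@dataclass
class ScanResult:
    computer: str
    missing: List[Update] = field(default_factory=list)
    pending_restart: List[Update] = field(default_factory=list)
    connection_failed: bool = False


def required_updates(catalog: List[Update], client: Client) -> List[Update]:
    """Updates the client should have.  Against WSUS only approved updates are
    considered; against MU every catalogue entry applies.  An update superseded
    by an installed rollup or service pack is no longer required."""
    superseded = {b for u in catalog if u.bulletin in client.installed
                  for b in u.supersedes}
    return [u for u in catalog
            if (client.update_server != "WSUS" or u.approved_in_wsus)
            and u.bulletin not in superseded]


def scan_client(catalog: List[Update], client: Client) -> ScanResult:
    """An update is "missing" when not installed, or installed but waiting for
    a restart.  A failure to reach the update server is reported on its own
    instead of being counted as missing updates."""
    result = ScanResult(client.name)
    if not client.reachable:
        result.connection_failed = True
        return result
    for update in required_updates(catalog, client):
        if update.bulletin not in client.installed:
            result.missing.append(update)
        elif client.installed[update.bulletin]:
            result.pending_restart.append(update)
    return result


def computer_severity(result: ScanResult) -> Optional[str]:
    """MSRC severity of the worst outstanding update, None when clean."""
    outstanding = result.missing + result.pending_restart
    if not outstanding:
        return None
    return max(outstanding, key=lambda u: MSRC_RANK[u.msrc_severity]).msrc_severity


def computers_by_msrc_severity(results: List[ScanResult]) -> Dict[str, int]:
    """Aggregate across machines, as the SSA Summary report's
    "Computers by MSRC Severity" breakdown does."""
    counts: Dict[str, int] = {}
    for r in results:
        key = "Connection failed" if r.connection_failed else (computer_severity(r) or "None")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed catalogue and clients (placeholder ids except MS07-017).
SAMPLE_CATALOG = [
    Update("MS07-017", "Security Bulletin", "Critical", True),
    Update("MSxx-SAMPLE-A", "Security Bulletin", "Important", False),
    Update("MSxx-SAMPLE-B", "Security Bulletin", "Moderate", True),
    Update("SP-SAMPLE", "Cumulative Security Update", "Important", True,
           supersedes=["MSxx-SAMPLE-B"]),
]
SAMPLE_CLIENTS = [
    Client("wks-01", {"MS07-017": False, "SP-SAMPLE": False}, "WSUS"),
    Client("wks-02", {"MS07-017": True}, "WSUS"),      # restart pending
    Client("srv-01", {}, "MU"),                         # unapproved items count too
    Client("lap-01", {}, "WSUS", reachable=False),
]

if __name__ == "__main__":
    results = [scan_client(SAMPLE_CATALOG, c) for c in SAMPLE_CLIENTS]
    for r in results:
        print(r.computer, "missing:", [u.bulletin for u in r.missing],
              "restart:", [u.bulletin for u in r.pending_restart],
              "(connection failed)" if r.connection_failed else "")
    print(computers_by_msrc_severity(results))
```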


58
     Drilldown: Windows Firewall Check
     Overview
        Provides central monitoring of Windows Firewall
        Gives visibility into end-user configuration

        Reports on:
          Firewall status (on/off)
          User-defined exceptions
          Applicability to each network interface




59
     Drilldown: Windows Firewall Check
     Evaluation Logic
        Firewall Status
           If disabled on any network interface, score is “High”
           If configured by Group Policy, score is “Informational”

        Exceptions
          Enumerates each port and application exception
          Any exception not configured via GP scores “Medium”
          If configured by Group Policy, scores as “Informational”
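The evaluation logic above as an added example (not code from the deck or the product), run over a constructed snapshot of one client's firewall state. The snapshot classes are assumptions, and so is the Low score given to a firewall that is enabled but configured locally, a case the slide does not cover; the High, Medium and Informational rules follow the slide.

```python
# Added example, not code from the Forefront Client Security deck: a model of
# the SSA "Windows Firewall" check as the slide describes it.  The snapshot
# classes are assumptions; so is the Low score for an enabled but locally
# configured firewall, which the slide leaves unstated.
from dataclasses import dataclass
from typing import List, Tuple

# Score ordering used to pick the worst finding for a computer.
SEVERITY = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Interface:
    name: str
    firewall_enabled: bool
    configured_by_gp: bool      # state enforced through Group Policy


@dataclass
class ExceptionRule:
    description: str            # port ("TCP 3389") or application path
    configured_by_gp: bool


@dataclass
class Finding:
    item: str
    score: str
    reason: str


def score_status(interfaces: List[Interface]) -> Finding:
    """Firewall Status rule: disabled on any network interface -> High;
    enabled everywhere and configured by Group Policy -> Informational."""
    disabled = [i.name for i in interfaces if not i.firewall_enabled]
    if disabled:
        return Finding("Firewall Status", "High",
                       "firewall disabled on " + ", ".join(disabled))
    if all(i.configured_by_gp for i in interfaces):
        return Finding("Firewall Status", "Informational",
                       "enabled on all interfaces, configured by Group Policy")
    # Assumption (not on the slide): enabled but locally configured, so a
    # user could still switch it off; flagged Low rather than ignored.
    return Finding("Firewall Status", "Low",
                   "enabled on all interfaces, but configured locally")


def score_exceptions(rules: List[ExceptionRule]) -> List[Finding]:
    """Exceptions rule: every port and application exception is enumerated;
    not configured via GP -> Medium, configured via GP -> Informational."""
    findings = []
    for rule in rules:
        if rule.configured_by_gp:
            findings.append(Finding("Exception " + rule.description, "Informational",
                                    "exception configured by Group Policy"))
        else:
            findings.append(Finding("Exception " + rule.description, "Medium",
                                    "user-defined exception"))
    return findings


def evaluate_firewall(interfaces: List[Interface],
                      rules: List[ExceptionRule]) -> Tuple[str, List[Finding]]:
    """Run both rules; the check's overall score is the worst finding, so one
    disabled interface or one user-defined exception raises the result."""
    findings = [score_status(interfaces)] + score_exceptions(rules)
    overall = max(findings, key=lambda f: SEVERITY[f.score]).score
    return overall, findings


# Constructed sample: firewall on (via GP) on the wired adapter, switched off
# by the user on the wireless adapter, one GP exception and one local one.
SAMPLE_INTERFACES = [
    Interface("Local Area Connection", True, True),
    Interface("Wireless Network Connection", False, False),
]
SAMPLE_RULES = [
    ExceptionRule("TCP 3389 (Remote Desktop)", True),
    ExceptionRule("C:\\Tools\\fileshare.exe", False),
]

if __name__ == "__main__":
    overall, findings = evaluate_firewall(SAMPLE_INTERFACES, SAMPLE_RULES)
    print("Windows Firewall check:", overall)
    for f in findings:
        print(f"  [{f.score:<13}] {f.item}: {f.reason}")
```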


60
     Drilldown: Configuration Checks
     Checks Available in FCS
      Check                  Description
      Automatic Updates      Identifies whether the Automatic Updates feature is
                             enabled on the scanned computer and if so, how it is
                             configured
      Administrators         Identifies and lists the individual user accounts that
                             belong to the local Administrators group
      Guest Account          Determines whether the built-in Guest account is
                             enabled
      Unnecessary Services   Determines whether the following services are
                             installed and not disabled: World Wide Web Service,
                             SMTP Service, Telnet, and FTP Publishing
      Autologon              Determines whether the Auto Logon feature is
                             enabled on the scanned computer, and if the logon
                             password is encrypted in the registry or stored in
                             plaintext

61
     Drilldown: Configuration Checks
     Checks Available in FCS
      Check                 Description
      Incomplete Updates    Determines whether any installed software updates
                            require a system restart to complete installation
      File System           Determines the file system of each hard drive, to
                            ensure that the NTFS file system is being used
      Password Expiration   Determines whether any local accounts have
                            passwords that do not expire
      Restrict Anonymous    Determines whether anonymous connections are
                            restricted on the scanned computer
      Shares                Determines if there are any shared folders on the
                            client computer




62
     Drilldown: Configuration Checks
     Detailed Descriptions
        Each check is like a different feature
          Administrators can judge risk represented by each
          by understanding how each check is evaluated and
          scored

        Each check documented on TechNet
          http://technet.microsoft.com/en-us/library/bb418830.aspx
          Includes information on evaluation criteria, scores,
          and possible results


63
     Reporting Results
     Bringing Visibility to Issues
        SSA scan results:
          Collected from managed clients
          Aggregated to determine vulnerability exposure and
          overall risk

        Drilldown into issues:
           Console – Number of computers reporting critical
           vulnerabilities
           Security Summary – Top 5 vulnerability exposures
           SSA Summary – All vulnerability issues in the
           enterprise
           Vulnerability Detail – Enterprise exposure to a
64
     Drilldown: Console
     Overview of Security Issues
        Computers Reporting Critical Issues:
          Percentage of managed computers reporting critical
          issues
          Includes: malware detection events, missing security
          updates

        Links to FCS Reports:
           Security Summary Report
           SSA Summary Report



65
     Drilldown: Console
     Overview of Security Issues




66
     Drilldown: Security Summary Report
     Overview of Vulnerability Issues
        Top Vulnerabilities
          Top 5 vulnerabilities currently exposed in the
          enterprise
          Prioritized by risk and exposure

        Vulnerability Trend
          Shows trend in vulnerability exposure over the past
          month




67
     Drilldown: SSA Summary Report
     Overview of SSA Results
        Computers by Score
          Breakdown of computers by risk of vulnerability
          exposure

        Computers by MSRC Severity
          Breakdown of computers by security bulletin severity
          value

        Vulnerabilities List
          List of security issues prioritized by risk factor and
          exposure in the enterprise
          Drill through to specific issue reports
68
     Drilldown: SSA Summary Report
     Computers by Score




69
     Drilldown: SSA Summary Report
     High Score Computers by MSRC Severity
        Trend data reveals interesting patterns
            Updates released on second Tuesday of every month (“Patch
            Tuesday”)
            MS07-017 security update was released a week early
            Result was two spikes in trend for missing updates in the
            month of April




70

				