Security Management and Protection: What's in Microsoft Forefront Client Security Version 2
Jayesh Mowjee
Security Consultant
Microsoft
Session Code: SIA203
Session Objectives and Takeaways

Session Objectives:
  Understand the capabilities of FCSv2
  Know how FCSv2 protects endpoints against threats
  Plan an FCSv2 deployment

Key Takeaways:
  FCSv2 provides comprehensive endpoint protection
  FCSv2 is part of Forefront codename: “Stirling”
Agenda
  Forefront Today
  Forefront Client Security v2
    Unified Protection
    Simplified Administration
    Visibility and Control
    Enterprise Ready
  Question and Answer
Business Ready Security
Help securely enable business by managing risk and empowering people

Highly Secure & Interoperable Platform
  Identity: Integrate and extend security across the enterprise
  Protect everywhere, access anywhere
  Simplify the security experience, manage compliance

Moving from: Block, Cost, Siloed
To: Enable, Value, Seamless

Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management

Diagram tiers: Network Edge, Server Applications, Client & Server OS
Comprehensive Protection
  Unified endpoint security that integrates anti-malware, host firewall and more
  Coordinated protection with Forefront codename: “Stirling”
  Inspection, threat mitigation and remediation

Simplified Administration
  Manage from a single role-based console
  Integrates with existing Microsoft infrastructure
  Easy discovery and deployment of protection for endpoints

Visibility and Control
  One dashboard for visibility into threats, vulnerabilities, and configuration risks
  Increased visibility into endpoint security with vulnerability assessment scanning

Comprehensive protection for business desktops, laptops and server operating systems that is easier to manage and control
Comprehensive Protection: Forefront Client Security v2

Protection technologies (shown on a scale from proactive to reactive):
  Vulnerability Remediation: Reduce attack surface of vulnerabilities
  Host Firewall: Restrict what applications can do
  Vulnerability Assessment: Scan for vulnerabilities and configuration exposures
  Behavior Monitoring: Monitor suspicious processes
  Antivirus/Antispyware: Block, remove and clean malicious software
  Network Access Protection: Limit exposure from vulnerable clients
FCS Awards and Certifications
In recent tests, Microsoft rated among the leaders in anti-virus protection

AVComparatives (Feb 2008): Test of consumer anti-virus products using a malware sample covering approximately the last three years. Received AVComparatives Advanced Certification.

AVTest.org (March 2008): Test based on more than 1 million malware samples.

Detection rates shown on the slide:
  Kaspersky 98.3%
  Symantec 97.7%
  McAfee 94.9%
  Microsoft 93.9%
  VBA32 87.7%

  AVK (G Data) 99.9%
  Trend Micro 98.7%
  Sophos 98.1%
  Microsoft 97.8%
  Kaspersky 97.2%
  F-Secure 96.8%
  Norton (Symantec) 95.7%
  McAfee 95.6%
  eTrust / VET (CA) 72.1%
Antivirus – Antispyware: Building on FCS v1

AVTest.org (Sept 2008): Test based on more than 1 million malware samples.
  AVK 2009 (G Data) 99.8%
  F-Secure 99.2%
  Norton (Symantec) 98.7%
  Kaspersky 98.4%
  Microsoft 97.7%
  Sophos 97.5%
  McAfee 93.6%
  Trend Micro 91.3%
  CA - VET 65.5%
Antivirus – Antispyware: Building on FCS v1

Integrated anti-virus/anti-spyware agent delivering real-time protection
  Uses Windows Filter Manager: maintains stable operation; scans for viruses and spyware in real time
  Dynamic Translation (unique to the Microsoft agent): maximizes scanning speed through decryption and code emulation of malware at the speed of native code execution

Other protection features:
  Tunneling signatures for detecting and removing rootkits
  Advanced system cleaning: customized remediation (recreating registry entries, restoring settings)
  Event Flood Protection: shields the reporting infrastructure from infected clients during an outbreak
  Heuristics for classifying programs based on behavior

Benefits:
  Better malware detection
  Multiple technologies for malware protection
  Greater stability of the client environment
  Faster malware scanning conducted in real time
Sources: West Coast Labs, AVTest.org, performance benchmarking study conducted by West Coast Labs.

Product Name / Capability                 Leading Competitor    Forefront Client Security
Memory Footprint (1)
  Client - uninfected                     536 Mbs               522 Mbs
  Client - infected                       593 Mbs               495 Mbs
Avg Usage, CPU & Memory (2)
  % Client - uninfected                   82.37%                79%
  % Client - infected                     88.56%                81.6%
Scanning time
  Uninfected client                       147.69 min            81.82 min
  Infected client                         167.09 min            95.33 min
Application Startup time
  Starting Word (no AV: 1.725 sec)        2.425 sec             2.233 sec
  Starting IE (no AV: 2.275 sec)          3.6 sec               2.6 sec

Callouts: 7% less CPU; 2x faster
Antivirus – Antispyware: Building on FCS v1

Product Name / Capability                 Leading Competitor    Forefront Client Security
Memory Footprint (1)
  Server                                  58.6 Mbs              56.5 Mbs
  Client                                  66.3 Mbs              57.9 Mbs
Avg Usage, CPU & Memory (2)
  % Server Avg                            30.5%                 2.0%
  % Client Avg                            29.4%                 11.1%
Boot time increase (3)                    62% avg increase      4.5% avg increase
Scanning time (quick)
  Network 1 (Avg) (4)                     29.9 min              13.6 min
  Network 2 (Avg) (4)                     12.0 min              5.3 min
Scanning time (full)
  Network 1 (Avg) (4)                     156.8 min             34.6 min
  Network 2 (Avg) (4)                     92.8 min              18.3 min

Callouts: 60%+ less CPU usage; 14x faster at boot time; 2x faster in quick scans; 5x faster in full scans
The FCS agent efficiently uses system resources, scans quickly, and detects malware effectively
Vulnerability Management: Proactively reduce the surface area (NEW)

Assess
  Detect common vulnerabilities and missing security updates
  Discover misconfiguration exposures
  Configure security check parameters
  New checks include: IE Security Setting, DEP, IIS Setting, and more…
  Compare system configuration against security best practices
  Assign a score based on the associated risk
  Surface issues found across the enterprise in real time

Remediate
  Automatically remediate based on policy
  Integrate with NAP for compliance enforcement
  Remotely remediate from the management console
Vulnerability Assessment Checks: Available in Forefront Client Security v2

Internet Explorer Browser Security
  Restricted Sites Allowed
  Trusted Sites
  Home Page Protection
  Phishing Filter
  Pop-up Blocker
  Protected Mode
  Internet Explorer Zones
  Enhanced Security Configuration
Antimalware
  Malware detected and/or failed to clean
  AM Service Running
  AM Signatures Up-To-Date
  AM Scan Required
BitLocker
Device Control
Windows Firewall
Data Execution Prevention (DEP)
Account Management
  Guest Account
  Autologon
  Restrict Anonymous
  Auditing (Login/Logoff)
  Password Expiration
File System
  File System NTFS
  Shares
Security Updates
  Approved Updates
  Unapproved Updates
  Automatic Updates
Unnecessary Desktop Services
Office Macros
User Account Control (UAC)
  Application Elevation for App Install
  Application Elevation for Signed Exe
  Application Elevation for UIAccess Apps
  ActiveX Install Without Prompt
  Virtualization for File and Registry Failures
  Admin Approval Mode for Built-In Admin
  Elevation Prompt for Admins
  Elevation Prompt for Standard Users
  Admin Approval Mode for All Admins
  Elevation Prompt Secure Desktop
  Secure Credential Entry
Network Access Protection
  Up-to-date Protection: ensures that all clients have the latest definitions & host protection policy
  Compliance Enforcement: enables administrators to enforce their corporate security policy and protect the network from non-compliant and vulnerable clients
  Outbreak Containment: protects the network from clients with active malware infections
  Network Eviction: enables administrators to protect the network from suspicious and potentially compromised clients
Host Firewall
  Firewall Management: centralized management of the Windows Firewall
    Windows XP/2003, Windows Vista/2008, and Windows 7
    Support Inbound and Outbound Filtering
    Configure Firewall Exceptions for Ports, Applications, and Services
    Configure Network Location Profiles for Roaming Users
  Centralized Visibility: Firewall State in the Enterprise
    Sensors for Security Incident Detection
    Activity Monitoring
    Statistics
Forefront Code Name "Stirling"
An integrated security suite that delivers comprehensive protection across endpoint, application servers, and the edge that is easier to manage and control

Diagram: the Code Name “Stirling” Central Management Server spans Network Edge, Server Applications, and Client & Server OS; it is connected to Third-Party Partner Solutions, Other Microsoft Solutions, Active Directory and NAP, and provides Unified Management, In-Depth Investigation, Enterprise-Wide Visibility and Security Assessment Sharing (SAS).
Simplified Administration With Stirling: Protect your business with greater efficiency
  FCSv2 is managed through “Stirling”
  One console for simplified, role-based security management
  Define one security policy for your assets across protection technologies
  Deploy signatures, policies and software quickly
  Integrates with your existing infrastructure: SQL, WSUS, AD, NAP, SCCM, SCOM (new & existing)

Diagram labels: Reports; Policy; Signature updates (Microsoft Update, or alternate system); Groups; Events; Network Access Protection (NAP) (or alternate systems); Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint, Forefront Threat Management Gateway; Required Infrastructure; Integration Infrastructure; Core Infrastructure.
Deployment and Scalability

Integration With Your Infrastructure

Stirling Server Roles:
  Stirling Core
  Stirling Console
  Stirling SQL DB
  SCOM Root Management Server (RMS)
  SCOM SQL DB
  SQL Reporting Server
  SQL Reporting DB
Software/Signature Deployment, e.g. WSUS or SCCM (typically already deployed before Stirling)

Diagram: example deployments for 250 – 2,500 assets (1) and for up to 25,000 assets, placing the Stirling Console, Stirling Core, SCOM (RMS), SQL Reporting Server, Stirling SQL DB, SCOM SQL DB, SQL Reporting DB and WSUS roles across one or more servers. Scaling up: additional Stirling Console, Stirling Core, SQL Reporting Server, SCOM RMS, SCOM SQL DB, WSUS, Stirling SQL DB and SQL Reporting DB instances are added per 25,000 assets and per 20,000 assets.

(1) An asset is a computer with one of the Stirling protection technologies (FCS, FSE, FSSP and/or TMG).
Critical Visibility and Control: Know where action is required
  Know your security state
  View insightful reports
  Investigate and remediate security risks

Critical Visibility and Control: Take action to remediate issues
  Integrated with Dynamic Response
  FCSv2 Tasks:
    Update signatures
    AM quick/full scan
    Vulnerability scan
    Install missing updates
    Vulnerability remediation
    Network eviction
    Reboot computer
Enhanced Enterprise Capabilities: Forefront Client Security
Scale to the largest enterprises
Role-based Administration
Virtualized Deployments
Clustering and High Availability Deployments
Support for both domain and non-domain joined assets
Protection for Windows Server Roles
Native NAP Integration
Platform Support

Client Agents
Windows XP, Windows Vista, Windows 7
Windows 2003, Windows 2008
Virtual machines (MSFT virtual machine technology only)
Non-domain joined machines
Windows Embedded, WEPOS
Server Infrastructure
Windows Server 2003, Windows 2008 (x64 only)
SQL Server 2008 Standard or Enterprise
Will support installation of server infrastructure on virtual machines (MSFT virtual machine technology only)
Will support clustered environments for high availability
Summary
  Forefront Client Security v2 provides unified protection for endpoints (desktops, laptops and servers) that is easier to manage and control
  Built on FCS v1 strong foundations
  Offers greater protection
  Integrated with “Stirling”
  Centralized management
  Comprehensive, insightful reports
  Enterprise Ready
Resources
  Sessions On-Demand & Community: www.microsoft.com/teched
  Resources for IT Professionals: http://microsoft.com/technet
  Resources for Developers: http://microsoft.com/msdn
  Microsoft Certification & Training Resources: www.microsoft.com/learning
© 2009 Microsoft Corporation. All rights reserved.