
Forefront Endpoint Protection 2010, the next version of Forefront Client Security, enables businesses to simplify and improve endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2, allowing customers to use their existing client management infrastructure to deploy and maintain endpoint protection.

Microsoft Forefront Endpoint Protection 2010 Evaluation Guide


© 2010 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, Forefront, Windows, Windows Server, all Forefront products, and Active Directory Rights Management Services are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This reviewers guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Other product and company names herein may be trademarks of their respective owners.

Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA

This guide is designed to walk you through an end-to-end evaluation of Microsoft® Forefront™ Endpoint Protection 2010, based on task-driven scenarios that you would commonly find in your daily production use. Step-by-step instructions will give you a sense of product features, capabilities, usage, and end-user benefits in order to help your pre-purchase assessment.

Forefront Endpoint Protection 2010 Evaluation Guide

TABLE OF CONTENTS

Table of Contents ........ 4
Introduction ........ 6
    Using This Guide ........ 6
Chapter 1: Overview ........ 7
    What Is Forefront Endpoint Protection 2010? ........ 7
    The Convergence of Desktop Security and Management ........ 7
    Reduce Ownership Costs ........ 7
    Improved Protection ........ 7
    Increased Efficiency ........ 8
    What’s New in Forefront Endpoint Protection 2010 ........ 9
    Common Usage Scenarios for Forefront Endpoint Protection 2010 ........ 11
    Ease of Deployment ........ 11
    Enhanced Protection ........ 12
    Simplified Management ........ 13
    Getting Started ........ 14
    Summary ........ 15
Chapter 2: Ease of Deployment and Simplified Management ........ 17
    Exercise 1: Deploying Forefront Endpoint Protection 2010 ........ 18
    Exercise 2: Using Configuration Manager to deploy FEP clients ........ 21
    Exercise 3: Operations ........ 27
        Exercise 3.1: Operational status: Dashboard overview ........ 28
        Exercise 3.2: Policy management ........ 29
        Exercise 3.3: Policy customization ........ 32
        Exercise 3.4: Policy assignment ........ 39
        Exercise 3.5: Using Group Policy for FEP ........ 40
        Exercise 3.6: Signature updates ........ 44
    Summary ........ 50
Chapter 3: Comprehensive Protection ........ 52
    Exercise 4: Detecting and cleaning malware impact scanning ........ 53
    Exercise 5: On-demand, scheduled and real-time scanning ........ 56
        Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning ........ 57
        Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning ........ 60
        Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning ........ 60
    Summary ........ 62
Chapter 4: Simplified Management—Reporting and Alerting ........ 63
    Exercise 6: Forefront Endpoint Protection 2010 reports ........ 63
    Exercise 7: Forefront Endpoint Protection 2010 alerts ........ 66
        Exercise 7.1: Sending a Malware Outbreak alert ........ 66
        Exercise 7.2: Sending a Malware Detection alert ........ 68
        Exercise 7.3: Sending a Repeated Malware Detection alert ........ 70
        Exercise 7.4: Sending a Multiple Malware Detection alert ........ 72
        Exercise 7.5: Setting the alert level ........ 74
    Summary ........ 75
APPENDIX: System Requirements and Prerequisites ........ 76
    Hardware Requirements ........ 76
    Pre-configured Virtual Environment System Requirements ........ 76
    Forefront Endpoint Protection 2010 System Requirements ........ 76
    Forefront Endpoint Protection 2010 Client ........ 77
    Software Prerequisites for Forefront Endpoint Protection Deployment ........ 77
    Exercise 8: Deploying SQL Server ........ 78
    Deploying Configuration Manager 2007 R2 ........ 80
Forefront Endpoint Protection Security Management Pack: Enabling Real-Time Monitoring with System Center Operations Manager 2007 R2 ........ 81
    Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010 ........ 83
    Exercise 10: Generating alerts and notifications ........ 86
    Exercise 11: Performing task remediation ........ 89
Resources ........ 92

INTRODUCTION

Forefront Endpoint Protection 2010 (FEP), the next version of Forefront Client Security, enables businesses to simplify and improve endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2 and R3, and allows customers to use their existing client management infrastructure to deploy and maintain endpoint protection.

Microsoft Forefront Endpoint Protection 2010 Overview

Simplify
• Creates a single administrative experience for managing and securing endpoints
• Improves visibility to help administrators identify and remediate potentially vulnerable endpoints

Integrate
• Lowers ownership costs by using a single infrastructure for endpoint management and security
• Deploys effortlessly to hundreds of thousands of endpoints using existing Configuration Manager agents

Protect
• Provides highly accurate detection of known and unknown threats
• Manages Windows® Firewall configurations to actively protect against network-level attacks

Using This Guide

This guide highlights important features of FEP and is designed to simplify your review process.

• Chapter 1 provides an overview of FEP and outlines its new features, benefits, and common usage scenarios.
• Chapter 2 covers FEP setup and configuration and signature updates, with installation and management using System Center.
• Chapter 3 covers the comprehensive antimalware detection and prevention capabilities of FEP, including results analysis.
• Chapter 4 covers reporting and alerting capabilities of FEP.
• The appendices provide steps to install System Center server components and other prerequisites for FEP evaluation. They also explain how you can use Microsoft System Center Operations Manager to monitor FEP activities in real time using the Forefront Endpoint Protection Security Management Pack.

The labs throughout this guide provide evaluation and testing instructions and explain the design and use of various features.

CHAPTER 1: OVERVIEW

What Is Forefront Endpoint Protection 2010?

Desktop management and security have traditionally existed as two separate disciplines, yet both play a central role in keeping users safe and productive. Forefront Endpoint Protection 2010 enables businesses to align client security and management to improve endpoint protection while greatly reducing operational costs. It provides protection from evolving malware threats and builds on Configuration Manager 2007 R2 and R3. This enables customers to use their existing client management infrastructure to deploy and manage endpoint protection.

The Convergence of Desktop Security and Management

With discrete infrastructures for management and security, companies need to purchase and maintain separate hardware and software, create and manage two sets of policies, and take two sets of actions when security incidents occur. Together, FEP and Configuration Manager 2007 deliver operational efficiencies not available with traditional management and security silos.

Reduce Ownership Costs

You can use your existing Configuration Manager infrastructure to easily deploy FEP to provide:

• Simplified deployment of endpoint protection through a proven infrastructure that scales to hundreds of thousands of clients across a distributed environment
• Reduced infrastructure costs by using your existing Configuration Manager deployment for both endpoint protection and client management

Improved Protection

Many desktop vulnerabilities are a result of poor system configuration, yet security administrators often lack easy access to inventory, patch level, and other desktop-specific data. Forefront Endpoint Protection 2010 and Configuration Manager 2007 give your organization industry-leading threat-detection capabilities to remediate endpoint security vulnerabilities. The FEP antimalware engine provides highly accurate and efficient threat detection and protects against the latest malware and rootkits with a low false-positive rate. It also helps protect the clients against unknown or zero-day threats. The combination of these technologies in a single infrastructure offers a unique, consolidated view into the health and protection status of user systems. IT can better identify at-risk machines and take action to patch systems, block outbreaks, and initiate clean-up efforts. These technologies can also consolidate and simplify reporting on the complete desktop environment.

Secure and Streamline the Windows Optimized Desktop

Forefront Endpoint Protection 2010 and Configuration Manager are part of the Windows Optimized Desktop, which is built on the Windows 7 Enterprise operating system. The Windows Optimized Desktop also deploys virtualization technologies with integrated management across physical and virtual machines, including Microsoft Virtual Desktop Infrastructure (VDI).

Along with Microsoft Office 2010, Windows Internet Explorer 8, and the Microsoft Desktop Optimization Pack, FEP and Configuration Manager help create a more productive, manageable, and secure workforce environment.

For more information on Windows Optimized Desktop, visit www.microsoft.com/windows/enterprise.

Increased Efficiency

Forefront Endpoint Protection 2010 centralizes visibility into the management and security of endpoints, which can help you identify and remediate potentially vulnerable endpoints via:

• A single experience to manage clients and to create and configure endpoint protection policies
• Increased awareness of potentially vulnerable clients

What’s New in Forefront Endpoint Protection 2010

Forefront Endpoint Protection 2010 makes it easier to protect critical desktop, laptop, and server operating systems from viruses, spyware, rootkits, and other threats. Some of the key new capabilities in FEP include:

Forefront Endpoint Protection 2010 Features

Feature: Single console and infrastructure for desktop management and protection
Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 or R3, which enables you to use your existing client-management infrastructure. You can deploy and manage endpoint protection through a single interface of Configuration Manager, which enables you to manage and secure endpoints without the need for additional servers to support FEP. This integration is based on:
o Centralized deployment: Central package installation on client machines.
o Policy Management: Endpoint security policies can be defined centrally through the management console. Predefined templates for productivity and security defaults make it simpler to define policies based on best practices. This helps reduce complexity, improves troubleshooting and reporting insights, and can save time and effort.
o Customized alerts: Forefront Endpoint Protection generates alerts when it detects malware; alerts are based on the severity of the malware. Alerts can also be customized for specific types of malware detection.
o Reporting: View the overall status of security threats, actions needed, and the overall health status of client machines.

Feature: Enterprise scalability
Forefront Endpoint Protection 2010 uses the Configuration Manager infrastructure to more efficiently deploy clients and policies. This enables enterprises to deploy and manage endpoint protection clients on a very large scale.

Feature: More accurate and efficient threat detection
The new antimalware engine protects against the latest malware and rootkits with a low rate of false positives. The engine also helps keep employees productive with scanning that has low impact on performance. It enables administrators to limit processor usage during scans and uses new improvements in the engine, such as advanced caching, to provide high-quality security with optimized performance.

Feature: Behavioral threat detection
Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block attacks on client systems from previously unknown threats. Detection methods include behavior monitoring, emulation, and Dynamic Translation. Behavior monitoring identifies new threats and tracks behavior of unknown processes or known processes gone bad. Any behavior monitoring detection triggers a request to a cloud-based Dynamic Signature Service that can deliver protection in near-real time for new threats that are not in the signature set on the endpoint.

Feature: Network Vulnerability Shielding
Forefront Endpoint Protection 2010 provides protection against network-level exploits and intrusions by inspecting inbound and outbound network traffic. Based on the Microsoft Network Inspection System, it balances protection with performance by only enabling signatures for the unpatched vulnerabilities.

Feature: Windows Firewall Management
Forefront Endpoint Protection 2010 ensures that Windows Firewall is active and working properly to protect against network-layer threats. It also enables you to more easily manage these protections across the enterprise from the FEP console.

Feature: Signature updates
Forefront Endpoint Protection 2010 provides multiple options to receive signature and engine updates. Organizations can use their existing Windows Server Update Services (WSUS) infrastructure to receive FEP updates. Administrators can also configure a client to connect to Microsoft Update or use a file share to download the latest definition updates.

Feature: Customized alerts based on incidents and assets
Forefront Endpoint Protection 2010 automatically alerts you if it detects viruses, spyware, or other potentially unwanted software. It also provides the level of alert for a detected item:
o Severe or high-level alerts: Forefront Endpoint Protection alerts you to a threat and then always recommends that you remove the program(s).
o Medium-level alerts: Review the alert details (click the Show details link) to see why FEP detected the item. If you dislike what the software does or if it comes from an unknown or untrusted publisher, consider blocking or removing the software.
o Low-level alerts: This type of alert typically occurs when a program is installed and FEP is unsure about the authenticity of the program. To allow the software, review the alert details or check to see if you recognize and trust the software publisher.
You can also customize alerts and set FEP to alert you if you run software that has not yet been analyzed. You can also set alerts to notify you if software makes or tries to make some changes to your computer.

Feature: Detailed reports
Forefront Endpoint Protection 2010 uses the same reporting infrastructure as Configuration Manager and provides easy-to-use reports out of the box that provide deep insight into enterprise-wide client security activities.

Feature: Integration with Operations Manager 2007 R2
The FEP Security Management Pack enables you to monitor the security of server operating systems or critical assets in real time using existing Operations Manager infrastructure.

Key New Features

Simplify
• Single console: FEP is built on Configuration Manager 2007 R2. Configuration Manager provides a single interface for managing and securing endpoints, reducing complexity, and improving troubleshooting and reporting insights.
• Central policy creation: Administrators have a central location for creating and applying all endpoint-related policies.
• Improved visibility: With a shared view of endpoint protection and configuration, administrators can more easily identify and remediate vulnerable computers.

Integrate
• Single infrastructure: FEP uses Configuration Manager infrastructure to deploy and manage endpoint protection. This eliminates the expense of purchasing and maintaining an independent security infrastructure.
• Enterprise scalability: Using the Configuration Manager infrastructure, FEP clients and policies can be efficiently deployed to hundreds of thousands of users.

Protect
• Highly accurate detection: FEP helps protect against the latest malware and rootkits with lower false positives. Includes protection against network vulnerability exploits.
• Behavior monitoring: FEP uses system behavior and file reputation data to identify unknown threats.
• Efficient scanning: FEP keeps employees productive with low performance impact scanning.
• Client firewall management: FEP helps administrators centrally manage Windows Firewall protections across the enterprise.

Common Usage Scenarios for Forefront Endpoint Protection 2010

Ease of Deployment

Endpoint protection that operates separately from existing endpoint management systems often requires many resources and has high maintenance costs. Forefront Endpoint Protection 2010 uses Configuration Manager 2007 to centralize deployment of security software and policies to multiple endpoints. You can deploy FEP Server on a Configuration Manager standalone (single) site or to a hierarchical site environment. In a hierarchical Configuration Manager deployment there is a parent site that has one or more sites (child sites) attached to it in the hierarchy.

Configuration Manager 2007 sites define the scope of administrative control. The administrative control requirements will determine where FEP should be installed:

• For centralized policy creation and control, install FEP on the central site
• For decentralized policy creation and control, install FEP on the child sites

Configuration Manager distribution is used to centrally manage and monitor the deployment of FEP to client computers in your existing infrastructure. With this method, you can control which Configuration Manager collections the client is deployed to, and use the provided reports to determine deployment status or drill down to information about computers on which the client failed to deploy and why.

Organizations can use their existing WSUS infrastructure to receive the signature and antimalware engine updates. Additionally, administrators can define network file shares or Internet-based Microsoft Update to provide the latest signature updates to the clients.

In the related section of this common usage scenario, you will evaluate the process of centralized client deployment through Configuration Manager 2007. This scenario provides step-by-step instructions to distribute and advertise the software to existing or new endpoints.

Enhanced Protection

Exposure to fast-evolving security threats requires businesses to frequently test patches and updates before they release them to users. Viruses, rootkits, spyware, malware, and directed attacks can arise from inside and outside an organization’s network. Some threats breach tight security on the corporate network, and some enter via removable devices.

Forefront Endpoint Protection 2010 detects known and unknown threats with a high degree of accuracy and actively protects against network-level exploits. Administrators can enable real-time protection against the evolving threats by defining endpoint protection policies.

Simplified Management

In combination with Configuration Manager 2007, FEP provides a central location for you to create and apply malware protection policies on endpoints. This policy mechanism allows you to centrally control and manage malware-scanning properties, and it provides configurable protection on client computers such as:

• Scheduled scans
• Threat-handling settings
• Real-time protection
• Exclusion of files, folders, file types, and processes from scans
• Scans of removable drives and devices
• Overrides of recommended actions against threats

You can enable updates based on behavior monitoring through the cloud-based Dynamic Signature Service. This approach can make policy management a more efficient process that can save organizations time and resources. In the related section in this guide for this common usage scenario, you will evaluate the process of policy creation and centralized deployment on multiple endpoints.

Getting Started

The step-by-step instructions in the following sections show you how to distribute FEP to client computers, create and manage policies, configure FEP alerts, monitor FEP status, look at FEP reporting, and force a quick scan on specific computers.

To evaluate FEP, you can either use an FEP Pre-configured Virtual Environment on downloadable virtual machines pre-configured for evaluation, or FEP evaluation software that you can deploy in your own environment.

Forefront Endpoint Protection 2010 Evaluation Options

Using the pre-configured virtual environment (Business Ready Security demonstration environment): These Hyper-V-based virtual machines are pre-configured for an easy evaluation of FEP. If you are using the downloadable pre-configured virtual environment (Hyper-V), the FEP environment is already established on the server and client machines. Start with the section "Forefront Endpoint Protection 2010 Evaluation Scenarios for Configuring, Deploying and Using FEP 2010." To deploy the virtual evaluation environment, which is built on virtual hard drives, you will need at least one Windows Server 2008 R2 Standard system with Hyper-V enabled.

Note: Before you deploy the virtual environment lab or the evaluation software, refer to the System Requirements section in Appendix A and ensure that the server and client machines in your environment meet all requirements.

Pre-Configured Virtual Environment for FEP Evaluation Link: You can download the pre-configured virtual environment at: http://go.microsoft.com/fwlink/?LinkId=190269

Access the pre-configured virtual environment for evaluation: Before you can do the lab exercises, you must log on to the virtual machines. The user name and password are the same for all virtual machines:

User name: WoodgroveBank\Administrator
Password: password

This guide uses the pre-configured virtual environment to provide step-by-step guidance on common security tasks. The environment is pre-configured with the following virtual machines:

Using FEP evaluation software: If you choose to set up your own environment to evaluate FEP, you first need to set up the server and client machines. The prerequisite installations for this setup include:

• SQL Server® 2005 SP2 or 2008
• Configuration Manager 2007 R2 / R3
• Forefront Endpoint Protection 2010

For detailed installation steps and system requirements, refer to Appendix A. You can download FEP evaluation software at: http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx

After you install the software, go to the evaluation scenarios.

Summary

This chapter showed how customers use their existing client management infrastructure to deploy and manage FEP. It discussed the benefits and features of FEP and the reasons why organizations should make it a part of their infrastructure. It also gave an overview of the three common usage scenarios, which the subsequent sections of the guide cover in greater detail.

You can find an overview of the three evaluation scenarios in these sections:

• Common Usage Scenarios for FEP 2010: Describes the common usage scenarios for using FEP
• Getting Started with the evaluation scenarios: This helps users evaluate FEP

Chapter 2 provides more information about the ease of deployment and simplified management and covers the following topics:

• Deploying Forefront Endpoint Protection 2010: Step-by-step installation of FEP.
• Using Configuration Manager to Deploy FEP Clients: Step-by-step process to distribute and advertise the software to existing or new endpoints.
• Dashboard Reporting using Forefront Endpoint Protection 2010: The dashboard summarizes the overall health status of clients and provides detailed reports for particular computers.
• Policy Management using Forefront Endpoint Protection 2010: Defines the various configuration options of the FEP client that users can manage, such as policy customization, policy assignment, group policy configuration, the scan schedule, the location and frequency of definition updates, and scan exclusions.
• Performing Signature Updates on Forefront Endpoint Protection 2010 clients: Provide the latest updates to all endpoints from a central console and keep them protected from new threats.

CHAPTER 2: EASE OF DEPLOYMENT AND SIMPLIFIED MANAGEMENT

Forefront Endpoint Protection 2010 and Configuration Manager together provide the enterprise scalability to efficiently deploy enhanced security within large organizations.

• Forefront Endpoint Protection 2010 Installation: consists of downloading the package, verifying prerequisites, installing the FEP server, and validating the success of the installation.
• Deploy FEP: distribute the client and policies using Configuration Manager to multiple endpoints.
• Operationalized Security: centralized operations management through Configuration Manager across multiple client machines:
o Dashboard Monitoring: summarizes the overall health status of machines and provides detailed reports for particular computers.
o Policy Creation: create, configure, and assign FEP policies to endpoints.
o Signature Updates: enables administrators to provide the latest updates to all endpoints centrally and thus keep them protected against new threats.

In this chapter, you will evaluate the installation of FEP, FEP centralized client deployment using Configuration Manager 2007, and operations. This chapter will cover the following exercises:

Exercise                                        Illustrates
1. Deploying FEP                                Step-by-step installation of FEP
2. Using Configuration Manager to deploy        Centralized deployment of FEP from server to client machines.
   FEP clients
3. Operations                                   Description of the operations that can be performed with FEP
3.1. Operational status: Dashboard overview     Contents of Dashboard of Configuration Manager 2007
3.2. Policy management                          Step-by-step creation of FEP policies
3.3. Policy customization                       Advanced protection methods to customize policies and change granular settings
3.4. Policy assignment                          Assign FEP policies to a Configuration Manager collection
3.5. Using Group Policy for FEP                 Configure clients with FEP Group Policy objects, pre-configured policy templates, and the FEP Group Policy Tool
3.6. Signature updates                          Methods to provide signature updates to endpoints.

Deployment and Management Benefits

Simple installation process
• Installs on root site, deploys to hierarchy
• Automatically creates additional components (FEP distribution packages, DCM baselines)
• Creates new reporting database

Converged System Management
Simple Centralized Policy
• Use existing infrastructure
• No new servers
• Integrated console
• Supports Configuration Manager 2007 SP2/R2 and later

Page 18: Busca datos

Microsoft Forefront Endpoint Protection 2010 Evaluation Guide Page 18

If you are evaluating FEP with the pre-configured virtual environment, you will need

the following virtual machines:

Lab Environment

S.No. Machine Name Roles

1 Server 1 (Denver) DC – CA – AD FS, WSUS

2 Server 2 (Fargo) FEP Server and Configuration Manager

3 Client 1 (Chicago) Forefront Client Security (FCS) Client

4 Client 2 (Cairo) FEP

If you chose to use the pre-configured virtual environment to evaluate FEP, please

skip to Using Configuration Manager to Deploy FEP Clients

Exercise 1: Deploying Forefront Endpoint Protection 2010

To install FEP, you need to download FEP, verify prerequisites, which include SQL Server 2008 and Configuration Manager 2007, install the FEP server, and validate the success of the installation.

This section describes how to install FEP.

After you set up and install the pre-requisites, you can install FEP on the

Configuration Manager server.

1. Go to the location where you extracted the FEP server source files, and then double-click serversetup.exe to open the FEP server setup wizard.

2. Enter your Name and Organization.

NOTE:

This lab requires a server installed with

Configuration Manager 2007 and SQL

Server 2008. For system requirements

and prerequisite installation details,

you can refer to the following sections

of the Appendix:

APPENDIX: System Requirements

and Prerequisites

Deploying SQL Server

Deploying System Center

Configuration Manager 2007 R2

Deploying Windows Installer

version 3.1

Deploying WFP Rollup Package

Figure 1.1 Welcome screen.

Page 19: Busca datos

Microsoft Forefront Endpoint Protection 2010 Evaluation Guide Page 19

3. After accepting the license agreement, select one of four installation options:

- Basic topology: Install all infrastructure on a single server.
- Basic topology with remote reporting database: Install all FEP components except the remote reporting database. This option allows you to specify a different SQL Server for the FEP reporting database.
- Advanced topology: Customized option that lets you define the following FEP components to install in a distributed environment:
  o Configuration Manager Site Server FEP Extension
  o FEP Reporting and Alerts
  o Configuration Manager Console Extension for FEP
- Configuration Manager Console FEP 2010 Extension Only: Install FEP as an extension for the Configuration Manager console.

Based on the install options you choose, the prompts and content you see in the setup wizard may vary from the steps described here. The remaining steps assume that you selected the Advanced topology option with the Site Server, FEP Reporting and Alerts, and Configuration Manager Console Extension for FEP capabilities (see Figure 1.3).

- Extension of FEP for System Center: Integrating FEP with Configuration Manager occurs at multiple levels: software distribution, analysis, and security configuration through desired configuration management components. These extensions allow the creation of collections, packages for the distribution process, and the configuration objects and baselines used in desired configuration management.
- Forefront Endpoint Protection 2010 Reporting and Alerts: Installs the components for monitoring FEP on the local machine.
- Configuration Manager Console extension for FEP: Installs the FEP console extension in Configuration Manager for centralized management.

4. The wizard provides information to configure the FEP database, including Configuration Manager database computer, database instance, and Forefront Endpoint Protection 2010 database name (See Figure 1.4).

If you chose to build your own test environment, enter the information to reference your SQL Server installation.

5. Next, the wizard configures FEP to use Microsoft Update for automatic updates for Windows and other Microsoft products, including FEP (See Figure 1.5).

If you select Join the customer experience program, Microsoft will collect information about the system hardware and FEP usage, to enable further improvements.

Figure 1.2 Deployment options.

Figure 1.3 Advanced topology.

Figure 1.4 Database configuration.

Figure 1.5 Update and customer experience.


6. If you choose to join the Microsoft SpyNet community, you can automatically send and share information about detected software.

This information helps Microsoft create new definitions for improved protection, which can help your software better detect and notify you of potential malware. Basic Membership enables the Dynamic Signature Service to provide updates based on behavior monitoring without waiting for the regular signature update process (See Figure 1.6).

7. The Installation Location page allows you to specify the path and folder locations for Forefront files and data files. You can also use the Browse button to change the storage location of product files. This dialog also specifies disk space requirements (See Figure 1.7).

8. The final screen prior to setup is a pre-requisite check. The installer will verify that each of the pre-requisites listed in step 1 have been met. If a pre-requisite check fails, the installer will provide an explanation and remediation steps. Only when all pre-requisites have been met will setup continue (See Figure 1.8).

After you have met all the prerequisites to install FEP, the wizard displays a summary of wizard selections to configure, including general settings, updates, and FEP site extension (See Figure 1.9).

9. The FEP installation will configure antimalware support on the server automatically. You can use the configuration snap-in added to the Configuration Manager console to manage and monitor FEP.

Figure 1.6 SpyNet policy configuration.

Figure 1.7 Installation location.

Figure 1.8 Prerequisites verification.

Figure 1.9 Setup summary.

Figure 1.10 Installation complete.


Exercise 2: Using Configuration Manager to deploy FEP clients

Software deployment in a large network is generally a tedious process that requires a great deal of administrators' time and resources. Installing the software on individual client computers reduces productivity and increases the need for remote and centralized deployment. Using different infrastructures for security management and deployment makes the task more complex.

In this exercise, you will perform centralized deployment of FEP from a single server to selected endpoints (client machines). This section provides a step-by-step process to distribute and advertise the software to an existing or new collection of endpoints using the same process that is used in Configuration Manager.

If you are evaluating with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment

S.No.  Machine Name         Roles
1      Server 1 (Denver)    DC
2      Server 2 (Fargo)     FEP Server and Configuration Manager
3      Client 1 (Chicago)   Forefront Client Security (FCS) Client
4      Client 2 (Cairo)     FEP

The following step-by-step instructions use the pre-configured virtual environment and are configured on the virtual machine called Fargo (Server 2 in the table above).

To examine the integration between FEP Server and Configuration Manager:

1. On the Start menu, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console to open the Configuration Manager 2007 SP1 R2 console.

2. In the Configuration Manager Console, expand Site Database, expand Computer Management, and then expand Forefront Endpoint Protection.

The Forefront Endpoint Protection 2010 node contains subnodes for Policies, Alerts, and Reports. Notice that FEP Server integrates with the Configuration Manager console to manage FEP client policies, alerts, and reporting.

Key Deployment Benefits: Deploys effortlessly to multiple endpoints using existing Configuration Manager agents.

NOTE: Appendix A contains the System Requirements for Client computers.

Figure 2.1 Start menu.

Figure 2.2 Configuration Manager console.


3. Under Computer Management, expand Collections, and then expand Forefront Endpoint Protection 2010 collections.

Note that FEP Server maintains several collections of client computers.

To use the Software Distribution wizard to deploy FEP client software

1. In the Configuration Management console, in the left pane, under Collections, select All Systems. Server and client computers are listed in this collection.

2. In the middle pane, right-click a client to deploy, click Distribute, and then click Software to open the Distribute Software to Resource wizard.

Note: Instead of deploying the FEP client software to a single computer, you can also distribute FEP to all computers in a particular collection at once.

3. On the Welcome page, click Next.

Figure 2.3 Collections.

Figure 2.4 All systems.

Figure 2.5 Distribute software.

Figure 2.6 Welcome page.


4. On the Package page, ensure that Select an existing package is selected, and then click Browse.

This page also provides options to Create a new package from a definition file and to Create a new package and program without a definition file, which can be used to create new packages.

5. In the Select a Package dialog box, select the Microsoft Corporation Forefront Endpoint Protection 2010 - Deployment 1.0 package, and then click OK.

6. On the Package page, click Next.

7. On the Distribution Points page, select your default distribution point (Fargo, if you are using the virtual environment) and then click Next.

On this page, you can select distribution points based on where the clients will access the package. If the package was previously distributed, some distribution points will already be selected. If you cancel the selection of a distribution point, the package will be deleted from it.

Figure 2.7 Package page.

Figure 2.8 Select a Package dialog box.

Figure 2.9 Package page.

Figure 2.10 Distribution Points page.


8. On the Select Program page, select Install, and then click Next.

Note: You can also use the software distribution package to uninstall FEP clients.

9. On the Advertisement Target page, select Advertise this program to an existing collection that contains this resource, and then click Next.

Note: This page also provides you the option to Advertise this program to an existing collection that contains this resource and then select the collection to send the advertisement.

10. On the Advertisement Name page, in the Name box, type FEP – Deployment – Install to All Systems.

The name of the new advertisement will start with Forefront FEP – Deployment – Install to All Systems.

11. On the Advertisement Subcollection page, select Advertise the program to members of the collection and its subcollections, and then click Next.

Note: This page also provides you the option to Advertise the program only to members of the specified collection.

Figure 2.11 Select Program page.

Figure 2.12 Advertisement Target page.

Figure 2.13 Advertisement Name page.

Figure 2.14 Advertisement Subcollection page.


12. On the Advertisement Schedule page, click Next.

13. On the Assign Program page, select Yes, assign the program, select Ignore

maintenance windows, and then click Next.

14. On the Summary page, click Next.

15. On the Wizard Completed page, click Close.

Figure 2.15 Advertisement Schedule page.

Figure 2.16 Assign Program page.

Figure 2.17 Summary page.

Figure 2.18 Wizard Completed page.


To examine the FEP deployment

1. In the Configuration Manager Console, in the left pane, expand System Status, expand Advertisement Status, and then select the Forefront Endpoint Protection 2010 - Deployment advertisement.

In the middle pane, notice that the related program from this advertisement has successfully started.

2. In the left pane, under Computer Management, select Forefront Endpoint Protection.

3. In the Actions page, click Update Forefront Endpoint Protection 2010 Collections membership.

4. Click OK to confirm that you want to update the membership of the FEP collections.

In the middle pane, notice that FEP is now deployed on the client machines.

5. After the distribution is successfully completed, the FEP client will be installed on the endpoint. The time needed for successful deployment depends on the Configuration Manager client settings. After successful installation, you can see the FEP icon in the task bar (see Figure 2.22).

Note: When you install the FEP client package, it will automatically uninstall existing antimalware clients, including:

- Forefront Client Security version 1, including the Operations Manager agent
- Symantec Endpoint Protection version 11
- TrendMicro OfficeScan version 8.0 and version 10.0
- McAfee VirusScan Enterprise version 8.5 and version 8.7
- Symantec Endpoint Protection Small Business Edition version 12
- Symantec Corporate Edition version 10

Figure 2.19 Deployment status.

Figure 2.20 Actions page.

Figure 2.21 Update FEP Collections membership.

Figure 2.22 FEP icon.


Exercise 3: Operations

This exercise will help you evaluate ease of operations while managing endpoint security with FEP. Operations include viewing client health status on the Dashboard, centralized policy creation, and configuration of signature updates for multiple clients.

This exercise covers the following sub-exercises:

Exercise                                      Illustrates
3.1. Operational status: Dashboard overview   Contents of the Dashboard in Configuration Manager 2007
3.2. Policy management                        Step-by-step creation of an FEP policy
3.3. Policy customization                     Once the policy is created from the template, FEP offers
                                              flexibility to customize it further. Administrators can open
                                              the properties of the policy and customize it; for example,
                                              they can define a CPU threshold for scans (a new feature)
                                              and many other granular settings.
3.4. Policy assignment                        Assign the FEP policy to a Configuration Manager collection
3.5. Using Group Policy for FEP               Configure clients by using Forefront Endpoint Protection
                                              GPOs, pre-configured policy templates, and the Forefront
                                              Endpoint Protection Group Policy Tool
3.6. Signature updates                        Methods to provide signature updates to endpoints.

If you are using the pre-configured virtual environment to evaluate FEP, you will need the following virtual machines:

Lab Environment

S.No.  Machine Name         Roles
1      Server 1 (Denver)    DC – CA – AD FS, WSUS
2      Server 2 (Fargo)     FEP Server and Configuration Manager
3      Client 1 (Chicago)   Forefront Client Security (FCS) Client
4      Client 2 (Cairo)     FEP

The following step-by-step instructions use the pre-configured virtual environment, and the steps are configured on the server machine named Fargo (Server 2) and the FEP Client machine named Cairo (Client 2).


Exercise 3.1 Operational status: Dashboard overview

The Dashboard summarizes the overall health status of clients and provides detailed reports for specific clients.

To open the Dashboard, in the Configuration Manager Console under Computer Management, click Forefront Endpoint Protection 2010.

The Dashboard has several sections and sub-sections:

- Operational Statistics: These are statistics based on the operations performed by FEP on the system and they consist of:
  o Client Deployment Status: An account of the number of clients targeted and not targeted by FEP and the number of successful, pending, or failed deployments. The graph shown represents these statistics.
  o Malware Activity Status: The status of malware activity on the clients scanned and any required action to be taken.
    - Active Malware indicates the presence of malware content in the client machines indicated by the numbered link.
    - Restart required shows that the client machines indicated by the numbered link need to be restarted.
    - Full scan required indicates the client machines that need a full system scan.
    - Malware cleaned (Last 24 hours) shows all the malware removed from client machines in the past 24 hours.
  o Definition Status: Information about definition updates on client machines. The definition update information is categorized as:
    - Older than 1 week
    - Up to 7 days old
    - Up to 3 days old
    - Up to date
  o Policy Distribution Status: The distribution status of the FEP policy deployed to clients in terms of:
    - Distribution failed
    - Distribution in progress
    - Policy Distributed
  o Forefront Endpoint Protection Baselines: These include the following baselines:
    - FEP – Standard Desktop
    - FEP – High Security
    - FEP – Optimized Desktop
    - FEP – Laptop
  o Links and Resources: Links to reports, policy management, alert configuration, and resources for more information.

Figure 3.1 Configuration Manager Console.
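The Definition Status categories above are the kind of health check an administrator wants to reproduce from their own client inventory, for instance to confirm the Dashboard figures or to list exactly which machines fall into the "Older than 1 week" bucket. The following PowerShell is an added example, not code from the Evaluation Guide or from Microsoft. It assumes that "Up to date" means definitions no more than one day old (the page does not state that boundary); the 3-day and 7-day boundaries follow the categories listed on this page. The client inventory is constructed inline.

```powershell
# Added example (not part of the Evaluation Guide): bucket FEP clients by the
# age of their antimalware definitions using the Dashboard's Definition Status
# categories. Assumption: "Up to date" = definitions at most 1 day old.

function Get-DefinitionStatusBucket {
    param(
        [Parameter(Mandatory = $true)][datetime]$DefinitionDate,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = ($Now - $DefinitionDate).TotalDays
    if ($ageDays -le 1) { return 'Up to date' }        # assumed 1-day boundary
    if ($ageDays -le 3) { return 'Up to 3 days old' }  # from the Dashboard categories
    if ($ageDays -le 7) { return 'Up to 7 days old' }
    return 'Older than 1 week'
}

# Constructed sample inventory: one row per FEP client, with the timestamp of
# the definitions it currently runs. A fixed "now" keeps the output repeatable.
$now = [datetime]'2010-12-01T08:00:00'
$clients = @(
    [pscustomobject]@{ Name = 'CLIENT01'; DefinitionDate = $now.AddHours(-6) }
    [pscustomobject]@{ Name = 'CLIENT02'; DefinitionDate = $now.AddDays(-2)  }
    [pscustomobject]@{ Name = 'CLIENT03'; DefinitionDate = $now.AddDays(-5)  }
    [pscustomobject]@{ Name = 'CLIENT04'; DefinitionDate = $now.AddDays(-12) }
    [pscustomobject]@{ Name = 'CLIENT05'; DefinitionDate = $now.AddDays(-8)  }
)

# Per-client view with the computed bucket.
$summary = $clients | Select-Object Name, DefinitionDate,
    @{ Name = 'Status'; Expression = { Get-DefinitionStatusBucket -DefinitionDate $_.DefinitionDate -Now $now } }
$summary | Format-Table -AutoSize

# Dashboard-style counts per bucket, oldest first so stale clients stand out.
$order = 'Older than 1 week', 'Up to 7 days old', 'Up to 3 days old', 'Up to date'
$summary | Group-Object Status |
    Sort-Object { $order.IndexOf($_.Name) } |
    Select-Object @{ Name = 'Definition status'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# The machines an administrator would follow up on: they have not received
# definitions through any of the configured update sources in over a week.
$stale = $summary | Where-Object { $_.Status -eq 'Older than 1 week' }
"Clients needing attention: $(($stale | ForEach-Object { $_.Name }) -join ', ')"
```

With the constructed data, CLIENT04 and CLIENT05 land in "Older than 1 week". In a real environment the Name and DefinitionDate columns would come from your inventory or reporting source; the bucketing logic itself does not change.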


Exercise 3.2: Policy management

Forefront Endpoint Protection 2010 policy settings define the configuration options of the FEP client and the desktop firewall that you can manage, such as the scan schedule, the location and frequency of definition updates, and scan exclusions. Forefront Endpoint Protection 2010 policy settings that you specify are contained in an FEP policy object. Policies only affect FEP clients after you assign them to a Configuration Manager collection.

This section describes how to create a new FEP policy.

To create a new FEP policy

1. On the server, in the Configuration Manager console, in the left pane, under Computer Management, expand Forefront Endpoint Protection, and then select Policies.

Note: Forefront Endpoint Protection 2010 policy settings define various configuration options of the FEP client that an administrator can manage.

You can associate an FEP policy with multiple collections, and you can associate multiple policies with a single collection. Policies are applied in order of precedence.

2. In the Actions pane, click New Policy to open the New Policy wizard.

3. On the General page, in the Policy name box, type Forefront Endpoint Protection 2010 Desktop policy, and then click Next.

Figure 3.2 FEP Policies page.

Figure 3.3 New Policy wizard.

Figure 3.4 General page.


4. On the Policy Type page, select High Security policy, and then click Next.

Note: You can choose other templates based on client requirements.

For example, the High-security policy enables maximum security settings for antimalware and desktop firewall, and the Performance-optimized policy maximizes performance and enables baseline protections.

You can also choose to load one of 16 pre-configured templates that provide optimized security settings based on the server role.

5. On the Scheduled Scans page, under Weekly scan, in the Day box select Sunday, in the Hour box select 3:00 AM, and then click Next.

6. On the Scan Exclusions page, click Next.

7. On the Updates page, click Next. This page provides options for you to select locations from which clients can receive definition updates.

By default, the selected options are:

Enable updates from Configuration Manager or WSUS

Enable updates from Microsoft Update

This page also allows you to enable updates from specified file locations.

Note that FEP clients can obtain antimalware signature updates from four sources (in order): Configuration Manager, WSUS, Microsoft Update Web site, and UNC file share.

Figure 3.5 Policy Type page.

Figure 3.6 Scheduled Scans page.

Figure 3.7 Scan Exclusions page.

Figure 3.8 Updates page.


8. On the Client Configuration Options page, select Real-time protection, and then click Next.

With this setting, users can configure the scheduled scan time and can choose to receive notification when malware is detected.

9. On the Summary page, click Next.

10. On the Wizard Completed page, click Close.

Figure 3.9 Client Configuration Options page.

Figure 3.10 Summary page.

Figure 3.11 Wizard Completed page.


Exercise 3.3: Policy customization

After you create the policy from the template, FEP offers flexibility to customize it. Administrators can open the properties of the policy and customize the policy and many other settings.

Defining CPU Usage for Scans

Administrators can limit the processor usage during the scans to different percentages.

1. Open the FEP Console and click Policies.

2. Select the newly created policy, right-click the policy, and select Properties.

3. Click the Antimalware tab and select Limit processor usage during scans to the following percentage to define the percentage of processor usage (see Figure 3.13). Users on endpoint computers can configure CPU usage limits for scans.

Figure 3.12 Policy > Properties.

Figure 3.13 Limit processor usage.


Exporting a Policy

Administrators have the option to export policies, which can be used to create a backup or to configure clients that are not managed by Configuration Manager.

1. Open the FEP Console and click Policies.

2. Select your policy, right-click the policy, and then click Export Policy.

3. Save the policy XML file to the desired location on the system.

Figure 3.14 Export policy.

Figure 3.15 Save the policy XML.


Policy Precedence

Policies that have a higher precedence override settings that are defined in policies lower in the precedence order. FEP lets you select any policy and adjust its precedence order. Multiple policies can be applied to the same machine, but the policy with the highest precedence takes priority.

1. Open the FEP Console and click Policies.

2. Select your policy and, in the Actions pane, click Policy Precedence.

3. Define the precedence for the policies by moving the policies up and down using the buttons available.

4. When you are finished, click OK.

Figure 3.16 Policy precedence.

Figure 3.17 Edit policy precedence.


Advanced Protection Methods

Dynamic Signature Service (Microsoft SpyNet)

Microsoft SpyNet service enables users to join an online community that helps them choose how to respond to potential threats and helps stop the spread of new infections. Users can choose to send basic or advanced information about detected software. Additional information helps Microsoft create new definitions to better protect users' machines. This service is also used to provide dynamic updates to the endpoints based on behavior-monitoring detections.

1. Click Start, click All programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.

2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Policies.

Figure 3.18 Click ConfigMgr Console.

Figure 3.19 Computer Management > FEP > Policies.


3. Double-click Default FEP policy.

4. Click the Antimalware tab and in the list on the left side of the dialog box, select Microsoft SpyNet.

5. Select Join Microsoft SpyNet, and then select either Basic membership or Advanced membership. The screenshot in this example shows the Basic membership selected.

6. Select Allow users on endpoint computers to change SpyNet settings.

7. Click Apply and then click OK.

Figure 3.20 Property Dialog Box > Antimalware > Microsoft SpyNet.

Figure 3.21 Join Microsoft SpyNet.

Firewall Management

You can centrally enable Windows Firewall on client machines to protect them. Windows Firewall protects client machines from dangerous attacks and helps prevent resource theft and misuse.

1. Click Start, click All programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.

Figure 3.22 Click ConfigMgr Console.


2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Policies.

In the middle pane, you can see two new default policies: Default Server Policy and Default Desktop Policy.

3. Double-click Default Server policy to open the Default Forefront Endpoint Protection Policy Properties dialog box.

4. Click the Windows Firewall tab.

5. Select Enable Host Firewall protection.

You can configure Windows Firewall settings for:

- Domain Networks - Domain network settings are the settings for workplace networks that are attached to a domain.
- Private Networks - Private network settings are the settings for the networks at home or work where the user knows and trusts the people and devices on the network.
- Public Networks - Public network settings are the settings for networks in public places such as airports and coffee shops.

For any of these network types, you can adjust settings and preferences for:

- Firewall state (On/Off) – On is recommended
- Incoming Connections (Block Default/Allow/Block all) – Block Default is recommended
- Notification Display (Yes/No)

Block All blocks all unsolicited attempts to connect to your machine. Use this setting when you need maximum protection, such as when you connect to a public network, or when a computer worm is spreading over the Internet. With this setting, Windows Firewall does not notify you if it blocks programs, and it ignores programs in the list of allowed programs. You can still view most webpages, send and receive email, and send and receive instant messages.

Block Default blocks the connections defined by policies applied in the organization. Everything else will pass through Windows Firewall.

Figure 3.23 FEP > Policies > Default Server Policy.

Figure 3.24 Windows Firewall tab.

Figure 3.25 Enable Host Firewall Protection.


Restore Point

System Restore is a component of the Windows operating system that allows you to roll back system files, registry keys, and installed programs to a previous state in the event of system malfunction or failure.

A restore point is a saved snapshot of a machine's data at a specific time. By creating a restore point, you can save the state of the operating system and your own data so that if future changes cause a problem, you can restore the system and your data to its state before the changes occurred.

1. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Policies.

2. Double-click Default FEP policy to open the Default Forefront Endpoint Protection Policy Properties dialog box.

3. Click the Antimalware tab and in the list on the left select Additional Settings.

4. Select Create a system restore point before cleaning computers.

5. Click Apply and then click OK.

Figure 3.26 Computer Management > FEP > Policies.

Figure 3.27 Antimalware > Additional Settings.

Figure 3.28 Create a Restore Point.


Exercise 3.4: Policy assignment

To assign FEP policies to clients, you first assign them to a Configuration Manager collection. You can assign a policy to more than one collection if needed, and you can assign more than one policy to a collection. When an FEP client has more than one policy assigned to it, the FEP client applies the policy with the highest precedence.

To assign a policy to a collection

1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Policies.

2. Right-click the policy that you want to assign, and then click Assign Policy.

Note: You cannot assign the Default Server Policy or the Default Desktop Policy.

3. In the Add/Remove Collection dialog box, click Add.

4. In the Browse Collection dialog box, select the collection to which you want to assign the policy, and then click OK.

If you need to assign this policy to multiple collections, in the Add/Remove Collection dialog box, for each collection, click Add and repeat this step.

5. In the Add/Remove Collection dialog box, click OK.

To monitor FEP policy deployment

1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and click Forefront Endpoint Protection 2010.

2. View the Policy Distribution Status section of the Operational Statistics on the Forefront Endpoint Protection dashboard. You might need to refresh the page to get the latest information.

3. In the Links and Resources pane, under Web Reports, click Policy Distribution Overview for policy deployment information from the collection level down to the computer level.

Note: The FEP reports and FEP Dashboard statistics include only those machines running the FEP client software and the Configuration Manager agent.

Figure 3.29 Assign Policy.

Figure 3.30 Adding Collection.

Figure 3.31 Policy Distribution status.


Exercise 3.5: Using Group Policy for FEP

Users can configure FEP client settings by using Active Directory Group Policy and Group Policy objects (GPOs). The following procedures will show you how to configure clients by using FEP GPOs, pre-configured policy templates, and the FEP Group Policy Tool.

Exercise 3.5.1: Converting FEP policies to Group Policy

You can convert policy settings contained in configured FEP policies to the format that is used by Group Policy. In order to convert policies, you must first download and install the FEP Group Policy Tool. This tool is available in the Microsoft Download Center as part of the FEP Group Policy Tools download package. The package also contains ADMX and ADML files. Although these files are not required to use the FEP Group Policy Tool, they are required in order to view or edit GPO policy settings.

To extract and install the FEP Group Policy Tool

1. Obtain the Forefront Endpoint Protection Group Policy Tool from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=205492) and copy it to your machine.

2. Double-click fep2010grouppolicytools.exe and extract the files from the package.

The Forefront Endpoint Protection Group Policy Tools package includes the following files:

- fep2010.adml
- fep2010.admx
- fep2010gptool.exe

3. Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool.

Figure 3.32 Extract Group Policy Tool.


To convert FEP policy settings to Group Policy

1. Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool.

2. Select the Domain and the name of the Group Policy object in that domain that you want to populate with pre-configured FEP policy settings.

3. Click Select Policy File. Locate and select the XML policy file that contains the settings that you want to import to the Group Policy object.

4. Select Clear existing Forefront Endpoint Protection settings, and then click OK to import the settings. You can then edit and view the policy settings by using gpedit.msc.

Warning: Selecting Clear existing Forefront Endpoint Protection settings will remove all FEP settings contained in the selected Group Policy object and replace them with the imported FEP policy settings. Only select this item if you want to clear all of the existing FEP policy settings from the Group Policy object.

To add ADMX and ADML files locally in order to view or edit policy settings

1. Navigate to the location where you extracted the ADMX and ADML files in the previous procedure.

2. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.

3. Copy the ADML file to the %systemroot%\PolicyDefinitions\ language folder. For example, en-US.

Note: You must restart the Group Policy Object Editor after performing the preceding steps.
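The three copy steps above are easy to get wrong on several machines (ADML in the wrong folder, a missing language folder, or a stale copy that the editor silently keeps using). The PowerShell below is an added example, not code from the Evaluation Guide or from Microsoft, that performs the same procedure and verifies the result. The file names fep2010.admx and fep2010.adml and the %systemroot%\PolicyDefinitions location come from this page; the source folder path and the en-US language folder are assumptions, matching the page's example.

```powershell
# Added example (not part of the Evaluation Guide): install the FEP 2010 ADMX and
# ADML files into the local PolicyDefinitions store, following the procedure
# on this page. Assumptions: $SourceFolder is where fep2010grouppolicytools.exe
# was extracted; the ADML language folder is en-US.

function Install-FepPolicyDefinitions {
    param(
        [Parameter(Mandatory = $true)][string]$SourceFolder,
        [string]$Language = 'en-US',
        [string]$PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions')
    )

    # Step 1: locate the extracted files and fail early if either is missing.
    $admx = Join-Path $SourceFolder 'fep2010.admx'
    $adml = Join-Path $SourceFolder 'fep2010.adml'
    foreach ($file in $admx, $adml) {
        if (-not (Test-Path -LiteralPath $file)) {
            throw "Expected file not found: $file (extract fep2010grouppolicytools.exe first)"
        }
    }

    # The language folder normally exists on an installed Windows system; create it if not,
    # because an ADML copied anywhere else is ignored by the Group Policy Object Editor.
    $langFolder = Join-Path $PolicyDefinitions $Language
    if (-not (Test-Path -LiteralPath $langFolder)) {
        New-Item -ItemType Directory -Path $langFolder | Out-Null
    }

    # Step 2: the ADMX goes into PolicyDefinitions itself.
    Copy-Item -LiteralPath $admx -Destination $PolicyDefinitions -Force
    # Step 3: the ADML goes into the language subfolder (en-US by default).
    Copy-Item -LiteralPath $adml -Destination $langFolder -Force

    # Verify both copies landed where the editor looks for them and report the paths.
    $installed = [ordered]@{
        Admx = Join-Path $PolicyDefinitions 'fep2010.admx'
        Adml = Join-Path $langFolder 'fep2010.adml'
    }
    foreach ($key in @($installed.Keys)) {
        if (-not (Test-Path -LiteralPath $installed[$key])) {
            throw "Copy failed: $($installed[$key])"
        }
    }
    [pscustomobject]$installed
}

# Usage (run from an elevated PowerShell session; writing under %SystemRoot% requires
# administrative rights). The folder below is a placeholder for your extraction path.
Install-FepPolicyDefinitions -SourceFolder 'C:\Temp\FEP2010GPTools'
# Then close and reopen the Group Policy Object Editor, as the note above says.
```

Two caveats worth knowing before running it: the function overwrites any existing fep2010.admx/fep2010.adml with -Force, which is what you want when refreshing templates but not if someone has customized them locally; and if your domain uses a Group Policy Central Store (the PolicyDefinitions folder under SYSVOL), the files belong there instead of in the local store, otherwise only this one machine's editor will show the FEP settings.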

Figure 3.33 FEP Group Policy Tool.

Figure 3.34 Copying an ADMX file.

Figure 3.35 Copying the ADML file.


You can merge policy settings from one or more FEP policies into a single GPO. This is helpful when you have settings contained in multiple FEP policies and you would like to combine those policy settings and use Group Policy to configure clients. In order to merge FEP policies into a single GPO, you must use the FEP Group Policy Tool.

Warning: When you merge multiple policies to a single GPO, the order in which you merge the policies will affect the outcome of the effective policy. For example, if you merge three policies that contain conflicting settings for a particular feature, the settings in the last policy that you merge will overwrite any conflicting settings that are already merged or contained in the GPO.

To merge FEP policy settings to a GPO:

1. Double-click fep2010gptool.exe to open the FEP Group Policy Tool.

2. Select the Domain and the name of the GPO in that domain that you want to populate with pre-configured FEP policy settings.

3. Click Select Policy File. Locate and select the XML policy file that contains the settings that you want to import into the GPO.

If this is the first policy that you are merging and there are no FEP policy settings that you want to retain that already exist in the selected GPO, select Clear existing Forefront Endpoint Protection settings.

When you select this option, it clears all FEP policy settings in the target GPO. Clearing the previous policy settings ensures that only the FEP settings that are contained in this policy will be present in the target GPO settings.

However, if this is not the first policy that you have merged to the selected GPO and you want to retain existing previous settings contained in that GPO, verify that the check box is not selected. Selecting the check box will clear any previously configured FEP policy settings that are contained in that GPO. Click Apply to merge the policy settings to the GPO.

Note: Merging policy settings by using the FEP Group Policy Tool does not affect the source FEP policy file.

4. To merge additional settings contained in FEP policies into the selected GPO, repeat the previous step.
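Because the last policy merged wins every conflict, it helps to see the conflicts before running the tool. The following PowerShell is an added example and is not part of the evaluation guide or of the FEP Group Policy Tool: it walks each policy XML, records every leaf element value by its element path, and reports which policy's value ends up in the GPO for each setting more than one policy defines. The guide does not show the real FEP policy schema, so the three sample policies and their element names are constructed for this example; the functions only assume well-formed XML.

```powershell
# Added example (not from the evaluation guide or the FEP Group Policy Tool).
# Previews the "last policy merged wins" rule over a set of policy XML files.

function Get-XmlLeafValues {
    # Returns a hashtable of element path -> text for every element without child elements.
    param([System.Xml.XmlNode]$Node, [string]$Path = '')
    $result = @{}
    foreach ($child in $Node.ChildNodes) {
        if ($child.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $childPath = "$Path/$($child.Name)"
        $hasElementChild = $false
        foreach ($grand in $child.ChildNodes) {
            if ($grand.NodeType -eq [System.Xml.XmlNodeType]::Element) { $hasElementChild = $true; break }
        }
        if ($hasElementChild) {
            $sub = Get-XmlLeafValues -Node $child -Path $childPath
            foreach ($k in $sub.Keys) { $result[$k] = $sub[$k] }
        } else {
            $result[$childPath] = $child.InnerText.Trim()
        }
    }
    return $result
}

function Get-FepMergePreview {
    # $Policies: ordered list of @{ Name = ...; Xml = ... }, in the order you will merge them.
    param([object[]]$Policies)
    $effective = @{}   # path -> @{ Value; Source }: what the GPO would hold after the merge
    $conflicts = @()
    foreach ($policy in $Policies) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.LoadXml($policy.Xml)
        $leaves = Get-XmlLeafValues -Node $doc.DocumentElement
        foreach ($path in $leaves.Keys) {
            $value = $leaves[$path]
            if ($effective.ContainsKey($path) -and $effective[$path].Value -ne $value) {
                # A later policy overwrites an earlier value: this is what the guide's warning describes.
                $conflicts += New-Object PSObject -Property @{
                    Setting     = $path
                    Overwritten = "$($effective[$path].Source)=$($effective[$path].Value)"
                    WinsWith    = "$($policy.Name)=$value"
                }
            }
            $effective[$path] = @{ Value = $value; Source = $policy.Name }
        }
    }
    return New-Object PSObject -Property @{ Effective = $effective; Conflicts = $conflicts }
}

# Constructed sample policies (hypothetical element names, not real FEP policy files), in merge order.
$desktopPolicy = @{ Name = 'Desktops'; Xml = @'
<FepPolicy><Scan><ScheduledScanType>Quick</ScheduledScanType><LimitCpu>50</LimitCpu></Scan>
<Updates><CheckForUpdatesHours>8</CheckForUpdatesHours></Updates></FepPolicy>
'@ }
$serverPolicy = @{ Name = 'Servers'; Xml = @'
<FepPolicy><Scan><ScheduledScanType>Full</ScheduledScanType><ScanArchives>true</ScanArchives></Scan></FepPolicy>
'@ }
$lockdownPolicy = @{ Name = 'Lockdown'; Xml = @'
<FepPolicy><Scan><LimitCpu>20</LimitCpu></Scan><Updates><CheckForUpdatesHours>4</CheckForUpdatesHours></Updates></FepPolicy>
'@ }

$preview = Get-FepMergePreview -Policies @($desktopPolicy, $serverPolicy, $lockdownPolicy)
$preview.Conflicts | Format-Table Setting, Overwritten, WinsWith -AutoSize
```

Reordering the list passed to Get-FepMergePreview changes the WinsWith column, which is exactly the effect the warning above describes; run the order you intend to use in the tool.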

Exercise 3.5.2: Merging policies

Figure 3.36 Merging FEP policy settings.


You can view and configure Forefront Endpoint Protection settings by using the Group Policy Object Editor. Each policy setting contains parameter information specific to the feature that you want to configure. Typically you will access the Group Policy Object Editor by selecting a Group Policy object (GPO) from within the Group Policy Management Console (GPMC), and then selecting the edit action for that object.

To view FEP Group Policy settings

1. Open the Group Policy Object Editor and go to Local Computer Policy\Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010.

2. Expand Forefront Endpoint Protection 2010 and click the folder that contains the settings that you want to view.

For more information about each policy setting, in the right pane, double-click the setting that you want to view to open the configuration dialog box and view the additional policy setting information.

To edit FEP GPO settings

1. Open Group Policy Management.

2. In the console tree, double-click Group Policy Objects in the forest and domain containing the GPO that you want to edit.

3. Right-click the GPO, and then click Edit.

Note: You must have edit permissions for the GPO that you want to edit.

4. In the Group Policy Object Editor console, expand Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010 and click the folder that contains the settings that you want to configure. In the right pane, double-click the setting that you want to configure in order to open the configuration dialog box.

5. Configure the settings that you want to deploy to clients, and then click OK.

6. Deploy the policy settings to clients.

Exercise 3.5.3: Configuring and viewing policies


The Updates section allows you to configure how the FEP clients check for definition updates. This enables you to provide the latest updates to all endpoints centrally and protect them from new threats.

Note: If you are evaluating FEP in your own environment, you need to complete the following prerequisites before proceeding to the next steps:

Install WSUS 3.0: Before you can successfully install and configure a software update point on a site system server in Configuration Manager 2007, you must install WSUS 3.0 on the server.

Install WSUS 3.0 Administration Console: You need to install the WSUS 3.0 Administration Console on the Configuration Manager 2007 site server to allow the site server and remote Configuration Manager consoles to configure and synchronize software updates.

Create and configure an active Software Update Point: The software update point in Configuration Manager 2007 is a required component of software updates and is installed as a site system role in the Configuration Manager console. You must create the software update point site system role on a site system server that has WSUS 3.0 installed.

You can find more information on configuring the Software Update Point here: http://technet.microsoft.com/en-us/library/bb633119.aspx

The above settings are already completed in the pre-configured virtual environment on the server machines named Denver (Server 1-WSUS) and Fargo (Server 2-FEP/ConfigMgr server).

The following step-by-step instructions use the pre-configured virtual environment and the steps are configured on the server machines named Denver (Server 1) and Fargo (Server 2).

Software Updates and Windows Server Update Services

When you configure FEP or the FEP Security Management Pack deployment for WSUS-based definition updates, you must perform the following tasks:

Configure either the Software Updates area of Configuration Manager or your WSUS server to synchronize both updates and definition updates.

Approve the FEP definitions in the WSUS Administration console.

Exercise 3.6: Signature updates


To synchronize updates and approve FEP definitions in Software Updates in Configuration Manager (in the virtual evaluation environment, this is the virtual machine named Fargo)

1. In the Configuration Manager Console, expand Site Management, expand the site name, expand Site Settings, and then click Component Configuration.

2. In the middle pane, right-click Software Update Point Component, and then click Properties.

3. On the Classifications tab, select Definition Updates and Updates.

4. On the Products tab, select Forefront Endpoint Protection 2010, and then click OK.

Figure 3.37 Component Configuration page.

Figure 3.38 Classifications tab.

Figure 3.39 Products tab.


To synchronize updates and approve FEP definitions in WSUS

1. Using an account that has local administrator user rights, log on to the machine running WSUS (in the virtual evaluation environment, this is the virtual machine named Denver).

2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

3. In the WSUS Administration console, in the tree, expand Computers, click Options, and then click Products and Classifications.

4. In the Products and Classifications dialog box, on the Products tab, select Forefront Endpoint Protection 2010.

5. On the Classifications tab, select Definition Updates and Updates, and then click OK.

Approving Updates

Updates for the FEP client must be approved before those updates are offered to clients requesting the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. Updates will only be offered to clients after they are approved for installation and after the WSUS server has completed the binary download.

To approve definitions and updates in WSUS

1. Using an account that has local administrator user rights, log on to the computer running WSUS.

2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

3. In the WSUS Administration console, click Updates, and then click All Updates or the classification of updates you want to approve.

4. On the list of updates, right-click the update or updates you want to approve for installation, and then click Approve.

5. In the Approve Updates dialog box, click the arrow next to the group for which you want to approve the updates, and then click Approved for Install.

Note: You can also set an Automatic Approval rule for definition updates and FEP updates, which configures WSUS to automatically approve for installation any definition updates or FEP updates downloaded by WSUS.

Figure 3.40 Product and Classifications.

Figure 3.41 Forefront Endpoint Protection 2010.

Figure 3.42 Approve all pending updates.


To configure an automatic approval rule

1. In the WSUS Administration console, click Options, and then click Automatic Approvals.

2. On the Update Rules tab, click New Rule.

3. In the Add Rule dialog box, under Step 1: Select properties, select When an update is in a specific product.

4. Under Step 2: Edit the properties, click any product.

5. Clear all selections except Forefront Endpoint Protection, and then click OK.

6. In the Step 3: Specify a name box, enter a name for the Forefront Endpoint Protection Definition Updates rule, and then click OK.

7. In the Automatic Approvals dialog box, select the newly created Forefront Endpoint Protection Definition Updates rule and then click Run rule.
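The same approval that the console procedures above perform by hand, and that an automatic approval rule performs on a schedule, can be scripted against the WSUS administration API that the WSUS 3.0 Administration Console installs. The following PowerShell is an added example, not part of the evaluation guide: it finds every unapproved Forefront Endpoint Protection 2010 update in the Definition Updates and Updates classifications, skips declined and superseded ones, and approves the rest for install to one target group. It assumes it runs on the WSUS server (Denver in the lab) under a WSUS administrator account; the server name, port and group name are constructed defaults.

```powershell
# Added example (not from the evaluation guide): approve pending FEP 2010
# definition updates through the WSUS administration API.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Approve-FepUpdates {
    param(
        [string]$WsusServer = 'Denver',        # constructed default: the lab WSUS server
        [int]$Port = 80,
        [bool]$UseSsl = $false,
        [string]$TargetGroupName = 'All Computers',
        [switch]$WhatIf                        # report what would be approved without changing WSUS
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

    # Product and classification titles exactly as they appear in the
    # Products and Classifications dialog of the WSUS console.
    $product = $wsus.GetUpdateCategories() | Where-Object { $_.Title -eq 'Forefront Endpoint Protection 2010' }
    if (-not $product) { throw 'Forefront Endpoint Protection 2010 is not a synchronized product on this server.' }
    $wanted = @('Definition Updates', 'Updates')
    $classifications = $wsus.GetUpdateClassifications() | Where-Object { $wanted -contains $_.Title }

    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) { throw "Target group '$TargetGroupName' does not exist." }

    # Scope the query to FEP updates in the two classifications that are not yet approved.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    [void]$scope.Categories.Add($product)
    foreach ($c in $classifications) { [void]$scope.Classifications.Add($c) }
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved

    $results = @()
    foreach ($update in $wsus.GetUpdates($scope)) {
        $action = 'Approved'
        if ($update.IsDeclined) {
            $action = 'Skipped (declined)'
        } elseif ($update.IsSuperseded) {
            # A superseded definition is older than one already on the server; do not push it out.
            $action = 'Skipped (superseded)'
        } elseif ($WhatIf) {
            $action = 'Would approve'
        } else {
            if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
            [void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
        }
        $results += New-Object PSObject -Property @{
            Title  = $update.Title
            Action = $action
            # Clients are only offered an approved update once WSUS has finished downloading its files,
            # so the server-side state is worth showing next to the approval decision.
            State  = $update.State
        }
    }
    return $results
}

# Dry run first; drop -WhatIf to apply the approvals.
Approve-FepUpdates -WhatIf | Format-Table Action, State, Title -AutoSize
```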

Figure 3.43 Automatic approvals.

Figure 3.44 New rule.

Figure 3.45 Forefront Endpoint Protection 2010.


Microsoft Updates Definition Updates

You use the Microsoft Update definition update option to keep definitions on mobile clients up-to-date when they are not connected to the corporate network.

The Microsoft Update definition update option works in the same way as a normal Microsoft Update request. If configured, the FEP client will query Microsoft Update for new definitions per the frequency configured in the FEP policy.

You can configure clients to check for definition updates by setting a policy option.

To configure clients to check Microsoft Update

1. When you create an FEP policy, on the Updates page, select Enable updates from Microsoft Update.

2. When you want to add Microsoft Update as a definition update option to an existing policy, in the properties of the policy, click the Updates tab, and in the update source list, select Updates from Microsoft Updates (MU).

File Share-Based Definition Updates

Forefront Endpoint Protection clients can be configured to check a file share for definition updates. To check for updates, the client accounts must have read access to the file share in which you store the definition files. Domain users need read access as well. The user account is used when a manual update is performed.

Note: When you configure clients to check a file share for definition updates, clients check the file share first, by default, before they check WSUS or Microsoft Update. You can change this hierarchy.

To enable file share-based definition updates

1. Create a folder called File Share on Server 1 (Denver).

2. Right-click the folder and go to Share with.

3. Add the user, select Read/Write access and then click Share.

4. When you create an FEP policy, on the Updates page, select Enable updates from the following file share location, then, in the text box, enter the Universal Naming Convention (UNC) path to the file share.

Note: FEP does not create or set permissions on the share automatically.

Figure 3.46 Updates tab.

Figure 3.47 UNC check box and path for the file share.


To enable file share-based definition updates in an existing policy

1. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.

2. In the middle pane, right-click the policy you want to edit, and then click Properties.

3. Click the Updates tab, then, in the list of update sources, select Updates from UNC file shares (specified below).

4. Under Specify, in order of preference, file shares, click Add, and then type the UNC path to the file share.

5. If necessary, click Add again and add additional UNC paths.

Note: You can alter the order of the list of file shares by selecting a listed path, and then, under the list, click Up or Down.

6. When finished, click OK.

To configure a file share for definition updates

1. Download the required files from the following locations:

For x64:

Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64)

Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)

Note: This file is required only if you have selected Enable protection against network-based exploits on the Antimalware tab of an FEP policy.

For x86:

Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86)

Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095)

Note: This file is required only if you have selected Enable protection against network-based exploits on the Antimalware tab of an FEP policy.

Figure 3.48 Downloaded files for x64.


2. Save the files in folders with the following names:

The files for x64-based computers must be in a folder named x64

The files for x86-based computers must be in a folder named x86

For example:

...\Updates\x86

...\Updates\x64

3. Ensure that each folder contains the following files:

Mpam-fe.exe

Nis_full.exe
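The download, folder layout and permission steps above can be repeated every time definitions are refreshed, so they are worth scripting. The following PowerShell is an added example, not part of the evaluation guide: it fetches the four packages from the links the guide lists, checks each file's Authenticode signature before placing it on the share, lays the files out as ...\x64 and ...\x86 with Mpam-fe.exe and Nis_full.exe in each, and then reads the NTFS permissions on the shared folder so you can confirm that clients have read access and see which identities can also write (FEP does not set permissions for you, and clients only need read). The share path and the expected reader group are constructed defaults for the Denver lab server; share-level permissions set through Share with are separate from the NTFS ACL this reads.

```powershell
# Added example (not from the evaluation guide): stage signed FEP definition
# packages onto the update file share and check the share's NTFS permissions.

function Update-FepDefinitionShare {
    param(
        [string]$SharePath = '\\Denver\File Share\Updates',   # constructed default
        [string[]]$ReadersExpected = @('Domain Users')         # constructed default
    )
    # Package URLs as printed in the guide, keyed by the folder name the FEP client expects.
    $packages = @{
        'x64' = @{
            'Mpam-fe.exe'  = 'http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64'
            'Nis_full.exe' = 'http://go.microsoft.com/fwlink/?LinkId=197094'
        }
        'x86' = @{
            'Mpam-fe.exe'  = 'http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86'
            'Nis_full.exe' = 'http://go.microsoft.com/fwlink/?LinkId=197095'
        }
    }
    $client  = New-Object System.Net.WebClient
    $staging = Join-Path $env:TEMP ('fepdefs-' + [guid]::NewGuid().ToString())
    $report  = @()

    foreach ($arch in $packages.Keys) {
        $target = Join-Path $SharePath $arch
        if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
        $stageDir = Join-Path $staging $arch
        New-Item -ItemType Directory -Path $stageDir | Out-Null

        foreach ($fileName in $packages[$arch].Keys) {
            # Download to a private staging folder first so an unsigned or
            # tampered file never lands where clients can pick it up.
            $tmp = Join-Path $stageDir $fileName
            $client.DownloadFile($packages[$arch][$fileName], $tmp)

            $sig     = Get-AuthenticodeSignature -FilePath $tmp
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
            if ($trusted) { Copy-Item -Path $tmp -Destination (Join-Path $target $fileName) -Force }
            $report += New-Object PSObject -Property @{
                Folder = $arch; File = $fileName; Published = $trusted; SignatureStatus = $sig.Status
            }
        }
    }
    Remove-Item -Recurse -Force $staging

    # Verify the layout the guide requires: each architecture folder holds both files.
    foreach ($arch in $packages.Keys) {
        foreach ($fileName in $packages[$arch].Keys) {
            if (-not (Test-Path (Join-Path (Join-Path $SharePath $arch) $fileName))) {
                Write-Warning "$arch\$fileName is missing from $SharePath"
            }
        }
    }

    # NTFS permissions on the shared folder: clients need Read; flag anything broader.
    $acl = Get-Acl -Path $SharePath
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($rights -match 'Write|Modify|FullControl') {
            Write-Warning "$($ace.IdentityReference) can write to the share ($rights); clients only need Read."
        }
    }
    foreach ($reader in $ReadersExpected) {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$reader" -and $_.FileSystemRights.ToString() -match 'Read'
        }
        if (-not $ok) { Write-Warning "$reader has no read access; clients will not be able to fetch definitions." }
    }
    return $report
}

Update-FepDefinitionShare | Format-Table Folder, File, Published, SignatureStatus -AutoSize
```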

Summary

This chapter has shown how you can deploy FEP to secure client machines. You can use Configuration Manager 2007 to centrally install and uninstall FEP clients, manage policies, and view the state of client protection. For more details refer to:

Deploying Forefront Endpoint Protection 2010: Step-by-step installation of Forefront Endpoint Protection 2010. It is an easy wizard driven setup.

Using Configuration Manager to Deploy FEP Clients: Step-by-step process to distribute and advertise the software to an already existing or a new collection of endpoints.

Overview of the contents of the Dashboard of System Center Configuration Manager 2007: The Dashboard summarizes the overall health status of clients. It provides drilled down reports for particular computers.

Policy creation for Forefront Endpoint Protection 2010: Defines the various configuration options of the FEP client that users can manage, such as policy customization and assignment, configuring group policy, the scan schedule, the location and frequency of definition updates, and scan exclusions.

Providing signature updates to endpoints: Enables the administrators to provide the latest updates to all endpoints centrally and thus keep them protected against new threats.

Figure 3.49 UNC checkbox and path.


In Chapter 3, you will learn how FEP can comprehensively protect client machines by detecting and cleaning malware, providing reports and alerts, and providing different types of configurable scanning methods that can be configured for client machines. For more details, refer to:

Detecting and Cleaning Malware: Step-by-step process of detecting and cleaning malware using Configuration Manager 2007.

On-demand, Scheduled and Real-time Scanning: The scanning methods used by FEP include:

Real-time scanning: Process of configuring real-time scans

Scheduled scanning: Process of configuring scheduled scans

On-demand scanning: Process of configuring on-demand scans


Forefront Endpoint Protection 2010 makes it easier to protect critical desktop, laptop, and server operating systems against viruses, spyware, rootkits, and other threats.

Highly accurate and efficient threat detection: The FEP engine protects against the latest malware and rootkits with a low false-positive rate and helps keep employees productive with low-impact scanning.

Detection of unknown threats: Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block previously unknown threats from attacking endpoints.

Improved network-based protection: Forefront Endpoint Protection 2010 ensures Windows Firewall is active and working properly to protect against network-layer threats, and it allows you to more easily manage protection across the enterprise.

Forefront Endpoint Protection 2010 provides protection against these threats using the following techniques:

Antimalware protection: The FEP client helps users stay secure and productive both at work and on the go with a lightweight, easy-to-use interface. Whenever possible, the FEP client automatically solves security issues as they occur without disturbing users, so users can stay safe and continue with their work without contacting their desktop administrators.

Protection against rootkits: Rootkits are software that enables continued privileged access to a computer, while hiding their presence from administrators. Forefront Endpoint Protection 2010 has features that provide efficient rootkit detection.

Heuristics and emulation techniques: Dynamic Translation technology in FEP uses heuristics-based protection. Based on emulated behavior, it translates code that accesses real resources into code that accesses virtualized resources, which keeps the real resources in the system safe from any malicious content.

Behavior monitoring: Live system behavior monitoring identifies new threats and tracks behavior of unknown processes and known good processes gone bad. Detections trigger a request to the Dynamic Signature Service and clients will receive an updated signature through the cloud if it is recently identified malware without waiting for the regular signature update process.

Network vulnerability shielding: Forefront Endpoint Protection 2010 provides protection against network level exploits and intrusions by inspecting inbound and outbound network traffic. It balances protection with performance by only enabling signatures for the unpatched vulnerabilities.

CHAPTER 3: COMPREHENSIVE PROTECTION

Simple Client Experience

Simple Interface: keep user interactions minimal and high-level; provide only necessary interactions.

Administrator-managed options: control user configurability; enforce central policy.

Performance-Oriented Defaults: template-driven policy creation based on risk; workload-specific policies for servers.


In this scenario, you will evaluate the process of detecting and cleaning malware using FEP. This section will provide you with the step-by-step processes to detect malware, run the FEP software to clean up the malware, and generate reports of the malware operations.

Exercise | Illustrates

4. Detecting and cleaning malware impact scanning | Detecting and cleaning malware on the client computer

5. On-demand, scheduled, and real-time scanning | Protecting endpoints against malware in real-time

Exercise 4: Detecting and cleaning malware impact scanning

Companies today are challenged to protect endpoints from unauthorized access to information and loss of critical data. Forefront Endpoint Protection 2010 enables organizations to centrally protect endpoints against different types of malware like viruses and rootkits.

While evaluating with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment

S.No. Machine Name Roles

1 Server 1 (Denver) DC – CA – AD FS, AD-RMS, FCI, WSUS

2 Server 2 (Fargo) FEP Server and Configuration Manager

3 Client 1 (Chicago) Forefront Client Security (FCS) Client

4 Client 2 (Cairo) FEP

In this exercise, you will see an example of detecting and cleaning malware on a client machine.

The following step-by-step instructions use the pre-configured virtual environment and are configured on the client machine called Cairo (Client 2 in the table above).

1. If you are using the virtual environment, then directly open the folder where the EICAR test virus file is stored to run a malware and skip to step 4.

2. If you are using your own environment, download the EICAR antimalware test file eicar.com.txt from the EICAR website (http://www.eicar.org/download/eicar.com.txt).

Note: Forefront Endpoint Protection 2010 should block this file from being downloaded. The Sample folder contains several copies of the EICAR test virus. This is not a real virus, but a sample file used for antimalware tests.

3. Place the file in the C:\Tools\Sample folder.

Figure 4.1 Opening the Sample folder.


4. In the Sample folder, right-click eicar.com.txt, and then click Open.

FEP real-time detection recognizes the EICAR test virus and blocks access to the file. Near the notification area, a popup appears that briefly informs the user about the blocked access to the file.

5. Click OK to acknowledge that Windows cannot access the file.

Notice that the eicar.com.txt file is no longer in the folder; FEP has removed it.

6. Close the Sample folder.

7. In the Notification area, right-click the FEP icon, and then click Open.

8. In the FEP window, click the History tab.

Note: It may take up to 10 minutes before the detected item appears in the list.

9. Close the FEP window.

10. On the FEP Server (in the pre-configured virtual environment, it is the server named Fargo), in the Configuration Manager console, under Computer Management, select Forefront Endpoint Protection.

Figure 4.2 Notification for blocked access to user.

Figure 4.3 Right-click the FEP icon.

Figure 4.4 History tab in the FEP window.

Figure 4.5 Select Forefront Endpoint Protection under Computer Management.


11. In the middle pane, note that the Malware Activity Status section shows the number of detected and cleaned malware.

Note: The detected malware from the client may not show up immediately. The status change depends on the Configuration Manager client state update setting.

12. In the Configuration Manager console, under Forefront Endpoint Protection, select Reports.

The middle pane lists the three pre-defined reports.

13. In the middle pane, select Antimalware Activity Report.

14. Right-click the report, and then click Run.

Notice that FEP 2010 integrates with both Configuration Manager and SQL Server Reporting.

The malware information may take some time to appear in the report. In the virtual environment, it will take 10-15 minutes for the latest information to populate. In general, it depends on the interval set for a client to upload state messages.

Figure 4.6 Malware Activity Status section.

Figure 4.7 Select Reports from Configuration Manager Console.

Figure 4.8 Right-click the Antimalware Activity Report and then click Run.


15. Close the Report Viewer window.

Exercise 5: On-demand, scheduled and real-time scanning

Forefront Endpoint Protection 2010 provides the options for on-demand, scheduled and real-time scanning. The organization can select the option appropriate for its business needs.

Exercise | Illustrates

5.1. FEP real-time scanning | Real-time scanning on an FEP Client

5.2. FEP scheduled scanning | Scheduled scanning on an FEP Client

5.3. FEP on-demand scanning | On-demand scanning on an FEP Client

If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment

S.No. Machine Name Roles

1 Server 1 (Denver) DC – CA – AD FS, WSUS

2 Server 2 (Fargo) FEP Server and Configuration Manager

3 Client 1 (Chicago) Forefront Client Security (FCS) Client

4 Client 2 (Cairo) FEP

Figure 4.9 Displayed Antimalware Activity report.


Real-time scan: protects endpoints against malware in real-time. This can help prevent infection by malware present in the files being accessed.

Real-time scanning: All FEP incidents on client machines are reported to the FEP server, which is used for reporting, creating, and distributing FEP policies throughout the network.

In this exercise, you will see an example of configuring and scheduling a scan on the client machine in real time.

These step-by-step instructions use the pre-configured virtual environment and the steps are configured on the client machine named Cairo (Client 2 in the table above).

1. In the FEP client, click the Start menu, and then click Computer.

2. Right-click USB Disk (K:), and then click Open.

Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning

Figure 5.1 Click Computer.

Figure 5.2 Right-click to Open.


3. On the K: disk, right-click Woodgrove Bank Trey Information.doc, and then click Open.

Forefront Endpoint Protection 2010 blocks access to the document. Even though the client computer may be on the corporate network, behind the firewalls, malware-infected files can still enter the network through the use of portable USB drives. However, FEP on the client machine detects and blocks the malicious content.

4. Click OK to close the Microsoft Word dialog box.

5. Close Microsoft Word.

Figure 5.3 Opening the document from the USB drive.

Figure 5.4 Error message shown on the infected file.


Note: The steps to enable real-time scanning are shown in the Policy Creation section in the Evaluation Scenario: Single Infrastructure. These steps are completed on the FEP Configuration Manager Console.

Figure 5.5 Real-time scanning.


Scheduled scan enables an organization to:

Configure a scheduled scan: You can select the scan frequency from Weekly quick scan, Weekly full scan, Daily quick scan, Daily full scan, Daily quick scan and Weekly full scan. You can also set the time and day for weekly scans.

Allow clients to schedule scan time: Select this option to allow end users to schedule scans on their client machines.

Scan only when the computer is idle

Randomize scheduled scan start times (within 30 minutes from scheduled time)

Force a scan upon reboot when two or more scheduled scans are missed.

Scan archived files

Limit processor usage during scans: You can set the processor usage at the client machine for the scanning process.

In this exercise, you will configure and schedule a scan on a client machine.

In the FEP Client, the steps to enable scheduled scanning are mentioned in the Policy Creation section in the Evaluation Scenario: Single Infrastructure.

On demand scan: enables an organization to perform three kinds of scanning:

Quick scan: checks the areas that malicious software—including viruses, spyware and unwanted software—is most likely to infect.

Full scan: checks all the files on the hard disk and checks all running programs. The duration of the scan depends on the system.

Custom scan: checks only the locations and files that the user selects.

The scanning can be performed either manually or by running the endpoint scan from the FEP management console.

In this exercise, you will perform the three types of on-demand scans on a client machine.

1. Quick Scan

Manual steps

a. Double-click the FEP icon on the taskbar.

b. Under Scan options, click Quick.

c. Click Scan now to start scanning.

Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning

Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning

Figure 5.6 Enable Scheduled scanning.

Figure 5.7 Manually performing the Quick scan.


Running the Quick Scan from the FEP Management Console

a. Open Configuration Manager console, expand Computer Management, and expand Collections.

b. Select All Systems.

c. Select the client machine Cairo.

d. Go to the Action Pane, and under the client machine Cairo select FEP Operations.

e. Click Run Quick Scan.

2. Full Scan

Manual Steps

a. Double-click the FEP icon on the taskbar.

b. Under Scan options, click Full.

c. Click Scan now to start scanning.

Running the Full Scan from the FEP Management Console

a. Open Configuration Manager console, expand Computer Management and expand Collections.

b. Select All Systems.

c. Select the client machine Cairo.

d. Go to the Action Pane, and under the client machine Cairo select FEP Operations.

e. Click Run Full Scan.

3. Custom Scan

a. Double-click the FEP icon on the taskbar and then click Custom Scan.

Figure 5.8 Run Quick Scan from FEP console.

Figure 5.9 Manually performing the Full scan.

Figure 5.10 Run Full Scan from FEP console.

Figure 5.11 Custom scan.


b. Select the locations/files that you want to scan.

c. Click OK to start the Custom Scan.

Summary

This chapter showed how FEP can provide comprehensive protection to client machines by detecting and cleaning malware, providing reports and alerts, and by providing different types of configurable scanning methods. For more details, please refer to the following sections:

Detecting and Cleaning Malware: Step-by-step process of detecting and cleaning malware impact scanning using Configuration Manager 2007.

On-demand, Scheduled and Real-time Scanning: The scanning methods used by FEP.

In Chapter 4, you will learn how FEP provides simplified management by using predefined reports and customized alerts. For more details, please refer to the following sections:

FEP Reports: Predefined reports with information on client deployment, health, and malware detection.

FEP Alerts: Receive email notifications when FEP detects security incidents and generates alerts.

Figure 5.12 Select the file location.

Figure 5.13 Custom scan.


Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 and provides a single interface for you to manage and secure endpoints, which helps reduce complexity and improve troubleshooting and reporting insights. It provides a central location for you to create and apply all endpoint-related policies.

With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers. Forefront Endpoint Protection 2010 provides simplified access to information and tools you need to keep your enterprise secure and running.

No separate console: Configuration Manager provides a single interface to manage and secure endpoints, which helps to reduce complexity and improve troubleshooting and reporting insights. This approach also helps to reduce the training necessary for client administration.

Improved endpoint visibility: With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers.

Exercise | Illustrates

6. FEP reports | Reports on client deployment, health, and malware detection

7. FEP alerts | Notification when security threats are detected

If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment

S.No. Machine Name Roles

1 Server 1 (Denver) DC – CA – AD FS, AD RMS, FCI, WSUS

2 Server 2 (Fargo) FEP Server and Configuration Manager

3 Client 1 (Chicago) Forefront Client Security (FCS) Client

4 Client 2 (Cairo) FEP

Exercise 6: Forefront Endpoint Protection 2010 reports

Forefront Endpoint Protection 2010 provides a number of predefined reports in the

Reports node under the Forefront Endpoint Protection node. These reports provide

information on client deployment, health, and malware detection. Forefront Endpoint

Protection 2010 has six predefined FEP reports:

Antimalware Activity Report, Antimalware Protection Summary Report, and Computer List Report run directly from the Reports node

Malware Details Report and Computer Details Report run by drilling down within the Antimalware Activity Report

Computer List Report and Policy Deployment run directly from the FEP Dashboard

CHAPTER 4: SIMPLIFIED

MANAGEMENT—

REPORTING AND

ALERTING

Reporting and Alerting

Benefits

Uses existing Reporting Infrastructure- no need for additional database servers

Improved visibility into client security and health

Critical level alerting

Rich historical reports


Antimalware Activity Report: This report displays a dashboard summarizing the overall antimalware status.

o Security Alerts: Displays a summary of raised FEP alerts.

o Security Status: Displays a summary of client machines by FEP client status.

o Antimalware Activity: Displays a dashboard of information about all detected malware.

o Malware Activity: Displays lists of the top malware infections by severity and frequency.

Antimalware Protection Summary Report: This report provides an overview of antimalware deployment and health.

o Antimalware Deployment and Health: Displays a dashboard of antimalware information.

o Security Status: Displays a summary of client machines by FEP client status.

Malware Details Report: This report displays further details about specific malware.

o Malware Details: Displays details about the detected malware.

o Antimalware Activity: Displays a dashboard of information about the detected malware.

o Infected Computers: Displays a list of client machines that the detected malware has infected.

Figure 6.1 Antimalware Activity report.

Figure 6.2 Antimalware Protection Summary report.

Figure 6.3 Malware Details report.


Computer List Report: This report displays a list of computers.

o Computer List: When you run this report from the Reports node, it displays a list of computers on which the FEP client is deployed. When you run this report by drilling down, it displays a filtered list of computers according to the clicked link.

Computer Details Report: This report displays further details about the specified computer.

o Computer Details: Displays details about the specified computer.

o Protection Status: Displays information about the status of the FEP client features.

o Malware Activity: Displays a summary of malware information followed by a list of malware that has been detected on the specified computer.

Policy Deployment Report: This Web report displays the breakdown of FEP 2010 client distribution states per collection.

o Click the FEP Dashboard and scroll to the Links and Resources section. Under Web Reports, click Deployment Overview.

Figure 6.4 Computer List report.

Figure 6.5 Computer Details report.

Figure 6.6 Policy Deployment report.


Exercise 7: Forefront Endpoint Protection 2010 alerts

Forefront Endpoint Protection 2010 can notify you when it detects security incidents. The alert types that FEP provides include:

Malware Outbreak: Forefront Endpoint Protection 2010 can send an alert when it detects a malware outbreak. An outbreak occurs when the number of malware detections reaches a certain threshold.

Malware Detection: When FEP detects malware on a client machine, it sends an alert to the client machines that are members of its collection. You can configure the settings to generate alerts and select the recipients of the alerts.

Repeated Malware Detection: Forefront Endpoint Protection 2010 sends an alert to client machines if the same malware infects them repeatedly. The alert occurs after a certain number of repeated detections.

Multiple Malware Detection: Forefront Endpoint Protection 2010 sends an alert to the client machines infected by multiple malware types. The alert occurs after a certain number of malware detections on a single computer.
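The four threshold rules just described, modelled as an added example (not code from the evaluation guide or from FEP itself) and run over constructed detection events so the threshold semantics can be seen end to end. It assumes a simple event tuple format, a sliding window for the outbreak interval, that each alert is reported once when its threshold is reached, and a constructed collection and sample thresholds.

```python
"""Added example, not code from the FEP evaluation guide or from FEP itself: a
simplified model of the four alert types described above, evaluated offline over
constructed detection events. The event tuple format, the sliding outbreak window
and the report-once rule are assumptions of this example, not FEP internals."""
from collections import defaultdict
from datetime import datetime, timedelta

# FEP alert levels as listed in the guide, from least to most serious.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Severe": 4}

# Constructed sample detections (not real telemetry):
# (detection time, computer name, malware name, alert level)
SAMPLE_DETECTIONS = [
    (datetime(2010, 11, 8, 9, 0), "CHICAGO", "Trojan:Win32/SampleA", "High"),
    (datetime(2010, 11, 8, 9, 5), "CAIRO", "Trojan:Win32/SampleA", "High"),
    (datetime(2010, 11, 8, 9, 7), "DENVER", "Adware:Win32/SampleB", "Low"),
    (datetime(2010, 11, 8, 9, 9), "FARGO", "Trojan:Win32/SampleA", "High"),
    (datetime(2010, 11, 8, 10, 30), "CAIRO", "Trojan:Win32/SampleA", "High"),
    (datetime(2010, 11, 8, 11, 45), "CAIRO", "Trojan:Win32/SampleA", "High"),
    (datetime(2010, 11, 8, 12, 0), "CAIRO", "Worm:Win32/SampleC", "Severe"),
    (datetime(2010, 11, 9, 8, 0), "CHICAGO", "Adware:Win32/SampleB", "Low"),
]


def malware_outbreak_alerts(events, computers_threshold, interval_minutes):
    """Malware Outbreak: detections on at least `computers_threshold` distinct
    computers within `interval_minutes` (the "Malware detected on number of
    computers" and "Malware detection interval" settings of Exercise 7.1).
    The window is cleared after an alert so one outbreak is reported once."""
    window = []  # (time, computer) pairs inside the current interval
    alerts = []
    for when, computer, _malware, _level in sorted(events):
        cutoff = when - timedelta(minutes=interval_minutes)
        window = [(t, c) for t, c in window if t >= cutoff]
        window.append((when, computer))
        affected = {c for _, c in window}
        if len(affected) >= computers_threshold:
            alerts.append((when, sorted(affected)))
            window = []
    return alerts


def malware_detection_alerts(events, collection, alert_level):
    """Malware Detection: one alert per detection on a member of the monitored
    collection at or above the configured alert detection level (Exercise 7.2)."""
    floor = SEVERITY_RANK[alert_level]
    return [
        (when, computer, malware, level)
        for when, computer, malware, level in sorted(events)
        if computer in collection and SEVERITY_RANK[level] >= floor
    ]


def repeated_detection_alerts(events, repeat_threshold):
    """Repeated Malware Detection: the same malware detected on the same computer
    `repeat_threshold` times (Exercise 7.3); reported once, when the count is hit."""
    seen = defaultdict(int)
    alerts = []
    for when, computer, malware, _level in sorted(events):
        seen[(computer, malware)] += 1
        if seen[(computer, malware)] == repeat_threshold:
            alerts.append((when, computer, malware))
    return alerts


def multiple_malware_alerts(events, types_threshold):
    """Multiple Malware Detection: `types_threshold` distinct malware names on a
    single computer (Exercise 7.4); reported once, when the count is hit."""
    per_computer = defaultdict(set)
    alerts = []
    for when, computer, malware, _level in sorted(events):
        per_computer[computer].add(malware)
        if len(per_computer[computer]) == types_threshold:
            alerts.append((when, computer, sorted(per_computer[computer])))
    return alerts


def evaluate_lab_alerts(events=SAMPLE_DETECTIONS):
    """Run all four rules with sample settings; the collection is constructed."""
    lab_collection = {"CHICAGO", "CAIRO", "FARGO"}
    return {
        "outbreak": malware_outbreak_alerts(events, 3, 30),
        "detection": malware_detection_alerts(events, lab_collection, "Medium"),
        "repeated": repeated_detection_alerts(events, 3),
        "multiple": multiple_malware_alerts(events, 2),
    }


if __name__ == "__main__":
    for name, hits in evaluate_lab_alerts().items():
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

With the sample events, the outbreak rule fires once (three computers within 30 minutes), the detection rule excludes the Low-level adware and the computer outside the collection, and the repeated and multiple rules each fire when their counts are reached.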

Exercise 7.1: Sending a Malware Outbreak alert

1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.

2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts.

Figure 7.1 Click ConfigMgr Console.

Figure 7.2 Computer Management > FEP > Alerts.


3. After selecting Alerts, select Malware Outbreak Alert.

4. Right-click Malware Outbreak Alert and then click Properties. The Malware Outbreak Alert Properties dialog box will appear.

5. Select Enable alerts for malware outbreaks and then specify the criteria for malware outbreak alerts, such as Malware detected on number of computers and Malware detection interval (in minutes). Add the addresses of the recipients to whom alerts should be sent.

Figure 7.3 Select Malware Outbreak Alert.

Figure 7.4 Right-click and select Properties.

Figure 7.5 Properties dialog box.


6. Click Apply and then click OK.

Figure 7.6 Enable Alerts for Malware Outbreaks.

Exercise 7.2: Sending a Malware Detection alert

1. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts. In the middle pane, select Malware Detection Alert.

2. Right-click Malware Detection Alert and then click Properties.

Figure 7.7 Select Malware Detection Alert.

Figure 7.8 Right-click and select Properties.


The Malware Detection Alert Properties dialog box will appear.

3. Select Enable alerts for malware detection and then click Browse to select the parent collection you want to monitor.

4. In the Browse Collection dialog box, click All Systems, and then click OK.

Figure 7.9 Properties dialog box.

Figure 7.10 Select Parent Collection.

Figure 7.11 Select All Systems.


5. Set the Alert detection level to Medium and then add the addresses of recipients to whom alerts should be sent.

6. Click Apply and then click OK.

Figure 7.12 Add recipients.

Exercise 7.3: Sending a Repeated Malware Detection alert

1. Under Computer Management, expand Forefront Endpoint Protection, click Alerts, and then click Repeated Malware Detection Alert.

2. Click Browse.

Figure 7.13 Repeated Malware Detection Alert.

Figure 7.14 Properties dialog box for Repeated Malware Detection Alert.


3. In the Browse Collection dialog box, click All Systems, and then click OK.

4. Select Add recipients Email ID. Click Apply and then click OK.

Note: In order to send the email alerts, the SMTP settings need to be defined.

5. To define the SMTP settings, in the Actions pane, click Email Settings.

6. Enter the SMTP Server and Email address, and then click OK.

Figure 7.15 Select All Systems.

Figure 7.16 Add recipients Email ID.

Figure 7.17 Email Settings.

Figure 7.18 Enter SMTP details.


Exercise 7.4: Sending a Multiple Malware Detection alert

1. Under Computer Management, expand Forefront Endpoint Protection, expand Alerts, and then select Multiple Malware Detection Alert.

2. In the Action pane on the right side, click New Multiple Malware Detection Alert.

3. Click Browse.

4. In the Browse Collection dialog box, select All Systems, and then click OK.

Figure 7.19 Multiple Malware Detection Alert.

Figure 7.20 Properties dialog box for Multiple Malware Detection Alert.

Figure 7.21 Select All Systems.


5. Select Add recipients Email ID. Click Apply and then click OK.

Note: In order to send the email alerts, the SMTP settings need to be defined.

6. To define the SMTP settings, in the Actions pane, click Email Settings.

7. Enter the SMTP Server and Email address and then click OK.

Figure 7.22 Add recipients Email ID.

Figure 7.23 Email Settings.

Figure 7.24 Enter SMTP details.


Exercise 7.5: Setting the alert level

1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.

2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection and then click Policies.

3. Double-click Default FEP policy to open the Default FEP Policy Properties dialog box.

4. Click the Antimalware tab.

5. In the list on the left, select Threat Handling.

Figure 7.25 Click ConfigMgr Console.

Figure 7.26 Computer Management > FEP > Policies.

Figure 7.27 Property dialog box > Antimalware > Threat Handling.


Forefront Endpoint Protection 2010 responds to potential threats and classifies them at different alert levels:

Low Level: These programs collect personal information or change settings but do not damage the system and operate within the licensing terms displayed when the software is installed.

Medium Level: These programs collect personal information or change settings but do not damage the system.

High Level: These programs collect personal information, change settings without the user's consent or knowledge, or damage the system.

Severe Level: These are exceptionally malicious programs that threaten the privacy and security of the client machine and can damage the system.

For each of the alert levels, you can choose to take action as follows:

Allow: This action allows the detected item and also adds it to the "Allowed Items" list.

Quarantine: This action moves the detected item to the quarantined area and enables the user to either restore or permanently delete the item.

Remove: This action permanently deletes the detected item.

Recommended Action: These actions are recommended by Microsoft Security Essentials based on their severity level.

o Severe and High: Remove the detected programs immediately.

o Medium: Consider removing the detected item if it is from an untrusted publisher.

o Low: Consider quarantining the detected item if it is from an untrusted publisher.

Figure 7.28 Action types for each Alert Level.

Summary

This chapter described how FEP provides simplified management through predefined reports and customized alerts and how it provides the necessary tools to keep the enterprise secure and running. For more details, please refer to the following sections:

FEP Reports: Predefined reports with information on client deployment, health, and malware detection.

FEP Alerts: Allows administrators to receive email notifications when FEP detects security incidents and generates alerts.


APPENDIX: SYSTEM REQUIREMENTS AND PREREQUISITES

NOTE: This appendix will help you install FEP. Because this guide has been prepared for the purpose of the following labs, instructions in this section may not be suitable for production environments. Please refer to the respective product manuals for information about the setup for production environments.

Hardware Requirements

For this evaluation, you can use either a Hyper-V based FEP virtual environment (called Business Ready Security Demo Environment) or FEP evaluation software that you can deploy in your own test/production environment.

Pre-configured Virtual Environment System Requirements

To deploy the business ready security demo environment, which is built on virtual hard disks, you need at least one Windows Server 2008 R2 Standard with Hyper-V enabled with the following recommended specifications:

Single processor with 1.4 GHz (x64 processor) or 1.3GHz (dual core)

8 GB RAM

100 GB of hard disk space

NOTE: For a list of compatible systems and peripherals required for Windows Server 2008 R2, visit http://www.microsoft.com/whdc/hcl/default.mspx

NOTE: Actual requirements will vary based on your system configuration and the applications and features you choose to install.

Forefront Endpoint Protection 2010 System Requirements

Configuration Manager requires a system running Windows 2003 SP2 or later with the following specifications:

2 GB RAM

Disk Space

o Forefront Endpoint Protection Server: 600 MB

o Forefront Endpoint Protection Database: 1.25 GB

o Forefront Endpoint Protection Reporting Database: 1.25 GB

Additional Requirements

o No earlier versions of Forefront Endpoint Protection Server installed

o No installations of other antimalware protection

o Microsoft Windows Installer version 3.1 or later

o Microsoft .NET Framework 3.5 Service Pack 1

o SQL Server 2005 SP2 or 2008 Enterprise, including:
    Analysis Services
    Integration Services
    Reporting Services
    SQL Server Agent

Configuration Manager 2007 Service Pack 2 Release 2 site installed with default roles, configured to use the SQL Server Reporting Services, and the following installed and configured:

o Hardware Inventory

o Software Distribution

o Desired Configuration Management

o Management Class Hotfix Package


Forefront Endpoint Protection 2010 Client

Forefront Endpoint Protection 2010 protects multiple Microsoft operating systems. System requirements for the FEP client include:

Processor

o Windows XP: 500 MHz or higher

o Windows Vista or Windows 7: 1.0 GHz or higher

Memory

o Windows XP: 256 MB RAM or higher

o Windows Vista or Windows 7: 1 GB RAM or higher

Disk Space

o 300 MB

Operating System

o Windows XP SP3 and later x64

o Windows Vista RTM and later, x64 and x86

o Windows 7 RTM x64, x86

o Windows 7 XP mode

o Windows Server 2003 SP2 and later, x64 and x86

o Windows Server 2008 RTM and later, x64 and x86 (not server core)

Additional Requirements

o Configuration Manager agent

o Windows Installer 3.1

o Filter manager rollup (KB914882)

o WFP rollup package (KB981889). Redistributed by client

o Windows Update

Software Prerequisites for Forefront Endpoint Protection Deployment

The FEP Setup wizard checks that the prerequisites are already installed before you continue with the installation. If the prerequisites verification check identifies missing prerequisites, the wizard informs you where you can download and install the required components.

Forefront Endpoint Protection 2010 Server requires Configuration Manager 2007 R2 / R3 and SQL Server. The following steps explain how to deploy SQL Server and Configuration Manager 2007 for FEP.


Exercise 8: Deploying SQL Server

Forefront Endpoint Protection 2010 requires SQL Server 2005 SP2 or 2008 Enterprise with Analysis Services, Integration Services, Reporting Services, and SQL Server Agent running. The SQL Server should be part of the domain.

1. Run System Configuration Checker to detect if SQL Server 2008 R2 is installed on your machine. If it detects SQL Server 2008 on the machine, it will show a message about the automatic upgrade to SQL Server 2008 R2; otherwise setup begins with step 2.

2. To use the database, analysis, and reporting services for FEP, select the following SQL Server components:

o Database Engine Services

o Analysis Services

o Reporting Services

o Integration Services

o SQL Server Agent

You need to specify a Default instance or a Named instance to use or run the FEP analysis and reporting services and to activate the databases. MSSQLSERVER is the default Named instance and Instance ID.

3. Microsoft recommends separate accounts for the respective FEP services. This page shows the Service Account tab, which indicates the service account details for the SQL Server services and allows you to specify the startup type for each of the services (for example, Automatic, Manual, and Disabled).

Figure 8.1 System Configuration Checker.

Figure 8.2 Services Selection.

Figure 8.3 Configuring database instance.

Figure 8.4 Authentication Selection.


4. The Database Engine Configuration enables you to maintain and generate FEP reports and to enable secure access to those reports. Use the Account Provisioning tab to specify the Authentication Mode and administrators for the database engine:

o Authentication Mode: SQL Server supports two authentication modes, Windows authentication mode and Mixed Mode.

o Specify SQL Server administrators: You must specify at least one system administrator for each instance of SQL Server.

The Data Directories tab enables you to specify non-default installation directories, and in the FILESTREAM tab you can enable FILESTREAM for instances of SQL Server.

5. On the Analysis Services Configuration page, the Account Provisioning tab enables administrators to specify users with administrative privileges to allow access to Analysis Services.

6. On the Reporting Services Configuration page, you can select the type of Reporting Services you wish to install. Options include:

o Install the native mode default configuration

o Install the SharePoint integrated mode default configuration

o Install, but do not configure the report server

7. On the Ready to Install page, you can see a tree view of the installation options specified during Setup.

Figure 8.5 Authentication Method.

Figure 8.6 Analysis Services Configuration.

Figure 8.7 Reporting Services Configuration.

Figure 8.8 Configuration View.


After you complete the installation of SQL Server 2008, the installer will provide a link to the summary log file for the installation and other important notes.

Figure 8.9 Installation Completion.

Deploying Configuration Manager 2007 R2

Before you install Configuration Manager 2007 R2, make sure you fulfill the following prerequisites:

Extend the Active Directory schema

Create a Configuration Manager 2007 R2 System Management Container in Active Directory

Install the Microsoft Remote Differential Compression feature

Install WebDAV and configure it in IIS

Install the BITS Server Extensions feature

Install WSUS Server 3.0 SP1

During the Configuration Manager installation, when you configure the client agent option, select the following options:

Software inventory: Discovers the software installed on the system.

Hardware inventory: Scans and reports the hardware configuration of the specific machine. The collected data is controlled by Managed Object Format (MOF) definitions; the defined classes are added to WMI, which reports back to the site server.

Desired configuration management: Defines the schedule on which the system will scan for compliance based on DCM rules.

System Center Client Deployment: Configures the client settings, including the account that is used to connect to the software distribution location, and notification settings.

Figure 8.10 Agent Configuration Option.


FOREFRONT ENDPOINT PROTECTION SECURITY MANAGEMENT PACK: ENABLING REAL-TIME MONITORING WITH SYSTEM CENTER OPERATIONS MANAGER 2007 R2

High-value assets (typically servers) that require a greater degree of monitoring can report their events to an Operations Manager infrastructure. Forefront Endpoint Protection 2010 includes the FEP Security Management Pack, which is a standard management pack that you can import to Operations Manager 2007 R2.

The FEP Security Management Pack serves two goals. First, organizations that use Operations Manager 2007 R2 to monitor servers can now use their preferred tool to monitor security, too. Second, for organizations that require guaranteed real-time monitoring for their critical systems (like servers), the management pack uses Operations Manager 2007 R2 capabilities to ensure real-time reporting on FEP. In addition to real-time monitoring and alerting, the FEP Security Management Pack can use SQL Reporting or Microsoft Excel® to connect to the Operations Manager 2007 R2 database to generate custom reports.

The Operations Manager 2007 R2 console provides access to real-time data generated by FEP clients with Operations Manager 2007 R2 agents installed. This data includes a state view of the various FEP client components (antimalware engine, antimalware activity, definitions, last scan time, firewall state, and others), a list of active alerts, and a list of all FEP-related events that the servers have sent.

The FEP Security Management Pack for Operations Manager 2007 R2 provides a server-centric view under Operations Manager with the following features:

Server security and availability tasks

Predefined reporting views that can be used to generate custom reports using Excel (an Excel sample spreadsheet with various examples of possible reports is available in the download center)

Real-time monitoring and alerting for critical systems


In this scenario, you will import the FEP Management Pack into an Operations Manager 2007 R2 Management Group. You can then monitor all the servers assigned to that Management Group that have the FEP client installed.

If you are evaluating FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment

S.No.  Machine Name        Roles
1      Server 1 (Denver)   DC, CA, AD FS, AD RMS, FCI
2      Server 2 (Madrid)   Exchange 2010
3      Server 3 (Oxford)   FEP Security Management Pack, Operations Manager

The following step-by-step instructions use the pre-configured virtual environment, and the steps are configured on the FEP server machine called Madrid (Server 2 in the table above). The FEP Security Management Pack and Operations Manager Console are configured on the server machine called Oxford (Server 3 in the table above).

You can also download the evaluation version of the FEP Security Management Pack software to evaluate it with System Center Operations Manager in your test environment.

Exercise                                    Illustrates
9. Enabling real-time monitoring with FEP   Step-by-step guide to import the FEP Security Management Pack, create an override to allow discovery of Windows clients, and use the Operations Manager Console to monitor FEP.
10. Generating alerts and notifications     Step-by-step guide to generate alerts and create an incident in the Operations Manager Console.
11. Performing task remediation             Step-by-step guide for remediation tasks targeted at computers by Operations Manager operators and delivered to them for execution.


Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010

This section explains the steps required to import the FEP Security Management Pack. The following steps need to be completed if you are using the evaluation version of the FEP Security Management Pack. If you are evaluating the FEP Security Management Pack using the pre-configured virtual environment, please skip to Exercise 10 (the FEP Security Management Pack is already installed in the pre-configured virtual environment).

To import management pack files into Operations Manager, you must first extract the files from the fep2010 security mp.msi package. You are not required to extract the package locally on the Operations Manager server; however, you must be able to access the files from the Operations Manager console in order to import them.

Download and expand the Forefront Endpoint Protection Security Management Pack from the Forefront Endpoint Protection download page (http://go.microsoft.com/fwlink/?LinkID=196678).

To extract Management Pack files

1. Double-click fep2010 security mp.msi.

Note: No Management Pack files are installed or imported to Operations Manager during this procedure. The wizard only extracts files.

2. Read and accept the license agreement, and then click Next.

3. On the Select Installation Folder page, specify the folder to which you want to extract the management pack files, and then click Next.

Figure 9.1 Accept the license agreement.

Figure 9.2 Specify the installation folder.


4. On the Confirm Installation page, click Install to extract the package to the specified location. On the Installation Complete page, click Close.

5. Navigate to the file location specified earlier and verify that the following files are present:

Microsoft.FEPS.Application.mp

Microsoft.FEPS.Library.mp

Microsoft.FEPS.Reports.mp

To import the FEP Security Management Pack

1. Log on to the server running System Center Operations Manager 2007 by using an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.

2. In the Operations Console, click the Administration button.

3. Right-click the Management Packs node and then click Import Management Pack(s) to open the Import Management Packs dialog box.

4. In the Import Management Packs dialog box, click Add, and then click Add from disk.

5. In the Online Catalog Connection dialog box, Select No.

6. In the Select Management Packs to import dialog box, browse to C:\Program Files (x86)\System Center Management Packs\FEP 2010 for Servers OpsMgr 2007 R2 MP, press CTRL+A to select the three .mp files and then click Open.

7. On the Select Management Packs page, the management packs that you selected for import are listed. Next to each management pack a green check mark icon should appear that indicates that the management pack is ready to import.

8. Click Install to import the selected management packs.

9. After installation, click Close to close the Import Management Packs window.

10. In the Management Packs node, press F5 to refresh the list of management packs installed to Operations Manager. Then, in the Look for text box, type Protection, and then click Find Now. The two management packs imported in step 7 should appear in the view.

Figure 9.3 Verification of extracted files.

Figure 9.4 Import Management pack.

Figure 9.5 Add Management pack.

Figure 9.6 Verifying Management Packs.


To create an override to allow discovery of Windows clients

The Operations Manager discovery that discovers the FEP client installed on Windows client machines is disabled. In order to allow Operations Manager to monitor FEP on Windows clients, you need to configure an override.

1. In the lower-left corner, select the Authoring node.

2. Expand Management Pack Objects and select Object Discoveries.

3. In the top-right corner, click Change Scope.

4. Select View all targets.

5. In the Look for box, type Forefront.

6. Click Clear All to clear the default objects and then click Select All to select all the Forefront objects. Click OK.

7. Double-click Protected Client Candidate Discovery.

8. Click the Overrides tab.

Figure 9.7 Change Scope.

Figure 9.8 Forefront Object selection.

Figure 9.9 Protected Client Candidate Discovery.

Figure 9.10 Override tab selection.


9. Click the Override button and select For all objects of class: Windows Client.

10. In the top Override box, change the Override Value to True. Click OK and Close.

Figure 9.11 For all objects of class: Windows Client.

Figure 9.12 True Override Value.

Exercise 10: Generating alerts and notifications

To generate alerts for the monitors, you first need to create an incident so Operations Manager can identify the issue and generate alerts. In this procedure, you will create an incident by stopping the FEP service.

To stop the FEP service on a server

Perform the following step on the Server 2 (Madrid) computer:

Open Task Manager, go to the Services tab, right-click Microsoft Antimalware Service, and then click Stop.

Figure 10.1 Stop Antimalware Service.


To monitor the FEP service stopping on a server and then restart it

1. Select Protected Server State and click Refresh until the state changes. This should take less than 1 minute, and the Antimalware Engine and Antimalware Definitions components should change to Critical.

2. Select the Active Alerts view. Three alerts are raised in response to this condition.

3. Select the domain controller, and in the Action pane, click Health Explorer. As before, you can review information about the monitors that raised these alerts.

4. Select Antimalware Engine to read information about this condition.

Figure 10.2 State change under Protected Server State.

Figure 10.3 Active Alerts view.

Figure 10.4 Health Explorer.


5. Select the State Change Events tab to see when the computer entered this state.

6. Near the bottom of the window is a recovery task called Enable real-time protection. Click the link to run it and then click Yes.

7. Close the Health Explorer window and return to the Protected Server State view.

8. Click Refresh a few times until the state changes to Healthy.

Figure 10.5 State Change Events tab.

Figure 10.6 Enable real-time protection.

Figure 10.7 Healthy state of system.


9. Return to the Active Alerts view. The alerts are automatically set to Closed after the monitors change state, and they are removed from the Active Alerts view.

Figure 10.8 Closed Alerts under Active Alerts.

Exercise 11: Performing task remediation

Tasks are targeted at computers by Operations Manager operators and delivered to them for execution. In this exercise, you will use a task to retrieve FEP information and update definitions on the domain controller. You will also investigate the FEP reports and extract more details.

To use a task to retrieve FEP information from a Windows Server

1. Select Protected Server State.

2. Select the Server 2 (Madrid) computer and in the Action pane under Protected Server Tasks, click Retrieve Endpoint Settings.

3. Accept the defaults and click Run and then click Close.

4. Select Task Status and click Refresh until the task status changes from Queued to Success.

5. Select the completed task and scroll down to see detailed information about the client. Examine the list of other tasks, such as Run a full / quick scan, Stop a scan, Update definition files, and others.

Figure 11.1 Retrieve Endpoint settings.

Figure 11.2 Task Status.


To use a task to update definitions on the domain controller

1. Select Protected Server State.

2. Select the domain controller and in the Action pane under Protected Server Tasks, click Update Antimalware Definitions.

3. Accept the defaults and click Run and then click Close.

4. Select Task Status and click Refresh until the task status changes from Queued to Success. This may take a minute or so.

To investigate FEP Reports

1. Select Protected Server State.

2. Select the domain controller and in the Action pane under Protected Server Reports, click Event Analysis.

3. In the From box, select Yesterday and then click Run.

Figure 11.3 Update Antimalware Definitions.

Figure 11.4 Event Analysis.

Figure 11.5 Select Yesterday in the From box and then click Run.


4. Expand the Protect Server object to see the events related to that server. You can also filter by event type, category, ID or source. Close the report.

5. Click Alerts.

6. In the From box, select Yesterday and then click Run. Expand Antimalware Engine Malfunction to see more details.

Figure 11.6 Event Analysis Report.

Figure 11.7 Alerts.

Figure 11.8 Alert Report.
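The Operations Manager tasks and report used in Exercise 11 each have a scriptable equivalent you can run against the same servers when the console is not to hand, or when you want to sweep many endpoints at once. The script below is an added example, not part of the evaluation guide or of the FEP product. It assumes three things that you should confirm on your own build: that the FEP 2010 client exposes the WMI class AntimalwareHealthStatus in the root\Microsoft\SecurityClient namespace, that the client's command-line tool is at %ProgramFiles%\Microsoft Security Client\Antimalware\MpCmdRun.exe, and that FEP writes its antimalware events to the System log under the provider name "Microsoft Antimalware". The event ID meanings and the target computer names are likewise assumptions, labelled in the code.

```powershell
# Added example (not from the evaluation guide): PowerShell equivalents of the three
# things Exercise 11 does by hand in the Operations Manager console, run from an
# administrative workstation against remote FEP 2010 clients.
# Assumptions to verify on your build:
#   - the FEP client exposes the WMI class root\Microsoft\SecurityClient\AntimalwareHealthStatus
#   - MpCmdRun.exe is at %ProgramFiles%\Microsoft Security Client\Antimalware\MpCmdRun.exe
#   - FEP writes antimalware events to the System log, provider "Microsoft Antimalware"
# Requires local admin on the targets, WMI/RPC reachable, and WinRM for Invoke-Command.

function Get-FepEndpointStatus {
    # Equivalent of the "Retrieve Endpoint Settings" task: read the client's health class.
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    $h = Get-WmiObject -ComputerName $ComputerName `
                       -Namespace 'root\Microsoft\SecurityClient' `
                       -Class 'AntimalwareHealthStatus'
    if (-not $h) { throw "No AntimalwareHealthStatus instance on $ComputerName (FEP client installed?)" }

    # WMI returns DMTF datetime strings; convert the one we report on.
    $sigUpdated = $null
    if ($h.AntivirusSignatureUpdateDateTime) {
        $sigUpdated = [Management.ManagementDateTimeConverter]::ToDateTime($h.AntivirusSignatureUpdateDateTime)
    }

    New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        RealTimeProtection = [bool]$h.RtpEnabled
        AntivirusEnabled   = [bool]$h.AntivirusEnabled
        AntispywareEnabled = [bool]$h.AntispywareEnabled
        SignatureVersion   = $h.AntivirusSignatureVersion
        SignatureUpdated   = $sigUpdated
        SignatureAgeDays   = [int]$h.AntivirusSignatureAge
    }
}

function Update-FepDefinitions {
    # Equivalent of the "Update Antimalware Definitions" task. Returns MpCmdRun's exit code (0 = success).
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $mp = Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe'
        if (-not (Test-Path $mp)) { throw "MpCmdRun.exe not found at $mp" }
        & $mp -SignatureUpdate | Out-Null
        $LASTEXITCODE
    }
}

function Get-FepRecentEvents {
    # Equivalent of the Event Analysis report with "From: Yesterday", filtered by source and
    # annotated by event ID. The ID-to-meaning map is the Microsoft Antimalware provider's
    # (assumed; confirm against the IDs the report itself shows).
    param([Parameter(Mandatory=$true)][string]$ComputerName, [int]$Days = 1)

    $meaning = @{
        1116 = 'Malware detected';            1117 = 'Action taken on malware'
        2000 = 'Signatures updated';          2001 = 'Signature update failed'
        3002 = 'Real-time protection failed'; 5001 = 'Real-time protection disabled'
    }
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware'; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $what = 'Other'
            if ($meaning.ContainsKey([int]$_.Id)) { $what = $meaning[[int]$_.Id] }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $what
                Message = ($_.Message -split "`n")[0]   # first line only
            }
        }
}

# The remediation loop the exercise performs by hand. Target names are placeholders.
$targets = 'Server2', 'DC1'
foreach ($t in $targets) {
    $s = Get-FepEndpointStatus -ComputerName $t
    $s | Format-List ComputerName, RealTimeProtection, SignatureVersion, SignatureUpdated, SignatureAgeDays

    if (-not $s.RealTimeProtection) { Write-Warning "$t : real-time protection is OFF" }

    if ($s.SignatureAgeDays -gt 3) {
        Write-Host "$t : definitions are $($s.SignatureAgeDays) days old, updating"
        $rc = Update-FepDefinitions -ComputerName $t
        if ($rc -ne 0) { Write-Warning "$t : MpCmdRun -SignatureUpdate exited with $rc" }
    }

    Get-FepRecentEvents -ComputerName $t | Format-Table Time, Id, Meaning, Message -AutoSize
}
```

One caveat worth keeping in mind when you compare the two approaches: the Operations Manager task runs inside the agent already installed on the server, so it needs no inbound ports beyond what the agent uses. The script above instead relies on WMI/RPC and WinRM being reachable from your workstation and on you holding local administrator rights on every target, which is a larger exposure than the console path and should be restricted to management hosts.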


RESOURCES

Forefront Endpoint Protection 2010 Overview:

http://www.microsoft.com/fep

System Center Configuration Manager Overview:

http://www.microsoft.com/systemcenter/en/us/default.aspx

Forefront Endpoint Protection 2010 Datasheet:

http://download.microsoft.com/download/E/8/1/E81B0B04-5A97-4C0C-8E15-7464EBCAAE7C/FEP_ds_FINAL%20110810.pdf

Forefront Endpoint Protection 2010 Evaluation Download:

http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx

Forefront Endpoint Protection 2010 System Requirements:

http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-system-requirements.aspx

Forefront Endpoint Protection 2010 Hyper-V enabled Virtual Machine Environment for Evaluation:

http://go.microsoft.com/fwlink/?LinkId=190269

Forefront Endpoint Protection 2010 Deployment Guide:

http://technet.microsoft.com/en-us/library/ff823762.aspx

Forefront Endpoint Protection 2010 Technical Library:

http://technet.microsoft.com/en-us/library/ff684073.aspx

Forefront Endpoint Protection 2010 FAQ:

http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-faq.aspx

Forums:

http://social.technet.microsoft.com/Forums/en-US/FCSNext/threads