
Jayesh Mowjee Security Consultant Microsoft Session Code: SIA203


Security Management and Protection: What's in Microsoft Forefront Client Security Version 2


Session Objectives And Takeaways

Session Objectives:
Understand the capabilities of FCSv2
Know how FCSv2 protects endpoints against threats
Plan an FCSv2 deployment

Key Takeaways:
FCSv2 provides comprehensive endpoint protection
FCSv2 is part of Forefront codename "Stirling"

Agenda

Forefront Today
Forefront Client Security v2
Unified Protection
Simplified Administration
Visibility and Control
Enterprise Ready

Question and Answer

Business Ready Security
Help securely enable business by managing risk and empowering people

Highly Secure & Interoperable Platform
Identity: integrate and extend security across the enterprise
Protect everywhere, access anywhere
Simplify the security experience, manage compliance

From: Block, Cost, Siloed. To: Enable, Value, Seamless.

Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management

Network Edge / Server Applications / Client & Server OS

Comprehensive Protection: Unified endpoint security that integrates anti-malware, host firewall and more. Coordinated protection with Forefront codename "Stirling". Inspection, threat mitigation and remediation.

Simplified Administration: Manage from a single role-based console. Integrates with existing Microsoft infrastructure. Easy discovery and deployment of protection for endpoints.

Visibility and Control: One dashboard for visibility into threats, vulnerabilities, and configuration risks. Increased visibility into endpoint security with vulnerability assessment scanning.

Comprehensive protection for business desktops, laptops and server operating systems that is easier to manage and control

Comprehensive Protection

Comprehensive Protection: Forefront Client Security v2

Protection technologies (the slide arranges them along a Proactive to Reactive axis):

Vulnerability Assessment: Scan for vulnerabilities and configuration exposures
Vulnerability Remediation: Reduce the attack surface of vulnerabilities
Host Firewall: Restrict what applications can do
Network Access Protection: Limit exposure from vulnerable clients
Behavior Monitoring: Monitor suspicious processes
Antivirus/Antispyware: Block, remove and clean malicious software

FCS Awards and Certifications
In recent tests, Microsoft rated among the leaders in anti-virus protection

AV-Comparatives (Feb 2008): test of consumer anti-virus products using a malware sample covering approximately the last three years. FCS received the AV-Comparatives Advanced certification.

AV-Test.org (March 2008): test based on more than 1 million malware samples.

Detection rates shown on the slide:

Kaspersky 98.3%
Symantec 97.7%
McAfee 94.9%
Microsoft 93.9%
VBA32 87.7%

AVK (G Data) 99.9%
Trend Micro 98.7%
Sophos 98.1%
Microsoft 97.8%
Kaspersky 97.2%
F-Secure 96.8%
Norton (Symantec) 95.7%
McAfee 95.6%
eTrust / VET (CA) 72.1%

Antivirus – Antispyware: Building on FCS v1

AV-Test.org (Sept 2008): test based on more than 1 million malware samples.

AVK 2009 (G Data) 99.8%
F-Secure 99.2%
Norton (Symantec) 98.7%
Kaspersky 98.4%
Microsoft 97.7%
Sophos 97.5%
McAfee 93.6%
Trend Micro 91.3%
CA - VET 65.5%

Antivirus – Antispyware: Building on FCS v1

Integrated anti-virus/anti-spyware agent delivering real-time protection
Uses Windows Filter Manager: maintains stable operation; scans for viruses and spyware in real time

Dynamic Translation (unique to the Microsoft agent): maximizes scanning speed by decrypting and emulating malware code at the speed of native code execution

Other protection features:
Tunneling signatures for detecting and removing rootkits
Advanced system cleaning: customized remediation (recreating registry entries, restoring settings)
Event Flood Protection: shields the reporting infrastructure from infected clients during an outbreak
Heuristics for classifying programs based on behavior

Benefits: better malware detection; multiple technologies for malware protection; greater stability of the client environment; faster malware scanning conducted in real time

Sources: West Coast Labs, AVTest.org, performance benchmarking study conducted by West Coast Labs.

Capability                                      Leading Competitor    Forefront Client Security
Memory footprint, uninfected client             536 MB                522 MB
Memory footprint, infected client               593 MB                495 MB
Avg usage, CPU & memory, uninfected client      82.37%                79%
Avg usage, CPU & memory, infected client        88.56%                81.6%
Scanning time, uninfected client                147.69 min            81.82 min
Scanning time, infected client                  167.09 min            95.33 min
Application startup: Word (no AV: 1.725 sec)    2.425 sec             2.233 sec
Application startup: IE (no AV: 2.275 sec)      3.6 sec               2.6 sec

Slide callouts: 7% less CPU; 2x faster scanning.

Antivirus – Antispyware: Building on FCS v1

Capability                                      Leading Competitor    Forefront Client Security
Memory footprint, server                        58.6 MB               56.5 MB
Memory footprint, client                        66.3 MB               57.9 MB
Avg usage, CPU & memory, server                 30.5%                 2.0%
Avg usage, CPU & memory, client                 29.4%                 11.1%
Boot time increase                              62% avg increase      4.5% avg increase
Quick scan time, Network 1 (avg)                29.9 min              13.6 min
Quick scan time, Network 2 (avg)                12.0 min              5.3 min
Full scan time, Network 1 (avg)                 156.8 min             34.6 min
Full scan time, Network 2 (avg)                 92.8 min              18.3 min

Slide callouts: 60%+ less CPU usage; 14x faster at boot time; 2x faster in quick scans; 5x faster in full scans.

The FCS agent efficiently uses system resources, scans quickly, and detects malware effectively.

Vulnerability Management: Proactively reduce the surface area (NEW)

Assess:
Detect common vulnerabilities and missing security updates
Discover misconfiguration exposures
Configure the parameters of each security check
New checks include: IE security settings, DEP, IIS settings, and more
Compare system configuration against security best practices
Assign a score based on the associated risk
Surface issues found across the enterprise in real time

Remediate:
Automatically remediate based on policy
Integrate with NAP for compliance enforcement
Remotely remediate from the management console

Vulnerability Assessment Checks Available in Forefront Client Security v2

Internet Explorer Browser Security: Restricted Sites Allowed; Trusted Sites; Home Page Protection; Phishing Filter; Pop-up Blocker; Protected Mode; Internet Explorer Zones; Enhanced Security Configuration

Antimalware: AM Service Running; AM Signatures Up-To-Date; AM Scan Required; Malware detected and/or failed to clean

BitLocker

Device Control

Windows Firewall

Data Execution Prevention (DEP)

Account Management: Guest Account; Autologon; Restrict Anonymous; Auditing (Login/Logoff); Password Expiration

File System: File System (NTFS); Shares

Security Updates: Approved Updates; Unapproved Updates; Automatic Updates

Unnecessary Desktop Services

Office Macros

User Account Control (UAC): Application Elevation for App Install; Application Elevation for Signed Exe; Application Elevation for UIAccess Apps; ActiveX Install Without Prompt; Virtualization for File and Registry Failures; Admin Approval Mode for Built-In Admin; Elevation Prompt for Admins; Elevation Prompt for Standard Users; Admin Approval Mode for All Admins; Elevation Prompt Secure Desktop; Secure Credential Entry
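The following is an added example, not FCSv2's own check engine: a PowerShell script that performs a handful of the checks listed above (Autologon, Guest account, Restrict Anonymous, several UAC settings, DEP, Windows Firewall, Automatic Updates) by reading the Windows settings behind them, then assigns a risk-weighted score in the way the Assess slide describes. The check names, the risk weights and the Get-RegValue helper are my own assumptions; the registry paths, the Win32_OperatingSystem property and the cmdlets are the standard Windows ones. It needs an elevated session on Windows 10 / Server 2016 or later (Get-LocalUser requires PowerShell 5.1).

```powershell
# Added example, not FCSv2 code: a risk-weighted configuration assessment in
# PowerShell. Run in an elevated session on Windows 10 / Server 2016 or later.

function Get-RegValue {
    # Return the named registry value, or $null when the key or value is absent
    # (absent means "OS default"; each check decides how to treat that).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$fwBase   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$auKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Each check: a name, an assumed risk weight (1 low .. 10 high), and a test that
# returns @{ Pass = <bool>; Value = <what was observed> }.
$checks = @(
    @{ Name = 'Autologon disabled'; Weight = 8; Test = {
        $v = Get-RegValue $winlogon 'AutoAdminLogon'           # REG_SZ "1" = enabled
        @{ Pass = ($v -ne '1'); Value = $v } } }
    @{ Name = 'Guest account disabled'; Weight = 6; Test = {
        $g = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
        $observed = 'absent'; if ($g) { $observed = $g.Enabled }
        @{ Pass = (-not $g -or -not $g.Enabled); Value = $observed } } }
    @{ Name = 'Restrict anonymous enumeration'; Weight = 5; Test = {
        $v = Get-RegValue $lsaKey 'RestrictAnonymous'          # 0 / absent = default (open)
        @{ Pass = ($v -ge 1); Value = $v } } }
    @{ Name = 'UAC enabled (EnableLUA)'; Weight = 9; Test = {
        $v = Get-RegValue $uacKey 'EnableLUA'
        @{ Pass = ($v -eq 1); Value = $v } } }
    @{ Name = 'Elevation prompt for admins (not silent)'; Weight = 7; Test = {
        $v = Get-RegValue $uacKey 'ConsentPromptBehaviorAdmin' # 0 = elevate without prompting
        @{ Pass = ($v -ne 0); Value = $v } } }
    @{ Name = 'Elevation prompt on secure desktop'; Weight = 4; Test = {
        $v = Get-RegValue $uacKey 'PromptOnSecureDesktop'
        @{ Pass = ($v -eq 1); Value = $v } } }
    @{ Name = 'Admin Approval Mode for built-in Administrator'; Weight = 5; Test = {
        $v = Get-RegValue $uacKey 'FilterAdministratorToken'
        @{ Pass = ($v -eq 1); Value = $v } } }
    @{ Name = 'DEP policy OptOut or AlwaysOn'; Weight = 6; Test = {
        # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
        $v = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
        @{ Pass = ($v -in 1, 3); Value = $v } } }
    @{ Name = 'Windows Firewall enabled for all profiles'; Weight = 8; Test = {
        $states = foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
            Get-RegValue "$fwBase\$p" 'EnableFirewall' }
        @{ Pass = (@($states | Where-Object { $_ -ne 1 }).Count -eq 0); Value = ($states -join ',') } } }
    @{ Name = 'Automatic Updates set to download and install'; Weight = 7; Test = {
        $v = Get-RegValue $auKey 'AUOptions'                   # 4 = auto download and install
        @{ Pass = ($v -eq 4); Value = $v } } }
)

# Run every check; a failing check contributes its full weight to the risk score.
$results = foreach ($c in $checks) {
    $r = & $c.Test
    $status = 'NonCompliant'; $risk = $c.Weight
    if ($r.Pass) { $status = 'Compliant'; $risk = 0 }
    [pscustomobject]@{ Check = $c.Name; Observed = $r.Value; Status = $status; Risk = $risk }
}

$results | Format-Table -AutoSize
$score    = ($results | Measure-Object -Property Risk -Sum).Sum
$maxScore = ($checks | ForEach-Object { $_.Weight } | Measure-Object -Sum).Sum
"Risk score: $score of $maxScore (0 = every check compliant)"
```

Two caveats when reading the output. The firewall check reads the local profile keys; on a machine whose firewall is governed by Group Policy the effective state is better taken from Get-NetFirewallProfile. And a blank Observed value means the setting is absent from the registry, so the check has scored the OS default rather than an explicit configuration.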

Network Access Protection


Up-to-date Protection: ensures that all clients have the latest definitions & host protection policy

Compliance Enforcement: enables administrators to enforce their corporate security policy and protect the network from non-compliant and vulnerable clients

Outbreak Containment: protects the network from clients with active malware infections

Network Eviction: enables administrators to protect the network from suspicious and potentially compromised clients

Host Firewall

Firewall Management: centralized management of the Windows Firewall
Windows XP/2003, Windows Vista/2008, and Windows 7
Supports inbound and outbound filtering
Configure firewall exceptions for ports, applications, and services
Configure network location profiles for roaming users

Centralized Visibility: firewall state in the enterprise
Sensors for security incident detection
Activity monitoring
Statistics
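An added example, not FCSv2 or Stirling code, of the two operations described above: pushing a profile-aware firewall exception and collecting firewall state centrally. It uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later, so it would not run on the XP-era agents the slide lists. The computer names, rule name and management address range are placeholders, and PowerShell remoting with local administrator rights on the targets is assumed.

```powershell
# Added example, not FCSv2/Stirling code: profile-aware firewall exception plus
# central collection of firewall state with the NetSecurity cmdlets.
# Requires PowerShell remoting to the targets and local admin rights there.

$computers = @('WS01', 'WS02')   # placeholder hostnames (assumption)

$policy = {
    # Inbound RDP exception scoped to the Domain profile and a management range,
    # so a roaming laptop on a Public network keeps the port closed. Re-creating
    # the rule on every push keeps the operation idempotent.
    Get-NetFirewallRule -DisplayName 'Corp-Admin-RDP' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Corp-Admin-RDP' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress '10.0.0.0/8' -Profile Domain -Action Allow | Out-Null

    # Baseline for every profile: firewall on, inbound denied by default, outbound
    # allowed, dropped packets logged so there is something for a sensor to read.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

    # Report the resulting state for the central inventory.
    Get-NetFirewallProfile |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

# Push and collect in one pass; unreachable machines become warnings, not silent gaps.
$state = Invoke-Command -ComputerName $computers -ScriptBlock $policy `
    -ErrorAction SilentlyContinue -ErrorVariable pushErrors
$state | Format-Table Computer, Name, Enabled, DefaultInboundAction, LogBlocked -AutoSize
foreach ($e in $pushErrors) { Write-Warning $e.Exception.Message }

# Simplest "firewall state in the enterprise" sensor: any profile with the firewall off.
$state | Where-Object { "$($_.Enabled)" -ne 'True' } |
    ForEach-Object { Write-Warning "$($_.Computer): firewall disabled for the $($_.Name) profile" }
```

Scoping the exception to the Domain profile is the part worth copying: the same rule written without -Profile applies on hotel and home networks too, which is exactly the roaming-user exposure the slide's location profiles exist to prevent.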

Simplified Administration

Forefront Code Name "Stirling"
An integrated security suite that delivers comprehensive protection across endpoints, application servers, and the edge that is easier to manage and control

Architecture diagram: a Central Management Server (Code Name "Stirling") with Security Assessment Sharing (SAS) ties together protection for the Network Edge, Server Applications, and Client & Server OS, along with Third-Party Partner Solutions, Other Microsoft Solutions, Active Directory and NAP. Benefits: Unified Management, In-Depth Investigation, Enterprise-Wide Visibility.

Simplified Administration With Stirling: Protect your business with greater efficiency

FCSv2 is managed through "Stirling"
One console for simplified, role-based security management
Define one security policy for your assets across protection technologies
Deploy signatures, policies and software quickly
Integrates with your existing infrastructure: SQL, WSUS, AD, NAP, SCCM, SCOM (new & existing)

Integration With Your Infrastructure

Integration diagram: the Stirling management server exchanges policy, reports and events with the protection products (Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint, Forefront Threat Management Gateway). Signatures and updates come from Microsoft Update via WSUS (or an alternate system); group information comes from the directory (or alternate systems); Network Access Protection (NAP) enforces compliance. Required infrastructure is split into integration infrastructure and core infrastructure.

Deployment and Scalability

Stirling server roles: Stirling Console, Stirling Core, Stirling SQL DB, SCOM Root Management Server (RMS), SCOM SQL DB, SQL Reporting Server, SQL Reporting DB. Software/signature deployment uses e.g. WSUS or SCCM (typically already deployed before Stirling).

Sizing tiers shown on the slide: 250 – 2,500 assets; up to 25,000 assets; scaling up beyond that by adding Stirling Console, Stirling Core, SQL Reporting Server and SCOM RMS capacity per 25,000 assets and SCOM SQL DB capacity per 20,000 assets, alongside WSUS, the Stirling SQL DB and the SQL Reporting DB.

An asset is a computer with one of the Stirling protection technologies (FCS, FSE, FSSP and/or TMG).

Visibility & Control

Know your security state
View insightful reports
Investigate and remediate security risks

Critical Visibility and Control: Know where action is required

Critical Visibility and Control: Take action to remediate issues
Integrated with Dynamic Response
FCSv2 tasks: update signatures; AM quick/full scan; vulnerability scan; install missing updates; vulnerability remediation; network eviction; reboot computer

Enterprise Ready

Enhanced Enterprise Capabilities: Forefront Client Security

Scale to the largest enterprises

Role-based Administration

Virtualized Deployments

Clustering and High Availability Deployments

Support for both domain and non-domain joined assets

Protection for Windows Server Roles

Native NAP Integration

Microsoft Confidential

Platform Support

Client Agents

Windows XP, Windows Vista, Windows 7

Windows 2003, Windows 2008

Virtual machines (MSFT virtual machine technology only)

Non-domain joined machines

Windows Embedded, WEPOS

Server Infrastructure

Windows Server 2003, Windows 2008 (x64 only)

SQL Server 2008 Standard or Enterprise

Will support installation of server infrastructure on virtual machines (MSFT virtual machine technology only)

Will support clustered environments for high availability

Summary

Forefront Client Security v2 provides unified protection for endpoints (desktops, laptops and servers) that is easier to manage and control

Built on FCS v1's strong foundations
Offers greater protection
Integrated with "Stirling"
Centralized management
Comprehensive, insightful reports

Enterprise Ready

Question & Answer

Resources

www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.