Implementation Plan For:
Prepared by: Dr.Kernel
DrKernel.blogspot.com
MSaadExpert@gmail.com
Date: Sunday December 16, 2007
Implementing Microsoft Forefront Client Security Guide
Table of Contents
Scope of Services:
Out of Scope:
Overview:
Deploying Forefront Client Security on one server scenario:
Recommended Hardware Requirement:
The following software is required as prerequisites before deploying
Client Prerequisites
Service Accounts:
Install client security server:
Installing Forefront Client Security
Initial FCS Configuration:
WSUS configuring
Create client security policy
Deploying Client Security
Distributing definition and engine updates
Successful Implementation:
Notes and considerations:
MSaadExpert@gmail.com
Dr.Kernel Guides
DrKernel.blogspt.com. Page 2
Scope of this guide:
‐ Install and configure Forefront Client Security
Out of Scope:
‐ Uninstall the third party software from the clients like third party antivirus.
Features Overview:
Forefront Client Security provides many advantages to organizations desiring to improve their client security such as:
Deploying Forefront Client Security on one server scenario:
‐ The server will host the following components:
o Management Server
It includes the FCS console and the MOM console. It is the server responsible for managing all functions. Remote consoles connect to this server.
o Collection Server
Event and heartbeat data is collected by this server. There is a database associated with this role. You can choose to install this database on another server if your network size and event load require it. Data is intended to be stored only for a short period.
o Collection Database
This role exists if you split the database from the Collection Server.
o Reporting Server
It acts as an archive of data that is no longer stored on the Collection Server. It also has SQL Reporting Services 2005, enabling you to run a set of preset reports or to develop your own reports. These are all available over a website, and reports can be subscribed to. Again, there is a database here that can be installed on another server if your network size and reporting load require it.
o Reporting Database
This role exists if you split the database from the Reporting Server, as previously mentioned.
o Distribution Server
This is your WSUS installation. It is referred to as one server, but it could of course be many servers depending on your WSUS architecture.
Recommended Hardware Requirement:
o Dual Core CPU with 2.8 GB Processor
o 4 GB Memory
o 100 GB Free disk space
The following software is required as prerequisites before deploying
o Windows Server 2003 SP1 STD or ENT edition [X64 is not supported]
o IIS and ASP.NET and BITS
o .NET Framework
o GPMC with SP1
o WSUS 3 installed and synchronized
o MMC v3
o SQL Server 2005 with SP2 installed with these features:
‐ Database Services
‐ Reporting Services
‐ Integration Services
‐ Workstation Components
Client Prerequisites
Component: Specs
Processor: 700‐megahertz (MHz) or faster processor
RAM: 256 MB of RAM or more
Operating System:
‐ Microsoft Windows® 2000 Server with Service Pack 4 (SP4) and Update Rollup 1
‐ Windows XP with Service Pack 2 (SP2)
‐ Windows Server 2003 with SP1
‐ Windows Vista™ Business, Enterprise, or Ultimate
Software:
‐ Windows Update Agent 2.0
‐ Windows Installer 3.1
‐ Install hotfix KB 914882
Hard Disk: 350 MB or more free disk
Open Ports:
‐ 1270 (TCP and UDP) to the connection server
‐ 80 (TCP) or 8530 (TCP) or custom to the distribution server
Domain Membership: Part of one or more domains that have bidirectional trust with the domain that the Client Security servers are in
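A readiness check for one client against the prerequisites above, plus the Task Scheduler requirement from the policy section. This is an added example, not part of the original guide; it assumes Windows PowerShell 2.0 or later on the client, and the server names are placeholders.

```powershell
# Added example: checks one client against the prerequisites table.
# Assumes Windows PowerShell 2.0+; server names below are placeholders.
param(
    [string]$CollectionServer   = 'fcs01.example.local',   # placeholder, target of port 1270
    [string]$DistributionServer = 'fcs01.example.local',   # placeholder, the WSUS host
    [int]$WsusPort              = 8530                      # 80, 8530 or custom
)

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)      # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function New-Check([string]$Name, [bool]$Passed) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed }
}

$cs   = Get-WmiObject Win32_ComputerSystem
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$msi  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo("$env:windir\system32\msi.dll")
$msiVersion = New-Object Version $msi.FileMajorPart, $msi.FileMinorPart

$results = @(
    # UDP 1270 is connectionless and is not probed here; only TCP is tested.
    New-Check 'TCP 1270 reachable' (Test-TcpPort $CollectionServer 1270)
    New-Check "TCP $WsusPort reachable on distribution server" (Test-TcpPort $DistributionServer $WsusPort)
    New-Check 'Hotfix KB914882 installed' ([bool](Get-HotFix -Id 'KB914882' -ErrorAction SilentlyContinue))
    New-Check 'Windows Installer 3.1 or later' ($msiVersion -ge (New-Object Version 3, 1))
    New-Check 'Windows Update service present' ([bool](Get-Service wuauserv -ErrorAction SilentlyContinue))
    # Scheduled and interval scans depend on the Task Scheduler service.
    New-Check 'Task Scheduler service running' ((Get-Service Schedule -ErrorAction SilentlyContinue).Status -eq 'Running')
    New-Check '350 MB free on system drive' ($disk.FreeSpace -ge 350MB)
    # Domain membership only; the trust relationship itself is not verified.
    New-Check 'Computer is domain joined' ([bool]$cs.PartOfDomain)
)

$results | Select-Object Check, Passed | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

The script exits with code 1 when any check fails, so it can gate a deployment script or be collected from many clients.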
Service Accounts:
o DAS Account: a domain user and local admin account will be used for the FCS service accounts, and the same account for the MOM DAS Account.
o MOM Action Account: it will be local admin on all client computers through a startup script or a restricted group, or we can make it domain admin with a very complex password at once.
Install client security server:
1‐ From Add or Remove Programs, choose Add/Remove Windows Components.
2‐ Choose Application Server, click Details, then select the ASP.NET and BITS check boxes, and then complete the wizard.
3‐ Install SQL Server 2005.
4‐ Choose the following components during the installation:
a. SQL Server Database Services
b. Reporting Services
c. Integration Services
d. Workstation components
5‐ On the Service Account page of the wizard, click local system account.
6‐ Configure the SQL Server Agent service to start automatically.
7‐ Choose Windows Authentication as the security mode.
8‐ Download and install SP2 for SQL Server 2005
9‐ Download and install MMC 3 from http://go.microsoft.com/fwlink/?LinkID=77419
10‐ Download and install GPMC with SP1 from
http://go.microsoft.com/fwlink/?LinkId=77421
11‐ Install WSUS 3
12‐ Synchronize the WSUS server so that the updates and definition update nodes contain the required products and classifications.
13‐ Create a GPO at the domain level to use the WSUS server as the update server, and configure group policy for automatic installation.
14‐ Create an auto‐approve rule to approve FCS updates to the required computers.
15‐ Add the reporting server site to the Local intranet zone in Internet Explorer
16‐ Create a domain user account with name FCS‐DAS.
17‐ Add FCS‐DAS account to the server local administrator.
Installing Forefront Client Security
1‐ Logon to the Client Security server with administrator privileges, and start the
installation
2‐ Click Run the Setup wizard to start the process
3‐ In Before You Begin screen, type your name and your organization, and then click Next.
4‐ On the License Agreement screen, click I accept the terms in the license agreement, and
then click Next.
5‐ On the Component Installation page, select all the check boxes, and then click Next.
6‐ Because the WSUS server is located on the same server, we install the Distribution Server component here as well. If you have a WSUS server in your network, you will need to run this wizard on the WSUS server.
7‐ On the Collection Server screen, type the current computer name in collection server (computer name), and type FCSMG as the management group name.
8‐ On DAS Account section, type the domain account [domainName]\FCS‐DAS and type the
password and click Next.
9‐ On the Collection Database screen, type the server name as collection database server
name, and accept the default size of the database “15 GB”.
10‐ In the Reporting account section, choose re‐use the DAS account for the reporting
account, and click Next.
11‐ On the Reporting Database screen, type ServerName as the reporting database
computer name, accept the default database size “1GB”.
12‐ On DTS account section, choose re‐use the DAS account for the reporting account, and
click Next.
13‐ On the Reporting Server screen, type ServerName as the reporting server computer
name, accept the default URLs for reports, and click Next.
14‐ On the Action Account screen, choose DAS account check box, and then click Next.
15‐ On the Install Location screen, enter the location where you want the Setup wizard to
install Client Security files.
16‐ Change the location to E:\program files if you like, and click Next
17‐ On the Verifying Settings and Requirements screen, verify your system requirements,
and then click Next. If you receive an error, you cannot continue installing Client
Security.
18‐ On the Completing the Setup Wizard screen, verify that you have successfully installed
Client Security, and then click Close.
Initial FCS Configuration:
1‐ After installing the Forefront Client Security server, you must run the Configuration wizard.
2‐ The wizard runs automatically when you open the Client Security console for the first
time.
3‐ Click Start, point to All Programs, point to Microsoft Forefront, point to Client Security,
and then click Microsoft Forefront Client Security Console
4‐ On the Before You Begin screen, click Next.
5‐ On Collection server and Database screen, type ServerName as the collection server
computer name, type ServerName as the collection server database computer name,
and type FCSMG as the management group name, and click Next.
6‐ On the Reporting database screen, type ServerName as the reporting database computer name.
7‐ On the Reporting username and password screen, type the DAS account and password, as Microsoft recommends, and click Next.
8‐ On Reporting Server Screen, type ServerName as the reporting server computer name,
accept the URLs for reports, and click Next.
9‐ On the Verifying Settings and Requirements screen, verify your system requirements,
and then click Next.
10‐ On the Completing the Configuration Wizard page, verify that you have successfully
configured Client Security, and then click Close.
11‐ Grant the reporting account “DAS account” db_owner permissions on the SystemCenterReporting database. [This is the same database as the MOM 2005 data warehouse, but it contains the data related to Forefront and client status.]
12‐ Open SQL Server Management Studio, expand Databases, expand SystemCenterReporting, right‐click Users, and then click New User on the shortcut menu.
13‐ Configure the DAS account as db_owner, and then click OK.
14‐ Open the Client Security console. Make sure you can view all of the data in the console,
including the 14‐day History chart
15‐ From the console, open the reports. Make sure you can view all of the data in the
reports.
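Steps 11 to 13 can also be scripted and audited from the command line. The following is an added example, not part of the original guide: it assumes sqlcmd (installed with the SQL Server 2005 workstation components) is on the PATH, that the caller is a SQL Server sysadmin, and that EXAMPLE stands in for your domain name.

```powershell
# Added example: grants and then audits db_owner on SystemCenterReporting.
# Assumes sqlcmd is on the PATH and the caller is a sysadmin;
# EXAMPLE is a placeholder domain name, ServerName the reporting DB server.
param(
    [string]$SqlServer = 'ServerName',
    [string]$DasLogin  = 'EXAMPLE\FCS-DAS'
)

# The login is spliced into T-SQL below, so accept only DOMAIN\account shapes.
if ($DasLogin -notmatch '^[\w.-]+\\[\w.$-]+$') {
    throw "Unexpected account format: $DasLogin"
}

$sql = @"
SET NOCOUNT ON;
IF SUSER_ID(N'$DasLogin') IS NULL
BEGIN
    RAISERROR(N'No SQL Server login exists for the DAS account.', 16, 1);
    RETURN;
END
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$DasLogin')
    CREATE USER [$DasLogin] FOR LOGIN [$DasLogin];
EXEC sp_addrolemember N'db_owner', N'$DasLogin';

-- Audit: list every current member of db_owner so unexpected holders stand out.
SELECT m.name AS db_owner_member, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner';
"@

# Run the batch from a temporary file; -b makes sqlcmd return a non-zero
# exit code when the batch raises an error.
$script = [System.IO.Path]::GetTempFileName()
try {
    Set-Content -Path $script -Value $sql
    & sqlcmd -S $SqlServer -E -d SystemCenterReporting -b -i $script
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item -Path $script -ErrorAction SilentlyContinue
}
```

The script stops instead of creating a login when the DAS account has none, so the grant never widens server access beyond what the guide's steps describe.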
WSUS configuring
1‐ Configure products, and classifications
a. Open WSUS console, choose options
b. Click products and classifications.
c. In the Products tab, choose Forefront Client Security.
d. In the Classifications tab, choose critical updates, definition updates, security updates, and updates.
2‐ Configure synchronization schedule:
a. Open WSUS console, choose options
b. Click synchronization schedule.
c. Choose synchronize automatically, and choose synchronizations per day to be 4
times.
3‐ Configure Automatic approvals:
a. Open WSUS console, choose options
b. Click Automatic approvals.
c. Click new rule, and type the name as FCS updates.
d. Configure the rule to apply when an update is in critical updates, definition updates, security updates, and updates.
e. Configure the rule to apply when the update is in Forefront Client Security.
f. Approve the update for all computers.
Create client security policy
1‐ A Client Security policy is a collection of settings that you can apply to many client
computers.
2‐ Use Policy Management tab in the Client Security console to create, modify, delete,
and deploy the policy.
3‐ A newly created policy does not affect any computer until you deploy it.
4‐ To create a policy, open client security management console, and choose Policy
Management tab.
5‐ To create a new policy, simply click New.
6‐ Type the policy name and comments about this policy.
7‐ Click the Protection tab, and configure virus protection and spyware protection to On.
8‐ Virus protection and spyware protection can each be configured to be On, Off, or User controlled.
9‐ On Malware scanning, click use real‐time protection (scan programs and services
when they are accessed), Run a Scan at this time.
10‐ Choose to run scan every day at 12:00 PM, the type of the scan will be Full Scan.
11‐ Choose Run a quick scan at set interval (hours) and choose 12 hours.
12‐ You can create only one schedule for both virus and spyware protection.
13‐ The Task Scheduler service must be enabled and running on client computers to run
scheduled and interval scans.
14‐ On security state assessment, choose scan at set interval (hours) to be 12 hours.
15‐ For scheduled events, Client Security creates hidden tasks on client computers
16‐ To view hidden tasks, open Scheduled Tasks, click Advanced, and then click View
Hidden Tasks.
17‐ To allow users to schedule scans, select User controlled on start time under Malware scanning.
18‐ On advanced tab, we will configure malware definition updates, malware scan
options, exclusions from malware scans, and client options.
19‐ On malware definition updates, select the Check for updates before starting a scan check box. This option configures the client to check the distribution server for updates before it starts a scan.
20‐ Select the Check for updates at set interval check box and type the number of hours between definition‐update checks.
21‐ Select the Check for updates on Microsoft Update when WSUS is unavailable check box to allow the client to fall back to Microsoft Update when the WSUS server is unavailable.
22‐ On malware scan options, choose scan archive files, and Use heuristics to detect
suspicious files.
23‐ On exclusions from malware scans, configure the file and folder paths and
extensions which will be excluded from the scan.
24‐ On Client Options, choose User can view all Client Security agent settings and
messages, only administrators can change Client Security agent settings, and Allow
users to add exclusions and overrides.
25‐ With the above Client options configured, View notification area icon and status messages will be available to all users, while Open Client Security agent and run scans, Change user‐controlled settings, and Add exclusions and overrides will be available only to the local Administrators.
26‐ Choose Prompt users when unclassified software is detected, to allow users to
control unclassified software to run or not.
27‐ On Overrides tab, configure overrides to default malware responses and to view the
default response, category, and severity of malware.
28‐ On the Reporting tab, specify the frequency with which alerts are generated by computers protected by this policy.
29‐ Alert level 5 results in the most alerts, and alert level 1 results in the fewest.
30‐ Choose Alert 4‐High, which generates alerts for all Client Security conditions except a successful response to malware on the network.
31‐ On logging, by default Client Security generates events on client computers for many events.
32‐ Do not select Do not log events for files marked "Unknown".
33‐ On SpyNet, choose Basic so Client Security sends basic information about detected items and the actions you apply. In some instances, personal information may be sent, but no information is used to contact users.
34‐ If internet access is provided through a proxy server, select Use other proxy server and port, and type the proxy name or IP address and the port used.
35‐ Click OK to finish the policy.
36‐ You can create many policies, but none of them will be active until you deploy it.
37‐ At any time you can edit this policy and change the client settings.
38‐ You can copy the policy settings to a new policy, edit some settings, and save it with a new name.
Deploying Client Security
There are three options to install Client Security: SMS, startup script, and WSUS. We will deploy FCS by WSUS.
1‐ A policy can be deployed to an OU in Active Directory or to a computer group in Active Directory, or it can be exported to a file and applied from the command line on workgroup computers and also on domain member computers.
2‐ Choose the policy you want to deploy and click Deploy.
3‐ Choose the way you need to deploy the policy: Add OU, Add Group, Add GPO, or Add File.
4‐ Client Security policies apply only to computers, not to user accounts.
5‐ To remove a previously deployed policy, you must either deploy a different policy to the computer or undeploy the unwanted policy.
6‐ Security‐group policies “Add Group” override policies deployed to OUs “Add OU”.
7‐ After you deploy the policy, a new GPO is created to apply the Client Security settings.
Distributing definition and engine updates
1‐ Client Security is designed to use WSUS to distribute definitions and scan‐engine updates to
client computers.
2‐ You can download and install updates manually from the link below:
http://technet.microsoft.com/en-us/forefront/clientsecurity/bb508812.aspx
3‐ The definitions that WSUS downloads are contained in update files.
4‐ The updates can be for definitions or for the scan engine.
5‐ So you need to choose definitions and updates in the WSUS settings.
6‐ The files are digitally signed.
7‐ The size of an update varies: the base set of definitions is about 1 megabyte (MB), and the delta set is about half that size, or 500 kilobytes (KB).
8‐ When the scan engine is included in an update, the file size can reach 15 MB.
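Because the update files are digitally signed, a manually downloaded package can be verified before it is run. The check below is an added example, not part of the original guide; the default path is a placeholder for wherever the file was saved, and the function name is hypothetical.

```powershell
# Added example: refuse a manually downloaded definition package unless its
# Authenticode signature validates and names Microsoft as the signer.
# The default path is a placeholder; Test-UpdateSignature is a hypothetical name.
param([string]$Package = 'C:\Temp\definition-update.exe')

function Test-UpdateSignature([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Unsigned files have no signer certificate at all.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    New-Object PSObject -Property @{
        Path        = $Path
        Status      = $sig.Status          # 'Valid' = file hash and certificate chain verified
        Signer      = $signer
        Timestamped = [bool]$sig.TimeStamperCertificate
        # A valid signature from some other publisher is still rejected.
        Trusted     = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

$result = Test-UpdateSignature $Package
$result | Format-List Path, Status, Signer, Timestamped, Trusted

if (-not $result.Trusted) {
    Write-Error "Signature check failed for $Package; do not install it."
    exit 1
}
```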
Successful Implementation:
‐ We deployed Forefront Client Security at the largest Egyptian bank with an enterprise topology implementation and on more than 6000 client computers.
Notes and considerations:
‐ You should remove your old antivirus product from your network PCs.
‐ You should consider moving the DB and log paths of SQL Server to another physical disk during installation.
‐ We recommend using one account as domain admin to do all the tasks.