Table of Contents

Lab Scenario
Module A: Creating tanduc.local domain
  Exercise 1: Installing DNS
  Exercise 2: Configuring DNS
  Exercise 3: Create Reverse Lookup for 192.168.1 Zones
  Exercise 4: Create Reverse Lookup for 172.16.1 Zones
  Exercise 5: Promote Win2003DC to Domain Controller
  Exercise 6: Create 3 Domain Users
Module B: Implementing ISA 2006 Back-end Server
  Exercise 1: Installing and Configuring the ISA Server 2006 Software
  Exercise 2: Configuring the ISA Firewall Back-end Server
  Exercise 3: Configuring the ISA Firewall Back-end Server (Detailed Steps)
Module C: Implementing ISA 2006 Front-end Server
  Exercise 1: Installing the ISA Server 2006 Software
  Exercise 2: Configuring the ISA Firewall Front-end Server
  Exercise 3: Configuring the ISA Firewall Front-end Server (Detailed Steps)
Module D: Installing MS Exchange 2007 Hub Transport/Mailbox/Client Access Role
Module E: Implementing the Edge Transport Server Role
  Exercise 1: Installing MS Exchange 2007 Edge Transport Role
  Exercise 2: Review the default Edge Transport server configuration
  Exercise 3: Run the SCW to secure the Edge Transport Server
  Exercise 4: Configure EdgeSync
Module F: Implementing MS Forefront for Exchange Server
  Exercise 1: Installing MS Forefront for Exchange 2007 Edge Transport Role
  Exercise 2: Installing MS Forefront for Exchange 2007 Hub Transport Role
  Exercise 3: Using MS Forefront for Exchange Server to protect Exchange from Viruses (Lab 1)
    Exercise 3.1: Scanning Messages for Viruses
    Exercise 3.2: Using File Filtering to Block Attachments
Module G: Installing & Configuring MS Forefront Client Security on Client Computers
  Exercise 1: Installing Forefront Client Security Server
    Installing IIS and ASP.NET
    Install SQL Server 2005 with SP2 or SP1
    Install GPMC with SP1 (run gpmc.msi from the C:\FCS folder)
    Install WSUS 2.0 with SP1 on the Client Security server
    Configure and synchronize WSUS
    Add the reporting server site to the Local intranet zone in Internet Explorer
    Installing Client Security on a one-server topology
    Configuring Client Security on a one-server topology
    Verifying the installation of Client Security on a one-server topology
  Exercise 2: Deploying Forefront Client Security on Client Computers
    Approving the client components in WSUS
    Configuring Automatic Updates
    Deploying manually to each client computer
    Approving clients through the MOM server
    Verifying your Client Security deployment
Module H: Using Forefront Client Security Server (FCS) to monitor and protect client computers (Lab 2)
  Exercise 1: Using Forefront Client Security (FCS) to Protect Client Computers
  Exercise 2: Updating Signature Files
  Exercise 3: Using Policies to Manage Clients
  Exercise 4: Alerting, Reporting and Monitoring
Appendix A: Detailed Steps for Lab 1: Using MS Forefront Security for Exchange to protect Exchange Server from Viruses
Appendix B: Detailed Steps for Lab 2: Using Forefront Client Security (FCS) to monitor and protect client computers

Module A: Creating tanduc.local domain


Exercise 1: Installing DNS


1. Start -> Run -> type appwiz.cpl to launch the Add or Remove Programs dialog box
2. Select Add/Remove Windows Components
3. In the Windows Components Wizard dialog box, select Networking Services (don't put a check mark next to Networking Services, just select that option), then click Details
4. In the Networking Services page, put a check mark next to Domain Name System (DNS) and a check mark next to Dynamic Host Configuration Protocol (DHCP). Click OK
5. Click Next to begin the installation process (you might need to insert the Windows 2003 CD during the process)


Exercise 2: Configuring DNS


1. Start -> Run -> type dnsmgmt.msc to launch the DNS Management Console
2. From the DNS node, expand Win2003DC. Right-click the Forward Lookup Zones node and select New Zone
3. In the Welcome to the New Zone Wizard page, click Next
4. In the Zone Type page, make sure Primary zone is selected, then click Next
5. In the Active Directory Zone Replication Scope page, leave the default and click Next
6. In the Zone Name page, enter tanduc.local in the Zone Name text box and click Next
7. In the Dynamic Update page, select Allow only secure dynamic updates (recommended for Active Directory) and click Next
8. Click Finish in the Completing the New Zone Wizard page


Exercise 3: Create Reverse Lookup for 192.168.1 Zones


1. Right-click Reverse Lookup Zones and select New Zone
2. In the Welcome to the New Zone Wizard page, click Next
3. In the Zone Type page, click Next
4. In the Active Directory Zone Replication Scope page, click Next
5. In the Reverse Lookup Zone Name page, under Network ID, type 192.168.1 and click Next
6. In the Dynamic Update page, click Next
7. Click Finish in the Completing the New Zone Wizard page


Exercise 4: Create Reverse Lookup for 172.16.1 Zones


1. Right-click Reverse Lookup Zones and select New Zone
2. In the Welcome to the New Zone Wizard page, click Next
3. In the Zone Type page, click Next
4. In the Active Directory Zone Replication Scope page, click Next
5. In the Reverse Lookup Zone Name page, under Network ID, type 172.16.1 and click Next
6. In the Dynamic Update page, click Next
7. Click Finish in the Completing the New Zone Wizard page

Exercise 5: Promote Win2003DC to Domain Controller


1. Start -> Run -> type dcpromo and press Enter
2. In the Welcome to the Active Directory Installation Wizard page, click Next
3. In the Domain Controller Type page, select Domain controller for a new domain and click Next
4. In the Create New Domain page, select Domain in a new forest and click Next
5. In the New Domain Name page, in the Full DNS name for new domain text box, enter tanduc.local and click Next
6. In the NetBIOS Domain Name page, leave the default and click Next
7. In the Database and Log Folders page, leave the default and click Next
8. In the Shared System Volume page, click Next
9. In the DNS Registration Diagnostics page, click Next
10. In the Permissions page, click Next
11. In the Directory Services Restore Mode Administrator Password page, enter the following:
    Restore Mode Password: P@ssw0rd
    Confirm password: P@ssw0rd
    Click Next
12. In the Summary page, click Next to begin the installation process. The process takes about 5-10 minutes to complete. Restart the computer after the installation finishes.

Exercise 6: Create 3 Domain Users


1. Start -> Run -> dsa.msc to launch Active Directory Users and Computers
2. Expand the tanduc.local node, right-click Users, select New, then click User
3. In the New Object - User page, enter the following:
   First name: user01
   Last name: empty
   User logon name: user01
   Click Next
4. Password: P@ssw0rd
   Confirm password: P@ssw0rd
   Uncheck User must change password at next logon
   Click Next and then click Finish
5. Repeat the same steps to create user02 and user03
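The same work as Exercises 2 to 6, scripted with the tools that ship with Windows Server 2003 and followed by the checks you want before starting the ISA modules: that every zone exists, that each zone accepts secure dynamic updates only, that the three accounts exist, and that the DC resolves forward and in reverse. This is an added example, not part of the lab manual; it assumes it is run on Win2003DC as tanduc\Administrator after Exercise 5 (dcpromo), so the zones can be created AD-integrated, and it uses the manual's own zone names, network IDs, user names and password.

```powershell
# Added example, not part of the lab manual: scripts Exercises 2 to 6 of
# Module A with dnscmd.exe, dsadd.exe and dsquery.exe and checks the result.
# Assumptions: runs on Win2003DC as tanduc\Administrator after Exercise 5
# (dcpromo), so the zones can be stored in Active Directory (/DsPrimary);
# zone names, network IDs, user names and password are the manual's values.

$domain       = "tanduc.local"
$reverseZones = @("1.168.192.in-addr.arpa", "1.16.172.in-addr.arpa")   # 192.168.1 and 172.16.1
$users        = @("user01", "user02", "user03")
$labPassword  = "P@ssw0rd"   # lab value from the manual; a shared, written-down password is for the lab only

function Invoke-Tool([string]$exe, [string[]]$argList) {
    # Run a command-line tool and stop on a non-zero exit code.
    & $exe $argList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$exe $argList failed with exit code $LASTEXITCODE" }
}

# Exercise 2: forward zone, AD-integrated; AllowUpdate 2 = secure dynamic updates only.
Invoke-Tool "dnscmd" @("/ZoneAdd", $domain, "/DsPrimary")
Invoke-Tool "dnscmd" @("/Config", $domain, "/AllowUpdate", "2")

# Exercises 3 and 4: reverse zones for 192.168.1.0/24 and 172.16.1.0/24 with the same settings.
foreach ($zone in $reverseZones) {
    Invoke-Tool "dnscmd" @("/ZoneAdd", $zone, "/DsPrimary")
    Invoke-Tool "dnscmd" @("/Config", $zone, "/AllowUpdate", "2")
}

# Exercise 6: three users in CN=Users with "must change password at next logon" cleared.
foreach ($user in $users) {
    $dn = "CN=$user,CN=Users,DC=tanduc,DC=local"
    Invoke-Tool "dsadd" @("user", $dn, "-samid", $user, "-upn", "$user@$domain", "-fn", $user,
                          "-pwd", $labPassword, "-mustchpwd", "no", "-disabled", "no")
}

# Checks before moving on to the ISA modules.
$zoneList = dnscmd /EnumZones
foreach ($zone in @($domain) + $reverseZones) {
    if (-not ($zoneList | Select-String -SimpleMatch $zone)) { throw "zone $zone is missing" }
    # /ZoneInfo prints the zone properties; "update = 2" means secure-only dynamic updates.
    $info = dnscmd /ZoneInfo $zone
    if (-not ($info | Select-String "update\s*=\s*2")) { Write-Warning "$zone accepts non-secure dynamic updates" }
}
foreach ($user in $users) {
    if (-not (dsquery user -samid $user)) { throw "user $user was not created" }
}
# The domain controller must resolve forward and, through the new reverse zone, backward.
[System.Net.Dns]::GetHostAddresses("win2003dc.$domain") | ForEach-Object { $_.IPAddressToString }
[System.Net.Dns]::GetHostEntry("192.168.1.2").HostName
```

The secure-only update setting matters beyond the lab: with non-secure updates enabled, any host on the network can overwrite the A record of the domain controller or the ISA servers, so the check prints a warning rather than silently continuing.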


Module B: Implementing ISA 2006 Back-end Server


Lab Exercises:
Exercise 1: Installing and Configuring the ISA Server 2006 Software
Exercise 2: Configuring the ISA Firewall Back-end Server
Exercise 3: Configuring the ISA Firewall Back-end Server (Detailed Steps)

Perform these exercises on the ISA2006BE machine


Configuring the Internal Network Interface


1. Right-click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right-click the internal interface, and click Properties.
3. In the network interface's Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, select Use the following IP address:
   IP: 192.168.1.5
   SM: 255.255.255.0
   DG: Empty
   DNS Server: 192.168.1.2
5. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
6. Click OK in the internal interface's Properties dialog box.

Configuring the DMZ Network Interface


1. Right-click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right-click the DMZ interface, and click Properties.
3. In the network interface's Properties dialog box, click the Internet Protocol (TCP/IP) entry, and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, select Use the following IP address:
   IP: 172.16.1.5
   SM: 255.255.255.0
   DG: 172.16.1.3
   DNS Server: Empty
5. Click OK twice.


Exercise 1: Installing and Configuring the ISA Server 2006 Software


The following steps demonstrate how to install the ISA Server 2006 Standard Evaluation version on the dual-homed ISA2006BE machine:
1. Run ISA2k6EVLS_EN.exe from the C:\ISA2k6Eval folder.
2. From the Open File - Security Warning dialog box, click Run
3. Click Yes in the Microsoft ISA Server 2006 dialog box
4. When the Microsoft ISA Server 2006 180-Day Evaluation Setup dialog box comes up, click the Install ISA Server 2006 link.
5. Click Next in the Microsoft ISA Server 2006 Installation Wizard
6. Accept the license agreement and then click Next
7. Click Next on the Customer Information page
8. Select the Typical option on the Setup Type page
9. On the Internal Network page, click the Add button at the top right. Then select Add Adapter on the Addresses page, and select Internal on the Select Network Adapters page. Click OK twice. Click Next.
10. Select the Allow non-encrypted Firewall client connections option and then click Next
11. Click Next on the Services Warning page.
12. Click Install on the Ready to Install the Program page

Exercise 2: Configuring the ISA Firewall Back-end Server


The following steps demonstrate how to configure the ISA2006BE machine:
1. Create an ISA firewall network representing the DMZ network on the ISA Server Back-end
2. Create a network rule on the ISA Server Back-end firewall that sets a Route relationship between the DMZ network and the Internal network
3. Create an intradomain communications Access Rule on the ISA Server Back-end firewall that allows DMZ network machines (the Exchange 2007 Edge Transport role in this case) to reach the domain controller(s) for intradomain communication
4. Create an "All Open" Access Rule allowing Internal Network clients access to all protocols and sites on the Internet
5. Create an Access Rule allowing communication from the Exchange 2007 Hub Transport role to the Exchange 2007 Edge Transport role (EdgeSync is one-way, from the Hub to the Edge, using LDAPS on port 50636)
6. Create an Access Rule that allows the internal DNS server to send requests to the ISP's DNS server to resolve Internet names
7. Create a Server Publishing Rule to publish the DNS server to the DMZ network


Exercise 3: Configuring the ISA Firewall Back-end Server (Detailed Steps)


1. Create an ISA firewall network representing the DMZ network
   a. In the ISA Server console, expand the Configuration node and select the Networks entry. In the Tasks pane, make sure the Tasks tab is selected. Click Create a New Network
   b. In the Welcome to the New Network Wizard page, enter DMZ Network in the Network name text box and click Next
   c. In the Network Type page, select Perimeter Network and click Next
   d. In the Network Addresses page, click Add Range
   e. Enter 172.16.1.0 as the Start address and 172.16.1.255 as the End address. Click OK
   f. Click Next
   g. Click Finish

2. Establish a Route relationship between the DMZ network and the Internal network
   Name: DMZ-Internal
   Relationship: Route
   a. Select Networks in the Configuration node; in the Details pane, select the Network Rules tab
   b. Select the Tasks tab in the Tasks pane and click Create a Network Rule
   c. In the Welcome to the New Network Rule Wizard page, enter DMZ-Internal in the Network rule name text box and click Next
   d. In the Network Traffic Sources page, click Add, expand the Networks entry and select DMZ Network. Click Add
   e. Click Close and then click Next
   f. In the Network Traffic Destinations page, click Add
   g. Expand the Networks entry and select Internal. Click Add
   h. Click Close and click Next
   i. In the Network Relationship page, select the Route option
   j. Click Next and then click Finish

3. Create a rule that allows intradomain communication between DMZ hosts and the Domain Controller behind the ISA Back-end server
   Name: Intradomain DMZ-Internal
   Action: Allow
   Protocols: Microsoft CIFS (TCP), Microsoft CIFS (UDP), Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog), RPC (all interfaces), NTP (UDP), Ping
   a. In the ISA Server console, in the left pane, select Firewall Policy
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list
   c. In the task pane, on the Tasks tab, click Create Access Rule
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Intradomain DMZ-Internal, and then click Next
   e. On the Rule Action page, select Allow, and then click Next
   f. On the Protocols page, select Selected protocols in the drop-down list, and then click Add
   g. Expand the All Protocols entry in the Add Protocols dialog box
   h. Select the following protocols: Microsoft CIFS (TCP), Microsoft CIFS (UDP), Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog), RPC (all interfaces), NTP (UDP), Ping. Click Close and then click Next
   i. On the Access Rule Sources page, click Add. Expand the Networks entry, select DMZ Network, click Add and click Close. Click Next
   j. On the Access Rule Destinations page, click Add
   k. Click New and select Computer to create a new network entity
   l. In the New Computer Rule Element dialog box, enter the following:
      Name: Domain Controller/Exchange Hub Transport
      Computer IP Address: 192.168.1.2
      Click OK
   m. Back in the Add Network Entities page, expand Computers and select Domain Controller/Exchange Hub Transport. Click Add and Close
   n. Click Next two times and then click Finish
   Note that this rule lets a DMZ host reach the domain controller on every port the listed protocols cover, including the RPC endpoint mapper and the dynamic RPC ports behind it; that is the minimum a non-domain-joined Edge server needs for EdgeSync-era name resolution and time, but it is also the path an attacker who compromises the Edge server would take into the internal domain.

4. Create an Access Rule that allows EdgeSync replication traffic from the Exchange Hub Transport role to the Exchange Edge Transport role via port 50636
   Name: EdgeSync
   Action: Allow
   Protocols: EdgeSync (user-defined, TCP 50636 outbound)
   a. In the ISA Server console, in the left pane, select Firewall Policy
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list
   c. In the task pane, on the Tasks tab, click Create Access Rule
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, enter EdgeSync, and then click Next
   e. On the Rule Action page, select Allow, and then click Next
   f. On the Protocols page, select Selected protocols in the drop-down list and then click Add
   g. Click New and then Protocol
   h. In the Welcome to the New Protocol Definition Wizard page, enter EdgeSync and click Next
   i. In the Primary Connection Information page, click New
   j. Enter the following:
      Protocol Type: TCP
      Direction: Outbound
      Port Range: From 50636 to 50636
      Click OK and then click Next
   k. Select No in the Secondary Connections page, then click Next and Finish
   l. In the Add Protocols page, expand the User-Defined entry, select EdgeSync, click Add and Close. Click Next
   m. On the Access Rule Sources page, click Add
   n. Expand the Computers entry and select Domain Controller/Exchange Hub Transport. Click Add and Close. Click Next
   o. On the Access Rule Destinations page, click Add
   p. Click New and select Computer
   q. In the New Computer Rule Element page, enter the following:
      Name: Exchange Edge Transport
      Computer IP Address: 172.16.1.4
      Click OK
   r. In the Add Network Entities page, expand the Computers entry and select Exchange Edge Transport. Click Add and Close
   s. Click Next two times and click Finish

5. Create an "All Open" rule to allow Internal hosts to access all sites on the Internet
   Name: All Open
   Action: Allow
   Protocols: All outbound traffic
   a. In the ISA Server console, in the left pane, select Firewall Policy
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list
   c. In the task pane, on the Tasks tab, click Create Access Rule
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, enter All Open, and then click Next
   e. On the Rule Action page, select Allow, and then click Next
   f. On the Protocols page, select the All outbound traffic entry from the drop-down list and then click Next
   g. On the Access Rule Sources page, click Add
   h. Expand the Networks entry and select Internal. Click Add, Close and Next
   i. On the Access Rule Destinations page, click Add
   j. Expand the Networks entry and select External. Click Add, Close and Next two times
   k. Click Finish
   This rule is a lab convenience: it allows every outbound protocol from the Internal network to the Internet and would be narrowed to the protocols actually needed in a production policy.

6. Create an Access Rule that allows the DNS server to send requests to the ISP's DNS server to resolve Internet names
   Name: DNS-Internet
   Action: Allow
   Protocols: DNS
   a. In the ISA Server console, in the left pane, select Firewall Policy
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list
   c. In the task pane, on the Tasks tab, click Create Access Rule
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, enter DNS-Internet, and then click Next
   e. On the Rule Action page, select the Allow option and click Next
   f. On the Protocols page, select Selected protocols and click Add
   g. In the Add Protocols page, expand the Common Protocols node and select the DNS entry. Click Add and Close. Click Next
   h. On the Access Rule Sources page, click Add
   i. Expand the Computers node and select Domain Controller/Exchange Hub Transport. Click Add and Close. Click Next
   j. On the Access Rule Destinations page, click Add
   k. Expand the Networks node and select the External entry. Click Add and Close
   l. Click Next two times and click Finish

7. DNS Server Publishing
   Rule Name: Publishing Domain DNS
   Action: Allow
   Protocol: DNS Server
   Listener: DMZ Network
   a. In the ISA Server console, in the left pane, select Firewall Policy
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list
   c. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols
   d. In the Welcome to the New Server Publishing Rule Wizard dialog box, in the Server Publishing Rule name text box, type Publishing Domain DNS, and then click Next
   e. On the Select Server page, in the Server IP address text box, type 192.168.1.2 and click Next
   f. On the Select Protocol page, in the Selected protocol drop-down list, select DNS Server and then click Next
   g. On the Network Listener IP Addresses page, put a check mark on DMZ Network and click Next
   h. Click Finish

8. Click Apply to apply all the settings
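A quick way to confirm that the back-end policy above behaves as written is to attempt TCP connections across ISA2006BE from both sides and compare the result with what each rule should allow. The script below is an added example, not part of the lab manual. It assumes the lab's addresses (DC/Hub 192.168.1.2, Edge 172.16.1.4, ISA2006BE DMZ interface 172.16.1.5 as the DNS listener) and maps ports to rules from the ISA protocol names used in steps 3, 4 and 7; UDP-only entries (Kerberos-Adm, LDAP (UDP), NTP, Ping) have no TCP probe. Two "no rule" probes are included on purpose: as listed in Exercises 2 and 3, nothing allows SMTP (TCP 25) between the Hub and the Edge in either direction, and mail flow will need such a rule in addition to EdgeSync.

```powershell
# Added example, not part of the lab manual: TCP reachability checks for the
# back-end policy of Exercise 3, run on EXE2007ET (DMZ side) or WIN2003DC
# (internal side) after the rules are applied. Assumptions: the lab's
# addresses below; port-to-rule mapping derived from the ISA protocol names.

$dc          = "192.168.1.2"   # Domain Controller/Exchange Hub Transport
$edge        = "172.16.1.4"    # Exchange Edge Transport
$dnsListener = "172.16.1.5"    # ISA2006BE DMZ interface, listener of the DNS publishing rule
$failures    = 0

function Test-TcpPort([string]$target, [int]$port, [int]$timeoutMs) {
    # $true when the TCP handshake completes within the timeout. EndConnect is never
    # called, so a refused or timed-out attempt raises no exception (PowerShell 1.0 safe).
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($target, $port, $null, $null)
    $open = $false
    if ($ar.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { $open = $client.Connected }
    $client.Close()
    return $open
}

function Expect([string]$rule, [string]$target, [int]$port, [bool]$shouldBeOpen) {
    # Compare one probe against the policy and count mismatches.
    $open  = Test-TcpPort $target $port 3000
    $state = "closed"; if ($open) { $state = "open" }
    $want  = "closed"; if ($shouldBeOpen) { $want = "open" }
    if ($open -eq $shouldBeOpen) { "OK    {0,-28} {1}:{2,-6} {3}" -f $rule, $target, $port, $state }
    else { "CHECK {0,-28} {1}:{2,-6} {3} (policy says {4})" -f $rule, $target, $port, $state, $want; $script:failures++ }
}

switch ($env:COMPUTERNAME.ToUpper()) {
    "EXE2007ET" {
        # Rule 3, Intradomain DMZ-Internal: DMZ host -> DC, TCP members of the protocol list.
        Expect "Kerberos-Sec (TCP)"       $dc 88   $true
        Expect "RPC (all interfaces)"     $dc 135  $true   # endpoint mapper; dynamic RPC ports follow
        Expect "LDAP"                     $dc 389  $true
        Expect "Microsoft CIFS (TCP)"     $dc 445  $true
        Expect "LDAP GC (Global Catalog)" $dc 3268 $true
        # Rule 7, Publishing Domain DNS: the Edge asks the ISA DMZ listener, which forwards to the DC.
        Expect "DNS Server (published)"   $dnsListener 53 $true
        # No rule covers these from the DMZ to the DC.
        Expect "SMTP (no rule)"           $dc 25   $false
        Expect "RDP (no rule)"            $dc 3389 $false
    }
    "WIN2003DC" {
        # Rule 4, EdgeSync: Hub -> Edge on TCP 50636 (the Edge's ADAM LDAPS port once Module E is done).
        Expect "EdgeSync (TCP 50636)"     $edge 50636 $true
        Expect "SMTP (no rule)"           $edge 25    $false
    }
    default { Write-Warning "run this on EXE2007ET or WIN2003DC" }
}
if ($failures -gt 0) { Write-Warning "$failures probe(s) did not match the policy as written" }
```

A probe that reports "open" where the policy says "closed" is the more important finding: it usually means a broader rule (such as All Open, if its source network was widened) sits above the intended one in the rule list.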


Module C: Implementing ISA 2006 Front-end Server


Lab Exercises:
Exercise 1: Installing the ISA Server 2006 Software
Exercise 2: Configuring the ISA Firewall Front-end Server
Exercise 3: Configuring the ISA Firewall Front-end Server (Detailed Steps)

Perform these exercises on the ISA2006FE machine


Configuring the Internal (DMZ-facing) Network Interface


1. Right-click My Network Places on the desktop, and click Properties.
2. In the Network Connections window, right-click the DMZ interface, and click Properties.
3. In the network interface's Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, select Use the following IP address:
   IP: 172.16.1.3
   SM: 255.255.255.0
   DG: Empty
   DNS Server: 192.168.1.2
5. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
6. Click OK in the internal interface's Properties dialog box.

Add a persistent route so that traffic for the Internal network (192.168.1.0/24) is sent to the back-end ISA server's DMZ interface. From Start -> All Programs -> Accessories -> Command Prompt, type:
route add -p 192.168.1.0 mask 255.255.255.0 172.16.1.5 metric 1
(verify with route print; the entry should appear under Persistent Routes)


Exercise 1: Installing the ISA Server 2006 Software


The following steps demonstrate how to install the ISA Server 2006 Standard Evaluation version on the dual-homed ISA2006FE machine:
1. Run ISA2k6EVLS_EN.exe from the C:\ISA2k6Eval folder.
2. From the Open File - Security Warning dialog box, click Run
3. Click Yes in the Microsoft ISA Server 2006 dialog box
4. When the Microsoft ISA Server 2006 180-Day Evaluation Setup dialog box comes up, click the Install ISA Server 2006 link.
5. Click Next in the Microsoft ISA Server 2006 Installation Wizard
6. Accept the license agreement and then click Next
7. Click Next on the Customer Information page
8. Select the Typical option on the Setup Type page
9. On the Internal Network page, click the Add button at the top right. Then select Add Adapter on the Addresses page, and select Internal on the Select Network Adapters page. Click OK twice. Click Next.
10. Select the Allow non-encrypted Firewall client connections option and then click Next
11. Click Next on the Services Warning page.
12. Click Install on the Ready to Install the Program page

Exercise 2: Configuring the ISA Front-end Server


The following steps demonstrate how to configure the ISA2006FE machine:
1. Create the 192.168.1.0 network as an internal network behind the ISA2006FE machine
2. Create an "All Open" Access Rule allowing Internal Network clients access to all protocols and sites on the Internet
3. Create an Access Rule that allows the internal DNS server to send requests to the ISP's DNS server to resolve Internet names


Exercise 3: Configuring the ISA Front-end Server (Detailed Steps)


1. Create the 192.168.1.0 network as an internal network behind the ISA2006FE machine
   a. In the ISA Server console, expand the Configuration node and select the Networks entry. Select the Networks tab
   b. Right-click Internal and select Properties
   c. Select the Addresses tab, then click Add Range
   d. In the IP Address Range Properties page, enter:
      Start Address: 192.168.1.0
      End Address: 192.168.1.255
   e. Click OK two times

2. Create an "All Open" Access Rule to allow Internal hosts to access all sites on the Internet
   Name: All Open
   Action: Allow
   Protocols: All outbound traffic
   a. In the ISA Server console, in the left pane, select Firewall Policy
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list
   c. In the task pane, on the Tasks tab, click Create Access Rule
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, enter All Open, and then click Next
   e. In the Rule Action page, select Allow, and then click Next
   f. In the Protocols page, select the All outbound traffic entry from the drop-down list and then click Next
   g. In the Access Rule Sources page, click Add
   h. Expand the Networks entry and select Internal. Click Add, Close and Next
   i. In the Access Rule Destinations page, click Add
   j. Expand the Networks entry and select External. Click Add, Close and Next two times
   k. Click Finish

3. Create an Access Rule that allows traffic to move between the DMZ network and the ISA Back-end server's internal network
   Name: Internal-DMZ
   Action: Allow
   Protocols: All outbound traffic
   a. In the ISA Server console, in the left pane, select Firewall Policy
   b. In the right pane, select the first rule to indicate where the new rule is added to the rule list
   c. In the task pane, on the Tasks tab, click Create Access Rule
   d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Internal-DMZ, and then click Next
   e. On the Rule Action page, select Allow and click Next
   f. On the Protocols page, select the All outbound traffic entry from the drop-down list. Click Next
   g. On the Access Rule Sources page, click Add
   h. Expand the Networks node and select Internal and Local Host.


Module D: Installing MS Exchange 2007 Hub Transport/Mailbox/Client Access Role


Perform these steps on the WIN2003DC machine

Hardware Requirements


The hardware requirements for a production Exchange 2007 server are described in the following sections.


Processor
Exchange Server 2007 exists in both 32- and 64-bit versions, but only the 64-bit version is supported in a production environment. This means that the server hardware on which you plan to install Exchange Server 2007 must have one of the following 64-bit processor types installed:
An x64 architecture-based processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
An x64 architecture-based computer with an AMD 64-bit processor that supports the AMD64 platform


Memory
The minimum memory requirement for a 64-bit Exchange 2007 server deployed in a production environment is 2 gigabytes (GB) of RAM per server. Bear in mind that this is the minimum. The recommended requirements are:
2 GB of RAM per server plus approximately 5 megabytes (MB) of RAM per user mailbox located on the respective server
A paging file equivalent to the amount of server memory plus 10 MB
Also be aware that it is recommended to add memory if you plan to use more than four storage groups (approximately 2 GB per three storage groups).

Disk Space
Disk space requirements are as follows:
At least 1.2 GB of disk space on the drive on which Exchange Server 2007 is to be installed
200 MB or more of disk space on the system drive
When installing the Unified Messaging role on a server, you will also need to allocate an additional 500 MB for each Unified Messaging language pack that is installed.


Software Requirements
In addition to the hardware requirements, Exchange Server 2007 has some software requirements that need to be fulfilled before you can begin your install.


Operating System
When planning to install Exchange Server 2007 in a production environment, you will need Microsoft Windows Server 2003 64-bit version with Service Pack 1 or Windows Server 2003 R2 64-bit version.

Software Required
The following software is required for any of the five Exchange 2007 server roles:
Microsoft .NET Framework Version 2.0
Microsoft Management Console (MMC) 3.0 (bear in mind that MMC 3.0 is installed by default when you use Windows Server 2003 R2)
Windows PowerShell V1.0
Hotfix for Windows x64 (KB904639)

Perform these steps on EXE2007ET to prepare for installation of the Exchange 2007 Edge Transport Role
1. Run C:\Ex2k7 Requirements\dotnetfx.exe to install .NET Framework 2.0
2. Run C:\Ex2k7 Requirements\ADAMSP1_86_English to install ADAM SP1 on the Edge Transport Role
3. Run C:\Ex2k7 Requirements\PowerShell.exe to install Windows PowerShell
4. Run C:\Ex2k7 Requirements\Hotfix.exe to install the Hotfix for .NET Framework
(Note: make sure the IIS Windows component is installed on the system)

Active Directory Requirements


First, make sure that any domain controllers and global catalog servers in the Active Directory domain in which you plan to install the Exchange 2007 server are running Windows Server 2003 SP1 or Windows Server 2003 R2. In addition, you need to set the Active Directory domain functional level to at least Windows 2000 native or Windows Server 2003, because these modes are required by the new Exchange 2007 Universal Security Groups. To change the Active Directory functional level, perform the following steps:
1. Log on to the Win2003DC machine.
2. Click Start | All Programs | Administrative Tools and then click Active Directory Users and Computers.
3. When the Microsoft Management Console (MMC) snap-in has launched, right-click the Active Directory domain in the left pane, then click Raise Domain Functional Level in the context menu

Preparing the Active Directory Schema and Active Directory



The first step is to prepare your Active Directory schema with the new Exchange 2007 attributes by extending it with the Setup /PrepareSchema command-line switch. Exchange Server 2007 adds many new attributes and classes to the Active Directory schema (even more than Exchange Server 2003 did) and makes additional modifications to the existing classes and attributes. Next, we need to prepare the current domain, configure the global Exchange objects in Active Directory, and create the Exchange Universal Security Groups (USGs) in the root domain by using Setup /PrepareAD /ON:<Organization Name>

To prepare the schema and Active Directory, perform the following steps:
1. Log on to the Win2003DC machine with an account that is a member of both the Schema Admins and Enterprise Admins groups (in this case Tanduc\Administrator)
2. Click Start | Run, type cmd and press Enter
3. In the Command Prompt window, navigate to the C:\Exchange 2007 folder
4. Type Setup /PrepareSchema and press Enter. Wait until the process finishes.
5. Type Setup /PrepareAD /ON:Tanduc to prepare Active Directory

Installing Microsoft Exchange 2007 Hub/Mailbox/Client Access Role
1. Run Setup.exe
2. When the dialog box comes up, click Step 4: Install Microsoft Exchange
3. On the Exchange Server 2007 Setup page, click Next
4. Select "Accept the terms in the license agreement" and click Next
5. Select No and click Next
6. On the Installation Type page, choose Typical Exchange Server Installation and click Next
7. Select No if you don't have Outlook 2003 clients running in your network. In this case, select No and click Next
8. Put a check mark next to Mailbox Role, Hub Transport Role and Client Access Role and click Next
9. When it finishes, click Finish to end the installation process.

Create User-Enabled Mailboxes
Create the user01 mailbox:
1. Start -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Console
2. In the Exchange Management Console, expand the Recipient Configuration entry, select Mailbox, and click New Mailbox
3. In the New Mailbox page, select User Mailbox and click Next
4. In the User Type page, select Existing User and click Browse
5. In the Select User page, select user01, click OK and then click Next
6. In the Mailbox Settings page, click Next
7. Click New and then click Finish to end the process
Repeat the same steps to create mailboxes for user02 and user03


Configuring Exchange 2007 Hub Transport Role



1. In the Exchange Management Console, expand Organization Configuration and select the Hub Transport node
2. Select the Accepted Domains tab in the middle pane
3. From the Actions pane, select New Accepted Domain
4. In the New Accepted Domain page, enter the following:
   Name: Tanduc
   Accepted Domain: tanduc.com
   Then click New
5. In the Completion page, click Finish
6. Select the E-mail Address Policies tab and double-click Default Policy
7. In the Introduction page, click Next
8. In the Conditions page, click Next
9. In the E-mail Addresses page, click Add
10. In the SMTP E-mail Address page, in the E-mail address domain text box, select tanduc.com from the drop-down list. Click OK
11. Back in the E-mail Addresses page, rename the new entry to @tanduc.com, select @tanduc.com, click Set as Reply, and then click Next
12. In the Schedule page, leave the default and click Next
13. In the Edit E-mail Address Policy page, click Edit
14. In the Completion page, click Finish
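The preparation, mailbox and Hub Transport steps of this module can be verified and repeated from the Exchange Management Shell. The script below is an added example, not part of the lab manual. It assumes it runs on WIN2003DC in the Exchange Management Shell as tanduc\Administrator after Setup /PrepareSchema, Setup /PrepareAD /ON:Tanduc and the role install; the schema version 10628 is the Exchange 2007 RTM value (service packs raise it), and the database name is the default of a Typical install. Nothing is written until the three preparation checks pass.

```powershell
# Added example, not part of the lab manual: checks the AD preparation of this
# module with ADSI, then repeats the mailbox and Hub Transport configuration
# with Exchange Management Shell cmdlets. Assumptions: runs on WIN2003DC in the
# Exchange Management Shell as tanduc\Administrator after /PrepareSchema,
# /PrepareAD /ON:Tanduc and the role install; 10628 = Exchange 2007 RTM schema
# version; the database name is the Typical-install default.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.schemaNamingContext
$domainNc = [string]$rootDse.defaultNamingContext     # DC=tanduc,DC=local

# Domain functional level: Exchange 2007 needs at least Windows 2000 native (ntMixedDomain = 0).
$domainObj = [ADSI]"LDAP://$domainNc"
if ([int]$domainObj.ntMixedDomain -ne 0) { throw "domain is still in mixed mode; raise the functional level first" }

# /PrepareSchema result: rangeUpper on ms-Exch-Schema-Version-Pt carries the Exchange schema version.
$versionAttr   = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc"
$schemaVersion = [int]$versionAttr.rangeUpper
if ($schemaVersion -lt 10628) { throw "schema version $schemaVersion is below Exchange 2007 RTM (10628); run Setup /PrepareSchema" }

# /PrepareAD result: the Universal Security Groups live in their own OU.
$usgOu = "OU=Microsoft Exchange Security Groups,$domainNc"
foreach ($group in "Exchange Organization Administrators", "Exchange Servers") {
    if (-not [ADSI]::Exists("LDAP://CN=$group,$usgOu")) { throw "group '$group' is missing; run Setup /PrepareAD" }
}
"AD preparation verified (schema version $schemaVersion)"

# Mailboxes for the three lab users; skip any that already have one.
$database = "WIN2003DC\First Storage Group\Mailbox Database"
$users    = "user01", "user02", "user03"
foreach ($user in $users) {
    if (-not (Get-Mailbox -Identity "$user@tanduc.local" -ErrorAction SilentlyContinue)) {
        Enable-Mailbox -Identity "$user@tanduc.local" -Database $database | Out-Null
    }
}

# Hub Transport: accept tanduc.com and make it the reply address in the default policy.
if (-not (Get-AcceptedDomain -Identity "Tanduc" -ErrorAction SilentlyContinue)) {
    New-AcceptedDomain -Name "Tanduc" -DomainName "tanduc.com" -DomainType Authoritative | Out-Null
}
# Upper-case "SMTP:" marks the primary (reply) address; the .local address stays as a secondary.
Set-EmailAddressPolicy -Identity "Default Policy" -EnabledEmailAddressTemplates "SMTP:@tanduc.com", "smtp:@tanduc.local"
Update-EmailAddressPolicy -Identity "Default Policy"

# Check: every lab mailbox now replies from tanduc.com.
foreach ($user in $users) {
    $mbx = Get-Mailbox -Identity "$user@tanduc.local"
    if ($mbx.PrimarySmtpAddress.ToString() -notlike "*@tanduc.com") { Write-Warning "$user still replies from $($mbx.PrimarySmtpAddress)" }
    else { "$user`: $($mbx.PrimarySmtpAddress)" }
}
```

Update-EmailAddressPolicy is what actually rewrites existing recipients; editing the policy alone (step 13 above does the same through the console) only changes the template.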


Module E: Implementing the Edge Transport Server


Lab Exercises:
Exercise 1: Installing MS Exchange 2007 Edge Transport Role
Exercise 2: Run the SCW to secure the Edge Transport Server
Exercise 3: Configure EdgeSync

Perform these exercises on the EXE2007ET and WIN2003DC machines.


Exercise 1: Installing Microsoft Exchange 2007 Edge Transport Role on the EXE2007ET machine

Hardware Requirements
The hardware requirements for a production Ex~hange 2007 server are described in the following sections.

Processor
Exchange Server 2007 exists in both 32- and 64-bit versions, but only the 64-bit version is supported in a production environment. This means that the server hardware on which you plan to install Exchange Server 2007 must havei'one ofthe following 64..:bitptocessor type~ installed: An x64 architecture-based processor that supports Intel Extended Memory 64 Technology (Intel EM64T) An x64 architecture-based computer with AMD 64-bit processor that supports AMD64 platform

Memory.
The memory requirements for a 64-bit Exchange 2007 server that is to be deployed in a "'....production environment are 2 gigabytes (GD) of RAM per server. However, bear in mind -~ that those are the minimum requirements. The recommend requirements are: 2GB of RAM per server plus approximately 5 megabytes (MB) of RAM per user mailbox located on the respective server A paging file equivalent to the amount of server memory plus 10MB Also be aware that it's recommended to add additional memory if you're planning to use more than four storage groups (approximately 2GB per three storage groups).

Disk Space
Disk space requirements are as follows:
At least 1.2GB of disk space on the drive on which Exchange Server 2007 is to be installed
200MB or more of disk space on the system drive
When installing the Unified Messaging role on a server, you will also need to allocate an additional 500MB for each Unified Messaging language pack that is installed.

Software Requirements
In addition to the hardware requirements, Exchange Server 2007 has some software requirements that need to be fulfilled before you can begin your install.

Operating System
When planning to install Exchange Server 2007 in a production environment, you will need Microsoft Windows Server 2003 64-bit version with Service Pack 1 or Windows Server 2003 R2 64-bit version.

Software Required
The following software is required for any of the five different Exchange 2007 server roles:
Microsoft .NET Framework Version 2.0
Windows PowerShell V 1.0
Hotfix for Windows x64 (KB904639)

The following components are required for the Edge Transport server:
ADAM
Like the Hub Transport role, SMTP and NNTP must not be installed

Perform these steps on EXE2007ET to prepare for installation of the Exchange 2007 Edge Transport Role:
1. Run C:\Ex2k7 Requirements\dotnetfx.exe to install .NET Framework 2.0
2. Run C:\Ex2k7 Requirements\ADAMSP1_86_English to install ADAM SP1 on the Edge Transport Role
3. Run C:\Ex2k7 Requirements\PowerShell.exe to install Windows PowerShell
4. Run C:\Ex2k7 Requirements\Hotfix.exe to install the Hotfix for .NET Framework.

Add tanduc.local as the primary DNS suffix of this computer
Right-click My Computer, select Properties
In the System Properties page, select the Computer Name tab
Select the Change button
From the Computer Name Changes dialog box, select the More button
In the DNS Suffix and NetBIOS Computer Name dialog box, enter tanduc.local in the Primary DNS suffix of this computer


The following steps demonstrate how to perform installation of the Exchange 2007 Edge Transport Role on EXE2007ET:
1. Run Setup.exe from C:\Exchange 2007
2. When the dialog box comes up, click Step 4: Install Microsoft Exchange
3. From the Exchange Server 2007 Setup page, click Next
4. Select "Accept the terms in the license agreement" and click Next
5. Select No and click Next
6. From the Installation Type page, choose Custom Exchange Server Installation and click Next
7. Select No if you don't have Outlook 2003 clients running in your network. In this case, select No and click Next
8. Put a check mark on Edge Transport Role and click Next
9. When it finishes, click Finish to end the installation process.


Exercise 2: Configuring the Security Configuration Wizard


1. Click Start, point to Control Panel, click Add or Remove Programs
2. Click Add/Remove Windows Components
3. On the Windows Components page, in the Components list, select the Security Configuration Wizard check box, and then click Next
4. Click Finish to complete the installation. Close Add or Remove Programs
5. Open Windows Explorer, and then browse to C:\Program Files\Microsoft\Exchange Server\Scripts. Copy the file named Exchange2007Edge.xml to the C:\Windows\security\msscw\kbs directory. Close Windows Explorer.
6. Open a Command Prompt window, and then type the following command to use the Security Configuration Wizard command-line tool to register the Exchange Server 2007 Edge Transport server role extension with the local security configuration database: scwcmd register /kbname:Ex2007EdgeKB /kbfile:c:\Windows\security\msscw\kbs\Exchange2007Edge.xml Press ENTER.
7. Close the Command Prompt window.
8. Click Start, point to Administrative Tools, and then click Security Configuration Wizard.
9. On the Welcome to the Security Configuration Wizard page, click Next.
10. On the Configuration Action page, ensure that Create a new security policy is selected, and then click Next.
11. On the Select Server page, click Next.
12. On the Processing Security Configuration Database page, click View Configuration Database.
13. Expand the Exchange 2007 Edge Transport node and verify that it has been installed and enabled. Review the required services and ports for this role. Close the SCW Viewer window, and then click Next.
14. On the Role-Based Service Configuration page, click Next.
15. On the Select Server Roles page, confirm that the Exchange 2007 Edge Transport server role is selected. Accept the other defaults, and then click Next.
16. On the Select Client Features page, click Next.
17. On the Select Administration and Other Options page, click Next.
18. On the Select Additional Services page, review the additional services that the wizard detected on the server, and then click Next.
19. On the Handling Unspecified Services page, ensure that Do not change the startup mode of the service is selected, and then click Next.
20. On the Confirm Service Changes page, review the service configurations that will be changed. Click Next.


21. On the Network Security page, click Next.
22. On the Open Ports and Approve Applications page, review the ports that will be opened. Take note of the approved application entries that specific Exchange-related processes and services will use.
23. On the Open Ports and Approve Applications page, click Next.
24. On the Confirm Port Configuration page, click Next.
25. On the Registry Settings page, select the Skip this section check box, and then click Next.
26. On the Audit Policy page, select the Skip this section check box, and then click Next.
27. On the Save Security Policy page, click Next.
28. On the Security Policy File Name page, type C:\windows\security\msscw\policies\EXE2007ET.xml as the policy file name. Click Next.
29. In the Security Configuration Warning dialog box, click OK.
30. On the Apply Security Policy page, click Apply now, and then click Next.
31. After the policy is applied, click Next.
32. Click Finish to complete the Security Configuration Wizard.
33. Click Start, point to Control Panel, and then click Windows Firewall.
34. Confirm that the firewall is enabled. On the Exceptions tab, confirm that the Exchange-related processes are listed. Click OK.
35. Restart the EXE2007ET server. After the server restarts, log on as Administrator with the password of Pa$$wOrd.
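The scwcmd register step has a command-line counterpart for the rest of the wizard, which is useful for checking later that the Edge server still matches the saved policy. This is an added example, not part of the lab manual; it uses the lab's knowledge-base and policy file paths, and the C:\SCW-Results output folder is an assumption.

```powershell
# Added example (not part of the lab manual): drive the Security Configuration
# Wizard from the command line so the Edge Transport hardening can be repeated
# and checked. File paths and the KB name are the ones used in Exercise 2.
$kbFile     = 'C:\Windows\security\msscw\kbs\Exchange2007Edge.xml'
$policyFile = 'C:\Windows\security\msscw\policies\EXE2007ET.xml'
$resultDir  = 'C:\SCW-Results'     # assumed folder for the analysis output

# 1. Register the Exchange 2007 Edge Transport role extension (same as step 6).
if (-not (Test-Path $kbFile)) { throw "Knowledge base file not found: $kbFile" }
scwcmd register /kbname:Ex2007EdgeKB /kbfile:$kbFile
if ($LASTEXITCODE -ne 0) { throw "scwcmd register failed (exit code $LASTEXITCODE)" }

# 2. Once the wizard has saved EXE2007ET.xml (step 28), compare the running server
#    against it. 'analyze' changes nothing; it writes <COMPUTERNAME>.xml to the folder.
if (-not (Test-Path $policyFile)) { throw "Policy file not found: $policyFile (run the wizard first)" }
New-Item -ItemType Directory -Path $resultDir -Force | Out-Null
scwcmd analyze /p:$policyFile /o:$resultDir
if ($LASTEXITCODE -ne 0) { throw "scwcmd analyze failed (exit code $LASTEXITCODE)" }

# 3. Render the result in the browser: services whose start-up mode, firewall
#    ports or audit settings drifted from the policy are listed as mismatches.
$result = Join-Path $resultDir ("{0}.xml" -f $env:COMPUTERNAME)
scwcmd view /x:$result

# To re-apply the saved policy without the GUI (step 30), use:
#   scwcmd configure /p:$policyFile
# The Edge Transport server is not a domain member, so 'scwcmd transform' into a
# GPO does not apply here; keep the XML file as the record of the hardened baseline.
```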


Exercise 3: Configure EdgeSync


Perform these steps to manually add the EXE2007ET entry into the tanduc.local zone on Win2003DC so the Exchange 2007 Hub Transport can resolve the Edge's DNS name before replicating selected information from the Active Directory to the Edge.

From Start->Programs->Administrative Tools->DNS
Expand the DNS node, then expand Forward Lookup Zones
Right-click the tanduc.local node, click New Host (A)
In the New Host page, enter the following:
Name: EXE2007ET
IP address: 172.16.104
Put a check mark next to Create associated pointer (PTR) record
Click Add Host
Close the DNS management console.
1. On EXE2007ET, open the Exchange Management Shell, and at the prompt type New-EdgeSubscription and then press ENTER.
2. At the FileName prompt, type C:\Edge1subscription.xml and then press ENTER.
3. Read the information displayed in the Exchange Management Shell, and then press ENTER.
4. Close the Exchange Management Shell.
5. Open Windows Explorer, and then browse to drive C. Right-click Edge1subscription.xml, and then click Copy.
6. On the Start menu, click Run. In the Open text box, type \\WIN2003DC\c$ and then press ENTER.
7. Right-click in the \\WIN2003DC\c$ folder, and then click Paste. Close both instances of Windows Explorer.
8. On WIN2003DC, open the Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
9. Click New Edge Subscription to start the New Edge Subscription wizard.
10. On the New Edge Subscription page, click Browse.
11. In the Select the Subscription File dialog box, browse to drive C. Click Edge1subscription.xml, and then click Open.
12. On the New Edge Subscription page, click New, and then click Finish.
13. Close the Exchange Management Console.
Note: It may take a minute for the container to appear. If the container does not appear in that time, open the Exchange Management Shell on WIN2003DC, type Start-EdgeSynchronization and then press ENTER.
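The same subscription exchange as Exchange Management Shell commands, with the DNS check first, added here as an example that is not part of the lab (the lab does steps 8 to 12 in the console). Host name, file path and the tanduc.local zone are the lab's; the Active Directory site name Default-First-Site-Name is an assumption.

```powershell
# Added example (not the lab's own script): the Edge Subscription exchange of
# Exercise 3 as Exchange Management Shell commands (PowerShell 1.0 syntax).
# Host names and file path are the lab's; the AD site name is an assumption
# (check the Hub Transport's site with Get-ExchangeServer).
$edgeFqdn = 'EXE2007ET.tanduc.local'
$subFile  = 'C:\Edge1subscription.xml'
$adSite   = 'Default-First-Site-Name'    # assumed

# --- On EXE2007ET (Edge Transport): export the subscription file (steps 1-4).
#     It carries the credentials the Hub uses to bind to ADAM, so it is only
#     accepted for 24 hours and should be deleted once it has been imported.
#       New-EdgeSubscription -FileName $subFile
#     Then copy the file to \\WIN2003DC\c$ as in steps 5-7.

# --- On WIN2003DC (Hub Transport): make sure the Edge name resolves first.
#     EdgeSync pushes recipient and configuration data over secure LDAP to this
#     name; a failed lookup raises a terminating error here and stops the script.
$addrs = @([System.Net.Dns]::GetHostAddresses($edgeFqdn) | ForEach-Object { $_.IPAddressToString })
if ($addrs.Count -eq 0) { throw "Cannot resolve $edgeFqdn; add the A record to the tanduc.local zone first." }
Write-Host "$edgeFqdn resolves to $([string]::Join(', ', $addrs))"

# Import the subscription (what steps 8-12 do in the console). The file is read as raw bytes.
$fileData = [byte[]](Get-Content -Path $subFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $adSite -CreateInternetSendConnector $true

# Start the first synchronization instead of waiting for the schedule (see the Note above).
Start-EdgeSynchronization

# Verify that the subscription exists and that the Hub can reach the Edge.
Get-EdgeSubscription | Format-List Name, Site
Test-EdgeSynchronization | Format-List

# The subscription file is no longer needed on the Hub once it has been imported.
Remove-Item -Path $subFile -Force
```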


Module F: Implementing MS Forefront Security for Exchange Server


Lab Exercises:
Exercise 1: Installing MS Forefront for Exchange 2007 Edge Transport Role
Exercise 2: Installing MS Forefront for Exchange 2007 Hub Transport Role
Exercise 3: Using MS Forefront for Exchange Server (Lab 1)
Exercise 3.1: Scanning Messages for Viruses
Exercise 3.2: Using File Filtering to Block Attachments

Perform these exercises on the EXE2007ET, WIN2003DC and Client1 machines


Exercise 1: Installing Microsoft Forefront Security for Exchange SP1 on the Edge Transport
Perform these steps on EXE2007ET machine
1. Click Setup.exe from the C:\Forefront for Exchange folder to start the installation process.
2. On the Microsoft Forefront Security for Exchange Server Setup page, click Next
3. Click Next to accept the Licensing Agreement.
4. Enter TDT in the User Name text box and Tan Duc in the Company Name, click Next
5. Choose the Local Installation option. Click Next.
6. On the Installation type page, choose Full installation and then click Next.
7. On the Quarantine Security Settings page, choose the Secure Mode option, and then click Next.
8. On the next page, choose the I don't want to use Microsoft Update option. Click Next
9. On the Engines page, either accept the default or choose up to five different AV engines and then click Next to go to the next page.
10. On the Engine Updates Required page, click Next.
11. On the Proxy Server (Optional Settings) page, leave Use Proxy Settings unchecked, click Next.
12. On the Choose Destination Location page, accept the default path and then click Next.
13. Leave the default on Select Program Folder and then click Next.
14. Click Next to Start Copying Files.
15. Click Next to restart the MS Exchange Transport Service.
16. On the Recycling Exchange Transport Service page, click Next.
17. Click Finish to finish the installation process.

Exercise 2: Installing Microsoft Forefront Security for Exchange SP1 on the Hub Transport
Perform these steps on WIN2003DC machine
1. Click Setup.exe from the C:\Forefront for Exchange folder to start the installation process.
2. On the Microsoft Forefront Security for Exchange Server Setup page, click Next
3. Click Next to accept the Licensing Agreement.
4. Enter TDT in the User Name text box and Tan Duc in the Company Name, click Next
5. Choose the Local Installation option. Click Next.
6. On the Installation type page, choose Full installation and then click Next.
7. On the next page, choose the I don't want to use Microsoft Update option. Click Next.
8. On the Quarantine Security Settings page, choose the Secure Mode option, and then click Next.
9. On the Engines page, either accept the default or choose up to five different AV engines and then click Next to go to the next page.
10. On the Engine Updates Required page, click Next.
11. On the Proxy Server (Optional Settings) page, leave Use Proxy Settings unchecked, click Next.
12. On the Choose Destination Location page, accept the default path and then click Next.
13. Leave the default on Select Program Folder and then click Next.
14. Click Next to Start Copying Files.
15. Click Next to restart the MS Exchange Transport Service.
16. On the Recycling Exchange Transport Service page, click Next.
17. Click Finish to finish the installation process.


Exercise 3: Using MS Forefront for Exchange Server


Perform these exercises on the WIN2003DC and Client1 machines

Exercise 3.1: Scanning Messages for Viruses


Scenario: In this exercise, you will configure Forefront Security for Exchange to scan e-mail messages for viruses. We will perform the following procedures (all the sample files are located in C:\EICAR-1):
1. Examine the four scan jobs in Forefront Security for Exchange
2. Configure the Transport scan job - Bias: Favor Performance (scan each message with up to at least 50% of the selected engines, i.e. 2 or 3 engines) and Quarantine files
3. Configure the Realtime Scan Job - Bias: Favor Performance and Quarantine files
4. Send an email to Admin to verify the connectivity to the Exchange Server.
5. Send an email to Admin with an attachment Virus-A.com. Examine the attachment of the new message in the Inbox, and in Sent Items
6a. For the Transport scan job, change the deletion text by adding a line: Transport Scanned by Keyword (in this case Keyword=%VirusEngines%)
6b. Use the Incidents in the Report section to determine which scan engines detected Virus-A.com
7. Configure the Quarantine area to maintain removed attachments for a maximum of 30 days by purging them
8. Archive all the messages after they are scanned
9a. Send another email to Admin with a Virus-A.com attachment.
9b. Examine the attachment of the new message in the Inbox.
9c. Examine the existence of the antivirus stamp header in a scanned message.
10a. Send an email to Admin with a Cool Game.zip attachment
10b. Examine the attachment of the new message in the Inbox.
10c. Examine the maximum level of compression that Forefront Security for Exchange Server can detect
11a. Send an email to Admin with a Cool Game2.zip attachment (Cool Game2.zip is an encrypted zipped file attachment)
11b. Examine the attachment of the new message in the Inbox.
12. Enable the Delete Encrypted Compressed Files feature
13a. Send an email to Admin with a Cool Game2.zip attachment
13b. Examine the attachment of the new message in the Inbox.
14. Configure the Manual Scan Job to remove the password-protected Cool Game2.zip (Bias: Max Certainty, Action: Delete: remove infection, Mailbox: Administrator)
15. Run the Manual Scan
16. Verify that Forefront Security has removed the Cool Game2.zip attachment from the previous message in the Administrator Mailbox.
17a. Configure a Background Scan Job to rescan messages that were received in the last 3 days.
17b. Schedule and enable the Background Scan Job to run daily at 3:00AM.


Exercise 3.2: Using File Filtering to Block Attachments


Scenario: In this exercise, you will configure Forefront Security for Exchange to block file attachments based on the name or the file content. We will perform the following procedures:
1. Configure File Filtering to remove attachments with the following attributes:
a. Delete all attachment files named iloveyou.vbs
b. Delete files with the .exe extension
c. Delete all bmp files that are larger than 3MB in size
d. Delete all mp3 files from inbound messages only.
2. Send an email message to Admin with a test1.exe attachment
3. Examine the attachment of the new message in the Inbox
4. Make a copy of test1.exe and rename it test1.jpg
5. Send an email message to Admin with a test1.jpg attachment
6. Examine the attachment of the new message in the Inbox. Save test1.jpg as test1.exe and run the application.
7. Change the file filter *.exe /All types to * /EXE file type
8. Send an email message to Admin with two attachments: test1.jpg and pic1.jpg
9. Examine the attachments of the new message in the Inbox

The detailed steps can be found on Appendix A: Detailed Steps for Lab 1: Using MS Forefront Security for Exchange to protect Exchange Server from Viruses
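Why step 7 switches from the name pattern *.exe to the EXE file type: a type filter inspects the attachment's bytes, so test1.exe renamed to test1.jpg (step 4) is still caught while the real pic1.jpg passes. The following script reproduces that distinction locally on constructed files; it is an added example, not part of the lab or of Forefront, and its MZ and JPEG signature checks are a simplified stand-in for Forefront's own file-type detection.

```powershell
# Added example (not part of the lab): name-based versus content-based attachment
# filtering, as in steps 1b and 7 of Exercise 3.2. The signature checks below are a
# simplified stand-in for Forefront's type detection (MZ = Windows executable,
# FF D8 FF = JPEG); the sample files are constructed in a temp folder.
function Get-ContentType {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A) { return 'EXE' }
    if ($b.Length -ge 3 -and $b[0] -eq 0xFF -and $b[1] -eq 0xD8 -and $b[2] -eq 0xFF) { return 'JPEG' }
    return 'UNKNOWN'
}

function Test-FileFilter {
    # Mirrors a Forefront file-filter entry "<name pattern> /<type>": the attachment is
    # blocked when its file name matches the pattern AND its content matches the type
    # ('All' matches any content).
    param([string]$Path, [string]$NamePattern, [string]$Type)
    $nameMatch = [System.IO.Path]::GetFileName($Path) -like $NamePattern
    $typeMatch = ($Type -eq 'All') -or ((Get-ContentType $Path) -eq $Type)
    return ($nameMatch -and $typeMatch)
}

# Constructed samples: a fake executable (MZ header followed by zeros), the same
# bytes renamed to .jpg as in step 4, and a file with a genuine JPEG header.
$dir = Join-Path $env:TEMP 'filefilter-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$mz = New-Object byte[] 64;  $mz[0] = 0x4D; $mz[1] = 0x5A
$jpeg = New-Object byte[] 32; $jpeg[0] = 0xFF; $jpeg[1] = 0xD8; $jpeg[2] = 0xFF; $jpeg[3] = 0xE0
[System.IO.File]::WriteAllBytes((Join-Path $dir 'test1.exe'), $mz)
Copy-Item (Join-Path $dir 'test1.exe') (Join-Path $dir 'test1.jpg')
[System.IO.File]::WriteAllBytes((Join-Path $dir 'pic1.jpg'), $jpeg)

foreach ($f in Get-ChildItem $dir) {
    $byName = Test-FileFilter $f.FullName '*.exe' 'All'   # filter before step 7
    $byType = Test-FileFilter $f.FullName '*' 'EXE'       # filter after step 7
    '{0,-10} content={1,-8} blocked by "*.exe /All types": {2,-5} blocked by "* /EXE": {3}' -f `
        $f.Name, (Get-ContentType $f.FullName), $byName, $byType
}
```

Only the renamed copy separates the two filters: the name filter lets it through because the extension says .jpg, while the type filter blocks it because the bytes still say executable.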


Module G: Implementing Forefront Client Security (FCS) Server and Deploying FCS on Client Computers
Lab Exercises:
Exercise 1: Installing Forefront Client Security Server
Installing IIS and ASP.NET
Install SQL Server 2005 with SP2 or SP1.
Install GPMC with SP1. (Run gpmc.msi from C:\FCS folder)
Install WSUS 2.0 with SP1 on the Client Security server.
Configure and synchronize WSUS.
Add the reporting server site to the Local intranet zone in Internet Explorer.
Installing Client Security on a one-server topology
Configuring Client Security on a one-server topology
Verifying the installation of Client Security on a one-server topology
Exercise 2: Deploying Forefront Client Security on Client Computers
Approving the client components in WSUS
Configuring Automatic Updates
Deploying manually to each client computer
Approving clients through the MOM server

Perform these exercises on the Forefront and Client1 machines


Exercise 1: Installing MS Forefront Client Security Server in one-server topology


Perform these steps on the Forefront machine.
In the supported one-server topology, the management, collection, reporting, and distribution components, including the collection and reporting databases, are all installed on one server. The following steps are performed on the Forefront machine.
The Forefront Client Security server (FCS Server) has the following prerequisites:
IIS and ASP.NET
SQL Server 2005 (Standard or Enterprise version) with SP1 or later
MMC 3.0 (included in Windows 2003 SP2)
GPMC with SP1
WSUS 2.0 with SP1
Windows Update Agent 2.0 or later

Install MMC 3.0. (Already installed with this version of Windows 2003 SP2)
Install Windows Update Agent 2.0 from the C:\FCS\FCS Requirements folder
Install GPMC with SP1. (Run gpmc.msi from the C:\FCS\FCS Requirements folder)

Installing IIS and ASP.NET
1. Click Start, point to Administrative Tools, and then click Manage Your Server.
2. In the Manage Your Server window, click Add or Remove a Role.
3. In the Configure Your Server wizard, click Next.
4. On the next page, click Application Server (IIS, ASP.NET), and then click Next.
5. On the next page, select the ASP.NET check box, and then complete the wizard.


Installing SQL Server 2005


Put the SQL Server 2005 CD in the CD-ROM drive.
From the Registration Information page, enter the following: Name: TDT, Company: Tan Duc. Click Next
From the Components to Install page, select SQL Server Database Services, Reporting Services, Integration Services, and Workstation components, Books Online and development tools
From the Instance Name page, select Default instance, and click Next
From the Service Account page, select Use a domain user account. Enter the following: Username: Administrator, Password: P@sswOrd, Domain: tanduc.local. Under Start services at the end of setup, put a check mark on SQL Server Agent
Click Next to go to the Authentication Mode page, select Windows Authentication Mode
In the Collation Settings page, leave it as default (Dictionary order, case-insensitive, for use with 1252 Character Set)
From the Report Server Installation Options page, select Install the default configuration and click Next
Click Next to go to Ready to Install. Click Install to begin the installation process

Installing SQL Server 2005 SP2


Run the SQLServer2k5SP2.exe from C:\FCS\FCS Requirements folder

From the Welcome screen, click Next
Click I accept the agreement and click Next
Click Next on the Feature Selection page
On the Authentication page, select Windows Authentication
Click Next on the Error and Usage Reporting Settings page
Click Next on the Running Processes page
From the Ready to Install page, click Install to begin and click Next

Installing WSUS 2.0 SP1


Run the WSUS program from the C:\FCS\FCS Requirements folder
From the Welcome screen click Next
Select I accept the terms of the License agreement, click Next
Put a check mark on Store updates locally from the Select Update Source page, click Next
From the Database options, select Use an existing database server on this computer with Default selected, and then click Next
From Connecting to SQL Server Instance, click Next
From the Web Site Selection page, select Create a Microsoft Windows Server Update Services Web site and click Next

Click Next on the Mirror Update Settings page
Click Next to begin the installation process

Configure and synchronize WSUS.


Before installing Client Security, you must configure and synchronize WSUS.
1. In the WSUS console, click Options, and then click Synchronization Options.
2. On the Synchronization Options page, under Update Classifications, click Change.
3. In Add/Remove Classifications, select the Updates check box, and then click OK.
4. In the Products, select Windows 2003 family only, then click OK
5. Scroll down to the very bottom, under the Update Files and Languages section, click the Advanced button. Click OK when the dialog box comes up on the screen
6. From the Advanced Synchronization Options page, make sure Store update files locally on this server is selected and the Download update files to this server only when updates are approved checkbox is checked. In the Languages pane, select Download updates only in the selected languages. Click OK when the dialog box comes up. Select English as a language option. Then click OK. Click Save settings. To start synchronizing, on the Synchronization Options page, click Synchronize Now.


Installing Client Security Server on a one-server topology


Before installing Forefront Client Security, make sure the SQL Server Agent service has its startup type set to Automatic.
Perform the following steps:
From Start->All Programs->Administrative Tools->Services
Right-click SQL Server Agent (MSSQLSERVER), select Properties
In the Startup type drop-down list, select Automatic. Click OK to exit
Navigate to the C:\FCS\FCS_Eval\Server folder
Run Serversetup.exe
From the Before You Begin page, leave your name as TDT and Organization as Tan Duc, then click Next
Select I accept the terms of the license agreement, then click Next
From the Component Installation page, make sure you put a check mark next to Management Server, Collection Server, Collection Database, Reporting Server and Reporting Database, and Distribution Server, click Next
From the Collection Server page, enter the following as the DAS account:
Username (Domain\user): tanduc\Administrator
Password: P@sswOrd
From the Collection Database page, click Next
From the Reporting Database page, click Next
From the Reporting Server page, click Next
From the Action Account page, click Next
Click Next in the Install location page.
On the Verifying Settings and Requirements page, verify your system requirements, and then click Next
On the Completing Setup page, verify that you've successfully installed Client Security, and then click Close.

Add the reporting server site to the Local intranet zone in Internet Explorer.
For SQL Server Reporting Services to function correctly, you must add the reporting server site to the Local intranet zone on the Client Security server.
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. Click the Security tab, and then click the Local intranet zone.
3. Click the Sites button.
4. Click the Advanced button.
5. In the Add this website to the zone box, type http://forefront
6. Click Add.

Configuring Client Security on a one-server topology


To configure Client Security, you must run the Configuration wizard. The wizard runs automatically when you open the Client Security console for the first time.

1. Open the Client Security console. (Click Start, point to All Programs, point to Microsoft Forefront, point to Client Security, and then click Microsoft Forefront Client Security Console.)
2. On the wizard's Before You Begin page, click Next.
3. On the Collection Server and Database page, click Next
4. On the Reporting Database page, enter the username and password for the reporting account: Username: tanduc\administrator; Password: P@sswOrd, then click Next.
5. On the Reporting Server page, click Next
6. On the Verifying Settings and Requirements page, verify your system requirements, and then click Next.
7. On the Completing the Configuration Wizard page, verify that you have successfully configured Client Security, and then click Close.

Exercise 2: Deploying Forefront Client Security on Client Computers


Approving the client components in WSUS
Before deploying Client Security, you must approve its client components in WSUS. You should also verify that you have configured WSUS so it is synchronizing Updates (in addition to Definition Updates).
1. Open the WSUS console.
2. In the console, click Options, and then click Synchronization Options.
3. On the Synchronization Options page, under Update Classifications, make sure Updates is listed.
4. Click Updates.
5. Select the most recent Client Update for Microsoft Forefront Client Security.
6. From the Update Tasks box on the top left, click the Change approval link
7. In the Approve Updates - Web Page Dialog page, from the Approval drop-down list, select the Install option, then click OK
8. In the Approve Updates dialog box, click OK.
9. In the End User License Agreement dialog box, click I Accept.

Configuring Automatic Updates

Before your client computers can download updates from your distribution server, they must be configured so that Automatic Updates on the client computer points to the WSUS server. To make this configuration, you can use Group Policy. You must specify that Automatic Updates download updates from the WSUS server rather than from Windows Update or Microsoft Update.

To configure Automatic Updates
1. In the Group Policy Object Editor dialog box, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
2. In the Setting list, double-click Configure Automatic Updates.
3. In the Configure Automatic Updates dialog box, click Enabled, and then click OK.
4. In the Setting list, double-click Specify intranet Microsoft update service location.
5. In the Specify intranet Microsoft update service location dialog box, click Enabled, enter the client configuration URL in both the Set the intranet update service box and the Set the intranet statistics server box. In this case type http://forefront in both boxes, and then click OK.
6. In the Setting list, double-click Allow Automatic Updates immediate installation.
7. In the Allow Automatic Updates immediate installation Properties dialog box, click Enabled, and then click OK.
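A quick way to confirm on a client that the three policy settings above actually reached it is to read the registry values those policies write. This is an added example, not part of the lab; it assumes Windows PowerShell is present on the client and expects the lab's http://forefront URL.

```powershell
# Added example (not from the lab): check on a client that the WSUS Group Policy
# settings from steps 1-7 have been applied, by reading the registry values that the
# Windows Update policy templates write. Expected URL is the lab's http://forefront.
$expectedServer = 'http://forefront'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied yet).
    if (Test-Path $Key) { (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name } else { $null }
}

$checks = @(
    @{ Setting  = 'Specify intranet Microsoft update service location (update server)'
       Actual   = Get-RegValue $wu 'WUServer';                Expected = $expectedServer },
    @{ Setting  = 'Specify intranet Microsoft update service location (statistics server)'
       Actual   = Get-RegValue $wu 'WUStatusServer';          Expected = $expectedServer },
    @{ Setting  = 'Clients use the WSUS server instead of Windows Update (UseWUServer)'
       Actual   = Get-RegValue $au 'UseWUServer';             Expected = 1 },
    @{ Setting  = 'Configure Automatic Updates = Enabled (NoAutoUpdate must be 0)'
       Actual   = Get-RegValue $au 'NoAutoUpdate';            Expected = 0 },
    @{ Setting  = 'Allow Automatic Updates immediate installation (AutoInstallMinorUpdates)'
       Actual   = Get-RegValue $au 'AutoInstallMinorUpdates'; Expected = 1 }
)

$failed = 0
foreach ($c in $checks) {
    # String comparison so REG_SZ and REG_DWORD values are handled the same way.
    $ok = ($null -ne $c.Actual) -and ("$($c.Actual)" -eq "$($c.Expected)")
    if (-not $ok) { $failed++ }
    '{0,-4} {1}: actual={2} expected={3}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $c.Setting, $c.Actual, $c.Expected
}

if ($failed -gt 0) {
    # The GPO has not been processed on this client yet (or the client is not in the
    # linked OU); refresh policy, then re-run this script.
    Write-Warning "$failed setting(s) differ from the GPO; run 'gpupdate /force' on the client and re-check"
} else {
    # All policies present: ask the Windows Update Agent to contact the WSUS server now
    # instead of waiting for its next detection cycle.
    wuauclt /detectnow
}
```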

Deploying Forefront Client Security (FCS) Client manually


Perform these steps on Client1 machine
Software Prerequisites:
Install Windows Update Agent 2.0 from the C:\FCS Client Requirements folder
Install Windows Installer 3.1 from the C:\FCS Client Requirements folder
1. From the command prompt, enter cd c:\Client, then press Enter
2. From the C:\Client\ prompt, type: clientsetup /MS forefrontclientsecurity /CG forefront /L C:\FCS_log then press Enter.
3. When the tool finishes running, close the Command Prompt window.
4. Open C:\FCS_log to see the log files
5. Restart Client1

Approving clients through the MOM server
Perform these steps on WIN2003DC machine
After being deployed, the clients are usually automatically approved within an hour. If you want them to begin reporting data sooner than that, you can approve them manually.
To approve clients manually through the MOM server
1. On the Client Security management server, click Start, click All Programs, click Microsoft Operations Manager, and then click Administrator Console.
2. In the MOM 2005 Administrator Console, under Console Root, expand Administration, expand Computers, and then click Pending Action.
3. Right-click the client computer (MCPClient) in the Pending Action list, and then click Approve Manual Agent Installation Now. If you do not see the client in the Pending Action list, wait a few minutes, and then click Refresh on the Action menu.
4. In the Microsoft Operations Manager dialog box, click Yes to confirm approval. The client computer will disappear from the Pending Action list.


Module H: Using Forefront Client Security (FCS) to monitor and protect client computers
Lab Exercises:
Exercise 1: Using Forefront Client Security (FCS) to Protect Client Computers
Exercise 2: Updating Signature Files
Exercise 3: Using Policies to Manage Clients
Exercise 4: Alerting, Reporting and Monitoring

Perform these exercises on the WIN2003DC and Client1 machines


Exercise 1: Using Forefront Client Security (FCS) to Protect Client Computers
Scenario: In this exercise, you will examine how Forefront Client Security (FCS) detects malware (viruses and spyware) on client computers. We will perform the following procedures (all the sample files are located in C:\EICAR-2):
1. Use FCS to perform a Quick Scan
2. Perform a Custom Scan of the C:\EICAR-2 folder. Close the dialog box after finishing scanning with no action required. (The folder contains the EICAR antivirus test file)
3. Examine the Scan Schedule, Scan Interval and real-time protection settings
4. Use Notepad to open C:\EICAR-2\Sample-A.txt with Action: Always allow. Check if you can run the file Sample-B.com in this case
5. Remove EICAR_Test_File from the list of allowed items in FCS with Action: Quarantine
6. Attempt to run C:\EICAR-2\Sample-B.com
7. Restore EICAR_Test_File from the quarantine area
8. Examine the FCS history listing
9. Examine the FCS events in the System event log (Event ID: 3005)

Exercise 2: Updating Signature Files

Scenario: In this exercise, you will configure Windows Server Update Services (WSUS) so that FCS client computers can update the signature definition files. We will perform the following procedures (all the sample files are located in C:\EICAR-2):
1. Examine the current scanning engine and malware definition version numbers
2. Attempt to update the signature definitions manually
3. Examine the WSUS products and update classifications
4. Examine the WSUS update frequency and the FCS update assistant service
5. In WSUS, approve the most recent definition updates (the definition updates contain the antivirus signature definitions and the antispyware definitions. In case they have already been approved, approve them again for this demo only)
6. Update the signature definitions manually
7. Examine the updates report in WSUS

Exercise 3: Using Policies to Manage Clients

Scenario: In this exercise, you will create FCS policies to centrally manage multiple FCS client computers. We will perform the following procedures (all the sample files are located in C:\EICAR-2):
1. Examine the available options in the FCS window
2. Examine the Client Computers OU
3. Create a new FCS policy with the following settings: Name: FCS Central Policy; Spyware protection: User controlled; Scheduled scan: Every day - 3:00AM; Check for Updates: Every 2 hours; Failover to Microsoft Update: yes; Client options: Full user interface
4. Deploy the FCS Central Policy to the Client Computers OU
5. Use GPMC to examine the FCS Central Policy settings
6. Force group policy processing
7. Examine the available options in the FCS window
8. Attempt to run C:\EICAR-2\Sample-C.com with Action: Quarantine
9. Modify the FCS Central Policy with Client options: Limited user interface
10. Redeploy the FCS Central Policy
11. Force group policy processing
12. Attempt to open the FCS window
13. Attempt to run C:\EICAR-2\Sample-D.com

The following tasks will help you deploy an FCS policy to a file, and then apply the file to the Forefront computer:
1. Create another FCS policy: Name: FCS Server Policy; Client options: Full user interface
2. Deploy the FCS Server Policy to a file named C:\FCS Server Policy.reg
3. Run C:\FCSLocalPolicyTool.exe to apply the C:\FCS Server Policy.reg file
4. Examine the available options in the FCS window

Exercise 4: Alerting, Reporting and Monitoring

Scenario: In this exercise, you will examine the alerting and reporting functions of Forefront Client Security.

A. Perform the following steps on the ... computer
1. Examine the FCS Dashboard
2. Examine the Alert View in the MOM Operator console
3. Create a new FCS Policy named FCS Executive Policy with the highest alert level
4. Examine the definition of the Reinfected Computer alert for alert level 3

B. Examine FCS Reports
1. Examine the Computer Summary
2. Examine the Security Summary, Deployment Summary and Connectivity Summary
3. Examine the Malware Summary report

Page 48

Appendix A: Using Forefront Security for Exchange to protect Exchange from Viruses

Lab Exercises:
Exercise 1: Scanning Messages for Viruses

Microsoft Forefront Client Security

Page 49

Exercise 1: Scanning Messages for Viruses

In this exercise, you will configure Forefront Security for Exchange to scan e-mail messages for viruses.

Note: This lab exercise uses the following computers: WIN2003DC - Client1

Perform the following steps on the WIN2003DC computer.

1. On the WIN2003DC computer, use Forefront Security Administrator to connect to WIN2003DC.
a. On the WIN2003DC computer, on the Start menu, click All Programs, click Microsoft Forefront Server Security, click Exchange Server, and then click Forefront Server Security Administrator.
b. In the Connect to Server dialog box, in the server drop-down list box, select WIN2003DC, and then click OK.
Forefront Security Administrator connects to Forefront Security for Exchange that is running on the WIN2003DC server. The user interface of Forefront Security Administrator is divided into the so-called Shuttle Navigator on the left, and Work Panels on the right.
The Shuttle Navigator consists of four areas with icons:
Settings - This area contains icons to configure most of the antivirus settings, scanner updates and General Options.
Filtering - This area contains icons to configure filtering based on keywords in message content and file names of attachments.
Operate - This area contains icons to start, stop and schedule antivirus scan jobs.
Report - This area contains icons to view and configure notifications, detected incidents, and the quarantine area.

2. Examine the scan jobs in Forefront Security for Exchange.
a. On the left, in the Settings area, click Scan Job.
b. On the right, in the top work panel, select Transport Scan Job.
Forefront Security for Exchange uses four different ways to scan for viruses in messages. Three of those are listed in the Scan Job work panel. The Transport Scan Job runs on the Exchange 2007 Hub Transport or Edge Transport roles. All other scan jobs run on the Exchange 2007 Mailbox role.
The scan jobs are:
Transport Scan Job - Forefront Security scans all e-mail messages that are inbound, outbound, or sent internally within an organization, and pass through the Exchange 2007 Transport stack.
Realtime Scan Job - This scan job provides immediate scanning of e-mail that is sent or received by the mailboxes and Public Folders resident on the server.
Manual Scan Job - This allows you to start a job at a particular time to scan messages that are already in specific mailboxes.
Scheduled Background Scanning - Forefront Security can periodically scan messages received within a specific period. For example, all messages in the information store from the last 2 days. This scan job is configured in General Options.

Page 50

3. Configure the Transport scan job.
Bias: Favor Performance
Action: Quarantine Files
a. In the top work panel, select Transport Scan Job.
b. In the Transport Messages work panel, ensure that Internal is enabled.
c. The Transport scan job scans messages that originate from an external server (Inbound), that leave your Exchange site or organization (Outbound), and that are routed from one location in your domain to another location in your domain (Internal).
d. On the left, in the Settings area, click General Options.
The General Options work panel contains many system level settings.
e. In the work panel, in the Scanning section, scroll to the last settings in the section.
The Internal Address setting determines whether messages are considered Inbound (from elsewhere to tanduc.local), Outbound (from tanduc.local to elsewhere), or Internal (from tanduc.local to tanduc.local). You can enter multiple domain names, separated by semicolons.
f. On the left, in the Settings area, click Antivirus.
Forefront Security contains 9 different scan engines from well-known antivirus vendors.
g. In the File Scanners list box, select Kaspersky Antivirus Technology.
A warning message box appears which indicates that you can only select a maximum of 5 scan engines at the same time.
h. Click OK to close the message box.
i. In the Bias drop-down list box, select Favor Performance.
The Bias setting controls how many of the selected scan engines are used to provide certainty that a single message does not contain a virus. The settings are (for 5 selected scan engines):
Maximum Certainty - Scan each message with all selected engines (5 engines).
Favor Certainty - Scan each message with all selected engines except the engines that are currently unavailable (due to being updated, etc.).
Neutral - Scan each message with at least 50% of the selected engines (3 engines).
Favor Performance - Scan each message with up to at least 50% of the selected engines (1, 2 or 3 engines).
Maximum Performance - Scan each message with one engine.
Note: When multiple scan engines are used, and even a single scan engine reports a message as infected, Forefront Security considers the message infected.
j. Ensure that Quarantine Files is selected.
k. Click Save to save the changed configuration.

Page 51

4. Configure the Realtime scan job.
Bias: Favor Performance
Action: Quarantine Files
a. In the top work panel, select Realtime Scan Job.
b. On the left, in the Settings area, ensure that Antivirus is selected.
Notice that Forefront Security maintains separate antivirus settings per scan job. The Bias setting for the Realtime Scan Job is still set to Favor Certainty.
c. In the Bias drop-down list box, select Favor Performance.
Forefront Security will use 1 to 3 scan engines for the Realtime Scan Job.
d. Ensure that Quarantine Files is selected.
e. Click Save to save the changed configuration.

Page 52

Perform the following steps on the Client1 computer.

5. On the Client1 computer, send an e-mail to Administrator to verify the connectivity to the Exchange server.
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.
In this module, you will send e-mail messages from the Administrator mailbox to the Administrator mailbox to demonstrate the Forefront Security for Exchange functionality.
b. In Outlook, on the toolbar, click New.
c. In the new message window, complete the following information:
   To: Administrator
   Subject: Test mail to self - 1
   (Message): Message to Administrator
   and then click Send.
After a few seconds, the message will disappear from the Outbox and show up in the Inbox. This result verifies that Outlook is correctly connected to the Exchange server on WIN2003DC.
Note: After the Exchange server has just started up, the first message is delivered slower, because Forefront needs to start the scanning engines.

6. Send an e-mail to Administrator.
Attach the file: C:\EICAR-1\Virus-A.com
a. In Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
   To: Administrator
   Subject: Include file - 2
   (Message): Please see attachment
   Do NOT send the message yet.
c. In the e-mail window, on the Insert menu, click File.
d. In the Insert File dialog box, browse to C:\EICAR-1, select Virus-A.com, and then click Insert.
Virus-A.com is a copy of the industry standard eicar.com antivirus test file. All antivirus products detect the file. It does not replicate by itself, and only displays a single line of text when run in a command prompt window.
e. Click Send.
f. In the Microsoft Office Outlook message box, click Yes to confirm that you want to send the message with the potentially unsafe attachment.
Note: Outlook does not detect the particular attachment as a virus. It always displays this message box for any attachment that is an executable file, such as .exe, .com, .bat, and .vbs.
After a few seconds, the message arrives in the Inbox.

Page 53

7. Examine the attachment of the new message in the Inbox, and in Sent Items.
a. In the Inbox, select the Include file - 2 message.
Notice that Forefront Security replaced the Virus-A.com attachment by a new text file (Virus-A.txt).
b. In the Reading pane, right-click Virus-A.txt, and then click Open.
Forefront Security reports that Virus-A.com was found to be infected by the EICAR test virus. It removed the attachment before the message arrived in the Administrator Inbox.
Note: The Transport scan job (running on the Exchange 2007 Hub Transport role or Edge Transport role) detected and removed the virus.
c. Close Notepad.
d. In the Sent Items folder, select the Include file - 2 message.
Forefront Security removed the Virus-A.com attachment from both the Inbox folder and the Sent Items folder.
Note: The message in the Sent Items folder was not sent through the Hub Transport or Edge Transport role, but stayed on the Mailbox role. The Realtime scan job (on-access scanning) detected and removed the virus in the message in the Sent Items folder.

Perform the following steps on the WIN2003DC computer.

8. On the WIN2003DC computer, for the Transport scan job, change the deletion text.
Add a line: Transport - Scanned by %VirusEngines%
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Settings area, click Scan Job.
b. In the top work panel, select Transport Scan Job.
c. In the bottom work panel, click Deletion Text.
The dialog box displays the text that Forefront Security uses in the replacement file when a virus is detected by the Transport scan job.
d. In the deletion text area, under the existing lines of text, type: Transport - Scanned by, followed by a space character.
e. After the word "by", right-click and then click Paste Keyword.
Forefront Security provides a list of keywords that can be used to display information about the message and the scanning process.
Note: The keywords starting with IS, ES, IR, ER represent the Internal/External Sender/Recipient names and addresses.
f. On the keyword menu, click Virus Engines.
g. Click OK to close the deletion text dialog box.
h. Click Save to save the changed configuration.

Page 54

9. Use the Incidents work panel to determine which scan engines detected the Virus-A.com file.
a. In the Shuttle Navigator, in the Report area, click Incidents.
The Incidents work panel shows that a file named Virus-A.com was removed from the message with subject Include file - 2.
b. In the work panel, change the width of the Name column and the Folder column to display all the text in these columns.
Notice that the Transport Scan Job detected the virus in an Internal message, and that the Realtime Scan Job detected the virus in the Sent Items folder of the Administrator mailbox.
c. Change the width of the Incident column to display all the text in this column.
The Incident column lists which scan engines (one or more) detected the virus. Forefront Security maintains a complete copy of the detected virus files in a quarantine area. When Quarantine Purge is enabled, Forefront Security removes all files that are in quarantine longer than the indicated number of days. By default that is 30 days.

10. Configure the quarantine area to maintain removed attachments for a maximum of 30 days.
a. In the Report area, click Quarantine.
b. At the bottom of the work panel, select Purge.
c. Click Save to save the changed configuration.
Note: The Transport Scan Job scans all messages in transit (on the Hub Transport role or Edge Transport role), and the Realtime Scan Job performs on-access scanning of all messages when they are accessed in the mailbox (on the Mailbox role). To avoid that the same message is needlessly scanned multiple times, the Transport Scan Job adds a so-called antivirus stamp header to the message. The next scan job examines the antivirus stamp header to determine that the message is already scanned. To avoid spoofing by fake antivirus stamp headers, the Transport Scan Job first removes any antivirus stamp headers from an incoming message.

11. Configure the Archive Transport Mail setting: Archive After Scan
a. In the Shuttle Navigator, in the Settings area, click General Options.
b. In the work panel, scroll to the Scanning section.
The Optimize for Performance by Not Rescanning Messages Already Virus Scanned - Transport setting controls whether the Transport Scan Job adds the antivirus stamp header after scanning the message.
c. Scroll to the top of the work panel.
d. In the Diagnostics section, in the Archive Transport Mail drop-down list box, select Archive After Scan.
The Archive Transport Mail setting saves a copy of each message in an Archive folder on the hard disk. This is a diagnostic setting to help diagnose and isolate problems. However, it also allows us to see the antivirus stamp header.
e. Click Save to save the changed configuration.

Page 55
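The note in task 10 describes the antivirus stamp in three steps: any stamp an incoming message carries is removed before scanning (so a forged stamp cannot bypass the scan), a fresh stamp is added after scanning, and later scan jobs use the stamp to skip rescanning unless they are configured to ignore it. The Python below is an added model of that flow written for this manual; it is not Forefront code. The header name and value are the ones the lab shows in the archived message in task 14 (X-MSExchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0); the single toy engine, the CONSTRUCTED-TEST-SIGNATURE marker, the deletion text and the sample messages are constructed for the example.

```python
"""Added example for this manual (not Forefront code): a model of the
antivirus stamp handling described in the note of task 10.  Header name and
value are the ones shown in the lab's archived message; the engine, the
marker and the sample messages are constructed for the example."""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Tuple

AV_STAMP_HEADER = "X-MSExchange-Organization-AVStamp-Mailbox"  # from the lab's .eml (task 14)
AV_STAMP_VALUE = "MSFTFF;1;0;0 0 0"                            # value shown in the lab
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"   # constructed stand-in for the EICAR pattern
DELETION_TEXT = "Forefront Security removed an infected attachment.\nTransport - Scanned by ToyEngine"


def engine_scan(payload: bytes) -> bool:
    """Toy single scan engine (assumption); True means the payload is infected."""
    return TEST_SIGNATURE in payload


def scan_parts(msg: Message) -> List[str]:
    """Scan every leaf part; replace infected parts by a deletion-text attachment
    (as the lab shows Virus-A.com becoming Virus-A.txt).  Returns removed names."""
    if not msg.is_multipart():
        if engine_scan(msg.get_payload(decode=True) or b""):
            del msg["Content-Transfer-Encoding"]
            msg.set_payload(DELETION_TEXT)
            return ["(body)"]
        return []
    removed, kept = [], []
    for part in msg.get_payload():
        if part.is_multipart():
            removed.extend(scan_parts(part))
            kept.append(part)
        elif engine_scan(part.get_payload(decode=True) or b""):
            name = part.get_filename() or "attachment"
            removed.append(name)
            txt = MIMEText(DELETION_TEXT)
            txt.add_header("Content-Disposition", "attachment",
                           filename=name.rsplit(".", 1)[0] + ".txt")
            kept.append(txt)
        else:
            kept.append(part)
    msg.set_payload(kept)
    return removed


def transport_scan(raw: str) -> Tuple[Message, List[str], int]:
    """Transport Scan Job: drop any stamp the message arrived with (a forged
    stamp must not bypass scanning), scan, then stamp the scanned message.
    Returns (message, removed attachment names, number of stamps stripped)."""
    msg = message_from_string(raw)
    forged = len(msg.get_all(AV_STAMP_HEADER, []))
    del msg[AV_STAMP_HEADER]            # removes every occurrence of the header
    removed = scan_parts(msg)
    msg[AV_STAMP_HEADER] = AV_STAMP_VALUE
    return msg, removed, forged


def mailbox_scan(msg: Message, ignore_stamp: bool = False) -> str:
    """Realtime scan job trusts the stamp (ignore_stamp=False); Manual and
    Background scan jobs rescan with the latest engines (ignore_stamp=True)."""
    if not ignore_stamp and msg.get(AV_STAMP_HEADER) is not None:
        return "skipped: already stamped"
    removed = scan_parts(msg)
    return "infected: removed " + ", ".join(removed) if removed else "clean"


def parse_message(raw: str) -> Message:
    """A message that reached the mailbox without passing the Transport Scan Job."""
    return message_from_string(raw)


def build_message(attachment: bytes, filename: str, forged_stamp: bool) -> str:
    """Constructed sample message (not from the lab), optionally with a forged stamp."""
    msg = MIMEMultipart()
    msg["From"] = "Administrator@tanduc.local"
    msg["To"] = "Administrator@tanduc.local"
    msg["Subject"] = "Include file - 2"
    if forged_stamp:
        msg[AV_STAMP_HEADER] = AV_STAMP_VALUE
    msg.attach(MIMEText("Please see attachment"))
    att = MIMEApplication(attachment, Name=filename)
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_string()


def attachment_names(msg: Message) -> List[str]:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    raw = build_message(b"hello " + TEST_SIGNATURE, "Virus-A.com", forged_stamp=True)
    msg, removed, forged = transport_scan(raw)
    print(f"forged stamps stripped: {forged}, removed: {removed}, now: {attachment_names(msg)}")
    print("realtime:", mailbox_scan(msg), "| manual:", mailbox_scan(msg, ignore_stamp=True))
```

The second sample in the test path shows why the stamp is only trustworthy when it is applied at the transport boundary: a message that reaches the mailbox with a forged stamp is skipped by the Realtime scan job, and only a Manual or Background scan job (which ignores the stamp, as tasks 25 and 27 describe) removes the attachment.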

Perform the following steps on the Client1 computer.

12. On the Client1 computer, send an e-mail to Administrator.
Attach the file: C:\EICAR-1\Virus-A.com
a. On the Client1 computer, in Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
   To: Administrator
   Subject: Include file - 3
   (Message): Please see attachment
   Do NOT send the message yet.
c. In the e-mail window, on the Insert menu, click File.
d. In the Insert File dialog box, browse to C:\EICAR-1, select Virus-A.com, and then click Insert.
e. Click Send.
f. In the Microsoft Office Outlook message box, click Yes to confirm that you want to send the message with the potentially unsafe attachment.
After a few seconds, the message arrives in the Inbox.

13. Examine the attachment of the new message in the Inbox.
a. In the Inbox, select the Include file - 3 message.
b. In the Reading pane, right-click Virus-A.txt, and then click Open.
The replacement text includes the added line: Transport - Scanned by %VirusEngines%, where the text %VirusEngines% is replaced by the actual engine names.
The Transport scan job detected and removed the virus.
c. Close Notepad.

Page 56

Perform the following steps on the WIN2003DC computer.

14. On the WIN2003DC computer, examine the existence of the antivirus stamp header in a scanned message.

a. On the WIN2003DC computer, use Windows Explorer (or My Computer) to open the C:\Program Files\Microsoft Forefront Security\Exchange Server\Data\Archive folder.
The Archive Transport Mail option saves a copy of each message in the Archive folder. The file name consists of the year, month, day, time, a 3-digit random number, and the eml file extension.
b. Right-click the archived eml-file, click Open With, and then click Notepad.
Notepad opens the eml-file. The header section contains the header X-MSExchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0. This is the antivirus stamp header added by the Transport scan job, after the message was scanned.
Note: When the message is written to the information store database, the antivirus stamp header is replaced by a custom MAPI property on the message.
c. Close Notepad.
d. Close the Windows Explorer window.
Note: In the following tasks, you will examine how Forefront Security can detect viruses inside compressed and encrypted compressed files.

Perform the following steps on the Client1 computer.

15. On the Client1 computer, examine the contents of the C:\EICAR-1\Cool Game1.zip file.
a. On the Client1 computer, use Windows Explorer (or My Computer) to open the C:\EICAR-1 folder.
b. In the Tools folder, right-click Cool Game1.zip, and then click Open.
Cool Game1.zip is a zip-file that contains eicar.com, which is another copy of the eicar.com antivirus test file.
c. Close the Windows Explorer window.

16. Send an e-mail to Administrator.
Attach the file: C:\EICAR-1\Cool Game1.zip
a. In Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
   To: Administrator
   Subject: Cool game - 4
   (Message): Enjoy!
   Do NOT send the message yet.
c. In the e-mail window, on the Insert menu, click File.
d. In the Insert File dialog box, browse to C:\EICAR-1, select Cool Game1.zip, and then click Insert.
Cool Game1.zip is the attachment of the e-mail.
e. Click Send.
After a few seconds, the message arrives in the Inbox.

Page 57


17. Examine the attachment of the new message in the Inbox.
a. In the Inbox, select the Cool game - 4 message.
The e-mail still has an attachment named Cool Game1.zip.
b. In the Reading pane, right-click Cool Game1.zip, and then click Open.
c. In the Opening Mail Attachment message box, click Open.
Windows Explorer displays the content of the Cool Game1.zip attachment.
d. In the Cool Game1.zip folder, right-click Cool Game1.zip, and then click Open.
e. In the File Download message box, click Open.
f. In the next Explorer window, right-click eicar.txt, and then click Open.
Forefront Security has detected the virus inside the zip-files, and replaced the file by a replacement text.
By default, Forefront Security checks compressed files to a maximum of 5 levels deep, and deletes attachments that exceed that maximum.
g. Close Notepad.
h. Close the Windows Explorer window.

18. Examine the contents of the C:\EICAR-1\Cool Game2.zip file.
Password: password
a. Use Windows Explorer (or My Computer) to open the C:\EICAR-1 folder.
b. In the Tools folder, right-click Cool Game2.zip, and then click Open.
The content of the Cool Game2.zip file is protected by a password.
c. In the Cool Game2.zip folder, right-click eicar.zip, and then click Open.
d. In the Password needed dialog box, in the Password text box, type password, and then click OK.
eicar.zip contains a copy of the eicar.com antivirus test file, but is protected by a password.
e. Close the Windows Explorer window.

Page 58

19. Send an e-mail to Administrator.
Attach the file: C:\EICAR-1\Cool Game2.zip
a. In Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
   To: Administrator
   Subject: Cool game - 5
   (Message): Enjoy!
   Do NOT send the message yet.
c. In the e-mail window, on the Insert menu, click File.
d. In the Insert File dialog box, browse to C:\EICAR-1, select Cool Game2.zip, and then click Insert.
Cool Game2.zip is the attachment of the e-mail.
e. Click Send.
After a few seconds, the message arrives in the Inbox.


20. Examine the attachment of the new message in the Inbox.
a. In the Inbox, select the Cool game - 5 message.
The e-mail still has an attachment named Cool Game2.zip.
b. In the Reading pane, right-click Cool Game2.zip, and then click Open.
c. In the Opening Mail Attachment message box, click Open.
d. In the Cool Game2.zip folder, right-click eicar.zip, and then click Open.
e. In the Password needed dialog box, in the Password text box, type password, and then click OK.
f. In the File Download message box, click Open.
Forefront Security was NOT able to inspect the password-protected (=encrypted) content of the zip-file. The virus (eicar.com) is delivered to the recipient!
Note: By default, Forefront Security skips encrypted compressed files. You will change this setting in the next task.
g. Close the Windows Explorer window.

Perform the following steps on the WIN2003DC computer.

21. On the WIN2003DC computer, configure the General Options.
Delete Encrypted Compressed Files: enable
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Settings area, click General Options.
b. In the work panel, in the Scanning section, enable Delete Encrypted Compressed Files.
c. Scroll the work panel until you see the end of the Scanning section.
Forefront Security uses the Max Container File Size, Max Nested Compressed Files, and Max Container Scan Time settings to protect against so-called "Zip-of-Death" attacks where specially crafted zip-files are used to attack the resources of antivirus engines.
d. Click Save to save the changed configuration.

Page 59
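Tasks 17 to 21 show three container behaviours: nested zip-files are inspected up to 5 levels deep, an encrypted zip-file is skipped unless Delete Encrypted Compressed Files is enabled, and the Max Container settings bound the resources a crafted archive can consume. The Python below is an added model of those checks, written for this manual; it is not Forefront code. The limit values other than the 5-level depth are assumptions, the marker CONSTRUCTED-TEST-SIGNATURE stands in for the EICAR pattern, and the "encrypted" fixture is a constructed archive whose encryption flag bit is set by hand, because the standard library cannot write password-protected zip-files.

```python
"""Added example for this manual (not Forefront code): container inspection
with the three limits the lab names.  Values other than the 5-level depth
are assumptions; the marker and the archives are constructed for the example."""
import io
import zipfile

TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for the EICAR pattern
MAX_NESTED_COMPRESSED_FILES = 5       # lab: compressed files are checked 5 levels deep
MAX_CONTAINER_FILE_SIZE = 1_000_000   # bytes of declared uncompressed content (assumed value)
ENCRYPTED_FLAG = 0x0001               # general-purpose bit 0 of a zip entry header


def inspect(data: bytes, delete_encrypted: bool, depth: int = 0) -> str:
    """Return a verdict for one attachment.  Recurses into zip-files up to
    MAX_NESTED_COMPRESSED_FILES levels; an encrypted entry is deleted when the
    Delete Encrypted Compressed Files option is on and skipped otherwise (the
    default behaviour the lab demonstrates in task 20)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "infected" if TEST_SIGNATURE in data else "clean"
    if depth >= MAX_NESTED_COMPRESSED_FILES:
        return "deleted: nesting limit exceeded"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        # Declared sizes are checked before anything is decompressed, so a
        # highly compressed "zip of death" is rejected without inflating it.
        if sum(zi.file_size for zi in entries) > MAX_CONTAINER_FILE_SIZE:
            return "deleted: container too large"
        for zi in entries:
            if zi.flag_bits & ENCRYPTED_FLAG:
                return "deleted: encrypted" if delete_encrypted else "skipped: encrypted"
            verdict = inspect(zf.read(zi), delete_encrypted, depth + 1)
            if verdict != "clean":
                return verdict
    return "clean"


def make_zip(entries: dict) -> bytes:
    """Constructed fixture: an in-memory zip-file with the given name->bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nest(payload: bytes, levels: int) -> bytes:
    """Constructed fixture: payload wrapped in `levels` zip-files (innermost entry test.com)."""
    data = payload
    for i in range(levels):
        data = make_zip({"test.com" if i == 0 else f"level{i}.zip": data})
    return data


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set the encryption bit in the first local header
    (PK\\x03\\x04, flags at offset 6) and the first central-directory entry
    (PK\\x01\\x02, flags at offset 8) of a single-entry zip-file.  Real
    password-protected archives carry the same bit plus encrypted data."""
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        data[pos + off] |= ENCRYPTED_FLAG
    return bytes(data)


def cool_game2() -> bytes:
    """Constructed stand-in for the lab's Cool Game2.zip: a zip-file holding an
    encrypted zip-file that holds the test marker."""
    return make_zip({"eicar.zip": mark_encrypted(make_zip({"test.com": TEST_SIGNATURE}))})


if __name__ == "__main__":
    print("Cool Game1-style, 1 level:", inspect(nest(TEST_SIGNATURE, 1), True))
    print("Cool Game2-style, default:", inspect(cool_game2(), False))
    print("Cool Game2-style, delete encrypted:", inspect(cool_game2(), True))
    print("6 levels deep:", inspect(nest(b"harmless", 6), True))
```

The size check deliberately uses the sizes declared in the central directory rather than inflating the entries first; a real engine additionally bounds the bytes actually decompressed and the scan time (the lab's Max Container Scan Time), because a crafted archive can lie about its declared sizes.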

Perform the following steps on the Client1 computer.

22. On the Client1 computer, send an e-mail to Administrator.
Attach the file: C:\EICAR-1\Cool Game2.zip
a. On the Client1 computer, in Outlook, on the toolbar, click New.
b. In the new message window, complete the following information:
   To: Administrator
   Subject: Cool game - 6
   (Message): Enjoy!
   Do NOT send the message yet.
c. In the e-mail window, on the Insert menu, click File.
d. In the Insert File dialog box, browse to C:\EICAR-1, select Cool Game2.zip, and then click Insert.
Cool Game2.zip is the attachment of the e-mail.
e. Click Send.
After a few seconds, the message arrives in the Inbox.

23. Examine the attachment of the new message in the Inbox.
a. In the Inbox, select the Cool game - 6 message.
The e-mail has an attachment named Cool Game2.txt.
b. In the Reading pane, right-click Cool Game2.txt, and then click Open.
Forefront Security has removed the encrypted zip-file as attachment with this e-mail.
c. Close Notepad.
Note: In the following tasks, you will configure the Manual Scan Job to remove the password-protected Cool Game2.zip attachment from the Cool game - 5 message in the mailbox of Administrator.

Perform the following steps on the WIN2003DC computer.

24. On the WIN2003DC computer, configure the manual scan job.

Bias: Max Certainty
Action: Delete: remove infection
Mailbox: Administrator
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Settings area, click Antivirus.
b. In the top work panel, select Manual Scan Job.
The Manual Scan Job can be used to scan messages that are already in the mailboxes and Public Folders. The scan job is disabled (Stopped) by default.
c. In the lower work panel, in the Bias drop-down list box, select Max Certainty.
Because the Manual scan job works on messages that are already in the users' mailboxes, and does not influence the performance of message delivery, you may want to consider using the highest number of scan engines for Manual scan jobs.
d. In the Action drop-down list box, select Delete: remove infection.
The default action for the Manual scan job is Skip: detect only.
e. Click Save to save the changed configuration.
f. In the Settings area, click Scan Job.
g. In the top work panel, ensure that Manual Scan Job is selected.
h. In the lower work panel, under Mailboxes, select Selected, and then click the little mailbox icon.
To optimize the Manual scan job, you can limit the scanning to certain mailboxes. In the lab environment, there is only a single mailbox.
i. In the Mailboxes work panel, select Administrator.
j. Click Save to save the changed configuration.

Page 60

25. Run the manual scan job.
a. In the Operate area, click Schedule Job.
You can schedule the Manual scan job to run periodically. If enabled, Forefront Security uses the Windows Task Scheduler service to run the Manual scan job at the designated times.
b. In the Operate area, click Run Job.
c. In the top work panel, ensure that Manual Scan Job is selected, and then click Start.
Forefront Security runs the Manual scan job, scanning all the content of the Administrator mailbox on the Exchange server.
Note: Unlike the Realtime scan job (on-access scanning), a Manual scan job ignores the antivirus stamp, and rescans the Cool game - 5 message in the Administrator mailbox.
After a few seconds, the lower work panel indicates that Forefront Security has removed the encrypted compressed file Cool Game2.zip from the Cool game - 5 message in the Administrator Inbox folder.
d. In the Operate area, click Quick Scan.
Instead of configuring and starting a Manual scan job, you can run a Quick scan job. This is equivalent to the configured Manual scan job.

Page 61

Perform the following steps on the Client1 computer.

26. On the Client1 computer, verify that Forefront Security has removed the Cool Game2.zip attachment from the Cool game - 5 message.
e. On the Client1 computer, in Outlook, in the Inbox of Administrator, select the Cool game - 5 message.
In the Reading pane, notice that Forefront Security has removed the Cool Game2.zip attachment, even though the zip-file was already delivered to the Administrator inbox earlier.
f. Close Outlook.
Note: In the following tasks, you will configure a Background Scan Job to rescan messages that were received in the last 3 days.

Perform the following steps on the WIN2003DC computer.

27. On the WIN2003DC computer, configure the Background Scan Job.
Message age: 3 days
Ignore antivirus stamp: Yes
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Settings area, click Scan Job.
Forefront Security Administrator lists three different types of scan jobs: Transport Scan Job, Realtime Scan Job and Manual Scan Job. However, you can configure a fourth type of scan job as well: Background Scan Job.
A background scan job is used to periodically scan a selected set of messages in the information store with the latest engine updates.
b. In the Settings area, click General Options.
c. In the work panel, scroll to the Background Scanning section, at the end of the work panel.
In the Background Scanning section, you only configure the background scan job settings. You schedule and start the background scan job in the Operate area.
d. In the Background Scanning section, in the Scan Messages Received Within the Last drop-down list box, select 3 days.
e. Ensure that the Scan Only Unscanned Messages check box is disabled.
In order to rescan messages in the information store with the latest engine updates, the background scan job must ignore the antivirus stamp on those messages. This means that you must leave the Scan Only Unscanned Messages setting disabled.
f. Click Save to save the changed configuration.

Page 62

28. Schedule and enable the Background Scan Job.
Start time: 3:10 AM
Frequency: Daily
a. In the Operate area, click Run Job.
Unlike a manual scan job, you cannot run a background scan job directly. You can only schedule a background scan job to run periodically.
b. Click Schedule Job, and then in the top work panel, select Background Scan Job.
c. In the lower work panel, complete the following information:
   Time: 3:10:00 AM
   Frequency: Daily
   and then click Save.
d. In the top work panel, click Enable.
Every day at 3:10 AM, the background scan job will use the latest engine updates to rescan messages in the information store that were received in the last 3 days.
Note: The background scan job uses the scan engine selection and bias settings from the realtime scan job.

Page 63

Exercise 2: Using File Filtering to Block Attachments

In this exercise, you will configure Forefront Security for Exchange to block file attachments, based on the file name or the file contents.

Note: This lab exercise uses the following computers: WIN2003DC - Client1
Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the WIN2003DC computer.

1. On the WIN2003DC computer, configure File Filtering to remove attachments:
- iloveyou.vbs
- *.exe
- *.bmp (larger than 3 MB)
- *.mp3 (inbound)
a. On the WIN2003DC computer, in Forefront Security Administrator, in the Filtering area, click File.
b. In the top work panel, select Transport Scan Job.
Forefront Security File Filtering can be used to scan for attachments with specific names, extensions, or file types. The file filtering also works inside zip-files, and other container files, such as Word documents.
c. In the File Names work panel, click Add.
d. In the new text box, type iloveyou.vbs, and then press Enter.
File filtering will delete all attachment files named iloveyou.vbs.
e. Click Add again.
f. In the new text box, type *.exe, and then press Enter.
File filtering will delete files with the exe extension.
To specify the file names, you can use wildcards, such as * and ?.
g. Click Add again.
h. In the new text box, type *.bmp>3MB, and then press Enter.
File filtering will delete all bmp-files that are larger than 3 MB in size.
i. In the new text box, type <in>*.mp3, and then press Enter.
File filtering will delete all mp3-files from inbound messages only.

Page 64

To specify filtering on outbound messages only, use the <out> prefix.
j. Click Save to save the changed configuration.

Perform the following steps on the Client1 computer.

2. On the Client1 computer, send an e-mail to Administrator.
Attach the file: C:\EICAR-1\test1.exe
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.
Outlook 2007 displays the mailbox of the Administrator.
b. In Outlook, on the toolbar, click New.
c. In the new message window, complete the following information:
   To: Administrator
   Subject: test - 1
   (Message): Run the attachment
   Do NOT send the message yet.
d. In the e-mail window, on the Insert menu, click File.
e. In the Insert File dialog box, browse to C:\EICAR-1, select test1.exe, and then click Insert.
f. Click Send.
g. In the Microsoft Office Outlook message box, click Yes to confirm that you want to send the message with the potentially unsafe attachment.
After a few seconds, the message arrives in the Inbox.

3. Examine the attachment of the new message in the Inbox.
a. In the Inbox, select the test - 1 message.
Forefront Security file filtering replaced the test1.exe attachment by a new text file (test1.txt).
b. In the Reading pane, right-click test1.txt, and then click Open.
Forefront Security reports that the *.exe file filter matched the original test1.exe attachment.
c. Close Notepad.

4. Copy the C:\EICAR-1\test1.exe file to C:\EICAR-1\test1.jpg.
a. Use Windows Explorer (or My Computer) to open the C:\EICAR-1 folder.
b. In the Tools folder, right-click test1.exe, and then click Copy.
c. Right-click the empty area in the Tools folder, and then click Paste.
Test1.exe is copied to Copy of test1.exe.
d. Right-click Copy of test1.exe, and then click Rename.

Page 65

9. Examine the attachment of the new message in the Inbox.
a. In the Inbox, select the test - 3 message.
Forefront Security file filtering replaced the test1.exe attachment by a new text file (test1.txt). The pic1.jpg file is still attached.
b. In the Reading pane, right-click test1.txt, and then click Open.
Forefront Security reports that the * file filter matched the original test1.jpg attachment.
c. Close Notepad.
The file filter successfully detected the renamed test1.jpg file as an executable file, and removed the attachment. The pic1.jpg file matched the file name criteria (*), but did not match the file type (EXE file type). Therefore Forefront Security did not remove the pic1.jpg attachment.

10. Close Outlook.
a. Close Outlook.
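The File Names entries in task 1 (iloveyou.vbs, *.exe, *.bmp>3MB, <in>*.mp3, and the <out> prefix) and the file-type match in task 9 (a renamed test1.jpg caught as an EXE while pic1.jpg passes) together define how an entry is evaluated: direction prefix, wildcard name, size threshold, and content type. The Python below is an added parser and matcher for that entry syntax, written for this manual; it is not Forefront code. It models only what the lab shows (the size suffix with ">" and the units B/KB/MB/GB); the magic-number table, the rule that internal messages match only entries without a direction prefix, and the sample attachments are constructed assumptions.

```python
"""Added example for this manual (not Forefront code): a parser and matcher
for File Names entries of the form [<in>|<out>]pattern[>NNunit], plus the
content-type check the lab shows in task 9.  The magic-number table, the
internal-message rule and the sample attachments are constructed assumptions."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# One entry as typed in the File Names work panel; only the ">" size form the lab uses.
RULE_RE = re.compile(
    r"^(?:<(?P<dir>in|out)>)?(?P<name>.+?)(?:>(?P<size>\d+)(?P<unit>KB|MB|GB|B))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FilterRule:
    text: str                  # entry as typed in the File Names work panel
    pattern: str               # file-name pattern with * and ? wildcards
    direction: Optional[str]   # "in", "out" or None (applies to any direction)
    min_size: Optional[int]    # bytes; entry matches only attachments larger than this
    file_type: Optional[str]   # assumption: sniffed content type such as "EXE", or None


def parse_rule(text: str, file_type: Optional[str] = None) -> FilterRule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse file filter entry: {text!r}")
    min_size = None
    if m.group("size"):
        min_size = int(m.group("size")) * SIZE_UNITS[m.group("unit").upper()]
    direction = m.group("dir").lower() if m.group("dir") else None
    return FilterRule(text, m.group("name"), direction, min_size, file_type)


def sniff_type(data: bytes) -> str:
    """Content-based type, independent of the file name (constructed magic-number table)."""
    if data.startswith(b"MZ"):
        return "EXE"
    if data.startswith(b"\xff\xd8\xff"):
        return "JPEG"
    if data.startswith(b"BM"):
        return "BMP"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP"
    return "UNKNOWN"


def rule_matches(rule: FilterRule, name: str, data: bytes, direction: str) -> bool:
    """All four criteria must hold: direction, wildcard name, size, content type."""
    if rule.direction is not None and rule.direction != direction:
        return False
    if not fnmatch.fnmatchcase(name.lower(), rule.pattern.lower()):
        return False
    if rule.min_size is not None and len(data) <= rule.min_size:
        return False
    if rule.file_type is not None and sniff_type(data) != rule.file_type:
        return False
    return True


def apply_filters(rules: Sequence[FilterRule], attachments: Sequence[Tuple[str, bytes]],
                  direction: str) -> List[Tuple[str, Optional[str]]]:
    """For each (name, data) attachment return (name, first matching entry or None).
    direction is "in", "out" or "internal"; assumption: internal messages only
    match entries without a direction prefix."""
    results = []
    for name, data in attachments:
        hit = next((r.text for r in rules if rule_matches(r, name, data, direction)), None)
        results.append((name, hit))
    return results


def lab_rules() -> List[FilterRule]:
    """The four entries from task 1 plus the "*" entry with EXE file type from task 9."""
    rules = [parse_rule(t) for t in ("iloveyou.vbs", "*.exe", "*.bmp>3MB", "<in>*.mp3")]
    rules.append(parse_rule("*", file_type="EXE"))
    return rules


if __name__ == "__main__":
    # Constructed sample attachments (names follow the lab, contents are fabricated headers).
    inbound = [("test1.exe", b"MZ\x90\x00"), ("test1.jpg", b"MZ\x90\x00"),
               ("pic1.jpg", b"\xff\xd8\xff\xe0"), ("song.mp3", b"ID3")]
    for name, hit in apply_filters(lab_rules(), inbound, "in"):
        print(f"{name}: {'removed by ' + hit if hit else 'delivered'}")
```

First-match-wins ordering mirrors how a list of entries is read top to bottom: test1.exe is reported against *.exe even though the EXE-typed "*" entry would also match it, which is what the lab's replacement text shows in task 3.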

Page 68

Appendix B: Using Forefront Client Security (FCS) to monitor and protect client computers

Lab Exercises:
Exercise 1: Using Forefront Client Security to Protect Client Computers
Exercise 2: Updating Signature Files
Exercise 3: Using Policies to Manage Client Computers
Exercise 4: Alerting, Reporting and Monitoring

Microsoft Forefront Client Security

Exercise 1: Using Forefront Client Security to Protect Client Computers


In this exercise, you will examine how Forefront Client Security (FCS) detects mal ware (viruses and spyware) on client computers and file servers.

Tasks

Detailed steps

~ Perform the following steps on the Clientl computer.

1. On the Client! computer, use FCS to perform a Quick Scan.

a. On the Client! computer, on the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.

.:.

The Microsoft Forefront Client Security window opens. This is the FCS client configuration window that is available on client computers and file servers when FCS is installed.

b. In the FCS window, click the down arrow ( ..) next to the Scan button, and then click Quick Scan.

.:.

FCS performs a Quick Scan of the computer . Depending on the speed of your computer, this will take 2 or 3 minutes. A quick scan checks for viruses and spyware at the following locations: in the processes that are loaded in memory, in afew targetedfolders (user profile, desktop, systemfolders and Program Filesfolder), at common malware extensibility points (auto start registry entries, etc).

.:.

c. Click Stop Scan to end the running quick scan. 2. Perform a Custom Scan of the C:\EICAR-2 folder. The folder contains the EICAR antivirus test file. Action: Ignore a. In the FCS window, click the down arrow ( ..) next to the Scan button, and then click Custom Scan.

.:.

Note: Do not run a full system scan in the lab environment. The hard disk contains several sample ''potentially unwanted" files that FCS should not remove yet.

b. On the Select scan options page, click Select. :. With a Custom Scan, you can scan specific locations .

.:. Note: FCS does not scan removable disks and network disks. c. In the Microsoft Forefront Client Security dialog box, expand C:\, and then select the check box for Sample . :. Ensure that you do not fully select other folders. d. Click OK to close the Microsoft Forefront Client Security dialog box. e. On the Select scan options page, click Scan Now. .:. Note: With a custom scan, FCS checks for viruses and spyware at all the quick scan locations, followed

--0--------'-'-'

.---_._--_._._- _.-

__ ._...__ ._---_._.

__

.._._-.-

by the locations selected by the user.

--- ... -_.- ---_._ ..- ..- .._--_._- ..,

.:. .:.

After the scan is completed, the Scan Results page opens, indicating that FCS detected one item: Virus:DOS/EICAR -Test -File.

.' . ..

The EICARfile is not really malicious software. It is the industry standard antivirus test file. All antivirus products detect this test file in order to simulate an infected file. f. On the Scan Results page, scroll down the information area, and then click View more information about this item online.

.:.

If you want more information about a particular detected virus or piece of spyware, you can access the Malicious Software Encyclopedia at Microsoft's Web site.

g. Close the Malicious Software Encyclopedia Web site.


h. On the Scan Results page, Close the dialog box

3. Examine the Scan


Schedule and Scan Interval settings.

a. In the FCS window, click Tools. b. On the Tools and Settings page, click Options.

.:.

On the Options page, in the Automatic scanning section, you can configure FCS to automatically scan your computer periodically. You can also specify an interval to run a Quick Scan multiple times per day. Periodically running a Quick Scan is a good practice to detect malware that appeared on the computer when the signatures were not up-to-date yet, but is now detected by updated signature definitions. and then

.:.

4. Use Notepad to
attempt to open C:\EICAR-2\ Sample-A.txt Action: Always allow.

a. Open a Command Prompt window. b. At the command prompt, type cd C:\EICAR-2, press Enter.

c. Type dir, and then press Enter. :. The C: IFiles folder contains multiple copies of the EICAR antivirus test file. d. Type notepad.exe sample-A.txt, and the press Enter .

.:. Notepad attempts to open the file.

.:. FCS displays a balloon near the system tray to notify you that it detected potentially harmful software . .:. There are two options:
Click the balloon to take the default action, or Right-click the FCS system tray icon to review or configure a custom action. For the EICAR test file, the default action is to Ignore the file. e. In the Notepad dialog box, click OK to acknowledge that access is denied.

The FCS detects the file as malware and suspends access to the file. Notepad displays an Access is denied error .

_.:--

..

_~- ._---~--~-

.'--'._-"._'--"--'."-_._'_._'---"'~,-""_., .. ._-----'-,
,,.,

f: Close Notepad.

--------------

g. Right-click the FCS system tray icon, and then click' Review detected items . :. FCS displays the detected items. The status of the file is suspended There are two options: Click Smart Clean to take the default action, or Click R~v;ew to configure a custom action. h. In the Microsoft Forefront Client Security Warning window, click Review. i. On the Apply actions to detected items page, in the Action column, select Always allow , and then click Apply Actions . .:. The FCS real-time protection will allow access to the file. j. Close the FCS window. k. At the command prompt, type notepad.exe A.txt, and then press Enter . sample;( j

k"

.~

:. Notepad opens the file. The EICAR antivirus test file consists of 68 printable characters. l. Close Notepad. m. At the command prompt, type sample-B.com, and then press Enter .. :. FCS now allows access to all files it detects as the EICAR antivirus test file. Thefile is executed, and displays a message. .5. Remove EICAR Test File from the list of allowed items. a. On the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security. b. In the FCS window, click Tools. c. On the Tools and Settings page, click Allows items . :. FCS displays the list of allowed items. d. On the Allowed items page, select the check box for Virus:DOSIEICAR_Test_File, and then click . Remove From List. e. Close the FCS window. 6. Attempt to run C:\EICAR-2\ Sample-B.com Action: Quarantine a. In the Command Prompt window, type sample-B.com, and then press ,Enter. .:. FCS real-time protection blocks access to the . sample-B. com file. b. Right-click the FCS system tray icon, and then click Open. c. In the FCS window, click Review items detected by real-time protection. d. On the Apply actions to detected items page, in the Action column, select Quarantine, and then click Apply Actions.

-----------

..-----.

.--------- ------------ ---_. ----- .. _--_. __ ..-- -----_._------_.

.:~ Fes remows

the Sample-B.comjile,

and moves it to

------_._------_.-

the quarantine area . :. Note: Quarantined files are stored as encrypted files e. At the command prompt, type dir, and then press Enter. :. The Sample-B.comfile is not present .

7. Restore
EICAR _Test_File from the quarantine area.

a. In the FCS window, click Tools. b. On the Tools and Settings page, click Quarantined items. .:. FCS displays the list of quarantined items. c. On the Quarantined items page, select the check box for . Virus:DOSIEICAR_Test_File, and then click Restore. d. In the Microsoft Forefront Client Security message box, click Yes to confirm that you want to restore this item. e. In the Command Prompt window, type dir, and then press Enter .

.:.

FCS has restored Sample-B. com from the quarantine area.

f. Close the Command Prompt window.

8. Examine the FCS


history listing.

a. In the FCS window, click History. .:. On the History page, you can review all FCS activities. b. Close the FCS window. a. On the Start menu, click Administrative then click Event Viewer. Tools, and

9. Examine the FCS


events in the System event log.

.:.

The Event Viewer console opens.

b. Maximize the Event Viewer console, if that is not done already. c. In the Event Viewer console, in the left pane, expand Windows Logs, and then select System . :. FCS reports configuration changes, and malware detections in the System event log. d. In the right pane, right-click a FCSAM event with Event ID 3005, and then click Event Properties .

.:.

.:. Note: FCSAM

The event indicates that FCS real-time protection has taken action after detecting a piece of malware .

standfor Forefront Client Security Antimalware. Antimalware is the combined term for Antivirus and Antispyware.

e. Click Close to close the Event Properties dialog box. f. Close the Event Viewer console.

Exercise 2: Updating Signature Files

In this exercise, you will configure Windows Server Update Services (WSUS) so that FCS client computers can update the signature definition files.

Tasks and detailed steps

➤ Perform the following steps on the Client1 computer.

1. On the Client1 computer, examine the current scanning engine and malware definition version numbers.
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.
   ❖ The FCS window opens.
   ❖ In the Status section, you can see the version numbers of the currently loaded antivirus signature definition and antispyware signature definition.
   ❖ When the current definitions are more than 14 days old, FCS displays an orange warning indicating that you should check for updated signature definitions. This is also the reason that FCS displays an orange icon in the system tray area.
b. In the FCS window, click Home.
c. Click the down arrow next to the round blue Help button, and then click About Microsoft Forefront Client Security.
   ❖ In the system information section, you can see the version numbers of the client software, the scanning engine, the antivirus definitions and the antispyware definitions. The engine and the definitions may be updated regularly.
d. Click OK to close the Microsoft Forefront Client Security dialog box.

2. Attempt to update the signature definitions manually.
a. On the FCS window main page, click Check for Updates Now (or click the down arrow next to the round blue Help button, and click Check for Updates).
   ❖ Note: If the current definitions are less than 14 days old, the FCS window does not display the Check for Updates Now button.
   ❖ FCS connects to WSUS on Forefront, and checks for new definitions or updates. Currently, WSUS does not have new definitions available.
   ❖ After a few moments, the balloon indicates that no new definitions and engine updates are available.
b. Close the notification balloon near the system tray.

➤ Perform the following steps on the Forefront computer.

3. On the Forefront computer, examine the WSUS products and update classifications.
a. On the Forefront computer, on the Start menu, click Administrative Tools, and then click Microsoft Windows Server Update Services.
   ❖ The WSUS 2.0 console opens.
b. In the WSUS console, click Options.
c. On the Options page, click Synchronization Options.
d. On the Synchronization Options page, in the Products and Classifications section, under Products, click Change.
   ❖ Forefront Client Security is a separate product for which Microsoft Update provides updates.
e. Click Cancel to close the Add/Remove Products dialog box.
f. Under Update Classifications, click Change.
   ❖ Definition Updates is a separate classification of updates, available through Microsoft Update.
g. Click Cancel to close the Add/Remove Classifications dialog box.

4. Examine the WSUS update frequency, and the FCS update assistant service.
a. In the WSUS console, scroll the Synchronization Options page so that you can see the Update Source section.
   ❖ WSUS obtains definition updates for FCS from Microsoft Update.
b. Scroll back to the top of the options page, so that you can see the Schedule section.
   ❖ Note: The default WSUS 2.0 configuration is to synchronize with Microsoft Update once per day, at a particular time.
c. On the Start menu, click Administrative Tools, and then click Services.
   ❖ The Services console opens.
d. In the Services console, select the Microsoft Client Security Update Assistant service.
   ❖ Because WSUS only connects to Microsoft Update once per day, FCS installs a special service that automatically connects WSUS "manually" to Microsoft Update once per hour. This ensures that WSUS obtains available definition updates within an hour after they are released. The service also automatically approves these updates for distribution and installation.
   ❖ Note: The newer WSUS 3.0 version allows you to specify a synchronization schedule more often than once per day. The update assistant service is no longer used when you use WSUS 3.0.
e. Close the Services console.

5. In WSUS, approve the most recent definition updates.
a. In the WSUS console, click Updates.
   ❖ Currently, WSUS lists several definition updates.
   ❖ Note: The definition updates contain both the antivirus signature definitions and the antispyware definitions.
b. In the list of definition updates, select the most recent (top) definition update, and then in the Update Tasks section, click Change approval.
c. In the Approve Updates dialog box, ensure that the Approval drop-down list box is set to Install, and then click OK.
   ❖ The new definition update is now available for installation by FCS client computers.
   ❖ Note: To ensure that WSUS has saved all its changes, wait a few seconds before performing the next task.

➤ Perform the following steps on the Client1 computer.

6. On the Client1 computer, update the signature definitions manually.
a. On the Client1 computer, in the FCS window, click Check for Updates Now (or click the down arrow next to the round blue Help button, and click Check for Updates).
   ❖ FCS connects to WSUS on Forefront, and checks for new definitions.
   ❖ While the new definitions are being downloaded, FCS continues to use the existing definitions. After the definitions are downloaded, FCS switches to use the new definitions.
b. Wait until the notification balloon near the system tray notifies you that the definitions are up to date.
c. Close the notification balloon near the system tray.
d. Click Home.
   ❖ In the Status section, you can see the updated version numbers of the definition signature files.
e. Close the FCS window.

➤ Perform the following steps on the Forefront computer.

7. On the Forefront computer, in WSUS, examine the updates report.
a. On the Forefront computer, in the WSUS console, click Reports.
b. On the Reports page, click Status of Updates.
c. On the Status of Updates page, in the left pane, complete the following information, and then click Apply:
   Computer group: All Computers (default)
   Installed: enabled
   Other check boxes: disabled (default)
d. In the right pane, expand the Definition Update entry for Forefront Client Security with the highest version number, and then expand All Computers.
   ❖ This definition update is installed on Client1.tanduc.local.
e. In the Computer Name section, click Client1.tanduc.local.
f. In the Computer Properties dialog box, select the Status tab.
   ❖ WSUS maintains the installation history for each computer.
g. Click Close to close the Computer Properties dialog box.
h. Close the WSUS console.

Exercise 3: Using Policies to Manage Clients

In this exercise, you will create FCS policies to centrally manage multiple FCS client computers. You will deploy FCS policies to a particular organizational unit, and export a policy to a file.

Perform these steps on the Win2003DC machine to create the Client Computers OU:
From Start -> Programs -> Administrative Tools, open Active Directory Users and Groups.
In the Active Directory Users and Computers dialog box, right-click tanduc.local, and then select New -> Organizational Unit.
On the New Object page, enter Client Computers in the Name text box, and then click OK.
Move Client1 from the Computers folder to the Client Computers OU, and click Yes.

Tasks and detailed steps

➤ Perform the following steps on the Client1 computer.

1. On the Client1 computer, examine the available options in the FCS window.
a. On the Client1 computer, on the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.
   ❖ The FCS client window opens.
b. In the FCS window, click Tools.
c. On the Tools and Settings page, click Options.
   ❖ Currently the FCS client on Client1 is not managed centrally. The user is able to change the option settings, and when malware is detected, the user is offered the option to take a custom action.
d. Close the FCS window.

➤ Perform the following steps on the Forefront computer.

2. On the Forefront computer, use Active Directory Users and Computers to examine the Client Computers organizational unit.
a. On the Forefront computer, on the Start menu, click Administrative Tools, and then click Active Directory Users and Computers.
   ❖ The Active Directory Users and Computers console opens.
b. In the Active Directory Users and Computers console, expand contoso.com, and then select Client Computers.
   ❖ In the lab environment, all client computers (Client1) are placed in an organizational unit (OU) called Client Computers.
c. Close the Active Directory Users and Computers console.

3. Create a new FCS policy.
   Name: FCS Central Policy
   Spyware protection: User controlled
   Scheduled scan: Every day - 3:00 AM
   Check for updates: Every 2 hours
   Failover to Microsoft Update: yes
   Client options: Full user interface
a. On the Start menu, click All Programs, click Microsoft Forefront, click Client Security, and then click Microsoft Forefront Client Security Console.
   ❖ The FCS management console opens.
   ❖ Note: ... the FCS management console, and the FCS client.
b. In the FCS management console, select the Policy Management tab.
   ❖ The Policy Management tab lists the defined FCS policies. You can deploy an FCS policy to one or more client computers.
c. On the Policy Management tab, click New.
d. In the New Policy dialog box, on the General tab, in the Name box, type FCS Central Policy.
e. In the Comments text box, type FCS policy for all client computers.
f. On the Protection tab, in the Malware protection section, open the Spyware protection drop-down list box, and select User controlled.
   ❖ The FCS policy specifies whether virus protection and spyware protection is enabled or disabled centrally, or is controlled by users.
g. In the Malware scanning section, in the Start time drop-down list boxes, configure a scan Every day at 3:00 AM.
h. On the Advanced tab, in the Malware definition updates section, in the Check for updates at set interval (hours) text box, type 2.
   ❖ The FCS policy specifies that the FCS client must check for updates (connect to WSUS) every 2 hours.
i. In the Malware definition updates section, enable the Check for updates on Microsoft Update when WSUS is unavailable option.
j. In the Microsoft Forefront Client Security dialog box, enable the Check for updates on Microsoft Update when client computers cannot connect to the WSUS server option, and then click OK.
   ❖ This option configures the FCS client computer to fail over to Microsoft Update on the Internet when the WSUS server is unavailable. This is especially important for mobile computers, which are very often not connected to the network that contains the WSUS server.
k. In the Client Options section, select User can view all Client Security agent settings and messages.
   ❖ The FCS policy specifies whether the user can view settings and respond to prompts, or whether the user has a limited user interface.
l. Select the Overrides tab.
   ❖ In the FCS policy, you can define the action that should be taken instead of the signature-defined action. This can be based on the category of malware (email flooder, password stealer, etc.), or even per individual malware signature in the definition database.
m. Click the lower Add button.
n. In the Classification column, click the down-arrow button, and then select Category.
o. In the Type column, click the down-arrow button, and then select Browser Modifier.
p. In the Override Response column, click the down-arrow button, and then select Ignore.
   ❖ The FCS policy ignores Browser Modifier software.
q. Click the lower Remove button to remove the category action override from the policy.
r. Click OK to close the New Policy dialog box.
   ❖ A new FCS policy named FCS Central Policy is created. The policy is not deployed yet.
   ❖ Notice that the icon for the policy looks like the paper icon from the Edit button. This indicates that the policy is not yet deployed to client computers.

4. Deploy the FCS Central Policy to the Client Computers OU.
a. In the FCS management console, on the Policy Management tab, right-click FCS Central Policy, and then click Deploy.
   ❖ You can deploy an FCS policy by using four different methods:
   Organizational unit (OU) - The policy applies to all computers in the OU.
   Security group - The policy applies to all computers in the security group.
   Group Policy Object (GPO) - The policy applies to all computers in the organizational unit that the GPO is linked to.
   File (*.reg) - The policy applies to all computers on which you manually deploy the *.reg policy file.
b. In the Deploy dialog box, click Add OU.
c. In the Active Directory dialog box, expand the tanduc domain, select the Client Computers OU, and then click OK.
d. In the Deploy dialog box, click Deploy.
   ❖ FCS deploys the policy to the Client Computers OU. Notice that the icon for the policy now looks like the icon for the Deploy button.
   ❖ FCS uses the Group Policy Management Console (GPMC) API to create a new group policy object (GPO), and link it to the Client Computers OU. The new GPO contains all the settings specified in the FCS policy.

5. Use GPMC to examine the FCS Central Policy settings.
a. On the Start menu, click Administrative Tools, and then click Group Policy Management.
   ❖ The Group Policy Management console opens.
b. In the Group Policy Management console, expand Forest: tanduc.local, expand Domains, expand the tanduc.local domain, and then select the Client Computers OU.
   ❖ In the right pane, notice that FCS has created a new GPO that has the same name as the FCS policy (FCS Central Policy). The new GPO is linked to the Client Computers OU.
c. In the left pane, expand the Client Computers OU, and then select the FCS-FCS Central Policy-{...}-n GPO.
d. In the right pane, select the Settings tab.
e. At the end of the Extra Registry Settings line, click show.
   ❖ GPMC displays the list of HKLM registry settings that the FCS Central Policy GPO applies to computers in the Client Computers OU.
f. Close the Group Policy Management console.

➤ Perform the following steps on the Client1 computer.

6. On the Client1 computer, force group policy processing.
a. On the Client1 computer, open a Command Prompt window.
b. At the command prompt, type gpupdate.exe /force, and then press Enter. (You might restart Client1 if the policy doesn't get refreshed.)
   ❖ By default, client computers re-apply group policies every 90 minutes. To apply the new FCS Central Policy GPO immediately, you must run the gpupdate.exe command.
c. Wait a few moments for the policy processing to complete.
d. Close the Command Prompt window.

7. Examine the available options in the FCS window.
a. On the Start menu, click All Programs, click Microsoft Forefront, and then click Forefront Client Security.
   ❖ The FCS client window opens.
b. In the FCS window, click Tools.
c. On the Tools and Settings page, click Options.
   ❖ Notice that most options are grayed out. Because a central FCS policy applies to Client1, you can no longer configure the Options settings through the user interface. As an example, the FCS Central Policy allows users to control the spyware protection setting, so that option is not grayed out.
d. Scroll to the bottom of the Options page.
e. Close the FCS window.

8. Attempt to run C:\EICAR-2\Sample-C.com. Action: Quarantine
a. Open a Command Prompt window.
b. At the command prompt, type cd \Sample, and then press Enter.
   ❖ The C:\EICAR-2 folder contains copies of the EICAR antivirus test file.
c. Type Sample-C.com, and then press Enter.
   ❖ FCS suspends access to the file.
d. Right-click the FCS system tray icon, and then click Open.
e. In the FCS window, click Review items detected by real-time protection.
f. On the Apply actions to detected items page, in the Action column, select Quarantine, and then click Apply Actions.
   ❖ The user has indicated that Sample-C.com is moved to the quarantine area.
   ❖ Notice that the current central FCS policy limits access to the FCS configuration options, but still allows the user to respond to action prompts.
g. Close the FCS window.

➤ Perform the following steps on the Forefront computer.

9. Edit the FCS Central Policy. Client options: Limited user interface
a. On the Forefront computer, in the FCS management console, on the Policy Management tab, right-click FCS Central Policy, and then click Edit.
b. In the Edit Policy dialog box, select the Advanced tab.
c. On the Advanced tab, in the Client options section, select User can only view system tray icon and status messages.
   ❖ The FCS policy is updated so that the user can no longer respond to action prompts.
   ❖ The FCS Central Policy content is changed. However, the updated settings are not yet deployed to the GPO linked to the Client Computers OU. Notice that the icon for the policy looks like the icon for the Edit button, combined with a yellow Deploy arrow.
d. Click OK to close the Edit Policy dialog box.

10. Redeploy the FCS Central Policy.
a. Right-click FCS Central Policy, and then click Deploy.
b. In the Deploy dialog box, click Deploy.
   ❖ FCS redeploys the changed policy settings to the GPO linked to the Client Computers OU.

➤ Perform the following steps on the Client1 computer.

11. On the Client1 computer, force group policy processing.
a. On the Client1 computer, in the Command Prompt window, type gpupdate.exe /force, and then press Enter.
   ❖ The updated FCS Central Policy GPO is applied.
b. Wait a few moments for the policy processing to complete.

12. Attempt to open the FCS window.
a. In the system tray, double-click the FCS icon.
   ❖ A balloon appears, notifying you that a system administrator manages FCS. You can no longer use the FCS client window.
b. Close the notification balloon.

13. Attempt to run C:\EICAR-2\Sample-D.com. Action: (automatic)
a. In the Command Prompt window, at the command prompt, type cd \Sample, and then press Enter.
b. Type Sample-D.com, and then press Enter.
   ❖ FCS suspends access to the file.
c. Right-click the FCS system tray icon, and then click Review detected items.
   ❖ You can only review the detected items. You cannot change the signature-defined (or policy-defined) action for the detected piece of malware.
d. In the Microsoft Forefront Client Security Warning dialog box, click Smart Clean.
   ❖ FCS performs the configured action (remove) on the detected file.
   ❖ Note: If the user does not review the detected items and click Smart Clean, then FCS will perform the configured action automatically after 10 minutes.
e. Close the Command Prompt window.

➤ Note: In the next tasks, you will deploy an FCS policy to a file, and then manually apply the file to the Forefront computer. This procedure is used to apply policies to computers that are not usually connected to the network, for example laptop computers. We use the Forefront machine for this example only.

➤ Perform these tasks on the Forefront machine.

14. Deploy the FCS Server Policy to a file named C:\FCS Server Policy.reg.
a. In the FCS management console, on the Policy Management tab, right-click FCS Central Policy, and then click Copy.
b. In the New Policy dialog box, type FCS Server Policy, and then click OK.
c. Right-click FCS Server Policy, and then click Deploy.
d. In the Deploy dialog box, click Add File.
e. In the Save As dialog box, browse to the C:\ folder, and then click Save.
f. In the Deploy dialog box, click Deploy.
   ❖ The FCS policy is saved as C:\FCS Server Policy.reg.
   ❖ You can browse to C:\ to see the FCS Server Policy.reg file. Do not open this file.
   ❖ Notice that the icon for the policy indicates that the FCS policy has been deployed. However, you still need to copy the file to the intended computers, and manually apply the file.
g. Close the FCS management console.

15. Use C:\FCS\FCSLocalPolicyTool.exe to apply the C:\FCS Server Policy.reg file.
a. Open a Command Prompt window.
b. At the command prompt, type cd \, and then press Enter.
c. Type type *.reg, press Tab to expand the file name, and then press Enter.
   ❖ The C:\FCS Server Policy.reg file is a normal Registry export file, containing a list of registry settings.
d. At the command prompt, type cd c:\fcs, and then press Enter.
e. Type dir, and then press Enter.
f. Type FCSLocalPolicyTool.exe, and then press Enter.
   ❖ The C:\FCS folder contains a copy of the local policy tool from the FCS product CD-ROM. You use this tool to import an FCS policy file (*.reg) on the local machine.
g. Type FCSLocalPolicyTool.exe /I C:\*.reg, press Tab to expand the file name, and then press Enter.
   ❖ The local policy tool imports the FCS policy settings into the local group policy, and then starts group policy processing.
   ❖ Note: When the client computer processes group policies, the local group policy (containing the policy file settings) is overwritten by domain or OU-based GPOs. Therefore, you can use FCSLocalPolicyTool.exe only to apply a policy file to computers that do not have an FCS policy applied through a domain or OU-based GPO.
h. Close the Command Prompt window.
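The exported policy file is described above as a normal Registry export containing HKLM settings. The following added example (not the lab's or Microsoft's code) parses such a .reg export into key/value pairs and checks that every key lives under HKEY_LOCAL_MACHINE before it would be imported. The sample file, its key paths and value names are constructed placeholders, not the real FCS registry layout.

```python
"""Added example: parse a Registry Editor 5.00 export (.reg) such as the one FCS
writes when a policy is deployed to a file, list its settings, and flag any key
outside HKEY_LOCAL_MACHINE. Key paths and value names below are hypothetical."""
import re
from typing import Dict, List

# Constructed sample. Real .reg exports are UTF-16 files; here a plain str literal.
# The key path and value names are placeholders, not FCS's actual registry layout.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ExamplePolicyVendor\FCS-Lab]
"ScheduledScanDay"=dword:00000000
"ScheduledScanTime"=dword:000000b4
"CheckForUpdatesIntervalHours"=dword:00000002
"FallbackToMicrosoftUpdate"=dword:00000001
"PolicyName"="FCS Server Policy"
"UIMode"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\ExampleShouldNotBeHere]
"Oops"="user hive setting"
'''
# (ScheduledScanTime 0xb4 = 180 minutes after midnight, i.e. the lab's 3:00 AM scan,
#  as a constructed encoding.)

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [key] or [-key] (delete)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=value or @=value

def _decode_value(raw: str):
    """Decode the common .reg value encodings into Python values."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')  # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                                    # REG_DWORD
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)  # REG_BINARY
    if raw == "-":
        return None                                                # value deletion
    return raw  # other types (hex(2), hex(7), ...) are kept as raw text

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}}; '@' is the key's default value.
    Multi-line hex continuations (trailing backslash) are not handled here."""
    settings: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            settings.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            settings[current][name] = _decode_value(m.group(2))
    return settings

def non_hklm_keys(settings: Dict[str, Dict[str, object]]) -> List[str]:
    """Keys outside HKEY_LOCAL_MACHINE. An FCS policy file should have none, since
    the deployed GPO only carries HKLM settings (as seen in GPMC in the lab)."""
    return [k for k in settings if not k.upper().startswith("HKEY_LOCAL_MACHINE\\")]

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, values in parsed.items():
        print(key)
        for name, value in values.items():
            print(f"    {name} = {value!r}")
    print("keys outside HKLM:", non_hklm_keys(parsed))
```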

Exercise 4: Alerting, Reporting and Monitoring


In this exercise, you will examine the alerting and reporting functions of Forefront Client Security. Tasks Detailed steps

~ Perform the following steps on the Forefront computer.

I.Examine the FCS dashboard.

a.' On the Start menu, click All Programs, click Microsoft Forefront, click Client Security, and then click Microsoft Forefront Client Security Console.

.: . The FCS management


.:.

console opens .

FCS uses MOM 2005 to collect events and data from all FCS client computers. MOM uses SQL Reporting Services to provide administrators with an overview of the issues and vulnerabilities that FCS detected. Some events or event levels are presented as notifications or alerts to the administrators.

b. In the FCS management console, ensure that the Dashboard tab is selected. .:. The Dashboard page provide a quick overview of the reported issues over the last 24 hours. .:. The 14-Day History chart displays the trend of computers reporting issues over the last 14 days.

.:.
2. Examine the Alerts View in the MOM Operator console.

The bottom section of the dashboard contains a summary of the active alerts in MOM

a. On the Dashboard tab, in the Notifications section, click the top alert notification. .:. FCS opens the MOM Operator console. b. In the left pane, select the Alerts section, and then under Alert Views, expand Microsoft Forefront Security, and then select Alerts. :. This selection limits the view to just FCS alerts .

c. In the top part of the Detail pane, select an alert. .:. In the bottom part, you can see information about this alert. d. Close the MOM Operator console. 3.Create a new FCS policy with the highest alert level. Name: FCS. Executive Policy Alert level: 5 a. In the FCS management console, select the Policy Management tab. .:. In order to reduce the number of alefts, you can configure FCS to only generate certain alerts, based on a so-called alert levels. assigned to each client computer. You specify the alert level in an FCS policy. b. On the Policy Management tab, click New.


c. In the New Policy dialog box, on the General tab, in the Name text box, type FCS Executive Policy.
d. In the Comments text box, type FCS policy for computers of executives.
   - You want to deploy an FCS policy that applies to computers of executives or management in the organization. Those computers require high availability and may contain crucial data.
e. On the Reporting tab, in the Alert level section, move the slider to High (Alert Level 5).
   - The assigned alert level on a client computer specifies which alerts are generated. For example, if FCS detects malware and successfully removes it from the client computer, then only at levels 4 and 5 will this event be issued as an alert.
f. Click OK to close the New Policy dialog box.
   - A new FCS policy named FCS Executive Policy is created.
   - Note: In this lab exercise, you will not deploy this new FCS policy to any computers.
4. Examine the definition of the Reinfected Computer alert for alert level 3.

a. On the Start menu, click All Programs, click Microsoft Operations Manager 2005, and then click Administrator Console.
   - The MOM Administrator console opens.
b. In the MOM Administrator console, in the left pane, expand Microsoft Operations Manager (FOREFRONT), expand Management Packs, expand Rule Groups, expand Microsoft Forefront Client Security, and then expand Host Alerts.
   - The FCS management pack defines parameters for specific alerts per alert level.
c. Under Host Alerts, expand Alert Level 3, and then select Event Rules.
d. In the Detail pane, right-click Reinfected Computer Parameters - Alert Level 3, and then click Properties.
e. In the Event Rule Properties dialog box, on the Responses tab, select the response line, and then click Edit.
   - By default, MOM issues a Reinfected Computer alert if a client computer is infected 3 times with the same malware within a 72 hour (3 days) period.
f. Click Cancel to close the Launch a Script dialog box.
g. Click Cancel to close the Event Rule Properties dialog box.
h. Close the MOM Administrator console.
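The alert-level filter from task 3 and the Reinfected Computer rule from task 4, modelled in Python over constructed detection events. This is an added illustration written for this page, not code from the lab or from FCS/MOM; the "removed only at levels 4 and 5" threshold and the 3-detections-in-72-hours rule come from the steps above, while the event format, the threshold for failed removals and the sample computer names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detection events, not real FCS/MOM data:
# (timestamp, computer, malware name, action taken by the FCS client)
EVENTS = [
    (datetime(2009, 1, 1, 8, 0),   "CLIENT01", "EICAR_Test_File", "removed"),
    (datetime(2009, 1, 1, 20, 0),  "CLIENT01", "EICAR_Test_File", "removed"),
    (datetime(2009, 1, 3, 9, 0),   "CLIENT01", "EICAR_Test_File", "removed"),
    (datetime(2009, 1, 2, 10, 0),  "EXEC01",   "EICAR_Test_File", "removed"),
    (datetime(2009, 1, 10, 10, 0), "EXEC01",   "EICAR_Test_File", "removed"),
    (datetime(2009, 1, 20, 10, 0), "EXEC01",   "EICAR_Test_File", "removed"),
    (datetime(2009, 1, 5, 11, 0),  "CLIENT01", "Sample.Trojan",   "remove_failed"),
]

# Minimum policy alert level at which an event kind is raised as an alert.
# "removed" only at levels 4 and 5 is what the lab states; raising
# "remove_failed" at every level is an assumption made for this illustration.
MIN_ALERT_LEVEL = {"removed": 4, "remove_failed": 1}

def reinfected_computers(events, count=3, window=timedelta(hours=72)):
    """Return {(computer, malware)} seen `count` times within `window`
    (defaults mirror the Reinfected Computer rule examined in task 4)."""
    stamps = defaultdict(list)
    for ts, computer, malware, _ in events:
        stamps[(computer, malware)].append(ts)
    hits = set()
    for key, times in stamps.items():
        times.sort()
        # slide over `count` consecutive detections; any run inside the window counts
        if any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1)):
            hits.add(key)
    return hits

def alerts_for_policy(events, alert_level):
    """List the alerts a policy with the given alert level would raise.
    The reinfection rule is applied at every level here (assumption)."""
    if not 1 <= alert_level <= 5:
        raise ValueError("FCS alert levels run from 1 to 5")
    alerts = []
    for ts, computer, malware, action in events:
        if alert_level >= MIN_ALERT_LEVEL[action]:
            alerts.append(f"{computer}: {malware} {action} at {ts:%Y-%m-%d %H:%M}")
    for computer, malware in sorted(reinfected_computers(events)):
        alerts.append(f"{computer}: Reinfected Computer ({malware})")
    return alerts

if __name__ == "__main__":
    for level in (3, 5):
        print(f"Alert level {level}:")
        for line in alerts_for_policy(EVENTS, level):
            print("  " + line)
```

At level 3 only the failed removal and the reinfection surface; at level 5 every successful removal is alerted as well, which is why the executive policy above is noisier by design.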

5. Examine the Computer Summary report.

a. In the FCS management console, select the Dashboard tab.
   - The dashboard is the central place to start exploring FCS reports.
   - Each column-chart icon on the Dashboard page represents a link to an available report.
b. Click the Reporting Critical Issues icon.
   - FCS opens the Computer Summary report.
c. In the Computer Summary report, scroll down the report until you see the list of computer names in the table of computers that reported issues.
d. In the computer name table, click the first computer name in the list.
   - You can get a detailed report on each FCS client computer.
e. In the Computer Detail By ID report, scroll down the report to examine its contents.
f. Close the Computer Detail By ID report.


6. Examine the Security Summary, Deployment Summary and Connectivity Summary reports.

a. In the FCS management console, select the Dashboard tab.
   - On the right side of the Dashboard page, there is a list of six Summary Reports: Alerts Summary, Computers Summary, Deployment Summary, Malware Summary, Security State Assessment Summary, Security Summary.
b. On the right side, in the Summary Reports section, click the Security Summary link.
   - The Security Summary contains an overview of all the other five summary reports. Each report has links to drill down into other reports and see more details.
   - The top part of each report allows you to filter the data, so that the report only applies to a subset of the FCS client computers, or to a relevant time span.
c. In the Security Summary report, scroll down the report so that you can see the Policy Deployment Status pie chart.
d. Above the Policy Deployment Status pie chart, click the Deployment Summary link.
   - The Deployment Summary report opens.
   - The report displays the signature deployment status and FCS policy deployment status for all FCS client computers.

e. Close the Deployment Summary report.

7. Examine the Malware Summary report.

a. In the FCS management console, on the Dashboard tab, in the Summary Reports section, click the Malware Summary link.
   - The Malware Summary report opens.
   - The report displays all the detected pieces of malware, grouped by action taken.
b. In the Malware Summary report, scroll down the report so that you can see the Malware Instances Details listing.
c. In the Malware Instances Details section, expand Remove.
d. If EICAR_Test_File is in the list, then click that; else click the first malware in the list.
   - You can get a detailed occurrence report for each detected malware.
e. In the Malware Detail report, scroll to the Malware Information section.
f. If you clicked EICAR_Test_File, then right-click EICAR_Test_File Encyclopedia Information, and then click Open in New Window.
   - You can access the Malicious Software Encyclopedia at the Microsoft Web site directly from the Malware report.
   - Note: In the lab environment, only the EICAR antivirus test file portion of the Microsoft Web site is available.
g. Close the Malicious Software Encyclopedia window.
h. Close the Malware Detail report.
i. Close the FCS management console.