
Introducing Microsoft Forefront Client Security
Steve Lamb
Technical Security Advisor, Microsoft Ltd
stephen.lamb@microsoft.com
http://blogs.technet.com/steve_lamb
Introduction
Infrastructure Overview
Defining Security Steady State
Keeping Systems Up to Date
Reporting and Alerting
Summary
Threats are more dangerous than ever
• More advanced
• Profit motivated
• More frequent
• Application-oriented
Fragmentation of security technology
• Too many point products
• Poor interoperability among security products
• Lack of integration with IT infrastructure
Difficult to use, deploy and manage
• Multiple consoles
• Uncoordinated event reporting & analysis
• Cost and complexity
Security Solution Requirements

“All security frameworks should include a comprehensive, layered approach...” – Understanding the Nine Protection Styles of Host-Based Intrusion Prevention
“Integration and simplified manageability are important drivers when purchasing security” – The State of Security in SMB & Enterprises, Forrester Research, Inc., Sept. 21, 2005
Microsoft Forefront’s comprehensive line of
business security products helps you gain
greater protection through deep integration
and simplified management
Product comparison chart (per-product check marks were not preserved in the extraction):
For individual users: MSRT, Windows Defender, Windows Live Safety Center, Windows Live OneCare
For businesses: Microsoft Forefront Client Security
Capabilities compared: Remove most prevalent viruses; Remove all known viruses; Real-time antivirus; Remove all known spyware; Real-time antispyware; Central reporting and alerting; Customization; IT Infrastructure Integration
Unified malware protection for business
desktops, laptops and server operating
systems that is easier to manage and
control
One solution for spyware and virus protection
Built on protection technology used by millions
worldwide
Effective threat response
Complements other Microsoft security products
One console for simplified security administration
• Define one policy to manage client protection agent settings
• Deploy signatures and software faster
• Integrates with your existing infrastructure
One dashboard for visibility into threats and vulnerabilities
• View insightful reports
• Stay informed with state assessment scans and security alerts
One engine for virus and spyware protection
• Also used in Windows Defender, OneCare, Antigen, MSRT, etc.
• Comprehensive system cleaning for viruses and spyware, with checks to ensure the system is fully functional after cleaning
• Real-time, scheduled or on-demand detection & removal
Tenets of a unified design
• Security, accuracy & performance: core engine metrics
• Scale: usage drives sample submissions and signature creation
• Multi-user or limited user support
Detection and removal capabilities include:
• Scanning dozens of archives and packers
• Using tunneling signatures that bypass user mode rootkits
• Code emulation for behavior analysis and polymorphic viruses
• Heuristic or generic detections for new malware and variants
• Directed quick-scan: identifies latent registry keys and files that reference the scan target files; quarantines/removes ClassIDs, RunKeys, and the infected files as one unit
• Cleaning scripts: custom script language for cleaning difficult threats
Flexible engine design enables:
• Frequent updates for new format support and detection features
• Engine to be delivered as part of the signature package
Define security steady state
Specify the ongoing security behavior of my
clients
Keep systems up-to-date
Ensure that clients have the latest signatures
View reports
Determine the security state, now and over time
Respond to alerts
What critical security events require my attention?
Console deploys policy through use of Active Directory Group Policy Objects
Granularity at OU-level, with exceptions using security groups
If:
Policy A → Redmond OU
Policy B → Marketing Security Group
Then:
Marketing in the Redmond OU will get Policy B
Console creates GPO, sends to Sysvol, GP deploys profile
Policy applied on host per AD default
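The OU-plus-exception precedence from the If/Then example above, worked as a small resolver (an added illustration, not code from the slides or from Forefront Client Security; the OU, group, policy and computer names are constructed sample data):

```python
"""Added illustration of the slide's policy precedence rule: a policy linked to
an OU applies to every computer in it, but a policy bound to a security group
is an exception that overrides the OU policy. Not Forefront Client Security
code; the OU, group, policy and computer names below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample bindings, mirroring the slide: Policy A -> Redmond OU,
# Policy B -> Marketing security group.
OU_POLICIES = {"Redmond": "Policy A"}
GROUP_EXCEPTIONS = {"Marketing": "Policy B"}


@dataclass
class Computer:
    name: str
    ou_path: list[str]                    # root first, e.g. ["Contoso", "Redmond"]
    groups: set[str] = field(default_factory=set)


def resolve_policy(computer: Computer, ou_policies=OU_POLICIES,
                   group_exceptions=GROUP_EXCEPTIONS) -> tuple[str | None, str]:
    """Return (policy name, reason) for one computer.

    1. Security-group exceptions win over OU links (the slide's "Marketing in
       the Redmond OU will get Policy B").
    2. With no matching exception, the deepest OU carrying a policy wins, the
       usual Group Policy precedence for nested OUs.
    3. Two matching exception groups with different policies is a configuration
       conflict: raise so the administrator fixes it instead of silently picking.
    """
    matched = {group_exceptions[g] for g in computer.groups if g in group_exceptions}
    if len(matched) > 1:
        raise ValueError(f"{computer.name}: conflicting exceptions {sorted(matched)}")
    if matched:
        return matched.pop(), "security group exception"
    for ou in reversed(computer.ou_path):
        if ou in ou_policies:
            return ou_policies[ou], f"policy linked to OU {ou}"
    return None, "no policy linked"


# Constructed sample computers.
MARKETING_PC = Computer("MKT-01", ["Contoso", "Redmond"], {"Marketing"})
ENGINEERING_PC = Computer("ENG-01", ["Contoso", "Redmond"], {"Engineering"})
UNMANAGED_PC = Computer("LAB-01", ["Contoso", "Lab"])

if __name__ == "__main__":
    for pc in (MARKETING_PC, ENGINEERING_PC, UNMANAGED_PC):
        print(pc.name, resolve_policy(pc))
```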
Policy deployment options compared:

| | Client Security Console | GPMC | Existing SW Dist System |
|---|---|---|---|
| Infrastructure used | AD/GP | AD/GP | SW dist system |
| Create and edit profile | In Console | GPMC, using ADM file | Exported files |
| Targeting granularity | OU-level | Single machine | Single machine |
| Profile exceptions | Security Groups | Unlimited | Unlimited |
| Enables profile compliance report | Yes | No | No |

*Agents deployed via existing software distribution system
Defining Security Steady State
Multiple data sources enabling advanced telemetry on threats
Dedicated team, analysis automation and testing
Tightly integrated with industry leading MSRC response process
Security Research Organization
• Identify malware and create signature definitions
• Develop Windows Defender (25+ million users) & MSRT
• Achieved VB 100% award, West Coast Labs & ICSA Certification
• With protection engine implementation in Windows Live OneCare
• MSRT whitepaper: In-depth perspective of the malware
• Signature deployment optimized for Malware Research
• Windows Server Update Services (WSUS)
• Can use any software distribution system
• Auto and manual approval of definitions
• Client Security installs an Update Assistant service to:
  Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
  Notify console when new signatures require approval
• Support for roaming users
• Failover from WSUS to Microsoft Update
(Diagram: MU syncs to WSUS + Update Assistant, which syncs to desktops, laptops and servers)
Keeping Systems Up to Date
One dashboard for visibility into threats and vulnerabilities
Insightful reports
• Real-time and emerging trends
• Focus on critical information
• Executive reports
• Drill down for detail
• Linked within the console
• Built on MOM 2005 technology
• Uses SQL Reporting Services
• Enables focus on threats and possible vulnerabilities
State assessment scans determine which machines:
• Need to be patched
• Are configured insecurely
Report categories include: Summary Report, Malware Threat(s), Deployment, Vulnerability Summary, Alerts, Scan Results, Computers, Historical Information
(Console screenshot: Security Summary with Computer Summary, Deployment Summary, Threat Summary, Alert Summary and Vulnerability Summary panels)
Alert configuration is policy specific
Alerts notify admin of high-value incidents, including:
• Malware detected
• Malware outbreak
• Malware failed to remove
• Malware protection disabled
Alert levels control type & volume of alerts generated: a scale from 1 (critical issues only, low value assets) to 5 (rich data, high value assets)
Alert types shown along the scale: outbreak; malware removal failed; signature update failed; malware detected and removed; signature update failed (per min)
Client Security Reporting and Alerting
Currently in private beta with select customers

Public beta planned for Q4 CY2006

Release to manufacturing planned for 1H CY2007
Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control
• Unified Protection
• Simplified Administration
• Critical Visibility & Control
An integral part of Microsoft Forefront
For more information, visit:
http://www.microsoft.com/clientsecurity to learn about Forefront Client Security and register for beta information
http://www.microsoft.com/forefront to learn more about other Microsoft Forefront offerings
