Microsoft Forefront Endpoint Protection 2010 Evaluation Guide

Forefront Endpoint Protection 2010, the next version of Forefront Client Security, enables businesses to simplify and improve endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2, allowing customers to use their existing client management infrastructure to deploy and maintain endpoint protection.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, Forefront, Windows, Windows Server, all Forefront products, and Active Directory Rights Management Services are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
This reviewer's guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Other product and company names herein may be trademarks of their respective owners.
Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA
This guide is designed to walk you through an end-to-end evaluation of Microsoft® Forefront™ Endpoint Protection 2010, based on task-driven scenarios that you would commonly find in your daily production use. Step-by-step instructions will give you a sense of product features, capabilities, usage, and end-user benefits in order to help your pre-purchase assessment.

Forefront Endpoint Protection 2010 Evaluation Guide
TABLE OF CONTENTS

Introduction ..... 6
    Using This Guide ..... 6
Chapter 1: Overview ..... 7
    What Is Forefront Endpoint Protection 2010? ..... 7
    The Convergence of Desktop Security and Management ..... 7
    Reduce Ownership Costs ..... 7
    Improved Protection ..... 7
    Increased Efficiency ..... 8
    What's New in Forefront Endpoint Protection 2010 ..... 9
    Common Usage Scenarios for Forefront Endpoint Protection 2010 ..... 11
        Ease of Deployment ..... 11
        Enhanced Protection ..... 12
        Simplified Management ..... 13
    Getting Started ..... 14
    Summary ..... 15
Chapter 2: Ease of Deployment and Simplified Management ..... 17
    Exercise 1: Deploying Forefront Endpoint Protection 2010 ..... 18
    Exercise 2: Using Configuration Manager to deploy FEP clients ..... 21
    Exercise 3: Operations ..... 27
        Exercise 3.1: Operational status: Dashboard overview ..... 28
        Exercise 3.2: Policy management ..... 29
        Exercise 3.3: Policy customization ..... 32
        Exercise 3.4: Policy assignment ..... 39
        Exercise 3.5: Using Group Policy for FEP ..... 40
        Exercise 3.6: Signature updates ..... 44
    Summary ..... 50
Chapter 3: Comprehensive Protection ..... 52
    Exercise 4: Detecting and cleaning malware impact scanning ..... 53
    Exercise 5: On-demand, scheduled and real-time scanning ..... 56
        Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning ..... 57
        Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning ..... 60
        Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning ..... 60
    Summary ..... 62
Chapter 4: Simplified Management—Reporting and Alerting ..... 63
    Exercise 6: Forefront Endpoint Protection 2010 reports ..... 63
    Exercise 7: Forefront Endpoint Protection 2010 alerts ..... 66
        Exercise 7.1: Sending a Malware Outbreak alert ..... 66
        Exercise 7.2: Sending a Malware Detection alert ..... 68
        Exercise 7.3: Sending a Repeated Malware Detection alert ..... 70
        Exercise 7.4: Sending a Multiple Malware Detection alert ..... 72
        Exercise 7.5: Setting the alert level ..... 74
    Summary ..... 75
Appendix: System Requirements and Prerequisites ..... 76
    Hardware Requirements ..... 76
    Pre-configured Virtual Environment System Requirements ..... 76
    Forefront Endpoint Protection 2010 System Requirements ..... 76
    Forefront Endpoint Protection 2010 Client ..... 77
    Software Prerequisites for Forefront Endpoint Protection Deployment ..... 77
    Exercise 8: Deploying SQL Server ..... 78
    Deploying Configuration Manager 2007 R2 ..... 80
Forefront Endpoint Protection Security Management Pack: Enabling Real-Time Monitoring with System Center Operations Manager 2007 R2 ..... 81
    Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010 ..... 83
    Exercise 10: Generating alerts and notifications ..... 86
    Exercise 11: Performing task remediation ..... 89
Resources ..... 92
INTRODUCTION

Forefront Endpoint Protection 2010 (FEP), the next version of Forefront Client Security, enables businesses to simplify and improve endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2 and R3, and allows customers to use their existing client management infrastructure to deploy and maintain endpoint protection.

Microsoft Forefront Endpoint Protection 2010 Overview

Simplify
- Creates a single administrative experience for managing and securing endpoints
- Improves visibility to help administrators identify and remediate potentially vulnerable endpoints

Integrate
- Lowers ownership costs by using a single infrastructure for endpoint management and security
- Deploys effortlessly to hundreds of thousands of endpoints using existing Configuration Manager agents

Protect
- Provides highly accurate detection of known and unknown threats
- Manages Windows® Firewall configurations to actively protect against network-level attacks

Using This Guide

This guide highlights important features of FEP and is designed to simplify your review process.

- Chapter 1 provides an overview of FEP and outlines its new features, benefits, and common usage scenarios.
- Chapter 2 covers FEP setup and configuration and signature updates, with installation and management using System Center.
- Chapter 3 covers the comprehensive antimalware detection and prevention capabilities of FEP, including results analysis.
- Chapter 4 covers reporting and alerting capabilities of FEP.
- The appendices provide steps to install System Center server components and other prerequisites for FEP evaluation. They also explain how you can use Microsoft System Center Operations Manager to monitor FEP activities in real time using the Forefront Endpoint Protection Security Management Pack.

The labs throughout this guide provide evaluation and testing instructions and explain the design and use of various features.
CHAPTER 1: OVERVIEW

What Is Forefront Endpoint Protection 2010?

The Convergence of Desktop Security and Management

Desktop management and security have traditionally existed as two separate disciplines, yet both play a central role in keeping users safe and productive. Forefront Endpoint Protection 2010 enables businesses to align client security and management to improve endpoint protection while greatly reducing operational costs. It provides protection from evolving malware threats and builds on Configuration Manager 2007 R2 and R3. This enables customers to use their existing client management infrastructure to deploy and manage endpoint protection.

Reduce Ownership Costs

With discrete infrastructures for management and security, companies need to purchase and maintain separate hardware and software, create and manage two sets of policies, and take two sets of actions when security incidents occur. Together, FEP and Configuration Manager 2007 deliver operational efficiencies not available with traditional management and security silos.

You can use your existing Configuration Manager infrastructure to easily deploy FEP to provide:

- Simplified deployment of endpoint protection through a proven infrastructure that scales to hundreds of thousands of clients across a distributed environment
- Reduced infrastructure costs by using your existing Configuration Manager deployment for both endpoint protection and client management

Improved Protection

Many desktop vulnerabilities are a result of poor system configuration, yet security administrators often lack easy access to inventory, patch level, and other desktop-specific data. Forefront Endpoint Protection 2010 and Configuration Manager 2007 give your organization industry-leading threat-detection capabilities to remediate endpoint security vulnerabilities. The FEP antimalware engine provides highly accurate and efficient threat detection and protects against the latest malware and rootkits with a low false-positive rate. It also helps protect clients against unknown or zero-day threats. The combination of these technologies in a single infrastructure offers a unique, consolidated view into the health and protection status of user systems. IT can better identify at-risk machines and take action to patch systems, block outbreaks, and initiate clean-up efforts. These technologies can also consolidate and simplify reporting on the complete desktop environment.

Secure and Streamline the Windows Optimized Desktop

Forefront Endpoint Protection 2010 and Configuration Manager are part of the Windows Optimized Desktop, which is built on the Windows 7 Enterprise operating system. The Windows Optimized Desktop also deploys virtualization technologies with integrated management across physical and virtual machines, including Microsoft Virtual Desktop Infrastructure (VDI). Along with Microsoft Office 2010, Windows Internet Explorer 8, and the Microsoft Desktop Optimization Pack, FEP and Configuration Manager help create a more productive, manageable, and secure workforce environment. For more information on Windows Optimized Desktop, visit www.microsoft.com/windows/enterprise.

Increased Efficiency

Forefront Endpoint Protection 2010 centralizes visibility into the management and security of endpoints, which can help you identify and remediate potentially vulnerable endpoints via:

- A single experience to manage clients and to create and configure endpoint protection policies
- Increased awareness of potentially vulnerable clients
What's New in Forefront Endpoint Protection 2010

Forefront Endpoint Protection 2010 makes it easier to protect critical desktop, laptop, and server operating systems from viruses, spyware, rootkits, and other threats. Some of the key new capabilities in FEP include:

Forefront Endpoint Protection 2010: Feature / Description

Single console and infrastructure for desktop management and protection
    Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 or R3, which enables you to use your existing client-management infrastructure. You can deploy and manage endpoint protection through the single interface of Configuration Manager, which enables you to manage and secure endpoints without the need for additional servers to support FEP. This integration is based on:
    o Centralized deployment: Central package installation on client machines.
    o Policy management: Endpoint security policies can be defined centrally through the management console. Predefined templates for productivity and security defaults make it simpler to define policies based on best practices. This helps reduce complexity, improves troubleshooting and reporting insights, and can save time and effort.
    o Customized alerts: Forefront Endpoint Protection generates alerts when it detects malware; alerts are based on the severity of the malware. Alerts can also be customized for specific types of malware detection.
    o Reporting: View the overall status of security threats, actions needed, and the overall health status of client machines.

Enterprise scalability
    Forefront Endpoint Protection 2010 uses the Configuration Manager infrastructure to more efficiently deploy clients and policies. This enables enterprises to deploy and manage endpoint protection clients on a very large scale.

More accurate and efficient threat detection
    The new antimalware engine protects against the latest malware and rootkits with a low rate of false positives. The engine also helps keep employees productive with scanning that has low impact on performance. It enables administrators to limit processor usage during scans and uses new improvements in the engine, such as advanced caching, to provide high-quality security with optimized performance.
Key New Features

Simplify
- Single console: FEP is built on Configuration Manager 2007 R2. Configuration Manager provides a single interface for managing and securing endpoints, reducing complexity, and improving troubleshooting and reporting insights.
- Central policy creation: Administrators have a central location for creating and applying all endpoint-related policies.
- Improved visibility: With a shared view of endpoint protection and configuration, administrators can more easily identify and remediate vulnerable computers.

Integrate
- Single infrastructure: FEP uses the Configuration Manager infrastructure to deploy and manage endpoint protection. This eliminates the expense of purchasing and maintaining an independent security infrastructure.
- Enterprise scalability: Using the Configuration Manager infrastructure, FEP clients and policies can be efficiently deployed to hundreds of thousands of users.

Protect
- Highly accurate detection: FEP helps protect against the latest malware and rootkits with lower false positives. Includes protection against network vulnerability exploits.
- Behavior monitoring: FEP uses system behavior and file reputation data to identify unknown threats.
- Efficient scanning: FEP keeps employees productive with low performance impact scanning.
- Client firewall management: FEP helps administrators centrally manage Windows Firewall protections across the enterprise.
Behavioral threat detection
    Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block attacks on client systems from previously unknown threats. Detection methods include behavior monitoring, emulation, and Dynamic Translation. Behavior monitoring identifies new threats and tracks the behavior of unknown processes or known processes gone bad. Any behavior monitoring detection triggers a request to a cloud-based Dynamic Signature Service that can deliver protection in near-real time for new threats that are not in the signature set on the endpoint.

Network Vulnerability Shielding
    Forefront Endpoint Protection 2010 provides protection against network-level exploits and intrusions by inspecting inbound and outbound network traffic. Based on the Microsoft Network Inspection System, it balances protection with performance by only enabling signatures for vulnerabilities that are still unpatched on the endpoint.

Windows Firewall Management
    Forefront Endpoint Protection 2010 ensures that Windows Firewall is active and working properly to protect against network-layer threats. It also enables you to more easily manage these protections across the enterprise from the FEP console.

Signature updates
    Forefront Endpoint Protection 2010 provides multiple options to receive signature and engine updates. Organizations can use their existing Windows Server Update Services (WSUS) infrastructure to receive FEP updates. Administrators can also configure a client to connect to Microsoft Update or use a file share to download the latest definition updates.

Customized alerts based on incidents and assets
    Forefront Endpoint Protection 2010 automatically alerts you if it detects viruses, spyware, or other potentially unwanted software. It also provides the level of alert for a detected item:
    o Severe or high-level alerts: Forefront Endpoint Protection alerts you to a threat and then always recommends that you remove the program(s).
    o Medium-level alerts: Review the alert details (click the Show details link) to see why FEP detected the item. If you dislike what the software does or if it comes from an unknown or untrusted publisher, consider blocking or removing the software.
    o Low-level alerts: This type of alert typically occurs when a program is installed and FEP is unsure about the authenticity of the program. To allow the software, review the alert details or check to see if you recognize and trust the software publisher.
    You can also customize alerts and set FEP to alert you if you run software that has not yet been analyzed. You can also set alerts to notify you if software makes or tries to make changes to your computer.

Detailed reports
    Forefront Endpoint Protection 2010 uses the same reporting infrastructure as Configuration Manager and provides easy-to-use reports out of the box that provide deep insight into enterprise-wide client security activities.

Integration with Operations Manager 2007 R2
    The FEP Security Management Pack enables you to monitor the security of server operating systems or critical assets in real time using existing Operations Manager infrastructure.
Common Usage Scenarios for Forefront Endpoint Protection 2010

Ease of Deployment

Endpoint protection that operates separately from existing endpoint management systems often requires many resources and has high maintenance costs. Forefront Endpoint Protection 2010 uses Configuration Manager 2007 to centralize deployment of security software and policies to multiple endpoints. You can deploy FEP Server on a Configuration Manager standalone (single) site or to a hierarchical site environment. In a hierarchical Configuration Manager deployment there is a parent site that has one or more sites (child sites) attached to it in the hierarchy. Configuration Manager 2007 sites define the scope of administrative control. The administrative control requirements will determine where FEP should be installed:

- For centralized policy creation and control, install FEP on the central site
- For decentralized policy creation and control, install FEP on the child sites

Configuration Manager software distribution is used to centrally manage and monitor the deployment of FEP to client computers in your existing infrastructure. With this method, you can control which Configuration Manager collections the client is deployed to, and use the provided reports to determine deployment status or drill down to information about computers on which the client failed to deploy and why.

Organizations can use their existing WSUS infrastructure to receive the signature and antimalware engine updates. Additionally, administrators can define network file shares or Internet-based Microsoft Update to provide the latest signature updates to the clients.

In the related section of this common usage scenario, you will evaluate the process of centralized client deployment through Configuration Manager 2007. This scenario provides step-by-step instructions to distribute and advertise the software to existing or new endpoints.
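As an added example (not from the evaluation guide, and not part of FEP or Configuration Manager), the following PowerShell function checks whether the definitions on a set of FEP clients are current. That is the question behind all three update channels above: whichever path a client takes (WSUS, Microsoft Update, or a file share), what matters operationally is the age of the definitions it ends up with, and a client whose channel is broken looks healthy in every other respect. The registry location and value names (HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates, with AVSignatureVersion and EngineVersion as strings and SignaturesLastUpdated as an 8-byte FILETIME) are assumptions about the FEP client, not documented in this guide, as is the use of the Remote Registry service to read them; the three-day threshold and the lab computer names are illustrative.

```powershell
# Added example, not from the FEP guide: report definition age for FEP 2010 clients.
# ASSUMPTIONS (not stated in the guide; verify on your build):
#   - the FEP client records definition state under
#     HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates
#   - AVSignatureVersion and EngineVersion are REG_SZ
#   - SignaturesLastUpdated is a REG_BINARY holding an 8-byte FILETIME (UTC)
#   - the Remote Registry service is running and reachable on each client
function Get-FepDefinitionStatus {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]] $ComputerName,
        [int] $MaxAgeDays = 3          # illustrative threshold; tune to your update schedule
    )
    process {
        foreach ($computer in $ComputerName) {
            $result = New-Object PSObject -Property @{
                ComputerName   = $computer
                EngineVersion  = $null
                AVSignature    = $null
                LastUpdatedUtc = $null
                AgeDays        = $null
                Status         = 'Unknown'
            }
            try {
                $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
                $key = $hive.OpenSubKey('SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates')
                if ($key -eq $null) {
                    # No FEP client: e.g. a machine still on Forefront Client Security
                    $result.Status = 'FEP client not installed'
                } else {
                    $result.EngineVersion = $key.GetValue('EngineVersion')
                    $result.AVSignature   = $key.GetValue('AVSignatureVersion')
                    $raw = $key.GetValue('SignaturesLastUpdated')
                    if ($raw -ne $null -and $raw.Length -eq 8) {
                        # REG_BINARY FILETIME -> Int64 -> DateTime (UTC)
                        $fileTime = [BitConverter]::ToInt64($raw, 0)
                        $result.LastUpdatedUtc = [DateTime]::FromFileTimeUtc($fileTime)
                        $age = (Get-Date).ToUniversalTime() - $result.LastUpdatedUtc
                        $result.AgeDays = [math]::Round($age.TotalDays, 1)
                        if ($result.AgeDays -gt $MaxAgeDays) { $result.Status = 'Stale' }
                        else                                 { $result.Status = 'Current' }
                    } else {
                        # Client installed but has never completed a definition update
                        $result.Status = 'Never updated'
                    }
                    $key.Close()
                }
                $hive.Close()
            } catch {
                # Remote Registry blocked, host offline, access denied: surface it, do not hide it
                $result.Status = "Error: $($_.Exception.Message)"
            }
            $result
        }
    }
}

# Usage with the lab machines: Cairo runs FEP, Chicago still runs FCS and should
# report 'FEP client not installed' rather than a definition version.
'Cairo', 'Chicago' | Get-FepDefinitionStatus -MaxAgeDays 3 |
    Format-Table ComputerName, AVSignature, EngineVersion, LastUpdatedUtc, AgeDays, Status -AutoSize
```

The Status column is deliberately four-valued: a stale client, a client that has never updated, a client without FEP, and a client that could not be queried are different problems with different owners, and a script that folds them into one "not current" bucket hides the channel failures this section is about.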
Enhanced Protection

Exposure to fast-evolving security threats requires businesses to frequently test patches and updates before they release them to users. Viruses, rootkits, spyware, malware, and directed attacks can arise from inside and outside an organization's network. Some threats breach tight security on the corporate network, and some enter via removable devices.

Forefront Endpoint Protection 2010 detects known and unknown threats with a high degree of accuracy and actively protects against network-level exploits. Administrators can enable real-time protection against evolving threats by defining endpoint protection policies.
Simplified Management

In combination with Configuration Manager 2007, FEP provides a central location for you to create and apply malware protection policies on endpoints. This policy mechanism allows you to centrally control and manage malware-scanning properties, and it provides configurable protection on client computers such as:

- Scheduled scans
- Threat-handling settings
- Real-time protection
- Exclusion of files, folders, file types, and processes from scans
- Scans of removable drives and devices
- Overrides of recommended actions against threats

You can enable updates based on behavior monitoring through the cloud-based Dynamic Signature Service. This approach can make policy management a more efficient process that can save organizations time and resources. In the related section in this guide for this common usage scenario, you will evaluate the process of policy creation and centralized deployment on multiple endpoints.
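As an added example (not from the guide, and not part of FEP), the following PowerShell function audits the policy settings listed above as they land on a client and flags the ones that weaken protection: real-time protection turned off, removable-drive scanning turned off, and exclusions broad enough to give malware an unscanned place to live. Exclusions are the setting most often loosened "temporarily" for an application and never tightened again, so they are where a policy review pays off. The policy registry root (HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware), the subkey and value names, and the convention that each excluded path, extension, or process appears as a value name under an Exclusions subkey are assumptions drawn from the Microsoft antimalware policy template conventions, not from this guide; verify them against the FEP Group Policy templates before relying on the script.

```powershell
# Added example, not from the FEP guide: audit the FEP 2010 policy applied to a client
# for settings that weaken protection.
# ASSUMPTIONS (not documented in the guide; verify against the FEP Group Policy templates):
#   HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableRealtimeMonitoring (DWORD)
#   HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan\DisableRemovableDriveScanning       (DWORD)
#   HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths|Extensions|Processes
#       one value per excluded item; the value NAME is the excluded path, extension or process
function Test-FepPolicyHardening {
    param([string] $PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware')

    $findings = @()

    function Get-DwordValue([string] $SubKey, [string] $Name) {
        $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($item -eq $null) { return $null }      # key or value absent: setting not enforced by policy
        return [int] $item.$Name
    }
    function Get-ExclusionNames([string] $Kind) {
        $key = Get-Item -Path (Join-Path $PolicyRoot "Exclusions\$Kind") -ErrorAction SilentlyContinue
        if ($key -eq $null) { return @() }
        return @($key.GetValueNames())
    }

    if ((Get-DwordValue 'Real-Time Protection' 'DisableRealtimeMonitoring') -eq 1) {
        $findings += 'Real-time protection is disabled by policy'
    }
    if ((Get-DwordValue 'Scan' 'DisableRemovableDriveScanning') -eq 1) {
        $findings += 'Removable drive scanning is disabled (removable devices are an infection vector)'
    }

    # Path exclusions that cover a whole drive, every user profile, temp directories or
    # network shares hand an attacker a writable location that is never scanned.
    $broadPatterns = @(
        '^[A-Za-z]:\\?$',                                    # whole drive, e.g. C:\
        '^[A-Za-z]:\\(Users|Documents and Settings)\\?$',    # all user profiles
        '^[A-Za-z]:\\(Windows\\)?Temp\\?',                   # world-writable temp locations
        '^\\\\'                                              # UNC path: writable by others
    )
    foreach ($path in Get-ExclusionNames 'Paths') {
        foreach ($pattern in $broadPatterns) {
            if ($path -match $pattern) { $findings += "Broad path exclusion: $path"; break }
        }
    }
    # Excluding executable extensions disables scanning for exactly the files that carry malware.
    foreach ($ext in Get-ExclusionNames 'Extensions') {
        if ($ext -match '^\.?(exe|dll|scr|com|bat|cmd|ps1|vbs|js)$') {
            $findings += "Executable content excluded by extension: $ext"
        }
    }
    # Files opened by an excluded process are not scanned. A process exclusion given by bare
    # name, or pointing into a user-writable location, can be satisfied by any binary an
    # attacker drops under that name or path.
    foreach ($proc in Get-ExclusionNames 'Processes') {
        if ($proc -notmatch '\\' -or $proc -match '^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\') {
            $findings += "Process exclusion by bare name or in a user-writable location: $proc"
        }
    }

    New-Object PSObject -Property @{
        PolicyRoot = $PolicyRoot
        Hardened   = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage on the client under evaluation (for example Cairo in the lab environment):
$audit = Test-FepPolicyHardening
if ($audit.Hardened) { 'No weakening settings found' } else { $audit.Findings }
```

The script reads only what policy has written to the client; a setting that is absent is reported as "not enforced", not as safe, because the client then falls back to its local defaults. When you customize a policy in Exercise 3.3, run this after the DCM baseline has applied to confirm that the settings you intended are the ones that arrived.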
Getting Started

The step-by-step instructions in the following sections show you how to distribute FEP to client computers, create and manage policies, configure FEP alerts, monitor FEP status, look at FEP reporting, and force a quick scan on specific computers.

To evaluate FEP, you can either use the FEP pre-configured virtual environment (downloadable virtual machines pre-configured for evaluation) or FEP evaluation software that you can deploy in your own environment.

Forefront Endpoint Protection 2010 Evaluation Options

Using the pre-configured virtual environment (Business Ready Security demonstration environment): These Hyper-V-based virtual machines are pre-configured for an easy evaluation of FEP. If you are using the downloadable pre-configured virtual environment (Hyper-V), the FEP environment is already established on the server and client machines. Start with the section "Forefront Endpoint Protection 2010 Evaluation Scenarios for Configuring, Deploying and Using FEP 2010." To deploy the virtual evaluation environment, which is built on virtual hard drives, you will need at least one Windows Server 2008 R2 Standard system with Hyper-V enabled.

Note: Before you deploy the virtual environment lab or the evaluation software, refer to the System Requirements section in Appendix A and ensure that the server and client machines in your environment meet all requirements.

Pre-configured virtual environment for FEP evaluation: You can download the pre-configured virtual environment at http://go.microsoft.com/fwlink/?LinkId=190269

Access the pre-configured virtual environment for evaluation: Before you can do the lab exercises, you must log on to the virtual machines. The user name and password are the same for all virtual machines:

User name: WoodgroveBank\Administrator
Password: password
This guide uses the pre-configured virtual environment to provide step-by-step guidance on common security tasks. The virtual machines that make up the environment are listed under Lab Environment at the start of Chapter 2.

Using FEP evaluation software: If you choose to set up your own environment to evaluate FEP, you first need to set up the server and client machines. The prerequisite installations for this setup include:

- SQL Server® 2005 SP2 or 2008
- Configuration Manager 2007 R2 / R3
- Forefront Endpoint Protection 2010

For detailed installation steps and system requirements, refer to Appendix A. You can download FEP evaluation software at http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx

After you install the software, go to the evaluation scenarios.
Summary

This chapter showed how customers use their existing client management infrastructure to deploy and manage FEP. It discussed the benefits and features of FEP and the reasons why organizations should make it a part of their infrastructure. It also gave an overview of the three common usage scenarios, which the subsequent sections of the guide cover in greater detail.

You can find an overview of the three evaluation scenarios in these sections:

- Common Usage Scenarios for FEP 2010: Describes the common usage scenarios for using FEP
- Getting Started with the evaluation scenarios: Helps users evaluate FEP

Chapter 2 provides more information about the ease of deployment and simplified management and covers the following topics:

- Deploying Forefront Endpoint Protection 2010: Step-by-step installation of FEP.
- Using Configuration Manager to Deploy FEP Clients: Step-by-step process to distribute and advertise the software to existing or new endpoints.
- Dashboard Reporting using Forefront Endpoint Protection 2010: The dashboard summarizes the overall health status of clients and provides detailed reports for particular computers.
- Policy Management using Forefront Endpoint Protection 2010: Defines the various configuration options of the FEP client that users can manage, such as policy customization, policy assignment, Group Policy configuration, the scan schedule, the location and frequency of definition updates, and scan exclusions.
- Performing Signature Updates on Forefront Endpoint Protection 2010 clients: Provides the latest updates to all endpoints from a central console and keeps them protected from new threats.
CHAPTER 2: EASE OF DEPLOYMENT AND SIMPLIFIED MANAGEMENT

Forefront Endpoint Protection 2010 and Configuration Manager together provide the enterprise scalability to efficiently deploy enhanced security within large organizations.

- Forefront Endpoint Protection 2010 installation: consists of downloading the package, verifying prerequisites, installing the FEP server, and validating the success of the installation.
- Deploy FEP: distribute the client and policies using Configuration Manager to multiple endpoints.
- Operationalized security: centralized operations management through Configuration Manager across multiple client machines:
    o Dashboard monitoring: summarizes the overall health status of machines and provides detailed reports for particular computers.
    o Policy creation: create, configure, and assign FEP policies to endpoints.
    o Signature updates: enables administrators to provide the latest updates to all endpoints centrally and thus keep them protected against new threats.

In this chapter, you will evaluate the installation of FEP, FEP centralized client deployment using Configuration Manager 2007, and operations. This chapter will cover the following exercises:

Exercise / Illustrates
1. Deploying FEP: Step-by-step installation of FEP
2. Using Configuration Manager to deploy FEP clients: Centralized deployment of FEP from server to client machines
3. Operations: Description of the operations that can be performed with FEP
    3.1. Operational status: Dashboard overview: Contents of the Dashboard of Configuration Manager 2007
    3.2. Policy management: Step-by-step creation of FEP policies
    3.3. Policy customization: Advanced protection methods to customize policies and change granular settings
    3.4. Policy assignment: Assign FEP policies to a Configuration Manager collection
    3.5. Using Group Policy for FEP: Configure clients with FEP Group Policy objects, pre-configured policy templates, and the FEP Group Policy Tool
    3.6. Signature updates: Methods to provide signature updates to endpoints

Deployment and Management Benefits

Simple installation process
- Installs on root site, deploys to hierarchy
- Automatically creates additional components (FEP distribution packages, DCM baselines)
- Creates new reporting database

Converged system management; simple centralized policy
- Use existing infrastructure
- No new servers
- Integrated console
- Supports Configuration Manager 2007 SP2/R2 and later
If you are evaluating FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment
No.  Machine Name         Roles
1    Server 1 (Denver)    DC, CA, AD FS, WSUS
2    Server 2 (Fargo)     FEP Server and Configuration Manager
3    Client 1 (Chicago)   Forefront Client Security (FCS) Client
4    Client 2 (Cairo)     FEP

If you chose to use the pre-configured virtual environment to evaluate FEP, skip to Using Configuration Manager to Deploy FEP Clients.
Exercise 1: Deploying Forefront Endpoint Protection 2010
To install FEP, you need to download FEP, verify prerequisites, which include SQL Server 2008 and Configuration Manager 2007, install the FEP server, and validate the success of the installation.
This section describes how to install FEP.
After you set up and install the pre-requisites, you can install FEP on the
Configuration Manager server.
1. Go to the location where you extracted the FEP server source files, and then double-click serversetup.exe to open the FEP server setup wizard.
2. Enter your Name and Organization.
NOTE:
This lab requires a server installed with
Configuration Manager 2007 and SQL
Server 2008. For system requirements
and prerequisite installation details,
you can refer to the following sections
of the Appendix:
APPENDIX: System Requirements
and Prerequisites
Deploying SQL Server
Deploying System Center
Configuration Manager 2007 R2
Deploying Windows Installer
version 3.1
Deploying WFP Rollup Package
Figure 1.1 Welcome screen.
Microsoft Forefront Endpoint Protection 2010 Evaluation Guide Page 19
3. After accepting the license agreement, select one of four installation options (see Figure 1.2):
• Basic topology: Installs all FEP infrastructure on a single server.
• Basic topology with remote reporting database: Installs all FEP components except the reporting database, and lets you specify a different SQL Server instance for the FEP reporting database.
• Advanced topology: Customized option that lets you choose which FEP components to install in a distributed environment:
o Configuration Manager Site Server FEP Extension
o FEP Reporting and Alerts
o Configuration Manager Console Extension for FEP
• Configuration Manager Console FEP 2010 Extension Only: Installs FEP only as an extension for the Configuration Manager console.
Depending on the installation option you choose, the prompts and content in the setup wizard may differ from the steps described here. The remaining steps assume that the Advanced topology option was used and that the Site Server, FEP Reporting and Alerts, and Configuration Manager Console Extension for FEP capabilities were selected (see Figure 1.3).
Configuration Manager Site Server FEP Extension: Integrates FEP with Configuration Manager at several levels: software distribution, reporting and analysis, and security configuration through desired configuration management. The extension creates the FEP collections, the packages used by software distribution, and the configuration items and baselines used by desired configuration management.
Forefront Endpoint Protection 2010 Reporting and Alerts: Installs the reporting and alerting components used to monitor FEP.
Configuration Manager Console Extension for FEP: Installs the FEP extension in the Configuration Manager console for centralized management.
4. The wizard prompts for the information needed to configure the FEP database: the Configuration Manager database computer, the database instance, and the Forefront Endpoint Protection 2010 database name (see Figure 1.4).
If you chose to build your own test environment, enter the details of your SQL Server installation here.
5. Next, the wizard offers to configure FEP to use Microsoft Update for automatic updates for Windows and other Microsoft products, including FEP (see Figure 1.5).
If you select Join the customer experience program, Microsoft collects information about system hardware and FEP usage to guide further improvements.
Figure 1.2 Deployment options.
Figure 1.3 Advanced topology.
Figure 1.4 Database configuration.
Figure 1.5 Update and customer experience.
Microsoft Forefront Endpoint Protection 2010 Evaluation Guide Page 20
6. If you choose to join the Microsoft SpyNet community, the client automatically sends Microsoft information about detected software.
This information helps Microsoft create new definitions for improved protection, so that the software can better detect potential malware and notify you. Basic membership also enables the Dynamic Signature Service, which delivers updates based on behavior monitoring without waiting for the regular signature update cycle (see Figure 1.6).
7. The Installation Location page lets you specify the path and folder locations for the Forefront program files and data files; use the Browse button to change the storage location. The page also shows the disk space requirements (see Figure 1.7).
8. The final page before setup runs is the prerequisite check. The installer verifies that each of the prerequisites listed in step 1 has been met; if a check fails, the installer explains the failure and the remediation steps. Setup continues only when all prerequisites are met (see Figure 1.8).
Once all prerequisites are met, the wizard displays a summary of your selections, including general settings, updates, and the FEP site extension (see Figure 1.9).
9. The FEP installation configures antimalware support on the server automatically (see Figure 1.10). You can use the snap-in that setup adds to the Configuration Manager console to manage and monitor FEP.
Figure 1.6 SpyNet policy configuration.
Figure 1.7 Installation location.
Figure 1.8 Prerequisites verification.
Figure 1.9 Setup summary.
Figure 1.10 Installation complete.
Exercise 2: Using Configuration Manager to deploy FEP clients
Software deployment in a large network is generally a tedious process that requires
a great deal of administrators’ time and resources. Installing the software on
individual client computers reduces productivity and increases the need for remote
and centralized deployment. Using different infrastructures for security management
and deployment makes the task more complex.
In this exercise, you will perform centralized deployment of FEP from a single server
to selected endpoints (client machines). This section provides a step-by-step
process to distribute and advertise the software to an existing or new collection of
endpoints using the same process that is used in Configuration Manager.
If you are evaluating with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name        Roles
1      Server 1 (Denver)   DC
2      Server 2 (Fargo)    FEP Server and Configuration Manager
3      Client 1 (Chicago)  Forefront Client Security (FCS) Client
4      Client 2 (Cairo)    FEP
The following step-by-step instructions use the pre-configured virtual environment and are performed on the virtual machine called Fargo (Server 2 in the table above).
To examine the integration between FEP Server and Configuration Manager:
1. On the Start menu, click Microsoft System Center, click Configuration
Manager 2007, and then click ConfigMgr Console to open the Configuration
Manager 2007 SP1 R2 console.
2. In the Configuration Manager Console, expand Site Database, expand
Computer Management, and then expand Forefront Endpoint Protection.
The Forefront Endpoint Protection 2010 node contains subnodes for Policies,
Alerts, and Reports. Notice that FEP Server integrates with the Configuration
Manager console to manage FEP client policies, alerts, and reporting.
Key Deployment Benefits: Deploys effortlessly to multiple endpoints using existing Configuration Manager agents.
NOTE: Appendix A contains the System Requirements for client computers.
Figure 2.1 Start menu.
Figure 2.2 Configuration Manager console.
3. Under Computer Management, expand Collections, and then expand
Forefront Endpoint Protection 2010 collections.
Note that FEP Server maintains several collections of client computers.
To use the Software Distribution wizard to deploy FEP client software
1. In the Configuration Manager console, in the left pane, under Collections, select All Systems. Server and client computers are listed in this collection (see Figure 2.4).
2. In the middle pane, right-click a client to deploy, click Distribute, and then click
Software to open the Distribute Software to Resource wizard.
Note: Instead of deploying the FEP client software to a single computer, you
can also distribute FEP to all computers in a particular collection at once.
3. On the Welcome page, click Next.
Figure 2.3 Collections.
Figure 2.4 All systems.
Figure 2.5 Distribute software.
Figure 2.6 Welcome page.
4. On the Package page, ensure that Select an existing package is selected,
and then click Browse.
This page also provides options to Create a new package from a definition
file and to Create a new package and program without a definition file,
which can be used to create new packages.
5. In the Select a Package dialog box, select the Microsoft Corporation
Forefront Endpoint Protection 2010 - Deployment 1.0 package, and then
click OK.
6. On the Package page, click Next.
7. On the Distribution Points page, select your default distribution point (Fargo, if
you are using the virtual environment) and then click Next.
On this page, you can select distribution points based on where the clients will
access the package. If the package was previously distributed, some
distribution points will already be selected. If you cancel the selection of a
distribution point, the package will be deleted from it.
Figure 2.7 Package page.
Figure 2.8 Select a Package dialog box.
Figure 2.9 Package page.
Figure 2.10 Distribution Points page.
8. On the Select Program page, select Install, and then click Next.
Note: You can also use the software distribution package to uninstall FEP
clients.
9. On the Advertisement Target page, select Advertise this program to an existing collection that contains this resource, and then click Next.
Note: This page also offers Advertise this program to an existing collection, which lets you pick the collection that receives the advertisement.
10. On the Advertisement Name page, in the Name box, type FEP – Deployment – Install to All Systems, and then click Next.
The name of the new advertisement will start with Forefront FEP – Deployment – Install to All Systems.
11. On the Advertisement Subcollection page, select Advertise the program to
members of the collection and its subcollections, and then click Next.
Note: This page also provides you the option to Advertise the program only
to members of the specified collection.
Figure 2.11 Select Program page.
Figure 2.12 Advertisement Target page.
Figure 2.13 Advertisement Name page.
Figure 2.14 Advertisement Subcollection page.
12. On the Advertisement Schedule page, click Next.
13. On the Assign Program page, select Yes, assign the program, select Ignore
maintenance windows, and then click Next.
14. On the Summary page, click Next.
15. On the Wizard Completed page, click Close.
Figure 2.15 Advertisement Schedule page.
Figure 2.16 Assign Program page.
Figure 2.17 Summary page.
Figure 2.18 Wizard Completed page.
To examine the FEP deployment
1. In the Configuration Manager Console, in the left pane, expand
System Status, expand Advertisement Status, and then select the Forefront
Endpoint Protection 2010 - Deployment advertisement.
In the middle pane, notice that the related program from this advertisement has
successfully started.
2. In the left pane, under Computer Management, select Forefront Endpoint Protection.
3. In the Actions pane, click Update Forefront Endpoint Protection 2010 Collections membership (see Figure 2.20 and Figure 2.21).
4. Click OK to confirm that you want to update the membership of the FEP collections.
In the middle pane, notice that FEP is now deployed on the client machines.
5. After the distribution completes successfully, the FEP client is installed on the endpoint. The time needed depends on the Configuration Manager client settings (for example, the machine policy polling interval). After installation, the FEP icon appears in the notification area (see Figure 2.22).
Note: When you install the FEP client package, it automatically uninstalls existing antimalware clients, including:
• Forefront Client Security version 1, including the Operations Manager agent
• Symantec Endpoint Protection version 11
• TrendMicro OfficeScan version 8.0 and version 10.0
• McAfee VirusScan Enterprise version 8.5 and version 8.7
• Symantec Endpoint Protection Small Business Edition version 12
• Symantec Corporate Edition version 10
Figure 2.19 Deployment status.
Figure 2.20 Actions pane.
Figure 2.21 Update FEP Collections membership.
Figure 2.22 FEP icon.
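The guide verifies the deployment from the console and by looking for the taskbar icon. The following PowerShell script is an added example, not part of the evaluation guide, that checks the same thing from the endpoint side: it confirms the antimalware service is present and running and that the product is registered in Add/Remove Programs. The service name MsMpSvc, the install folder under Microsoft Security Client, and the uninstall display name pattern are assumptions about the FEP 2010 client that the guide does not state.

```powershell
# Added example (not from the evaluation guide): verify an FEP 2010 client
# deployment on the endpoint itself instead of waiting for the taskbar icon.
# Assumptions (not stated in the guide): the FEP client runs the Microsoft
# Antimalware service "MsMpSvc", installs under
# "$env:ProgramFiles\Microsoft Security Client", and registers an uninstall
# entry whose DisplayName contains "Forefront Endpoint Protection".
# Run in an elevated PowerShell 2.0 or later session on the endpoint (e.g. Cairo).

function Test-FepClientInstalled {
    [CmdletBinding()]
    param(
        [string]$ServiceName        = 'MsMpSvc',
        [string]$InstallRoot        = (Join-Path $env:ProgramFiles 'Microsoft Security Client'),
        [string]$DisplayNamePattern = 'Forefront Endpoint Protection'
    )

    $result = New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        ServicePresent   = $false
        ServiceRunning   = $false
        InstallDirExists = (Test-Path -Path $InstallRoot)
        ProductName      = $null
        ProductVersion   = $null
        Healthy          = $false
    }

    # 1. Antimalware service: is it installed, and is it actually running?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServicePresent = $true
        $result.ServiceRunning = ($svc.Status -eq 'Running')
    }

    # 2. Uninstall registry entries (32-bit and 64-bit views) for the product.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.DisplayName -and ($props.DisplayName -match $DisplayNamePattern)) {
                $result.ProductName    = $props.DisplayName
                $result.ProductVersion = $props.DisplayVersion
            }
        }
    }

    # 3. "Healthy" requires both: a registered product whose service is stopped
    #    leaves the endpoint unprotected even though the package reported success.
    $result.Healthy = (($result.ProductName -ne $null) -and $result.ServiceRunning)
    return $result
}

# Usage: print the report and return a non-zero exit code on failure, so the
# script can also be run as a Configuration Manager program and its status collected.
$status = Test-FepClientInstalled
$status | Format-List ComputerName, ProductName, ProductVersion, ServicePresent, ServiceRunning, InstallDirExists, Healthy
if (-not $status.Healthy) { exit 1 }
```

Run it on an endpoint after the advertisement has executed. A result with ProductName set but ServiceRunning false is the case worth chasing: the package installed, but the client is not protecting the machine.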
Exercise 3: Operations
This exercise will help you evaluate ease of operations while managing endpoint
security with FEP. Operations include viewing client health status on the
Dashboard, centralized policy creation, and configuration of signature updates for
multiple clients.
This exercise covers the following sub-exercises:
Exercise                                     Illustrates
3.1. Operational status: Dashboard overview  Contents of the FEP Dashboard in the Configuration Manager 2007 console
3.2. Policy management                       Step-by-step creation of an FEP policy
3.3. Policy customization                    Once a policy is created from a template, FEP lets you customize it further. Administrators can open the properties of the policy and adjust settings such as the CPU usage threshold for scans (a new feature) and many other granular settings
3.4. Policy assignment                       Assigning the FEP policy to a Configuration Manager collection
3.5. Using Group Policy for FEP              Configuring clients by using Forefront Endpoint Protection GPOs, pre-configured policy templates, and the Forefront Endpoint Protection Group Policy Tool
3.6. Signature updates                       Methods to provide signature updates to endpoints
If you are using the pre-configured virtual environment to evaluate FEP, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name        Roles
1      Server 1 (Denver)   DC, CA, AD FS, WSUS
2      Server 2 (Fargo)    FEP Server and Configuration Manager
3      Client 1 (Chicago)  Forefront Client Security (FCS) Client
4      Client 2 (Cairo)    FEP
The following step-by-step instructions use the pre-configured virtual environment; the steps are performed on the server machine named Fargo (Server 2) and on the FEP client machine named Cairo (Client 2).
Exercise 3.1 Operational status: Dashboard overview
The Dashboard summarizes the overall health status of clients and provides detailed reports for specific clients.
To open the Dashboard, in the Configuration Manager console under Computer Management, click Forefront Endpoint Protection 2010 (see Figure 3.1).
The Dashboard has several sections and sub-sections:
• Operational Statistics: Statistics based on the operations performed by FEP on the managed systems. They consist of:
o Client Deployment Status: A count of the clients targeted and not targeted by FEP, and of successful, pending, and failed deployments. The graph represents these statistics.
o Malware Activity Status: The status of malware activity on the scanned clients and any action required:
 Active Malware indicates the client machines (shown by the numbered link) on which malware is present.
 Restart required shows the client machines (shown by the numbered link) that must be restarted.
 Full scan required indicates the client machines that need a full system scan.
 Malware cleaned (Last 24 hours) shows all malware removed from client machines in the past 24 hours.
o Definition Status: Information about definition updates on client machines, categorized as:
 Older than 1 week
 Up to 7 days old
 Up to 3 days old
 Up to date
o Policy Distribution Status: The distribution status of the FEP policies deployed to clients, in terms of:
 Distribution failed
 Distribution in progress
 Policy Distributed
• Forefront Endpoint Protection Baselines: The configuration baselines provided with FEP:
 FEP – Standard Desktop
 FEP – High-Security
 FEP – Optimized Desktop
 FEP – Laptop
• Links and Resources: Links to reports, policy management, alert configuration, and resources for more information.
Figure 3.1 Configuration Manager console.
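The Definition Status section is the number most worth reproducing locally when a client shows up in the wrong bucket. The following PowerShell is an added example, not part of the evaluation guide: it classifies one endpoint's definitions into the same four buckets the Dashboard uses and, if they are stale, asks the client to update. It assumes the FEP client stores the last successful update as a FILETIME in the SignaturesLastUpdated value and the version in AVSignatureVersion under HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates, that MpCmdRun.exe (installed with the client) accepts -SignatureUpdate, and that "Up to date" means updated within the last 24 hours; the guide names the buckets but not these details.

```powershell
# Added example (not from the evaluation guide): reproduce the Dashboard's
# Definition Status buckets for one endpoint and force an update when stale.
# Assumptions (not stated in the guide):
#  - the FEP client records the last successful update as an 8-byte FILETIME
#    in "SignaturesLastUpdated" and the definition version in
#    "AVSignatureVersion" under
#    HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates
#  - MpCmdRun.exe, installed with the client, accepts -SignatureUpdate
#  - "Up to date" means updated within the last 24 hours (the guide gives
#    the bucket names only, not the cutoffs)

function Get-DefinitionAgeBucket {
    param([Parameter(Mandatory=$true)][TimeSpan]$Age)
    # Thresholds mirror the Dashboard categories, most severe first.
    if     ($Age.TotalDays -gt 7) { 'Older than 1 week' }
    elseif ($Age.TotalDays -gt 3) { 'Up to 7 days old' }
    elseif ($Age.TotalDays -gt 1) { 'Up to 3 days old' }
    else                          { 'Up to date' }
}

function Get-FepDefinitionStatus {
    param(
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    if (-not (Test-Path -Path $RegistryPath)) {
        throw "FEP client signature data not found at $RegistryPath"
    }
    $props = Get-ItemProperty -Path $RegistryPath

    # SignaturesLastUpdated is a little-endian FILETIME stored as REG_BINARY (assumption).
    $lastUpdated = $null
    if ($props.SignaturesLastUpdated -and ($props.SignaturesLastUpdated.Length -ge 8)) {
        $fileTime    = [BitConverter]::ToInt64($props.SignaturesLastUpdated, 0)
        $lastUpdated = [DateTime]::FromFileTimeUtc($fileTime)
    }

    # No timestamp at all is treated as the worst bucket rather than as "up to date".
    if ($lastUpdated -ne $null) {
        $age     = (Get-Date).ToUniversalTime() - $lastUpdated
        $ageDays = [Math]::Round($age.TotalDays, 2)
    } else {
        $age     = [TimeSpan]::MaxValue
        $ageDays = $null
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        DefinitionVersion = $props.AVSignatureVersion
        LastUpdatedUtc    = $lastUpdated
        AgeDays           = $ageDays
        Bucket            = (Get-DefinitionAgeBucket -Age $age)
    }
}

function Update-FepDefinitionsIfStale {
    param([int]$MaxAgeDays = 3)

    $status = Get-FepDefinitionStatus
    $status | Format-List ComputerName, DefinitionVersion, LastUpdatedUtc, AgeDays, Bucket
    if (($status.AgeDays -ne $null) -and ($status.AgeDays -le $MaxAgeDays)) { return $status }

    # MpCmdRun.exe location differs between client builds; try both known layouts (assumption).
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe'),
        (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe')
    )
    $mpCmdRun = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $mpCmdRun) { throw 'MpCmdRun.exe not found; is the FEP client installed?' }

    Write-Host "Definitions are $($status.Bucket); requesting an update via MpCmdRun..."
    & $mpCmdRun -SignatureUpdate
    if ($LASTEXITCODE -ne 0) { Write-Warning "MpCmdRun returned exit code $LASTEXITCODE" }
    return (Get-FepDefinitionStatus)
}

Update-FepDefinitionsIfStale
```

If the update succeeds but the Dashboard still shows the client in an old bucket, the gap is in reporting rather than protection: the Dashboard only reflects what the Configuration Manager agent has sent back since the client last reported.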
Exercise 3.2: Policy management
Forefront Endpoint Protection 2010 policy settings define the configuration options of the FEP client and the desktop firewall that you can manage, such as the scan schedule, the location and frequency of definition updates, and scan exclusions. The policy settings you specify are contained in an FEP policy object. Policies affect FEP clients only after you assign them to a Configuration Manager collection.
This section describes how to create a new FEP policy.
To create a new FEP policy
1. On the server, in the Configuration Manager console, in the left pane, under Computer Management, expand Forefront Endpoint Protection 2010, and then select Policies (see Figure 3.2).
Note: Forefront Endpoint Protection 2010 policy settings define the configuration options of the FEP client that an administrator can manage. You can associate an FEP policy with multiple collections, and you can associate multiple policies with a single collection. When policies overlap, they are applied in order of precedence.
2. In the Actions pane, click New Policy to open the New Policy wizard (see Figure 3.3).
3. On the General page, in the Policy name box, type Forefront Endpoint Protection 2010 Desktop policy, and then click Next (see Figure 3.4).
Figure 3.2 FEP Policies page.
Figure 3.3 New Policy wizard.
Figure 3.4 General page.
4. On the Policy Type page, select High Security policy, and then click Next.
Note: You can choose other templates based on client requirements.
For example, the High-security policy enables maximum security settings for antimalware and desktop firewall, and the Performance-optimized policy maximizes performance and enables baseline protections.
You can also choose to load one of 16 pre-configured templates that provide optimized security settings based on the server role.
5. On the Scheduled Scans page, under Weekly scan, in the Day box select Sunday, in the Hour box select 3:00 AM, and then click Next.
6. On the Scan Exclusions page, click Next.
7. On the Updates page, click Next. This page provides options for you to select locations from which clients can receive definition updates.
By default, the selected options are:
Enable updates from Configuration Manager or WSUS
Enable updates from Microsoft Update
This page also allows you to enable updates from specified file locations.
Note that FEP clients can obtain antimalware signature updates from four sources (in order): Configuration Manager, WSUS, Microsoft Update Web site, and UNC file share.
Figure 3.5 Policy Type page.
Figure 3.6 Scheduled Scans page.
Figure 3.7 Scan Exclusions page.
Figure 3.8 Updates page.
8. On the Client Configuration Options page, select Real-time protection, and then click Next.
With this setting, users can configure the scheduled scan time and can choose to receive notification when malware is detected.
9. On the Summary page, click Next.
10. On the Wizard Completed page, click Close.
Figure 3.9 Client Configuration Options page.
Figure 3.10 Summary page.
Figure 3.11 Wizard Completed page.
Exercise 3.3: Policy customization
After you create a policy from a template, FEP lets you customize it. Administrators can open the properties of the policy and adjust its settings.
Defining CPU Usage for Scans
Administrators can limit the processor usage during scans to a chosen percentage.
1. Open the FEP console and click Policies.
2. Right-click the newly created policy, and then select Properties (see Figure 3.12).
3. Click the Antimalware tab and select Limit processor usage during scans to the following percentage to define the percentage of processor usage (see Figure 3.13). Users on endpoint computers can also configure CPU usage limits for scans.
Figure 3.12 Policy > Properties.
Figure 3.13 Limit processor usage.
Exporting a Policy
Administrators can export policies, either to create a backup or to apply them to clients that are not managed by Configuration Manager (see Exercise 3.5).
1. Open the FEP console and click Policies.
2. Right-click your policy, and then click Export Policy (see Figure 3.14).
3. Save the policy XML file to the desired location (see Figure 3.15).
Figure 3.14 Export policy.
Figure 3.15 Save the policy XML.
Policy Precedence
When more than one policy applies to a computer (for example, because it belongs to several collections that have policies assigned), the policy with the highest precedence takes priority over those lower in the precedence order. The console lets you select any policy and adjust its position in that order.
1. Open the FEP console and click Policies.
2. Select your policy and, in the Actions pane, click Policy Precedence (see Figure 3.16).
3. Define the precedence by moving policies up and down with the buttons provided (see Figure 3.17).
4. When you are finished, click OK.
Figure 3.16 Policy precedence.
Figure 3.17 Edit policy precedence.
Advanced Protection Methods
Dynamic Signature Service (Microsoft SpyNet)
The Microsoft SpyNet service enables users to join an online community that helps them choose how to respond to potential threats and helps stop the spread of new infections. Users can choose to send basic or advanced information about detected software; the additional information helps Microsoft create new definitions to better protect users' machines. The service is also used to deliver dynamic updates to endpoints based on behavior-monitoring detections.
1. Click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console (see Figure 3.18).
2. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies (see Figure 3.19).
Figure 3.18 Click ConfigMgr Console.
Figure 3.19 Computer Management > FEP > Policies.
3. Double-click Default FEP policy.
4. Click the Antimalware tab and, in the list on the left side of the dialog box, select Microsoft SpyNet (see Figure 3.20).
5. Select Join Microsoft SpyNet, and then select either Basic membership or Advanced membership. The screenshot in this example shows Basic membership selected (see Figure 3.21).
6. Select Allow users on endpoint computers to change SpyNet settings. Leave this cleared if you do not want users to be able to opt their endpoints out of the Dynamic Signature Service.
7. Click Apply, and then click OK.
Firewall Management
You can centrally enable Windows Firewall on client machines to protect them. Windows Firewall blocks unsolicited inbound connections, which helps protect client machines from network attacks and from resource theft and misuse.
1. Click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console (see Figure 3.22).
Figure 3.20 Property Dialog Box > Antimalware > Microsoft SpyNet.
Figure 3.21 Join Microsoft SpyNet.
Figure 3.22 Click ConfigMgr Console.
2. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies (see Figure 3.23).
In the middle pane, you can see the two default policies: Default Server Policy and Default Desktop Policy.
3. Double-click Default Server Policy to open the Default Forefront Endpoint Protection Policy Properties dialog box.
4. Click the Windows Firewall tab (see Figure 3.24).
5. Select Enable Host Firewall protection (see Figure 3.25).
You can configure Windows Firewall settings for:
• Domain Networks: Settings for workplace networks that are joined to a domain.
• Private Networks: Settings for networks at home or work where the user knows and trusts the people and devices on the network.
• Public Networks: Settings for networks in public places such as airports and coffee shops.
For each of these network types, you can adjust:
• Firewall state (On/Off); On is recommended
• Incoming Connections (Block Default/Allow/Block all); Block Default is recommended
• Notification Display (Yes/No)
Block all blocks all unsolicited attempts to connect to the machine, including connections that would otherwise be permitted by the list of allowed programs. Use this setting when you need maximum protection, such as when connecting to a public network or when a computer worm is spreading over the Internet. With this setting, Windows Firewall does not notify you when it blocks a program. Outbound traffic is unaffected, so you can still view most webpages, send and receive email, and send and receive instant messages.
Block Default blocks unsolicited inbound connections unless a firewall rule (for example, one defined by policy in your organization) explicitly allows them; connections that match an allow rule pass through Windows Firewall.
Figure 3.23 FEP > Policies > Default Server Policy.
Figure 3.24 Windows Firewall tab.
Figure 3.25 Enable Host Firewall Protection.
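Setting the profile in the policy is one half; confirming that the endpoint actually ended up in that state is the other, and a local administrator or another product can change it after the policy applies. The following PowerShell is an added example, not part of the evaluation guide: it parses the output of netsh advfirewall show allprofiles (available on Windows Vista, Windows 7 and Windows Server 2008) into one record per profile and flags any profile whose state is Off or whose inbound policy is not a Block setting. The sample output embedded in the script is constructed for offline testing, not captured from a real machine, and the parser assumes the English-language netsh output format.

```powershell
# Added example (not from the evaluation guide): audit the effective Windows
# Firewall profile state on an endpoint after the FEP policy has applied, and
# flag profiles that depart from the recommended state (On, Block default).
# Assumption: English-language "netsh advfirewall show allprofiles" output.

function Get-FirewallProfileState {
    param(
        # Pass constructed netsh output for offline testing; omit to query the live system.
        [string[]]$NetshOutput
    )
    if (-not $NetshOutput) {
        $NetshOutput = & netsh advfirewall show allprofiles
    }

    $profiles = @()
    $current  = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = New-Object PSObject -Property @{
                Profile = $Matches[1]; State = $null; InboundPolicy = $null; Notifications = $null
            }
            $profiles += $current
        }
        elseif ($current -and ($line -match '^State\s+(\S+)')) {
            $current.State = $Matches[1]                     # ON or OFF
        }
        elseif ($current -and ($line -match '^Firewall Policy\s+([^,]+),')) {
            $current.InboundPolicy = $Matches[1]             # BlockInbound, BlockInboundAlways or AllowInbound
        }
        elseif ($current -and ($line -match '^InboundUserNotification\s+(\S+)')) {
            $current.Notifications = $Matches[1]             # Enable or Disable
        }
    }
    return $profiles
}

function Test-FirewallCompliance {
    param([PSObject[]]$Profiles)
    foreach ($p in $Profiles) {
        $issues = @()
        if ($p.State -ne 'ON') { $issues += 'firewall is OFF' }
        # Block default (BlockInbound) and Block all (BlockInboundAlways) are both
        # acceptable; only an inbound policy that allows by default is a finding.
        if ($p.InboundPolicy -notmatch '^BlockInbound') { $issues += "inbound policy is $($p.InboundPolicy)" }
        New-Object PSObject -Property @{
            Profile   = $p.Profile
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

# Constructed sample (not captured from a real machine): a private profile that
# someone switched off and set to allow inbound traffic.
$sample = @(
    'Domain Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 ON',
    'Firewall Policy                       BlockInbound,AllowOutbound',
    'InboundUserNotification               Enable',
    '',
    'Private Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 OFF',
    'Firewall Policy                       AllowInbound,AllowOutbound',
    'InboundUserNotification               Disable',
    '',
    'Public Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 ON',
    'Firewall Policy                       BlockInboundAlways,AllowOutbound',
    'InboundUserNotification               Disable'
)

# Usage against the sample; drop -NetshOutput to audit the machine the script runs on.
Test-FirewallCompliance -Profiles (Get-FirewallProfileState -NetshOutput $sample) |
    Format-Table Profile, Compliant, Issues -AutoSize
```

With the sample input, the Domain and Public profiles report Compliant and the Private profile reports "firewall is OFF; inbound policy is AllowInbound". On a domain-joined client the Domain profile is the one the FEP policy targets most of the time, but a laptop that moves to a home network lands on the Private profile, which is why all three are checked.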
Restore Point
System Restore is a component of the Windows operating system that lets you roll back system files, registry keys, and installed programs to a previous state in the event of a system malfunction or failure.
A restore point is a snapshot of the machine's system state at a specific time; it does not include user documents. By creating a restore point before FEP cleans a computer, you can return the system to its state before the cleaning if the remediation causes a problem. Note that restore points can themselves retain copies of infected files, so treat the restore point as a rollback safety net for the cleaning action, not as a known-clean backup.
1. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies (see Figure 3.26).
2. Double-click Default FEP policy to open the Default Forefront Endpoint Protection Policy Properties dialog box.
3. Click the Antimalware tab and, in the list on the left, select Additional Settings (see Figure 3.27).
4. Select Create a system restore point before cleaning computers (see Figure 3.28).
5. Click Apply, and then click OK.
Figure 3.26 Computer Management > FEP > Policies.
Figure 3.27 Antimalware > Additional Settings.
Figure 3.28 Create a Restore Point.
Exercise 3.4: Policy assignment
To apply FEP policies to clients, you first assign them to a Configuration Manager collection. You can assign a policy to more than one collection, and you can assign more than one policy to a collection. When an FEP client has more than one policy assigned to it, the client applies the policy with the highest precedence.
To assign a policy to a collection
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Policies.
2. Right-click the policy that you want to assign, and then click Assign Policy (see Figure 3.29).
Note: You cannot assign the Default Server Policy or the Default Desktop Policy.
3. In the Add/Remove Collection dialog box, click Add.
4. In the Browse Collection dialog box, select the collection to which you want to assign the policy, and then click OK (see Figure 3.30).
If you need to assign this policy to multiple collections, click Add in the Add/Remove Collection dialog box and repeat this step for each collection.
5. In the Add/Remove Collection dialog box, click OK.
To monitor FEP policy deployment
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Forefront Endpoint Protection 2010.
2. View the Policy Distribution Status section under Operational Statistics on the Forefront Endpoint Protection dashboard (see Figure 3.31). You might need to refresh the page to get the latest information.
3. In the Links and Resources pane, under Web Reports, click Policy Distribution Overview for policy deployment information from the collection level down to the computer level.
Note: The FEP reports and FEP Dashboard statistics include only machines running both the FEP client software and the Configuration Manager agent.
Figure 3.29 Assign Policy.
Figure 3.30 Adding Collection.
Figure 3.31 Policy Distribution status.
Exercise 3.5: Using Group Policy for FEP
Administrators can configure FEP client settings by using Active Directory Group Policy and Group Policy objects (GPOs). The following procedures show how to configure clients by using FEP GPOs, pre-configured policy templates, and the FEP Group Policy Tool.
Exercise 3.5.1: Converting FEP policies to Group Policy
You can convert the settings contained in configured FEP policies to the format used by Group Policy. To convert policies, you must first download and install the FEP Group Policy Tool, available from the Microsoft Download Center as part of the FEP Group Policy Tools package. The package also contains ADMX and ADML files. These files are not required to run the FEP Group Policy Tool, but they are required to view or edit the FEP settings in a GPO.
To extract and install the FEP Group Policy Tool
1. Obtain the Forefront Endpoint Protection Group Policy Tool from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=205492) and copy it to your machine.
2. Double-click fep2010grouppolicytools.exe and extract the files from the package (see Figure 3.32).
The Forefront Endpoint Protection Group Policy Tools package includes the following files:
• fep2010.adml
• fep2010.admx
• fep2010gptool.exe
3. Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool.
Figure 3.32 Extract Group Policy Tool.
To convert FEP policy settings to Group Policy
1. Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool.
2. Select the Domain and the name of the Group Policy object in that domain that you want to populate with pre-configured FEP policy settings.
3. Click Select Policy File. Locate and select the XML policy file that contains the settings that you want to import to the Group Policy object.
4. Select Clear existing Forefront Endpoint Protection settings, and then click OK to import the settings. You can then edit and view the policy settings by using gpedit.msc.
Warning: Selecting Clear existing Forefront Endpoint Protection settings
will remove all FEP settings contained in the selected Group Policy object and replace them with the imported FEP policy settings. Only select this item if you want to clear all of the existing FEP policy settings from the Group Policy object.
To add ADMX and ADML files locally in order to view or edit policy settings
1. Navigate to the location where you extracted the ADMX and ADML files in the previous procedure.
2. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.
3. Copy the ADML file to the %systemroot%\PolicyDefinitions\ language folder. For example, en-US.
Note: You must restart the Group Policy Object Editor after performing the preceding steps.
Figure 3.33 FEP Group Policy Tool.
Figure 3.34 Copying an ADMX file.
Figure 3.35 Copying the ADML file.
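The copy procedure above puts the templates on one console only. The following PowerShell is an added example, not part of the evaluation guide: it performs the same two copies, validates that both files are well-formed XML first (a truncated download shows up here rather than as an error in the Group Policy editor), and optionally also copies them into the domain Central Store at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, which is standard Group Policy behaviour the guide does not cover. It assumes the files were extracted to the folder passed as -SourceDir and that the ADML is the en-US one.

```powershell
# Added example (not from the evaluation guide): install fep2010.admx and
# fep2010.adml into the local PolicyDefinitions folder, as the steps above
# describe, and optionally into the domain Central Store so every GPMC console
# in the domain can display the FEP settings. Run in an elevated session.
# Assumptions: the files were extracted to -SourceDir and the ADML is en-US.

function Install-FepAdmx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$SourceDir,
        [string]$Language = 'en-US',
        [string]$DomainFqdn      # e.g. corp.contoso.com; omit to update only this machine
    )

    $admx = Join-Path $SourceDir 'fep2010.admx'
    $adml = Join-Path $SourceDir 'fep2010.adml'
    foreach ($f in $admx, $adml) {
        if (-not (Test-Path -Path $f)) { throw "Missing $f; extract fep2010grouppolicytools.exe first" }
    }

    # Validate before copying: an ADMX must parse and have a policyDefinitions
    # root, an ADML a policyDefinitionResources root.
    foreach ($pair in @(@($admx, 'policyDefinitions'), @($adml, 'policyDefinitionResources'))) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load((Resolve-Path -Path $pair[0]).Path)
        if ($doc.DocumentElement.LocalName -ne $pair[1]) {
            throw "$($pair[0]) is not a valid $($pair[1]) document"
        }
    }

    $targets = @( (Join-Path $env:SystemRoot 'PolicyDefinitions') )
    if ($DomainFqdn) {
        # Creating this folder is also how a Central Store is created if none exists yet.
        $targets += "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"
    }

    foreach ($root in $targets) {
        $langDir = Join-Path $root $Language
        if (-not (Test-Path -Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
        Copy-Item -Path $admx -Destination $root    -Force
        Copy-Item -Path $adml -Destination $langDir -Force

        # Confirm both copies landed where the Group Policy editor looks for them.
        foreach ($expected in (Join-Path $root 'fep2010.admx'), (Join-Path $langDir 'fep2010.adml')) {
            if (-not (Test-Path -Path $expected)) { throw "Copy failed: $expected not found" }
        }
        Write-Host "Installed FEP templates to $root"
    }
}

# Usage: this console only, then (on a domain-joined console) the Central Store as well.
Install-FepAdmx -SourceDir 'C:\FEPGroupPolicyTools'
# Install-FepAdmx -SourceDir 'C:\FEPGroupPolicyTools' -DomainFqdn 'corp.contoso.com'
```

Once a Central Store exists, the Group Policy editor on a domain-joined console reads templates from it and ignores the local PolicyDefinitions folder, so when you manage FEP GPOs from more than one console the Central Store copy is the one that matters. As with the manual steps, restart the Group Policy Object Editor after copying.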
Exercise 3.5.2: Merging policies
You can merge policy settings from one or more FEP policies into a single GPO. This is helpful when settings are spread across multiple FEP policies and you want to combine them and use Group Policy to configure clients. To merge FEP policies into a single GPO, you must use the FEP Group Policy Tool.
Warning: When you merge multiple policies into a single GPO, the order in which you merge them affects the effective policy. For example, if you merge three policies that contain conflicting settings for a particular feature, the settings in the last policy you merge overwrite any conflicting settings already merged or already contained in the GPO. Merge the policy whose settings should win last.
To merge FEP policy settings into a GPO:
1. Double-click fep2010gptool.exe to open the FEP Group Policy Tool.
2. Select the Domain and the name of the GPO in that domain that you want to populate with pre-configured FEP policy settings.
3. Click Select Policy File. Locate and select the XML policy file that contains the settings that you want to import into the GPO (see Figure 3.36).
If this is the first policy you are merging and the selected GPO contains no FEP settings you want to keep, select Clear existing Forefront Endpoint Protection settings. This clears all FEP policy settings in the target GPO, so that only the settings contained in this policy are present afterwards.
If this is not the first policy you have merged into the selected GPO and you want to retain the settings already in it, verify that the check box is not selected; selecting it would clear the previously configured FEP settings. Click Apply to merge the policy settings into the GPO.
Note: Merging policy settings with the FEP Group Policy Tool does not modify the source FEP policy file.
4. To merge settings from additional FEP policies into the selected GPO, repeat the previous step.
Figure 3.36 Merging FEP policy settings.
Exercise 3.5.3: Configuring and viewing policies
You can view and configure Forefront Endpoint Protection settings by using the Group Policy Object Editor. Each policy setting contains parameter information specific to the feature it configures. Typically you open the Group Policy Object Editor by selecting a Group Policy object (GPO) in the Group Policy Management Console (GPMC) and choosing the Edit action for that object.
To view FEP Group Policy settings
1. Open the Group Policy Object Editor and go to Local Computer Policy\Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010.
2. Expand Forefront Endpoint Protection 2010 and click the folder that contains the settings you want to view.
For more information about a policy setting, double-click it in the right pane to open its configuration dialog box and read the additional policy setting information.
To edit FEP GPO settings
1. Open Group Policy Management.
2. In the console tree, double-click Group Policy Objects in the forest and domain containing the GPO you want to edit.
3. Right-click the GPO, and then click Edit.
Note: You must have edit permissions for the GPO you want to edit.
4. In the Group Policy Object Editor console, expand Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010 and click the folder that contains the settings you want to configure. In the right pane, double-click the setting you want to configure to open its configuration dialog box.
5. Configure the settings you want to deploy to clients, and then click OK.
6. Deploy the policy settings to clients by linking the GPO to an organizational unit that contains the client computers; clients pick up the settings at the next Group Policy refresh, or immediately after running gpupdate /force on the client.
Microsoft Forefront Endpoint Protection 2010 Evaluation Guide Page 44
Exercise 3.6: Signature updates
The Updates section allows you to configure how the FEP clients check for definition updates. This enables you to provide the latest updates to all endpoints centrally and protect them from new threats.
Note: If you are evaluating FEP in your own environment, you need to complete the following prerequisites before proceeding to the next steps:
Install WSUS 3.0: Before you can successfully install and configure a software update point on a site system server in Configuration Manager 2007, you must install WSUS 3.0 on the server.
Install WSUS 3.0 Administration Console: You need to install the WSUS 3.0 Administration Console on the Configuration Manager 2007 site server to allow the site server and remote Configuration Manager consoles to configure and synchronize software updates.
Create and configure an active Software Update Point: The software update point in System Center Configuration Manager 2007 is a required component of software updates and is installed as a site system role in the Configuration Manager console. You must create the software update point site system role on a site system server that has WSUS 3.0 installed.
You can find more information on configuring the Software Update Point here: http://technet.microsoft.com/en-us/library/bb633119.aspx
The above settings are already completed in the pre-configured virtual environment on the server machines named Denver (Server 1, WSUS) and Fargo (Server 2, FEP/ConfigMgr server).
The following step-by-step instructions use the pre-configured virtual environment, and the steps are performed on the server machines named Denver (Server 1) and Fargo (Server 2).
Software Updates and Windows Server Update Services
When you configure FEP or the FEP Security Management Pack deployment for WSUS-based definition updates, you must perform the following tasks:
Configure either the Software Updates area of Configuration Manager or your WSUS server to synchronize both updates and definition updates.
Approve the FEP definitions in the WSUS Administration console.
To synchronize updates and approve FEP definitions in Software Updates in Configuration Manager (in the virtual evaluation environment, this is the virtual machine named Fargo)
1. In the Configuration Manager Console, expand Site Management, expand the site name, expand Site Settings, and then click Component Configuration.
2. In the middle pane, right-click Software Update Point Component, and then click Properties.
3. On the Classifications tab, select Definition Updates and Updates.
4. On the Products tab, select Forefront Endpoint Protection 2010, and then click OK.
Figure 3.37 Component Configuration page.
Figure 3.38 Classifications tab.
Figure 3.39 Products tab.
To synchronize updates and approve FEP definitions in WSUS
1. Using an account that has local administrator user rights, log on to the machine running WSUS (in the virtual evaluation environment, this is the virtual machine named Denver).
2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
3. In the WSUS Administration console, in the tree, expand Computers, click Options, and then click Products and Classifications.
4. In the Products and Classifications dialog box, on the Products tab, select Forefront Endpoint Protection 2010.
5. On the Classifications tab, select Definition Updates and Updates, and then click OK.
Approving Updates
Updates for the FEP client must be approved before those updates are offered to clients requesting the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. Updates will only be offered to clients after they are approved for installation and after the WSUS server has completed the binary download.
To approve definitions and updates in WSUS
1. Using an account that has local administrator user rights, log on to the computer running WSUS.
2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
3. In the WSUS Administration console, click Updates, and then click All Updates or the classification of updates you want to approve.
4. On the list of updates, right-click the update or updates you want to approve for installation, and then click Approve.
5. In the Approve Updates dialog box, click the arrow next to the group for which you want to approve the updates, and then click Approved for Install.
Note: You can also set an Automatic Approval rule for definition updates and FEP updates, which configures WSUS to automatically approve for installation any definition updates or FEP updates downloaded by WSUS.
Figure 3.40 Product and Classifications.
Figure 3.41 Forefront Endpoint Protection 2010.
Figure 3.42 Approve all pending updates.
To configure an automatic approval rule
1. In the WSUS Administration console, click Options, and then click Automatic Approvals.
2. On the Update Rules tab, click New Rule.
3. In the Add Rule dialog box, under Step 1: Select properties, select When an update is in a specific product.
4. Under Step 2: Edit the properties, click any product.
5. Clear all selections except Forefront Endpoint Protection, and then click OK.
6. In the Step 3: Specify a name box, enter a name for the Forefront Endpoint Protection Definition Updates rule, and then click OK.
7. In the Automatic Approvals dialog box, select the newly created Forefront Endpoint Protection Definition Updates rule and then click Run rule.
Figure 3.43 Automatic approvals.
Figure 3.44 New rule.
Figure 3.45 Forefront Endpoint Protection 2010.
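The WSUS-side steps of this exercise (Products and Classifications, then the automatic approval rule) scripted against the WSUS 3.0 administration API, as an added example that is not from the guide or the product. The product and classification titles and the rule name are the ones the guide uses; the "All Computers" target group, the assembly load and the requirement that WSUS has synchronized once already are assumptions.

```powershell
# Added example (not from the evaluation guide): configure the WSUS server named
# Denver in the lab to synchronize FEP 2010 definitions and auto-approve them.
# Run in an elevated PowerShell session on the WSUS server. Assumes the WSUS
# Administration Console (which carries the API assembly) is installed and the
# server has synchronized at least once, so the product catalog is known.
$ErrorActionPreference = "Stop"
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$ProductTitle         = "Forefront Endpoint Protection 2010"     # Products tab entry in the guide
$ClassificationTitles = @("Definition Updates", "Updates")       # Classifications tab entries
$RuleName             = "Forefront Endpoint Protection Definition Updates"

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Resolve the product category and the two classifications by their console titles.
$product = $wsus.GetUpdateCategories() |
    Where-Object { $_.Title -eq $ProductTitle } | Select-Object -First 1
if (-not $product) { throw "Product '$ProductTitle' is not in the WSUS catalog; synchronize first." }
$classifications = $wsus.GetUpdateClassifications() |
    Where-Object { $ClassificationTitles -contains $_.Title }

function Enable-FepSynchronization {
    # Steps 3-5 of "To synchronize updates and approve FEP definitions in WSUS":
    # add the product and both classifications to the synchronization subscription.
    $subscription = $wsus.GetSubscription()

    $cats = $subscription.GetUpdateCategories()
    if (-not ($cats | Where-Object { $_.Id -eq $product.Id })) { $cats.Add($product) | Out-Null }
    $subscription.SetUpdateCategories($cats)

    $classes = $subscription.GetUpdateClassifications()
    foreach ($c in $classifications) {
        if (-not ($classes | Where-Object { $_.Id -eq $c.Id })) { $classes.Add($c) | Out-Null }
    }
    $subscription.SetUpdateClassifications($classes)
    $subscription.Save()
    $subscription.StartSynchronization()   # same effect as Synchronize Now in the console
}

function New-FepAutoApprovalRule {
    # Steps 1-7 of "To configure an automatic approval rule": approve every update
    # in the FEP product, of the synchronized classifications, for one target group.
    param([string]$TargetGroupName = "All Computers")   # assumption: WSUS default group

    $rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }
    if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($RuleName) }

    $catColl = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
    $catColl.Add($product) | Out-Null
    $rule.SetCategories($catColl)

    $classColl = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    foreach ($c in $classifications) { $classColl.Add($c) | Out-Null }
    $rule.SetClassifications($classColl)

    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) { throw "Target group '$TargetGroupName' not found." }
    $groupColl = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    $groupColl.Add($group) | Out-Null
    $rule.SetComputerTargetGroups($groupColl)

    $rule.Enabled = $true
    $rule.Save()
    $rule.ApplyRule()   # the console's "Run rule": approves already-downloaded matches now
    return $rule
}

function Get-UnapprovedFepUpdates {
    # What the console shows under Updates for this product before the rule runs;
    # after ApplyRule this list should be empty for downloaded updates.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.Categories.Add($product) | Out-Null
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    $wsus.GetUpdates($scope) | Select-Object Title, CreationDate
}

Enable-FepSynchronization
New-FepAutoApprovalRule | Out-Null
Get-UnapprovedFepUpdates
```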
Microsoft Update Definition Updates
You use the Microsoft Update definition update option to keep definitions on mobile clients up to date when they are not connected to the corporate network.
The Microsoft Update definition update option works in the same way as a normal Microsoft Update request. If configured, the FEP client will query Microsoft Update for new definitions at the frequency configured in the FEP policy.
You can configure clients to check for definition updates by setting a policy option.
To configure clients to check Microsoft Update
1. When you create an FEP policy, on the Updates page, select Enable updates from Microsoft Update.
2. When you want to add Microsoft Update as a definition update option to an existing policy, in the properties of the policy, click the Updates tab, and in the update source list, select Updates from Microsoft Updates (MU).
File Share-Based Definition Updates
Forefront Endpoint Protection clients can be configured to check a file share for definition updates. To check for updates, the client accounts must have read access to the file share in which you store the definition files. Domain users need read access as well, because the user account is used when a manual update is performed.
Note: When you configure clients to check a file share for definition updates, clients check the file share first, by default, before they check WSUS or Microsoft Update. You can change this hierarchy.
To enable file share-based definition updates
1. Create a folder called File Share on Server 1 (Denver).
2. Right-click the folder and go to Share with.
3. Add the user, select Read/Write access, and then click Share.
4. When you create an FEP policy, on the Updates page, select Enable updates from the following file share location, then, in the text box, enter the Universal Naming Convention (UNC) path to the file share.
Note: FEP does not create or set permissions on the share automatically.
Figure 3.46 Updates tab.
Figure 3.47 UNC check box and path for the file share.
To enable file share-based definition updates in an existing policy
1. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. In the middle pane, right-click the policy you want to edit, and then click Properties.
3. Click the Updates tab, then, in the list of update sources, select Updates from UNC file shares (specified below).
4. Under Specify, in order of preference, file shares, click Add, and then type the UNC path to the file share.
5. If necessary, click Add again and add additional UNC paths.
Note: You can alter the order of the list of file shares by selecting a listed path and then, under the list, clicking Up or Down.
6. When finished, click OK.
To configure a file share for definition updates
1. Download the required files from the following locations:
For x64:
Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64)
Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)
Note: This file is required only if you have selected Enable protection against network-based exploits on the Antimalware tab of an FEP policy.
For x86:
Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86)
Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095)
Note: This file is required only if you have selected Enable protection against network-based exploits on the Antimalware tab of an FEP policy.
Figure 3.48 Downloaded files for x64.
2. Save the files in folders with the following names:
The files for x64-based computers must be in a folder named x64.
The files for x86-based computers must be in a folder named x86.
For example:
...\Updates\x86
...\Updates\x64
3. Ensure that each folder contains the following files:
Mpam-fe.exe
Nis_full.exe
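The share-side procedures above ("To enable file share-based definition updates" and "To configure a file share for definition updates") as one script, an added example that is not from the guide or the product. The download URLs, folder names and file names are the guide's; the root path C:\Updates, the share name, the reader group and the Authenticode check before publishing are assumptions of this example.

```powershell
# Added example (not from the evaluation guide): build and share the definition
# update tree the exercise describes: <root>\x64 and <root>\x86, each holding
# Mpam-fe.exe and Nis_full.exe. Run elevated on the file server (Denver in the
# lab). Written for PowerShell 2.0, which the guide's Windows Server 2008 R2-era
# hosts ship with.
param(
    [string]$Root      = "C:\Updates",     # assumption: local folder behind the share
    [string]$ShareName = "Updates",        # assumption: clients get \\<server>\Updates
    [string]$Readers   = "Domain Users"    # clients and domain users need read access
)
$ErrorActionPreference = "Stop"

# Per-architecture sources from the guide, keyed by the file name each must be saved under.
$Sources = @{
    "x64" = @{
        "Mpam-fe.exe"  = "http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64"
        "Nis_full.exe" = "http://go.microsoft.com/fwlink/?LinkId=197094"
    }
    "x86" = @{
        "Mpam-fe.exe"  = "http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86"
        "Nis_full.exe" = "http://go.microsoft.com/fwlink/?LinkId=197095"
    }
}

function Update-FepDefinitionFolders {
    # Downloads each package to a staging file, accepts it only if it carries a valid
    # Authenticode signature, then moves it into place. Every client executes what is
    # on this share, so an unsigned or tampered file must never be published.
    foreach ($arch in $Sources.Keys) {
        $folder = Join-Path $Root $arch
        if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
        foreach ($fileName in $Sources[$arch].Keys) {
            $staging = Join-Path $env:TEMP ("$arch-$fileName")
            (New-Object System.Net.WebClient).DownloadFile($Sources[$arch][$fileName], $staging)
            $sig = Get-AuthenticodeSignature -FilePath $staging
            if ($sig.Status -ne "Valid") {
                Remove-Item $staging -Force
                throw "$arch\$fileName failed signature validation ($($sig.Status)); not published."
            }
            Move-Item -Path $staging -Destination (Join-Path $folder $fileName) -Force
        }
    }
}

function Publish-FepDefinitionShare {
    # Shares the root read-only for the reader group. The guide notes that FEP does
    # not create or set permissions on the share; this is the administrator's job.
    $existing = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
    if (-not $existing) {
        & net share "$ShareName=$Root" "/GRANT:$Readers,READ" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }
    }
    return "\\$env:COMPUTERNAME\$ShareName"   # the UNC path to enter on the policy's Updates tab
}

function Test-FepDefinitionShare {
    # Step 3 of the exercise: each architecture folder must contain both files.
    $missing = @()
    foreach ($arch in @("x64", "x86")) {
        foreach ($fileName in @("Mpam-fe.exe", "Nis_full.exe")) {
            $path = Join-Path (Join-Path $Root $arch) $fileName
            if (-not (Test-Path $path)) { $missing += $path }
        }
    }
    return $missing   # an empty result means the share is complete
}

Update-FepDefinitionFolders
$unc = Publish-FepDefinitionShare
$missing = Test-FepDefinitionShare
if ($missing.Count -eq 0) { "Definition share ready at $unc" }
else { "Share incomplete, missing: $($missing -join ', ')" }
```

Nis_full.exe is only consulted by clients whose policy enables protection against network-based exploits, but keeping it present for both architectures means a later policy change needs no share rework.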
Summary
This chapter has shown how you can deploy FEP to secure client machines. You can use Configuration Manager 2007 to centrally install and uninstall FEP clients, manage policies, and view the state of client protection. For more details, refer to:
Deploying Forefront Endpoint Protection 2010: Step-by-step installation of Forefront Endpoint Protection 2010. It is an easy wizard-driven setup.
Using Configuration Manager to Deploy FEP Clients: Step-by-step process to distribute and advertise the software to an existing or a new collection of endpoints.
Overview of the contents of the Dashboard of System Center Configuration Manager 2007: The Dashboard summarizes the overall health status of clients. It provides drill-down reports for particular computers.
Policy creation for Forefront Endpoint Protection 2010: Defines the various configuration options of the FEP client that users can manage, such as policy customization and assignment, configuring group policy, the scan schedule, the location and frequency of definition updates, and scan exclusions.
Providing signature updates to endpoints: Enables administrators to provide the latest updates to all endpoints centrally and thus keep them protected against new threats.
Figure 3.49 UNC checkbox and path.
In Chapter 3, you will learn how FEP can comprehensively protect client machines by detecting and cleaning malware, providing reports and alerts, and providing different types of configurable scanning methods for client machines. For more details, refer to:
Detecting and Cleaning Malware: Step-by-step process of detecting and cleaning malware using Configuration Manager 2007.
On-demand, Scheduled and Real-time Scanning: The scanning methods used by FEP include:
Real-time scanning: Process of configuring real-time scans
Scheduled scanning: Process of configuring scheduled scans
On-demand scanning: Process of configuring on-demand scans
CHAPTER 3: COMPREHENSIVE PROTECTION
Forefront Endpoint Protection 2010 makes it easier to protect critical desktop, laptop, and server operating systems against viruses, spyware, rootkits, and other threats.
Highly accurate and efficient threat detection: The FEP engine protects against the latest malware and rootkits with a low false-positive rate and helps keep employees productive with low-impact scanning.
Detection of unknown threats: Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block previously unknown threats from attacking endpoints.
Improved network-based protection: Forefront Endpoint Protection 2010 ensures Windows Firewall is active and working properly to protect against network-layer threats, and it allows you to more easily manage protection across the enterprise.
Forefront Endpoint Protection 2010 provides protection against these threats using the following techniques:
Antimalware protection: The FEP client helps users stay secure and productive both at work and on the go with a lightweight, easy-to-use interface. Whenever possible, the FEP client automatically solves security issues as they occur without disturbing users, so users can stay safe and continue with their work without contacting their desktop administrators.
Protection against rootkits: Rootkits are software that enables continued privileged access to a computer while hiding its presence from administrators. Forefront Endpoint Protection 2010 has features that provide efficient rootkit detection.
Heuristics and emulation techniques: Dynamic Translation technology in FEP uses heuristics-based protection. Based on emulated behavior, it translates code that accesses real resources into code that accesses virtualized resources, which keeps the real resources in the system safe from any malicious content.
Behavior monitoring: Live system behavior monitoring identifies new threats and tracks the behavior of unknown processes and of known good processes gone bad. Detections trigger a request to the Dynamic Signature Service, and clients receive an updated signature through the cloud for recently identified malware without waiting for the regular signature update process.
Network vulnerability shielding: Forefront Endpoint Protection 2010 provides protection against network-level exploits and intrusions by inspecting inbound and outbound network traffic. It balances protection with performance by only enabling signatures for the unpatched vulnerabilities.
Simple Client Experience
Simple Interface: Keep user interactions minimal and high-level; provide only necessary interactions.
Administrator-managed options: Control user configurability; enforce central policy.
Performance-Oriented Defaults: Template-driven policy creation based on risk; workload-specific policies for servers.
In this scenario, you will evaluate the process of detecting and cleaning malware
using FEP. This section will provide you with the step-by-step processes to detect a
malware, run the FEP software to clean up the malware, and generate reports of
the malware operations.
Exercise                                            Illustrates
4. Detecting and cleaning malware impact scanning   Detecting and cleaning malware on the client computer
5. On-demand, scheduled, and real-time scanning     Protecting endpoints against malware in real-time
Exercise 4: Detecting and cleaning malware impact scanning
Companies today are challenged to protect endpoints from unauthorized access to information and loss of critical data. Forefront Endpoint Protection 2010 enables organizations to centrally protect endpoints against different types of malware like viruses and rootkits.
While evaluating with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name        Roles
1      Server 1 (Denver)   DC – CA – AD FS, AD-RMS, FCI, WSUS
2      Server 2 (Fargo)    FEP Server and Configuration Manager
3      Client 1 (Chicago)  Forefront Client Security (FCS) Client
4      Client 2 (Cairo)    FEP
In this exercise, you will see an example of detecting and cleaning malware on a client machine.
The following step-by-step instructions use the pre-configured virtual environment and are performed on the client machine called Cairo (Client 2 in the table above).
1. If you are using the virtual environment, open the folder where the EICAR test virus file is stored and skip to step 4.
2. If you are using your own environment, download the EICAR antimalware test file eicar.com.txt from the EICAR website (http://www.eicar.org/download/eicar.com.txt).
Note: Forefront Endpoint Protection 2010 should block this file from being downloaded. The Sample folder contains several copies of the EICAR test virus. This is not a real virus, but a sample file used for antimalware tests.
3. Place the file in the C:\Tools\Sample folder.
Figure 4.1 Opening the Sample folder.
4. In the Sample folder, right-click eicar.com.txt, and then click Open.
FEP real-time detection recognizes the EICAR test virus and blocks access to the file.
Near the notification area, a popup appears that briefly informs the user about the blocked access to the file.
5. Click OK to acknowledge that Windows cannot access the file.
Notice that the eicar.com.txt file is no longer in the folder; FEP has removed it.
6. Close the Sample folder.
7. In the notification area, right-click the FEP icon, and then click Open.
8. In the FEP window, click the History tab.
Note: It may take up to 10 minutes before the detected item appears in the list.
9. Close the FEP window.
10. On the FEP Server (in the pre-configured virtual environment, it is the server named Fargo), in the Configuration Manager console, under Computer Management, select Forefront Endpoint Protection.
Figure 4.2 Notification for blocked access to user.
Figure 4.3 Right-click the FEP icon.
Figure 4.4 History tab in the FEP window.
Figure 4.5 Select Forefront Endpoint Protection under Computer Management.
11. In the middle pane, note that the Malware Activity Status section shows the number of detected and cleaned malware.
Note: The detected malware from the client may not show up immediately. The status change depends on the Configuration Manager client state update setting.
12. In the Configuration Manager console, under Forefront Endpoint Protection, select Reports.
The middle pane lists the three pre-defined reports.
13. In the middle pane, select Antimalware Activity Report.
14. Right-click the report, and then click Run.
Notice that FEP 2010 integrates with both Configuration Manager and SQL Server Reporting.
The malware information may take some time to appear in the report. In the virtual environment, it will take 10-15 minutes for the latest information to populate. In general, it depends on the interval set for a client to upload state messages.
Figure 4.6 Malware Activity Status section.
Figure 4.7 Select Reports from Configuration Manager Console.
Figure 4.8 Right-click the Antimalware Activity Report and then click Run.
15. Close the Report Viewer window.
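A repeatable form of steps 2 through 5 of this exercise for checking an FEP client, added here as an example that is not from the guide or the product. It uses the guide's EICAR download URL and the C:\Tools\Sample folder; the polling window and the three outcome labels are assumptions of this example.

```powershell
# Added example (not from the evaluation guide): verify on an FEP client that
# real-time protection handles the EICAR test file the way the exercise describes.
# It fetches eicar.com.txt from the URL the guide gives into C:\Tools\Sample and
# reports which outcome occurred: the download was blocked (the guide's note), the
# file landed and real-time protection removed it (the guide's step 5), or nothing
# happened within the window, which is a finding rather than a pass.
function Test-FepRealtimeProtection {
    param(
        [string]$SampleFolder = "C:\Tools\Sample",                          # folder from the guide
        [string]$Url          = "http://www.eicar.org/download/eicar.com.txt", # URL from the guide
        [int]$WaitSeconds     = 30                                           # assumption
    )
    if (-not (Test-Path $SampleFolder)) {
        New-Item -ItemType Directory -Path $SampleFolder | Out-Null
    }
    $target = Join-Path $SampleFolder "eicar.com.txt"
    if (Test-Path $target) { Remove-Item $target -Force }   # start from a clean folder

    try {
        (New-Object System.Net.WebClient).DownloadFile($Url, $target)
    } catch {
        # "Forefront Endpoint Protection 2010 should block this file from being downloaded."
        return New-Object PSObject -Property @{
            Outcome = "BlockedAtDownload"; Detail = $_.Exception.Message
        }
    }

    # The file reached disk. Touch it the way the Open action in step 4 would, then
    # poll until real-time protection removes it or the window runs out.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        try { [void](Get-Content -Path $target -ErrorAction Stop) } catch { }
        if (-not (Test-Path $target)) {
            return New-Object PSObject -Property @{
                Outcome = "RemovedByRealtimeProtection"; Detail = $target
            }
        }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)

    # Still present: real-time protection is off, the path is excluded, or definitions
    # are missing. The History tab (step 8) and the client's policy are the next stops.
    return New-Object PSObject -Property @{ Outcome = "NotDetected"; Detail = $target }
}

Test-FepRealtimeProtection | Format-List Outcome, Detail
```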
Exercise 5: On-demand, scheduled and real-time scanning
Forefront Endpoint Protection 2010 provides the options for on-demand, scheduled and real-time scanning. The organization can select the option appropriate for its business needs.
Exercise                       Illustrates
5.1. FEP real-time scanning    Real-time scanning on an FEP Client
5.2. FEP scheduled scanning    Scheduled scanning on an FEP Client
5.3. FEP on-demand scanning    On-demand scanning on an FEP Client
If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name        Roles
1      Server 1 (Denver)   DC – CA – AD FS, AD RMS, FCI, WSUS
2      Server 2 (Fargo)    FEP Server and Configuration Manager
3      Client 1 (Chicago)  Forefront Client Security (FCS) Client
4      Client 2 (Cairo)    FEP
Figure 4.9 Displayed Antimalware Activity report.
Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning
Real-time scan: protects endpoints against malware in real time. This can help prevent infection by malware present in the files being accessed.
Real-time scanning: All FEP incidents on client machines are reported to the FEP server, which is used for reporting and for creating and distributing FEP policies throughout the network.
In this exercise, you will see an example of configuring and scheduling a scan on the client machine in real time.
These step-by-step instructions use the pre-configured virtual environment, and the steps are performed on the client machine named Cairo (Client 2 in the table above).
1. In the FEP client, click the Start menu, and then click Computer.
2. Right-click USB Disk (K:), and then click Open.
Figure 5.1 Click Computer.
Figure 5.2 Right-click to Open.
3. On the K: disk, right-click Woodgrove Bank Trey Information.doc, and then click Open.
Forefront Endpoint Protection 2010 blocks access to the document. Even though the client computer may be on the corporate network, behind the firewalls, malware-infected files can still enter the network through the use of portable USB drives. However, FEP on the client machine detects and blocks the malicious content.
4. Click OK to close the Microsoft Word dialog box.
5. Close Microsoft Word.
Figure 5.3 Opening the document from the USB drive.
Figure 5.4 Error message shown on the infected file.
Note: The steps to enable real-time scanning are shown in the Policy Creation section in the Evaluation Scenario: Single Infrastructure. These steps are completed in the FEP Configuration Manager Console.
Figure 5.5 Real-time scanning.
Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning
Scheduled scan enables an organization to:
Configure a scheduled scan: You can select the scan frequency from Weekly quick scan, Weekly full scan, Daily quick scan, Daily full scan, and Daily quick scan and Weekly full scan. You can also set the time and day for weekly scans.
Allow clients to schedule scan time: Select this option to allow end users to schedule scans on their client machines.
Scan only when the computer is idle
Randomize scheduled scan start times (within 30 minutes of the scheduled time)
Force a scan upon reboot when two or more scheduled scans are missed
Scan archived files
Limit processor usage during scans: You can set the processor usage at the client machine for the scanning process.
In this exercise, you will configure and schedule a scan on a client machine.
In the FEP client, the steps to enable scheduled scanning are described in the Policy Creation section in the Evaluation Scenario: Single Infrastructure.
Figure 5.6 Enable Scheduled scanning.
Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning
On-demand scan: enables an organization to perform three kinds of scanning:
Quick scan: checks the areas that malicious software, including viruses, spyware and unwanted software, is most likely to infect.
Full scan: checks all the files on the hard disk and checks all running programs. The duration of the scan depends on the system.
Custom scan: checks only the locations and files that the user selects.
The scanning can be performed either manually or by running the endpoint scan from the FEP management console.
In this exercise, you will perform the three types of on-demand scans on a client machine.
1. Quick Scan
Manual steps
a. Double-click the FEP icon on the taskbar.
b. Under Scan options, click Quick.
c. Click Scan now to start scanning.
Figure 5.7 Manually performing the Quick scan.
Running the Quick Scan from the FEP Management Console
a. Open the Configuration Manager console, expand Computer Management, and expand Collections.
b. Select All Systems.
c. Select the client machine Cairo.
d. Go to the Action Pane, and under the client machine Cairo select FEP Operations.
e. Click Run Quick Scan.
2. Full Scan
Manual Steps
a. Double-click the FEP icon on the taskbar.
b. Under Scan options, click Full.
c. Click Scan now to start scanning.
Running the Full Scan from the FEP Management Console
a. Open the Configuration Manager console, expand Computer Management, and expand Collections.
b. Select All Systems.
c. Select the client machine Cairo.
d. Go to the Action Pane, and under the client machine Cairo select FEP Operations.
e. Click Run Full Scan.
3. Custom Scan
a. Double-click the FEP icon on the taskbar and then click Custom Scan.
Figure 5.8 Run Quick Scan from FEP console.
Figure 5.9 Manually performing the Full scan.
Figure 5.10 Run Full Scan from FEP console.
Figure 5.11 Custom scan.
b. Select the locations/files that you want to scan.
c. Click OK to start the Custom Scan.
Summary
This chapter showed how FEP can provide comprehensive protection to client machines by detecting and cleaning malware, providing reports and alerts, and providing different types of configurable scanning methods. For more details, please refer to the following sections:
Detecting and Cleaning Malware: Step-by-step process of detecting and cleaning malware impact scanning using Configuration Manager 2007.
On-demand, Scheduled and Real-time Scanning: The scanning methods used by FEP.
In Chapter 4, you will learn how FEP provides simplified management by using predefined reports and customized alerts. For more details, please refer to the following sections:
FEP Reports: Predefined reports with information on client deployment, health, and malware detection.
FEP Alerts: Receive email notifications when FEP detects security incidents and generates alerts.
Figure 5.12 Select the file location.
Figure 5.13 Custom scan.
CHAPTER 4: SIMPLIFIED MANAGEMENT—REPORTING AND ALERTING
Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 and provides a single interface for you to manage and secure endpoints, which helps reduce complexity and improve troubleshooting and reporting insights. It provides a central location for you to create and apply all endpoint-related policies.
With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers. Forefront Endpoint Protection 2010 provides simplified access to the information and tools you need to keep your enterprise secure and running.
No separate console: Configuration Manager provides a single interface to manage and secure endpoints, which helps to reduce complexity and improve troubleshooting and reporting insights. This approach also helps to reduce the training necessary for client administration.
Improved endpoint visibility: With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers.
Reporting and Alerting Benefits
Uses the existing reporting infrastructure: no need for additional database servers
Improved visibility into client security and health
Critical-level alerting
Rich historical reports
Exercise          Illustrates
6. FEP reports    Reports on client deployment, health, and malware detection
7. FEP alerts     Notification when security threats are detected
If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.  Machine Name        Roles
1      Server 1 (Denver)   DC – CA – AD FS, AD RMS, FCI, WSUS
2      Server 2 (Fargo)    FEP Server and Configuration Manager
3      Client 1 (Chicago)  Forefront Client Security (FCS) Client
4      Client 2 (Cairo)    FEP
Exercise 6: Forefront Endpoint Protection 2010 reports
Forefront Endpoint Protection 2010 provides a number of predefined reports in the Reports node under the Forefront Endpoint Protection node. These reports provide information on client deployment, health, and malware detection. Forefront Endpoint Protection 2010 has six predefined FEP reports:
Antimalware Activity Report, Antimalware Protection Summary Report, and Computer List Report run directly from the Reports node.
Malware Details Report and Computer Details Report run by drilling down within the Antimalware Activity Report.
Computer List Report and Policy Deployment Report run directly from the FEP Dashboard.
Antimalware Activity Report: This report displays a dashboard summarizing the overall antimalware status.
Security Alerts: Displays a summary of raised FEP alerts.
Security Status: Displays a summary of client machines by FEP client status.
Antimalware Activity: Displays a dashboard of information about all detected malware.
Malware Activity: Displays lists of the top malware infections by severity and frequency.
Antimalware Protection Summary Report: This report provides an overview of antimalware deployment and health.
Antimalware Deployment and Health: Displays a dashboard of antimalware information.
Security Status: Displays a summary of client machines by FEP client status.
Malware Details Report: This report displays further details about specific malware.
Malware Details: Displays details about the detected malware.
Antimalware Activity: Displays a dashboard of information about the detected malware.
Infected Computers: Displays a list of client machines that the detected malware has infected.
Figure 6.1 Antimalware Activity report.
Figure 6.2 Antimalware Protection Summary report.
Figure 6.3 Malware Details report.
Computer List Report: This report displays a list of computers.
Computer List: When you run this report from the Reports node, it displays a list of computers on which the FEP client is deployed. When you run this report by drilling down, it displays a filtered list of computers according to the clicked link.
Computer Details Report: This report displays further details about the specified computer.
Computer Details: Displays details about the specified computer.
Protection Status: Displays information about the status of the FEP client features.
Malware Activity: Displays a summary of malware information followed by a list of malware that has been detected on the specified computer.
Policy Deployment Report: This Web report displays the breakdown of FEP 2010 client distribution states per collection. To open it, click the FEP Dashboard and scroll to the Links and Resources section. Under Web Reports, click Deployment Overview.
Figure 6.4 Computer List report.
Figure 6.5 Computer Details report.
Figure 6.6 Policy Deployment report.
Exercise 7: Forefront Endpoint Protection 2010 alerts
Forefront Endpoint Protection 2010 can notify you when it detects security incidents.
The alert types that FEP provides include:
    Malware Outbreak: Forefront Endpoint Protection 2010 can send an alert when it detects a malware outbreak. An outbreak occurs when the number of malware detections reaches a certain threshold.
    Malware Detection: When FEP detects malware on a client machine, it sends an alert to the client machines that are members of its collection. You can configure the settings to generate alerts and select the recipients of the alerts.
    Repeated Malware Detection: Forefront Endpoint Protection 2010 sends an alert to client machines if the same malware infects them repeatedly. The alert occurs after a certain number of repeated detections.
    Multiple Malware Detection: Forefront Endpoint Protection 2010 sends an alert to the client machines infected by multiple malware types. The alert occurs after a certain number of malware detections on a single computer.
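The four alert types above are threshold rules evaluated over malware detection events. The Python script below is an added example, not FEP code: it models each rule over a constructed set of detection records so the difference between the rules is visible. The thresholds (three computers in sixty minutes, two repeats, three distinct malware names), the record layout and the sample records are assumptions chosen to trigger each rule once.

```python
"""Threshold rules modelled on the four FEP 2010 alert types described above.

Added example, not FEP code: the thresholds, record layout and the sample
detection records below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detection records: (timestamp, computer, malware name, severity).
SAMPLE_DETECTIONS = [
    (datetime(2010, 11, 1, 9, 0), "PC-01", "Worm:Win32/Sample.A", "Severe"),
    (datetime(2010, 11, 1, 9, 5), "PC-02", "Worm:Win32/Sample.A", "Severe"),
    (datetime(2010, 11, 1, 9, 8), "PC-03", "Worm:Win32/Sample.A", "Severe"),
    (datetime(2010, 11, 1, 9, 30), "PC-01", "Worm:Win32/Sample.A", "Severe"),
    (datetime(2010, 11, 1, 10, 0), "PC-01", "Adware:Win32/Sample.B", "Low"),
    (datetime(2010, 11, 1, 10, 2), "PC-01", "Trojan:Win32/Sample.C", "High"),
    (datetime(2010, 11, 2, 9, 0), "PC-04", "Adware:Win32/Sample.B", "Low"),
]

# FEP alert levels, ranked so that "at or above a level" is a comparison.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Severe": 4}


def outbreak_alerts(detections, computers_threshold=3, interval_minutes=60):
    """Malware Outbreak: one malware name seen on at least `computers_threshold`
    distinct computers within a sliding window of `interval_minutes`.
    Returns [(malware, time the threshold was crossed)], one entry per malware."""
    window = timedelta(minutes=interval_minutes)
    hits_by_malware = defaultdict(list)
    for ts, computer, malware, _sev in sorted(detections):
        hits_by_malware[malware].append((ts, computer))
    alerts = []
    for malware, hits in hits_by_malware.items():
        for i, (end_ts, _) in enumerate(hits):
            # Distinct computers hit within the window ending at this detection.
            recent = {c for ts, c in hits[: i + 1] if end_ts - ts <= window}
            if len(recent) >= computers_threshold:
                alerts.append((malware, end_ts))
                break  # alert once per outbreak rather than on every later hit
    return alerts


def detection_alerts(detections, collection, alert_level="Medium"):
    """Malware Detection: every detection on a computer in the monitored
    `collection` whose severity is at or above `alert_level`."""
    floor = SEVERITY_RANK[alert_level]
    return [(computer, malware) for _ts, computer, malware, sev in detections
            if computer in collection and SEVERITY_RANK[sev] >= floor]


def repeated_detection_alerts(detections, repeat_threshold=2):
    """Repeated Malware Detection: the same malware detected on the same
    computer at least `repeat_threshold` times (a cleaning that keeps failing)."""
    counts = defaultdict(int)
    for _ts, computer, malware, _sev in detections:
        counts[(computer, malware)] += 1
    return sorted(key for key, n in counts.items() if n >= repeat_threshold)


def multiple_malware_alerts(detections, distinct_threshold=3):
    """Multiple Malware Detection: at least `distinct_threshold` different
    malware names detected on a single computer."""
    names_by_computer = defaultdict(set)
    for _ts, computer, malware, _sev in detections:
        names_by_computer[computer].add(malware)
    return sorted(c for c, names in names_by_computer.items()
                  if len(names) >= distinct_threshold)


if __name__ == "__main__":
    print("Outbreak:", outbreak_alerts(SAMPLE_DETECTIONS))
    print("Detection:", detection_alerts(SAMPLE_DETECTIONS, {"PC-01", "PC-02"}))
    print("Repeated:", repeated_detection_alerts(SAMPLE_DETECTIONS))
    print("Multiple:", multiple_malware_alerts(SAMPLE_DETECTIONS))
```

With the sample records, Sample.A crosses the outbreak threshold at the third computer (09:08), PC-01 is reported for both the repeated detection of Sample.A and for carrying three different malware names, and the Low-severity adware on PC-04 is only reported when the detection alert level is lowered to Low.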
Exercise 7.1: Sending a Malware Outbreak alert
1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.
2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts.
Figure 7.1 Click ConfigMgr Console.
Figure 7.2 Computer Management > FEP > Alerts.
3. After selecting Alerts, select Malware Outbreak Alert.
4. Right-click Malware Outbreak Alert and then click Properties. The Malware Outbreak Alert Properties dialog box will appear.
5. Select Enable alerts for malware outbreaks and then specify the criteria for malware outbreak alerts, such as Malware detected on number of computers and Malware detection interval (in minutes). Add the addresses of the recipients to whom alerts should be sent.
6. Click Apply and then click OK.
Figure 7.3 Select Malware Outbreak Alert.
Figure 7.4 Right-click and select Properties.
Figure 7.5 Properties dialog box.
Figure 7.6 Enable alerts for malware outbreaks.
Exercise 7.2: Sending a Malware Detection alert
1. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts. In the middle pane, select Malware Detection Alert.
2. Right-click Malware Detection Alert and then click Properties. The Malware Detection Alert Properties dialog box will appear.
3. Select Enable alerts for malware detection and then click Browse to select the parent collection you want to monitor.
4. In the Browse Collection dialog box, click All Systems, and then click OK.
5. Set the Alert detection level to Medium and then add the addresses of recipients to whom alerts should be sent.
6. Click Apply and then click OK.
Figure 7.7 Select Malware Detection Alert.
Figure 7.8 Right-click and select Properties.
Figure 7.9 Properties dialog box.
Figure 7.10 Select parent collection.
Figure 7.11 Select All Systems.
Figure 7.12 Add recipients.
Exercise 7.3: Sending a Repeated Malware Detection alert
1. Under Computer Management, expand Forefront Endpoint Protection, click Alerts, and then click Repeated Malware Detection Alert.
2. Click Browse.
3. In the Browse Collection dialog box, click All Systems, and then click OK.
4. Select Add recipients Email ID. Click Apply and then click OK.
Note: In order to send the email alerts, the SMTP settings need to be defined.
5. To define the SMTP settings, in the Actions pane, click Email Settings.
6. Enter the SMTP Server and Email address, and then click OK.
Figure 7.13 Repeated Malware Detection Alert.
Figure 7.14 Properties dialog box for Repeated Malware Detection Alert.
Figure 7.15 Select All Systems.
Figure 7.16 Add recipients Email ID.
Figure 7.17 Email Settings.
Figure 7.18 Enter SMTP details.
Exercise 7.4: Sending a Multiple Malware Detection alert
1. Under Computer Management, expand Forefront Endpoint Protection, expand Alerts, and then select Multiple Malware Detection Alert.
2. In the Action pane on the right side, click New Multiple Malware Detection Alert.
3. Click Browse.
4. In the Browse Collection dialog box, select All Systems, and then click OK.
5. Select Add recipients Email ID. Click Apply and then click OK.
Note: In order to send the email alerts, the SMTP settings need to be defined.
6. To define the SMTP settings, in the Actions pane, click Email Settings.
7. Enter the SMTP Server and Email address, and then click OK.
Figure 7.19 Multiple Malware Detection Alert.
Figure 7.20 Properties dialog box for Multiple Malware Detection Alert.
Figure 7.21 Select All Systems.
Figure 7.22 Add recipients Email ID.
Figure 7.23 Email Settings.
Figure 7.24 Enter SMTP details.
Exercise 7.5: Setting the alert level
1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.
2. In Configuration Manager 2007, expand Computer Management. Under
Computer Management, expand Forefront Endpoint Protection and then click Policies.
3. Double-click Default FEP policy to open the Default FEP Policy Properties
dialog box.
4. Click the Antimalware tab.
5. In the list on the left, select Threat Handling.
Figure 7.25 Click ConfigMgr Console.
Figure 7.26 Computer Management > FEP > Policies.
Figure 7.27 Property dialog box > Antimalware > Threat Handling.
Forefront Endpoint Protection 2010 responds to potential threats and classifies them at different alert levels:
    Low Level: These programs collect personal information or change settings but do not damage the system and operate within the licensing terms displayed when the software is installed.
    Medium Level: These programs collect personal information or change settings but do not damage the system.
    High Level: These programs collect personal information, change settings without the user's consent or knowledge, or damage the system.
    Severe Level: These are exceptionally malicious programs that threaten the privacy and security of the client machine and can damage the system.
For each of the alert levels, you can choose to take action as follows:
    Allow: This action allows the detected item and also adds it to the "Allowed Items" list.
    Quarantine: This action moves the detected item to the quarantined area and enables the user to either restore or permanently delete the item.
    Remove: This action permanently deletes the detected item.
    Recommended Action: These actions are recommended by Microsoft Security Essentials based on their severity level.
        o Severe and High: Remove the detected programs immediately.
        o Medium: Consider removing the detected item if it is from an untrusted publisher.
        o Low: Consider quarantining the detected item if it is from an untrusted publisher.
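The alert levels and actions above form a small policy table: each level maps to one of the actions, and "Recommended Action" is resolved per level at detection time. The Python class below is an added example, not FEP code; it models that table together with the Allowed Items list that Allow feeds and the quarantine that Quarantine feeds. The default of "Recommended Action" for every level, the choice made where the guidance only says "consider" (a trusted publisher's Medium item is quarantined, a trusted publisher's Low item is allowed), the treatment of a restored item as allowed, and the sample detections are all assumptions marked in the code.

```python
"""Threat handling policy modelled on the FEP 2010 alert levels and actions above.

Added example, not FEP code. The per-level policy table, the way
"Recommended Action" is resolved and the sample detections are constructed
assumptions; where the guidance says "consider", the choice for the
trusted-publisher case is this example's assumption, marked in comments.
"""

ALERT_LEVELS = ("Low", "Medium", "High", "Severe")
ACTIONS = ("Allow", "Quarantine", "Remove", "Recommended Action")


def recommended_action(level, trusted_publisher=False):
    """Resolve "Recommended Action" for one alert level, following the
    Severe/High, Medium and Low guidance above."""
    if level in ("Severe", "High"):
        return "Remove"  # remove immediately
    if level == "Medium":
        # Guidance: remove if from an untrusted publisher. For a trusted
        # publisher the guide is silent; quarantining is this example's
        # conservative assumption.
        return "Remove" if not trusted_publisher else "Quarantine"
    if level == "Low":
        # Guidance: quarantine if from an untrusted publisher. Allowing a
        # trusted publisher's Low item is this example's assumption.
        return "Quarantine" if not trusted_publisher else "Allow"
    raise ValueError(f"unknown alert level: {level}")


class ThreatHandlingPolicy:
    """Per-level action table plus the Allowed Items list and the quarantine
    that the Allow and Quarantine actions feed."""

    def __init__(self, overrides=None):
        # Assumed default: every level set to Recommended Action.
        self.per_level = {level: "Recommended Action" for level in ALERT_LEVELS}
        for level, action in (overrides or {}).items():
            self.set_action(level, action)
        self.allowed_items = set()
        self.quarantine = {}  # item -> alert level it was detected at

    def set_action(self, level, action):
        """Change the action for one alert level; rejects unknown names."""
        if level not in ALERT_LEVELS or action not in ACTIONS:
            raise ValueError(f"invalid policy entry: {level} -> {action}")
        self.per_level[level] = action

    def handle(self, item, level, trusted_publisher=False):
        """Apply the policy to one detected item and return the concrete
        action taken (never "Recommended Action" itself)."""
        if item in self.allowed_items:
            return "Allow"  # items on the Allowed Items list are not acted on again
        action = self.per_level[level]
        if action == "Recommended Action":
            action = recommended_action(level, trusted_publisher)
        if action == "Allow":
            self.allowed_items.add(item)  # Allow also adds to Allowed Items
        elif action == "Quarantine":
            self.quarantine[item] = level
        else:  # Remove: permanently deleted, so it cannot stay quarantined
            self.quarantine.pop(item, None)
        return action

    def restore_from_quarantine(self, item):
        """User restores a quarantined item. Assumption: a restored item is
        treated as allowed so the next scan does not quarantine it again."""
        if self.quarantine.pop(item, None) is None:
            return False
        self.allowed_items.add(item)
        return True

    def delete_from_quarantine(self, item):
        """User permanently deletes a quarantined item."""
        return self.quarantine.pop(item, None) is not None


if __name__ == "__main__":
    policy = ThreatHandlingPolicy()
    for item, level in [("Trojan:Win32/Sample.C", "High"),
                        ("Adware:Win32/Sample.B", "Low"),
                        ("Tool:Win32/Sample.D", "Medium")]:
        print(item, level, "->", policy.handle(item, level))
    print("Quarantined:", sorted(policy.quarantine))
```

The `overrides` argument is where a stricter policy is expressed, for example `ThreatHandlingPolicy({"Low": "Remove"})` makes every Low detection a removal regardless of publisher, which is the kind of change Exercise 7.5 makes through the Threat Handling page.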
Summary
This chapter described how FEP provides simplified management through
predefined reports and customized alerts and how it provides the necessary tools to
keep the enterprise secure and running. For more details, please refer to the
following sections:
    FEP Reports: Predefined reports with information on client deployment, health, and malware detection.
    FEP Alerts: Allows administrators to receive email notifications when FEP detects security incidents and generates alerts.
Figure 7.28 Action types for each alert level.
APPENDIX: SYSTEM REQUIREMENTS AND PREREQUISITES
NOTE: This appendix will help you install FEP. Because this guide has been prepared for the purpose of the following labs, instructions in this section may not be suitable for production environments. Please refer to the respective product manuals for information about the setup for production environments.
Hardware Requirements
For this evaluation, you can use either a Hyper-V based FEP virtual environment (called Business Ready Security Demo Environment) or FEP evaluation software that you can deploy in your own test/production environment.
Pre-configured Virtual Environment System Requirements
To deploy the business ready security demo environment, which is built on virtual hard disks, you need at least one Windows Server 2008 R2 Standard with Hyper-V enabled with the following recommended specifications:
    Single processor with 1.4 GHz (x64 processor) or 1.3 GHz (dual core)
    8 GB RAM
    100 GB of hard disk space
NOTE: For a list of compatible systems and peripherals required for Windows Server 2008 R2, visit http://www.microsoft.com/whdc/hcl/default.mspx
NOTE: Actual requirements will vary based on your system configuration and the applications and features you choose to install.
Forefront Endpoint Protection 2010 System Requirements
Configuration Manager requires a system running Windows 2003 SP2 or later with the following specifications:
    2 GB RAM
    Disk Space
        o Forefront Endpoint Protection Server: 600 MB
        o Forefront Endpoint Protection Database: 1.25 GB
        o Forefront Endpoint Protection Reporting Database: 1.25 GB
    Additional Requirements
        o No earlier versions of Forefront Endpoint Protection Server installed
        o No installations of other antimalware protection
        o Microsoft Windows Installer version 3.1 or later
        o Microsoft .NET Framework 3.5 Service Pack 1
        o SQL Server 2005 SP2 or 2008 Enterprise, including:
            Analysis Services
            Integration Services
            Reporting Services
            SQL Server Agent
    Configuration Manager 2007 Service Pack 2 Release 2 site installed with default roles, configured to use the SQL Server Reporting Services, and the following installed and configured:
        o Hardware Inventory
        o Software Distribution
        o Desired Configuration Management
        o Management Class Hotfix Package
Forefront Endpoint Protection 2010 Client
Forefront Endpoint Protection 2010 protects multiple Microsoft operating systems.
System requirements for the FEP client include:
    Processor
        o Windows XP: 500 MHz or higher
        o Windows Vista or Windows 7: 1.0 GHz or higher
    Memory
        o Windows XP: 256 MB RAM or higher
        o Windows Vista or Windows 7: 1 GB RAM or higher
    Disk Space
        o 300 MB
    Operating System
        o Windows XP SP3 and later x64
        o Windows Vista RTM and later, x64 and x86
        o Windows 7 RTM x64, x86
        o Windows 7 XP mode
        o Windows Server 2003 SP2 and later, x64 and x86
        o Windows Server 2008 RTM and later, x64 and x86 (not server core)
    Additional Requirements
        o Configuration Manager agent
        o Windows Installer 3.1
        o Filter manager rollup (KB914882)
        o WFP rollup package (KB981889). Redistributed by client
        o Windows Update
Software Prerequisites for Forefront Endpoint Protection Deployment
The FEP Setup wizard checks that the prerequisites are already installed before
you continue with the installation. If the prerequisites verification check identifies
missing prerequisites, the wizard informs you where you can download and install
the required components.
Forefront Endpoint Protection 2010 Server requires Configuration Manager 2007
R2 / R3 and SQL Server. The following steps explain how to deploy SQL Server
and Configuration Manager 2007 for FEP.
Exercise 8: Deploying SQL Server
Forefront Endpoint Protection 2010 requires SQL Server 2005 SP2 or 2008 Enterprise with Analysis Services, Integration Services, Reporting Services, and SQL Server Agent running. The SQL Server should be part of the domain.
1. Run the System Configuration Checker to detect whether SQL Server 2008 R2 is installed on your machine. If it detects SQL Server 2008 on the machine, it will show a message about the automatic upgrade to SQL Server 2008 R2; otherwise, setup begins with step 2.
2. To use the database, analysis, and reporting services for FEP, select the following SQL Server components:
    Database Engine Services
    Analysis Services
    Reporting Services
    Integration Services
    SQL Server Agent
You need to specify a Default instance or a Named instance to use or run the FEP analysis and reporting services and to activate the databases. MSSQLSERVER is the default instance name and Instance ID.
3. Microsoft recommends separate accounts for the respective FEP services. This page shows the Service Account tab, which indicates the service account details for the SQL Server services and allows you to specify the startup type for each of the services (for example, Automatic, Manual, and Disabled).
Figure 8.1 System Configuration Checker.
Figure 8.2 Services selection.
Figure 8.3 Configuring database instance.
Figure 8.4 Authentication selection.
4. The Database Engine Configuration enables you to maintain and generate FEP reports and to enable secure access to those reports. Use the Account Provisioning tab to specify the Authentication Mode and administrators for the database engine:
    Authentication Mode: SQL Server supports two authentication modes, Windows authentication mode and Mixed Mode.
    Specify SQL Server administrators: You must specify at least one system administrator for each instance of SQL Server.
The Data Directories tab enables you to specify non-default installation directories, and in the FILESTREAM tab you can enable FILESTREAM for instances of SQL Server.
5. On the Analysis Services Configuration page, the Account Provisioning tab enables administrators to specify users with administrative privileges to allow access to analysis services.
6. On the Reporting Services Configuration page, you can select the type of Reporting Services you wish to install. Options include:
    Install the native mode default configuration
    Install the SharePoint integrated mode default configuration
    Install, but do not configure the report server
7. On the Ready to Install page, you can see a tree view of the installation options specified during Setup.
Figure 8.5 Authentication method.
Figure 8.6 Analysis Services Configuration.
Figure 8.7 Reporting Services Configuration.
Figure 8.8 Configuration view.
After you complete the installation of SQL Server 2008, the installer will provide a link to the summary log file for the installation and other important notes.
Figure 8.9 Installation completion.
Deploying Configuration Manager 2007 R2
Before you install Configuration Manager 2007 R2, make sure you fulfill the following prerequisites:
    Extend the Active Directory schema
    Create a Configuration Manager 2007 R2 System Management Container in Active Directory
    Install the Microsoft Remote Differential Compression feature
    Install WebDAV and configure it in IIS
    Install the BITS Server Extensions feature
    Install WSUS Server 3.0 SP1
During the Configuration Manager installation, when you configure the client agent option, select the following options:
    Software inventory: Discovers the software installed on the system.
    Hardware inventory: Scans and reports the hardware configuration of the specific machine. The collected reports or data are controlled by Managed Object Format (MOF). Defined classes are added to WMI, which reports back to the site server.
    Desired configuration management: Defines the schedule on which the system will scan for compliance based on DCM rules.
    System Center Client Deployment: Configures the client settings, including the account that is used to connect to the software distribution location, and notification settings.
Figure 8.10 Agent configuration option.
FOREFRONT ENDPOINT PROTECTION SECURITY MANAGEMENT PACK: ENABLING REAL-TIME MONITORING WITH SYSTEM CENTER OPERATIONS MANAGER 2007 R2
High-value assets (typically servers) that require a greater degree of monitoring can report their events to an Operations Manager infrastructure. Forefront Endpoint Protection 2010 includes the FEP Security Management Pack, which is a standard management pack that you can import to Operations Manager 2007 R2.
The FEP Security Management Pack serves two goals. First, organizations that use Operations Manager 2007 R2 to monitor servers can now use their preferred tool to monitor security, too. Second, for organizations that require guaranteed real-time monitoring for their critical systems (like servers), the management pack uses Operations Manager 2007 R2 capabilities to ensure real-time reporting on FEP. In addition to real-time monitoring and alerting, the FEP Security Management Pack can use SQL Reporting or Microsoft Excel® to connect to the Operations Manager 2007 R2 database to generate custom reports.
The Operations Manager 2007 R2 console provides access to real-time data generated by FEP clients with Operations Manager 2007 R2 agents installed. This data includes a state view of the various FEP client components (antimalware engine, antimalware activity, definitions, last scan time, firewall state, and others), a list of active alerts, and a list of all FEP-related events that the servers have sent.
The FEP Security Management Pack for Operations Manager 2007 R2 provides a server-centric view under Operations Manager with the following features:
    Server security and availability tasks
    Predefined reporting views that can be used to generate custom reports using Excel (an Excel sample spreadsheet with various examples of possible reports is available in the download center)
    Real-time monitoring and alerting for critical systems
In this scenario, you will import the FEP Management Pack into an Operations
Manager 2007 R2 Management Group. You can then monitor all the servers
assigned to that Management Group that have the FEP client installed.
If you are evaluating FEP with the pre-configured virtual environment, you will need the following virtual machines:
Lab Environment
S.No.   Machine Name         Roles
1       Server 1 (Denver)    DC, CA, AD FS, AD RMS, FCI
2       Server 2 (Madrid)    Exchange 2010
3       Server 3 (Oxford)    FEP Security Management Pack, Operations Manager
The following step-by-step instructions use the pre-configured virtual environment and the steps are configured on the FEP server machine called Madrid (Server 2 in the table above). The FEP Security Management Pack and Operations Manager Console are configured on the server machine called Oxford (Server 3 in the table above).
You can also download the evaluation version of the FEP Security Management Pack software to evaluate it with System Center Operations Manager in your test environment.
Exercise                                     Illustrates
9. Enabling real-time monitoring with FEP    Step-by-step guide to import the FEP Security Management Pack, create an override to allow discovery of Windows clients, and use the Operations Manager Console to monitor FEP.
10. Generating alerts and notifications      Step-by-step guide to generate alerts and create an incident in the Operations Manager Console.
11. Performing task remediation              Step-by-step guide for remediation tasks targeted at computers by Operations Manager operators and delivered to them for execution.
Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010
This section explains the steps required to import the FEP Security Management Pack. The following steps need to be completed if you are using the evaluation version of the FEP Security Management Pack. If you are evaluating the FEP Security Management Pack using the pre-configured virtual environment, please skip to Exercise 10 (the FEP Security Management Pack is already installed in the pre-configured virtual environment).
To import management pack files into Operations Manager, you must first extract the files from the fep2010 security mp.msi package. You are not required to extract the package locally on the Operations Manager server; however, you must be able to access the files from the Operations Manager console in order to import them.
Download and expand the Forefront Endpoint Protection Security Management Pack from the Forefront Endpoint Protection download page (http://go.microsoft.com/fwlink/?LinkID=196678).
To extract Management Pack files
1. Double-click fep2010 security mp.msi.
Note: No Management Pack files are installed or imported to Operations Manager during this procedure. The wizard only extracts files.
2. Read and accept the license agreement, and then click Next.
3. On the Select Installation Folder page, specify the folder to which you want to extract the management pack files, and then click Next.
Figure 9.1 Accept the license agreement.
Figure 9.2 Specify the installation folder.
4. On the Confirm Installation page, click Install to extract the package to the specified location. On the Installation Complete page, click Close.
5. Navigate to the file location specified earlier and verify that the following files are present:
    Microsoft.FEPS.Application.mp
    Microsoft.FEPS.Library.mp
    Microsoft.FEPS.Reports.mp
To import the FEP Security Management Pack
1. Log on to the server running System Center Operations Manager 2007 by using an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.
2. In the Operations Console, click the Administration button.
3. Right-click the Management Packs node and then click Import Management Pack(s) to open the Import Management Packs dialog box.
4. In the Import Management Packs dialog box, click Add, and then click Add from disk.
5. In the Online Catalog Connection dialog box, select No.
6. In the Select Management Packs to import dialog box, browse to C:\Program Files (x86)\System Center Management Packs\FEP 2010 for Servers OpsMgr 2007 R2 MP, press CTRL+A to select the three .mp files, and then click Open.
7. On the Select Management Packs page, the management packs that you selected for import are listed. Next to each management pack a green check mark icon should appear, indicating that the management pack is ready to import.
8. Click Install to import the selected management packs.
9. After installation, click Close to close the Import Management Packs window.
10. In the Management Packs node, press F5 to refresh the list of management packs installed to Operations Manager. Then, in the Look for text box, type Protection, and then click Find Now. The two management packs imported in step 7 should appear in the view.
Figure 9.3 Verification of extracted
Figure 9.4 Import Management Pack.
Figure 9.5 Add Management Pack.
Figure 9.6 Verifying Management Packs.
To create an override to allow discovery of Windows clients
The Operations Manager discovery that discovers the FEP client installed on Windows client machines is disabled. In order to allow Operations Manager to monitor FEP on Windows clients you need to configure an override.
1. In the lower-left corner, select the Authoring node.
2. Expand Management Pack Objects and select Object Discoveries.
3. In the top-right corner, click Change Scope.
4. Select View all targets.
5. In the Look for box, type Forefront.
6. Click Clear All to clear the default objects and then click Select All to select all the Forefront objects. Click OK.
7. Double-click Protected Client Candidate Discovery.
8. Click the Overrides tab.
9. Click the Override button and select For all objects of class: Windows Client.
10. In the top Override box, change the Override Value to True. Click OK and Close.
Figure 9.7 Change Scope.
Figure 9.8 Forefront object selection.
Figure 9.9 Protected Client Candidate
Figure 9.10 Override tab selection.
Figure 9.11 For all objects of class:
Figure 9.12 True Override Value.
Exercise 10: Generating alerts and notifications
To generate alerts for the monitors, you first need to create an incident so Operations Manager can identify the issue and generate alerts. In this procedure, you will create an incident by stopping the FEP service.
To stop the FEP service on a server
Perform the following step on the Server 2 (Madrid) computer:
Open Task Manager, go to the Services tab, right-click Microsoft Antimalware Service, and then click Stop.
Figure 10.1 Stop Antimalware Service.
To monitor the FEP service stopping on a server and then restart it
1. Select Protected Server State and click Refresh until the state changes. This should take less than 1 minute and the Antimalware Engine and Antimalware Definitions components should change to Critical.
2. Select the Active Alerts view. Three alerts are raised in response to this condition.
3. Select the domain controller, and in the Action pane, click Health Explorer. As before, you can review information about the monitors that raised these alerts.
4. Select Antimalware Engine to read information about this condition.
5. Select the State Change Events tab to see when the computer entered this state.
6. Near the bottom of the window is a recovery task called Enable real-time protection. Click the link to run it and then click Yes.
7. Close the Health Explorer window and return to the Protected Server State view.
8. Click Refresh a few times until the state changes to Healthy.
9. Return to the Active Alerts view. The alerts are automatically set to Closed after the monitors change state, and they are removed from the Active Alerts view.
Figure 10.2 State change under Protected Server State.
Figure 10.3 Active Alerts view.
Figure 10.4 Health Explorer.
Figure 10.5 State Change Events tab.
Figure 10.6 Enable real-time protection.
Figure 10.7 Healthy state of system.
Figure 10.8 Closed alerts under Active Alerts.
Exercise 11: Performing task remediation
Tasks are targeted at computers by Operations Manager operators and delivered to them for execution. In this exercise, you will use a task to retrieve FEP information and update definitions on the domain controller. You will also investigate the FEP reports and extract more details.
To use a task to retrieve FEP information from a Windows Server
1. Select Protected Server State.
2. Select the Server 2 (Madrid) computer and in the Action pane under Protected Server Tasks, click Retrieve Endpoint Settings.
3. Accept the defaults and click Run and then click Close.
4. Select Task Status and click Refresh until the task status changes from Queued to Success.
5. Select the completed task and scroll down to see detailed information about the client. Examine the list of other tasks, such as Run a full / quick scan, Stop a scan, Update definition files, and others.
Figure 11.1 Retrieve Endpoint Settings.
Figure 11.2 Task Status.
To use a task to update definitions on the domain controller
1. Select Protected Server State.
2. Select the domain controller and in the Action pane under Protected Server Tasks, click Update Antimalware Definitions.
3. Accept the defaults and click Run and then click Close.
4. Select Task Status and click Refresh until the task status changes from Queued to Success. This may take a minute or so.
To investigate FEP Reports
1. Select Protected Server State.
2. Select the domain controller and in the Action pane under Protected Server Reports, click Event Analysis.
3. In the From box, select Yesterday and then click Run.
4. Expand the Protect Server object to see the events related to that server. You can also filter by event type, category, ID or source. Close the report.
5. Click Alerts.
6. In the From box, select Yesterday and then click Run. Expand Antimalware Engine Malfunction to see more details.
Figure 11.3 Update Antimalware Definitions.
Figure 11.4 Event Analysis.
Figure 11.5 Select Yesterday in the From box and then click Run.
Figure 11.6 Event Analysis report.
Figure 11.7 Alerts.
Figure 11.8 Alert report.
RESOURCES
Forefront Endpoint Protection 2010 Overview: http://www.microsoft.com/fep
System Center Configuration Manager Overview: http://www.microsoft.com/systemcenter/en/us/default.aspx
Forefront Endpoint Protection 2010 Datasheet: http://download.microsoft.com/download/E/8/1/E81B0B04-5A97-4C0C-8E15-7464EBCAAE7C/FEP_ds_FINAL%20110810.pdf
Forefront Endpoint Protection 2010 Evaluation Download: http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx
Forefront Endpoint Protection 2010 System Requirements: http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-system-requirements.aspx
Forefront Endpoint Protection 2010 Hyper-V enabled Virtual Machine Environment for Evaluation: http://go.microsoft.com/fwlink/?LinkId=190269
Forefront Endpoint Protection 2010 Deployment Guide: http://technet.microsoft.com/en-us/library/ff823762.aspx
Forefront Endpoint Protection 2010 Technical Library: http://technet.microsoft.com/en-us/library/ff684073.aspx
Forefront Endpoint Protection 2010 FAQ: http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-faq.aspx
Forums: http://social.technet.microsoft.com/Forums/en-US/FCSNext/threads