Ronald Beekelaar, Beekelaar Consultancy ([email protected]) - Forefront Client Security
TRANSCRIPT
2
Introductions
Presenter – Ronald Beekelaar
MVP Windows Security
MVP Virtual Machine Technology
E-mail: [email protected]
Work
Beekelaar Consultancy
Security consultancy
Forefront, IPSec, PKI
Virtualization consultancy
Create many VM-based labs and demos
3
Agenda - FCS
Architecture
Deployment
FCS server roles
FCS agents
FCS policies
Definition Updates
Signatures and engine
Scans and engine
Reports & Alerts
4
One solution for virus and spyware protection
Uses advanced malware protection technologies
Backed by global malware research & response
One console for simplified security administration
Deploy signatures and software quickly
Integrates with your existing infrastructure
One dashboard for real-time visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans
Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
5
Architecture
6
Host MOM Server
SQL Reporting Services
Web Browser
MOM DB: Event table, Alerts table, State table
MOM DWH: Event table, Alert table
Report RDLFile
SQL queries
Source table definitions
Rendering directives
Report Processor
Rendered Report
FCS Reports are XML (.rdl) files driving a set of stored procedures
Source for reports on last 24 hours and current status
Source for reports on historic data
AM Service SSA Service
System Log
AM and VA services write events to system log
MOM agent reads event from log
MOM agent sends events to MOM server, downloads rules, tasks
MOM Web UI Application
MOM Console
Alerts
State
Events
Tasks
FCS Console
Rendered reports are viewed in a web browser but also through email subscriptions
Alerts, State, Events
UI Controls
UI Controls are based on data from the MOM operational DB
The console launches MOM tasks
XML File
MOM agent reads events from logs
MOM Agent
Registry Policy
Policy is deployed via GP. One of the policy settings is the alert level.
Rules, Tasks
Mgmt Pack
The MOM console is used for manipulation of alerts and investigation
The MOM Web UI is pointed to from alert notification
Architecture
7
Deployment
Deploy FCS server
Multiple server roles
Deploy FCS client to client computers
Client scanning and user interface
Deploy FCS policy
Configuration settings
Deploy FCS definition updates
Signatures and engine
8
Operating System support for the FCS Server
Windows Server 2003 Standard, Enterprise SP1+: Supported
Windows Server 2003 R2+: Supported
Windows Server 2003 SP1/R2 x64 editions: Not supported
Windows Server 2008: Supported (at Win2008 RTM)
Windows 2003 and R2 Datacenter Editions: Not supported
Windows 2003 Web editions: Not supported
Windows 2003 SBS: Not supported
9
Prerequisites for FCS Server
SQL 2005 SP1
SQL 2005 Reporting SP1
WSUS 2.0 SP1 or later
GPMC
MMC 3.0
.NET Framework 2.0
IIS 6.0
MOM 2005 hotfixes for SQL 2005
10
FCS Server deliverable includes:
MOM 2005 SP1
MOM 2005 Reporting SP1
MOM hotfixes required by FCS
FCS console + reports
FCS Clients deliverable includes:
FCS AntiMalware
Security State Assessment
MOM Agent 2005 SP1
FCSLocalPolicyTool.exe
11
Challenges:
Desktop Management Focus
Collection Scalability
Cross Machine Alerts
Specialized Views on Live Data
Application vs. Platform
Solutions: A Dedicated MOM 2005 Installation
Reduced Event Stream
Special Configuration and Base MOM Pack
Custom Schema
Multi-homing (deployment and versions)
Server Based Analysis
Reporting Against The Operational Database
Auto Approval for New Agents + Flood resiliency
Future: System Center Operations Manager
12
FCS Server Roles
Management Server: FCS Management Console, FCS Client, MOM 2005 SP1, GPMC, FCS functional management pack
Collection Server Database: SQL Server 2005 SP1, MOM 2005 SP1 Operational Database, Configuration Repository
Collection Server: MOM 2005 SP1 Server, MOM 2005 SP1 Console
Reporting Server: MOM 2005 SP1 Reporting, IIS 6.0
Reporting Server Database: SQL Server Reporting Services 2005 SP1, SQL Server 2005 SP1, MOM 2005 SP1 Data Warehouse
Distribution Server: WSUS 2.0 SP1 or later, FCS Update Assistant
13
FCS Server Deployment - Topologies
FCS supports the following topologies
Topology | Role Distribution | Recommended For
1 Server | All roles on a single server | Pilot deployments or small sites
2 Server | Distribution role separated from other roles | 1000-2500 seats
3 Server | Distribution and SystemCenterReporting DB separated | 2500-5000 seats
4 Server | All 4 roles separated, DBs local | Large deployments (>5k)
5 Server | All 4 roles separated, both DBs off-box (same server) | Large deployments (>5k)
6 Server | All 6 roles on separate servers | Large deployments (>5k)
14
FCS Client - Support
Operating System support for the Client Security Agent
Windows 2000 SP4 + Security Rollup and GDI+ hotfix: Supported
Windows XP SP2 (with Filter Manager hotfix): Supported
Windows XP "Media Center" edition: Not supported
Windows Server 2003/R2 x64 SP1+: Supported
Windows XP "Tablet" editions: Supported
Windows Server 2003 x86 SP1+: Supported
Windows Server 2003 R2+: Supported
Windows Vista Business, Enterprise, and Ultimate: Supported
15
FCS Client - Setup
No UI (command line)
Example syntax:
clientsetup.exe /MS momserver3 /CG fcsgroup
clientsetup.exe /nomom
Install Tasks:
Pre-req checking
Installing MOM agent, FCS SSA agent and FCS AM agent
Logging actions and errors to a file
How to deploy the client software
Group Policy
SMS
Other third party distribution tool
Login scripts
WSUS
16
Deploy FCS agent with WSUS
Recommended way to deploy FCS agent
Step 0 - Remove existing antivirus software (for scripts, see www.codeplex.com/fcscompete)
Step 1 - In WSUS: Approve FCS package
Step 2 - On server: Create and deploy FCS policy
Step 3 - Client: will install FCS agent from WSUS
Speed up (after uninstalling the existing anti-virus):
gpupdate.exe /force
wuauclt.exe /detectnow
17
Deploy FCS agent with WSUS
Step 1 - In WSUS: Approve FCS package
18
FCS Policy Settings
FCS policy manages the following
Antimalware and Security State Assessment scan settings
Signature override settings
Alert levels and reporting
Advanced settings
Signature check frequency
Path and file extension exclusions
Client UI options
19
Profile Deployment Options
Option | FCS Console | GPMC | Existing SW Dist System
Infrastructure used | AD/GP | AD/GP | SW dist system
Targeting granularity | OU-level | Single machine | Single machine
Policy distribution via | Console | GPMC (no ADM file) | Exported files
Policy exceptions | Security Groups | Unlimited | Unlimited
Enables policy compliance report | Yes | Yes* | Yes*
* Agents deployed via existing software distribution system
20
Deploying a FCS Policy to a File
Ability to deploy and report on a policy distributed outside of Group Policy
Exports the policy to a .reg file
Import on the client using FCSLocalPolicyTool.exe
Question: Why can't I just double-click the .reg file and import it?
A1: The service is listening for an update via GP, and a plain .reg import won't raise the proper event, so the policy won't be picked up until you stop/start the service
A2: The tool creates the proper local GPO object, which is the prescribed method to update policy
Can be used to distribute policy to non-AD machines (via scripts or another distribution tool)
21
Operation | FCS Console | GPMC/.adm
Maintain policy deployment state for FCS reporting | Yes | No
Configure Overrides | Yes | No
Changes made to a deployed policy via GPMC reflected in the FCS console | N/A | No
22
Signature deployment optimized for Windows Server Update Services (WSUS)
Can use any software distribution system
Auto and manual approval of definitions
Client Security installs an Update Assistant service to:
Increase sync frequency between WSUS and Microsoft Update (MU) for definitions
Support for roaming users
Failover from WSUS to Microsoft Update
Keep Systems Up-to-date
[Diagram: Malware Research -> Microsoft Update -> (Sync) WSUS + Update Assistant -> (Sync) Desktops, Laptops and Servers]
23
Signature Distribution Channels
Microsoft Update - http://update.microsoft.com
Windows Server Update Services (WSUS)
Supports WSUS 2.0 SP1 and 3.0
Manual download and distribution via other software (SMS, login script, etc.)
Through signature download site
24
FCS Distribution Server
WSUS
WSUS assistant (if WSUS 2.0)
Force WSUS 2.0 to sync up with Microsoft Update hourly
Not needed in WSUS 3.0
Auto-approval rules for FCS definition updates
Subscribe to FCS product category and definition update classification
25
Signature Details
On client machine installed at:
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates
26
Item Description
mpengine.dll The antivirus engine
mpavbase.vdm The AV signature database containing most of the signatures
mpavdlta.vdm The AV signature database containing the most recent signature additions
mpasbase.vdm The spyware signature database containing most of the signatures
mpasdlta.vdm The spyware signature database containing the most recent signature additions
Signature Details
27
Signature Package Overview
mpam-fe.exe
Antimalware Full + Engine package (for x86, amd64, ia64)
Contains engine (mpengine.dll), mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe.
Size of 11M
mpam-d.exe:
Antimalware Delta package contains AV and AS signatures.
Contains mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, mpavdlta.vdm, mpsigstub.exe.
Size < 0.5M
28
Scans
Quick scan
Full scan
Custom scan
Not:
Removable disk
Network disk
Single folder
29
Engine
Real-time protection
Uses kernel-mode mini-filter
Static analysis
Emulation
Executes in sandbox - to unpack
Heuristics
Detects user-mode rootkits
Checks API detouring (= tunneling signatures)
30
FCS monitoring options
Enterprise Security Dashboard: High level view of the Organization Security State
Alerts: Actionable Immediate Alerts on Security Incidents
Reports: Investigation of Security Issues Through Security State Visualization of Both Online and Historical Data
31
Enterprise Security Dashboard
Reports
Alerts
Configuration
Live Data
Change Indication
Dashboard – The Security State in a Glance
Switchboard – Access the Different Views
32
Reports
[Diagram: Dashboard vs. Investigation Tool. Value: Security Summary vs. Incident Summary. Activity: Live vs. Static. Axes: Aggregation, Focus, Performance]
33
Security Summary
Main Report
34
Security Summary
Alert Summary
Computer Summary
Threat Summary
Vulnerability Summary
Deployment Summary
Reports
35
Security Summary
Alert Summary
Computer Summary
Threat Summary
Deployment Summary
Alert Detail
Computer Detail
Threat Detail
Vulnerability Detail
Vulnerability Summary
Signature Deployment Details
36
Security Summary
Alert Summary
Computer Summary
Malware Summary
Deployment Summary
Alert Detail
Computer Detail
Malware Detail
Alert Instance
Vulnerability Summary Vulnerability Detail
Signature Deployment Details
Vulnerability Instance
Malware Instance
37
Alert Types
Malware Activity: Computer Infected / Malware On Network, Successful / Failed Response, Repeated Malware Infections, Malware Outbreak
Protection Agent: Protection Turned Off, Scanning Failed, Signature Update Failed
FCS Server Security Impact: Flooding Detected, Evaluation Product Expiration, FCS Failures
38
Alert Levels
Alert configuration is policy specific
Alerts notify admin of high-value incidents, including: malware detected, malware failed to remove, malware outbreak, malware protection disabled
Alert levels control type & volume of alerts generated
[Diagram: alert levels 1 (Rich Data, High Value Assets) through 5 (Critical Issues Only, Low Value Assets); alert types shown along the scale: Outbreak, Malware removal failed, Signature update failed, Malware detected and removed, Signature update failed (per min)]
39
FCS Alert Levels
Pre-canned Configuration for
Management Attention
Asset Value
5 Levels of Attention
Detailed alerts for operational servers
Low sensitivity for desktops
Even less attention to Kiosk machines
Set via FCS Policies
40
Alert Design Guidelines
Important – Only significant security incidents
Actionable – Each alert represents a work item
Timely – Relevant for immediate action
Few – No more than a few events per day
Correct – Minimize false positives
41
Email alerts and reports
Alerts
In MOM 2005 Admin Console: Define email server (SMTP)
Add "operator" to Client Security Notification Group
Reports
In SQL Server 2005 Reporting Services: Define email settings (SMTP)
In http://<server>/reports: Create report subscription
42
FCS Alerts
What is an alert
Kinds of alerts we have
Criteria for a good alert
Why alerts
Security operator productive
A list of actionable things
How to use and configure alerts
Alert Levels
The MOM operator console
43
Alert Design Guidelines
Important – Only significant security incidents
Actionable – Each alert represents a work item
Timely – Relevant for immediate action
Few – No more than a few events per day
Correct – Minimize false positives
44
FCS Alert Level
Pre-canned Configuration for
Management attention
Asset value
5 Levels of Attention
Detailed alerts for operational servers
Low sensitivity for desktops
Even less attention to Kiosk machines
Set via FCS Policies
45
Security State Assessment Checks: Evaluation Process
Retrieve machine settings from available sources
E.g. Registry, WMI, File System, WUA, Firewall
Evaluate configuration against known criteria
Assign score based on compliance with security best practices
High, Medium, Low, or Informational
Aggregate and report on results across multiple machines
46
Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
Effective Malware Protection supported by Microsoft Malware Response Center
Integration with the existing environment makes FCS easier to manage
Visibility over vulnerabilities helps proactively secure the environment against upcoming attacks
An integral part of Microsoft Forefront
Download free evaluation software: http://www.microsoft.com/forefront/serversecurity
47
48
Extra Slides
50
Top issues
Context
“What portion of my environment is at risk?”
51
Problems Addressed
Limited visibility into the security state of the enterprise
Which clients are vulnerable to exploitation?
Which clients expose an increased surface area for attack?
Difficult to prioritize security issues based on impact to an organization
Are my clients vulnerable to infection from this virus?
Can my clients be re-infected by the same virus?
IT resources focused on reacting to threats rather than managing vulnerabilities
52
Goals
Provide visibility into vulnerabilities and insecure configurations on managed clients
Help customers focus efforts on managing vulnerability exposure instead of reacting to malware threats
53
Solution Approach
SSA Agents
Installed on managed clients to perform state assessment scans
Security Checks
Detect common vulnerabilities and missing security updates
Compare system configuration against security best practices
FCS Reports
Surface issues found across the enterprise
Reports help focus IT resources on the right security issues
54
Drilldown: Scheduled Scans (FCS Scan Policy)
Time-Based Scan
Scan once per day at the specified time
Scan When Missed - Option to scan after reboot if a daily scan was unable to run at the scheduled time
Interval-Based Scan
Scans once every N hours
Scans can occur more than once per day
55
Drilldown: On-Demand Scans (FCS Console)
Invoked by “Scan Now…” button in FCS Console
Allow users to trigger scans immediately
Can target a single machine or all managed computers
Performs both AM and SSA scans
56
Security State Assessment Checks: Overview
Types of vulnerabilities:
Missing security updates
Configuration exposures
Checks “power” SSA scans:
Assess Security State – System settings and patch status
Evaluate Vulnerability Risk – Assign score based on compliance with security best practices
57
Drilldown: Security Updates Check - Overview
Two types of updates reported:
Security Bulletins – Updates that address specific security vulnerabilities
Cumulative Security Updates – Rollups & Service Packs that supersede security updates
Updates categorized by Product Family
58
Drilldown: Security Updates Check - Detection Logic
Security updates are “missing” if:
Required updates are not installed
Installed updates require system restart
Built on Windows Update platform:
Update search performed against default Update Server (WSUS or MU)
Only detects approved security updates when scanning against WSUS
Reports connection failures to Update Server
59
Drilldown: Windows Firewall Check - Overview
Provides central monitoring of Windows Firewall
Gives visibility into end-user configuration
Reports on:
Firewall status (on/off)
User-defined exceptions
Applicability to each network interface
60
Drilldown: Windows Firewall Check - Evaluation Logic
Firewall Status
If disabled on any network interface, score is “High”
If configured by Group Policy, score is “Informational”
Exceptions
Enumerates each port and application exception
Any exception not configured via GP, score is “Medium”
If configured by Group Policy, scores as “Informational”
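The following is an added example, not code from the deck or from Forefront Client Security itself: it models the two SSA rules described above (the Security Updates check's "missing" test and the Windows Firewall check's status and exception scoring) and then aggregates per-machine results the way the "Computers by Score" breakdown does. The data classes, the sample inputs and the Low score for a locally enabled firewall are assumptions made for this example; the deck does not state that last case.

```python
from dataclasses import dataclass
from typing import Dict, List

# Score values used by the SSA checks described in the deck
HIGH, MEDIUM, LOW, INFORMATIONAL = "High", "Medium", "Low", "Informational"
RANK = {INFORMATIONAL: 0, LOW: 1, MEDIUM: 2, HIGH: 3}


@dataclass
class UpdateResult:
    """One result from a Windows Update search (constructed sample data)."""
    kb: str
    installed: bool
    reboot_required: bool = False


def missing_updates(results: List[UpdateResult]) -> List[str]:
    """Security Updates check: an update counts as 'missing' when it is not
    installed, or when it is installed but still needs a restart to complete."""
    return [u.kb for u in results if not u.installed or u.reboot_required]


@dataclass
class Interface:
    """Windows Firewall state for one network interface (constructed sample)."""
    name: str
    enabled: bool
    configured_by_gp: bool


@dataclass
class FwException:
    """One port or application exception and where it was configured."""
    description: str
    configured_by_gp: bool


def firewall_status_score(interfaces: List[Interface]) -> str:
    """Firewall Status rule: disabled on any interface scores High; a firewall
    that Group Policy enforces on every interface scores Informational."""
    if any(not i.enabled for i in interfaces):
        return HIGH
    if all(i.configured_by_gp for i in interfaces):
        return INFORMATIONAL
    # Enabled everywhere but configured locally: the deck does not state this
    # case, so Low is an assumption made for this example.
    return LOW


def firewall_exceptions_score(exceptions: List[FwException]) -> Dict[str, str]:
    """Exceptions rule: each exception is scored on its own; anything not
    pushed by Group Policy is Medium, GP-configured exceptions are Informational."""
    return {e.description: (INFORMATIONAL if e.configured_by_gp else MEDIUM)
            for e in exceptions}


def worst(scores: List[str]) -> str:
    """Highest score among a machine's check results (Informational if none)."""
    return max(scores, key=RANK.get, default=INFORMATIONAL)


def computers_by_score(machine_scores: Dict[str, List[str]]) -> Dict[str, int]:
    """Aggregate across machines like the SSA Summary 'Computers by Score'
    breakdown: each computer is counted once, under its worst score."""
    counts = {s: 0 for s in RANK}
    for scores in machine_scores.values():
        counts[worst(scores)] += 1
    return counts
```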
61
Drilldown: Configuration Checks - Checks Available in FCS
Check Description
Automatic Updates Identifies whether the Automatic Updates feature is enabled on the scanned computer and if so, how it is configured
Administrators Identifies and lists the individual user accounts that belong to the local Administrators group
Guest Account Determines whether the built-in Guest account is enabled
Unnecessary Services Determines whether the following services are installed and not disabled: World Wide Web Service, SMTP Service, Telnet, and FTP Publishing
Autologon Determines whether the Auto Logon feature is enabled on the scanned computer, and if the logon password is encrypted in the registry or stored in plaintext
62
Drilldown: Configuration Checks - Checks Available in FCS (continued)
Check Description
Incomplete Updates Determines whether any installed software updates require a system restart to complete installation
File System Determines the file system of each hard drive, to ensure that the NTFS file system is being used
Password Expiration Determines whether any local accounts have passwords that do not expire
Restrict Anonymous Determines whether anonymous connections are restricted on the scanned computer
Shares Determines if there are any shared folders on the client computer
63
Drilldown: Configuration Checks - Detailed Descriptions
Each check is like a different feature
Administrators can judge risk represented by each by understanding how each check is evaluated and scored
Each check documented on TechNet
http://technet.microsoft.com/en-us/library/bb418830.aspx
Includes information on evaluation criteria, scores, and possible results
64
Reporting Results: Bringing Visibility to Issues
SSA scan results:
Collected from managed clients
Aggregated to determine vulnerability exposure and overall risk
Drilldown into issues:
Console – Number of computers reporting critical vulnerabilities
Security Summary – Top 5 vulnerability exposures
SSA Summary – All vulnerability issues in the enterprise
Vulnerability Detail – Enterprise exposure to a single vulnerability
Computer Detail – All SSA results for a single client
65
Drilldown: Console - Overview of Security Issues
Computers Reporting Critical Issues:
Percentage of managed computers reporting critical issues
Includes: malware detection events, missing security updates
Links to FCS Reports:
Security Summary Report
SSA Summary Report
66
Drilldown: Console - Overview of Security Issues (screenshot)
67
Drilldown: Security Summary Report - Overview of Vulnerability Issues
Top Vulnerabilities
Top 5 vulnerabilities currently exposed in the enterprise
Prioritized by risk and exposure
Vulnerability Trend
Shows trend in vulnerability exposure over the past month
68
Drilldown: SSA Summary Report - Overview of SSA Results
Computers by Score
Breakdown of computers by risk of vulnerability exposure
Computers by MSRC Severity
Breakdown of computers by security bulletin severity value
Vulnerabilities List
List of security issues prioritized by risk factor and exposure in the enterprise
Drill through to specific issue reports
69
Drilldown: SSA Summary Report - Computers by Score
70
Drilldown: SSA Summary Report - High Score Computers by MSRC Severity
Trend data reveals interesting patterns. Updates are released on the second Tuesday of every month ("Patch Tuesday"). The MS07-017 security update was released a week early; the result was two spikes in the trend for missing updates in the month of April.