Aug 18 2009

The Forefront of Security

Microsoft's enterprise antivirus product protects desktops, notebooks and servers that don't host specific applications.

Forefront Client Security's (FCS) failure to pass tests conducted by Virus Bulletin in 2007 raised doubts as to whether Microsoft's enterprise antimalware offering, and Windows Live OneCare, which uses the same scanning engine, delivered sufficient protection against common threats. A year later, FCS holds not only Virus Bulletin's VB100 certification but also ICSA and West Coast Labs certifications, which makes the product a serious contender.

While the name suggests the product is designed only for desktop and notebook computers, FCS also protects servers that don't host specific applications. The Forefront range includes Server Security, which is intended for Exchange, SharePoint and Office Communications servers. Internet Security and Acceleration (ISA) Server and Intelligent Application Gateway also come under the Forefront umbrella.

Installing Forefront Client Security

FCS supports several different topologies, where server roles can be distributed across four physical machines, supporting a maximum of 10,000 clients (Figure 1). As you become familiar with the product, I'd recommend running all the server roles on one machine. FCS's Distribution server is required only for Windows Server Update Services 2.0, as the hourly update functionality that the Distribution server provides is included in WSUS 3.0.

FCS depends on a variety of technologies, many of which are likely to be part of your infrastructure already. FCS additionally installs Microsoft Operations Manager (MOM) 2005 to facilitate reporting and alerting.

Figure 1

Forefront Client Security Prerequisites:

  1. Windows Server 2003 (Service Pack 1 or later) or Windows Server 2008, 32-bit editions only; note that while the FCS server components can be installed only on 32-bit editions of Windows Server, the client components also support 64-bit editions
  2. SQL Server 2005 (SP1) with Database Services, Integration Services, Reporting Services and Workstation components installed
  3. WSUS 2.0 or later
  4. Group Policy Management Console (GPMC) SP1
  5. Internet Information Services (IIS) 6.0 and ASP.NET
  6. Microsoft Management Console (MMC) 3.0
  7. .NET Framework 2.0 or later

Once all the prerequisites are in place, run through the following checklist to ensure a smooth install.

Forefront Client Security Pre-Installation Checklist:

  1. Create a user in Active Directory to serve as FCS's DAS account. In single-server topologies you can reuse the same account for the Reporting, Action and Data Transformation Services (DTS) accounts. The account must be a member of Domain Users and a local administrator on the FCS server.
  2. Synchronize WSUS with Microsoft Update or the upstream server at least once.
  3. Ensure that the Windows Update Agent (Version 3.0 or later) is installed on the server.
  4. Endpoints that will receive the Client for Forefront Client Security, including the server on which FCS will be installed, should be configured to receive updates from WSUS.
  5. Configure WSUS to issue Critical Updates, Definition Updates and Updates, and enable Forefront Client Security in the list of products to update.
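The checklist above can be run through from the console rather than by hand. The script below is an added example (not from the article and not Microsoft's code) for the single-server topology: run it in an elevated PowerShell 2.0 session on the server that will host all the FCS roles, including WSUS. The domain name CORP / corp.example.com, the account name fcs-das and the OU it is created in are assumptions; the WSUS checks use the WSUS 3.0 administration API and are skipped if its assembly is not present.

```powershell
# Added example (not from the article, not Microsoft's code): pre-installation
# check for a single-server FCS topology. All names below are assumptions.
$domainNetbios = 'CORP'
$domainDns     = 'corp.example.com'
$dasUser       = 'fcs-das'
$dasOu         = 'LDAP://OU=Service Accounts,DC=corp,DC=example,DC=com'
$findings      = @()

function Note($check, $ok, $detail) {
    $script:findings += New-Object PSObject -Property @{ Check = $check; OK = [bool]$ok; Detail = $detail }
}

# --- Checklist item 1: the DAS account ------------------------------------
# A new user is a member of Domain Users by default; local admin rights on
# this server still have to be granted. ADSI is used so that the script does
# not depend on the Active Directory module (Server 2008 R2 only).
$existing = ([ADSISearcher]"(sAMAccountName=$dasUser)").FindOne()
if ($existing -eq $null) {
    $secure = Read-Host -AsSecureString "Password for $domainNetbios\$dasUser"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $ou   = [ADSI]$dasOu
    $user = $ou.Create('user', "CN=$dasUser")
    $user.Put('sAMAccountName', $dasUser)
    $user.Put('userPrincipalName', "$dasUser@$domainDns")
    $user.SetInfo()
    $user.SetPassword($plain)
    # 0x200 = NORMAL_ACCOUNT (enables the account); 0x10000 = DONT_EXPIRE_PASSWD.
    # Drop the second flag if your policy rotates service account passwords.
    $user.Put('userAccountControl', 0x200 -bor 0x10000)
    $user.SetInfo()
    $plain = $null
}
& net localgroup Administrators "$domainNetbios\$dasUser" /add 2>&1 | Out-Null
$isAdmin = (& net localgroup Administrators) -contains "$domainNetbios\$dasUser"
Note 'DAS account is a local administrator' $isAdmin "$domainNetbios\$dasUser"

# --- Checklist items 3 and 4: Windows Update Agent and WSUS client policy -
# WUA 3.0 ships as wuaueng.dll version 7.x.
$wua = (Get-Item "$env:windir\system32\wuaueng.dll").VersionInfo
Note 'Windows Update Agent 3.0 or later' ($wua.FileMajorPart -ge 7) $wua.FileVersion

$wuPol    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty $wuPol -ErrorAction SilentlyContinue).WUServer
$useWsus  = (Get-ItemProperty "$wuPol\AU" -ErrorAction SilentlyContinue).UseWUServer
Note 'This server takes updates from WSUS' (($useWsus -eq 1) -and [bool]$wuServer) "WUServer=$wuServer UseWUServer=$useWsus"

# --- Checklist items 2 and 5: WSUS sync state, products and classifications
$asm = [Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
if ($asm -ne $null) {
    try {
        $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
        $sub  = $wsus.GetSubscription()
        $last = $sub.GetLastSynchronizationInfo()
        if ($last -eq $null) { Note 'WSUS has synchronized at least once' $false 'never synchronized' }
        else { Note 'WSUS has synchronized at least once' ($last.Result -eq 'Succeeded') "last sync ended $($last.EndTime) ($($last.Result))" }

        $products = @($sub.GetUpdateCategories() | ForEach-Object { $_.Title })
        Note 'Forefront Client Security product enabled' ($products -contains 'Forefront Client Security') ($products -join ', ')

        $classes = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
        $missing = @('Critical Updates', 'Definition Updates', 'Updates' | Where-Object { $classes -notcontains $_ })
        Note 'Required classifications enabled' ($missing.Count -eq 0) ('missing: ' + ($missing -join ', '))
    } catch {
        Note 'WSUS checks' $false "could not connect to local WSUS: $_"
    }
} else {
    Note 'WSUS checks' $false 'WSUS administration assembly not found; run on the WSUS server'
}

$findings | Format-Table Check, OK, Detail -AutoSize
```

Anything reported with OK set to False is worth fixing before starting the FCS installer; the WSUS product and classification selections in particular are easy to miss and leave the client package and definitions invisible to endpoints.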

Running the FCS console for the first time launches a wizard to configure the location of the various server roles and databases, regardless of whether you opted for a single-server or multiserver topology.

Client Deployment and Policies

Definition updates and deployment of the FCS client are handled by WSUS. Synchronize WSUS with the upstream server and the latest Client update for Microsoft Forefront Client Security should appear in the list of updates. Once approved and installed, WSUS can be used to automatically update the client and provide new definitions based on the schedule set in FCS policy. The FCS client (Figure 2) is simple to use and similar in look and feel to Windows Defender.
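From the endpoint side, the quickest way to confirm that an approved package is actually reaching clients is to ask the Windows Update Agent what the WSUS server is offering. The script below is an added example (not from the article and not Microsoft's code); it uses the Windows Update Agent COM API (Microsoft.Update.Session) on a machine already pointed at WSUS by policy, lists every pending package whose title mentions Forefront Client Security (the client itself and definition updates alike) and, with -Install, downloads and installs them.

```powershell
# Added example (not from the article, not Microsoft's code): list, and
# optionally install, the Forefront Client Security packages that WSUS is
# offering this endpoint. Uses the Windows Update Agent COM API.
param([switch]$Install)

function Get-FcsUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1      # ssManagedServer: the WSUS server set by policy
    # WSUS only returns updates approved for this computer's target group.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    return @($result.Updates | Where-Object { $_.Title -like '*Forefront Client Security*' })
}

$updates = Get-FcsUpdates
if ($updates.Count -eq 0) {
    "WSUS is offering no Forefront Client Security package. Check approval in the WSUS console, then run 'wuauclt /detectnow' and retry."
    return
}

foreach ($u in $updates) {
    $cats = @($u.Categories | ForEach-Object { $_.Name }) -join ', '
    "{0}`n    KB: {1}   categories: {2}   downloaded: {3}" -f $u.Title, (@($u.KBArticleIDs) -join ','), $cats, $u.IsDownloaded
}

if ($Install) {
    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$coll.Add($u)
    }
    $session = New-Object -ComObject Microsoft.Update.Session
    $dl = $session.CreateUpdateDownloader()
    $dl.Updates = $coll
    [void]$dl.Download()
    $inst = $session.CreateUpdateInstaller()
    $inst.Updates = $coll
    $res = $inst.Install()
    # ResultCode 2 = orcSucceeded, 3 = orcSucceededWithErrors, 4 = orcFailed
    "Install result code {0}; reboot required: {1}" -f $res.ResultCode, $res.RebootRequired
}
```

Run it without -Install first; if the client package is approved in WSUS but does not appear here, the endpoint is usually in a target group the approval does not cover, or has not yet reported in since the approval.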

Figure 2

Client configuration is managed using Group Policy, and Group Policy Objects (GPOs) can be created and linked to Active Directory Organizational Units (OUs) from the Policy Management tab of the FCS console. Malware detection and security state assessment scans can be run on a schedule, and real-time protection is enabled by default (Figure 3). Security state assessments check for missing hot fixes and best practice configuration, such as the presence of potentially unwanted services.

Figure 3

The Advanced tab (Figure 4) lets system administrators change the frequency of definition updates, and importantly, to download definitions directly from Microsoft Update if WSUS is unavailable. Client options are used to limit access to the client interface. Overrides can be used to reclassify threats and change the response to specific malware, while Reporting lets the level of logging and alerting be modified. Once a policy has been created, you simply click Deploy in the FCS console and choose an OU or Group Policy Object to deploy the policy settings (Figure 5).

Figure 4

Figure 5

The Dashboard (Figure 6), along with displaying a summary of the overall status of clients, offers access to comprehensive reports that can also be delivered by e-mail using SQL Server Reporting Services. Reports are HTML-based, enabling system administrators to drill down for more detailed information, but custom reports are not supported. Alerts are viewed from the Reporting web console, and events are accessible only via MOM or, once they've been archived, via FCS reports.

Figure 6

IT Takeaway

Tight integration into existing Windows systems means that FCS is unlikely to require infrastructure changes or a steep learning curve. While the FCS console won't provide you with a one-stop shop for all your configuration needs, once you're past the tricky installation, running and maintaining FCS should be relatively simple for experienced system administrators.

On the downside, FCS doesn't cater for Linux or Mac clients, nor does it offer additional firewall software for those who prefer not to use Windows Firewall. It lacks advanced rootkit detection and doesn't provide Outlook integration for protecting POP3 mail (but this won't be missed in environments where Exchange and Outlook are properly secured). Other features, such as Network Access Control and device or application control, included in products such as McAfee Total Protection for Endpoint and Symantec Endpoint Protection, are already provided by Microsoft's latest server and client operating systems.

Can Forefront Stirling Deliver?

Forefront Stirling, the next generation of Forefront products, promises dynamic responses to threats detected by Forefront applications, removing the need for support staff to identify the source of a problem and take appropriate action. If Stirling proves to be effective, then Forefront security products will have a significant advantage over the competition when deployed together.