Tactical Advice

The Forefront of Security

Microsoft's enterprise antivirus product protects desktops, notebooks and servers that don't host specific applications.
This story appears in the December 2008 issue of BizTech Magazine.

Forefront Client Security’s (FCS) failure to pass tests conducted by Virus Bulletin in 2007 led to doubts as to whether Microsoft’s enterprise antimalware offering and Windows Live OneCare, which uses the same scanning engine, delivered sufficient protection against common threats. A year later, FCS holds not only Virus Bulletin’s VB100 certification, but also ICSA and West Coast Labs certifications, which makes the product a serious contender.

While the name suggests the product is designed only for desktop and notebook computers, FCS also protects servers that don’t host specific applications. The Forefront range includes Server Security, which is intended for Exchange, SharePoint and Office Communications servers. Internet Security and Acceleration (ISA) Server and Intelligent Application Gateway also come under the Forefront umbrella.

Installing Forefront Client Security

FCS supports several different topologies, where server roles can be distributed across four physical machines, supporting a maximum of 10,000 clients (Figure 1). As you become familiar with the product, I’d recommend running all the server roles on one machine. FCS’s Distribution server is required only for Windows Server Update Services 2.0, as the hourly update functionality that the Distribution server provides is included in WSUS 3.0.

FCS depends on a variety of technologies, many of which are likely to be part of your infrastructure already. FCS additionally installs Microsoft Operations Manager (MOM) 2005 to facilitate reporting and alerting.


Figure 1

Forefront Client Security Prerequisites:

  1. Windows Server 2003 (Service Pack 1 or later) or Server 2008 (32-bit editions only); note that while FCS server components can be installed only on 32-bit editions of Windows Server, the client components support 64-bit editions
  2. SQL Server 2005 (SP1) with Database Services, Integration Services, Reporting Services and Workstation components installed
  3. WSUS 2.0 or later
  4. Group Policy Management Console (GPMC) SP1
  5. Internet Information Services (IIS) 6.0 and ASP.NET
  6. Microsoft Management Console (MMC) 3.0
  7. .NET Framework 2.0 or later

Once all the prerequisites are in place, run through the following checklist to ensure a smooth install.

Forefront Client Security Pre-Installation Checklist:

  1. Create a user in Active Directory to serve as FCS’s DAS account. You can reuse the account in single-server topologies for the Reporting, Action and Data Transformation Services (DTS) accounts. The account must be a member of the Domain Users group and have local administrator access to the local server.
  2. Synchronize WSUS with Microsoft Update or the upstream server at least once.
  3. Ensure that the Windows Update Agent (Version 3.0 or later) is installed on the server.
  4. End-points that will receive the Client for Forefront Client Security, including the server on which FCS will be installed, should be configured to receive updates from WSUS.
  5. Configure WSUS to issue Critical Updates, Definition Updates and Updates, and enable Forefront Client Security in the list of products to update.
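To confirm the locally verifiable items of this checklist on the prospective FCS server before running setup, here is an added PowerShell script (not from the article or from Microsoft). The DAS account name is a placeholder, and the mapping of Windows Update Agent 3.0 to a wuaueng.dll file version of 7.x is an assumption; domain-side items (Domain Users membership, WSUS synchronization) are not covered.

```powershell
# Added example, not part of the article: checks the locally verifiable items of
# the FCS pre-installation checklist on the server that will host FCS.
$dasAccount = 'CONTOSO\svc-fcs-das'   # placeholder; replace with your DAS account

$results = @()

# Checklist item 1: the DAS account must be a local administrator on this server.
$localAdmins = net localgroup Administrators | ForEach-Object { $_.Trim() }
$results += New-Object PSObject -Property @{
    Check  = "DAS account $dasAccount is a local Administrator"
    Passed = [bool]($localAdmins -contains $dasAccount)
}

# Checklist item 3: Windows Update Agent 3.0 or later. Assumption: WUA 3.0 ships
# wuaueng.dll with a file version of 7.0 or higher, so major version 7+ passes.
$wuaDll     = Get-Item "$env:SystemRoot\System32\wuaueng.dll"
$wuaVersion = [version]$wuaDll.VersionInfo.ProductVersion
$results += New-Object PSObject -Property @{
    Check  = "Windows Update Agent 3.0 or later (wuaueng.dll $wuaVersion)"
    Passed = ($wuaVersion.Major -ge 7)
}

# Checklist item 4: this server must receive updates from WSUS. WUServer and
# UseWUServer are the registry values written by the 'Specify intranet Microsoft
# update service location' Group Policy setting.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
$useWsus  = (Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue).UseWUServer
$results += New-Object PSObject -Property @{
    Check  = "Updates are received from WSUS ($wuServer)"
    Passed = ($useWsus -eq 1) -and -not [string]::IsNullOrEmpty($wuServer)
}

# Summarize; fix any failed row before running FCS setup.
$results | Select-Object Check, Passed | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it in an elevated PowerShell session on the FCS server; a non-zero exit code means at least one checklist item still needs attention.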

Running the FCS console for the first time initializes a wizard to configure the location of the various server roles and databases, regardless of whether you opted for a single or multiserver topology.

Client Deployment and Policies

Definition updates and deployment of the FCS client are handled by WSUS. Synchronize WSUS with the upstream server, and the latest Client update for Microsoft Forefront Client Security should appear in the list of updates. Once approved and installed, WSUS can be used to automatically update the client and provide new definitions based on the schedule set in FCS policy. The FCS client (Figure 2) is simple to use and similar in look and feel to Windows Defender.


Figure 2

Client configuration is managed using Group Policy, and Group Policy Objects (GPOs) can be created and linked to Active Directory Organizational Units (OUs) from the Policy Management tab of the FCS console. Malware detection and security state assessment scans can be run on a schedule, and real-time protection is enabled by default (Figure 3). Security state assessments check for missing hot fixes and best practice configuration, such as the presence of potentially unwanted services.


Figure 3

The Advanced tab (Figure 4) lets system administrators change the frequency of definition updates, and importantly, to download definitions directly from Microsoft Update if WSUS is unavailable. Client options are used to limit access to the client interface. Overrides can be used to reclassify threats and change the response to specific malware, while Reporting lets the level of logging and alerting be modified. Once a policy has been created, you simply click Deploy in the FCS console and choose an OU or Group Policy Object to deploy the policy settings (Figure 5).


Figure 4


Figure 5

Reporting

The Dashboard (Figure 6), along with displaying a summary of the overall status of clients, offers access to comprehensive reports that can also be delivered by e-mail using SQL Server Reporting Services. Reports are HTML-based, enabling system administrators to drill down for more detailed information, but custom reports are not supported. Alerts are viewed from the Reporting web console, and events are accessible only via MOM or, once they’ve been archived, via FCS reports.


Figure 6


IT Takeaway

Tight integration into existing Windows systems means that FCS is unlikely to require infrastructure changes or a steep learning curve. While the FCS console won’t provide you with a one-stop shop for all your configuration needs, once you’re past the tricky installation, running and maintaining FCS should be relatively simple for experienced system administrators.

On the downside, FCS doesn’t cater to Linux or Apple, nor does it offer additional firewall software for those who prefer not to use Windows Firewall. It lacks advanced root-kit detection and doesn’t provide Outlook integration for protecting POP3 mail (but this won’t be missed in environments where Exchange and Outlook are properly secured). Other features, such as Network Access Control and device or application control, included in products such as McAfee Total Protection for Endpoint and Symantec Endpoint Protection, are already provided by Microsoft’s latest server and client operating systems.

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.

About the Author

Russell Smith

Microsoft Technology Best Practices

Russell is a technology consultant and trainer specializing in management and security of Microsoft server and client technologies. A Microsoft Certified Systems Engineer with more than 10 years of experience, Russell’s projects have included everything from deploying Small Business Server to developing security practices on large-scale United Kingdom government IT projects. Russell is also author of Least Privilege Security for Windows 7, Vista and XP published by Packt.
