Overview
Deploying and maintaining your Forefront Client Security clients can be automated using System Center Configuration Manager (SCCM). With SCCM, customers can quickly deploy the Forefront Client Security (FCS) agents, maintain signature updates automatically and assess the agent's configuration compliance on a routine basis. This document assumes that you have a functional SCCM Software Distribution and Software Update infrastructure and FCS Management roles deployed within the organization.
FCS Agent Deployment Overview
Deploying Forefront client agents using System Center Configuration Manager (SCCM) reduces administrative workload, as these agents are installed automatically through SCCM Software Distribution. Administrators do not require additional software or technology, but can leverage their SCCM distribution infrastructure. Furthermore, as this is an administratively controlled policy, even machines whose client agents have been removed accidentally or intentionally receive the client agent automatically when they update their policy with the SCCM server. Once the agents have been deployed, signature updates need to be applied on a routine basis, which is also made possible by the use of existing SCCM

Note: If you are using System Center Configuration, it is advised that you do not use Windows Server Update Services (WSUS) to deploy the Forefront Client agent. The Group Policy Object (GPO) directing the client machine to the WSUS server will block the use of any other WSUS server for SCCM patching, which may negatively impact the ability of the SCCM client to process Software Updates as intended.
How to create a Package using SCCM
This process will create an installation package for the FCS Agent. After creating the package you will be able to advertise it to the computers that need to have the FCS agent installed or re-installed.
1) Copy the Client directory from the FCS installation media to a directory on the SCCM Management Server
   a) For example c:\FCS
2) Navigate to the Packages node in the SCCM Console
3) Right click on the node and select New Package to launch the New Package Wizard
4) Enter Forefront Client Security for the Name
5) Enter Microsoft for the Manufacturer
6) Click Next to proceed to the Data Source page
7) Check the This package contains source files box
8) Set the source directory to the location you copied the Client folder to from the FCS Installation media
9) Select the radio button for Use a compressed copy of the source directory
10) Click Next to proceed to the Data Access page
11) Click Next to proceed to the Distribution settings
12) Update any settings on the Distribution page to best suit your specific environment
13) Click Next to proceed to the Reporting page
14) Click Next to proceed to the Security page
15) Modify the security settings to suit your specific environmental needs
16) Click Next to proceed to the Summary page
17) Verify all settings and click Next to initiate the package creation
18) Verify that the Wizard completed successfully and click Close to exit the wizard
19) Create the Program in the Package
20) Navigate to the programs node within the Microsoft Forefront Client Security Package
21) Right click on Programs and choose New Program to launch the New Program Wizard
22) Set the name as x86 Install
23) Set the Command Line
   a) ClientSetup.exe /MS <MOM Collection Server Name> /CG <MOM Config Group Name>
   b) By default the MOM Config Group name is ForefrontClientSecurity
24) Click Next to proceed to the requirements
25) Check the boxes for the x86 platforms
   a) All x86 Windows 2000
   b) All x86 Windows Server 2003 (Non R2)
   c) All x86 Windows Server 2003 R2
   d) All x86 Windows Vista
   e) All x86 Windows XP
26) Set the Estimated Disk space to 98MB
27) Click Next to proceed to the Environment page
28) Set the dropdown for the program to run Whether or not a user is logged on
29) Click Next to proceed to the Advanced page
30) Click Next to proceed to the Windows Installer page
31) Click Next to proceed to the MOM Maintenance page
32) Select options that are appropriate for your environment and click Next to go to the Summary page
33) Verify summary details and click Next to create the program
34) Verify that the Wizard completes successfully
35) Click Close to exit the Wizard
How to create a collection for FCS agent distribution using SCCM
The collection created through this process will contain any computers that do not have the FCS Agent currently installed. This collection will be used to target the advertisement of the earlier created FCS Agent install package.
1) Navigate to the Collections Node, right click and choose New Collection to launch the New Collection Wizard
2) Enter Clients Requiring Forefront Client Security as the name of the new collection
3) Click Next to continue to the Membership Rules
4) Click the yellow cylinder to add a new Query Rule
5) Enter Clients Requiring Forefront Client Security as the name of the Query Rule
6) Click Edit Query Statement
7) Click Show Query Language and paste the following query into the Query Statement box

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType,
           SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier,
           SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
    from SMS_R_System
    where SMS_R_System.ResourceId not in (
        select SMS_R_System.ResourceId
        from SMS_R_System inner join SMS_G_System_SoftwareProduct
            on SMS_G_System_SoftwareProduct.ResourceId = SMS_R_System.ResourceId
        where SMS_G_System_SoftwareProduct.ProductName = "Microsoft Forefront Client Security" )

8) Click OK to accept and Exit the Query Language Dialog
9) Click OK to accept and exit the Query Rule Properties Dialog
10) Click Next to proceed to the Advertisements page of the Wizard
11) Click Next to proceed to the Security page of the wizard
   a) Set any environment specific security here
12) Click Next to proceed to the Progress and confirmation stages
13) Upon reaching the confirmation stage you may click Close to exit the New Collection Wizard
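
The query rule above selects every resource that has no "Microsoft Forefront Client Security" software inventory record, so it also matches discovered systems without an SCCM client and clients that have not yet reported inventory. The following added example (not part of the original document) previews the rule's membership through the SMS Provider and separates those cases; the server name and site code are placeholders you must replace.

```powershell
# Added example, not from the original document.
# $SiteServer and $SiteCode are placeholders (assumptions); set them for your site.
$SiteServer = 'SCCM01'   # hypothetical SMS Provider host
$SiteCode   = 'ABC'      # hypothetical three-character site code

# Same membership logic as the query rule above, trimmed to the columns used here.
$wql = @'
select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.ResourceId not in (
    select SMS_R_System.ResourceId
    from SMS_R_System inner join SMS_G_System_SoftwareProduct
        on SMS_G_System_SoftwareProduct.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_SoftwareProduct.ProductName = "Microsoft Forefront Client Security")
'@
$wql = $wql -replace '\s+', ' '   # collapse the here-string to a single line

$rows = @(Get-WmiObject -ComputerName $SiteServer `
                        -Namespace "root\sms\site_$SiteCode" `
                        -Query $wql -ErrorAction Stop)

# Client = 1 marks a resource with an installed SCCM client.
# Any other value means the resource was only discovered and cannot run an advertisement.
$withClient    = @($rows | Where-Object { $_.Client -eq 1 })
$withoutClient = @($rows | Where-Object { $_.Client -ne 1 })

'{0} resources match the query rule' -f $rows.Count
'{0} have an SCCM client and can run the advertised install' -f $withClient.Count
'{0} have no SCCM client and will stay in the collection unprotected' -f $withoutClient.Count

# Systems to follow up on: they need an SCCM client before FCS can be pushed to them.
$withoutClient | Sort-Object Name | Select-Object Name, ResourceId | Format-Table -AutoSize
```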
Create Advertisement
1) Navigate to the program created earlier
2) Right click the program and select Distribute Software to launch the Distribute Program Wizard
3) Click Next to proceed to the Advertisement Target page
4) Select the Clients Requiring Forefront Client Security collection
5) Click Next to proceed to the Advertisement Name Page
6) Click Next to proceed to the Advertisement Subcollection page
7) Click Next to proceed to the Advertisement Schedule page
8) Uncheck the Download content from unprotected distribution point and run locally checkbox
9) Set the time and date for the start of the advertisement
10) Click Next to proceed to the Assign Program page
11) Select the radio button for Yes, assign the program and set the date, time and other options as appropriate for your environment
12) Click Next to proceed to the summary page
13) Click Next to create the assignment
14) Verify that the wizard completes successfully and click Close to exit the wizard.
Deployment Tips
Note: If you are using System Center Configuration, it is advised that you do not use Windows Server Update Services (WSUS) to deploy the Forefront Client agent. The Group Policy Object (GPO) directing the client machine to the WSUS server will block the use of any other WSUS server for SCCM patching, which may negatively impact the ability of the SCCM client to process Software Updates as intended.
FCS Signature Updates
The goal of this document is to provide guidance for automatically updating your FCS signature updates using the WSUS infrastructure required by SCCM for Software Updates.
Configuration Assumptions
This document assumes that you have a functional SCCM Software Updates installation.
Installation
The installation process consists of 5 steps:
1) Install all FCS Management Infrastructure components as per the FCS Deployment Guide with the exception of the Distribution Server component.
2) Install the FCS Distribution server component on the SCCM Software Update Point (SUP) for the SCCM site.
3) Update the WSUS Updates Synchronization settings on the SCCM SUP to include the FCS Definition Updates.
   a) Launch the SCCM Console
   b) Navigate to Component Configuration
   c) Right click the Software Update Point Component and choose Properties to open the Properties Dialog
   d) Navigate to the Classifications tab and verify that Definition Updates is checked
   e) Navigate to the Products tab and ensure that the box for Forefront Client Security is checked
   f) Click OK to accept and exit the dialog
4) Create an Auto Acceptance rule to automatically accept updates of the category Definition Updates
   a) Open the Microsoft Windows Server Update Services 3.0 console
   b) Navigate to the Options node
   c) Open the Automatic Approvals Dialog
   d) Click New Rule to open the Add Rule dialog
   e) Check the box for When an Update is in a Specific Classification
   f) Click the Any Classification link to open the Choose Update Classifications Dialog
   g) Uncheck any checked boxes and check the box next to Definition Updates
   h) Click OK
   i) Click OK to accept All Computers as the target for the Auto-Approval Rule
      i) Note: You may alter the Targeted computers but it is recommended that you take the default of All Computers
   j) Specify a Name for the rule, e.g. FCS Definition Update Auto-Approval
   k) Click OK to accept the new rule after verifying the settings.
   l) Click OK on the Automatic Approvals dialog to exit and apply the new rule
5) Configure an appropriate automatic synchronization schedule in WSUS
   Note: Within the SCCM console, SCCM only allows for a maximum of once per day synchronization of WSUS with Microsoft Update, which may not be aggressive enough for FCS definitions. Forefront Client Security customers are recommended to configure an additional Automatic Synchronization Schedule for Definition Updates that updates with a higher frequency. Below are the steps:
   a) In the WSUS console, navigate to the Options node
   b) Open the Synchronization Schedule Dialog
   c) Configure a Synchronization Schedule that best matches your needs, keeping in mind that Definition Updates may be released as many as 3 times per day
   d) Click OK to accept and Exit the dialog
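
Steps 4 and 5 can also be applied from a script, which makes the setting repeatable and easy to re-check after changes to the server. The following is an added example, not part of the original document: it uses the WSUS 3.0 administration API (Microsoft.UpdateServices.Administration) and must be run elevated on the WSUS server; the first synchronization time and the count of 3 per day are assumptions taken from the release frequency mentioned above.

```powershell
# Added example, not from the original document. Run elevated on the WSUS server
# that hosts the SCCM Software Update Point.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$ruleName    = 'FCS Definition Update Auto-Approval'   # rule name suggested in step 4 j)
$syncsPerDay = 3                                        # assumption: matches "3 times per day"

# --- Step 4: auto-approve the Definition Updates classification only ---
$defs = $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Definition Updates' }
if (-not $defs) { throw 'Definition Updates classification not found on this WSUS server.' }
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classes.Add($defs)

# Target the default All Computers group, as recommended in step 4 i)
$all = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'All Computers' }
if (-not $all) { throw 'All Computers target group not found.' }
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($all)

# Reuse the rule if it already exists so that re-running the script does not duplicate it
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }
$rule.SetUpdateClassifications($classes)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# --- Step 5: synchronize several times per day instead of once ---
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 0   # first sync at 00:00 UTC (assumption)
$sub.NumberOfSynchronizationsPerDay    = $syncsPerDay
$sub.Save()

# Read the settings back so the result can be recorded or compared later
'Rule "{0}" enabled: {1}' -f $rule.Name, $rule.Enabled
'Automatic sync: {0}, {1} per day' -f $sub.SynchronizeAutomatically, $sub.NumberOfSynchronizationsPerDay
```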
Configuration Tips
It is very important that there is no GPO forcing the selection of a specific WSUS server if you have SCCM clients that roam between SCCM sites. If there is a GPO enforcing a WSUS server that is not the WSUS server for the current site's SUP, Software Updates will not function properly. It is essential that the FCS Distribution Server Component and the WSUS server used for the SCCM Software Update Point be installed on the same server.
FCS Assessment Baseline
The FCS Assessment Baseline provides general configuration auditing of default policy settings applied to the FCS agent. The baseline needs to be targeted and scheduled for assessment.
Configuration Items & Settings
This document assumes that you have a functional SCCM Software Updates installation and FCS Management infrastructure. These settings are referenced from the FCS Policy Setting and Registry Keys content posted on TechNet: http://technet.microsoft.com/en-us/library/bb418783.aspx
Config Item    Setting
Advanced       Allow users to add exclusions and overrides
Advanced       Check for updates at set interval (hours)
Advanced       Check for updates before starting a scan
Advanced       Check for updates on Microsoft Update when WSUS is unavailable
Advanced       Delete after (days)
Advanced       Delete quarantined files
Advanced       Extensions
Advanced       File and folder paths
Advanced       Only administrators can change Client Security agent settings
Advanced       Prompt user when unclassified software is detected
Advanced       Scan archive files
Advanced       Use heuristics to detect suspicious files
Advanced       Users can only view notification area icon and status messages
Advanced       Users can view all Client Security settings and messages
Hidden         Designates whether the Client Security agent will take action on items detected during a real-time protection scan (after a non-configurable delay)
Hidden         Designates whether the Client Security agent will take default actions during scheduled scans
Hidden         Designates whether the Client Security service will continue to run when scans are turned off
Hidden         Reads language and minimum manifest version from server
Hidden         Specifies the day and time that Client Security agent will update definitions
Hidden         Specifies whether the Client Security icon will be displayed in the notification area at all times
Overrides      Overrides based on category
Overrides      Overrides based on severity
Overrides      Overrides based on threat
Protection     Do not run security state scan
Protection     If scan was not run when scheduled, run as soon as possible
Protection     Run a quick scan at set interval (hours)
Protection     Run a scan at this time
Protection     Scan at set interval (hours)
Protection     Scan at this time
Protection     Scan type

Setting
Spyware protection
Start time
Use real-time protection (scan programs and services when they are accessed)
Virus protection
Do not log events for files marked "Unknown"
Specify the alert level
SpyNet reporting
Use Microsoft Internet Explorer® settings
Use other proxy server and port
Baseline Deployment
Deploying the baseline consists of two quick steps: importing the configuration packs and assigning a baseline to a collection.
Import the Configuration Packs
1) Download the Zip archive containing the Forefront Client Security Assessment Baseline.
2) Extract the Contents to a folder on your local disk
   a) Examples will use c:\DCM
3) Launch the SCCM Console
   a) Start -> All Programs -> Microsoft System Center -> Configuration Manager 2007 -> SCCM Console
4) Navigate to DCM Configuration Items node in the tree
   a) Site Database (for your site) -> Computer Management -> Desired Configuration Management -> Configuration Items
5) Right click Configuration Items and Choose Import Configuration Data
6) On the Choose Files Dialog, Click Add
7) Point the Open Files dialog to the C:\DCM directory and select all of the cab files
   a) HINT: Click one of the files, then hit Ctrl-A
8) Click Open
   a) You may get a Security Warning Dialog. Click Run for each file that pops up if it has not been signed by publisher
9) You should return to a Choose Files dialog that is populated with a list of files to import
10) Click Next to move to the Summary step
11) Click Next and it will begin to import the Config Packs
12) Once complete you will be at the Confirmation Step and should see that everything imported successfully
13) Click Close
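
Step 8 a) asks you to click Run on cab files that raise a Security Warning, so it is worth knowing beforehand which files are unsigned and whether any signed file has been altered. The following added example (not part of the original document) reports the Authenticode state of each cab file in the c:\DCM folder used above; it assumes the built-in Get-AuthenticodeSignature cmdlet is available on the machine where the archive was extracted.

```powershell
# Added example, not from the original document.
$folder = 'C:\DCM'   # extraction folder used in the steps above

$report = Get-ChildItem -Path $folder -Filter *.cab | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    New-Object psobject -Property @{
        File   = $_.Name
        Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

$report | Sort-Object File | Format-Table File, Status, Signer -AutoSize

# NotSigned is the case step 8 a) describes. HashMismatch means the file changed
# after it was signed and should not be imported.
$altered  = @($report | Where-Object { $_.Status -eq 'HashMismatch' })
$unsigned = @($report | Where-Object { $_.Status -eq 'NotSigned' })

'{0} cab file(s) checked, {1} unsigned, {2} altered after signing' -f `
    @($report).Count, $unsigned.Count, $altered.Count

if ($altered.Count -gt 0) {
    throw 'At least one cab file fails signature verification; download the archive again.'
}
```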
Assign Baselines to a Collection
1) Choose a Collection to Deploy baselines to
   a) For the purposes of this document, the Windows 2003 Operating System Config Packs will be assigned to the All Windows Server 2003 Systems collection
2) Right click on the collection and choose Assign Configuration Baseline
   a) This will launch the Assign Configuration Baseline Wizard
3) Click the Add button
4) Check the boxes next to the baselines you want to assign to this collection and click OK
5) Click Next in the Assign Configuration Baseline Wizard
6) The Collection should already be filled in but can be changed if needed. Click Next to go on to the Set Schedule step
7) Choose a schedule for the Compliance Evaluation to run on or accept the default of 7 Days and click Next
8) The Summary step will show what is going to be done. Click Next to proceed
9) Once the assignment has completed you will receive a confirmation page showing that it was successfully assigned. Click Close to complete the wizard
10) The Baselines will be evaluated on the schedule you have configured on all client systems in the targeted collection