
Four ways to deploy and manage Microsoft Forefront Endpoint Protection 2010

John Joyner details Microsoft's Forefront Endpoint Protection anti-malware platform and how it can benefit organizations of all sizes.

Anti-virus utilities have been a mandatory component of any network since boot sector viruses were rampant in the early 1990s. Twenty years later, we have the concept of malware defense, and among other fortifications, we still need a utility that runs on every computer to keep the bad stuff out. Microsoft has a new-generation anti-malware platform that deserves serious consideration by organizations of all sizes.

How we got to FEP

Microsoft left the supplying of client anti-malware utilities to third parties such as McAfee and Norton (Symantec) for quite a while, finally entering the market in 2007 with a product named Forefront Client Security (FCS). FCS was a "V1" product that had an attractively low price and did an average to good job at keeping malware off the computer. FCS technology was repackaged in a completely free bare-bones consumer anti-malware utility called Microsoft Security Essentials (MSE), offered to the individual and very small business.

In 2010 Microsoft started releasing their "V2" anti-malware engine, beginning with a new version of MSE, which is already among the most used free anti-virus products in the USA and globally. Microsoft's V2 anti-malware functionality for business networks is found in the Forefront Endpoint Protection (FEP) 2010 client. A functional improvement FEP has over MSE is that FEP uses system behavior and file reputation data to identify and block attacks on client systems from previously unknown threats. Also, FEP can be centrally managed as far as alerting and setting scanning policies, while MSE lacks any central administration features.

Microsoft customers familiar with the previous management framework (for FCS) will be delighted to see the new platform. FCS used a stand-alone administration console for FCS policy deployment, and a complex lash-up between the FCS console and a dedicated MOM 2005 management group for the alerting and reporting pieces. The new FEP product is much more flexible in how you can deploy and manage it, and it inherits none of the complexity and overhead of the FCS solution. You can even get FEP delivered from the cloud using the new InTune service from Microsoft, covered in a previous blog post here at TechRepublic.

#1 Deploying the FEP client manually

You can deploy the FEP client software by using System Center Configuration Manager (SCCM) packages, manually with the setup GUI, manually or via scripting at the command prompt, and by including FEP in a client disk image. The client software is delivered as a single executable program (FEPInstall.exe) in 32 and 64-bit versions. If you choose to deploy the FEP client manually, you can just run FEPInstall.exe and accept the defaults in a short setup wizard GUI.

If you won't be using Active Directory group policy or SCCM, but still want to standardize scanning settings, there is a command line option to install the FEP client along with a preconfigured policy template. These templates are supplied as XML files and cover common server roles such as Exchange server or SQL server.
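The scripted install described above, written out as a PowerShell wrapper you could run from a logon script or a build task. This is an added example, not a script from the article or from Microsoft: the silent-install switches (/s, /q and /policy) are assumed from the FEP client documentation and should be confirmed with FEPInstall.exe /?, the share path and template file name are placeholders, and the MsMpSvc service name used for the post-install check is an assumption.

```powershell
# Added example (not from the article): silent FEP 2010 client install with a
# preconfigured policy template, plus a post-install health check.
# Assumptions: /s /q /policy switches (verify with FEPInstall.exe /?),
# placeholder share path and template name, MsMpSvc service name.
param(
    [string]$Source         = '\\FILESERVER\FEP\Client',   # placeholder share
    [string]$PolicyTemplate = 'FEP_Default_Policy.xml'     # placeholder; one of the FEP Tools XML templates
)

function Install-FepClient {
    param([string]$Source, [string]$PolicyTemplate)

    # Pick the 32- or 64-bit package to match the OS the script runs on.
    $arch      = if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' }
    $installer = Join-Path $Source "$arch\FEPInstall.exe"
    $policy    = Join-Path $Source "Policies\$PolicyTemplate"

    foreach ($path in @($installer, $policy)) {
        if (-not (Test-Path -LiteralPath $path)) { throw "Required file not found: $path" }
    }

    # Keep an audit trail of what was installed where; useful when troubleshooting a fleet.
    $log = Join-Path $env:SystemRoot "Temp\FEPInstall_$($env:COMPUTERNAME).log"
    "$(Get-Date -Format s) installing $installer with policy $policy" | Out-File -FilePath $log -Append

    # Silent, quiet install that applies the XML policy template in the same step.
    $proc = Start-Process -FilePath $installer `
                          -ArgumentList @('/s', '/q', "/policy `"$policy`"") `
                          -Wait -PassThru
    "$(Get-Date -Format s) FEPInstall.exe exit code $($proc.ExitCode)" | Out-File -FilePath $log -Append

    if ($proc.ExitCode -ne 0) { throw "FEPInstall.exe failed with exit code $($proc.ExitCode)" }
}

function Test-FepClient {
    # Assumption: the FEP client runs as the Microsoft Antimalware service, MsMpSvc.
    $svc = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
    if ($null -eq $svc)            { return 'Antimalware service not installed' }
    if ($svc.Status -ne 'Running') { return "Antimalware service present but $($svc.Status)" }
    return 'OK'
}

Install-FepClient -Source $Source -PolicyTemplate $PolicyTemplate
Write-Output ("FEP client status: " + (Test-FepClient))
```

Run it elevated; the post-install check is there so an unattended deployment reports a stopped or missing engine instead of silently leaving a host unprotected. The policy templates should come from the FEP 2010 Tools download mentioned at the end of the article, with a copy per server role (Exchange, SQL and so on) selected through the -PolicyTemplate parameter.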

#2 Deploying and managing the FEP client with SCCM

The preferred way to deploy and manage FEP on client PCs is using the System Center Configuration Manager 2007 R3 platform. If you have SCCM, or if you deploy SCCM just to manage FEP, running the FEP server setup on top of SCCM 2007 R3 adds some huge functionality to SCCM. You can push the FEP agent to SCCM clients along with custom scanning policies in a few clicks. Figure A shows the new FEP dashboard view in the SCCM console; you can click-through anywhere you see an underlined number to see immediately the names of the computers involved.

The FEP dashboard inside the System Center Configuration Manager (SCCM) console (click to enlarge)

#3 Managing the FEP client with Group Policy

It was notoriously difficult to configure previous-generation FCS clients with scanning policies without deploying the ugly duckling FCS console piece. Microsoft makes it much easier to centrally configure scanning policies for FEP clients using Active Directory group policy. This scenario fits customers that do want to standardize the scanning policies on their computers but don't want to deploy SCCM.

It is simple to manage FEP policy with group policy. FEP policies use the new native Windows 2008 ADMX-based group policies. If you don't have a Windows 2008 domain controller, you can still take advantage of ADMX-based GPOs by using a Windows 7 "admin tools workstation" running Remote Server Administration Tools (RSAT). You install the ADMX into your admin tools workstation, create and link a GPO, and edit the FEP policy settings in the GPO, using Group Policy Editor.
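The three steps above (stage the ADMX files, create and link a GPO, then edit it) as a PowerShell script for the RSAT workstation. This is an added example rather than anything from the article; it uses the GroupPolicy module that ships with RSAT, assumes the FEP ADMX/ADML files have been extracted to a local folder you point it at, and uses placeholder names for the GPO and the target OU. The GPO settings themselves are still edited in Group Policy Editor, as the article describes; the script only does the plumbing and produces a report so you can confirm the policy landed where you expected.

```powershell
# Added example (not from the article): stage the FEP ADMX files, create a GPO
# and link it to an OU from a Windows 7 RSAT workstation.
# Assumptions: RSAT GroupPolicy module present; $AdmxSource holds the extracted
# FEP ADMX and en-US ADML files; GPO and OU names are placeholders.
param(
    [string]$AdmxSource      = 'C:\FEP_Tools\ADMX',   # placeholder: extracted FEP ADMX/ADML files
    [string]$GpoName         = 'FEP Client Scanning Policy',
    [string]$TargetOu        = 'OU=Servers',          # placeholder OU, relative to the domain root
    [switch]$UseCentralStore                          # copy to SYSVOL so every admin sees the templates
)

Import-Module GroupPolicy -ErrorAction Stop

$domain   = $env:USERDNSDOMAIN
$domainDn = 'DC=' + (($domain -split '\.') -join ',DC=')

function Install-FepAdmx {
    param([string]$Source, [bool]$Central)
    # Local PolicyDefinitions is enough for a single admin workstation; the SYSVOL
    # central store is the right place once more than one person edits GPOs.
    $dest = if ($Central) { "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions" }
            else          { Join-Path $env:SystemRoot 'PolicyDefinitions' }

    foreach ($dir in @($dest, (Join-Path $dest 'en-US'))) {
        if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }
    Copy-Item -Path (Join-Path $Source '*.admx')       -Destination $dest                   -Force
    Copy-Item -Path (Join-Path $Source 'en-US\*.adml') -Destination (Join-Path $dest 'en-US') -Force
    return $dest
}

function New-FepGpo {
    param([string]$Name, [string]$OuDn)
    # Idempotent: reuse the GPO if an earlier run already created it.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $gpo) { $gpo = New-GPO -Name $Name -Comment 'FEP 2010 client scanning settings' }

    # Link only if not already linked, so re-running does not stack duplicate links.
    $linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) { New-GPLink -Name $Name -Target $OuDn -LinkEnabled Yes | Out-Null }
    return $gpo
}

$admxPath = Install-FepAdmx -Source $AdmxSource -Central $UseCentralStore.IsPresent
$gpo      = New-FepGpo -Name $GpoName -OuDn "$TargetOu,$domainDn"

# Evidence for the change record: an HTML report of the GPO as it now stands.
$report = Join-Path $env:TEMP ("{0}.html" -f ($GpoName -replace '[^\w]', '_'))
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report

Write-Output "ADMX staged in $admxPath"
Write-Output "GPO '$GpoName' ($($gpo.Id)) linked to $TargetOu,$domainDn; report at $report"
```

After the script runs, open the GPO in Group Policy Editor, where the FEP settings appear under the computer-side Administrative Templates once the ADMX files are in place, and set the scanning policy there. Running gpresult /r on a member server is a quick way to confirm the link applies before assuming the fleet is covered.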

#4 Managing the FEP client with SCOM

For customers using Microsoft System Center Operations Manager 2007 (SCOM), there is an invaluable FEP management pack from Microsoft. For servers running the FEP client as their resident anti-virus scanner, this management pack elevates visibility of the security status of managed computers into the SCOM console.

Figure B shows the computer state view in the SCOM console for managed servers running FEP. You get positive feedback on the status of the Windows firewall, the age of the anti-virus definitions, and other critical information including alert views so you know immediately when your servers encounter malware. This is an elegant and overdue way to centrally monitor server security status.

The FEP management pack for SCOM: Server anti-virus status at a glance; notice the Protected Endpoint Tasks (click to enlarge)

Note: If you've got FEP, you need the Forefront Endpoint Protection 2010 Tools. (Download the ADMX files for using Active Directory to configure the FEP client, as well as the XML templates for manually configuring FEP client policies, from there.)

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...

2 comments
jmastry

....for small to mid-sized networks. The cost and complexity of SCCM and SCOM are just not worth it, and the manual / AD install options don't provide central reporting. We were a long-time Forefront user but switched to Symantec Endpoint Protection last month because of these issues.

banx

Deployed this using MOM and a MS supplied script. Not the best product and integration with MOM was troublesome. Reporting was sketchy and inaccurate although the product itself seemed to work ok. Now removed in favour of Sophos Endpoint which doesn't require SCCM to deploy and manage.