System Center 2012 Configuration Manager Concepts & Administration

Presentation transcript:

© 2012 Microsoft Corporation. All rights reserved. Microsoft Confidential © 2012 Microsoft Corporation Microsoft Confidential

System Center 2012 Configuration Manager Concepts & Administration
Lesson 8: System Center Endpoint Protection (SCEP)
Your Name
Premier Field Engineer
Microsoft

Conditions and Terms of Use

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited. The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks

© 2012 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

System Center 2012 Configuration Manager
System Center Endpoint Protection (SCEP) in Configuration Manager

Objectives
In this module you will learn about:
- Endpoint Protection in System Center 2012 Configuration Manager
- Capabilities of Endpoint Protection
- Features of Endpoint Protection client

Endpoint Protection
Endpoint Protection in System Center 2012 Configuration Manager:
- Now fully integrated with Configuration Manager
- Configured as a Configuration Manager Role
Capabilities of Endpoint Protection:
- Configure antimalware policies and Windows Firewall settings
- Use Software Updates to download the latest antimalware definition files to keep clients up-to-date
- Stay updated on client status via email notifications, in-console monitoring, and reports
Endpoint Protection client:
- Installs in addition to Configuration Manager client
- Malware/Spyware/rootkit detection and remediation
- Critical vulnerability assessment and automatic definition and engine updates
- Network vulnerability detection via Network Inspection System
- Integration with Microsoft Active Protection Services

Managing Malware
- Create antimalware policies containing Endpoint Protection settings
- Deploy antimalware policies to client computers
Managing Windows Firewall with Endpoint Protection
Monitoring:
- “Monitoring” workspace
- “System Center 2012 Endpoint Protection Status” node
- Configuration Manager reports
For each network profile, you can configure the following settings:
- Enable or disable the Windows Firewall.
- Block incoming connections, including those in the list of allowed programs.
- Notify the user when Windows Firewall blocks a new program.

Changes from Forefront Endpoint Protection 2010
- No longer an add-on
- Install the Endpoint Protection client by using Configuration Manager client settings, or you can manage existing Endpoint Protection clients
- Role-Based Administration
- Endpoint Protection reports integrated with Configuration Manager reporting
- Update definitions and the definition engine using automatic deployment rules
  - Classification: Definition updates
  - Product: Forefront protection category
- Configure multiple malware alert types for malware notification
- Endpoint Protection dashboard is integrated with the Configuration Manager console

- Select the Endpoint Protection point as one of the available Configuration Manager site system roles.
- You do not use a package and program to install the Endpoint Protection client.
- Example of reports: Identify the users who have computers that most frequently report security threats
- System Center 2012 Endpoint Protection Status node in the Monitoring workspace will give you some visibility into the environment, without Reporting Services

Prerequisites for Endpoint Protection Deployment
Dependencies:
- Windows Server Update Services (WSUS)
The following update methods require client computers to have Internet access:
- Updates distributed from Microsoft Update
- Updates distributed from Microsoft Malware Protection Center
Clients download definition updates by using the built-in System account.
- You must configure a proxy server for this account to enable these clients to connect to the Internet
- You can use Windows Group Policy to configure a proxy server on multiple computers
WSUS must be installed and configured for software updates synchronization if you want to use Configuration Manager software updates to deliver definition and engine updates.

Prerequisites for Endpoint Protection Deployment
Dependencies:
- Endpoint Protection point can only be enabled on the Central Administration Site (or a Standalone Primary)
- If using software updates to deliver definition and engine updates, you will need a Software Update Point

USER NOTES: Security permissions to manage Endpoint Protection
You must have the following security permissions to manage Endpoint Protection:
- To create and manage subscriptions to Endpoint Protection alerts: Create, Delete, Modify, Read, Set Security Scope for the Alert Subscription object.
- To create and modify alerts for Endpoint Protection: Create, Delete, Modify, Modify Report, Read, Run Report for the Alerts object.
- To create and modify antimalware policies: Create, Delete, Modify, Modify Default, Modify Report, Read, Read Default, Run Report, Set Security Scope for the Antimalware Policy object.
- To deploy antimalware and Windows Firewall policies to computers: Audit Security, Delete, Deploy Antimalware Policies, Deploy Firewall Policies, Enforce Security, Read, Read Resource for the Collection object.
- To view and manage Endpoint Protection in the Configuration Manager console: Read permissions for the Site object.
- To create and modify Windows Firewall policies: Create Policy, Delete Policy, Modify Policy, Read Policy, Read Settings for the Windows Firewall Policy object.
The Endpoint Protection Manager security role includes these permissions that are required to manage Endpoint Protection in Configuration Manager.
Note: To perform the following actions, you must be a member of the Full Administrator security role.
- Configure the Endpoint Protection point site system role.
- Configure email notification for Endpoint Protection alerts.
For more information, see Configure Role-Based Administration in the topic Configuring Security for Configuration Manager.

Configure Endpoint Protection
Steps to configure Endpoint Protection:
- Create an Endpoint Protection point site system role
- Configure alerts for Endpoint Protection
- Optional: configure Software Updates to deliver definition updates to client computers
- Configure the default antimalware policy and create custom antimalware policies
- Configure custom client settings for Endpoint Protection

Step 1: Create an Endpoint Protection point site system role. The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site.
Step 2: Configure alerts for Endpoint Protection. Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts are displayed in the Alerts node of the Monitoring workspace, or optionally can be emailed to specified users.
Step 3 (OPTIONAL): Configure Configuration Manager software updates to deliver definition updates to client computers. Endpoint Protection can be configured to use Configuration Manager software updates to deliver definition updates to client computers.
Step 4: Configure the default antimalware policy and create any custom antimalware policies. The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom policies you have deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have configured antimalware policies before you deploy the Endpoint Protection client.
Step 5: Configure custom client settings for Endpoint Protection. Use custom client settings to configure Endpoint Protection settings for collections of computers in your hierarchy.
Important: Do not configure the default Endpoint Protection client settings unless you are sure that you want these settings applied to all computers in your hierarchy.

DEMO: Enable and configure an Endpoint Protection Point
Scenario: You are the Administrator of the Contoso Configuration Manager hierarchy and you wish to enable and configure an Endpoint Protection Point
DEMO:
- Enable EP point
- Enable client
Goals:
- Ensure prerequisites are met
- Enable and configure the Endpoint Protection Point

Creating and deploying antimalware policies
- Deploy antimalware policies to collections of Configuration Manager clients to determine how Endpoint Protection protects them from malware and threats
- Policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected
Upon enabling Endpoint Protection:
- A default antimalware policy is applied to client computers
- You can use additional policy templates that are supplied, or
- Create custom antimalware policies to customize the settings for your environment
Note: Configuration Manager supplies a selection of predefined templates that are optimized for various scenarios and can be imported into Configuration Manager. These templates can be found in the folder <ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates.
Important: If you create a new antimalware policy and deploy it to a collection, this antimalware policy overrides the default antimalware policy.

Modifying the default antimalware policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. Select the antimalware policy Default Client Antimalware Policy and then, on the Home tab, in the Properties group, click Properties.
4. In the Default Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK.

Creating a new antimalware policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. On the Home tab, in the Create group, click Create Antimalware Policy.
4. In the General section of the Create Antimalware Policy dialog box, enter a name and description for the policy.
5. In the Create Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK.
6. Verify that the new antimalware policy displays in the Antimalware Policies list.

Importing an antimalware policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. In the Home tab, in the Create group, click Import.
4. In the Open dialog box, browse to the policy file that you want to import, and then click Open.
5. In the Create Antimalware Policy dialog box, review the settings to use, and then click OK.
6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Deploying an antimalware policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.
3. In the Antimalware Policies list, select the antimalware policy that you want to deploy and then, on the Home tab, in the Deployment group, click Deploy.
   Note: The Deploy option cannot be used with the default client antimalware policy.
4. In the Select Collection dialog box, select the device collection to which you want to deploy the antimalware policy, and then click OK.

Create and deploy Windows Firewall policies
Firewall policies for Endpoint Protection allow you to perform basic Windows Firewall configuration and maintenance tasks on client computers in your hierarchy.
You can use Windows Firewall policies to perform the following tasks:
- Control whether Windows Firewall is turned on or off
- Control whether incoming connections are allowed to client computers
- Control whether users are notified when Windows Firewall blocks a new program
Group Policy settings will override any Configuration Manager settings for the Firewall.

Creating a Windows Firewall policy
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows Firewall Policies.
3. On the Home tab, in the Create group, click Create Windows Firewall Policy.
4. On the General page of the Create Windows Firewall Policy Wizard, specify a name and an optional description for this firewall policy, and then click Next.
5. On the Profile Settings page of the wizard, configure the following settings for each network profile:
   Note: If Enable Windows Firewall is not enabled, the other settings on this page of the wizard are unavailable.
   - Block all incoming connections, including those in the list of allowed programs
   - Notify the user when Windows Firewall blocks a new program
6. On the Summary page of the wizard, review the actions to be taken, and then complete the wizard.
7. Verify that the new Windows Firewall policy is displayed in the Windows Firewall Policies list.
Important: If you want to deploy Windows Firewall policies to computers running Windows Server 2008 and Windows Vista Service Pack 1, you must first install Hotfix KB971800 on these computers.

DEMO: Configuring and Deploying Antimalware and Windows Firewall Settings
Scenario: You are the Administrator of the Contoso Configuration Manager hierarchy and you wish to deploy antimalware and Windows Firewall settings in your client environment
DEMO:
- Import antimalware policy
- Create new antimalware policy
- Create Windows Firewall policy
- Deploy selected policies and check their application on the clients
Goals:
- Create new antimalware policy
- Import antimalware policy
- Configure policies for deployment
- Create new Windows Firewall policies
- Deploy specific policies to clients

Monitor Endpoint Protection in Configuration Manager

What's new in SP1?
- Endpoint Protection client setting can be enabled to commit the changes on Windows Embedded devices that are write filter enabled
- Definition updates deployed by software updates can be configured to write to the overlay on Windows Embedded devices, without an immediate restart
- Endpoint Protection client can be installed only during configured maintenance windows. The maintenance window must be at least 30 minutes long to allow installation to occur.
- Endpoint Protection now uses client notification to start the following actions as soon as possible, instead of during the normal client policy polling interval:
  - Force antimalware definition updates
  - Run quick scans
  - Run full scans
  - Allow threats
  - Exclude folders and files
  - Restore quarantined files
With SP1, Configuration Manager can handle Evaluation Schedule settings within an Automatic Deployment Rule up to 3 times a day without impacting server performance, to align with the Microsoft System Center Endpoint Protection definition updates publishing frequency.

What's new in SP1? (continued)
- Improvements to software updates to allow more frequent distribution of Endpoint Protection definition updates
- Multiple antimalware policies deployed to a client computer are merged on the client
  - When settings conflict, the setting from the highest-priority policy is used.
  - Some settings are merged, such as exclusion lists from separate antimalware policies.
  - Client-side merge also honors the priority that is configured for each antimalware policy.
- A software update deployment template named Definition Updates is included in the Deploy Software Updates Wizard and Automatic Deployment Rule Wizard.
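The client-side merge described on this slide, modelled as an added example (it is not part of the original deck and is not Configuration Manager code): conflicting settings resolve to the highest-priority policy, while exclusion lists from every policy are combined, so an exclusion defined only in a low-priority policy is still active on the client. The policy names, paths and the convention that priority 1 is the highest are assumptions; the setting names are the ones listed in the appendix.

```python
from dataclasses import dataclass, field


@dataclass
class AntimalwarePolicy:
    name: str
    priority: int  # assumption: 1 is the highest priority
    settings: dict = field(default_factory=dict)      # single-valued settings
    excluded_paths: set = field(default_factory=set)  # list-valued, merged


def merge_policies(policies):
    """Model the merge: the highest-priority policy wins a conflict,
    exclusion lists from all policies are combined."""
    ordered = sorted(policies, key=lambda p: p.priority)
    effective = {}   # setting -> (value, policy that supplied it)
    shadowed = []    # (setting, losing value, losing policy, winning policy)
    exclusions = {}  # path -> policies that contribute it
    for pol in ordered:
        for key, value in pol.settings.items():
            if key not in effective:
                effective[key] = (value, pol.name)
            elif effective[key][0] != value:
                shadowed.append((key, value, pol.name, effective[key][1]))
        for path in pol.excluded_paths:
            exclusions.setdefault(path, []).append(pol.name)
    return effective, shadowed, exclusions


def review_findings(policies):
    """List what a reviewer should look at before deploying the set."""
    effective, shadowed, exclusions = merge_policies(policies)
    top = min(policies, key=lambda p: p.priority).name
    findings = []
    for path in sorted(exclusions):
        sources = exclusions[path]
        if top not in sources:
            # Active on the client although the top policy never asked for it.
            findings.append(
                f"exclusion {path} is active, contributed only by "
                f"{', '.join(sources)}"
            )
    for key, value, loser, winner in shadowed:
        findings.append(f"{key} = {value!r} in {loser} is overridden by {winner}")
    return findings


# Constructed sample policies (names and paths are hypothetical).
SAMPLE = [
    AntimalwarePolicy(
        "Workstation Baseline", 1,
        {"Enable real-time protection": True, "Scan type": "Quick scan"},
    ),
    AntimalwarePolicy(
        "Database Servers", 2,
        {"Scan type": "Full Scan"},
        {r"D:\SQLData"},
    ),
    AntimalwarePolicy(
        "Legacy App Pilot", 3,
        {"Enable real-time protection": False},
        {r"C:\LegacyApp", r"D:\SQLData"},
    ),
]

if __name__ == "__main__":
    for line in review_findings(SAMPLE):
        print(line)
```

For the sample set, real-time protection stays enabled because the baseline policy wins the conflict, but both exclusions remain in effect even though the baseline defines none.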

Lesson Review
- What would happen when there is a conflict between Group Policy settings and Configuration Manager EP Firewall policy settings?
  Group Policy settings will override any settings
- Is there anything added in SP1 with respect to Deployment Template? If yes, then what is the name of that Deployment Template?
  Yes - Definition Updates
- Where can you install Endpoint Protection Point?
  Only on Central Administration Site or Standalone Primary Site

Module Summary
In this module you learned about:
- Endpoint Protection in System Center 2012 Configuration Manager
- Capabilities of Endpoint Protection
- Features of Endpoint Protection client

APPENDIX

List of Antimalware Policy Settings: Scheduled Scans
Setting name: Scan type
Description: You can specify one of two scan types to run on client computers:
- Quick scan: This type of scan checks in-memory processes and folders where malware is typically found. It requires fewer resources than a full scan.
- Full Scan: This type of scan adds a full check of all local files and folders to the items scanned in the quick scan. This scan takes longer than a quick scan and uses more CPU processing and memory resources on client computers.
In most cases, use Quick scan to minimize the use of system resources on client computers. If malware removal requires a full scan, Endpoint Protection generates an alert that is displayed in the Configuration Manager console. The default value is Quick scan.
Setting name: Randomize the scheduled scan start times (within 30 minutes)
Description: Select True if you want to help avoid flooding the network if all computers send their antimalware scan results to the Configuration Manager database at the same time. This setting is also useful when you run multiple virtual machines on a single host. Select this option to reduce the number of simultaneous disk accesses for antimalware scanning.

List of Antimalware Policy Settings: Scan Settings
Setting name: Scan network drives when running a full scan
Description: Set to True if you want to scan any mapped network drives on client computers. If you enable this setting, it might significantly increase the scan time on client computers.

List of Antimalware policy settings: Default Actions
The following actions can be selected to be taken when malware is detected on client computers:
- Recommended: Use the action recommended in the malware definition file
- Quarantine: Quarantine the malware but do not remove it
- Remove: Remove the malware from the computer
- Allow: Do not remove or quarantine the malware

List of Antimalware policy settings: Real-time Protection
Setting name: Enable real-time protection
Description: Set to True if you want to configure real-time protection settings for client computers. We recommend that you enable this setting.
Setting name: Monitor file and program activity on your computer
Description: Set to True if you want to monitor when files and programs start to run on client computers and to be alerted about any actions that they perform or actions taken on them.
Setting name: Scan system files
Description: This setting lets you configure whether incoming, outgoing, or incoming and outgoing system files are monitored for malware. You might have to change the default value of Scan incoming and outgoing files for performance reasons if a server has high incoming or outgoing file activity.
Setting name: Enable behavior monitoring
Description: Enable this setting to use computer activity and file data to detect unknown threats. When enabled, this setting might increase the time taken to scan computers for malware.
Setting name: Enable protection against network-based exploits
Description: Enable this setting to protect computers against known network exploits by inspecting network traffic and blocking any suspicious activity.
Setting name: Enable script scanning
Description: Set to True if you want to scan any scripts that run on computers for suspicious activity.

List of Antimalware policies: Threat Overrides
Setting name: Threat name and override action
Description: Click Set to customize the remediation action to take for each threat ID when it is detected during a scan. The list of threat names might not be available initially after the configuration of Endpoint Protection. Wait until the Endpoint Protection point has synchronized threat information, and then try again.

List of Antimalware policies: Threat Overrides
Setting name: Set sources and order for Endpoint Protection client updates
Description: Click Set Source to specify the sources for definition and scanning engine updates, and the order in which they are used. If Configuration Manager is specified as one of the sources, other sources are used only if software updates fail to download the client updates.
If you use any of the following methods to update definitions on client computers, the client computer must be able to access the Internet:
- Updates distributed from Microsoft Update
- Updates distributed from Microsoft Malware Protection Center
Clients download definition updates by using the built-in system account. You must configure a proxy server for this account to enable these clients to connect to the Internet.