Jayesh Mowjee Security Consultant Microsoft Session Code: SIA203.

Presentation on theme: "Jayesh Mowjee Security Consultant Microsoft Session Code: SIA203."— Presentation transcript:

1

2 Jayesh Mowjee Security Consultant Microsoft Session Code: SIA203

3 Session Objectives And Takeaways Session Objectives: Understand the capabilities of FCSv2 Know how FCSv2 protects endpoints against threats Plan an FCSv2 deployment Key Takeaways: FCSv2 provides comprehensive endpoint protection FCSv2 is part of Forefront codename: “Stirling”

4 Agenda Forefront Today Forefront Client Security v2 Unified Protection Simplified Administration Visibility and Control Enterprise Ready Question and Answer

5 Business Ready Security Help securely enable business by managing risk and empowering people Highly Secure & Interoperable Platform From: Block, Cost, Siloed. To: Enable, Value, Seamless.

6 Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management Network Edge Server Applications Client & Server OS

7 Comprehensive protection for business desktops, laptops and server operating systems that is easier to manage and control. Comprehensive Protection: Unified endpoint security that integrates anti-malware, host firewall and more; Coordinated protection with Forefront codename: “Stirling”; Inspection, threat mitigation and remediation. Simplified Administration: Manage from a single role-based console; Integrates with existing Microsoft infrastructure; Easy discovery and deployment of protection for endpoints. Visibility and Control: One dashboard for visibility into threats, vulnerabilities, and configuration risks; Increased visibility into endpoint security with vulnerability assessment scanning.

8

9 Comprehensive Protection Forefront Client Security v2 Vulnerability Remediation Reduce attack surface of vulnerabilities Host Firewall Restrict what applications can do Vulnerability Assessment Scan for vulnerabilities and configuration exposures Behavior Monitoring Monitor suspicious processes Antivirus/ Antispyware Block, remove and clean malicious software Proactive Reactive Limit exposure from vulnerable clients Network Access Protection

10 AVComparatives (Feb 2008): Test of consumer anti-virus products using a malware sample covering approximately the last three years. Received AVComparatives Advanced Certification. FCS Awards and Certifications: In recent tests, Microsoft rated among the leaders in anti-virus protection. Test based on more than 1 million malware samples, AVTest.org (March 2008). Kaspersky 98.3%, Symantec 97.7%, McAfee 94.9%, Microsoft 93.9%, VBA32 87.7%. AVK (G Data) 99.9%, Trend Micro 98.7%, Sophos 98.1%, Microsoft 97.8%, Kaspersky 97.2%, F-Secure 96.8%, Norton (Symantec) 95.7%, McAfee 95.6%, eTrust / VET (CA) 72.1%. Antivirus – Antispyware Building on FCS v1. Test based on more than 1 million malware samples, AVTest.org (Sept 2008): AVK 2009 (G Data) 99.8%, F-Secure 99.2%, Norton (Symantec) 98.7%, Kaspersky 98.4%, Microsoft 97.7%, Sophos 97.5%, McAfee 93.6%, Trend Micro 91.3%, CA - VET 65.5%.

11 Antivirus – Antispyware Building on FCS v1 Integrated anti-virus/anti-spyware agent delivering real-time protection Uses Windows Filter Manager Maintains stable operation Scans viruses and spyware in real-time Dynamic Translation Unique to Microsoft agent Maximizes scanning speed: Decryption and code emulation of malware with speed of native code execution Other protection features: Tunneling signatures for detecting and removing rootkits Advanced system cleaning: Customized remediation (recreating registry entries, restoring settings) Event Flood Protection: Shields reporting infrastructure during outbreak from infected clients Heuristics for classifying programs based on behavior Better malware detection Multiple technologies for malware protection Greater stability of client environment Faster malware scanning conducted in real-time

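12 Antivirus – Antispyware Building on FCS v1. Sources: West Coast Labs, AVTest.org, Performance benchmarking study conducted by West Coast Labs.
First comparison (Leading Competitor vs. Forefront Client Security):
Memory Footprint (footnote 1), client uninfected: Leading Competitor 536 Mbs, Forefront Client Security 522 Mbs.
Memory Footprint (footnote 1), client infected: Leading Competitor 593 Mbs, Forefront Client Security 495 Mbs.
Avg Usage, CPU & Memory (footnote 2), % client uninfected: Leading Competitor 82.37%, Forefront Client Security 79%.
Avg Usage, CPU & Memory (footnote 2), % client infected: Leading Competitor 88.56%, Forefront Client Security 81.6%.
Scanning time, uninfected client: Leading Competitor 147.69 min, Forefront Client Security 81.82 min.
Scanning time, infected client: Leading Competitor 167.09 min, Forefront Client Security 95.33 min.
Application startup time, starting Word (with no AV – 1.725): Leading Competitor 2.425 sec, Forefront Client Security 2.233 sec.
Application startup time, starting IE (with no AV – 2.275): Leading Competitor 3.6 sec, Forefront Client Security 2.6 sec.
Callouts: 7% less CPU; 2x faster.
Second comparison (Leading Competitor vs. Forefront Client Security):
Memory Footprint (footnote 1), server: Leading Competitor 58.6 Mbs, Forefront Client Security 56.5 Mbs.
Memory Footprint (footnote 1), client: Leading Competitor 66.3 Mbs, Forefront Client Security 57.9 Mbs.
Avg Usage, CPU & Memory (footnote 2), % server avg: Leading Competitor 30.5%, Forefront Client Security 2.0%.
Avg Usage, CPU & Memory (footnote 2), % client avg: Leading Competitor 29.4%, Forefront Client Security 11.1%.
Boot time increase (footnote 3): Leading Competitor 62% avg increase, Forefront Client Security 4.5% avg increase.
Scanning time (quick), Network 1 (Avg) (footnote 4): Leading Competitor 29.9 min, Forefront Client Security 13.6 min.
Scanning time (quick), Network 2 (Avg) (footnote 4): Leading Competitor 12.0 min, Forefront Client Security 5.3 min.
Scanning time (full), Network 1 (Avg) (footnote 4): Leading Competitor 156.8 min, Forefront Client Security 34.6 min.
Scanning time (full), Network 2 (Avg) (footnote 4): Leading Competitor 92.8 min, Forefront Client Security 18.3 min.
Callouts: 60%+ less CPU usage; 14x faster at boot time; 2x faster in quick scans; 5x faster in full scans.
The FCS agent efficiently uses system resources, scans quickly, and detects malware effectively.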

13 Vulnerability Management Proactively reduce the surface area Check Assess Remediate NEW Detect common vulnerabilities and missing security updates Discover misconfiguration exposures Configure security checks parameter New checks include: IE Security Setting, DEP, IIS Setting, and more… Compare system configuration against security best practices Assign score based on associated risk Surface issues found across the enterprise in real time Automatically remediate based on policy Integrate with NAP for compliance enforcement Remotely remediate from the management console

14 Vulnerability Assessment Checks Available in Forefront Client Security v2
Internet Explorer Browser Security: Restricted Sites; Allowed Trusted Sites; Home Page Protection
Internet Explorer Browser Security: Phishing Filter; Pop-up Blocker; Protected Mode
Antimalware: Malware detected and/or failed to clean
BitLocker
Device Control
Antimalware: AM Service Running; AM Signatures Up-To-Date; AM Scan Required
Windows Firewall
Data Execution Prevention (DEP)
Account Management: Guest Account; Autologon; Restrict Anonymous; Auditing (Login/Logoff); Password Expiration
File System: File System NTFS; Shares
Security Updates: Approved Updates; Unapproved Updates; Automatic Updates
Unnecessary Desktop Services
Office Macros
Internet Explorer Browser Security: Internet Explorer Zones; Enhanced Security Configuration
User Account Control (UAC): Application Elevation for App Install; Application Elevation for Signed Exe; Application Elevation for UIAccess Apps; ActiveX Install Without Prompt; Virtualization for File and Registry Failures; Admin Approval Mode for Built-In Admin; Elevation Prompt for Admins; Elevation Prompt for Standard Users; Admin Approval Mode for All Admins; Elevation Prompt Secure Desktop; Secure Credential Entry

15 Network Access Protection. Up-to-date Protection: ensures that all clients have the latest definitions & host protection policy. Compliance Enforcement: enables administrators to enforce their corporate security policy and protect the network from non-compliant and vulnerable clients. Outbreak Containment: protects the network from clients with active malware infections. Network Eviction: enables administrators to protect the network from suspicious and potentially compromised clients.

16 Host Firewall Firewall Management: centralized management of the Windows Firewall Windows XP/2003, Windows Vista/2008, and Windows 7 Support Inbound and Outbound Filtering Configure Firewall Exceptions for Ports, Applications, and Services Configure Network Location Profiles for Roaming Users Centralized Visibility: Firewall State in the Enterprise Sensors for Security Incident Detection Activity Monitoring Statistics

17

18 Central Management Server Central Management Server Forefront Code Name "Stirling" Network Edge Server Applications Client & Server OS An integrated security suite that delivers comprehensive protection across endpoint, application servers, and the edge that is easier to manage and control Code Name “Stirling” Third-Party Partner Solutions Other Microsoft Solutions Active Directory NAP Unified Management In-Depth Investigation Enterprise-Wide Visibility Security Assessment Sharing (SAS)

19 Simplified Administration With Stirling Protect your business with greater efficiency FCSv2 is managed through “Stirling” One console for simplified, role-based security management Define one security policy for your assets across protection technologies Deploy signatures, policies and software quickly Integrates with your existing infrastructure: SQL, WSUS, AD, NAP, SCCM, SCOM (new & existing)

20 REPORTS POLICY SIGNATURE, UPDATES MicrosoftUpdate GROUPS (OR ALTERNATE SYSTEM) POLICY EVENTS Network Access Protection (NAP) (OR ALTERNATE SYSTEMS) Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint, Forefront Threat Management Gateway Required Infrastructure INTEGRATION INFRASTRUCTURE CORE INFRASTRUCTURE Integration With Your Infrastructure

21 Stirling Core Stirling Console Stirling SQL DB SCOM Root Management Server (RMS) SCOM SQL DB SQL Reporting Server SQL Reporting DB Stirling Server Roles Software/Signature Deployment e.g. WSUS or SCCM (TYPICALLY ALREADY DEPLOYED BEFORE STIRLING) 250 – 2,500 Assets 1 Up to 25,000 Assets Stirling Console Stirling Core SCOM (RMS) SQL Reporting Server Stirling SQL DB SCOM SQL DB SQL Reporting DB WSUS 4 1 2 1 Scaling Up… Stirling Console Stirling Core SQL Reporting Server SCOM RMS SCOM SQL DB + Per 25,000 Assets Per 20,000 Assets 1 1 WSUS 1 1 Stirling SQL DB SQL Reporting DB 1 An asset is a computer with one of the Stirling protection technologies (FCS, FSE, FSSP and/or TMG) Deployment and Scalability

22

23 Know your security state View insightful reports Investigate and remediate security risks Critical Visibility and Control Know where action is required

24 FCSv2 Tasks: Update signatures AM quick/full Scan Vulnerability scan Install missing updates Vulnerability remediation Network eviction Reboot computer Integrated With Dynamic Response Critical Visibility and Control Take action to remediate issues

25

26 Enhanced Enterprise Capabilities Forefront Client Security Scale to the largest enterprises Role-based Administration Virtualized Deployments Clustering and High Availability Deployments Support for both domain and non-domain joined assets Protection for Windows Server Roles Native NAP Integration Microsoft Confidential

27 Platform Support Client Agents Windows XP, Windows Vista, Windows 7 Windows 2003, Windows 2008 Virtual machines (MSFT virtual machine technology only) Non-domain joined machines Windows Embedded, WEPOS Server Infrastructure Windows Server 2003, Windows 2008 (x64 only) SQL Server 2008 Standard or Enterprise Will support installation of server infrastructure on virtual machines (MSFT virtual machine technology only) Will support clustered environments for high availability

28 Summary Forefront Client Security v2 provides unified protection for endpoints (desktops, laptops and servers) that is easier to manage and control Built on FCS v1 strong foundations Offers greater protection Integrated with “Stirling” Centralized management Comprehensive, insightful reports Enterprise Ready

29

30 www.microsoft.com/teched Sessions On-Demand & Community http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers www.microsoft.com/learning Microsoft Certification & Training Resources Resources

31 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

